Malware update: ssl-verification.net

Quick malware update: The site ssl-verification.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and by the analyzing logs, we could find the C&C IP address: 41.190.16.17.

41.190.16.17 – – [20/Oct/2010:03:35:21 -0700] “GET /img/readthat.php HTTP/1.1″ 200 11204 “http://phlks.com/doors/check_all.pl?5″ “Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10″

What is interesting is that it seems the attackers are using http://phlks.com/doors/check_all.pl to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at 85.17.213.243, so suggestion for hosting companies: Block this IP.


Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.eyewebmaster.com Rosendo A. Cuyasen

    As a developer I have encounter this problem and I’ve come across with your article. Our CMS is compose of oscommerce and wordpress is a different one. With your example here, I would like to ask if this will work our our cms?

Share This