More attacks – Hilary Kneber and meqashoppecom – Part II

A few days ago we reported a large scale attack affecting WordPress sites at hosted on 123-reg servers. They were using the domains meqashopperinfo.com and meqashopperonline.ccom to spread the malware. You can read more about it here.

Today, we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using meqashoppercom.com to spread the malware and the following javascript gets added to the affected sites (result from our scanner):

Malware is getting loaded from:

http://meqashoppercom.com/kb.php
http://77.78.240.233/index.php?xxx

All the sites we’ve seen so far have the following code added to all PHP files:

eval(base64_decode(“aWYoZnVuY3Rpb….

Here is the malware entry.

Note: The domain meqashoppercom.com (77.78.240.233, 77.78.239.53) IS NOT blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.

What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The following script should clean up any infection: Sucuri Simple Cleanup Solution

Update 1: Also make sure to remove the file wp-content/wp-indexit.php, which is a backdoor used in this attack. For hosting companies, block the IP: 85.234.191.140


If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Pingback: Tweets that mention More attacks – Hilary Kneber and meqashoppecom – Part II | Sucuri -- Topsy.com()

  • Alex Walsh

    I’m getting the following log from exploit scanner, is this another version waiting to go live:

    wp-admin/wordpress-fix.php:15
    Often used to execute malicious code ot; -type f |xargs sed -i ‘s###g’ 2>&a
    wp-admin/wordpress-fix.php:15
    Used by malicious scripts to decode previously obscured data/programs type f |xargs sed -i ‘s###g’ 2>&1`;
    wp-admin/uploader/pclzip.lib.php:2675
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-admin/uploader/pclzip.lib.php:2819
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-admin/uploader/pclzip.lib.php:3716
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-admin/uploader/pclzip.lib.php:3990
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-admin/uploader/pclzip.lib.php:4040
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-admin/uploader/pclzip.lib.php:4116
    Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
    wp-content/plugins/wp-to-twitter/json.class.php:21
    Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
    wp-content/plugins/wp-to-twitter/OAuth.php:202
    Used by malicious scripts to decode previously obscured data/programs $decoded_sig = base64_decode($signature);
    wp-content/plugins/multi-level-navigation-plugin/scripts/superfish.js:11
    Often used to execute malicious code eval(function(p,a,c,k,e,r){e=function(c){return(c<
    wp-content/plugins/wptouch/js/ajax_upload.js:339
    Often used to execute malicious code response = eval("(" + response + ")");
    wp-content/plugins/wptouch/js/fancybox_1.2.5.js:12
    Often used to execute malicious code ;eval(function(p,a,c,k,e,r){e=function(c){return(c<
    wp-content/plugins/wp-copyrightpro/index.php:56
    Often used to execute malicious code eval(base64_decode('JGNwcmY9J1puVnVZM1JwYjI0Z1k
    wp-content/plugins/wp-copyrightpro/index.php:56
    Used by malicious scripts to decode previously obscured data/programs eval(base64_decode('JGNwcmY9J1puVnVZM1JwYjI0Z1kyOXdlWEpwWjJoM
    wp-content/plugins/wp-copyrightpro/index.php:95
    Often used to execute malicious code eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCR
    wp-content/plugins/wp-copyrightpro/index.php:95
    Used by malicious scripts to decode previously obscured data/programs eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRpbmNfY3JwKSk7&
    wp-content/plugins/bitdefender-antispam-for-wordpress/img.php:5
    Used by malicious scripts to decode previously obscured data/programs echo base64_decode("R0lGODlhAQABALMAAP8p9////////////////////
    wp-content/plugins/antivirus/js/script.js:1
    Often used to execute malicious code m=$('#av_template_'+id);if(input){input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}item.addClass('danger');var i=0;var lines=input.data;var len=lines.length;for(i;i<len;i=i+3){var num=parseInt(lines[i])+1;var line=lines[i+1].replace(/@span@/g,'’).replace(/@/span@/g,”);var md5=lines[i+2];var file=item.text();item.append(‘‘+av_msg_1+’‘+av_msg_2+’ ‘+num+’'+line+'‘);$(‘#’+md5).click(function(){$.post(av_ajax,{‘action':’get_ajax_response’,’_ajax_nonce':av_nonce,’_file_md5′:$(this).attr(‘id’),’_action_request':’update_white_list’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.nonce||input.nonce !=av_nonce){return;}var parent=$(‘#’+input.data[0]).parent();if(parent.parent().children().length=av_files_total){$(‘#av_manual .alert’).text(av_msg_3).fadeIn().fadeOut().fadeIn().fadeOut().fadeIn().animate({opacity:1.0},500).fadeOut(‘slow’,function(){$(this).empty();});}else{check_theme_file(id+1);}});}$(‘#av_manual a.button’).click(function(){$.post(av_ajax,{action:’get_ajax_response’,_ajax_nonce:av_nonce,_action_request:’get_theme_files’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.no
    wp-content/plugins/wp-security-scan/simplepie.inc:12488
    Used by malicious scripts to decode previously obscured data/programs $data = base64_decode($data);
    wp-content/plugins/gtranslate/jquery.js:16
    Often used to execute malicious code async:false,dataType:”script”}):c.globalEval(b.text||b.textContent||b.innerHTML||””
    wp-content/plugins/gtranslate/jquery.js:132
    Often used to execute malicious code p;f.indexOf(“javascript”)>=0)c.globalEval(a);return a},param:function(a,b){function d(i,o
    wp-content/plugins/wordpress-forms/js/jquery.metadata.min.js:19
    Often used to execute malicious code data=”{“+data+”}”;data=eval(“(“+data+”)”);$.data(elem,s
    wp-content/plugins/wordpress-forms/js/jquery.metadata.min.js:25
    Often used to execute malicious code data=”{“+data+”}”;data=eval(“(“+data+”)”);$.data(elem,s
    wp-content/themes/atahualpa/functions/bfa_footer.php:126
    Often used to execute malicious code eval(‘?>’.$footer_content);
    wp-content/themes/atahualpa/functions/bfa_postinfo.php:593
    Often used to execute malicious code eval(‘?>’.$postinfo);
    wp-content/themes/atahualpa/functions/bfa_header_config.php:376
    Often used to execute malicious code eval(‘?>’.$header_items);
    wp-content/themes/atahualpa/options/jscolor/jscolor.js:336
    Often used to execute malicious code for(var p in properties) eval(‘e.style.’+p+’ = properties[p]&#
    wp-content/themes/atahualpa/functions.php:513
    Often used to execute malicious code eval(‘?>’.$center_content);
    wp-content/themes/atahualpa/functions.php:531
    Often used to execute malicious code eval(‘?>’.$custom_code);
    wp-content/themes/producer/js/jush.js:507
    Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con
    wp-content/themes/producer2/producer/js/jush.js:507
    Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con
    wp-content/themes/producer3/producer/js/jush.js:507
    Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con

    It’s the eval base 64 stuff that’s got me concerned :(

Share This