Over the last few days we have been tracking a large number of sites infected with a very interesting piece of malware.
All the sites hacked so far contain the following in their .htaccess file (the file name varies per site: PEcasas.php, PEtherm.php, PEmerle.php, PEirade.php, PEdropt.php, PErodeo.php, etc.):
Those PE*.php files have a very long piece of code:
When decoded, it does the following. First, it connects to publifacil.org (69.13.181.190) to fetch a command to execute. Note that publifacil.org is not blacklisted anywhere.
This request returns a long base64-encoded string that is appended to the web site content (generally JavaScript that hides a call to load a malicious iframe from http://pie.goldmonatomic.com/in.cgi?2). Some details here: http://sucuri.net/malware/entry/MW:JS:457.
This is how the JavaScript looks on a web site:
Cleaning it up: to clean up the mess, you have to delete those PE*.php files, restore the original .htaccess, search for newly added files (generally backdoors) and find out how they hacked you in the first place (old version of a web application? wrong permissions?).
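As an added example (not code from the original post), a POSIX shell triage helper that checks a web root for the indicators described above: .htaccess files referencing a PE*.php file, the PE*.php files themselves, and recently modified files to review for backdoors. The sample web root, its rewrite rule and its file contents are constructed for the demonstration and are not the real injected content.

```shell
#!/bin/sh
# Added triage helper, not part of the original post.
# Usage: WEBROOT=/path/to/site sh triage.sh   (without WEBROOT a sample root is used)

# .htaccess files under $1 that reference a PE<name>.php file.
find_htaccess_refs() {
    find "$1" -type f -name .htaccess -exec grep -lE 'PE[A-Za-z0-9]+\.php' {} +
}

# The PE*.php droppers themselves.
find_pe_files() {
    find "$1" -type f -name 'PE*.php'
}

# Files modified within the last $2 days (default 7); candidate backdoors to review.
find_recent_files() {
    find "$1" -type f -mtime "-${2:-7}"
}

# Constructed sample web root: one infected .htaccess, one stand-in dropper,
# one clean subdirectory. Prints the directory path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/blog"
    # Constructed rule; the actual injected .htaccess content is not reproduced here.
    printf 'RewriteEngine On\nRewriteRule .* /PEcasas.php [L]\n' > "$d/.htaccess"
    printf '<?php /* constructed stand-in for the encoded dropper */ ?>\n' > "$d/PEcasas.php"
    printf 'RewriteEngine On\n' > "$d/blog/.htaccess"
    printf '<html>clean</html>\n' > "$d/blog/index.html"
    echo "$d"
}

root="${WEBROOT:-$(make_sample_root)}"
echo "== .htaccess files referencing PE*.php:"
find_htaccess_refs "$root"
echo "== PE*.php droppers:"
find_pe_files "$root"
echo "== files modified in the last 7 days (review for backdoors):"
find_recent_files "$root" 7
# Remove the constructed sample root when no real WEBROOT was given.
[ -n "${WEBROOT:-}" ] || rm -rf "$root"
```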
We will post more details as we learn more about this attack.
Need help getting your site cleaned up? Contact us at http://sucuri.net and we will get your site malware-free and blacklist-free.
3 comments
Thanks, that's exactly what I did, and it works. Now I have a doubt: I was reading in wordpress.org blogs that people who have that problem were hosted at MediaTemple (like me). Is it a MediaTemple problem?
I just discovered this issue today, and it’s not just limited to WordPress sites. Even sites with simple HTML and images are at risk. I am on MediaTemple and it may be specific to their service. I have an open ticket with them and I’m curious to hear what they have to say. I included details on the hack, sites of mine that were infected, and links to this site.
I discovered this on my domain tonight. The .htaccess file had been modified, referencing PEglops.php. However I’ve been unable to find the PEglops.php file anywhere.
Interestingly, this is on my primary (www.) domain, and did not happen in the subdomain where I have my WordPress installation.
I am on MediaTemple GridServer as well.