• Web-Malware Spoofing Images (imgaaa.net)

    The incidence of web-malware is on the rise, thousands of websites are infected every day as webmasters and business owners grapple with this new hydra of the Internet. Traditional Anti-Virus software is completely helpless when it comes to detecting these new and evolving pieces of malware which are being used to infect websites by malicious hackers.

    In this short post we present an extremely widespread variant of an FTP based web-malware which is used to infect web sites.

    Identifying the Malware
    This code is injected as a result of a trojan or a “sniffer” malware being installed on a personal computer or server. This trojan software simply listens for FTP connections destined for web servers.

    The code below shows the malware payload which is injected into web sites:

    <img heigth='1' width='1' border='0' src='http://imgaaa.net/t.php?id=36910902'>

    To determine if this trojan has infected your site, follow the steps below:

    1. Log into your web account using FTP, SFTP, or SSH.
    2. Check for files present with the following names: [some-two-digit-number].php (e.g. “21.php”). These files usually begin with:
      <? eval(gzuncompress(base64_decode(

      The above code may also be present on the last line of files named “index.php” (a reader identified the fact that there may also be files present with names like “police.php”).

    3. Check for folders or directories present named “.log” (a reader identified the fact that there may also be a folder present called “.logs”).
    4. Check for the presence of “imgaaa.net” in all files. Use the following command if you have shell access.
      grep -lr imgaaa.net
    5. Check for the presence of the following line in your “.htaccess” files.
      RewriteRule ^(.*)$ /wp-admin/21.php?q=$1

    Removing the Malware
    If you find traces of the infection, upgrade your web application software (e.g. your CMS, WordPress, etc.) installation, change your FTP passwords, and clean or remove the infected files from your site immediately.

    We Can Help!
    If you need additional support, please see if our services can help and feel free to contact us with any comments or questions.

    • Hi
      I’ve been struggling with the “imgaaa” infection for a month already, on a series of my servers.
      What i don’t see in your post, is how to remove the initial infection on my local computor, the trojan that started the whole thing, by stealing my FTP passwords. Is traditional anti-virus software enough? i have AVG, and i have run it, and it did find and remove some things, but i can’t be sure this one was among them.

      Btw, just today i was cleaning one server that i forgot to cleean before, and i saw 2 new things happened, slightly different from symptoms described in the post (while all other infections till now were consistent with it) :
      – besides .log, now there was also a .logs directory (also full of the fake pages, like .log)
      – files with “eval(gzuncompress” this time weren’t called by numbers (21.php etc) but had (random) words as filenames – in my case there was lacoste.php and police.php

      so you should probably update the post slightly…

      Posted by Karo on May 6th

    • Thank you for the information. Yes. you are right about the .logs folder and the filenames with names like you have mentioned. We will update the post, thank you.

      Posted by anirban on May 6th

    • Thanx for reply. What about my question in thge first part of my comment?

      Posted by Karo on May 6th

    • Please try to scan your computer/server with MalwareBytes/Kapersky, usually good results can be expected.

      Posted by anirban on May 6th

    • I have this virus on my website, but now it is imgddd.net, is it the same, or an update? in what is it different and how can i fix it, cause your method is not working, thank you

      Posted by bary on May 10th

    • Yes, the basic premise is the same. Other websites which participate in this same kind of attack are:
      zoomt.net, alcobro.net, curem.net and others, including imgddd.net and imgaaa.net.

      Posted by anirban on May 10th

    • Malwarebytes will remove that trojan from your local PC and it’s free (there’s a paid version, but the free version will scan and remove that trojan). As for the server, the sooner you change your ftp password, the better. Then, get the “imgaaa” injected code snippets off all your index pages ASAP. The, delete the crud as soon as you can. I had one site infect with over 100,000 of their garbage files and had to use SSH to delete them.

      I’m sure it happened because the trojan stole my ftp passwords from Cute FTP. Since then, I’ve learned a lot about how to avoid this, but that’s another subject…

      Posted by J. Miller on May 19th

    • […] For more information on the code have a look here http://www.stopthehacker.com/2011/05/04/web-malware-faking-images/ […]

      Posted by A rather nasty piece of malware « Lets Do It Blog site on May 20th