
Fake jquery site

2012-09-07  by  Daniel B. Cid
Seeing many sites with fake jquery links on them from jquery-framework.com (just registered on 2012/08/05):



If you use jquery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.

We are seeing a new batch of the "rebots.php" infections on WordPress and one thing is intriguing us. On many sites we are analysing, WordPress is updated and no suspicious backdoors or plugins were found. All in order, except for the javascript injected inside the theme.

The only thing in common on them is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:



So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .JS files were loaded.

Another interesting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords got stolen, we recommend that people change their wp-admin passwords asap until we have more info (especially if you have been compromised with the rebots.php injection).

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. These are some of the URLs we are seeing:



Note that all (or most) of these sites are compromised and being used by the attackers to spread malware "botnet" style. Dennis also questioned how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to "nonalco", "mimosa" and other random keywords for their files:



The redirection is still the same, going from those .ru domains, to additional second level .ru domains and then to a .pl:



So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:



Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:



We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup

Yahoo Leak

2012-07-12  by  Daniel B. Cid
You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak.

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:



When the mass scans for it start. The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).

Top malware entry for the day: poseyhumane.org/stats.php



It seems to be the stats.php "malware" of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a C&C (command and control) server for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):



We have no idea why this is happening. Maybe a bug in the attackers' malware injection code, but we can't say for sure. We will post more details when we find out what is going on.

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:



But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:



What I found interesting is that this spam tool stored all the emails in the database and the script supported options to update the email list, change content and many things like that. And every few hours the attackers would access it, update the emails and spam everyone in there.
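The eval-for-print trick described above can also be done statically, without running the sample at all. The following Python script is an added example (not code from the original post and not the mailer itself): it peels nested eval(gzinflate(base64_decode('...'))) layers off a constructed stand-in file, splicing each decoded payload back in place of the eval() call so the surrounding code is preserved.

```python
import base64
import re
import zlib
from typing import Tuple

# One obfuscation layer of the form eval(gzinflate(base64_decode('...'))),
# the wrapper named in the post; whitespace and quote style vary between samples.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
    r"\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() consumes raw DEFLATE (no zlib/gzip header), hence wbits=-15."""
    return zlib.decompress(data, -15)


def unwrap_layers(php_source: str, max_layers: int = 20) -> Tuple[str, int]:
    """Static equivalent of swapping eval for print: replace each wrapper with its
    decoded payload until none remain. Returns (inner source, layers removed)."""
    current = php_source
    for depth in range(max_layers):
        m = LAYER_RE.search(current)
        if not m:
            return current, depth
        decoded = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", errors="replace")
        current = current[: m.start()] + decoded + current[m.end():]
    return current, max_layers


def pack_layer(php_code: str) -> str:
    """Wrap php_code in one eval(gzinflate(base64_decode())) layer. Used here only
    to build the constructed sample below; eval() takes code without an open tag."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, what gzinflate expects
    blob = co.compress(php_code.encode()) + co.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()


# Constructed, benign stand-in for the hidden mailer body; the real sample is not reproduced.
INNER_CODE = "$emails = get_recipients(); foreach ($emails as $e) { queue($e); }"
# Constructed two-layer file, as the packed mailer would appear on disk.
SAMPLE_FILE = "<?php " + pack_layer(pack_layer(INNER_CODE)) + " ?>"

if __name__ == "__main__":
    source, layers = unwrap_layers(SAMPLE_FILE)
    print("removed %d layers:\n%s" % (layers, source))
```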