Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?

We identified the source of the malware: a PHP script that looks for certain user agents and IP addresses and redirects the request to www.google.com if it comes from one of them, or to the real malware if not.

This is the code:



So, if you are not familiar with PHP, what this code does is check for the user agents of some bots (Googlebot, MSN, Bing, etc.) and for a few IP addresses belonging to bots and antivirus companies (Trend, Bitdefender, etc.). If the request comes from one of them, the script ignores it and redirects to www.google.com.

That's why we were seeing www.google.com and listed it on our malware dump (already fixed).

For all the other users (the victims), the malware contacted http://88.198.28.38/api.php?action=link to get the URL to redirect to (generally on a .tk domain). Any questions, let us know.

We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the "malware" to redirect users to msn.com.

This is what we are seeing on some hacked sites (.htaccess file):



If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.

Anyone have ideas? It looks like a bug in the attackers' malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind this (conspiracy theory). :)

We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:



So far we have detected more than 500 sites with this type of redirection in the last few days.
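The msn.com and thesea.org entries above both rely on the same .htaccess trick: RewriteCond lines that match the visitor's referrer (or user agent) against search-engine names, followed by a RewriteRule that sends the visitor to another host. The following script is an added example, not code from this site or from the malware, that flags such rules in a .htaccess file; the sample file it scans is constructed for the demonstration and the target host in it is a placeholder.

```python
import re

# Constructed sample .htaccess: a stock WordPress block followed by the kind of
# referrer/user-agent conditional redirect described in the posts above.
# The redirect target is a placeholder, not a real malware host.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|twitter|facebook) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*(msie|windows).* [NC]
RewriteRule ^.*$ http://example-redirect.invalid/media.php [R=302,L]
"""

# Names that legitimately appear in search-engine / social referrers.
SEARCH_ENGINES = ("google", "bing", "yahoo", "ask", "aol", "twitter", "facebook")

def find_referrer_redirects(htaccess_text, site_host):
    """Return [(line_no, target), ...] for every RewriteRule that is guarded by
    an HTTP_REFERER or HTTP_USER_AGENT condition naming a search engine and
    whose target is an absolute URL on a host other than site_host."""
    findings = []
    conds = []  # RewriteCond lines waiting for the next RewriteRule
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("RewriteCond"):
            conds.append(s)  # conditions bind to the following RewriteRule
            continue
        if s.startswith("RewriteRule"):
            m = re.match(r"RewriteRule\s+\S+\s+(\S+)", s)
            target = m.group(1) if m else ""
            guarded = any(
                re.search(r"HTTP_(REFERER|USER_AGENT)", c)
                and any(se in c.lower() for se in SEARCH_ENGINES)
                for c in conds)
            host = re.match(r"https?://([^/]+)", target, re.I)
            if guarded and host and host.group(1).lower() != site_host.lower():
                findings.append((no, target))
            conds = []  # the rule consumed its conditions
    return findings

if __name__ == "__main__":
    for no, target in find_referrer_redirects(SAMPLE_HTACCESS, "victim.example"):
        print(f"line {no}: search-engine visitors redirected to {target}")
```

A legitimate site rarely rewrites search-engine referrers to a different host, so each hit is worth a manual look at the file's modification time and at who could write to it.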

Seeing many sites compromised with malware from paysafecard.name/analitics.js. This is the js inserted on the hacked pages:



We talk a lot about sites that get hacked to redirect their users to malicious exploit kits (Blackhole, etc.). Very often we see encoded JavaScript and our users ask what it does... These are some of the URLs we saw just this last week being used by the attackers.



Encoded javascript

2012-06-05  by  Daniel B. Cid
Interesting redirection from lolotrololo.1dumb.com:



Which redirects to http://indefw.bee.pl/info.php?n=40&p=n.

Seeing some variations in how sites are getting hacked to link to the Blackhole exploit kit. This is the type of encoded JavaScript we are seeing inserted into sites now:



Which point to multiple URLs on the .gg.biz and .rr.nu TLDs (e.g. http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc.). More details to come.

A few days ago, we posted a list of domains hosting webshells for timthumb related attacks. We identified more than 420 different URLs hosting those backdoors.

What is interesting is that during the same period, we identified almost 1,000 IP addresses scanning sites for vulnerable timthumb scripts in WordPress themes and plugins. These are all the IPs and the number of hits we detected:



And we will keep monitoring them.

We have been tracking timthumb.php related attacks for a little while, and they are still in full force. Just for the month of May, these are the domains we identified hosting the backdoors used by the attackers (420 different URLs):



And most of them are still live. If you download them you will see many backdoor variations:



And we will keep monitoring them.

Seeing many sites compromised with an iframe pointing to http://lowresolutionit.in/in.cgi?6, mostly on outdated WordPress. That domain is currently redirecting to http://hewjzkgvkhwec.tk/27973751.html and then to fake AV.