Sucuri Security » Malware

Malware entry: MW:JS:JJ677

dcid — Fri, 10 Feb 2012 19:08:37 +0000

Description:

A suspicious and encoded javascript was found. It used the jjencoder to hide its content, but we detected a hidden call to load content from remote web sites in attempt to exploit a specific browser vulnerability.

Note that any PHP, HTML and JS file gets compromised by this malware. Sometimes it can also be hidden inside the database.

Affecting: Any web site. Often on outdated WordPress, Joomla and osCommerce sites.

Clean up: You can also sign up with us and let our team remove the malware for you.

Loads malware from multiple sources:

no domain specified
(and many other domains).

Malware dump (sample of malware):

$z =~[]; $z={_: ++$z,$$$$:(![]+”")[$z],__$:++$z,$_$_:..

Malware entry: MW:IFRAME:ENC1560

dcid — Wed, 08 Feb 2012 17:23:07 +0000

Description:

A hidden and dangerous iframe was identified. It loads content from remote web sites in attempt to exploit a specific browser vulnerability. In some variations, the browser is redirected to blackhat seo spam sites. It is also known as “Exploit:HTML/IframeRef.AA” by some anti virus products.

Note that every PHP, HTML and JS file gets compromised by this malware.

Affecting: Any web site. Often on outdated WordPress, Joomla and osCommerce sites.

Clean up: You can also sign up with us and let our team remove the malware for you.

Loads malware from multiple sources:

http://tds83.1dumb.com/stds/go.php?sid=1
http://pokosa.com/tds/go.php?sid=1
(and many other domains).

Malware dump (sample of malware):

Malware entry: MW:BLACKLISTED:35

dcid — Mon, 06 Feb 2012 19:05:46 +0000

Description:

A suspicious code was identified loading content from a blacklisted domain. Example of domains include:

abcdecorez.cx.cc
kokosina.in
www.ironydon.co.cc
solid-success.in
ewinarfm.co.be
companyairline.ru
broadway.bee.pl
search-box.in
fairbankhouston.cz.cc
secondon.in
aht-textile.ru
hhwsdfhshds.co.cc

And many others. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

Signature:

This is not a signature-based rule, but looks at our Blacklist to identify malicious content.

Affecting:

Any web site sites (no specific target)

Clean up:

This malware is generally hidden inside the HTML or PHP files. Sign up here to get it clean up: Signup

Malware dump (sample of malware):

Malware dump not available.

Backdoor: PHP:PREG_REPLACE:EVAL

dcid — Tue, 31 Jan 2012 14:55:07 +0000

Description: We detected a malicious code hidden under a preg_replace with the “e” switch that acts as an eval call (code execution). It is often used to bypass simple detection methods that only look for “eval(” call itself.

Use: Hide spam, malware and backdoors.

Affecting: Any web site (often through outdated WordPress, Joomla, vBulletin, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:C99:045

dcid — Mon, 30 Jan 2012 17:08:27 +0000

Description: We detected the “C99″ backdoor that allows attackers to manage (and reinfect) your site remotely. It is often used as part of a compromise to maintain access to the hacked sites.

Affecting: Any web site (often through outdated WordPress, Joomla, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:R57:01

dcid — Mon, 30 Jan 2012 17:05:09 +0000

Description: We detected the “R57″ backdoor that allows attackers to access, modify and reinfect your site. It is often hidden in the filesystem and hard to find without access to the server or logs.

Affecting: Any web site (common on compromised Joomla, osCommerce and WordPress sites)

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:EVAL:GZINFLATE:B64

dcid — Mon, 30 Jan 2012 16:26:40 +0000

Description: We detected a highly encoded (and malicious) code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. After decoded, it goes through an eval call to execute the code.

Affecting: Any web site (often through outdated WordPress, Joomla, vBulletin, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:GENERIC:07

dcid — Sat, 28 Jan 2012 11:14:17 +0000

Description: We detected a generic backdoor that allows attackers to upload files, delete files, access, modify and/or reinfect your site. It is often hidden in the filesystem and hard to find without access to the server or logs. It also includes uploadify scripts and similars that offer upload options without security.

Affecting: Any web site (often through outdated WordPress, Joomla, vBulletin, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:WEBSHELL:03

dcid — Sat, 28 Jan 2012 11:07:02 +0000

Description: We detected a generic web shell (backdoor) that allows attackers to access, modify and reinfect your site. It is often hidden in the filesystem and hard to find without access to the server or logs.

Affecting: Any web site (often through outdated WordPress, Joomla, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump:

Backdoor: PHP:Filesman:02

dcid — Sat, 28 Jan 2012 10:53:03 +0000

Description: We detected the “Filesman” backdoor that allows attackers to access, modify and reinfect your site. It is often hidden in the filesystem and hard to find without access to the server or logs.

Affecting: Any web site (often through outdated WordPress, Joomla, osCommerce and stolen passwords).

Clean up: You can also sign up with us and let our team remove the malware for you.

Malware dump: