By

The recent "Movie Review" infections

Over the past week, we’ve been seeing a lot of infected websites that are ranking for various movie review web pages – and these sites have nothing to do with movies!

The typical infection is a five letter .php file such as:

  • juqip.php
  • kirqf.php
  • wxtrg.php
  • mtywo.php
  • tijox.php

And other file names. The common denominator here is the five letter file name. From what we’ve seen the file name doesn’t start with a vowel and it appears there is a different file name for each website. If you were to Google tijox.php you’ll only see it on one website.

For each of these sites, there is a folder named “./files”. The reason for the dot before the folder name is to hide it from many programs. For instance in the FTP program I use WS_FTP by Ipswitch, you have to specify that you want to see all listings that begin with a dot. By default, in WS_FTP, this folder won’t even show. The same is true for Linux. You won’t see the folder that begins with a dot.

All the files in the “./files” folder are put there by the hackers. The majority of them are movie reviews, but there’s also .html files in there about the Buffalo Sabres hockey team, various “Lord of War” files, Texas Lottery Pick 3 and various other frequently searched terms.

We have seen a lot of them using search terms that reference “lord of war”, but other search terms used are:

  • 3 10 To Yuma Soundtrack
  • death of a cheerleader wiki
  • tx lottery pick 3
  • sabres hockey
  • strike force results hershel walker
  • strike force nashville presale code
  • kesha snl
  • strangers on a train movie
  • knights templar
  • freshman fall imdb
  • dazed and confused cast
  • strangers on a train patricia highsmith
  • luci baines johnson pictures
  • bernadette protti pictures
  • dan henderson vs jake shields fight video
  • kelly pavlik news
  • the good shepherd imdb
  • acm awards 2010 voting
  • doctor who victory of the daleks download
  • dazed and confused lyrics
  • amstel gold race 2010
  • roma airport
  • farley granger imdb
  • tao las vegas
  • mastiff
  • josh selby basketball
  • king mo vs mark kerr
  • pavlik vs martinez undercard
  • american bulldog
  • kelly pavlik vs miguel espino
  • kelly pavlik wiki
  • sergio martinez next fight
  • joe mather girlfriend
  • batman and robin comic
  • bernadette protti
  • guillain barre syndrome wikipedia
  • shake weight reviews does it work
  • strikeforce results january 30
  • the hitcher movie
  • psn code generator
  • amanda peterson photos
  • elearning
  • tea leoni
  • patrick dempsey
  • unemployment
  • and many, many others

However, the real interesting information is in the query string. The query string has the “?” after the .php file name, and then it uses a variety of identifiers. Sometimes it’s a single letter other times we’ve seen words like;

  • sell
  • in
  • post
  • off
  • do
  • topic
  • page
  • pageid
  • go

these are followed by the search term. In the search term the spaces are converted to %20 possibly to further try and obfuscate their work.

We found that the majority of sites with this infection have already been found by Google and labeled, “this site may harm your computer”. Unfortunately not all of them have been flagged yet. I say unfortunately, because it seems as though that’s the way most website owners or webmasters find out that a website has been infected – by Google flagging it and sending an email to the email addresses listed in the Google Webmaster Tools.

If you were to Google, “the hitcher movie”, many listings appear that have the warning this site may harm your computer. Some don’t. Anyone looking to find information about “the hitcher movie” might click on one of the sites that hasn’t been labeled by Google yet and here’s what would happen.

First, inside the “./files” folder, there is typically a file named “b.log”. This file contains the website that these files redirect to when clicked on only from a Google Search Results Page (SERP).

For instance in one investigation the b.log file looked like this:

kqx7ea.xorg.pl|1271657010

Anyone clicking on a Google SERP for this particular website would be directed to:

http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN http://kdsproductions.com/ekctj.php?p=the%20hitcher%20movie

Which then redirects to:

http://www4.nomikals2.com/?p=p52dcWltbV%2FRlsijZFaZp29e2KHObWOXk5ecmmFoZG6a http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN

Which redirects to:

http://www2.scanprotection34p.net

Which wants to install a fake (rogue) anti-virus program on your PC.

What to look for

Look in your root folder for your website. It might be public_html or just html. Look for any .php files that have five letters that look totally random. From what we can tell, they are totally random. Then make sure that your FTP software is showing hidden files and folders. Look for a folder named “files” and see if there aren’t a whole lot of .html files in there that you’re quite certain, you didn’t put there.

What to do

If you do find these instances on any of your websites, remove the ./files folder and the five letter randomly named .php file. There may also be .php files installed in your images folders. Search all files for the string:

eval(base64_decode( followed by a long list of characters. Don’t just delete this file, but examine it. If you need help decoding it, please email at: traef@wewatchyourwebsite.com

In all our cases, we’ve found that the culprit was a virus on a PC with FTP access to the infected website. We’ve seen the FTP logs and we’ve identified the IP addresses that some of these files came from.

As with many website infections, the first step is change all FTP passwords and do not save them on any PC – yet.

Then obviously remove all the files identified above.

Next, install a different anti-virus program on your PC. The reason is that these viruses and trojans know how to evade detection of the anti-virus program that’s already been installed when the virus first infected the PC. In order to find and remove the viruses you have to install a different anti-virus program.

Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then try one of the other two – it has to be different.

Once you’ve found and removed the virus or trojan, you can then use your FTP program with the new passwords and feel safe.

The last thing to do is to Request a Review from your Google Webmaster Tools – if your site has tagged with the warning this site may harm your computer.

All of our clients prevented this warning by our monitoring service. While we couldn’t prevent their PCs from getting infected, we could detect when their websites changed. We immediately removed the files and alerted them to take the above steps to clean their PCs. Their websites were never blacklisted by Google because of our automated cleaning process.

If you’d like to be protected, please send me an email: traef@wewatchyourwebsite.som

If you have any comments, please feel free to register and let me know your thoughts or experience with this type of infection.

2 Responses to The recent "Movie Review" infections

  1. Pingback: Major Security Warning for Anyone Using Ad Services | Marty Thornley

  2. Pingback: Tweets that mention The recent “Movie Review” infections | Website Security -- Topsy.com

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>