Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .
This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
It’s a follow up to my post about server-wide iframe injection attack where I asked for any information about that tricky hack. Thanks to my readers and administrators of infected servers I have some new information about it. Now I know how it works and what is infected, but still have no idea how hackers break into servers, so your input is welcome.
This post is a request for information.
This summer I come across some clearly infected servers where I can’t figure out how exactly the hack works and what should be done to clean them up and to protect other servers from similar hacks. So I decided to share my information about the issue and hope someone could shed some light on it.
Here we go »»
When Michael VanDeMar mentioned the malicious “googlesafebrowsing .com” domain, I decided to check how exactly it was used in malware attacks. It’s quite a popular trick to mimic Google’s own domains to make malicious code look legitimate. I have a “collection” of several dozens on misspelled Google Analytics domains alone that were used for malware distribution. In this case, the domain name was made up rather than misspelled. It referres to Google’s Safe Browsing project and their diagnostic pages that actually use the google.com domain (as most other Google’s services).
This is a review of the malware injection attack that I see quite often lately.
On Safe Browsing diagnostic pages, infected sites usually mention the following domains:
Malicious software is hosted on 4 domain(s), including new-solomon .cz.cc/, newsalamandra .cz.cc/, banpox .cz.cc/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including chadon .nl/, 75.127.108 .0/.
In intermediaries, they usually include chadon .nl, corkit .co, tongho.co.th and some IP address.
On infected sites, I found various modification of a script that generally looks like this:
EMI Music is one of the world’s leading music companies with many successful record labels and signed popular artists that include The Beatles, Depeche Mode, Gorillaz, Iron Maiden, Kylie Minogue, Pink Floyd, Queen, Snoop Dogg and many more. They have their own web hosting subsidiary EMIHosting.com that provides web space for EMI’s websites and many official websites of EMI artists.
In the beginning of this September EMI Hositng.com was attacked by hackers. As a result more than a hundred websites on a server with IP address of 195 .225 .83 .57 have been infected with a malicious iframe. Google’s diagnostics page for AS34401 (EMIMUSICGROUP) says: