Tag Archive: hacked


A few days ago, Polonus posted about the relationships between unknown HTML and xmlrpc.php malware. Recently, Essexboy, Polonus, and I had the opportunity to help out a website owner who was infected by his own site. Check out the avast! topic.

At first, the website appeared fine. However, when the request carried a search-engine referral, the response header was a 302 redirect:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Feb 2013 19:29:17 GMT
Server: Apache
Location: hXtp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html

Also see: urlQuery Report & Sucuri Results

So then I wondered: what was the root cause behind the redirect? At first I thought it was an .htaccess redirect, but later Polonus discovered that it was an xmlrpc.php redirect.
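A defender's check for the behaviour shown above, as an added example that is not code from the original post: parse two raw HTTP response heads, one from a direct request and one from the same URL requested with a search-engine Referer, and report the redirect target only when the referred request alone is redirected. Both response heads are constructed; the 302 one reuses the header block quoted above, with its Location kept defanged ("hXtp").

```python
"""Spot a referrer-conditional redirect by comparing two raw HTTP response
heads.  Added example, not code from the original post; the two response
heads at the bottom are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class ResponseHead:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_response_head(raw: str) -> ResponseHead:
    """Parse 'HTTP/x.y CODE reason' plus 'Name: value' lines (names lowercased)."""
    lines = raw.strip().splitlines()
    if not lines:
        raise ValueError("empty response head")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    head = ResponseHead(status=int(parts[1]))
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; a body would follow
        name, sep, value = line.partition(":")
        if sep:
            head.headers[name.strip().lower()] = value.strip()
    return head


def conditional_redirect(direct: ResponseHead, via_search: ResponseHead) -> Optional[str]:
    """Return the redirect target when only the search-referred request is
    redirected.  A redirect on the direct request too is not conditional and
    is left for the site owner to judge."""
    if direct.status in REDIRECT_CODES:
        return None
    if via_search.status in REDIRECT_CODES:
        return via_search.headers.get("location", "<no Location header>")
    return None


# Constructed response for the direct request (no Referer).
DIRECT_HEAD = """HTTP/1.1 200 OK
Date: Thu, 28 Feb 2013 19:29:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
"""

# Constructed response for the same URL with a search-engine Referer; the
# header lines are the ones quoted in the post, Location kept defanged.
VIA_SEARCH_HEAD = """HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Feb 2013 19:29:17 GMT
Server: Apache
Location: hXtp://fpert.qpoe.com/
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
"""


def check_sample() -> Optional[str]:
    """Run the comparison over the two constructed heads."""
    return conditional_redirect(parse_response_head(DIRECT_HEAD),
                                parse_response_head(VIA_SEARCH_HEAD))


if __name__ == "__main__":
    target = check_sample()
    print("conditional redirect to", target if target else "none")
```

To capture the two heads for a real site, `curl -s -D - -o /dev/null URL` gives the direct head and adding `-e 'https://www.google.com/'` (curl's Referer option) gives the referred one. The `Vary: Accept-Encoding,User-Agent` header in the quoted response is a hint that the answer may also depend on the User-Agent, so a second pair captured with a browser `-A` string is worth comparing the same way.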

Always keep your WordPress up-to-date,
~!Donovan

Updated 51la Malware ~ No Antivirus Detects

A site recently got hacked and was redirecting users, as reported on the avast! forums. Based on the Sucuri and VirusTotal results Pondus gave, I decided to dig a little deeper. I found the following in the HTML returned by the hacked site:

Which can be beautified as follows:

Well, look at that! A block of HTML that only appears if the user has scripts disabled. And look at that! An .asp file as the source of an image tag. Suspicious, no?

There is also a script tag for those who do run scripts. I sent the URL to JSunpack.

The unreadable code strikes again. I have parsed it into readable content:

The following checks for a few specifics, then generates a cookie based on what they return. Shortly after, the document is fed an invisible image whose source is a go.asp?… request. At least one antivirus should have considered this suspicious.

OK, but does it work? I sent the URL to urlQuery to confirm just that. Notice that the image preview says “Connecting to web1.51.la”, which means the exploit is live and active.

Below are the VirusTotal results: not detected by any antivirus.

Script Getter (As seen in Figure 2) | Script Original (As seen in Figure 3) | Script Beautified (As seen in Figure 4)


Could use the following syntax: Base([a/random-letter][4-random-numbers])Mix([2-random-letters])

~!Donovan

A user reported on the avast! forums that another site was found infected with the Blackhole Exploit. Confirmed with urlQuery and Sucuri; researching the Blackhole site, Google says it has infected over 23 sites while Sucuri says it’s been used for redirection.

So, just how many scanners will detect this (besides urlQuery and Sucuri, of course)?

Interesting,
~!Donovan

WRI Official Site

The World Resources Institute, or WRI for short, has a sub-domain, namely cait, that is blacklisted by Google with the “This site may be compromised” tag. Details about this tag can be found in various sources.

Google Search of WRI CAIT

Google Return For WRI CAIT

WRI CAIT Official Site


So, why exactly is Google warning us? Let's look at the urlQuery results. The first thing we notice is a redirect to the main domain. Let's look at the header’s return:

CAIT WRI Get Response

First, we know that this is a 302 redirect to the target page of CAIT from the official site. Second, they use an outdated version of Apache; the latest stable release was version 2.4.2, released 2012-04-17. But what is the offending content that this site returns? The suspicious element I found is below:

WRI CAIT init4q function

Which returns:

CAIT WRI init4q function Return

Notice the site name: it is detected by two engines at urlVoid, and if you check the history you'll notice these are the same results as two months ago. There isn’t really anything on the site, however, not even close to a site. It could be associated with phishing.

Outdated sites are more likely to get hacked,
~!Donovan

Zappier Technology Homepage

Yesterday, this out-dated WordPress site was hacked. The webmaster took the immediate action required: posting the information to the public. He reported the issue to the WordPress forum and the avast! community forum, and also asked for help at Stack Overflow, but that question was removed; Google Cache saves us in this case. Let's check some of the links our friend Pondus provided. Sucuri SiteCheck tells us that the main site contains a redirect set in the .htaccess file. A similar .htaccess hack was mentioned here. Various Blackhole exploit malware is also present in case the redirect is cleared. urlQuery returns the signatures ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 3 and SPECIFIC-THREATS Blackhole landing page with specific structure – prototype catch, with a severity of 1. Let's see why.
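To make the .htaccess side of this concrete, here is an added example (not the post's, Sucuri's, or the site's own code) that scans an .htaccess file for the pattern behind a referrer-based redirect: a RewriteCond on %{HTTP_REFERER} matching search-engine names, bound to a RewriteRule whose target is an absolute external URL. The sample .htaccess is constructed, and its redirect host is a placeholder.

```python
"""Flag .htaccess rewrite blocks that send search-engine visitors to an
external site.  Added example, not code from the post or from Sucuri; the
sample file at the bottom is constructed."""
import re
from typing import List, Tuple

# Referer names an injected rule typically keys on; extend to taste.
SEARCH_ENGINE_RE = re.compile(r"google|bing|yahoo|msn|aol|ask\.com", re.I)
EXTERNAL_URL_RE = re.compile(r"^https?://", re.I)

Finding = Tuple[int, str, str]  # (line number, RewriteCond pattern, redirect target)


def find_referrer_redirects(htaccess: str) -> List[Finding]:
    """Walk the file; RewriteCond lines bind to the next RewriteRule, as in
    Apache.  Report a RewriteRule whose target is an absolute external URL and
    whose bound conditions test HTTP_REFERER against search-engine names."""
    findings: List[Finding] = []
    pending: List[Tuple[str, str]] = []  # (cond variable, cond pattern) awaiting a rule
    for lineno, raw in enumerate(htaccess.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond" and len(tokens) >= 3:
            pending.append((tokens[1], tokens[2]))
        elif directive == "rewriterule" and len(tokens) >= 3:
            target = tokens[2]
            referer_patterns = [pat for var, pat in pending
                                if var.upper() == "%{HTTP_REFERER}"
                                and SEARCH_ENGINE_RE.search(pat)]
            if referer_patterns and EXTERNAL_URL_RE.match(target):
                findings.append((lineno, referer_patterns[0], target))
            pending = []  # conditions are consumed by the rule they precede
    return findings


# Constructed sample: the standard WordPress block followed by an injected one.
SAMPLE_HTACCESS = r"""# BEGIN WordPress (standard block, left as-is)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Constructed injected block: only visitors arriving from a search engine are sent away
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
"""


if __name__ == "__main__":
    for lineno, pattern, target in find_referrer_redirects(SAMPLE_HTACCESS):
        print(f"line {lineno}: referer matching {pattern!r} is redirected to {target}")
```

Point it at every .htaccess under the web root (the WordPress one, but also any dropped into wp-content or upload directories) and treat any hit as a cleanup item; the legitimate WordPress block never rewrites to an absolute external URL, which is why it produces no findings here.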

Zappier Technology JavaScript frmAdd() Function

Oh, nothing more than the typical hidden iframe that the BlackHole Exploit Kit uses. By setting the iframe's top and left CSS rules to -999em, it is rendered out of the user’s sight, which avoids detection by scanners that only search for a small height and/or width. It leads to the BlackHole exploit hotspot, ‘Miami Tickets’. However, HostGator noticed the malicious activity and closed that site. The user has yet to change the .htaccess rules, so the redirect to MercuryTutors is still there; Sucuri caught this behavior.
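The -999em trick above, and the noscript image with an .asp source from the 51la post, are both things a static scan of the returned HTML can catch. The following is an added example written for this page, not the posts' code: it walks the HTML with Python's html.parser and reports iframes pushed off-screen by a large negative top/left (not just a tiny width or height), iframes with a 0 or 1 pixel dimension, and images inside noscript whose source is a server-side script. The sample HTML is constructed and every host in it is a placeholder.

```python
"""Find iframes and noscript images hidden the way the two posts describe.
Added example, not the posts' own code; the sample HTML is constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# A top/left offset of at least this many em/px/% is treated as off-screen.
OFFSCREEN_MIN = 100
OFFSCREEN_RE = re.compile(r"\b(top|left)\s*:\s*-\s*(\d+)\s*(em|px|%)", re.I)
TINY_RE = re.compile(r"^\s*[01](?:px)?\s*$", re.I)
SCRIPT_IMAGE_RE = re.compile(r"\.(asp|aspx|php|jsp|cgi)(\?|$)", re.I)

Finding = Tuple[str, str, List[str]]  # (tag, src, reasons)


def hidden_reasons(attrs: Dict[str, str]) -> List[str]:
    """Explain why an element would be invisible to the visitor, if it would."""
    reasons: List[str] = []
    style = attrs.get("style", "")
    for prop, amount, unit in OFFSCREEN_RE.findall(style):
        if int(amount) >= OFFSCREEN_MIN:
            reasons.append(f"positioned off-screen ({prop.lower()}:-{amount}{unit})")
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        reasons.append("hidden via CSS")
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and TINY_RE.match(value):
            reasons.append(f"tiny {dim}={value.strip()}")
    return reasons


class HiddenElementScanner(HTMLParser):
    """Collects hidden iframes and script-backed noscript images."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self.noscript_depth = 0

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {name: (value or "") for name, value in attrs}
        if tag == "noscript":
            self.noscript_depth += 1
        elif tag == "iframe":
            reasons = hidden_reasons(a)
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), reasons))
        elif tag == "img" and self.noscript_depth:
            # Scripts disabled: an image fetched from a server-side script is
            # the fallback beacon the 51la post shows.
            reasons = hidden_reasons(a)
            if SCRIPT_IMAGE_RE.search(a.get("src", "")):
                reasons.insert(0, "noscript image served by a script")
            if reasons:
                self.findings.append(("img", a.get("src", ""), reasons))

    def handle_endtag(self, tag: str) -> None:
        if tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1


def scan_html(html: str) -> List[Finding]:
    """Return every hidden iframe / suspicious noscript image in document order."""
    scanner = HiddenElementScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate iframe, then three injected elements.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://partner.example/widget" width="300" height="150"></iframe>
<noscript><img src="https://tracker.example.invalid/go.asp?id=placeholder" width="1" height="1"></noscript>
<iframe src="https://landing.example.invalid/" style="position:absolute;top:-999em;left:-999em" width="300" height="300"></iframe>
<iframe src="https://other.example.invalid/" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_HTML):
        print(f"{tag:6} {src}  <- {'; '.join(reasons)}")
```

Because the Blackhole iframe is written by a script (the frmAdd() function), a static scan of the raw page only sees it once the script's string is decoded or the rendered DOM is dumped; feeding either to scan_html() works the same way.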

Stay Safe,
~!Donovan