If you have any question about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.
Question: My site got hacked and it is distributing malware. Why would anyone do that to me? I don’t know much about viruses on web sites. How do they work?
This is a question we get very often. How can a site have a “virus”? Where does it hide? How does it work? Why would anyone hack my site?
1- Why would anyone hack my site?
2- What can they gain by hacking my site?
3- How can they find my site and hack it?
4- Where can they hide the malware in my site?
5- How can I check if my site is hacked?
1- Why would anyone hack my site?
Is your site small? Very low page rank? Very few visitors? Or a big site with thousands of users?
It really doesn’t matter much. Most malware (and spam) attacks on web sites are automated, where the attackers crawl thousands of sites and check if they are vulnerable/outdated and try to compromise them.
They often do search engine searches looking for specific plugin or software usage and try to compromise the sites found in there.
So, even if your site is small, it can still be found and hacked. Most of the time it is not a targeted attack against you, but you got mixed as part of a large malware campaign.
2- I mean, seriously, why? What does anyone gain by hacking my site?
It depends on the goal of the attacker. In blackhat SEO spam campaigns, they compromise thousands of sites and insert links back to their own domains. Their gain is financial: their own sites get a big boost in page rank and better results in search engines.
Those services are also sold by some SEO companies to help their clients increase their page ranks and search engine visibility.
On malware attacks, their goal is a bit different. Some of them infect sites in order to compromise the desktops of the users visiting them, so the web site compromise is just a means to the goal of having thousands of desktops hacked (which they can use to steal credit card information, build botnets, etc.).
In other cases, they hack web sites to hide phishing pages (fake bank or credit card pages), DoS (denial of service) tools, or even spam mailer tools.
In the end, the benefit for the attacker is huge. They get more resources, more backlinks, more visibility for their malware campaigns, or anything else they want to do.
3- How can they find my site? Can you give an example?
Finding sites to compromise is very easy. Some attackers have lists with millions of sites that they simply scan, looking for specific vulnerabilities to exploit. They can go to Alexa, get the top 1M sites and start from there.
Do you want a simple example? Look at these logs:
174.143.172.111 - - [01/Mar/2012:02:26:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 219 "-" "-"
174.143.172.111 - - [01/Mar/2012:02:26:31 -0500] "GET /phpmyadmin1/index.php HTTP/1.1" 404 219 "-" "-"
219.129.216.34 - - [01/Mar/2012:10:55:00 -0500] "GET /phpmyadmin2/index.php HTTP/1.1" 404 218 "-" "-"
219.129.216.34 - - [01/Mar/2012:10:55:01 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 219 "-" "-"
Do you know what is happening here? Someone is scanning my site, checking whether I have phpMyAdmin installed in any of several directories (phpmyadmin, phpmyadmin1, mysqladmin, etc.).
Do you know what happens if they find it? They will try to compromise it using the latest vulnerabilities found in phpMyAdmin. After that, well, they own the site and can do anything they want with it.
*Btw, did you ever install phpMyAdmin on your site and forget it there? Better remove it, or make sure it is updated; otherwise you can become one more victim of these attacks.
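If you want to spot this kind of scanning in your own logs without reading them line by line, here is a small log parser as an added example (not code from the original post or from Sucuri). It reads Apache combined-format lines like the ones quoted above, and reports any client that requested several admin-tool paths and got 404s, which is the signature of an automated probe rather than a real visitor. The sample lines, the PROBE_MARKERS list and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments that automated probes for database admin tools typically request
# (a constructed list; extend it with whatever tools you do not run).
PROBE_MARKERS = ("phpmyadmin", "mysqladmin", "myadmin", "pma")

# Constructed sample log, modelled on the post's excerpt plus two normal visits.
SAMPLE_LOG = """\
174.143.172.111 - - [01/Mar/2012:02:26:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 219 "-" "-"
174.143.172.111 - - [01/Mar/2012:02:26:31 -0500] "GET /phpmyadmin1/index.php HTTP/1.1" 404 219 "-" "-"
219.129.216.34 - - [01/Mar/2012:10:55:00 -0500] "GET /phpmyadmin2/index.php HTTP/1.1" 404 218 "-" "-"
219.129.216.34 - - [01/Mar/2012:10:55:01 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 219 "-" "-"
10.0.0.5 - - [01/Mar/2012:11:00:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2012:11:00:02 -0500] "GET /about/ HTTP/1.1" 200 4210 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_probe(path):
    """True if the requested path looks like a probe for a database admin tool."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def find_scanners(log_text, min_probes=2):
    """Map client IP -> list of probed paths, for clients that hit admin-tool
    paths at least min_probes times and received 404 (the tool is not there)."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and is_admin_probe(rec["path"]):
            probes[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in probes.items() if len(paths) >= min_probes}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} admin-tool probes -> {', '.join(paths)}")
```

Feed it a real access log by replacing SAMPLE_LOG with the file contents; a client that shows up here is not a customer, and if any of those paths ever return 200 instead of 404, you have found a forgotten install that needs to be removed or updated.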
4- So where is this web based malware hidden?
There are many types of web-based malware and it can be hidden on multiple places. The most common ones are:
.htaccess file
The .htaccess allows you to control how your site will behave. You can configure redirections, PHP settings, and many other options in there. See how useful it can be to an attacker?
What we often see is the attacker redirecting users coming from search engines (like Google or Bing) to another web site (generally on .ru, .in or free domains) where they will try to compromise the poor user. Example:
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovusk…/in.php?g=916 [R,L]
See what it is doing? If you visit the site by typing its address in the browser, nothing will happen. However, if you search for something on Google and click on a link to this site, you get redirected to the bad domain.
Sneaky… We call this conditional malware, and it is very hard for the site owner to detect, since most of the time they will be visiting the site directly instead of finding it through Google. More details about .htaccess attacks here.
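Because the redirect only fires for search-engine visitors, the reliable check is to read the .htaccess itself rather than to browse the site. The following is an added example (not Sucuri's code and not from the original post) that walks a .htaccess, pairs each RewriteRule with the RewriteCond lines above it, and flags rules that redirect (R flag or an absolute external URL) while being gated on visitor-dependent variables such as HTTP_REFERER or HTTP_USER_AGENT. The two .htaccess samples are constructed: the suspect one mirrors the snippet above with a placeholder target domain, and the benign one is a typical WordPress permalink block that must not be flagged.

```python
import re

# Constructed: same shape as the malicious rule set quoted in the post,
# with a placeholder instead of the real redirect target.
SUSPECT_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://attacker-placeholder.invalid/in.php?g=916 [R,L]
"""

# Constructed: a legitimate WordPress permalink block (internal rewrite only).
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{(?P<var>[A-Z_]+)\}\s+(?P<pattern>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?', re.I)
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<target>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?', re.I)

# Variables that depend on who the visitor is rather than on what file exists.
TRAFFIC_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR"}
SEARCH_ENGINE_HINTS = ("google", "bing", "yahoo", "search")


def find_conditional_redirects(htaccess_text, own_hosts=()):
    """Return one finding per RewriteRule that both redirects and is gated on
    visitor-dependent RewriteCond lines. own_hosts lists hostnames that count
    as internal, so a redirect to your own canonical domain is not flagged."""
    findings = []
    pending = []  # RewriteCond lines that apply to the next RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group("var").upper(), m.group("pattern")))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        flags = [f.split("=")[0].strip().upper() for f in (m.group("flags") or "").split(",")]
        lower_target = target.lower()
        external = lower_target.startswith(("http://", "https://")) and \
            not any(h.lower() in lower_target for h in own_hosts)
        redirects = "R" in flags or external
        gated = [c for c in pending if c[1] in TRAFFIC_VARS]
        if redirects and gated:
            findings.append({
                "line": lineno,
                "target": target,
                "conditions": [f"{var} {pat}" for _, var, pat in gated],
                "search_engine_referer": any(
                    var == "HTTP_REFERER" and any(h in pat.lower() for h in SEARCH_ENGINE_HINTS)
                    for _, var, pat in gated),
            })
        pending = []  # in mod_rewrite, conditions apply only to the next rule
    return findings


if __name__ == "__main__":
    for f in find_conditional_redirects(SUSPECT_HTACCESS):
        print(f"line {f['line']}: redirect to {f['target']} when "
              f"{' / '.join(f['conditions'])} (search engine referer: {f['search_engine_referer']})")
```

Run it over every .htaccess on the account (they can sit in subdirectories, not just the web root). A hit with search_engine_referer set is exactly the pattern described above; anything else it flags deserves a look too, since a legitimate site rarely has a reason to send visitors elsewhere based on their browser or where they came from.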
Index and other main files
Those are the common ones. The attackers inject iframes, remote JavaScript includes, encoded content (eval followed by gzdecode, base64_decode, etc.) and all types of stuff to deliver their malware. Many times they restrict it by browser type, operating system and location to make it harder to detect. Simple example:
eval(base64_decode('aWYoZnVuY3Rp…
Most of our malware posts talk about them if you want more details.
Other hidden places
These are just examples, but on WordPress sites we often see malware hidden inside the theme, posing as a plugin, inside wp-config.php, or inside the database.
But that’s not all: they can also use php.ini, hide inside images, use curl to download the bad content, and all sorts of techniques to disguise what they are doing and make it harder to find.
There are also backdoors. Oh, backdoors: they can be hard to find.
5- How can I check if my site is compromised?
There is no easy answer for that. We recommend trying our malware scanner, SiteCheck, which should find most of these things.
Cleaning up the mess is not that simple, but it is possible. You can hire professionals to do it or attempt it yourself. If you are doing it on your own, I recommend starting clean: back up your theme (template) files, your database and your configuration files. After that, remove everything else and reinstall based on your backups (just make sure they are clean too).
We have just scratched the surface of web-based malware and will do many follow-up posts with more details. Have any questions or comments? We are happy to answer them.
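"Make sure they are clean too" is the hard part of the reinstall, and the most dependable way to do it is to compare what is on the server against a fresh copy of the same software version. Here is an added example (not Sucuri's code and not from the original post) that hashes every file under a known-good tree and under the live tree, then reports files that were modified, added, or removed. The sample trees are constructed in memory so the script runs offline; manifest_from_dir() does the same thing for real directories. The decision to skip wp-content/uploads/ is an assumption for the example, since that directory is expected to differ.

```python
import hashlib
import os


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def manifest_from_dir(root):
    """Hash every file under root; keys are forward-slash paths relative to root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = sha256_bytes(fh.read())
    return out


def manifest_from_files(files):
    """Same shape as manifest_from_dir(), built from an in-memory {path: bytes} dict."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def compare_manifests(baseline, live, ignore_prefixes=("wp-content/uploads/",)):
    """Classify the live tree against a known-good baseline.
    Files under ignore_prefixes (user content) are not reported as added/modified."""
    added, modified, missing = [], [], []
    for path, digest in live.items():
        if path.startswith(ignore_prefixes):
            continue
        if path not in baseline:
            added.append(path)          # not in the clean download: injected or leftover
        elif baseline[path] != digest:
            modified.append(path)       # core/theme file changed: inspect before keeping
    for path in baseline:
        if path not in live:
            missing.append(path)        # deleted on the server, restore from the clean copy
    return {"added": sorted(added), "modified": sorted(modified), "missing": sorted(missing)}


# Constructed sample trees standing in for a fresh download and the live site.
CLEAN = {
    "index.php": b"<?php require 'wp-blog-header.php';",
    "wp-includes/functions.php": b"<?php function wp_ok() {}",
    "wp-content/themes/mytheme/header.php": b"<html><head></head>",
}
LIVE = dict(CLEAN)
LIVE["index.php"] = CLEAN["index.php"] + b"\neval(base64_decode('x'));"   # modified
LIVE["wp-content/plugins/someplugin/.cache.php"] = b"<?php /* placeholder */"  # added
LIVE["wp-content/uploads/2012/03/photo.jpg"] = b"\xff\xd8\xff"             # user content, ignored
del LIVE["wp-includes/functions.php"]                                        # missing


if __name__ == "__main__":
    report = compare_manifests(manifest_from_files(CLEAN), manifest_from_files(LIVE))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:9} {p}")
```

In practice, build the baseline with manifest_from_dir() on a freshly downloaded copy of the exact same version of the core, theme and each plugin, and the live manifest on the backup you intend to restore. Anything in "modified" or "added" that is not a file you deliberately edited goes back to the clean copy, not into the new install.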