InterShield Evolves

Posted at March 19, 2018 at 7:17 am by Ylber Popaj

InterShield Evolves

InterServer’s InterShield system is able to stop many attacks and updates daily based on new data including new possible malware, known exploits and other Common Vulnerabilities. However, sometimes even with all these a new type of malware comes up.

In a recent case a site was redirecting to a pharmacy website but only when coming from a google search engine result. The site initially passed all scans of known vulnerabilities, the url did not exist in the code or database and it was reproducible. In this cases advanced debugging is needed. So xcache with trace was enabled which determined some interesting results. Follow this brief analysis and walk-through of our debugging process!

 

Debugging Begins

Starting here we load a normal WordPress file:

 

  •                     0.2006   18215480               -> force_ssl_admin() /home/xxxxx/public_html/
  •          fanxxx/wp-includes/default-constants.php:295
  •  0.2010   18242992             -> require(/home/xxxxx/public_html/
  •          fanxxx/wp-includes/vars.php) /home/xxxxx/public_html/
  •          fanxxx/wp-                settings.php:290

 

WGET

However, here the include is for a file not found in WordPress, so we continue to debug. We soon find that the URL being called was /privacy-policy/. We then execute a ‘wget’ to a remote URL. The wget then gives this information which does the redirect:

 

 0.4207 18334192 >=> ‘HTTP/1.1 200 OK\r\nDate: Fri, 02 Mar 2018 16:17:56 GMT\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.3.3\r\nContent-Length:   82\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<location>http://med-shop24x7.com/site/search?q=finast&track=all-fancou</location>’

 

In the vars file we find:

  •           * @package WordPress
  •           */@require_once(‘class.wp-includes.php’);

 

The @require_once is hidden after a comment.

 

Debugging Ends


End Notes

Using this data the our staff was able to  to create virus signatures in order to detect these. Class.wp-include.php signature is available at:

http://sigs.interserver.net/info?hash=7fee30e79473e63c6393adc6fa183a2036689e4d9b3317b25bf5166d77d23b6e.

InterServer’s virus db detects most common malware and is available from https://interserver.net​.  InterServer will continue to provide security updates to our customers so stay tuned for more on the expansion of our powerful InterShield.

 

You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply