Here is a screen from a web hosting company’s website showing their pricing:

What they don’t know is that they have been hacked:

Someone created a folder with a rather NSFW title.

Clicking on it loads a webpage full of exploits linking to: yuh.afyopku.cn

I don’t know about you, but I wouldn’t trust a hosting company whose own site has been hacked.

Jerome Segura

Criminals like to plant code in the sites they want to hack so that they can remotely gain access to them.

Here is an example of a legitimate site that was hacked. A few ‘php’ scripts (also known as shells) were uploaded into the ‘images’ folder – something that should raise suspicions.

Let’s take a look at one of these files: ShadowX.php. If you open it in a text editor you will notice that is not humanly readable:

In order to view its actual content, you need (in this case) to decode the base64 encoding. Once this is done you can see what the purpose of the file actually is (various remote capabilities).

Now all they need to do is execute the ‘php shells’ remotely and they have full control and an overview of your website’s server:

From there they can type commands that include reading customer records, deleting files or launching attacks on other sites:

You never thought your website could be turned into something that bad did you?

Jerome Segura

The free file hosting services fileave.com and ripway.com seem to have been shutdown today.

They were both owned by Ripside Interactive Inc. which also appears to be down.

The registrant was:

Smith, Scott

ATTN FILEAVE.COM

care of Network Solutions

PO Box 459

Drums, PA.  US  18222

The sites were notorious for hosting a lot of malware giving the bad guys great tools to infect PCs worldwide.

My friend Steven Burn over at the hpHosts blog had several run-ins with fileave.com.

As a matter of fact up until yesterday we saw various Trojans being hosted there:

I guess the bad guys will have to go find somewhere else to put down their payloads.

Jerome Segura

Sometimes it is pretty obvious when a site has been hacked:

Beside the error messages on the page, how about a Java application named PayPal? Or a script to display the passwords stored on the server?

Let’s take a look at the ‘PayPal applet’ (click to enlarge):

Here is a piece of code that grabs the infected computer’s information, such as OS version, Java version etc…

vuzia.com/get.php?os=Windows+XP&jv=1.6.0_16&ov=x86&t=35DC92D76FEAF0125F0DE161FE9861
ADD8B7157A&f=522F051368ED46EE5FC992CA6764B7EB

Let’s check out what this domain (vuzia.com) is:

It’s actually a forum dedicated to hacking web servers:

A somewhat restricted forum you might say, as you need to be a ‘paying customer’:

What exactly are they selling on this forum? Well, how about custom Java malware scripts?

Here are some excerpts of a post describing what to hack and how to do it:

“Because I wanted to show how effective my software works, and make a good impression on the infection rate, I needed traffic.”
“Websites that had a java pop up on them by default, because that is what my driveby does too. So to reduce suspicion I needed that.
“Well what is the best high traffic place to find this, filled with people that press run without even looking? Runescape.”
“I looked up some private server domains, pinged them, got their IP, and nmapped them.”
“I than just googled all the software, looking if there were any public exploits for them.”
“You’re able to exploint at least 10 servers in one hour.”

Full transcript below (click to enlarge):

Although the forum was created a few days ago, there are already about 50 registered users:

So many servers are running old versions of various software programs. You can see that all it takes is a bit of googling and a few tools to start a hacking spree.

If you’d like to scan your site to make sure it is all patched and secure, feel free to use our free website scanner. It will give you a report showing any vulnerability that may exist.

Jerome Segura

Hello and welcome. For those who don’t know me I have been maintaining the MalwareDiaries blog over at ParetoLogic where I was a security researcher.

I have since then changed job and am now working for SparkTrust Systems. Here I will be blogging about all things web security related, from hacked sites to data leaks.

Stick around and I hope you enjoy the ride

Jerome Segura