Posted to users@spamassassin.apache.org by Spectrum CS <sp...@spectrumcs.net> on 2014/09/03 19:28:28 UTC

Hacked Wordpress sites & Cryptolocker


Hi All,

I thought I'd share this in case it's helpful to anybody else. Today a series of emails passed through our SpamAssassin filter cleanly which had URLs to WordPress sites like the following...

hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561
hXXp://vertaser.ru/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296

Clicking those links bounces you over to hXXp://royalmail-service.co.uk and, using the ruse that they have missed a parcel delivery, encourages end users to enter the captcha. They then end up downloading a 200KB track_c4ca4238a0b923820dc.zip file which contains a track_89258099.exe file which is infected with the Cryptolocker virus. (The timestamp of the track_89258099.exe is 2014-09-03 09:07. The captcha number is always the same, as is the zip and exe file name. I've downloaded from multiple locations.)

As of an hour ago VirusTotal showed that only Malwarebytes detected the infection; however, one of my users had downloaded and executed the track EXE and it was detected by AVG, but not after having encrypted about 700 files which I've restored from backup.

I've just crafted the following rule in order to block any more of these messages reaching end users, as having now looked through the logs I've found about 15 have come through today (all originating from the same IP in Russia?!)

uri __SCS_HACKED_WORDPRESS_URIa /wp-content\/(plugins|themes)/is
uri  __SCS_HACKED_WORDPRESS_URIb /wp-includes/is
meta  SCS_HACKED_WORDPRESS_URI (__SCS_HACKED_WORDPRESS_URIa || __SCS_HACKED_WORDPRESS_URIb)
describe SCS_HACKED_WORDPRESS_URI Mail contains a URL which looks like it points to a hacked wordpress site
score SCS_HACKED_WORDPRESS_URI 5

I appreciate that the score of 5 is high, but as a WordPress user I've never needed to use URLs which contain wp-content or wp-includes, as they are used by the internal mechanism of the framework, so I feel confident of not getting any false positives.

Any comments welcome

Regards

Steve

DISCLAIMER
This email is for the use of the intended recipient(s) only. If you have received this email in error, please notify the sender immediately and then delete it. 
If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author’s prior permission. 
We have taken precautions to minimise the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message.
We cannot accept liability for any loss or damage caused by software viruses.
The information contained in this communication may be confidential and may be subject to the attorney-client privilege. 
If you are the intended recipient and you do not wish to receive similar electronic messages from us in future then please respond to the sender to this effect.



Re: Hacked Wordpress sites & Cryptolocker

Posted by Reindl Harald <h....@thelounge.net>.

Am 05.09.2014 um 16:49 schrieb Mike Grau:
>> I'm testing versions that insist on .php and am getting very good
>> results.  Thanks to the OP for pointing this out!
> 
> I'm also getting WP phishing urls that end in "/", like so:
> 
>  ... /wp-includes/logs/
> 
> Presumably, this is the equivalent of /wp-includes/logs/index.php?

surely, "index.php" and "index.htm" are usually DirectoryIndex



Re: Hacked Wordpress sites & Cryptolocker

Posted by Paul Stead <pa...@zeninternet.co.uk>.
I do see some FPs, but not many; this combined with one or two rules from the sandbox seems to be doing okay

meta BODY_URI_ONLY_WP ((BODY_URI_ONLY || BODY_SINGLE_URI) && LOC_WP)

On 05/09/14 18:06, John Hardin wrote:
> On Fri, 5 Sep 2014, Paul Stead wrote:
>
>> What would the thoughts on something like the following be?
>>
>> uri LOC_WP  m{/((wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module).{0,64}(?!gif|jpg|png|bmp).{3})$}
>>
>> This seems to match on the example posted, uses a negative match to not match common image file types
>
> I've added it to my sandbox with minor tweaks to give masscheck a chance to evaluate it. Unfortunately if it does FP very much I can't provide examples of what it FPs on for any message that's not in my corpora...


--
Paul Stead
Systems Engineer
Zen Internet

Re: Hacked Wordpress sites & Cryptolocker

Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 Sep 2014, Paul Stead wrote:

> Appreciate you adding this John,
>
> I believe the adjusted rule is slightly off:
>
> uri         __PS_TEST_LOC_WP 
> m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{0,64}(?!\.gif|\.jpg|\.png|\.bmp).{4}$;i
>
> should do with your adjustment

Gah. You're right, thanks for catching that.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Ignorance doesn't make stuff not exist.               -- Bucky Katt
-----------------------------------------------------------------------
  12 days until the 227th anniversary of the signing of the U.S. Constitution

Re: Hacked Wordpress sites & Cryptolocker

Posted by Paul Stead <pa...@zeninternet.co.uk>.
Appreciate you adding this John,

I believe the adjusted rule is slightly off:

uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{0,64}(?!\.gif|\.jpg|\.png|\.bmp).{4}$;i

should do with your adjustment

On 05/09/14 18:06, John Hardin wrote:
> On Fri, 5 Sep 2014, Paul Stead wrote:
>
>> What would the thoughts on something like the following be?
>>
>> uri LOC_WP  m{/((wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module).{0,64}(?!gif|jpg|png|bmp).{3})$}
>>
>> This seems to match on the example posted, uses a negative match to not match common image file types
>
> I've added it to my sandbox with minor tweaks to give masscheck a chance to evaluate it. Unfortunately if it does FP very much I can't provide examples of what it FPs on for any message that's not in my corpora...


--
Paul Stead
Systems Engineer
Zen Internet

Re: Hacked Wordpress sites & Cryptolocker

Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 Sep 2014, Paul Stead wrote:

> What would the thoughts on something like the following be?
>
> uri LOC_WP  m{/((wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module).{0,64}(?!gif|jpg|png|bmp).{3})$}
>
> This seems to match on the example posted, uses a negative match to not match 
> common image file types

I've added it to my sandbox with minor tweaks to give masscheck a chance 
to evaluate it. Unfortunately if it does FP very much I can't provide 
examples of what it FPs on for any message that's not in my corpora...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #6: If you can choose what to bring to a
   gunfight, bring a long gun and a friend with a long gun.
-----------------------------------------------------------------------
  12 days until the 227th anniversary of the signing of the U.S. Constitution

Re: Hacked Wordpress sites & Cryptolocker

Posted by Paul Stead <pa...@zeninternet.co.uk>.
What would the thoughts on something like the following be?

uri LOC_WP m{/((wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module).{0,64}(?!gif|jpg|png|bmp).{3})$}

This seems to match on the example posted, uses a negative match to not match common image file types

Paul

On 05/09/14 16:26, Mike Grau wrote:
>>> I'm also getting WP phishing urls that end in "/", like so:
>>>
>>> ... /wp-includes/logs/
>>
>> spample plz?
>
> http://pastebin.com/yBLqTrYP


--
Paul Stead
Systems Engineer
Zen Internet

Re: Hacked Wordpress sites & Cryptolocker

Posted by Mike Grau <m....@kcc.state.ks.us>.
>> I'm also getting WP phishing urls that end in "/", like so:
>>
>> ... /wp-includes/logs/
> 
> spample plz?
> 

http://pastebin.com/yBLqTrYP

Re: Hacked Wordpress sites & Cryptolocker

Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 Sep 2014, Mike Grau wrote:

>> I'm testing versions that insist on .php and am getting very good
>> results.  Thanks to the OP for pointing this out!
>
> I'm also getting WP phishing urls that end in "/", like so:
>
> ... /wp-includes/logs/

spample plz?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Of the twenty-two civilizations that have appeared in history,
   nineteen of them collapsed when they reached the moral state the
   United States is in now.                          -- Arnold Toynbee
-----------------------------------------------------------------------
  12 days until the 227th anniversary of the signing of the U.S. Constitution

Re: Hacked Wordpress sites & Cryptolocker

Posted by Mike Grau <m....@kcc.state.ks.us>.
> I'm testing versions that insist on .php and am getting very good
> results.  Thanks to the OP for pointing this out!

I'm also getting WP phishing urls that end in "/", like so:

 ... /wp-includes/logs/

Presumably, this is the equivalent of /wp-includes/logs/index.php?

-- Mike G

Re: Hacked Wordpress sites & Cryptolocker

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 3 Sep 2014 10:49:50 -0700 (PDT)
John Hardin <jh...@impsec.org> wrote:

> On Wed, 3 Sep 2014, David F. Skoll wrote:

> > I think the FPs can be almost eliminated if we additionally insist
> > the URL contain ".php" somewhere after the /wp-*/ component.

> Right. That's what I'm adding to the versions I'm putting in my
> sandbox.

I'm testing versions that insist on .php and am getting very good
results.  Thanks to the OP for pointing this out!

Regards,

David.


Re: Hacked Wordpress sites & Cryptolocker

Posted by John Hardin <jh...@impsec.org>.
On Wed, 3 Sep 2014, David F. Skoll wrote:

> On Wed, 03 Sep 2014 19:36:00 +0200
> Axb <ax...@gmail.com> wrote:
>
>> I've seen a rather large number of legit msgs including links to
>> images in /wp-content/
>
> I tested the rule.  Lots of false-positives.
>
> I think the FPs can be almost eliminated if we additionally insist the
> URL contain ".php" somewhere after the /wp-*/ component.  All the FPs I've
> seen so far point to images.  And since WordPress is written in PHP,
> any malware dumped into a WP directory is likely to be in PHP also.

Right. That's what I'm adding to the versions I'm putting in my sandbox.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   All I could think about was this bear is so close to me I can
   see its teeth. I could have kissed it. I wished I had a gun.
                                              -- Alyson Jones-Robinson
-----------------------------------------------------------------------
  14 days until the 227th anniversary of the signing of the U.S. Constitution

Re: Hacked Wordpress sites & Cryptolocker

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 03 Sep 2014 19:36:00 +0200
Axb <ax...@gmail.com> wrote:

> I've seen a rather large number of legit msgs including links to
> images in /wp-content/

I tested the rule.  Lots of false-positives.

I think the FPs can be almost eliminated if we additionally insist the
URL contain ".php" somewhere after the /wp-*/ component.  All the FPs I've
seen so far point to images.  And since WordPress is written in PHP,
any malware dumped into a WP directory is likely to be in PHP also.

Regards,

David.

Re: Hacked Wordpress sites & Cryptolocker

Posted by Axb <ax...@gmail.com>.
On 09/03/2014 07:28 PM, Spectrum CS wrote:
> I appreciate that the score of 5 is high, but as a WordPress user I've
> never needed to use URLs which contain wp-content or wp-includes, as
> they are used by the internal mechanism of the framework, so I feel
> confident of not getting any false positives.

I've seen a rather large number of legit msgs including links to images 
in /wp-content/

Can't say it's good or bad.. just sightings.

Re: Hacked Wordpress sites & Cryptolocker

Posted by John Hardin <jh...@impsec.org>.
On Wed, 3 Sep 2014, Spectrum CS wrote:

> I thought I'd share this in case it's helpful to anybody else. Today a 
> series of emails passed through our SpamAssassin filter cleanly which had 
> URLs to WordPress sites like the following...
>
> hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561
> hXXp://vertaser.ru/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296
>
> Clicking those links bounces you over to hXXp://royalmail-service.co.uk 
> and, using the ruse that they have missed a parcel delivery, encourages 
> end users to enter the captcha. They then end up downloading a 200KB 
> track_c4ca4238a0b923820dc.zip file which contains a track_89258099.exe 
> file which is infected with the Cryptolocker virus.
>
> I've just crafted the following rule in order to block any more of these 
> messages reaching end users, as having now looked through the logs I've 
> found about 15 have come through today (all originating from the same IP 
> in Russia?!)
>
> uri __SCS_HACKED_WORDPRESS_URIa /wp-content\/(plugins|themes)/is
> uri  __SCS_HACKED_WORDPRESS_URIb /wp-includes/is

There's already a sandbox rule for wp-admin. These are easy enough to add 
to evaluate performance without affecting scores. I will do that.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   All I could think about was this bear is so close to me I can
   see its teeth. I could have kissed it. I wished I had a gun.
                                              -- Alyson Jones-Robinson
-----------------------------------------------------------------------
  14 days until the 227th anniversary of the signing of the U.S. Constitution
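The rules traded in this thread (Steve's SCS_HACKED_WORDPRESS_URI pair, Paul Stead's LOC_WP with its image-extension lookahead, and David Skoll's suggestion to insist on ".php" after the /wp-*/ component) can be compared on sample URIs without a SpamAssassin install. The harness below is an added example, not code from the thread or from the SpamAssassin project: it parses `uri`, `meta`, `score` and `describe` lines in the syntax the posters used, runs the `uri` regexes over constructed per-message URI lists, and tallies a score. The `__WP_PHP_AFTER` / `WP_PATH_PHP` rules are a constructed rendering of David's ".php" refinement, not a rule from the thread. Assumptions that simplify SpamAssassin's real behaviour: `meta` rules are evaluated in definition order, names a meta references but nothing defines count as not hit, and a scored rule without a `score` line gets the default 1.0.

```python
"""Mini evaluator for SpamAssassin-style uri/meta/score rules (added example)."""
import re

# Rules as posted in the thread, plus the constructed ".php after /wp-*/" pair.
RULES = r"""
uri __SCS_HACKED_WORDPRESS_URIa /wp-content\/(plugins|themes)/is
uri __SCS_HACKED_WORDPRESS_URIb /wp-includes/is
meta SCS_HACKED_WORDPRESS_URI (__SCS_HACKED_WORDPRESS_URIa || __SCS_HACKED_WORDPRESS_URIb)
describe SCS_HACKED_WORDPRESS_URI Mail contains a URL which looks like it points to a hacked wordpress site
score SCS_HACKED_WORDPRESS_URI 5
uri __WP_PHP_AFTER /\/wp-(content|includes)\/.*\.php/i
meta WP_PATH_PHP (SCS_HACKED_WORDPRESS_URI && __WP_PHP_AFTER)
score WP_PATH_PHP 5
uri LOC_WP m{/((wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module).{0,64}(?!gif|jpg|png|bmp).{3})$}
"""

# Constructed messages, each reduced to the URIs a uri rule would see.
MESSAGES = {
    # The two URIs from the original post, defanged as posted (scheme is irrelevant to the rules).
    "phish": [
        "hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561",
        "hXXp://vertaser.ru/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296",
    ],
    # Constructed legitimate newsletter: images served from WordPress directories (Axb's FP case).
    "newsletter": [
        "http://blog.example.com/wp-content/uploads/2014/09/photo.jpg",
        "http://blog.example.com/wp-content/themes/twentyfourteen/images/logo.png",
        "http://blog.example.com/wp-includes/images/smilies/icon_smile.gif",
    ],
    # Constructed after Mike Grau's report of phishing URLs ending in "/".
    "dirindex": ["http://site.example/wp-includes/logs/"],
}

BRACKETS = {"{": "}", "(": ")", "[": "]", "<": ">"}
FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def compile_uri_regex(spec):
    """Turn a Perl-style /pattern/flags or m{pattern}flags spec into a Python regex."""
    if spec.startswith("m"):
        open_d = spec[1]
        close_d, body_start = BRACKETS.get(open_d, open_d), 2
    else:
        close_d, body_start = "/", 1
    end = spec.rfind(close_d)          # last delimiter closes the pattern; flags follow it
    body, flags = spec[body_start:end], spec[end + 1:]
    py_flags = 0
    for f in flags:
        py_flags |= FLAGS[f]
    return re.compile(body, py_flags)


def parse_rules(text):
    uri_rules, meta_rules, scores = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "uri":
            uri_rules.append((name, compile_uri_regex(rest)))
        elif kind == "meta":
            meta_rules.append((name, rest))
        elif kind == "score":
            scores[name] = float(rest)
        elif kind != "describe":
            raise ValueError("unsupported rule type: " + kind)
    return uri_rules, meta_rules, scores


def eval_meta(expr, hits):
    """Evaluate a meta expression of rule names joined by ||, && and ! (assumption: no arithmetic)."""
    expr = re.sub(r"[A-Za-z_]\w*", lambda m: str(int(bool(hits.get(m.group(0), 0)))), expr)
    expr = expr.replace("||", " or ").replace("&&", " and ").replace("!", " not ")
    if not re.fullmatch(r"[01()\s]*(?:\b(?:or|and|not)\b[01()\s]*)*", expr):
        raise ValueError("unsupported meta expression: " + expr)
    return bool(eval(expr))  # only digits, parens and boolean keywords remain


def scan(uris, rules):
    """Return (sorted list of scoring rules that fired, total score) for one message."""
    uri_rules, meta_rules, scores = rules
    hits = {}
    for name, rx in uri_rules:
        hits[name] = any(rx.search(u) for u in uris)     # a uri rule fires if any URI matches
    for name, expr in meta_rules:                         # definition order (assumption)
        hits[name] = eval_meta(expr, hits)
    fired = sorted(n for n, h in hits.items() if h and not n.startswith("__"))
    return fired, sum(scores.get(n, 1.0) for n in fired)  # unscored rules default to 1.0


def scan_all():
    rules = parse_rules(RULES)
    return {label: scan(uris, rules) for label, uris in MESSAGES.items()}


if __name__ == "__main__":
    for label, (fired, total) in scan_all().items():
        print(f"{label:<10} score={total:<5} {' '.join(fired) or '-'}")
```

Running it shows the trade-off the thread converged on: the original SCS rule hits the phishing URIs but also the newsletter full of image links, `WP_PATH_PHP` hits only the phish, and the trailing-slash "/wp-includes/logs/" form is caught by LOC_WP (the lookahead only excludes three-letter image extensions right before end-of-URI) but not by the ".php" requirement, which is the gap Mike and Reindl point out.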