Blogs with 'weakest of the weak' passwords hijacked for bot army

That's odd, because I was imagining it in my head as a late 70s western made in dody 3D. The brave army soldiers out there in the west come under attack by a band of Indians, construction workers, cops and bikers... with the expected outcome...

Nasty stuff

One of the reasons I finally put down my long dying website powered by the php CMS e107, I would get days where bots would bombard the site trying to find a vulnerability or simply to spam everything with an input.

each of which caused infected machines to phone home to a hard-coded command and control domain.

Why does this hard-coded domain still exist?

The purpose of this attack, as near as I can tell, is to serve up the W32/Kuluoz malware from compromised sites.

The attack comes in stages:

1. Launch a brute-force password-guessing attack on Joomla and Wordpress sites;

2. Deposit a malicious backdoor script on the hacked site;

3. Install a file, nowadays usually but not always named "main.php" (earlier versions of the attack used different script names) on the compromised sites. On WordPress sites, it may be installed on the root level of the site, in the /images folder, or in a folder called /img; on Joomla sites, it is often placed at the root level of the site or in the /components directory;

4. Send out spam emails directing marks to the location of the main.php script, usually disguised as DHL or Fedex notifications.

The main.php script is interesting. It checks the browser's user agent when a visitor arrives, and some variants appear to check the IP address against a blacklist as well.

If it sees a vulnerable Windows user agent string, it downloads the W32/Kuluoz malware using a number of different drive-by download exploits.

If it doesn't see a vulnerable user agent string (or if the IP address is blacklisted), early versions presented a phony 404 error page. This error page was generated by the script and looked different from the site's true 404 error page.

More recent versions of the script, which I've seen in the past few weeks, do an internal redirect to a real 404 error page, making them more difficult to detect.

I've written extensively about this attack and the apparent link between the WP/Joomla brute-force hacking and the Kuluoz malware downloaders on my blog:

http://tacit.livejournal.com/580719.html

The attack has been tweaked and modified several times--the earliest versions tried to dupe marks with spam emails pretending to be airline flight confirmations, for instance. It has also scaled rapidly as the attacks on weak WP and Joomla passwords has scaled. In some cases, I have seen ISPs remove the malware script, only to see it reappear a few days later--suggesting that either the passwords haven't been changed or the backdoor scripts are still on the compromised servers.