Google Analyticator Plugin Affected with Malware

Nov 11, 2011

—

Here is what happened. I copied entire WordPress folders to a new domain’s site root. I always do this instead of installing everything from fresh. It saves a lot of time.

I activated all the plugins and while I was changing the Google Analyticator’s settings, I found that it is affected with Malware?

First I thought it might be my theme files so I did a Google search to find if there are any issues with Google Analyticator and Malware. I could see few posts in forums suggesting that Google Analyticator does indeed somehow is affected with Malware or at least the malicious code uses Google Analyticator to spread Malware.

However it might not be the case as Ronald Hoff’s post suggests.

When you are in Google Analyticator’s settings and click on Save, either it redirects to Google’s home page or you get a malware warning in the browser.

Google Analyticator Affected with Malware

Also the affected website shows following warning:

The problematic url is security-laboratory.ru which is notorious for injecting malware in free open source scripts specially in osCommerce. I’ve seen this Malware in some of osComemrce sites and it is pretty nasty. This is the first time that I see it in a WordPress site.

The nasty stuff about security-laboratory.ru is that it doesn’t just add a code in the files which can be easily found in the php files but in adds an eval code which is hard to find.

It affects the header, footer, index and plenty of other common php files in osCommerce and also modifies .htaccess in very clever way. In .htaccess it adds malicious code towards the end by adding many empty lines before. So if open .htaccess file in a text editor you might not see code after the end of normal code but just scroll down and then you will discover the malicious codes.

I disabled the plugin and the malware was no longer seen.

I quickly checked some of other WordPress sites and I didn’t find this issue.

There is a chance that there is malicious code in the files.

I tried to backtrack what has happened. There might be chances that I visited a security-laboratory.ru malware affected website and then I Installed WordPress on this new site. Everything was fine until I tried to update the settings for Google Analyticator and at that point of time the WordPress site might be affected with Malware.

Before Google Analyticator I also changed the settings for various other plugins but I didn’t see any Malware warnings.

Checking the files for malicious code

I did a thorough search by searching for eval( string in all files in WordPress installation and guess what, I found that some files are affected.

There is file in the site root – tmp_1407122956494849.php which contains a piece of jumbled up code and it looks all too familiar.

So it seems Malware has affected the WordPress site.

.htaccess file

As usual I also find bunch of malicious code in .htaccess.

There were a bunch of lines with Error redirect to plasticspark.ru after the normal WordPress .htaccess entries.

Next I did a search for tmp_ files from webhosting root to make sure that non of other sites are affected. The command to search for a file with tmp_ name in it is

find /home/*/public_html/ -name ‘tmp_’

Then another search for entries in .htaccess

find /home/*/public_html/.htaccess -exec grep “plasticspark.ru” ‘{}’ /dev/null \; -print

Nothing found so I can be assured that other sites are not affected.

Conclusion

To conclude I can assume that the malicious code might have been injected to this new WordPress site when I was setting it up after visiting any other malware affected sites.

Now the most important question is how this code was injected into the WordPress? Is WordPress prone to such injection or it was the Google Analyticator plugin which gave way to the malware into WordPress?

Here are some safety tips

When you see the warning in browser for a malware then never ever visit the website.

If you visit a malware affected site then chances are that your computer might get affected as well.

Comments

4 responses to “Google Analyticator Plugin Affected with Malware”

Daniel

November 13, 2011

Hello Ajay,

It seems that you and your wordpress isnt the only one attacked from same Malware. We have a copy of yet unidentified php cms which have the same problem, htaccess redirects in root and child folders to security-laboratory.ru, tmp file with alot of numbers behind which was the part of old Joomla instalation where hackers got into the server in first place and now the biggest of our problems still some part of code which we cant find related to automatic thumbnail resizing and therefore we are still untrusted site on google.
So in another words, we fixed htaccess problem by deleting files or malicious code inside them, also deleted whole old Joomla instalation including tmp.numbers file but we cant get our site back and runing cause there is still some part of code which is doing the redirects. If you can tell us how to find eval code more precisly and how does it look like it would be much appreciated.

Reply
1. Ajay
  
  November 13, 2011
  
  Hi Daniel,
  Yes it can be nasty with any php related cms and I’ve already seen it in osCommerce, WordPress and CRE Loaded. Joomla, the old versions, are prone.
  
  Try using the search command from Linux command prompt and see if you can find it. If you don’t have shell access then download the files in your local system and search using Dreamweaver or textpad. Try textpad it is better. Search for “eval(” and if you see it in any theme related files and if code is a long jumbledup code then delete them. but be careful not to delete the legit ones.
  
  In worst case you will have to forget about that Joomla installation and start from a fresh copy with latest Joomla. Then setup the site and import the data old.
  For the template you will have to carefully search for all the files, specially headers and footers and remove any malicious code.
  
  The redirects are all in .htaccess file only. Remove all code from .htaccess and then see if problem persists. If problem persists then check for any SEO related module or function.
  
  Next is to check the header and footer files.
  
  It is really very difficult to get rid of this malware in Joomla and other php code. In WordPress it was easy.
  
  Even if you manage to clean it up it will come back. Hackers will use the same vulnerability to attack again. I’ve seen it many times.
  
  The best suggestion is to start with the latest version of Joomla and set it up somehow. I would never recommend using old version of any software.
  
  Reply
Daniel

November 14, 2011

Well, thing is we are not using Joomla at all, that was just the old instalation on server which still existed before we took site for maintnance. And that was hackers open invitation to other files. We erased it completly ofc.

We took care of htaccess files, so now we have only two of them and they are not infected.

There is no more tmp files aswell, and by the look of logs they are not getting into server again, but we still have a problem and we are flagged as suspicious site on google. Google says its about this URL: ………./thumbnail{image1} so we are guessing that it can only be a function which do the automatic thumb resizing but so far we coudnt find it. When we call for this URL in browser it takes us to security-laboratory.ru/index.php so problem still persist.

Thing about “eval” code is that there is a thousand of evals in our files and its hard to find it like that.

Well anyways wish us good luck, and if you have any other tip we would be happy to hear it.

Reply
Daniel

November 15, 2011

Latest info:

After we checked root (root, not public.html or ftp) of the site we found more malicious code with redirect. After we cleared those files we are back in track on all browsers.

Reply