Malicious payloads are not always updated, but the attack vectors are. Hackers constantly evolve the way they break in; once the infiltration succeeds, they fall back on good old techniques, since they are already on your server and no further sophisticated obfuscation is required.
We have uncovered a new piece of malware that uses compromised websites to perform DDoS attacks. Malicious code is uploaded to the website and runs a bot that performs whatever the hacker wants it to do.
Infecting Websites Through IRC To Later Execute DDoS
Once the malicious files are uploaded to the website, they are all accessible via a browser and will perform the necessary commands on the server, such as:
- Uploading other files
- Modifying the site's .htaccess file to make the uploaded files work more effectively
The bot that we have unraveled appears to come from Indonesia, judging by the Internet Relay Chat (IRC) channels that it connects to:
Once the bot has logged in to the IRC channel, it sits in standby mode awaiting commands from the attacker. Below we list some of the commands that the bot is prepared to execute:
- reload – restarts the bot's connection to the IRC channel
- safe – safe mode activation / deactivation
- dns – displays the DNS information and the hostname of the bot
- info / vuln – displays information such as the OS used by the bot
- cmd – triggers the bot's shell_exec function on the machine, which can do just about anything
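The traits described above (an IRC connection, a small command dispatcher, a shell_exec sink and .htaccess tampering) rarely appear together in legitimate PHP, which makes their combination a useful thing to look for on disk. The following is an added example, not Quttera's scanner and not code from the bot: a Python script that scans PHP sources for several indicator families and flags only files that match three or more. The regexes, the threshold and the file paths are assumptions, and the sample files are constructed.

```python
import re
from typing import Dict, List

# Indicator families for the IRC-controlled PHP bot described in the post.
# One family alone is common in legitimate code; several together are not.
INDICATORS = [
    ("irc_socket",   re.compile(r"\bfsockopen\s*\(")),
    ("irc_protocol", re.compile(r'["\'](?:NICK|USER|JOIN|PRIVMSG)\b')),
    ("exec_sink",    re.compile(r"\b(?:shell_exec|exec|system|passthru|popen|proc_open)\s*\(")),
    ("bot_commands", re.compile(r'["\'](?:reload|safe|dns|info|vuln|cmd)["\']')),
    ("htaccess",     re.compile(r"\.htaccess")),
]
MIN_FAMILIES = 3  # assumed threshold; tune it against your own false-positive rate

def scan_source(path: str, source: str) -> dict:
    """Return which indicator families a PHP source matches and a verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(source)]
    return {"path": path, "families": hits,
            "suspicious": len(hits) >= MIN_FAMILIES}

def scan_tree(files: Dict[str, str]) -> List[str]:
    """Scan a {path: contents} mapping; return suspicious paths, most hits first."""
    results = [scan_source(p, s) for p, s in files.items()]
    flagged = [r for r in results if r["suspicious"]]
    flagged.sort(key=lambda r: len(r["families"]), reverse=True)
    return [r["path"] for r in flagged]

# Constructed sample files (not real malware): a bot-like fragment dropped in
# an uploads directory, a plugin that legitimately shells out, and a template.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": (
        '$fp = fsockopen($host, 6667);\n'
        'fwrite($fp, "NICK " . $nick . "\\r\\n");\n'
        'fwrite($fp, "JOIN " . $chan . "\\r\\n");\n'
        'if ($op == "cmd") { $out = shell_exec($arg); }\n'
        'file_put_contents(".htaccess", $rules);\n'
    ),
    "wp-content/plugins/thumbs/convert.php": (
        '$out = shell_exec("convert " . escapeshellarg($src) . " " . escapeshellarg($dst));\n'
    ),
    "wp-content/themes/site/header.php": '<?php get_header(); ?>\n',
}

if __name__ == "__main__":
    for path in scan_tree(SAMPLE_FILES):
        print(path, scan_source(path, SAMPLE_FILES[path])["families"])
```

Only the uploads file is reported; the image plugin's lone shell_exec stays below the threshold, which is the point of scoring families rather than single keywords.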
Having hundreds of thousands of infected sites in the botnet, just waiting for a command, can immediately shut down any server that hosts multiple other businesses' sites, damaging their reputation and leading to a loss of profit.
Make sure that your server is up to date with the latest releases of the software you use to, at least, minimize the risk of being infected and becoming a hostage of the hacker.
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false positives, blacklisting and other kinds of alerts from any security vendor or search engine. Just select the appropriate ThreatSign! Anti-Malware plan and get back online.
For other issues and help: Quttera help-desk