302 -> hxxp // video.bywhy .com /? k = girdles + pictures & s = google & r = http% 3A% 2F% 2Fwww.google.com% 2Fimgres% 3Fimgurl% 3Dhttp% 3A% 2F% 2Fbcsmusic.me% 2F% 253Fbdd% 253Dgirdles-pictures-Vyhynx % 2FbFO_9rUEvfK72isOTIVpmnmzLxnzp51gHqzVXi5I5jE2lyrsssMFcfbwOFoXk3VR8TwxTQeexe% 2FonLd6RPIG_M6hkLQMh6ACctX4kzsuwbN5w_6YOYxZYj1AJQl1OBCXNjPYQoA% 253D% 253Dxy5.jpg% 26imgrefurl% 3A% 2F% 3Dhttp% 2Fbcsmusic.me% 2F% 253Fbdd% 253Dgirdles-pictures% 26usg% 3D__6ho2Rtl5S4GcwInf2xzUhPN4vkI% 3D% 26h% 3D439% 26w% 3D262% 26sz% 3D98% 26hl % 3Din% 26start% 3D19% 26zoom% 3D1% 26um% 3D1% 26itbs% 3D1% 26tbnid% 3DoHNHWFmQjxIwqM% 3A% 26tbnh% 3D127% 26tbnw% 3D76% 26prev% 3D% 2Fsearch% 253Fq% 253Dsite% 3Abcsmusic.me% 2526um% 253D1 % 2526hl% 253Den% 2526sa% 253DN% 2526channel% 253Dfs% 2526biw% 253D1222% 2526bih% 253D260% 2526tbm% 253Disch% 26ei% 3DnU80TtGDG4mE-wa5vPH9DA & d = http% 3A% 2F% 2Fbcsmusic.me% 2F% 3Fbdd% 3Dgirdles-pictures
302 -> hxxp : // update34.svernick .in / index. php? Q0rhQ9S3be5GTHpOM5RNjiUpBaa7CmPerSb + VBBE57iCXCC1iDs + XgOe4qXsg1ggs5uk7Ck1GcwyRZ2vqM7MPVofO5WM3eBmP5tRpBeBu / kPphowRYvnTq2 + 4BmHNg ==

As you can see, the TDS server receives information about the keywords, the source and the referrer. The intermediate domain changes every day; these domains actually belong to other hacked sites (mostly built with WordPress).
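To see what a hop through the TDS leaks about the visitor, here is an added example (not code from the original post) that decodes the query parameters of such a redirect. The URL it works on is constructed for the example in the same shape as the one above (k = keywords, s = source, r = referrer, d = destination), with placeholder domains; the nested Google image-search referrer is URL-encoded one extra level at each layer, which the parser peels off.

```python
# Added example: decode the fields a TDS redirect URL carries.
# CONSTRUCTED_TDS_URL is made up for this example; it follows the shape of the
# redirect in the post (k, s, r, d parameters) with placeholder hostnames.
from urllib.parse import urlsplit, parse_qs

CONSTRUCTED_TDS_URL = (
    "http://tds.example.invalid/?k=girdles+pictures&s=google"
    "&r=http%3A%2F%2Fwww.google.com%2Fimgres%3Fimgurl%3Dhttp%253A%252F%252F"
    "hacked.example.invalid%252F%253Fbdd%253Dgirdles-pictures"
    "%26imgrefurl%3Dhttp%253A%252F%252Fhacked.example.invalid%252F"
    "&d=http%3A%2F%2Fhacked.example.invalid%2F%3Fbdd%3Dgirdles-pictures"
)


def _first(qs: dict, key: str) -> str:
    """First value of a query parameter, or '' when absent."""
    return qs.get(key, [""])[0]


def decode_tds_redirect(url: str) -> dict:
    """Return the keyword, search source, referrer host, doorway page and the
    image URL nested inside the Google referrer. parse_qs unquotes one layer
    each time it is applied, so the inner Google query is parsed a second time."""
    qs = parse_qs(urlsplit(url).query)          # outer layer: k, s, r, d
    referrer = _first(qs, "r")                  # decoded once: the Google imgres URL
    ref_qs = parse_qs(urlsplit(referrer).query)  # inner layer: imgurl, imgrefurl
    doorway = _first(qs, "d")
    return {
        "keywords": _first(qs, "k"),
        "source": _first(qs, "s"),
        "referrer_host": urlsplit(referrer).hostname or "",
        "doorway": doorway,
        "doorway_host": urlsplit(doorway).hostname or "",
        "image_url": _first(ref_qs, "imgurl"),  # fully decoded after 2nd parse
    }


def doorway_matches_image_host(info: dict) -> bool:
    """The image Google indexed and the doorway the TDS forwards to normally
    sit on the same hacked host; a mismatch points at a second compromised site."""
    return urlsplit(info["image_url"]).hostname == info["doorway_host"]


if __name__ == "__main__":
    for key, value in decode_tds_redirect(CONSTRUCTED_TDS_URL).items():
        print(f"{key:14} {value}")
```

Run it against the redirect lines from your own proxy or access logs (replace the constructed URL); the keyword and referrer fields are what the hacked site's doorway pages hand to the TDS, and the doorway host is the site that needs cleaning.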
Here are a few intermediate TDS domains used in this attack:
The domain name of the fake antivirus website consists of a .in domain that changes every day, plus a few subdomains of the form "updateNN" or "scanNN", for example "update82.yourscan.in" or "scan73.moomles.in".
Here are a few .in domains of the fake antivirus sites used in this attack:
x-scan .in
Most of the .in sites point to the IP address 220.127.116.11 (United Kingdom, with contact information from Lithuania).
The fake antivirus sites push an executable .exe "scareware" with names like InstallSecurityScanner_225.exe. These files are repackaged every day and their detection rate (according to VirusTotal) is quite low. The typical detection rate for the files currently being served is 8/43 (18.6%). Detection usually improves, but by then the malicious file is no longer in use and a new file with a low detection rate is being served from the fake antivirus server.
As I commented above, and to be more specific, 4,358 compromised sites have been detected. Currently Google has detected less than 5% of them. If you use the Google Safe Browsing diagnostic page it says something like this:
Malicious software is hosted on 2 domain(s), including bastandro .in /, senerino .in /.
It seems that 3 domain(s) are working as intermediaries to distribute malware to visitors to this site, including hireindians .net /, awalstudios .com /, bywhy .com /.
As I warned a few days ago, you need to update TimThumb if your theme uses it. There are no excuses, especially given the results above, don't you think?
But TimThumb is not the only one to blame: sites have also been found where the hackers created a .htaccess with rewrite rules placed above the root directory of the site. The rewrite rules map the backdoor URLs onto some PHP script. Nothing more.
All the backdoor pages are cached somewhere on the server. Unlike other SEO poisoning attacks, these are not generated on the fly: if you put different keywords in the URL you get a 404 error. Incidentally, these 404 pages are different from the hacked site's normal ones.
Further proof that the spam content is cached, and not injected into the live execution of WordPress pages, is the timestamps at the bottom of the HTML code and the stale entries in the "Recent posts" section. On some sites, instead of the site's real template, they use a prefabricated Kubrick template with a footer that does not change from site to site but is always the same (WordPress 2.3.1, 22 queries, 0.912 seconds).

What do I do?
There are several checks and/or actions we can perform:
- First, review your .htaccess file and remove any rewrite rule whose purpose you do not know. When in doubt, delete it and save the permalink structure again in the WordPress Settings so that a clean one is regenerated.
- Update TimThumb to the secure version. I already gave the links to the ways of doing it above; in the post I wrote the other day you have several ways to do it.
- Go to Google Webmaster Tools and check whether your site has been flagged for malicious software.
- Install an exploit-detector plugin and run it. There are several good ones in the official repository; search for "exploit".
That's all.
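As a first pass over the first two checks in that list, here is an added example (not the post's own code, and not part of any plugin it mentions) that reports Rewrite* directives living outside the block WordPress itself generates in .htaccess, flags those that route requests onto a .php script, and reads the VERSION constant out of a timthumb.php. The sample .htaccess is constructed for the example; the post does not name the fixed TimThumb release, so the minimum safe version is an assumption you should set yourself.

```python
# Added example: audit .htaccess rewrite rules and the TimThumb version.
# CONSTRUCTED_HTACCESS / CONSTRUCTED_TIMTHUMB are made up for this example.
# MIN_SAFE_TIMTHUMB is an ASSUMPTION: the post does not state the fixed release.
import os
import re

CONSTRUCTED_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^(.*)-pictures$ wp-content/uploads/cache/xx.php?q=$1 [L]
"""

CONSTRUCTED_TIMTHUMB = "<?php\ndefine ('VERSION', '1.33');\n"
MIN_SAFE_TIMTHUMB = "2.0"   # assumption; adjust to the release you trust

# TimThumb declares its version as define('VERSION', '...') near the top.
TIMTHUMB_VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")


def foreign_rewrite_rules(htaccess_text: str) -> list:
    """(line_no, directive) for Rewrite* lines outside '# BEGIN WordPress' ..
    '# END WordPress'. WordPress regenerates that block on its own, so anything
    outside it was put there by a person or a plugin and must be explainable."""
    inside_wp, found = False, []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        s = line.strip()
        if s == "# BEGIN WordPress":
            inside_wp = True
        elif s == "# END WordPress":
            inside_wp = False
        elif not inside_wp and s.startswith(("RewriteRule", "RewriteCond")):
            found.append((no, s))
    return found


def rules_targeting_php(rules: list) -> list:
    """Keep only RewriteRule lines whose substitution target is a .php script,
    the pattern the post describes for the cached backdoor pages."""
    hits = []
    for no, line in rules:
        parts = line.split()
        if parts[0] == "RewriteRule" and len(parts) >= 3 and ".php" in parts[2]:
            hits.append((no, line))
    return hits


def timthumb_version(php_source: str):
    """The version string from a timthumb.php, or None if none is declared."""
    m = TIMTHUMB_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def _vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def timthumb_outdated(php_source: str, min_safe: str = MIN_SAFE_TIMTHUMB) -> bool:
    """True when the file declares a version older than min_safe."""
    v = timthumb_version(php_source)
    return v is not None and _vtuple(v) < _vtuple(min_safe)


def audit_site(root: str) -> list:
    """Walk a site tree and return human-readable findings for every
    .htaccess with foreign rules and every timthumb.php that is outdated."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for no, rule in foreign_rewrite_rules(fh.read()):
                        findings.append(f"{path}:{no}: rule outside WP block: {rule}")
            elif name.lower() == "timthumb.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                if timthumb_outdated(src):
                    findings.append(f"{path}: TimThumb {timthumb_version(src)} "
                                    f"< {MIN_SAFE_TIMTHUMB}")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("\n".join(audit_site(sys.argv[1])) or "no findings")
    else:  # demo on the constructed samples
        print(rules_targeting_php(foreign_rewrite_rules(CONSTRUCTED_HTACCESS)))
        print(timthumb_version(CONSTRUCTED_TIMTHUMB), timthumb_outdated(CONSTRUCTED_TIMTHUMB))
```

Run it as `python audit.py /path/to/site` on the web root; a rule outside the WordPress block is not automatically malicious (caching and security plugins write their own), but each one should be something you can account for, and a rule that sends arbitrary pretty URLs into a .php file under uploads or cache deserves a close look.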
Thanks to Juan for the notice
Yes, you are reading it right: an antivirus for WordPress. Or did you think WordPress was immune to malicious code injection? No: like any software hosted on a server it is susceptible to infection, and we have shown some evidence of that.
And of course there is an antivirus in the form of a plugin: Antivirus for WordPress.
It identifies hidden code in your theme and other types of exploits and vulnerabilities. You can run it manually or automatically, and mark false positives in the "white list" to avoid receiving further alerts. It will not delete the code injections automatically, but it tells you what they are and in which file they are so that you can take the appropriate measures yourself.