Injected code is “hidden” and can strike at the attacker’s will
The injected code in the present cases is <SCRIPT id="googleblogcontainer">, and it is inserted towards the end of the webpage’s source code. We have seen it inserted multiple times into one webpage, with 100 or more lines of code between each injection.
Please note: the missing “L” in googlebogcounter is most probably a typo made by the attackers.
The attackers can adjust the counter.php file to their needs and can include commands to download and install malware or redirect visitors to malicious websites or anything else.
According to the WHOIS information, the server hosting counter.php is/was located in Russia, and the exact same IP was involved in the so-called TimThumb attack earlier this year. TimThumb is a plug-in for the content management system Wordpress and suffered from a zero-day vulnerability which was subsequently exploited.
The G Data security solutions detect the mentioned script as JS:Downloader-AZF [Trj].
What Wordpress users can do now
So far, we cannot verify whether the infections result from a vulnerability in one of the Wordpress plug-ins installed in the cases seen, in the Wordpress CMS itself, or from a password hack (e.g. an automated attack). But we can definitely advise you to do the following if you are running a Wordpress site:
- Update your content management system to the latest version!
- Update all of the plug-ins you are using in this CMS and delete plug-ins you are not using!
- Change your CMS passwords!
- If you suffered from the above-mentioned code injection, delete all of the malicious scripts and update the aforementioned components!
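To support the last step, here is an added example (not code from the original post or from G Data) that locates and strips the injected <SCRIPT id="googleblogcontainer"> blocks described above, including the case where the tag appears several times in one page. The sample page, the file suffixes scanned and the loose attribute matching are assumptions made for the example.

```python
import re
from pathlib import Path

# The injected tag described in the post: a <script> element whose id attribute
# is "googleblogcontainer". Case, quoting and attribute order may vary between
# injections, so the match is deliberately loose (assumption for this example).
INJECTED_TAG = re.compile(
    r'<script\b[^>]*(?<![\w-])id\s*=\s*["\']?googleblogcontainer["\']?[^>]*>'
    r'.*?</script\s*>',
    re.IGNORECASE | re.DOTALL,
)


def find_injections(source: str) -> list[tuple[int, str]]:
    """Return (1-based line number, start of the matched tag) for each injected block."""
    hits = []
    for m in INJECTED_TAG.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)[:60]))
    return hits


def strip_injections(source: str) -> tuple[str, int]:
    """Remove every injected block; return the cleaned source and how many were removed."""
    cleaned, removed = INJECTED_TAG.subn("", source)
    return cleaned, removed


def scan_tree(root: Path, suffixes=(".php", ".html", ".htm", ".js")) -> dict[str, list[tuple[int, str]]]:
    """Walk a web root (e.g. a Wordpress install) and report files carrying the tag."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: two injections separated by filler lines, as the post describes.
SAMPLE_PAGE = (
    "<html><body>\n<p>content</p>\n"
    '<SCRIPT id="googleblogcontainer">/* injected */</SCRIPT>\n'
    + "<div>filler</div>\n" * 3
    + "<script id='GoogleBlogContainer' type='text/javascript'>/* again */</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for line_no, snippet in find_injections(SAMPLE_PAGE):
        print(f"line {line_no}: {snippet}")
```

Run scan_tree against a copy of the web root first and review each hit before stripping, since the cleaned files still need the CMS and plug-in updates listed above to stay clean.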