On Wed, 3 Sep 2014, Spectrum CS wrote:
I thought I'd share this in case it's helpful to anybody else. Today a
series of emails passed through our SpamAssassin filter cleanly which had
URLs to WordPress sites like the following...
hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561
hXXp://vertaser.ru/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296
Clicking those links bounces you over to hXXp://royalmail-service.co.uk
and, using the ruse that they have missed a parcel delivery, encourages
end users to enter the captcha. They then end up downloading a 200KB
track_c4ca4238a0b923820dc.zip file which contains a track_89258099.exe
file which is infected with the Cryptolocker virus.
I've just crafted the following rules in order to block any more of these
messages reaching end users, as, having now looked through the logs, I've
found about 15 have come through today (all originating from the same IP
in Russia?!)
uri __SCS_HACKED_WORDPRESS_URIa /wp-content\/(plugins|themes)/is
uri __SCS_HACKED_WORDPRESS_URIb /wp-includes/is
There's already a sandbox rule for wp-admin. These are easy enough to add
to evaluate performance without affecting scores. I will do that.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
All I could think about was this bear is so close to me I can
see its teeth. I could have kissed it. I wished I had a gun.
-- Alyson Jones-Robinson
-----------------------------------------------------------------------
14 days until the 227th anniversary of the signing of the U.S. Constitution
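An added example, not part of the thread: a small Python evaluator for SpamAssassin-style "uri", "meta" and "score" rule lines, run over constructed sample message bodies. The two __SCS_HACKED_WORDPRESS_URI* subrules are the ones posted above; the SCS_HACKED_WORDPRESS meta rule, its 0.5 score, the sample bodies and their .example hostnames are assumptions added here. It shows how "__" subrules (which score nothing on their own, which is why they can be added to a sandbox without affecting scores) are promoted into a scoring rule by a meta rule, and that the wp-content/themes pattern alone also fires on a perfectly legitimate WordPress asset link.

```python
import re

# Added example, not from the original post: a minimal evaluator for
# SpamAssassin-style "uri", "meta" and "score" rule lines, used to exercise
# the two __SCS_HACKED_WORDPRESS_* subrules from the thread against
# constructed sample message bodies.
# Assumptions (not in the original): the SCS_HACKED_WORDPRESS meta rule and
# its 0.5 score, the sample bodies and their hostnames. Supported regex
# flags are i/s/m; meta expressions may use ||, &&, ! and parentheses.

RULES = r"""
uri   __SCS_HACKED_WORDPRESS_URIa  /wp-content\/(plugins|themes)/is
uri   __SCS_HACKED_WORDPRESS_URIb  /wp-includes/is
meta  SCS_HACKED_WORDPRESS         (__SCS_HACKED_WORDPRESS_URIa || __SCS_HACKED_WORDPRESS_URIb)
score SCS_HACKED_WORDPRESS         0.5
"""

FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
RULE_LINE = re.compile(r"^(uri|meta|score)\s+(\S+)\s+(.*)$")


def parse_rules(text):
    """Return (uri_rules, meta_rules, scores) from a .cf-style snippet.

    uri_rules maps name -> compiled regex, meta_rules maps name -> expression
    string, scores maps name -> float.
    """
    uri_rules, meta_rules, scores = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError("unsupported rule line: " + line)
        kind, name, rest = m.groups()
        rest = rest.strip()
        if kind == "uri":
            # "/pattern/flags": drop the leading slash, split at the last one
            if not rest.startswith("/"):
                raise ValueError("uri rule needs a /pattern/: " + line)
            pattern, _, flags = rest[1:].rpartition("/")
            re_flags = 0
            for f in flags:
                re_flags |= FLAG_MAP[f]
            uri_rules[name] = re.compile(pattern, re_flags)
        elif kind == "meta":
            meta_rules[name] = rest
        else:
            scores[name] = float(rest)
    return uri_rules, meta_rules, scores


def eval_meta(expr, hits):
    """Evaluate a meta expression (||, &&, !, parens, rule names) against hits."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|\|\||&&|!|\(|\)", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1
            rhs = parse_and()
            v = v or rhs
        return v

    def parse_and():
        nonlocal pos
        v = parse_not()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            rhs = parse_not()
            v = v and rhs
        return v

    def parse_not():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of meta expression: " + expr)
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ) in meta expression: " + expr)
            pos += 1
            return v
        return tok in hits  # a rule name: true if that rule hit

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in meta expression: " + expr)
    return result


def scan(body, rules_text=RULES):
    """Apply the rules to every URI in body; return (set of hit names, total score).

    As in SpamAssassin, a rule whose name starts with "__" is a subrule and
    adds no score unless a meta rule promotes it; other rules default to 1.0.
    """
    uri_rules, meta_rules, scores = parse_rules(rules_text)
    uris = URI_RE.findall(body)
    hits = {name for name, rx in uri_rules.items() if any(rx.search(u) for u in uris)}
    for name, expr in meta_rules.items():
        if eval_meta(expr, hits):
            hits.add(name)
    total = sum(scores.get(n, 0.0 if n.startswith("__") else 1.0) for n in hits)
    return hits, total


# Constructed sample bodies (hostnames are .example placeholders, not the
# domains from the thread).
PHISH_BODY = """Royal Mail: we could not deliver your parcel.
Track it here: http://hacked-blog.example/wp-content/themes/xblog/index.php?id=741693561
"""
CLEAN_BODY = """Weekly digest: https://www.example.com/news/2014/09/03
Unsubscribe: https://www.example.com/unsubscribe?u=42
"""
# A legitimate WordPress asset path also matches URIa: this is why the rules
# are kept as scoreless __ subrules until their hit rate has been measured.
LEGIT_WP_BODY = "New theme preview: https://legit-blog.example/wp-content/themes/twentyfourteen/style.css"

if __name__ == "__main__":
    for label, body in [("phish", PHISH_BODY), ("clean", CLEAN_BODY), ("legit wordpress", LEGIT_WP_BODY)]:
        hits, total = scan(body)
        print(f"{label:16s} score={total:.1f} hits={sorted(hits)}")
```

Running it shows the phishing body and the legitimate WordPress link both reaching 0.5 through the meta rule while the clean newsletter scores nothing; the third case is the false-positive rate you would want masscheck numbers on before giving the meta rule a real score.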