VisitorTracker Malware – way beyond just JavaScript files


September 26, 2015 | Categories: Blog, Drupal Security, Javascript, Joomla Security, Magento Security, Miscellaneous, Security, osCommerce Security, PHP, Security News & Information, vBulletin, Wordpress Security

Over the past couple of weeks, we’ve seen a fairly new piece of malware show up on sites. It doesn’t appear to be specific to any one type of CMS or website, which points to some ‘other’ vulnerability such as a compromised FTP or cPanel account or another unknown issue. We haven’t been able to track it down through log files (most are rotated by the time we have access to the infected site). Below are more details on what you may find on a site that has been infected with the VisitorTracker malware.

First, it’s important to note that this will affect several different files. So it’s very important to check everything. Better yet, if you have a known clean backup – wipe your server and restore. The example below is just one case and the files and names may be different on your server/site.

UPDATE 09/29/2015:

We are seeing a similar variation of the VisitorTracker malware, where its label in the files has been changed to what appears to be random characters and numbers. They have probably done this because most people know to look for “visitortracker” in their files, so this will not be picked up.


In this specific example, which was a WordPress site, the following files were infected:

random *.js files (not all of them)
The injected code starts and ends with /*VistorTracker*/ and contains several different functions, such as visitortracksdel, visitortrackerde and visitorTracker_isMob.

[image: VTJs]

img.jpg – this also contains some base64-encoded PHP code and was probably part of their ‘upload process’.

After it’s decoded, it looks like this:
[image: imgb64decode]

A file named ‘visitor.php’ was added (in another case it was named tracker.php, in another count.php; you will find this file name in the code added to the random *.js files).

[image: visitortracker]

And here’s what some of the decoded output looks like:

[image: visitorTracker]

Code was added to the theme’s footer.php, which starts and ends with:

[image: Footer]

The decoded output shows that it’s more VisitorTracker functions, but written so that they are echoed out by the PHP file.

[image: FooterDecoded]

The code also indicates that there should be a dot.jpg file, which is used to log the visitors; however, we did not detect this file on any of the compromised systems we saw.

If you don’t have a backup to restore from, the easiest way to locate this is to grep your filesystem for ‘visitor’ or ‘visitortracker’; that should return all the infected files and their locations.
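As an added example (not code from the original post), here is a read-only shell scan that covers the grep above plus the other indicators this post lists: the function names (which still match when the label itself has been randomised, as in the 09/29 update), the dropped visitor.php/tracker.php/count.php and dot.jpg names, and .jpg files that lack the JPEG header, like the img.jpg that carried base64-encoded PHP. The sample web root it builds is constructed; the scan only reports paths and deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original post: read-only scan for the
# VisitorTracker indicators the post describes. The sample tree built by
# make_sample_tree is constructed (placeholder contents, not real malware).

scan_visitortracker() {
  root="$1"
  # Label and function names. "visi?tor" also matches the /*VistorTracker*/
  # spelling quoted in the post; the function names still give the infection
  # away when the label has been replaced with random characters.
  grep -rIliE 'visi?tortracker|visitortracksdel|visitortrackerde|visitorTracker_isMob' "$root" 2>/dev/null
  # Dropped files named in the injected JS, plus the dot.jpg log the code refers to
  find "$root" \( -name visitor.php -o -name tracker.php -o -name count.php -o -name dot.jpg \) -print
  # A .jpg that does not start with the JPEG magic bytes (FF D8 FF) is not an
  # image; the post's img.jpg was base64-encoded PHP saved under an image name.
  find "$root" -name '*.jpg' | while read -r f; do
    magic=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
    [ "$magic" = "ffd8ff" ] || echo "$f"
  done
}

# Constructed sample web root: two infected JS/PHP files, a dropped visitor.php,
# a fake img.jpg holding base64 text, plus a clean JS file and a genuine JPEG.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes/js" "$d/wp-content/themes/t" "$d/wp-content/uploads"
  printf '/*VistorTracker*/ function visitorTracker_isMob(){} /*VistorTracker*/\n' \
    > "$d/wp-includes/js/jquery-ui.js"
  printf 'function init(){}\n' > "$d/wp-includes/js/clean.js"
  printf '<?php echo "<script>visitortracksdel();</script>"; ?>\n' \
    > "$d/wp-content/themes/t/footer.php"
  printf '<?php /* dropper placeholder */ ?>\n' > "$d/visitor.php"
  printf 'PD9waHAgLyogcGxhY2Vob2xkZXIgKi8gPz4=\n' > "$d/img.jpg"   # base64 text, no JPEG magic
  printf '\377\330\377\340' > "$d/wp-content/uploads/real.jpg"   # genuine JPEG header
  echo "$d"
}

# Usage on a real site: scan_visitortracker /var/www/html | sort -u
```

Treat every reported path as a file to inspect and compare against a known clean copy, since the file names vary between infections and a randomised label will only be caught through the function names or the odd file contents.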

Once you have cleaned and restored your site to normal, change ALL passwords if you haven’t already – FTP, cPanel and administrator accounts – and make sure you do not have any FTP accounts on your server that should not be there. To make your passwords strong, use 8-12 alphanumeric characters with at least 1 symbol (!, @, #, etc.), and make sure you change them often (every 30-60 days). Better yet, if your host allows it, use SFTP (FTP sends your information in plain text, which allows attackers to “sniff” out credentials).

And last but not least, scan your local machine (or that of your developer, web designer or site admin if it’s not you) for possible viruses, trojans and keyloggers. There are several free scanners available, such as the avg.com free version and malwarebytes.org. We typically recommend you run multiple because NO anti-virus scan is 100% fail-safe.

If you aren’t technical and you need immediate assistance, we can reduce the impact and prevent further damage quickly. Now is your chance: we can have the typical site cleaned and secured in just a few hours. Check out our Pricing page for details on our professional, reliable website malware removal services.