Massive XM1RPC SESS_ Hack

New malware is sweeping the internet. We're calling this the SESS Hack.

It is first identified by the xm1rpc.php file it creates, together with several other files that delete themselves after infecting the website.

The bad news with this malware is that it infects the entire hosting account. So, if you have multiple domains on a server in the same directory structure, they will all be infected by this hack.

Generally the symptom of this hack is redirection to porn. This is done by modifying the .htaccess files so that visitors arriving from a search engine are redirected to (usually) porn or malware sites.

# Injected .htaccess block: only traffic whose User-Agent or Referer names a
# search engine is rewritten to the (overwritten) index.php; direct visits
# see the normal site, which hides the redirect from the owner.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^.*$ index.php [L]
</IfModule>

In some cases, all index.php files are overwritten as well.

SESS_RANDOMSTRING files (SESS_ followed by a random string) are created as well.

This malware makes a curl callback request to a server hosting the malware, which checks whether the hack is still present and, if it is not, regenerates the files.

This means you need to clear out all of the hack files at once, or reinfection can happen within seconds. How quickly depends on how many visitors you get: when a new visitor goes to your site, the callback is made and the site is re-infected if it is not already infected.
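One way to triage a hosting account for the indicators described above, as an added example that is not part of the original post: it walks the account root, flags the dropped xm1rpc.php, any SESS_-prefixed file and any .htaccess containing the search-engine RewriteCond lines shown earlier, and compares every index.php against a set of known-good SHA-256 hashes. The two-domain directory layout, the file contents, the placeholder "random string" in SESS_abc123 and the known-good hash are constructed for the demonstration; only the indicator names come from the post.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the write-up: the dropped xm1rpc.php, SESS_<random> files,
# and the .htaccess rewrite that sends search-engine traffic to index.php.
DROPPED_FILE_NAMES = {"xm1rpc.php"}
SESS_PREFIX = "SESS_"
# Matches either RewriteCond line from the injected .htaccess block.
SEARCH_ENGINE_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+\(google\|yahoo\|msn\|aol\|bing\)",
    re.IGNORECASE,
)

# Constructed stand-in for a clean index.php; a real deployment would use the
# hashes of the index.php shipped with the installed CMS release.
CLEAN_INDEX = b"<?php require __DIR__ . '/wp-blog-header.php';\n"
KNOWN_GOOD_INDEX_HASHES = {hashlib.sha256(CLEAN_INDEX).hexdigest()}

MALICIOUS_HTACCESS = (
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\n"
    "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\n"
    "RewriteRule ^.*$ index.php [L]\n"
    "</IfModule>\n"
)
BENIGN_HTACCESS = "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"


def _rel(path, root):
    """Path relative to root with forward slashes, so results are stable across platforms."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_tree(root):
    """Walk root and return a sorted list of (indicator, relative_path) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in DROPPED_FILE_NAMES:
                findings.append(("dropped_file", _rel(path, root)))
            elif name.startswith(SESS_PREFIX):
                findings.append(("sess_file", _rel(path, root)))
            elif name == ".htaccess":
                try:
                    with open(path, "r", errors="replace") as fh:
                        content = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the whole scan
                if SEARCH_ENGINE_COND.search(content):
                    findings.append(("htaccess_redirect", _rel(path, root)))
    return sorted(findings)


def find_modified_index_files(root, known_good_hashes):
    """Return every index.php under root whose SHA-256 is not in the known-good set."""
    modified = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "index.php" in filenames:
            path = os.path.join(dirpath, "index.php")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if digest not in known_good_hashes:
                modified.append(_rel(path, root))
    return sorted(modified)


def build_sample_tree():
    """Create a constructed two-domain hosting-account layout in a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="sess_scan_")
    files = {
        "site1/xm1rpc.php": b"<?php /* constructed placeholder, not the real dropped file */\n",
        "site1/.htaccess": MALICIOUS_HTACCESS.encode(),
        "site1/index.php": b"<?php /* constructed: an overwritten index.php */\n",
        "site2/.htaccess": BENIGN_HTACCESS.encode(),
        "site2/index.php": CLEAN_INDEX,
        "site2/SESS_abc123": b"constructed SESS_ marker file\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    account_root = build_sample_tree()
    for indicator, rel_path in scan_tree(account_root):
        print(f"{indicator:18} {rel_path}")
    for rel_path in find_modified_index_files(account_root, KNOWN_GOOD_INDEX_HASHES):
        print(f"{'index_modified':18} {rel_path}")
```

Run it from the hosting-account root rather than from a single domain's document root, since the post notes that every domain sharing the directory structure is infected. The scanner deliberately lists everything before anything is removed: the cleanup has to cover the complete list in one pass, because a single dropped file left behind is enough for the callback to put the rest back within seconds.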

As with any malware, it takes advantage of a vulnerability in your site's CMS, plugins or themes. These types of malware can generally be prevented by keeping your site up to date.

