Brazilian Protests Leading to Mass Defacements

Brazil is going through a series of political protests against the current administration and the cost overruns of the 2014 FIFA World Cup. When the police cracked down on the protesters in the streets, they moved online. We won't go into the politics, but those online protests recently shifted from Twitter/Facebook discussions into the mass defacement of multiple high-profile sites (and Twitter accounts).

These include the Twitter account of Veja magazine (over 2.5 million followers, one of the largest in Brazil):

Revista Veja compromised

And the site of Brazil's richest man, Eike Batista:

(Screenshot of the defaced Eike Batista site, taken 2013-06-17)

Government sites affected too

And that's not all: many government sites are being hacked and defaced as part of the protest. All of the defacements urge the population to join the protesters in the streets and in front of the soccer stadiums to show their dissatisfaction with what is happening. This is a short list of the sites defaced early today:

http://samu192.com.br/

http://www.juazeirinho.pb.gov.br/

http://www.camaradocabo.pe.gov.br/

http://www.macaeprev.rj.gov.br/

http://www.ciscel.mg.gov.br/

http://copa2014.gov.br/

http://www.saofelixdoaraguaia.mt.gov.br/

http://copaemcuiaba.com.br/

http://www.frentedetrabalho.sp.gov.br

We are also seeing some sites suffering DDoS (distributed denial of service) attacks. We don't yet know exactly how these sites are being hacked, but we will keep monitoring the situation and post updates as they come. Note that none of the compromised sites were injected with malware; they were defaced only.

Plesk Vulnerability – In the Wild for Months Before Disclosure

A few days ago we published a post about the Plesk 0-day vulnerability that we started to see being probed in the wild. It abuses a misconfiguration in Plesk 9.0-9.2 that lets anyone reach the PHP binary through the phppath alias (phppath/php).
Read More
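To make the misconfiguration concrete, the following Apache configuration fragment is an added example and is not taken from the original post or from Plesk's own configuration files. The exact `ScriptAlias` directive and the `/usr/bin/` target are assumptions about how the phppath alias was defined; the point it illustrates is general: a ScriptAlias that maps a URL prefix onto a directory holding an interpreter turns that interpreter into a web-callable CGI program. The hardened half removes the alias and explicitly denies the prefix so a leftover include cannot re-expose it.

```apache
# BEFORE (assumed reconstruction of the weak setting; shown commented out so
# this file can be loaded as-is). Mapping /phppath/ onto a directory that
# contains the PHP interpreter makes /phppath/php a CGI endpoint that any
# unauthenticated client can invoke.
#
#   ScriptAlias /phppath/ "/usr/bin/"

# AFTER: no alias into a system binary directory at all, and the old URL
# prefix is denied outright in case another include still defines it.
<Location "/phppath">
    # Apache 2.4 syntax. On Apache 2.2 use:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</Location>

# Only ever map URL prefixes onto a dedicated CGI directory that holds your
# own scripts, never onto /usr/bin, /usr/local/bin or similar.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
```

After reloading, a request for `/phppath/php` should return 403 (or 404), never 200 with interpreter output; `apachectl -t` checks the syntax before the reload, and `grep -R ScriptAlias /etc/httpd /etc/apache2` is a quick audit for any other alias pointing into a binary directory.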

Apache PHP Injection to JavaScript Files


We have been talking about Apache server-side injections for a while, ranging from malicious modules like Darkleech to modified Apache binaries. From an attacker's perspective, it is much more lucrative to inject their malicious code at that level,
Read More

vBulletin Conditional Malware – myFTP.biz Malicious iFrames


We have to be honest here: there's no fun in cleaning up infected .htaccess files. It's boring, but it happens a lot! That's not the case here, though. I will also caveat that while in this specific instance we'll be talking about one specific platform, we
Read More

Plesk 0-day Remote Vulnerability in the Wild

Just last week another 0-day vulnerability in Plesk was released. It affects Plesk versions 9.2, 9.3 and 9.5.4. If you have not done so yet, we recommend that you update Plesk immediately. Note: In our latest analysis of servers with the Apache binaries
Read More

From a Site Compromise to Full Root Access – Local Root Exploits – Part II

When an attacker manages to compromise a website and gain access to it, they won't likely stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they
Read More

From a Site Compromise to Full Root Access – Symlinks to Root – Part I

Symlink to root

When an attacker manages to compromise a website and gain access to it, they won't likely stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they
Read More

Globo.com redirecting users to Spam ads

Globo.com redirection

Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic), appears to be compromised, and all visits to it are being redirected to a sub-page inside pagesinxt.com. If you go to g1.globo.com (or any other of
Read More

Sucuri CloudProxy WAF – Fake Bots Explained

One of the most common questions we have been getting since launching our CloudProxy WAF is about bot activity and why it appears that we are blocking Google and/or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any
Read More

Auto Generated Iframes To Blackhole Exploit Kit – Following the Cookie Trail


We often talk about websites being compromised and injected with malware that redirects users to exploit kits. Unfortunately, we don't often give you a complete picture of what the distributed payload is doing on your local machine. Today we'll
Read More