From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise a website and gain access to it, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If more websites are hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access to full root-level access on a server.


Globo.com redirecting users to Spam ads


Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised and all visits to it are being redirected to a sub page inside pagesinxt.com. If you go to g1.globo.com (or any other of

Sucuri CloudProxy WAF – Fake Bots Explained

One of the most common questions we have been getting since launching our CloudProxy WAF is regarding bot activity and why it appears that we are blocking Google and/or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any

Auto Generated Iframes To Blackhole Exploit Kit – Following the Cookie Trail


We often talk about websites being compromised and injected with malware that redirects users to exploit kits. Unfortunately, we don't often give you a complete picture of what the distributed payload is doing on your local machine. Today we'll

Malaysian Election and DDOS


Malaysia is having an election this weekend that has been surrounded by issues. We won't go into the politics, but one of our client's sites (a popular Malaysian news source that we won't name), started to suffer a very large scale DDOS (distributed

W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild


As if on cue, almost 7 days since we released the post about the latest W3TC and WP Super Cache remote command execution vulnerability, we have started to see attacks spring up across our network. In our post you might remember

Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”


For the last few days, some customers have come to us worried that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop-up: "Please stop hotlinking

Game of Coins: The Uprise of Bitcoin Mining


Research by Daniel Cid. Authored by Dre Armeda. One thing you can't take away from some of the attackers we deal with every day is their creativity. From time to time we write about new trends we're seeing, and this post is no different. We're

Apache Web Server Attacks Continue to Evolve


For the past few months we have seen a gradual increase in server-level compromises. In fact, every week it seems we're handling half a dozen or so, and the number continues to increase. It's one of the reasons that I have started including this as a trend in

LivingSocial Hacked — More Than 50 Million Accounts Compromised

Just as we were thinking we were going to avoid any major enterprise compromises this week, LivingSocial announces that it has been breached, with some 50 million accounts compromised. Based on the reports, it doesn't seem that any