Website Malware Removal – Counter.php

There are many variations of the Counter.php malware floating around the interwebs. This is a malicious redirect that sends your readers to a known bad site; that site houses a payload that responds based on the incoming user-agent.

Check out Sucuri Labs for more variations of Counter.php


If you use our free SiteCheck Scanner you might see a display like this:


Dreamhost Clients – Possible 500 Errors During Database Migration

This morning Dreamhost sent an email to a number of clients notifying them that a database was being moved to a new server. If you’re one of our clients and you receive Website Disabled warnings, it’s likely being generated by this temporary outage.

Please allow the scanner to run again; once the database server is back up it should update the scanner on the next run.

Here is the message from Dreamhost:


vBulletin Websites Using VBSEO Being Infected with Malware

We are seeing a large number of vBulletin/vBSEO websites getting compromised lately and we keep getting requests for info as to what’s going on.



Website Malware Removal – Blackhole Exploit

Here is a quick little write up on how to deal with one of the many variations of the Blackhole Exploit.

The Infection


If you scan your site using Sucuri SiteCheck and find yourself with a result that looks like this:

Then you are dealing with an infection that is facilitated through the Blackhole Exploit kit; the infection is classified as a Drive-by-Download type infection.

As the type implies, when someone visits a site carrying this payload the infection is triggered on the visit and, if the conditions are right, it will attempt to download something onto the visitor’s local environment. Hence the classification.

Another option you have, if you feel the site is behaving oddly, is to use your terminal. On UNIX/Linux based machines you can use cURL with a spoofed user agent, as follows:

$ curl -A "Googlebot" www.infectedsite.com

In this instance you’d see this:

Same infection as what was presented in the SiteCheck results.

The Removal Process


In this specific instance the infection was found across all the following files:

  • index.php

This includes the root, theme directory, plugins directory, admin and includes directories. Every one of those directories had an index file and each one was infected; I mention that to show the scope of the infection.

Hunt The Infection

If you have terminal access to the environment you can quickly identify every file infected by running the following:

$ grep -r '72.81.840.918.256' .

If you’re in a rush and your site is very deep, you could also push the results of the grep to a log file versus waiting for it to display and check back later:

$ grep -r '72.81.840.918.256' . > infectedsite-infection

This will create the infectedsite-infection file in the directory you are in. Once you have time you can come back and analyze the output:

$ cat infectedsite-infection

If you don’t have terminal, don’t sweat it, you can often download the entire install to your local environment and run it there too. When you’re satisfied you have found all the offending files simply push it back to your server.

Now Clean it Up

When you’re cleaning, you don’t have to be a coding rockstar, but you want to be aware of the little things. By little things I mean this:

  • In a PHP file you are going to need an opening tag, which usually looks like this: <?php and which is followed by a closing tag that looks like this: ?>

In this instance, this was the most important to keep in mind.

As for the removal, when you look at the results in SiteCheck or your cURL output you’ll see everything fits inside <script> and </script>.

There are a few ways to automate the removal, but that won’t be covered here. The easiest way for you is to open the files from the steps above, find the infection, highlight, and delete.

Make sure you don’t delete any of the important characters I mentioned above.

For opening the files you have a few different options: terminal editors or a local editor over FTP (e.g., Coda, Notepad, TextPad, etc.). If you don’t want to mess with any of that, well then good news: simply sign up with us and we’ll take care of it for you.
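The hunt-and-clean steps above (grep the tree for the marker your scanner showed, then delete the injected <script> block without touching the <?php ... ?> tags) as one script, added here as an example; it is not Sucuri's tooling. MARKER is a constructed placeholder that stands in for whatever string your SiteCheck or cURL output shows, and it runs in dry-run mode by default so you can review the file list before anything is written:

```python
import os
import re
import shutil
import sys

# Constructed placeholder, not a real indicator: put the string your scanner
# or cURL output showed (an IP, a domain, a function name) here instead.
MARKER = "72.81.840.918.256"

# One <script ...>...</script> block, non-greedy, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# latin-1 maps every byte to exactly one code point, so reading and writing
# with it round-trips a file byte for byte whatever its real encoding
# (the marker itself is ASCII). newline="" keeps CRLF line endings intact.
ENC = "latin-1"


def find_infected(root, marker=MARKER):
    """The `grep -rl MARKER .` step: sorted paths of files under root containing marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".bak"):  # skip backups this script wrote earlier
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding=ENC, newline="") as fh:
                    if marker in fh.read():
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def strip_injected_scripts(text, marker=MARKER):
    """Drop only the <script> blocks that contain marker; everything else,
    including the PHP open/close tags, is left exactly as it was.
    Returns (cleaned_text, number_of_blocks_removed)."""
    removed = 0

    def repl(match):
        nonlocal removed
        if marker in match.group(0):
            removed += 1
            return ""
        return match.group(0)

    return SCRIPT_RE.sub(repl, text), removed


def clean_tree(root, marker=MARKER, dry_run=True):
    """Clean every infected file under root; returns {path: blocks_removed}.
    With dry_run=True nothing is written; otherwise each changed file is first
    copied to <path>.bak. A path reported with 0 still contains the marker but
    outside any <script> block (encoded or concatenated payload): open it by hand."""
    report = {}
    for path in find_infected(root, marker):
        with open(path, encoding=ENC, newline="") as fh:
            original = fh.read()
        cleaned, count = strip_injected_scripts(original, marker)
        if count and not dry_run:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding=ENC, newline="") as fh:
                fh.write(cleaned)
        report[path] = count
    return report


if __name__ == "__main__":
    # usage: python clean_blackhole.py /path/to/webroot [--apply]
    webroot = sys.argv[1]
    apply = "--apply" in sys.argv[2:]
    for path, n in clean_tree(webroot, dry_run=not apply).items():
        verb = "removed from" if apply else "would be removed from"
        print(f"{n} block(s) {verb} {path}")
```

Run it once without --apply and read the list: a file that shows up with 0 blocks removed has the marker somewhere other than a plain <script> block, which is exactly the encoded or concatenated case where you want to look at the file yourself rather than trust a pattern.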


Any questions or concerns with the post just let us know at info@sucuri.net.

Fan of Twilight? Be Very Careful If You’re Looking Online For It

If you like the Twilight series, be careful if you plan to do any “research” on it, or if you plan to visit the site of the series author (Stephenie Meyer). Her site is currently hacked, blacklisted, and redirecting users to the Blackhole Exploit Kit.

You can see the results on SiteCheck:


ASK Sucuri: What should I do if my email is in the Yahoo Leak?

We love to get questions from you, our readers, in our Ask Sucuri series. If you have any questions about website malware, blacklisting, or security in general, send us an email to: info@sucuri.net or hit us on Twitter – @sucuri_security.


Yesterday we released a blog post about the Yahoo Leak, and created an online tool to check if your email was exposed in the leak. Since then, we have received hundreds of emails asking what should be done for anyone whose account was compromised.


Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed

We recently heard that a massive leak of Yahoo passwords has been floating on the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the data was released in clear-text (yes, clear text in 2012). It seems they were not storing the passwords securely.

We got access to the dump and we can confirm that this leak is valid. We cannot, however, confirm it is from Yahoo; the password analysis does not have many “Yahoo’s” in it (we’ll explain later).

That said, we recommend all Yahoo users change their passwords ASAP, especially on any other services where you reuse the same password. Better safe than sorry.


Magento Security Update (1.7.0.2) – Zend_XmlRpc Vulnerability

A few days ago, Magento 1.7.0.2 was released to fix a very serious security vulnerability that allows attackers to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

The Magento team provides the following info in their post:


Distributed Malware Network Outbreak Using Stats.php

We are seeing a large and distributed malware network comprised of thousands of infected websites that is growing very quickly. We call it “Stats.php” because all of the infected websites have the following iframe added to them:

<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..

Stats.php malware

Stats.php is an iFrame Injection attack. This is not a new issue by any means, and we have been posting details in Sucuri Labs for a little while. However, lately we started to see an increase in the number of websites getting hacked by it (a significant increase in the last 3 days).


Google Blacklist Warning: Something’s Not Right Here!

Google recently put out a post looking back at the past 5 years of offering the Safe Browsing program, which we summarized in a post titled: Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

This got us thinking about the number of Google warnings end-users see every day, and naturally we couldn’t help but take some time to help provide some context around the different warnings and what they mean.

Today it seems there are 5 little words that all end-users are quickly learning to fear when it comes to owning a website:

Courtesy of Chrome

It’s important to note that every browser displays the warning a bit differently. Very frustrating to us and our clients, but good to recognize.

Courtesy of Firefox

Courtesy of Safari

What Does it Mean?

What most don’t realize is that Google has a number of different warnings and they don’t all mean the same thing. If you are greeted with one of the warning splash pages above, that’s what it is: your site is infected and you should be concerned. This page is reserved to warn all users visiting your site that Google has in fact confirmed that your site is either (1) distributing malicious software, whether via drive-by-downloads, social engineering attacks, etc., or (2) redirecting users to malicious domains or IPs that are in turn distributing malicious software.

I know, nothing screams panic more than a page that is bright RED and forces your client to click proceed anyway or ignore warning to access your website. It’s like saying:

Hey, you’ll likely get mugged if you go in that alley.

The odds of your clients and readers disregarding the message are shrinking every day. What makes it worse is that Google offers an API that most anti-virus products leverage. This API is updated with the state of your site in the Google Safe Browsing program, which means that if your site gets blacklisted, that status is pushed to the API and in turn reported by the AVs. In short, if your client is using a product from one of those AV vendors, it too will warn the user that something is wrong.

Now, it’s easy to say, “buy our product to avoid what is quickly being recognized as the web’s scarlet letter A,” but in addition to saying that, we want to raise awareness around what you can do if you in fact find yourself with this problem.

Know The Warning


The first thing is to know which warning you are seeing. There are three types of warning Google releases. They include:

  • Malicious Software (Malware)
  • Suspicious Activity
  • Phishing

Malicious Software (Malware)

Perhaps the easiest to identify: they are the warnings posted above. They are usually red splash pages and annoying as heck; what’s worse, they have a way of significantly impacting your website’s traffic.

Suspicious Activity

Most don’t realize this but when you use Google search all the results you see are known as Search Engine Result Pages (SERPs). If Google detects something it feels to be inconsistent with your site it will display a little warning titled:

This site may be compromised!!

This is perhaps the most frustrating because unlike Malware and Phishing attempts, it’s treated differently. It’s Google saying it thinks something is amiss. You’ll often find this warning on sites with the Pharma Hack. Please understand though clearing this warning can be painful as the process is slightly different than its blacklisting counterparts.

Phishing

If you read our post on the past 5 years with Google’s Safe Browsing program you’ll notice an interesting trend where Phishing attempts are increasing while malware is decreasing according to Google. With that, it’s only appropriate for Google to put together yet another glaring splash page to warn its users of something being wrong. If you find yourself curious as to how Phishing scams work HowStuffWorks offers a good and easy to understand description.

With an understanding of which warning you are being flagged with, and yes it could be all three, you can then put together an appropriate course of action.

Course of Action


The really good news is that it’s only temporary. We get this question a lot: “Is this going to be there forever?” The answer, fortunately, is no. It’s a temporary warning to the users of the site and if you take appropriate actions it’ll be removed. The first things to know are the various sites you’ll need:

Here is a quick tip:

You don’t have to hire a company like Sucuri to have these warnings removed.

No company has an advantage over the other getting your site cleared by Google. Google is the only one with the ability to reindex and make the final determination on the state of the site. This means if you are able to effectively clear the infection then there is nothing stopping you from submitting for reconsideration on your own.

Here is another quick tip:

When dealing with Google warnings the best place to go to know the status is Google. Do not depend on Scanners as they use the Safe Browsing API and that is often delayed.

With this information in hand you can now work to assess where the issue is. It’s often in your interest to identify the issue before submitting for reconsideration; not doing so will simply leave you stressed and frustrated. It’s important to note, though, that Google does sometimes make mistakes, and it could be a false positive.

Step 1. Use Live Scanners / Online Tools

Contrary to popular belief, not all scanners are created equal. More often than not, scanners use some level of caching and/or require you to subscribe to a service to get an output worth anything. Make use of free scanners where possible:

Live scanner:

These free scanners are not 100% accurate; it’s practically impossible. In reality, no remote service is 100% accurate. If they were, there wouldn’t be a need for any other vendors. That being said, it’s good to note that some malware types are conditional and present themselves only when specific rules are met. Read more in one of our recent posts, Understanding Conditional Malware – IP Centric Variation. To account for this you can use a number of tools to emulate different conditions in the hope of replicating the issue.

Online tools:

The idea is to try to figure out what might have flagged the issue in the first place. Using the Google Bot option is always good as it will display the site as Google sees it. This is especially important for those infections that target Google IPs.

Step 2. Remove the Issues

As in most things, knowing is only half the battle. Now that you know you want to go in and remove the issue.

Please have a basic understanding of coding syntax, the last thing you want to do is blow up your site all because you deleted a closing bracket.

Please also note that the infection may be encoded, encrypted, concatenated or a little bit of everything. In other words, what you see via the web might not be what you see when you log into your server. With that being said there are a few known places you can always look when hunting down issues:

Some of the more common places to look when dealing with drive-by-downloads:

  • Footer
  • Header
  • Index (php or html)
  • template files

More common places for malicious redirects include:

  • .htaccess
  • index (php or html)
  • Core Files

When dealing with Phishing attempts:

  • New Directories
  • HTML files
  • Index (php or html)

Another good tip: although Google Webmaster Tools might say myhapylizard.html and mykidsplaying.html are showing as infected, in reality it’s the core file generating the content for those files that is the culprit. Looking only at those HTML files is not going to bear you much fruit; look at the files generating the template for that page, where you’re likely to find the root of the problem. You’ll also want to know what your website is built on. Is it using a CMS like WordPress, Joomla, Drupal, or osCommerce? Is it custom?

If you’re familiar with the command line interface (CLI) you can also try using a few different commands.

Emulate user agents:

$ curl -A "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.0)" http://www.somesite.com

Where you can switch out the agent MSIE 7.0; Windows NT 5.0 at your leisure. It’s always good to check IE as it’s one of the more likely targeted browsers. If you go online and try searching for user agents it could be a bit overwhelming. As you get familiar with them, here is a sweet little list that will help you get going. Simply replace the content in the user agent section of the cURL command.

You can also use cURL to emulate a number of bots and other crawlers.

Emulate bots:

$ curl --location -D - -A "Googlebot" somesite.com

If you’re wondering why you would ever use cURL in the place of your browser, the answer is simple, you don’t want to visit a compromised site and run the risk of compromising your own environment. You’re going to want some understanding of how your website was developed and a basic understanding of HTML at a minimum. To help you out, you’re looking for things that might have something like the following:

  • iframe
  • script

You’re also going to look for things that don’t make sense:

  • Is your site English, but you see Russian writing? Or any language not your own?
  • Do you see long strings of incomprehensible content?

Once you do that you’ll want to become friends with grep. Sample use would be:

$ grep -r '[something of interest]' .

Grep is extremely powerful and allows you to crawl your entire environment. It allows you to pick out pieces of text and search for it in every file on your server. Be sure to check out the 15 tips on how to use the command. Another good resource to help you get acclimated in the terminal environment includes this free online resource.
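The user-agent emulation from this section and from the Blackhole write-up above (fetch the page as Googlebot and as an IE user, then look for iframes, scripts, long incomprehensible strings and text in a language that is not your own), written up as a script. This is an added example, not Sucuri's tooling: fetch_as() is the urllib equivalent of the cURL commands, the indicator checks are my own heuristics, and the SAMPLE_* bodies and the hackedsite.example host are constructed so the analysis can be exercised offline (for instance on files saved from cURL output):

```python
import re
import sys
import urllib.request
from urllib.parse import urlparse

# Two of the agents the post suggests trying; extend the dict as you like.
USER_AGENTS = {
    "googlebot": "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "ie7": "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.0)",
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
SRC_RE = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)
LONG_BLOB_RE = re.compile(r"[A-Za-z0-9+/=%]{200,}")  # base64/escape-style blobs
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]{3,}")      # a run of Cyrillic letters


def fetch_as(url, agent, timeout=15):
    """Python equivalent of `curl --location -A "<agent>" <url>`: returns the body."""
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def indicators(html, own_hosts=()):
    """Sorted list of the things the post says to look for in a page body.
    own_hosts: hostnames you legitimately load scripts from (your CDN etc.)."""
    found = set()
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        found.add("iframe:" + (urlparse(src).netloc or "local"))
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc
        if host and host not in own_hosts:
            found.add("external-script:" + host)
    if LONG_BLOB_RE.search(html):
        found.add("long-blob")
    if CYRILLIC_RE.search(html):
        found.add("non-latin-text")
    return sorted(found)


def compare_by_agent(bodies, own_hosts=()):
    """bodies: {agent_name: html}. Returns (shared, conditional): shared is the
    sorted list of indicators every agent sees (a static injection), conditional
    maps each agent to the indicators only it sees (content served on the basis
    of the User-Agent, which is what the cURL trick is for)."""
    per_agent = {a: set(indicators(h, own_hosts)) for a, h in bodies.items()}
    shared = set.intersection(*per_agent.values()) if per_agent else set()
    return sorted(shared), {a: sorted(s - shared) for a, s in per_agent.items()}


# Constructed sample bodies (not captured from any real site).
SAMPLE_CLEAN = (
    '<html><head><script src="/js/app.js"></script></head>'
    "<body><p>Welcome to our site.</p></body></html>"
)
SAMPLE_INFECTED = SAMPLE_CLEAN.replace(
    "</body>",
    '<iframe src="http://hackedsite.example/stats.php" name="Twitter" '
    'width="0" height="0"></iframe>'
    '<script>eval(unescape("' + "%61" * 80 + '"))</script>'
    # "Купить таблетки" (Russian pharma text), written as escapes
    "<p>\u041a\u0443\u043f\u0438\u0442\u044c \u0442\u0430\u0431\u043b\u0435\u0442\u043a\u0438</p>"
    "</body>",
)


if __name__ == "__main__":
    # usage: python ua_compare.py http://www.somesite.example [own-host ...]
    url = sys.argv[1]
    own = tuple(sys.argv[2:])
    bodies = {name: fetch_as(url, ua) for name, ua in USER_AGENTS.items()}
    shared, conditional = compare_by_agent(bodies, own)
    print("seen by every agent:", shared)
    for name, only in conditional.items():
        print(f"seen only as {name}:", only)
```

The long-blob and non-Latin checks are deliberately crude: a legitimately minified script or a multilingual site will trip them, so treat the output as a list of places to open by hand, which is what the cURL-and-eyeball method amounts to anyway. The useful signal is the difference between agents; a page that only grows an iframe when fetched as Googlebot is the conditional case the post describes.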

Step 3. Submit For Review

If you made it through Step 2 then you’re likely pretty pumped right now, and you should be. Only thing left to do is submit to Google for reconsideration. Regardless of which warning you’re fighting with, you’re going to do some type of reconsideration submission. For all of them, you’ll need to log into Google Webmaster Tools and verify your site.

For malicious software (Malware) and Phishing warnings you will submit the reconsideration request via Google Webmaster Tools by:

  1. Add Site
  2. Verify Site
  3. Click on the Health option (hint: left side table of contents)
  4. Click on Malware (hint: if being flagged for Phishing or Malware you’ll see a yellow / orange warning on the page when you click)
  5. Click to submit a review

For suspicious activity you’ll follow these steps:

  1. Add Site
  2. Verify Site
  3. Go to the Reconsideration Link
  4. Select your site from the drop down
  5. Fill in the input boxes, providing as much information as possible

After both, the best thing you can do is sit back and wait. This is a patience game. In most instances you’ll see an update within 10 hours, but in some instances it has been known to take days if not weeks (rarely). Also, be sure to keep an eye on your Google Webmaster account, you’ll see update notices there and in your email.

If you get to the point where you have exhausted all your resources and can’t manage to get the infection removed, then it’d be in your interest to engage with a malware remediation company like Sucuri. If you decide on another provider, that’s ok too, be sure to read our Ask Sucuri: What should I know when engaging a Web Malware Company? post.


If you have any questions on the content in this post please feel free to leave a comment or send us an email at info@sucuri.net .