Sorryforthiscode – iFrame Injection

We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:

<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..

Sorryforthiscode

Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days:

Read More

Careful With Fake jQuery Website – jquery-framework. com

A few days ago we posted in our Labs notes about a Fake jQuery website that is distributing malware. The domain was properly chosen to confuse the end-users ( jquery-framework.com ), since it looks like a valid site.

jquery-framework.com

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..


Read More

Joomla 2.5.7 Released (Security Update)

Joomla 2.5.7 was just released today fixing 2 low severity security bugs and added a few other improvements. As always, we recommend all our Joomla users to update to 2.5.7 as soon as they can.

From their announcement page, here are the security bugs fixed:

  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability in language switcher module.
  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability.

Remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.7 on their Joomla sites.

Compromised Websites Hosting Calls to Java Exploit

Remember that Java 0 day vulnerability that was discovered a few weeks ago and took a while to get patched by Oracle? You know, the one that caused a large portion of the security community to recommend everyone to disable Java completely in their browsers?

Java Exploits

Well, it wasn’t hype. This vulnerability has been exploited since then, and now it’s the #1 vulnerability exploited by newer exploit kits found on compromised websites. The detection rate is also very low by AntiVirus products (7 out of 42 on Virus total):

Read More

WooThemes Security Audit Process & Development Partner WebDevStudios

WooThemes recently released a post talking to an audit that was performed on their various plugins and framework by our team. While true, it is important to note their level of commitment to providing secure products was second to none, it was actually quite refreshing.

WooThemes

The review was an exceptional process and we felt compelled to share some more information into the process.

Read More

Sociable WordPress Plugin Security Warning

If you are using the Sociable WordPress Plugin (plugin with 1,777,161 downloads), be very careful when visiting the plugin’s page settings. We recommend that you disable it or remove it for now, at least until it gets fixed.

A customer alerted us to the issue, when you visit the settings page (e.g., site.com/wp-admin/options-general.php?page=sociable_select) you get a malware warning from Google (this site may harm your computer).

What is going on?


The issue is that the plugin is loading an image from a site that is currently compromised (inside this file: includes/class-sociable_Admin_Options.php):

http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

That causes the browser to redirect to http://commitse.ru/ (known malware site). This is what happens when you load that image:

$ curl -D – -A “” http://balon24.com.ar/wp-content/plugins/sociable/images/Fueto_Sociable.png

HTTP/1.1 302 Found
Date: Fri, 07 Sep 2012 21:02:59 GMT
Server: Apache
Location: httx://commitse .ru
Content-Length: 266
Content-Type: text/html; charset=iso-8859-1

There are some discussions on the WordPress forums about it here: http://wordpress.org/support/topic/plugin-sociable-image-causing-malware-detected-flags, but in the mean time, we recommend users delete or disable the plugin.

It doesn’t look like the plugin was compromised, just an external image was used and the site housing that image is currently compromised.

We will post more details when we have it.

WordPress 3.4.2 Released – Maintenance and Security Update!!

As many know, today the WordPress team released a new patch for WordPress 3.4.2, and have titled it a maintenance and security release.

WordPress 3.4.2 Update

By now many have regurgitated the same post in a number of different blogs and forums pushing the word out, that’s great.

It took us a bit longer because we wanted to better understand the specifics of the security release. Here is what we found:

Read More