Simplifying the language of website security

Screen Shot 2014-07-09 at 3.40.59 PM
A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.

After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.

That’s for big websites, right?

Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”

Tony and I were floored when he told us that. But should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.

We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we also have an obligation to translate the language of website security so that website owner’s everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.


Read More

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

Sucuri  Sizzle CSS Selector Engine Modified III

Read More

WordPress Security: 5 Steps To Reduce Your Risk

Often you hear the question, “What plugins should I use for WordPress Security?”. It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!

WordPress-Security-Reduce-Risk-With-Less-Plugins
Risk reduction is the name of the game. A collective set of actions, tools, and processes all helping lower the risk of exploitation.

It’s Everyone’s Responsibility!

It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):


Read More

Website Security – The Importance of Access

Not sure why more emphasis isn’t put on access, but I’ll spend some time on it today. Understand though that this emphasis is not just something pulled out of the clouds. Instead it has come from months of thought and research – courtesy of client environments, enterprise incident handling cases and our own honey pots.

Website Security - Importance of Access

The Importance of Access

For some reason, what I have gathered, is that website owners, in their minds, think they are really ingenious. We think that what we know, no one else knows; the harsh reality is that’s so far from the truth. The are also those that buy into the idea that information security is an absolute, if only it were. Website owners have to learn to set their expectations, the InfoSec domain is about risk reduction. That is the first thing to understand.

While software vulnerabilities are a real threat, without tangible evidence, I am willing to bet that access is gaining ground on software vulnerabilities more than most realize. Still working on evidence to support this. A good thing to remember is that as a product becomes more secure, and the attack vectors decrease, access only increases in importance.

Read More

Website Malware – Joomla SEP Attack – Pharma Injection

This was a fun, yet painful case. In the past we have written a few different posts targeting search engine poisoning attacks (SEP) that like to use Pharmaceutical keywords and their associated links to poison your search engine results.

Today we had an interesting scenario where Google had not yet blacklisted the client, but our free scanner, SiteCheck, was in fact picking up the injection. From what we could see it was being triggered by a referrer but it wasn’t the typical referrers you’d expect, it’s condition was if it came from itself.

If you’re wondering why that is, allow me to explain. That meant that the payload would not show up the first time you visit the page, only when you visit the same page and the referrer was set to itself. This actually a very good evasive technique, it would make detection that much harder by most conventional scanners. In short, if the user clicks on the paeg once, it wouldn’t appear. This makes it very hard to detect and replicate unless you start testing every option. In this case, it wasn’t until you clicked on the option two consecutive times that the injections would appear.

You could try any other variation and it’d never work, only if you clicked on it two consecutive times. How annoying is that !!! This probably explains why Google and many others never picked it up.

In either event, this was a Joomla site and so the question was, where the heck is this thing.

Read More

Website Malware Removal – FTP Tips & Tricks

When you clean as many sites as we do every day you start to come up with little tricks that help expedite the process, here is one where you can use FTP to your advantage.

This post will cover two features in FileZilla that any novice can quickly employ:

  • Using Filters
  • Using Comparisons

For those wondering I’m running FileZilla on MAC OS, version 3.6.0. But this goes back a couple different versions, it’s not a new feature.

Filter Out the Noise

This is perhaps the coolest little tool. From time to time we have to download sites, although we prefer to work remotely, its inevitable. When we do we have to filter out all the non-essential data, not doing so would add way too much time to the entire process. Some sites like to bloat themselves with images and videos and backup zips – you get the point. So how to get around that?

Glad you asked….

Read More

Dealing with WordPress Malware

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

WordPress Security – Cutting Through The BS

I recently spoke at WordCamp Chicago 2012 on WordPress Security. In this post I’ll share my presentation but also provide context such that it allows the reader to better digest the presentations content.

Let me know how I do!!!

When putting the presentation together I found myself between a rock and hard spot, I felt as if all the presentations given to date are always about the same stuff. And maybe that’s necessary, repetitiveness is key they say, but is it?

Read More

SiteCheck – Got Blackhat SEO Spam Warning?

As of late it seems like we’re talking about a lot of SPAM related cases, this post will be no different.

Blackhat SEO

Before you start, let me preface this by saying that clearing a Blackhat SEO Spam injection is probably the biggest PITA (Google It) infection there is. They constantly evolve, making them difficult to detect and they employ both new and old techniques that, even after years, still prove to be annoying. This post will demonstrate one such case.

Read More

Automation is Key With Today’s Website Attacks

When trying to undertand the anatomy of attacks on websites you have to break it down into manageable parts. In my mind it really comes down to two types: Targeted and Opportunistic.

More important to understand is how the attack is executed, and that’s what I want to spend some time on in this post.

What do today’s attacks look like?


For most, targeted attacks will be rare, but they do happen every day. You might recall mentions on the news about the CIA website being defaced, or LinkedIn and eHarmony being compromised, in both those instances, I’d categorize those as targeted attacks. There are also examples like the most recent article that talked to the Gizmodo employee who appeared to have lost his entire digital identify, simply because the attacker liked his Twitter handle.

On the flip side, you have opportunistic attacks that are likely what most reading this get affected by. I provide a better discussion on it on our post, Understanding Opportunistic Attacks. The good news though is that in both instances you find many similarities in the attacks, specifically the use of tools that allow for automation.

Read More