From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they won’t likely stop there, they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, It is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

Read More

Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”

For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:

“Please stop hotlinking my easing script — use a real CDN instead. Many thanks”

What is going on?

We did some Google searches and found hundreds of threads with people worried about the same thing. Out of no where, that pop-up was showing up on their web sites. Were they all hacked?

Screen Shot 2013-05-02 at 4.26.02 PM

Read More

Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the first, and most important piece of information, the how. What we know, based on the data we reported earlier is that a very large majority of the attacks are coming from local PC boxes. How do we know? We’re seeing the IP’s and their incoming signatures.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?


Read More

Website Malware – Fixing Joomla SPAM Hacks – Conditional Payloads

Our Senior Malware Engineer, Fioravante Cavallari, is at it again. I think he has made it his personal mission in life to expel all Joomla hacks, he loves them that much – true story.. ;)

In all seriousness, he found another gem yesterday. It’s well written; it includes comments explaining what they are doing, uses proper syntax, it was broken up and sprinkled throughout another good file generating no errors, it wasn’t obfuscated and it leverages good variable naming conventions. What more can we ask for, right?!?!?!

Don’t ask how we found it, a true gentlemen never discloses his nightly affairs.

The Pretty Payload – Nice Conditional Malware

A few months ago I wrote about Conditional Malware, we’d categorize this one into the same family. In my post it was a very simple explanation and code base, you could clearly see the IP’s being filtered and what it was doing, here we have to think a bit. Remember, you’re not likely to find it in tact like this, it’ll likely be broken and sprinkled through out your file. Here you go:

Read More

WordPress Security: 5 Steps To Reduce Your Risk

Often you hear the question, “What plugins should I use for WordPress Security?”. It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!

WordPress-Security-Reduce-Risk-With-Less-Plugins
Risk reduction is the name of the game. A collective set of actions, tools, and processes all helping lower the risk of exploitation.

It’s Everyone’s Responsibility!

It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):


Read More

Website Security – The Importance of Access

Not sure why more emphasis isn’t put on access, but I’ll spend some time on it today. Understand though that this emphasis is not just something pulled out of the clouds. Instead it has come from months of thought and research – courtesy of client environments, enterprise incident handling cases and our own honey pots.

Website Security - Importance of Access

The Importance of Access

For some reason, what I have gathered, is that website owners, in their minds, think they are really ingenious. We think that what we know, no one else knows; the harsh reality is that’s so far from the truth. The are also those that buy into the idea that information security is an absolute, if only it were. Website owners have to learn to set their expectations, the InfoSec domain is about risk reduction. That is the first thing to understand.

While software vulnerabilities are a real threat, without tangible evidence, I am willing to bet that access is gaining ground on software vulnerabilities more than most realize. Still working on evidence to support this. A good thing to remember is that as a product becomes more secure, and the attack vectors decrease, access only increases in importance.

Read More

Website Malware Removal – FTP Tips & Tricks

When you clean as many sites as we do every day you start to come up with little tricks that help expedite the process, here is one where you can use FTP to your advantage.

This post will cover two features in FileZilla that any novice can quickly employ:

  • Using Filters
  • Using Comparisons

For those wondering I’m running FileZilla on MAC OS, version 3.6.0. But this goes back a couple different versions, it’s not a new feature. If you’re not the type who feels confident cleaning your own site, remember that we detect malware, fix hacks and prevent it from occurring regardless of platform (Ex: WordPress, Joomla, Drupal, or something else).

Filter Out the Noise

This is perhaps the coolest little tool. From time to time we have to download sites, although we prefer to work remotely, its inevitable. When we do we have to filter out all the non-essential data, not doing so would add way too much time to the entire process. Some sites like to bloat themselves with images and videos and backup zips – you get the point. So how to get around that?

Glad you asked….

Read More

New Google Chrome Blacklist Warning for Macs

If you go to a site that is Blacklisted by Google, you will see a new (and prettier) malware warning now if you are using a Mac:

The Website Ahead Contains Malware!
Google Chrome Has Blocked access to site.com for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.

Nothing major has changed, but we found this new wording to be more clear for the end user. So good move from the Google/Chrome team.

Sucuri – Decoding Obfuscated PHP

We are happy to release a new tool for you Do It Yourself (DIY) types. Every now and then you might come across a variety of obfuscated injections in your PHP files and might find yourself wondering,

Wonder what that does?

Not to fear, Sucuri is here and we have a cool little tool that will help you take a look up it’s skirt. If nothing else this will you developers better understand how good is used for evil.

The one very cool thing about it is that it will decode as many layers as possible until it reaches a layer it is unable to decode. In our testing we have found a few strands that have gone down 20 different layers of obfuscation before it got to a point where it needed human intervention. Here is an example of 13 layers with a final output: http://ddecode.com/phpdecoder/?results=54a91431e44ab48462d4db6a59ae3db8

You can decode your obfuscated PHP here: http://ddecode.com/phpdecoder/

WordPress Security – Cutting Through The BS

I recently spoke at WordCamp Chicago 2012 on WordPress Security. In this post I’ll share my presentation but also provide context such that it allows the reader to better digest the presentations content.

Let me know how I do!!!

When putting the presentation together I found myself between a rock and hard spot, I felt as if all the presentations given to date are always about the same stuff. And maybe that’s necessary, repetitiveness is key they say, but is it?

Read More