SSH Brute Force – The 10 Year Old Attack That Still Persists

One of the first server-level compromises I had to deal with in my life was around 12 years ago, and it was caused by an SSH brute force attack. A co-worker set up a test server and chose a very weak root password for it. A few days later, the box was owned, running IRC bots and trying to compromise the rest of the network.

That was just the first of many server-level compromises caused by SSH brute force attacks that I would end up responding to, and even after more than 10 years, quite a few of the server remediations that we do here at Sucuri are actually caused by the same thing.

vBulletin Infections from Adabeupdate

vBulletin is a popular forum platform that is also becoming a popular target for web attacks. vBulletin (and vbSEO) had some serious security vulnerabilities in older versions, and when a forum using them is not properly updated, it ends up hosting malware like the one we analyze in this post.

vBulletin in SiteCheck

Technical Analysis

vBulletin is unusual in how it stores its templates and plugins: unlike WordPress and Joomla, all of that content is saved in the database. That makes it a bit more complicated for webmasters, because they can’t just use common command line tools (like grep) to search through their files. They need to use phpMyAdmin or another database tool to find and fix those issues.

Malware Infection – Blocked by Day Limit

This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one:

Blackhole Injection

However, on this specific site, instead of the common injection we were expecting, there was an uncommon error:

New Apache Module Injection

For the last few months we have been talking about the Darkleech Apache Module injection that is being used to insert malicious iframes into every site hosted on a compromised Linux server.

However, this past week we detected a new type of Apache module injection that is more subtle and harder to detect. We don’t know if it is a new and improved version of Darkleech or a completely different tool written by a different group. Our team is still working on the binary and trying to scope the reach of this infection, so we will only post our preliminary analysis here.

Identifying the injection

The first sign of this injection can be identified remotely: an iframe injection like this one:

<iframe src=httpx://ajaxfamilies[.]org/go[.]php?sid=3 width=1 ..

The iframe gets randomly prepended at the top of the pages served from the compromised server. The injection is conditional, so depending on the browser, referrer or IP address it may not show up. Google also reports that 500+ sites have been distributing malware through this domain (ajaxfamilies.org):

Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, ajaxfamilies.org appeared to function as an intermediary for the infection of 562 site(s) including ajbridalwear.co.uk/, global-lcs.com/, trattamento-acque.net/.

Note that the domain ajaxfamilies.org might not be the only one being used (and it might change or rotate soon). However, from the servers we were able to gain access to, it was the main domain being used.

Apache Module injection

The injection is done in the same way as before, by modifying one of the httpd configuration files (either conf/httpd.conf or conf.d/*.conf) and inserting a new module to be loaded:

LoadModule suphp5_module modules/mod_suphp5.so

Note that mod_suphp5 is a fake module, not the popular mod_suphp. We have also seen it injected by overwriting the default mod_version.so with a fake one:

LoadModule version_module modules/mod_version.so

Those new modules are very small and have a zero detection rate with common antivirus software, according to VirusTotal.

These are their identifiers (size and MD5 checksum):

$ ls -la *.so
-rwxr-xr-x 1 dcid dcid 15472 19 Jun 14:03 mod_suphp5.so
-rw-r--r-- 1 dcid dcid 15472 17 Jun 18:53 mod_version.so
$ md5 *.so
MD5 (mod_suphp5.so) = 0a64f8d809d0a73d1b0b4139126e8f94
MD5 (mod_version.so) = 71e800af61521ff4390bf9845befa33a

It uses Apache’s portable memory pool to store the list of IP addresses that have visited the site before and to decide when to inject the malware. It also includes a backdoor component, allowing the remote attacker to run any command as the Apache user.

This module has some unique signatures that you can use to search for it. At this point we recommend looking for the string AWAVAUATUS1 in the modules directory:

$ grep -r AWAVAUATUS1 /etc/httpd/modules
Binary file /etc/httpd/modules/mod_version.so matches

You can also search for execl or getppid in the modules directory and see if any suspicious file comes up. On a default Apache/PHP install, only libphp5 should contain references to execl or getppid.
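The checks above (the LoadModule review, the signature strings and the two checksums) combined into one POSIX shell scan. This is an added example, not a Sucuri tool; the /etc/httpd layout and the md5sum/md5 fallback are assumptions:

```shell
# Added example, not a Sucuri tool: scan an Apache install for the indicators
# described in the post. Default paths are an assumption (RHEL-style layout).
KNOWN_BAD_MD5="0a64f8d809d0a73d1b0b4139126e8f94 71e800af61521ff4390bf9845befa33a"
# AWAVAUATUS1 is also the byte pattern of a common x86-64 function prologue
# (push r15..rbx), so treat a hit as a lead to verify, not as proof on its own.
SUSPECT_STRINGS="AWAVAUATUS1 execl getppid"

# MD5 of a file: GNU md5sum on Linux, md5 -q on macOS/BSD
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# scan_apache_modules MODDIR CONFDIR
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
scan_apache_modules() {
    moddir="$1"; confdir="$2"; found=0
    # 1. LoadModule lines that pull in the fake mod_suphp5 (not mod_suphp)
    for conf in "$confdir"/httpd.conf "$confdir"/conf.d/*.conf; do
        [ -f "$conf" ] || continue
        if grep -E 'LoadModule[[:space:]]+suphp5_module|mod_suphp5\.so' "$conf" >/dev/null; then
            echo "CONFIG $conf: loads mod_suphp5 (fake module name)"; found=1
        fi
    done
    # 2. Every shared object: known-bad checksum first, then the signature strings
    for so in "$moddir"/*.so; do
        [ -f "$so" ] || continue
        sum=$(file_md5 "$so")
        for bad in $KNOWN_BAD_MD5; do
            if [ "$sum" = "$bad" ]; then
                echo "HASH $so: matches known backdoor checksum $sum"; found=1
            fi
        done
        # libphp5 legitimately references execl/getppid; other modules should not
        case "$so" in */libphp5.so) continue ;; esac
        for s in $SUSPECT_STRINGS; do
            if grep -a -q "$s" "$so"; then
                echo "STRING $so: contains '$s'"; found=1
            fi
        done
    done
    return $found
}

# Usage: sh scan_modules.sh /etc/httpd/modules /etc/httpd
if [ $# -gt 0 ]; then
    scan_apache_modules "$1" "${2:-/etc/httpd}"
fi
```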

If you suspect a site might be compromised, our SiteCheck scanner should be able to identify this type of injection.

What’s next?

It seems the switch from site-level injections to server-level injections is really here to stay. If you don’t know how an attacker with just basic FTP or restricted access can get root, take a look at this series of posts we are doing:

We will also provide more information as we learn more about it.

Apache PHP Injection to JavaScript Files

We have been talking about Apache server-side injections for a while, ranging from malicious modules like Darkleech to modified Apache binaries. From an attacker’s perspective, it is much more lucrative to inject malicious code at that level instead of having to compromise each site on the server individually.

However, server-side injections are not limited to Apache modules or binaries. They can also be done via global .htaccess injections and PHP auto appends/prepends, which we will cover in this article.

Plesk 0-day Remote Vulnerability in the Wild

Just last week another 0-day vulnerability in Plesk was released. It affects Plesk versions 9.2, 9.3 and 9.5.4. If you have not done so yet, we recommend that you update Plesk immediately.

Note: In our latest analysis of servers with the Apache binaries or modules compromised (DarkLeech or Cdorked.A), Plesk is often one of the entry points.

Technical Analysis

The exploit was released last week by Kingcope with a sample exploit to “test” if a server is vulnerable. The vulnerability comes from this Plesk configuration:

ScriptAlias /phppath/ "/usr/bin/"

This allows anyone to execute the PHP interpreter. When calling the PHP binary, they can pass it command-line options very similarly to CVE-2012-1823 (the PHP CGI bug):

From a Site Compromise to Full Root Access – Local Root Exploits – Part II

When an attacker manages to compromise and get access to a website, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some techniques that attackers are using to go from confined FTP/web access, to full root level access on a server.

Globo.com redirecting users to Spam ads

Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic), appears to be compromised, and all visits to it are being redirected to a sub page inside pagesinxt.com. If you go to g1.globo.com (or any of their other subdomains), you will end up on a page full of ads about hosting, Internet and fake email products:

Globo.com redirection

That redirection has been going on for at least a few hours: we first detected it around 8am EST, and it is still live four hours later (noon EST).

What is going on?

We are investigating, but at the bottom of every page inside globo.com there is a script being loaded from sawpf.com:

<script defer src="httx://sawpf.com/1.0.js"></script>

That JavaScript file is very slow to load, but when it does, it runs the following code:

 window.location = httx://pagesinxt.com/?dn=sawpf.com&fp=3WBUwymfgey…

which forces the browser to redirect to pagesinxt.com. At this point, we recommend that users not visit any globo.com page (or visit with JavaScript disabled).

Who really owns your site?

This brings up a topic we have raised before: who really owns your site? Every time you include a JavaScript file (or widget or iframe), the security of your site becomes dependent on that third-party server. It doesn’t look like Globo itself was compromised, but since they include code from sawpf.com, they are only as secure as that third party.

Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.

Can you imagine if the author of the Easing Plugin had been malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site of their choosing (spam, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded for all your users.

*update 1: Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the amount of people complaining or worried about it.

*update 2: If you click on some URLs inside sawpf.com, you will be redirected to pagesinxt.com as well (for example: httx://sawpf.com/libs/jquery/1.7.1.js)

Apache Binary Backdoors on Cpanel-based servers

For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is available here and here.

However, during the last few months we started to see a change in how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated, and we worked with our friends from ESET to provide this report on what we are seeing.