Security Archive – Case Study: phpbb.com Compromised

Security Archive: It is important to remember past security incidents to make sure we don’t commit the same mistakes over and over again. The idea is to learn from our mistakes.

You can read other case studies from our security archive here:

Jan 31st, 2009: The website for the popular open source bulletin board, phpbb.com, was compromised and the user list was posted online. That was scary news for anyone using phpBB as they were unsure what was going on. If we are not mistaken (it has been a few years), phpbb.com was actually offline for many days while their team investigated the issue.

Read More

Over 10% of Alexa TOP Million Websites Found Not Safe – Infographic Report

We scan a lot of websites per day. Through our daily work we see all sizes and types of websites compromised, blacklisted, and filled with various security issues. But, we don’t often aggregate the results to provide a public report of what we are seeing.

So last month, we decided to do just that. We decided to scan the most popular websites on the internet to see how bad, or good, they are in terms of web security.

Our testing was very simple. We chose the top 1 million sites (according to Alexa), and checked the sites for those 4 issues:

  • Is the site Blacklisted? Sites were checked on Google, Norton, McAfee, ESET and Sucuri Labs.
  • Is the site infected with hidden SPAM?
  • Is the site infected with malware like drive-by-downloads, exploit kits, and similar issues?
  • Is the site running outdated software?

If the site passed those 4 tests, it would be considered safe for our testing purposes. Let’s see how the sites did.


Read More

Big Increase in Distributed Brute Force Attacks Against Joomla Websites

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


A few months ago, we discussed and published details about a very large brute force attack targeting WordPress sites.

The attackers (bad guys) had thousands of servers at their disposal, and were attempting all types of passwords on wp-admin (WordPress admin panel) to try to get access to as many WordPress sites as possible. The attacks lasted for a few weeks and then it calmed down. I can’t attest to their successes, but knowing how bad people are at choosing passwords, I guess it worked well for them.

Lately, we started to see the same thing happen to Joomla sites. While most of the sites we monitor would get a few brute force attempts per day in the past, the last couple of days all of them are getting thousands of requests daily.

Against one website, we saw 11,349 requests during the course of a few hours coming from 1,737 different IP addresses. Each IP address was trying to log in once or twice. And after a few hours, it would try again, making this type of attack very hard to detect and block.

Joomla Brute force timeline

We have seen an average of 6,000 brute force attempts against Joomla sites daily across our honeypots and CloudProxy networks. Some days the attacks increased to almost 13k, and dipped as low as 3k attempts. However, for the last 3 days, you can see a big increase, reaching almost 269,976 scans yesterday, September 2nd, 2013. That’s a very big increase out of nowhere.

We also started to see customers complaining about excessive resources utilization, similar to what happened with the WordPress attacks.

Joomla Brute Force Chart

Read More

Potential vBulletin Exploit (4.1+ and 5+)

The vBulletin team just posted a pre-disclosure warning on their announcements forum about a possible exploit in versions 4.1+ and 5+ of vBulletin.

They don’t provide many details, but did state that webmasters need to remove the /install and /core/install from their websites. This is the full message:

A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X – /install/
5.X – /core/install

After deleting these directories your sites can not be affected by the issues that we’re currently investigating.

vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.

Going back to our logs, we don’t see any specific scans for /core/install, but we see constant discovery requests for /install. We don’t yet know if that is related to vBulletin or other CMS’s.

Our team will be watching it closely, and any client under our CloudProxy WAF is already protected by it since we only allow access to the “install” directories by white listed IP addresses.

HideMeBetter – SPAM injection Variant

Compromised sites being injected with SPAM SEO is something we deal very often. A few months ago we wrote about a wave of SPAM injections known as HideMe.

However, the bad guys are always getting more and more “creative”, and they’ve developed a better version of that SPAM, called “HideMeBetter”. Yes, that’s their own naming scheme.

Read More

Dissecting a WordPress Brute Force Attack

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks we set out to find a way to find out.

This is not to be exhaustive case study or meant to be a representative sample of what all attacks look like, but it does have similar characteristics to the types of attacks and infections we deal with on a daily basis.

In this post, my goal is to highlight a hack that occurred this weekend, July 20th to be exact, against one of our several honeypots. In this specific instance, it was setup and configured approximately 2 months ago. It had been hacked about a month and a half ago and silly me I forgot to configure what I needed to do real forensics, oops. In any event, everything was cleared and pushed out again to see what happened, it was nothing more than a matter of sitting back and waiting.

Sure enough, about 30 days later and it was hacked, this time we were ready to see what happened..

Read More

Auto Generated Iframes To Blackhole Exploit Kit – Following the Cookie Trail

We often talk about websites being compromised and injected with malware that redirect users to exploit kits. We unfortunately don’t give you a complete picture of what the distribution payload is doing on your local machine very often. Today we’ll try to improve that analysis by giving you a more complete picture of the full life cycle of a specific distribution payload.

In this example, we’ll be showing you how an attacker is injecting a site with a dynamic iFrame generator, which then attempts to install a malicious payload on your machine. More importantly, we’ll show you what that file is doing locally.

We were actually very lucky in this instance. Instead of a banking trojan, we were able to get our hands on a payload that is designed to steal not only your Browser information, but your FTP credentials as well. This can then be used to compromise any website you own, completing the life cycle of the injection:

compromised site -> compromised desktop -> stolen FTP passwords -> more compromised sites


Read More

Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”

For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:

“Please stop hotlinking my easing script — use a real CDN instead. Many thanks”

What is going on?

We did some Google searches and found hundreds of threads with people worried about the same thing. Out of no where, that pop-up was showing up on their web sites. Were they all hacked?

Screen Shot 2013-05-02 at 4.26.02 PM

Read More

Game of Coins: The Uprise of Bitcoin Mining

Research by Daniel Cid. Authored by Dre Armeda.


One thing you can’t take away from some of the attackers we deal with everyday is their creativity. From time to time we write about new trends we’re seeing, and this post is no different. We’re seeing a new tactic recently, and it may be affecting your pockets, even if you’re not into the latest trend of using digital currency.

Game of Coins

Digital currency you say?

I sure did! Bitcoin to be exact.

Read More

Joomla Version 2.5.10 Released – Security Updates

This morning the Joomla development team released a new version of the Joomla platform. This is a Security release, so please be sure to update if you’re on the 2.x branch. If you’re on the 1.x branch the odds of updating seamlessly is highly unlikely so please do so only if you’re engaging a developer to assist you.

This release address 7 security issues, all of them appear to be low to moderate and revolve around Cross-Site Scripting (XSS), Denial of Service (DOS) and Privilege Escalation. It also contains another 38 bug fixes.

Security Fixes include:

If you can, please be sure to update, you can get your latest releases off the Joomla website here.