Thumb Wars: Sucuri Acquires Google Webmaster Tools

Today Sucuri unofficially acquires Google Webmaster Tools.

Google Webmaster Tools

In an effort to combine forces of good, Sucuri officials challenged Google to a thumb wrestling war. Here is a breakdown of the event.

Over The Top

In a best-of-5 style tournament, the competition got heated. The underdog had fought well, and stayed in it to win it, they weren’t letting the big dog walk away with this. In what turned into an exciting but nerve recking competition, the tournament was at a 2-2 going into the final match. With great confidence, Matt Cutts from the Google team belted out that, “Google does no harm, but that doesn’t extend to your thumbs.” He was so confident that he bet the ranch, saying “winner takes all, including Google Webmaster Tools”.

The room went silent. You could see sweat on the faces of each of the competitors, no more than on the faces of our trusty Labs team. They knew what this meant. It was go hard now or go home empty handed.

The last match was about to start, and you could see white knuckles showing from the great pressure in grip arrangements. It was time, thumbs were arched, and hats were turned backwards. This could be the very moment where everything changed.

The start was called, and Google aggressively launched their attack, a quick launch sneak pin attack, but the Sucuri competitor saw it a mile away. Google missed their kill shot and Sucuri took advantage with an over-arching attack from the top ropes. Sucuri slammed down with the power of Zeus…Google was in trouble.

Coming to an End

One quick glance to the right and you could see Matt’s face twisted in horror. One quick glance to the left and you could see the Sucuri CTO, Daniel Cid, his face emotionless as he enjoyed his popcorn.

You could see the strain and distress across faces of team Google as they realized what was happening, as they realized how it was about to go down. The tip of their thumb was moving from shades of red to signs of failed purple. The counter by Sucuri was risky, but as strong as Eddie Bravo’s triangle to beat Royler Gracie in 1993. This was epic. You could just imagine what was going through team Google’s mind, “Sergey will never understand”

The crowd. Silent. Almost as if the hand of death had grabbed their shoulder. Stuck in sudden disbelief as to what was transpiring, and in complete anticipation as to what was next.

The referee started to count. It was as if slow motion was being called in slow motion. The ref kept counting, and counting. Then you had it. As quick as it had started, it was over.

Sucuri had won. On the line was Google Webmaster Tools which will now slowly be migrated to Sucuri Labs over the coming weeks.

In this moment of great triumph, the David-sized security firm looks forward to expanding website security efforts to all webmasters across the world, with the inclusion of this Goliath-sized prize.

No Fooling Around

If you’re interested in helping fight the good fight, make sure to check out our open job requisitions.

If you have questions about this fever dream of a completely fake post, please leave them in the comments below.

Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More

More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack

Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors.

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. Note that XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused like what we are seeing.

Read More

Joomla Security Updates – Version 2.5.19 and 3.2.3 Released

The Joomla team just released 2 security updates and pushed out the stable versions for Joomla 2.5.19 and 3.2.3. If you run your site on Joomla, you need to update and apply these patches ASAP to ensure that your site continues to run securely.

If you are behind our CloudProxy Firewall, we will virtually patch these for you so you’re protected even if you do not upgrade. The Joomla website has more details on the security updates.

Issues fixed

On Joomla 2.5.19, these two issues were listed fixed:

Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information

But on Joomla 3.2.3, the following issues were fixed:

High Priority – Core SQL Injection More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core Unauthorised Logins More information

As you can see, there are some high priority SQL injection vulnerabilities along with some unauthorized login vulnerabilities in their Gmail login module (disabled by default).

The SQL injection seems to be related to an exploit released almost a month ago on the weblinks-categories id that was not escaped properly, and seems very easy to exploit.

Our team is still investigating the impact of this one and other vulnerabilities, and we will post more details as we identify them.

Sucuri CloudProxy Website Firewall Improvements

If you are are a regular reader of our blog you probably know about our CloudProxy Website Firewall, it launched publicly a year ago. Since then, our team has been extremely focused on improving it, making it more effective and efficient for everyday website owners.

If you are not familiar with CloudProxy, I highly recommend reading some of the documentation and benefits of it:

In fact, if you have a website, why not try it out?

Read More

SiteCheck Chrome Extension Now Available

Have you ever wondered if the websites you (or your family) visit contain code that is potentially harmful to you or your computer? If you are a Chrome user, then you’re in luck because we’ve made it much simpler for you to utilize SiteCheck, our website malware scanner. Whether you want to scan your own website or check up on other sites, install our new Chrome extension to make it easier. If you love the extension, let us know in the comments and make sure to tell your friends about this cool new tool.

All right, we’re done selling the benefits of this thing so here are the instructions to install it and try it out for yourself:

First, install the extension from the Google Chrome Web Store.

Next, you’ll be asked to allow access to your webpages. Once you do that, you’ll notice the little Sucuri “S” embedded on the right of your toolbar.

SiteCheck Extension

Finally, to scan any site you’re visiting, just click the Sucuri “S” and our sitecheck will scour the site and return results to you in no time. If you’re visiting a site infected with malware, you will receive a warning like the one below.

SiteCheck Extension - Warn results

Some Technical Details

It’s important to remember that you will need to choose to scan sites when you visit them and that this extension will not automatically scan every site you visit, nor will it prevent you from visiting an infected or blacklisted site (though you could quickly find out if you were on such a site). Our goal is to help consumers of the web as well as webmasters by providing a tool to scan any site on the web without referring back to SiteCheck each time.

Finally, remember that this extension will not automate scans of any website. If you’re in need of consistent monitoring and alerts, just sign up for one of our website protection or prevention plans and let us keep your site malware-free.

Malicious iFrame Injections Host Payload on Tumblr

It’s always fun to watch malware developers using different techniques to code their creations. Sometimes it’s a matter of obfuscation, placement, injection, but this time it’s how they code it to be dynamic.

I believe this is not the first one that uses this service, but it’s the first time I’m seeing it. The concept is not new, we have often seen Twitter and Ask.fm accounts being used as malware Command & Control (C&C) servers, but now we can add Tumblr to the list.

A few weeks ago we found an iFrame injection that was relying on Tumblr to trigger the payload.

Tumblr lets you effortlessly share anything. – Tumblr

It appears they take this motto to heart!

How Does It Work?

The anatomy of this attack is very interesting.

Read More

PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor. This type of malware was named this because it allows for remote control of a compromised website in a way that bypasses appropriate authentication methods. You can update your site, change passwords, along with any of your admin procedures, and the backdoor would still be there allowing unexpected access to an attacker.

Backdoors are also very hard to find because they don’t have to be linked in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere on your site, file system or database.

We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.

You can read something more about backdoors on these links:


Read More

Mysterious Zencart Redirects Leverage HTTP Headers

About a week ago we got an interesting Zencart case. Being that we don’t often write about Zencart we figured it’d be good time to share the case and details on what we found.

The Scenario

The site was redirecting to “www .promgirl .de”. I know, not very unique.

Additionally, it was only affecting “www” instances, all “non-www” instances were working correctly with no redirects. We also noticed that it would only trigger with specific User Agents and Referrers. This shouldn’t be new as we’ve talked at length about conditional malware.

Sucuri-Zencart-Analysis

Read More

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for you.

Essay SEO SPAM

The problem is that this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO SPAM to gain better rankings on search engines (i.e., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple example URL’s from sites that got hit (URL’s are still showing SPAM):

Read More