Archives for April 2011

WordPress 3.1.2 released – Security fixes

The WordPress team just released a new version of WordPress (3.1.2) to fix a security issue where contributor-level users were allowed to publish posts. It is a small release, and everyone using WordPress should upgrade to it!

From the WordPress site:

WordPress 3.1.2 is now available and is a security release for all previous WordPress versions.
This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.
The issue was discovered by a member of our security team, WordPress developer Andrew Nacin, with Benjamin Balter.
We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.
Download 3.1.2 or update automatically from the Dashboard → Updates menu in your site’s admin area.

So do what they say and upgrade ASAP! Download link:

Using WordPress? Check out our WordPress Security plugin (1-click hardening, audit trail and blocking attackers).

Malware update – Fake AV Redirections

Weekly (kinda daily) malware update. You can track all our updates by following our malware_updates category.

*If your site has been affected by any of these issues, contact us at or visit to get help, or if you want to share some information with us.

Today we started to see a lot of sites infected with an iFrame malware from (yes, always the What is funny is that when we tried to access this site to identify what was going on, we were greeted with a page from the registrar saying that the domain was available:

The domain is available Continue to registration >>

If you want to build a site at this address, please visit us at


Mass infections –

We first detected malware from almost a month ago, and posted on our blog about it. But in the last few days, we started to see a big increase in the number of sites infected with it.

We were able to catalog almost 3,000 sites with this malware, and Google lists almost 2,000 sites on its Safe Browsing page (and it is growing each day – just yesterday it was less than 1,000):

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including,,


CBS Money Watch / ZDnet hacked and blacklisted by Google

We are getting reports that the CBS Money Watch and some ZDNet web sites are currently distributing malware and have been blacklisted by Google. We are still investigating, but if you try to visit the CBS Money Watch site (, you will get a warning from Google:


Ask Sucuri: What is the most common type of malware out there?

If you have any questions about malware, blacklisting, or security in general, send them to us: and we will answer here. For all the “ask sucuri” answers, go here.

Question: What is the most common type of malware (on web sites) that you find?

Unfortunately, the answer to this question changes every few months. For February and March 2011 we scanned more than 200,000 web sites (211,520 to be precise), and almost half of them had some type of malware (a high percentage of users scanning sites with our scanners are already infected or suspect some kind of funny business with their web property).

To be exact, 90,870 (around 42%) had some type of malware. This is the breakdown (some sites may have more than one issue identified, so the numbers may not add up):


CreateCSS malware update

We have been talking about this CreateCSS malware for a little while, but recently we started to see a shift in how the attackers are using it.

*If you don’t remember what it is: the CreateCSS malware has been used to infect thousands of osCommerce sites over the last 3 or 4 weeks. It got this name because it tries to disguise itself as a legitimate JavaScript function that creates CSS entries.

Anyway, previous versions of the malware infected sites with the following piece of code:

<script>function createCSS(selector,declaration)
var ua=navigator.userAgent.toLowerCase();
var isIE=(/msie/.test(ua))&&!(/opera/.test(ua))&&(/win/.te..
.. multiple lines..


Automattic / WordPress hacked – Security incident

The guys from Automattic (WordPress) today posted a brief statement about a security incident they suffered.

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

They didn’t provide many details, but the usual guidance applies: if you have an account at,, or any of their web properties, change your password ASAP (especially if you reuse it elsewhere).

It seems the attackers got root access there and, based on what they mentioned in the blog post, it was through brute force or stolen passwords…

We will post more details when we hear more.

Link injection on hacked WordPress sites – Blackhat SEO spam

For the last few months we’ve been tracking, and helping webmasters affected by, a very large blackhat SEO spam campaign initiated by, and many other domains located at

This campaign has infected thousands of WordPress sites and has injected spam links directly into their databases (the wp_posts table). These are some of the links you will see on an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html">lev itra 10 mg..


Database Injection on Joomla Websites – yourstatscounter dot cz dot cc

It seems that a good number of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection) via an unknown source (probably a vulnerable extension, but we are still researching the entry point).

This is what is being added to the infected sites (at the top of every post in the jos_content table):

<script type="text/javascript" src=""></script>

There are many other domains being used in this attack, including:


WordPress 3.1.1 is available (security fixes)

There is a new version of WordPress available (3.1.1) that includes multiple security fixes.

These are the changes according to

Some security hardening to media uploads, performance improvements, fixes for IIS6 support and fixes for taxonomy and PATHINFO (/index.php/) permalinks.

Version 3.1.1 also addresses three security issues discovered by WordPress core developers Jon Cave and Peter Westwood, of our security team. The first hardens CSRF prevention in the media uploader. The second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.

If you are curious about the changes, here are the modified files:
