Archives for April 2012

New WooThemes Vulnerability Patched – Update Framework Now!

Yesterday a vulnerability on the WooThemes Framework was disclosed by Jason Gill on githumb:gist. The vulnerability allows a visitor to see and run the output of any shortcode configured on the WordPress site.

At this time this does not appear to be linked to the DDoS they experienced this week.

We are currently assessing the severity of this vulnerability in our labs. If in fact we find that something severely adverse can be performed with it, the next big concern will be that it can be exploited even if the theme is not active.
Read More

Ransomware Malware on the Web?

As the week comes to a close I wanted to take a minute to talk about something we haven’t yet – Ransomware Malware.

The idea came from a case this week where a client was defaced. Instead of engaging the host or malware professional she took it upon herself to to plead with the attacker via the provided email (you have to love egos). What was most amusing though was the attacker finally gave in and restored her site in an attempt to get her off his back.

Obviously not something we recommend, but an amusing story none the less. She turned his defacement and retaliated with a little something we like to call, “Begware.”

And so this got us thinking about something that has predominantly been isolated to the notebook and desktop environments – Ransomware malware.
Read More

Lockdown WordPress – A Security Webinar with Dre Armeda

We had the opportunity to do a webinar about WordPress security with the guys from iThemes yesterday. Here’s the video for those of you who missed out on the fun:

Dre Armeda from Sucuri Security presented on various WordPress related areas that help reduce risk for website owners and administrators. The webinar includes a high level discussion about the growth of the internet, he goes over some of the more popular malware attacks affecting WordPress users, then offers various tips, tools, and resources to help you reduce risk.

Hope you enjoy!

If you have any questions, feel free to email us at

Sucuri Security WordPress Plugin Free To Clients: Getting Proactive with Web Malware

We are happy to announce that our premium WordPress plugin is now for free to all our existing and new clients. The plugin is a great compliment to our malware scanning and remediation services and provides a large array of features designed to help you combat the growing web malware problem.

Note: the plugin is available under all our existing plans for all our users.

We have started to get questions that ask whether this is the only plugin required for all your security needs, the answer is “no”. It is meant to compliment your arsenal and help you become more proactive when it comes to securing your WordPress instance.

Read More

Malware campaign against WordPress sites (recovery-hdd dot eu)

We have been tracking a new malware campaign that has been compromising thousands of WordPress sites over the last 3 days. They are not doing anything new, but using old vulnerabilities in plugins and themes, specially TimThumb, to add iframes to as many sites they can. Unfortunately, they have been very successful so far.

They are using many domains, but the most common one is, followed by, hence the name of the campaign.

Another tactic they are using is hijacked domain names from legitimate sites and free domain registration services to host their malware (at for the iframe url).

Here are some of the iframes we are seeing they using lately:

Read More

Ask Sucuri: What should I know when engaging a Web Malware Company?

We work in a business in which it is always chaos. In most situations the client is often distraught, vulnerable, and is plagued with this feeling of being out of control. It is the business of web malware cleanup. The last thing any website owner wants is to delay the cleanup process because of silly things that could have been easily prevented.

In our mind, there are three things you must know before engaging with any web malware company:

  • Know Your Host
  • Know How to Access Your Server
  • Have a Backup

As simple as they may appear, they still remain allusive to many.
Read More

Ask Sucuri: How to Stop The Hacker and ensure Your Site is Locked!!

With the rise in web malware over the last 6 – 12 months, it’s important that we take some time to continue to educate and offer insight into ways that can help you stay ahead, in the hopes of stopping the hacker.

Understanding The Hacker

Before we get started, lets take a look at the name “Hacker.” What many folks don’t realize is that while “Hacker” is often associated with bad, it also has a good association.

To the popular press, “hacker” means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. – source: Paul Graham

Read More

Nikjju SQL injection update (now hgbyju. com/r.php)

We posted a few days ago about a Mass SQL injection campaign that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the malware.

However, since the last two days, the attackers switched domain names and are now using to distribute their malware (also hosted at So the following code is now getting added to the compromised web sites:

<script src = <</script>

This domain name was registered just a few days ago (April 17) by James Northone, same name/email used on and many other domains from similar malware campaigns (probably fake):

Registrant Contact:
James Northone
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803

So they have been at this for a while with no sign at stopping.

Web Malware Trends and the Mac Flashfake / Flashback Outbreak

This has been an interesting couple of weeks in the Anti-Virus world, specifically in the malware business for notebooks and desktops running the MAC OS.

Securelist put out a very interesting post yesterday talking to the anatomy of the Flashfake / Flashback outbreak. While we can’t objectively quantify their claims, we wanted to take a look to see if we saw anything that might present itself as a possible correlation.

Low and behold, I think it is safe to say that “yes” a correlation does appear to exist.
Read More

WordPress Security Release – Upgrade to 3.3.2 TODAY

It’s that time again, to upgrade all your WordPress installs. This morning the core team released WordPress 3.3.2 which includes security updates for three external libraries:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

Here are a few other bugs addressed in WordPress 3.3.2:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

Here is the official WordPress News release on

So do it, go upgrade to WordPress 3.3.2 today!

If you have questions about your site security email Sucuri Info. Make sure to run a free malware scan with Sucuri SiteCheck.