Archives for August 2012

Network Outage

UPDATE: Issue has been resolved. Please see timeline below for details.

One of the data centers we currently use is experiencing an unusual network level outage. This is impacting a couple of our external website properties, specifically the Sucuri Login area and SiteCheck.

Rest assured that none of the monitors scanning your sites are affected, only the servers housing our external facing properties. We’re working with the data center and network provider to better understand the issue. The minute we learn more we will pass it on.

This will impact our ability to:

  • Respond to your support inquiries
  • Perform cleanups

We sincerely apologize for the inconvenience. As we learn more we will pass it on.

Please direct any questions or concerns to


8.31.12 12:42pm PST – Data Connectivity Issues (Affecting User dashboard login, SiteCheck)

8.31.12 12:52pm PST – Network Provider update: NAC has informed us of a power issue affecting at least some portion of the datacenter. As soon as power is restored we are poised to execute our recovery procedures to all affected systems.

8.31.12 1:06pm PST – Data Connectivity Restored. Power restored at datacenter.

WordPress Security – Cutting Through The BS

I recently spoke at WordCamp Chicago 2012 on WordPress Security. In this post I’ll share my presentation but also provide context such that it allows the reader to better digest the presentation’s content.

Let me know how I do!!!

When putting the presentation together I found myself between a rock and a hard spot; I felt as if all the presentations given to date are always about the same stuff. And maybe that’s necessary; repetitiveness is key, they say, but is it?


The Password Dilemma – Unique and Complex is the Key

A lot of attention is being applied to passwords lately, and rightfully so.

Most everyone is trying to understand how easy or hard reverse engineering passwords is, and trying to better grasp the role it plays in today’s compromises. What is being realized is that it plays an instrumental role, and ranks easily amongst the top 5 reasons why web applications are compromised.


Java Zero-Day In The Wild

A Java Zero-Day vulnerability was disclosed today, and it’s being distributed through the use of websites.

If you visit an infected site you’ll see something like this if you have Java disabled. It will not always show though:


WordPress Security Presentation (in Portuguese)

Bruno Borges (from our security team) did a great presentation at WordCamp Sao Paulo (Brazil) about WordPress security and how to keep a site secure.

The video is in Portuguese (pt-br), and can be viewed here:

Watch live streaming video from primaestudio at

Rebots.php JavaScript Malware Being Actively Injected

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has increased its appearances, and has varied the way it’s being included on the infected sites.


When you visit a compromised site, it will attempt to load an additional JavaScript, like one of these:

<script src=""..

<script; src=""..


SiteCheck – Got Blackhat SEO Spam Warning?

As of late it seems like we’re talking about a lot of SPAM-related cases; this post will be no different.

Before you start, let me preface this by saying that clearing a Blackhat SEO Spam injection is probably the biggest PITA (Google It) infection there is. They constantly evolve, making them difficult to detect and they employ both new and old techniques that, even after years, still prove to be annoying. This post will demonstrate one such case.


WordPress Pluggable.php Being Compromised

The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability; WordPress is simply being targeted as the host.

This malware is not new and we have been seeing variations of it since June 2012. However, for the last few days the number of sites compromised has multiplied, prompting this post.

We are still tracking down how the sites are getting hacked, but so far we noticed a few similarities between them.


Automation is Key With Today’s Website Attacks

When trying to understand the anatomy of attacks on websites, you have to break it down into manageable parts. In my mind it really comes down to two types: Targeted and Opportunistic.

What is important to understand is how the attack is executed. That’s what I want to spend some time on in this post.

What Do Today’s Attacks Look Like?

For most, targeted attacks will be rare, even though they happen every day. You might recall mentions on the news about the CIA website being defaced, or LinkedIn and eHarmony being compromised. These are targeted attacks. There are also examples like the most recent article that talked to the Gizmodo employee who appeared to have lost his entire digital identity, simply because the attacker liked his Twitter handle.

On the flip side, you have opportunistic attacks that are the most common. I provide a better discussion on it in our post, Understanding Opportunistic Attacks. The good news though is that in both instances you find many similarities in the attacks, specifically the use of tools that allow for automation.


Sucuri Blog Gets a Face Lift

Most of you that follow us have probably noticed something different today, yes, that’s right, we gave our blog a face-lift. I think most will agree that it was about time, especially with the most recent change to our main page for Sucuri.

No need to fret though, all your favorites are still on the blog, but we do hope that the overall experience is improved. You’ll also notice a change in branding; this is no longer known as the Sucuri Research Blog.

Instead, we’ll now be classifying it as the Sucuri Blog.

This will now be our central gateway to all our information; yes, this means we have also ported the learn blog over to this new property. We will continue to provide posts as often as possible and topics will range between research, learn and basic awareness. The only element not being migrated is the Company News; that will continue to reside on our main page.

Feel free to let us know what you think.