vBulletin Exploits in the Wild


Update: CheckPoint disclosed more details here: Check Point Discovers Critical vBulletin 0-Day.

The vBulletin team patched a serious object injection vulnerability yesterday that can lead to full command execution on any site running an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9.

The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As a precaution, all passwords were reset; you will have to create a new one before you can access vbulletin.com again and download the patches.

Exploits in the Wild

This vulnerability seems to have been around for a bit. We were able to trace exploit attempts back to the end of October; they were targeting a few high profile vBulletin sites protected by our Website Firewall.

The exploit was shared publicly yesterday. It attacks the decodeArguments Ajax API hook. Here is an example of an exploit attempt in the wild:

108.47.xx.yy - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum[/]ajax/api/hook/decodeArguments?

Once decoded, it executes:


This shows the attacker the output of phpinfo(), indicating that the exploit succeeded. If this test payload works, the attacker will proceed with a full compromise. We are not seeing widespread exploitation attempts yet, as just a few high profile sites were targeted, but we expect that to change soon as the exploit makes its way into the automation engines.
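To spot probes like the one above in your own access logs, here is an added example (not code from the original post) that parses combined-format log lines and counts requests to the decodeArguments hook per source IP. The log regex and the sample lines are constructed for this example; the truncated query string mirrors the post's own excerpt.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log prefix: ip, ident, user, [timestamp], "METHOD path ...".
# Constructed for this example; adjust if your log format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# The Ajax API hook the exploit calls, as named in the post. Matched
# case-insensitively so a differently cased path is not missed.
HOOK_RE = re.compile(r"ajax/api/hook/decodeArguments", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hook_probe(line):
    """True when the request path touches the decodeArguments hook."""
    rec = parse_line(line)
    return bool(rec and HOOK_RE.search(rec["path"]))

def probing_ips(lines):
    """Count decodeArguments requests per source IP over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and HOOK_RE.search(rec["path"]):
            counts[rec["ip"]] += 1
    return counts

# Constructed sample log, not real traffic. 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '108.47.xx.yy - - [02/Nov/2015:22:18:21 -0500] "GET /vbforum/ajax/api/hook/decodeArguments?arguments=X HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Nov/2015:22:18:25 -0500] "GET /vbforum/forum/index.php HTTP/1.1" 200 9012',
    '108.47.xx.yy - - [02/Nov/2015:22:19:02 -0500] "POST /vbforum/ajax/api/hook/decodeArguments HTTP/1.1" 200 640',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in probing_ips(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} decodeArguments request(s)")
```

Any hit is worth investigating: legitimate vBulletin front-end traffic does not normally call this hook with attacker-supplied arguments, and a 200 response means the request reached the vulnerable code.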

Patch and Protect

If we have not emphasized this before, you have to patch your vBulletin site now! Websites behind our WAF are (and always were) protected against this vulnerability due to our virtual hardening technology. If you cannot patch your vBulletin site, we recommend looking at a solution to stop these exploits before they reach you.

Joomla SQL Injection Attacks in the Wild

Last week, the Joomla team released an update to patch a serious vulnerability in Joomla 3.x. This vulnerability is an SQL injection (CVE-2015-7858) that allows an attacker to take over a vulnerable site with ease. We predicted that the attacks would start in the wild very soon, due to the popularity of the Joomla platform and how easy the exploitation is.

Joomla 3.4.5 Released, Fixing a Serious SQL Injection Vulnerability


The Joomla team just released a new Joomla version (3.4.5) to fix some serious security vulnerabilities. The most critical one is a remote and unauthenticated SQL injection in the com_contenthistory module (included by default) that allows a full takeover of the vulnerable site.

Update October 26, 2015: We posted a follow up looking at the prevalence of Joomla SQL injection attacks in the wild less than 24 hours after this disclosure.

Directly from the Joomla announcement:


Brute Force Amplification Attacks Against WordPress XMLRPC

Brute Force attacks are one of the oldest and most common types of attacks that we still see on the Internet today. If you have a server online, it’s most likely being hit right now. It could be via protocols like SSH or FTP, and if it’s a web server, via web-based brute force attempts against whatever CMS you are using.

These attacks are often not very complex and are theoretically easy to stop and mitigate, but they still happen and are successful, mostly because people are very bad at choosing good passwords or employing good access control habits. There is a catch, however: while simple, these Brute Force attacks are noisy. Traditionally, to try 500 different passwords, the attackers would need to make 500 different login attempts, captured in a 1-to-1 relationship with each request to the server. By design, this simplifies the mitigation approach, as every single attempt is logged and can be blocked once a certain limit is reached.


WordPress Malware – VisitorTracker Campaign Update

For the last 3 weeks we have been tracking a malware campaign that has been compromising thousands of WordPress sites with the VisitorTracker malware code.

We initially posted some details about this issue in this blog post: WordPress Malware – Active VisitorTracker Campaign, but as the campaign and the malicious code have evolved, we decided to provide an update on what is going on.

To give an idea of the size of this campaign, we tracked the number of compromised sites we have detected over the last 3 weeks:


As you can see from the above graph, it started relatively small, peaked about 10 days ago, slowed down again and gained a lot of traction over the last 3 days.


WordPress Malware – Active VisitorTracker Campaign

We are seeing a large number of WordPress sites compromised with the “visitorTracker_isMob” malware code. This campaign started 15 days ago, but only in the last few days have we started to see it gain traction; really affecting a large number of sites.

Here is a quick snapshot of what we’re seeing with the infection rates over the past two weeks, but the most interesting trend is over the past 48 hours, as it has grown significantly. These are the daily infection rates:


We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites. This post should serve as a resource to help WordPress administrators (i.e., webmasters) in the WordPress community.

Technical Description

This malware campaign is interesting: its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages try a wide variety of available browser exploits to infect the computers of unsuspecting visitors.

If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.

This malware campaign adds the following code to all javascript files on the site:

function visitorTracker_isMob( ){
var ua = window.navigator.userAgent.toLowerCase();
if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc .. |vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
return true;
}
return false;
} /* .. visitorTracker .. */ /*

This function interacts with a secondary backdoor inside the site to force the browser to load a malicious iframe from one of their Nuclear Exploit Kit landing pages. The current landing page is pointing to vovagandon.tk, but that domain changes very often.

We named this malware campaign "VisitorTracker" because of the function name used in all injected JavaScript files: visitorTracker_isMob().

At the network level, here is what you would see when visiting a compromised site (thanks to Jerome Segura from MalwareBytes for sharing this with us):


In this case, a large security provider (Coverity) had their site hacked, and you can see the iframe being loaded and the browser being sent to the exploit kit landing page at vovagandon.tk. We already reached out to Coverity about the issue, and they should be addressing it soon.

Protect your sites!

We detected thousands of sites compromised with this malware just today, and 95% of them are using WordPress. We have not determined a specific entry point yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins. Out of all the sites we detected to be compromised, 17% of them have already been blacklisted by Google and other popular blacklists.

If you are a WordPress user, make sure you keep all your plugins updated, including premium ones. I also recommend checking your site via our Free Security / Malware Scanner (SiteCheck) to verify if you’re currently being affected by this campaign. If you’re a system administrator and have access to your server you can use the following command (grep) to search for the infection on your files:

grep -r "visitorTracker_isMob" /var/www/

Once identified, we recommend you proceed with removing the infection and looking for any other indicators of compromise. If you need professional response, our team is standing by to assist.
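The grep above tells you which files carry the injection; the added example below (not code from the original post) goes one step further and locates the whole injected block, from the visitorTracker_isMob() function through its "/* .. visitorTracker .. */" trailer comment, so it can be reported and stripped from every .js file under a web root. It assumes that trailer comment is always present, as in the sample shown above, and builds a throwaway directory with a constructed infected file rather than touching a live site.

```python
import os
import re
import tempfile

# Signature of the injected block described above: the visitorTracker_isMob()
# function and its "/* .. visitorTracker .. */" trailer (assumed always present).
INJECT_RE = re.compile(
    r"function\s+visitorTracker_isMob\s*\(\s*\)\s*\{.*?\}\s*"
    r"/\*[^*]*visitorTracker[^*]*\*/[ \t]*\n?", re.DOTALL)

def clean_source(source):
    """Strip the injected block; returns (cleaned_text, was_infected)."""
    cleaned, hits = INJECT_RE.subn("", source)
    return cleaned, hits > 0

def scan_tree(root, clean=False):
    """Return the .js files under root carrying the injection; clean=True rewrites each hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                cleaned, infected = clean_source(fh.read())
            if not infected:
                continue
            hits.append(path)
            if clean:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
    return hits

# Constructed sample, not a real capture: a shortened copy of the injected block
# placed between two lines of legitimate code.
INJECTED = ("function visitorTracker_isMob( ){\nvar ua = window.navigator.userAgent.toLowerCase();\n"
            "if(/android|ip(hone|od)/i.test(ua.substr(0,4))) {\nreturn true;\n}\nreturn false;\n"
            "} /* .. visitorTracker .. */\n")
LEGIT_HEAD = "jQuery(document).ready(function(){});\n"
LEGIT_TAIL = "var legit = 1;\n"

def demo():
    """Throwaway tree with one infected and one clean file; returns (hit count, cleaned text)."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "bad.js")
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write(LEGIT_HEAD + INJECTED + LEGIT_TAIL)
        with open(os.path.join(root, "ok.js"), "w", encoding="utf-8") as fh:
            fh.write(LEGIT_HEAD + LEGIT_TAIL)
        hits = scan_tree(root, clean=True)
        with open(bad, encoding="utf-8") as fh:
            return len(hits), fh.read()
```

Run scan_tree("/var/www", clean=False) first to review the hit list from a backup, since stripping the JavaScript does nothing about the secondary backdoor the post mentions or the plugin that let the attackers in.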

WordPress Brute Force Attacks – 2015 Threat Landscape


One of the first server-level compromises I had to deal with in my life was around 15 years ago, and it was caused by an SSH brute force attack. A co-worker set up a test server and chose a very weak root password. A few days later, the box was compromised and the attackers installed IRC bots and used that server as a stepping stone to hack others.

You would think that after 15 years of improvements on security, brute force attacks would be a thing of the past.

However, brute force attacks are still going strong. In fact, they are one of the leading causes of website compromises. When you have an unprotected login page, you will see brute force attempts. With WordPress sites, the same rule applies. We see thousands of failed login attempts to /wp-login.php per minute on the websites we protect.

We see so many that we decided to create a separate page to track the state of brute force attacks against WordPress sites in our network:


This page is updated daily with new data that we see on brute force attacks live in the wild. We will be adding more data to it soon, but for now it can give a good idea of the current threat level.

If you have any suggestions or ideas on what to add, let us know.

Analyzing Popular Layer 7 Application DDoS Attacks


Distributed Denial of Service (DDoS) attacks have been a major concern for website owners for a while. All types of sites, from small to big, have been taken down and kept offline because of them. Even over-provisioned servers can be taken offline by the smallest of DDoS attacks, because hosting providers null-route the targeted IP addresses and keep them offline for days. Websites behind load balancers and cloud infrastructures are also susceptible, since very few of them are designed to handle DDoS attacks and the variety of ways they can happen.

Ask Sucuri: How Did My WordPress Website Get Hacked? – A Tutorial


With the proliferation of Infrastructure and Platform as a Service providers, it is no surprise that a majority of today's websites are hosted in the proverbial cloud. This is great because it allows organizations and individuals alike to quickly deploy their websites, with relatively little overhead on their own infrastructure and systems. While there are many positive attributes associated with hosting in the cloud, there are also limitations, specifically when it comes to security and what you as a website owner are allowed to do (it depends on the host and what features you have enabled; learn more about how hosts manage your website security).

For example, this comes into play with the retention and collection of vital information in the form of logs, specifically audit and security logs.

Over the past few months we have shared a number of articles on How websites get hacked? and the Impacts of said hacks. Last year, we spent some time dissecting another WordPress hack using our free WordPress Security plugin. Today, I want to dig a bit further into the world of Incident Response, specifically forensics, or the art of figuring out what happened.


BIND9 – Denial of Service Exploit in the Wild


BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers.

A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote and unauthenticated attacker to crash the BIND (named) daemon, taking down a DNS server.

This happens because of an error in the way BIND handles TKEY queries: a single UDP packet can trigger a REQUIRE assertion failure, causing the DNS daemon to exit.

Exploits in the Wild

Because of its severity we’ve been actively monitoring to see when the exploit would be live. We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down also means your email, HTTP and all other services will be unavailable.
