Server Update Time: OpenSSH Vulnerability Disclosed

The OpenSSH team just released a security advisory about a vulnerability affecting both OpenSSH 6.2 and 6.3.

If you are not familiar with OpenSSH, it’s the software used by a large majority of servers and hosting providers to provide SFTP and SSH services. Any vulnerability discovered in OpenSSH could have a major impact on website owners, and on the Internet in general.

The good news is that this vulnerability only affects newer versions of OpenSSH, which are not widely used yet. If you are using Ubuntu 13.10 or Fedora 19, you are likely vulnerable. All other Linux distributions appear to be safe. To double-check, log into your server via SSH and type the following command:

# sshd -h
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

If you see OpenSSH_6.2 or OpenSSH_6.3, you know you are using the affected versions.


New WordPress and Joomla Updates Available

If you are a WordPress or Joomla user, you had better start updating your sites now.

Joomla 2.5.14

Joomla 2.5.14 was released containing some critical security fixes. They didn’t provide many details, but judging by the summary it seems serious enough to allow users to bypass upload restrictions:

Project: Joomla!
Severity: Critical
Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
Exploit type: Unauthorised Uploads
Reported Date: 2013-June-25
Fixed Date: 2013-July-31
Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on the Joomla 2.5.14 update is available here:

WordPress 3.6

WordPress 3.6 (a major release) was also announced with multiple new features and bug fixes. It doesn’t have any specific security fix, but keeping your site updated is a must, so we recommend that all users update.

More information on WordPress 3.6 is available here:

We recommend upgrading as soon as possible to reduce the risk of issues. Make sure you test your upgrades in a development environment before you go live.

If you have any questions, feel free to drop an email.

Ubuntu Forums Hacked

Ubuntu’s official forum web site ( was hacked and defaced, and all usernames and passwords were stolen. The forum was very popular, with over 1.8 million registered users. The site is now disabled with this warning:

What we know:

- Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.

- The passwords are not stored in plain text. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.

The site was running vBulletin and according to some sources, it was outdated and didn’t have the admin panel protected. During the time it was defaced, it was redirecting to “”, which had this image:

Ubuntu forums hacked

Size of the attack and consequences

The Ubuntu forum was very large, with over 1,800,000 registered members. Even though the passwords were not stored in plain text, they should be considered compromised and known by the attackers. And since the site used vBulletin, it is likely that they were just hashed with md5, which makes the job a lot easier for the attackers.

If you have an account there and you use the same password somewhere else, please change the password asap.

Redirecting users to Spam ads

One of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised, and all visits to it are being redirected to a sub page on a third-party domain. If you go to the portal (or any other of their sub domains), you will end up on a page full of ads about hosting, Internet and fake email products:

redirection

That redirection has been going on for a few hours at least: we detected it for the first time around 8am EST and it is still live four hours later (noon EST).

What is going on?

We are investigating, but at the bottom of any page inside there is a script being loaded from

<script defer src="httx://"></script>

That JavaScript file is very slow to load, but when it does, it runs the following code:

 window.location = httx://…

Which forces the browser to redirect the to At this point, we recommend that users not visit any page there (or go there with JavaScript disabled).

Who really owns your site?

This brings up a good topic that we have brought up before. Who really owns your site? Every time you include a JavaScript file (or widget or iframe), the security of your site becomes dependent on that third-party server. It doesn’t look like Globo itself was compromised, but since they are including code from a third-party server, they are only as secure as that server.

Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.

Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded for all your users.
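A first step toward answering "who really owns your site?" is an inventory of every remote script and iframe a page pulls in. The following is an added example, not code from the original post or from any of the sites named in it; the HTML and all hostnames are constructed placeholders, and trusted_hosts is an assumed allowlist the site owner maintains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample page; every hostname is a placeholder, not a real site.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example-first-party.test/lib.js"></script>
</head><body>
<iframe src="https://widgets.example-third.test/embed"></iframe>
<script defer src="http://ads.example-third.test/loader.js"></script>
<script>var inline = 1;</script>
</body></html>
"""


class RemoteIncludeParser(HTMLParser):
    """Collect the src of every <script> and <iframe>, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:  # inline scripts have no src and are not remote code
            self.includes.append((tag, urljoin(self.page_url, src)))


def third_party_includes(html, page_url, trusted_hosts=()):
    """Return (tag, url, host) for each include served from a host that is
    neither the page's own host nor in the assumed trusted_hosts allowlist.
    Each entry is a server whose compromise would change what your users see."""
    parser = RemoteIncludeParser(page_url)
    parser.feed(html)
    allowed = {urlparse(page_url).hostname, *trusted_hosts}
    result = []
    for tag, url in parser.includes:
        host = urlparse(url).hostname
        if host not in allowed:
            result.append((tag, url, host))
    return result
```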

*update 1: Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the amount of people complaining or worried about it.

*update 2: If you click on some URLs inside, you will be redirected to as well ( for example: httx:// )

Malaysian Election and DDOS

Malaysia is having an election this weekend that has been surrounded by issues. We won’t go into the politics, but one of our clients’ sites (a popular Malaysian news source that we won’t name) started to suffer a very large scale DDOS (distributed denial of service) attack. Reuters also has a similar story about another site, and we can confirm what they are saying:

(Reuters) – Ahead of Malaysia’s elections on Sunday, independent online media say they are being targeted in Internet attacks which filter content and throttle access to websites, threatening to deprive voters of their main source of independent reporting.

This specific Malaysian site has been targeted for a couple of weeks, but since May 1st their sites have been hit by a very large botnet.

Malaysia site DDOS

To protect the innocent, we won’t go into much detail, but the green in the graph is the outbound data and the blue is the inbound. That means thousands of simultaneous connections per second being sustained against them for the last 4 days.

Technical details

This DDOS is HTTP-based and is targeting their web server. It started by targeting their 404 handler, requesting pages that do not exist. What was interesting is the choice of URL they decided to use, "FloodFloodFLOOD":

 – – [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOOD.png HTTP/1.1" 404
 – – [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOODFLOOD.png HTTP/1.1" 404 0
 – – [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOOD.png HTTP/1.1" 404

That can be easily blocked and filtered, so they quickly switched to more complex types of attacks. Since the site runs WordPress, they decided to target the search function to bypass any internal caches and make sure that each page is actually loaded:

 – – [02/May/2013:11:57:30 -0400] "GET /?s=1367683016682 HTTP/1.1" 200 154 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.56 Safari/537.36"
 – – [02/May/2013:11:57:30 -0400] "GET /?s=1367683016683 HTTP/1.1" 200 154 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.56 Safari/537.36"
 – – [02/May/2013:11:57:30 -0400] "GET /?s=1367682722241 HTTP/1.1" 200 154 "" "Mozilla/5.0 (Linux; Android 4.0.3; GT-P5100 Build/IML74K) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.169 Safari/537.22"
 – – [02/May/2013:11:57:30 -0400] "GET /?s=1367682708689 HTTP/1.1" 200 154 "" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; BOIE9;ENUS)"
.. thousands more per second ..

Notice that those referers and user agents are likely fake and just being used to try to bypass any security filter.

Size of the DDOS and their Botnet

What is actually impressive about this attack is the number of IP addresses (bots) being used. Just in the last 24 hours, 36,367 (yes, 36 thousand different IP addresses) were used to attack this site. It means that the people behind it have considerable capacity. What is interesting is that all IP addresses come from Malaysian IP ranges, and they seem to be compromised desktops.
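The two patterns quoted above (404 requests for non-existent "Flood" images, then cache-busting /?s=<number> searches) and the unique-IP count are all things you can pull straight out of the access log. The following is an added example, not code from the original post; the log lines are constructed in Apache combined format with made-up IPs, referers and user agents, and search_threshold is an assumed cut-off for flagging a source.

```python
import re
from collections import Counter

# Constructed sample log; IPs, referers and user agents are made up, the
# paths follow the two attack patterns quoted in the post.
SAMPLE_LOG = """\
10.0.0.1 - - [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOOD.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.2 - - [01/May/2013:10:00:38 -0400] "GET /wp-content/uploads/2013/05/FloodFLOODFloodFLOODFloodFLOOD.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.3 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367683016682 HTTP/1.1" 200 154 "http://referer.invalid/" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
10.0.0.4 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367683016683 HTTP/1.1" 200 154 "http://referer.invalid/" "Mozilla/5.0 (Linux; Android 4.0.3)"
10.0.0.3 - - [02/May/2013:11:57:30 -0400] "GET /?s=1367682722241 HTTP/1.1" 200 154 "http://referer.invalid/" "Mozilla/5.0 (compatible; MSIE 10.0)"
10.0.0.5 - - [02/May/2013:11:57:31 -0400] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A WordPress search whose whole "term" is a number: a fresh value per request
# is what makes every hit miss the cache and reach PHP and the database.
SEARCH_RE = re.compile(r'^/\?s=\d+$')


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, search_threshold=2):
    """Summarise a log excerpt: unique source IPs, peak requests in one second,
    per-IP counts of the 404 flood and the search flood, and the flagged IPs."""
    per_second, ips = Counter(), set()
    flood_404, search_flood = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue  # skip lines that are not in combined format
        ips.add(rec["ip"])
        per_second[rec["ts"]] += 1  # timestamps have one-second resolution
        if rec["status"] == "404" and "Flood" in rec["path"]:
            flood_404[rec["ip"]] += 1
        if SEARCH_RE.match(rec["path"]):
            search_flood[rec["ip"]] += 1
    flagged = set(flood_404) | {ip for ip, n in search_flood.items() if n >= search_threshold}
    return {
        "unique_ips": len(ips),
        "peak_per_second": max(per_second.values(), default=0),
        "flood_404_ips": dict(flood_404),
        "search_flood_ips": dict(search_flood),
        "flagged_ips": sorted(flagged),
    }
```

On a real log the flagged list is what you would feed to a firewall or rate limiter; the referer and user-agent fields are deliberately ignored, since the post notes they are likely forged.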

Since it is an ongoing event, we won’t give more details and we are working with the proper authorities and the Malaysian CERT to stop them.

Joomla 2.5.8 and 3.0.2 Released (Security Updates)

Joomla 2.5.8 and 3.0.2 were just released today fixing a medium severity security bug related to a clickjacking/XSS vulnerability. You can find more details on their release notes:

If you are not familiar with ClickJacking, Wikipedia explains it well:

Clickjacking is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

And remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.8/3.0.2 on their Joomla sites.

New Google Chrome Blacklist Warning for Macs

If you go to a site that is Blacklisted by Google, you will see a new (and prettier) malware warning now if you are using a Mac:

The Website Ahead Contains Malware!
Google Chrome Has Blocked access to for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.

Nothing major has changed, but we found this new wording to be clearer for the end user. So good move from the Google/Chrome team.

If you have additional concerns regarding getting your site removed from a blacklist like the one above, let us know and we will be happy to help.

Joomla 2.5.7 Released (Security Update)

Joomla 2.5.7 was just released today, fixing 2 low-severity security bugs and adding a few other improvements. As always, we recommend that all our Joomla users update to 2.5.7 as soon as they can.

From their announcement page, here are the security bugs fixed:

  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability in language switcher module.
  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability.

Remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.7 on their Joomla sites.

WordPress Security Presentation (in Portuguese)

Bruno Borges (from our security team) did a great presentation at WordCamp Sao Paulo (Brazil) about WordPress security and how to keep a site secure.

WordPress Security

The video is in Portuguese (pt-br), and can be viewed here:


Fan of Twilight? Be Very Careful If You’re Looking Online For It

If you like the Twilight series, be careful if you plan to do any “research” on it, or if you plan to visit the site of the series author (Stephenie Meyer). Her site is currently hacked, blacklisted, and redirecting users to the Blackhole Exploit Kit.

You can see the results on the sitecheck:
