Ask Sucuri: How Does Sucuri Clean a Website?

03212016_HowClean

Question: How does Sucuri clean hacked websites? What is the process?

We clean a lot of websites, ~ 400 / 500, daily during our normal load. To understand how we do it, you have to understand where it all comes from.

The biggest challenge with providing incident response services (remediation) on compromised websites is that a majority of website owners (webmasters) are not prepared. Most website owners lack security knowledge and fail to invest the time necessary to become familiarized with its concepts and how it’s applicable to their environment. They fail to get their websites ready for when, not if, an attack or disaster happens. In many instances, if the webmaster had been prepared, the entire remediation process would’ve been streamlined.


Read More

Ransomware Strikes Websites

Website Ransomware

Ransomware is one of the most insidious types of malware that one can come across. These infections will encrypt all files on the target computer as well as any hard drives connected to the machine – pictures, videos, text files – you name it. This means that all of your files are locked. The attackers will then demand an extortion fee to have them decrypted, usually in the form of untraceable Bitcoin ransom. Like any ransom, you can never be sure they’ll stay true to their word or instead continue to demand more money.

The Evolution of Ransomware

Ransomware infections started appearing in 2013 and have been steadily on the rise since then. Today it is one of the most pervasive online threats that Internet users and businesses face. Traditionally, ransomware has only affected personal computers and the malware is often distributed through hacked websites.

Over the last few months there has been a new development with ransomware attacks: They’ve started to infect websites themselves.

Read More

Redirect to Microsoft Word Macro Virus

Wordredirect_Blog

These days we rarely see Microsoft Word malware on websites, but it still exists and compromised websites can distribute this kind of malware as well. It’s not just email attachments when it comes to sharing infected documents.

For example, this malicious file was found on a hacked Joomla site by our analyst Krasimir Konov.
Read More

.htaccess Tricks in Global.asa Files

htaccess_v1

As you might know a lot of hacks use Apache configuration .htaccess files to override default web site behavior: add conditional redirects, create virtual paths (e.g mod_rewrite), auto-append code to PHP scripts, etc.

In the world of IIS/ASP there is also an equivalent — Global.asa files. This file contains common declarations for all ASP scripts and should be placed in an ASP application root directory. If this file exists, ASP sessions include this file automatically.

Read More

Webutation Distributing Malware Through Safety Badge

webutation_disclosure

If you are using the Webutation badge on your site, remove it now. It appears they got hacked and are distributing malware to mobile devices through redirects hidden within the badge’s code.

We were analyzing a website that was compromised and redirecting visitors to bogus apps on the Apple App Store and the Google Play Store. The website looked clean, but the redirect kept happening for mobile users. Upon further inspection, we found out that the Webutation safety badge was responsible for the redirect.

The file load_badge.js – which is used to generate the badge – has some additional JavaScript from jquaryr[.]com that is only displayed for mobile user agents. That code from jquaryr (obviously an intentional typo of jQuery) forces a page reload, which then pushes the user to the bogus apps. This is dangerous because visitors rely on security badges to confirm the credibility and security of the website they are visiting. This is the first time we have seen one hacked in this way to distribute malware and malicious redirects.
Read More

Fake jQuery Scripts in Nulled WordPress Plugins

fake-jquery-scripts

We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages.

A quick look through the HTML code revealed this script:

Fake jQuery script injection

Fake jQuery script injection

It was very suspicious for a few reasons:
Read More

Hacked Websites Redirect to Bitcoin

bitcoin

Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the BitCoin site, bitcoin.org. What’s going on? Is Bitcoin using black hat SEO? Is their site malicious?

Redirect to bitcoin.org

Redirect chain to bitcoin.org in Unmask Parasites results

As you can see, the hacked website doesn’t redirect to bitcoin.org directly. It first redirects to 194 .6 .233 .7/mxjbb . cgi?default, which acts a at raffic directing system (TDS). This piece analyzes request parameters specific to the visitor (IP, browser, referrer, etc.) and makes a decision as to what to do with the particular request. The TDS may have different routes for users from different countries or users with different browsers. Furthermore, the TDS may be completely uninterested in certain requests (e.g. requests from search engine and security bots, or requests from browsers that can be very hard to exploit). A typical TDS would either return some HTTP error (e.g. 404 Page Not Found) or redirect unwanted traffic to some neutral third-party site. Most TDS are configured to dump unwanted traffic to google.com.
Read More

My Website Was Blacklisted By Google and Distributing Email Spam

Image by Benson Kua licensed under Creative Commons

Image by Benson Kua licensed under Creative Commons

Being blacklisted by Google is one of the worst things that can happen to a website. The public shame coming from every visitor being stopped by the Big Red Warning page can literally destroy any online business, I am speaking from personal experience before joining the Sucuri team. When a website is blacklisted, users are unable to access the website without specifically agreeing to take on the risks. As a result, blacklisted websites lose around 95% of their traffic.

The following is a true story, based on my personal experience with a blacklisted website. This is actually how I came to know of Sucuri, and how I now work for them as their Social Media Specialist. Have no fear, nothing has been changed; these are real names and events. No additional websites have been harmed during the writing process.


Read More

The Impacts of a Hacked Website

02222016_ImpactsofWebsiteHack

Today, with the proliferation of open-source technologies like WordPress, Joomla and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website.

We are failing each other, we are not setting ourselves up for success. We are learning the hard way what large organizations already learned – being online is a responsibility and will eventually cost you something.

I recently shared a post talking to the motivations behind hacks. This post was important as it helped provide context and I encourage you to spend some time digesting the information. What it fails to do is what I want to focus on in this post.

What are the impacts of these hacks to your website? To your business?
Read More

Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.


Read More