Magento Shoplift (SUPEE-5344) Exploits in the Wild

As warned a few days ago, the Magento Shoplift (SUPEE-5344) vulnerability details have been disclosed by the CheckPoint team. They show step by step how it can be exploited to take over a vulnerable Magento site.

They have prepared the following video showing a Proof of Concept (PoC) in which they create a fake coupon:

That’s a simple example. This vulnerability can be exploited in much more devastating ways.

Magento ShopLift in the Wild

As expected, it is now actively being exploited.

Less than 24 hours after the disclosure, we started to see attacks in our WAF logs trying to exploit this vulnerability. They seem to be coming from a specific crime group, since they all look the same:


Read More

New Malware Campaign – WPcache-Blogger – Affects Thousands more WordPress Websites via RevSlider

If SoakSoak wasn’t enough, we are starting to see a new malware campaign leveraging the RevSlider vulnerability and compromising thousands of WordPress sites in the last few days.

Unlike SoakSoak, it consists of 3 distinct malframes that together form one new campaign. We're tracking each closely:

1- wpcache-blogger:

This campaign is using the domain wpcache-blogger.com as the main malware distributor and command and control. So far it has been responsible for the Google blacklisting of 12,418 sites:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 12418 domain(s), including bertaltena.com/, polishexpress.co.uk/, maracanafoot.com/.

2- ads.akeemdom.com

This second campaign seems to be done by the same team behind SoakSoak, but at a smaller scale. Google has blacklisted 6,086 sites so far:

Yes, this site has hosted malicious software over the past 90 days. It infected 6086 domain(s), including fitforabrideblog.com/, notjustok.com/, notanotherpoppie.com/.

3- 122.155.168.0:

This campaign has been going on for almost a week and started shortly after SoakSoak. It seems to be slowing down and was responsible for the blacklisting of 9,731 domains.

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 122.155.168.0 appeared to function as an intermediary for the infection of 9731 site(s) including kitchenandplumbing.com/, salleurl.edu/, radiorumba.fm/.

WPcache-blogger Malframes

Together, these 3 campaigns have caused 28,235 websites to be blacklisted by Google (according to their Safe Browsing stats) in a very short time frame. Our internal analysis has identified more than 50,000 WordPress websites compromised via this new campaign, not all of which have been blacklisted yet.

However, the WPcache-blogger variation has been picking up a lot of traction in the past 24 hours; it's by far the most aggressive in its growth trajectory. When it compromises a site, it adds the following code to the footer of the theme:

eval ( base64_decode("ZnVuY..

This payload contacts http://wpcache-blogger.com/getlinks.php, retrieving the malicious iframe to be displayed to the user. What is interesting about this injection is that it is highly conditional: if you reload the page, it loads “google” via an iframe instead of the malware site.

This is the real malframe:

<iframe src="httx://theme.wpcache-blogger.com/css&quot...

But it will also display an iframe to Google from time to time to make it harder to be detected:

<iframe src="http://google.com"..

If you see an iframe to Google.com on your site, consider yourself hacked.

Cleanup and Protection

As with the previous RevSlider issues, you have to update it ASAP to close the door to new attacks. Updating won't clean your site, but it will help contain the problem.

Once RevSlider is updated, you have to do a full clean-up of your site. Just reinstalling WordPress won't fix the problem; as mentioned before, this campaign is similar to #soaksoak in that it uses a wide range of backdoors, allowing the attackers to regain access to your website while bypassing all existing controls in place.

We recommend that everyone take security seriously and put their website behind a Website Firewall ASAP; the scale of these attacks is increasing daily. We're cleaning thousands of sites that were all following the latest security tips and running the coolest security plugins. Yes, we have a product that does this, but you don't have to use it. Search for alternatives, and if you're a sysadmin / DIY type of person, try the open-source project ModSecurity or any other variation available.

Whatever you do, it’s time you start taking security seriously!

Popular Brazilian Site “Porta dos Fundos” Hacked

A very well-known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by download) via a malicious Flash executable, as you can see from our SiteCheck results:

SiteCheck Found Malware on Porta dos Fundos

If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.

The infection starts with malicious JavaScript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:


Read More

PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that lets them get back into the site; this type of malware is called a backdoor. It gets this name because it allows remote control of a compromised website in a way that bypasses the proper authentication methods. You can update your site, change passwords and carry out any of your admin procedures, and the backdoor would still be there, giving an attacker unexpected access.

Backdoors are also very hard to find because they don't have to be linked directly from the website; they can be very small and easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded, and they can be anywhere on your site, in the file system or in the database.

We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.
Read More

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client's site but not sharing the reason why. That they share very little information should not be news, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the insight required to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearings

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to the http://bls.pw/ shortener.

Read More

vBulletin.com Compromised

The vBulletin team recently announced that they suffered a compromise which allowed the attackers access to vbulletin.com servers and database. In their own words:

We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.


Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not-so-safe attempts to access information. After months of waiting, one of those not-so-safe requests finally hit one of our honeypots.

We won't get into the location of the site because it really doesn't matter, a fact that most critics don't realize. As is often the case, the honeypot site was quiet, without much traffic, and the weakness was access control.

We intentionally set the site's password to one of the top 10 passwords; with continuous attempts, it took about 3 months before it was accessed.

This time, though, we were ready, and this is how it went...

Read More

Blackhat SEO and ASP Sites

It's all too easy to scream and holler at PHP-based websites and the various malware variants associated with the technology, but perhaps we're a bit too biased.

Here is a quick post on an ASP variant. We thought we'd give you Microsoft types some love too.

Today we found this nice BlackHat SEO attack:

Sucuri SiteCheck ASP Malware

Read More

Backdoor Evasion Using Encrypted Content

A few weeks ago on the Sucuri Research Labs we mentioned a new type of malware injection that does not use base64_decode literally; instead it conceals the function name in a variable built from the combination “base” + (32*2) + “_decode”. This is the part of the code where it is hidden:

$g___g_='base'.(32*2).'_de'.'code';

Any tool that looks for eval followed by base64_decode, or that simply flags any use of base64_decode, will not find it.
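A scanner that folds constant PHP string expressions before matching catches this trick. The following is an added example, not Sucuri's tooling: it tokenizes a constant concatenation (single-quoted strings, integers and parenthesised integer arithmetic joined by PHP's `.` operator), computes the string it builds, and reports assignments whose result is a dangerous function name. The `DANGEROUS` list and the `SAMPLE` file contents are constructed for the demonstration; only the `$g___g_` line comes from the post.

```python
import operator
import re

# Function names an obfuscator may rebuild from fragments so that a grep for the literal misses them.
DANGEROUS = {"base64_decode", "eval", "gzinflate", "str_rot13", "assert", "system"}
# Tokens of a constant PHP concatenation: 'string', (int op int), integer, the '.' operator, whitespace.
TOKEN = re.compile(r"'(?P<str>(?:[^'\\]|\\.)*)'|\((?P<a>\d+)\s*(?P<op>[+*-])\s*(?P<b>\d+)\)"
                   r"|(?P<num>\d+)|(?P<dot>\.)|\s+")
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}
ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;]+);")  # $var = <expression>;

def fold_concat(expr):
    """Return the string a constant PHP expression builds, or None if it is not constant."""
    parts, pos, need_operand = [], 0, True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            return None                      # variable, call, etc.: not a constant expression
        pos = m.end()
        if m.lastgroup is None:              # whitespace between tokens
            continue
        if m.lastgroup == "dot":
            if need_operand:
                return None
            need_operand = True
            continue
        if not need_operand:                 # two operands with no '.' between them
            return None
        need_operand = False
        if m.group("op"):                    # (32*2) -> "64", as PHP computes and then concatenates it
            parts.append(str(OPS[m.group("op")](int(m.group("a")), int(m.group("b")))))
        else:
            parts.append(m.group(m.lastgroup).replace("\\'", "'"))
    return "".join(parts) if not need_operand else None

def find_hidden_calls(php_source):
    """List (variable, rebuilt name) for assignments whose constant value is a DANGEROUS function name."""
    hits = []
    for var, rhs in ASSIGN.findall(php_source):
        name = fold_concat(rhs)
        if name in DANGEROUS:
            hits.append((var, name))
    return hits

# Constructed sample (not from a real infection); line 2 is the construct quoted in the post.
SAMPLE = """<?php
$g___g_='base'.(32*2).'_de'.'code';
$title = 'hello' . ' world';
$r = 'str_' . 'rot' . (10+3);
"""
```

Running `find_hidden_calls(SAMPLE)` reports `$g___g_` as `base64_decode` and `$r` as `str_rot13`, while the harmless `$title` is ignored.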

Read More

Avira, AVG and WhatsApp Defaced

If you visited the web sites for Avira, AVG or WhatsApp this morning, you probably saw that they didn’t look like they should. All of them were defaced and looked like this:

Screenshot: the defaced Avira site

It is a bit horrifying to see such big sites, including the security sites of major anti-virus products (like AVG and Avira), getting compromised. But what really happened? Did they really get hacked?

DNS redirection

In a broader sense, they did get hacked, but not through a compromise of their servers or network. It looks like the attackers got access to their domain registration panels at Network Solutions and modified their name servers.

For example, these were the new name servers for Avira:

$ host -t NS avira.com
avira.com name server ns1.radioum.com.br.
avira.com name server n1.ezmail.com.br.
avira.com name server n2.ezmail.com.br.
avira.com name server ns2.radioum.com.br.

And these new name servers were resolving Avira's domain to 173.193.136.42 instead of the real IP address. That's why visitors to the site were greeted with a defacement page.

What raises a bit of suspicion is that all these domains are registered at Network Solutions, so we have to wait a bit longer to see whether it was caused by a breach on their end or something else.

Update: Avira posted the following on their tech blog: “It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honoured by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers.” So it doesn't look like Netsol was directly hacked, but the attackers found a way to reset the passwords for certain accounts.