
Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

In order to avoid detection and maintain access to compromised websites, attackers use different techniques to hide their malicious code.

During a cleanup investigation we identified an interesting piece of malicious code that pretended to be a legitimate Joomla core file. In this particular case the attackers based their malware on the libraries/application/application.php file from Joomla 1.5.26.

The malware acts like a regular backdoor, allowing arbitrary command execution on affected websites.

Here is a snippet of the code that reveals the backdoor:


During an incident response process performed on a client's website, one of our analysts found a very interesting web shell. Our tools detected a suspicious file called "./v8.php" and, after some time spent decoding it, we found out that it was a backdoor giving the attackers full shell access.

The shell itself is very similar to the well-known c99 web shell, which provides a variety of commands to manipulate the victim's website (file structure) and database, and also allows the attacker to execute commands to start malicious campaigns.

First, the encoded malware had an interesting comment at the top of the file:

"This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited."

Attackers commonly use this technique to discourage detection and further investigation by a suspicious eye.

What was so interesting about it? Well... how it was named: "<title> SEU MADRUGA Shell Recoded </title>".

This (and this note's title) may not seem funny to anyone outside Latin America, so let me explain: "Seu Madruga", or "Don Ramón" as the character is originally called, is one of the characters from a hugely popular 1970s Mexican TV show called "El Chavo del Ocho". The show was translated into Portuguese and 49 other languages and is still very popular in Brazil; I would venture to say that every Brazilian knows who "Seu Madruga" is, even if they were not big fans of the show. The note's title is based on one of his famous quotes.

So, when I saw that shell, this is the face that instantly came to my mind:

"Seu Madruga", an unemployed former boxer who gets beaten up by a lady almost daily, can now be found on your site. So, as we always say: keep your website updated, always check the core files, use a monitoring system to keep an eye on everything, and make sure your website is behind a firewall.

We have written multiple times about various attacks on e-commerce sites that try to steal the credit card details of their customers. In most cases, all such attacks need is the brief moment when the site processes the payment details. It can be an injected JavaScript that steals your data as you enter it in the order form. Or it can be a server-side script that inserts itself as a middleman between the code that receives the data from the user and the code that sends that data to a secure payment gateway. Note that in both of these scenarios the e-commerce sites don't even try to save the credit card information on their servers. The mere fact that they host the payment form on their own domain is enough for hackers to hijack it once they break into the site.

However, hijacking a payment form means that hackers can only steal the details of ongoing payments. They have to wait for people to buy something from the compromised sites. But if hacked sites use really poor security practices and save all the payment details on their own servers, the attackers can easily steal the credit card details of existing customers without having to wait for new victims.

For example, in some versions of PrestaShop there are standard tables (ps_payment_cc and ps_order_payment) for storing all credit card information (card number, expiration, card holder, etc.). Unfortunately, some PrestaShop payment modules do save credit card details in the database, so hackers just couldn't help taking advantage of this.


Recently we cleaned a site that had a malicious wp-page.php file at the root of the WordPress installation. It was responsible for the pharma spam doorways created on this site. The file was quickly located and deleted. To our surprise, when we loaded wp-page.php in a browser to verify that the problem was resolved, the malicious content was still there, and the response headers stated that it was not a cached page.

We checked the file on the server; indeed it was there, with a very fresh modification date. We deleted the file again, and a few seconds later it was recreated. This behavior is typical of malware that uses cron jobs to reinfect sites. However, when we checked the user's crontab, we didn't find any suspicious cron jobs there.


Serving spam content and getting blacklisted are not a matter of choice when a website is hacked; they are just some of the consequences of attackers compromising a blog or website. That is why it is so important to have security measures and policies in place to prevent such issues from happening.


Latest malware entries

Hidden iframes

Latest hidden iframes our scanner has identified on compromised websites.


Conditional redirections

Conditional redirections we have detected (based on user agents or referers).


Spammers

Latest spammers we have detected sending comment, forum or SEO spam.


Encoded JavaScript

Encoded JavaScript that redirects visitors to Blackhole and other exploit kits, or that builds a remote call.
