
Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

Since PHP 5.3.0, PHP has supported per-directory INI configuration files, which (depending on the server setup) have the same effect on PHP that .htaccess files have on Apache. Attackers are abusing this feature to manipulate search engine results in favour of malicious websites and to redirect visitors to arbitrary spam content.

Over the last few months we have published several articles about simple but powerful backdoors and how creative attackers can be. In virtually all cases the code is designed to avoid detection, yet it is not always heavily encoded. In fact, most attackers we see follow the KISS principle ("Keep it simple, stupid" or "keep it short and simple"), and PHP is a broad enough language that malicious code can easily be written in that spirit.

Over the years, attackers have used many different techniques to hide malicious files on websites: they have obfuscated code, altered legitimate functions so that they execute malware, modified whole core files to carry out their malicious activity, and much more.

We often encounter websites that have been injected with a redirect. These range from blackhat SEO tactics meant to boost domain rankings all the way to phishing pages that try to steal login credentials. In this case the redirect lived in PHP files with random alphanumeric names; it sent visitors first to those files and then on to a pharmacy spam website listing all of the drug names you commonly see in the messages in your spam folder. This suggests the attacker was sending spam from other third-party servers and embedding, in the pharmacy spam e-mails, URLs pointing at the malicious file on our client's web server. Let us analyze parts of this malicious file:

In the last few months, our Incident Response Team detected an interesting piece of malicious code affecting a large number of websites. This malware is a variation of the "Realstatistics" campaign described in detail on our blog, and although the code is extremely simple, the damage is devastating.

The following snippet is injected into theme files (mostly header.php) and into the database (wp_posts).

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner has identified on compromised websites.


Conditional redirections

Conditional redirections we have detected (triggered based on user agent or referrer).


Spammers

Latest spammers we have detected sending comment, forum, or SEO spam.


Encoded JavaScript

Encoded JavaScript that redirects visitors to Blackhole and other exploit kits, or that builds a remote call.
