
Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

Search and Backdoor

2017-01-18  by  Luke Leal  

The ubiquity of “unlimited” shared hosting platforms has incentivized malware to infect as many adjacent website directories as it can, increasing its overall surface area. The larger the infected area, the more likely it is that at least one piece of malware evades detection long enough to successfully reinfect the web hosting environment.

When a website is infected or compromised, the malicious user will often leave a backdoor that can be used to regain unauthorized access to the website or system. A backdoor doesn’t necessarily have to be a malicious file on disk; it can also live within a database or a running process. A database backdoor could be a shell script stored in a row of a table that is loaded on a certain URL, or, in some cases, an actual user inserted into the CMS database with full privileges by the malicious user.

I encountered a malicious file that upon execution will go one level above the root of the infected WordPress or Joomla site:

Read More ...

Oftentimes a malware author will try to camouflage their malware’s code in an effort to hide its true intentions from an unsuspecting eye. I recently came across an interesting example in a malicious file used to bypass authentication when accessing wp-admin:

Read More ...

Magento malware that steals customer credit card details has been a prevalent problem over the last couple of years. We write a lot about various modifications of such malware and the tricks hackers use. Looking back, it’s interesting to see how common ideas are reused in different steps of the attack.

Read More ...

We have written multiple times about malware attacks that store their scripts on Pastebin.com and load them either onto the server once they break into it or directly into the infected web pages.

However, Pastebin.com can’t be called reliable hosting for malware. You can report any paste, and it will be removed if Pastebin.com finds it unacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report it.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it and create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, recently our scanner found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.

Read More ...

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions and much more. If they happen to find any of those instances, it’s a common practice to either remove or rename the file in question.

If the flagged file contains a certain amount of suspicious code or raises red flags based on other variables, hosting companies may rename it from file.php to file.php.suspected (appending .suspected to the name). This way the file loses its ability to be interpreted by the webserver. However, sometimes there are backdoors nearby ready to release the prisoners.

The following code was found during an incident response investigation:

Read More ...
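The quarantine-by-renaming practice described above has a matching check that a defender can run after cleanup: record the content hash of every file that was renamed to .suspected, then look for the same bytes reappearing under an interpretable name (whatever that name is, wherever it lands), and separately look for PHP source that references .suspected files in file-manipulation calls. The script below is an added example written for this page, not Sucuri's scanner or the code found in the investigation; the manifest format, the regular expression and the sample files it builds in a temporary directory are assumptions constructed for the demonstration.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".suspected"

# Heuristic (an assumption of this example, not a Sucuri signature): PHP source
# that passes a ".suspected" name to a file-manipulation call.
RELEASE_CALL = re.compile(
    r"\b(?:rename|copy|file_put_contents|symlink)\s*\([^;]*?\.suspected",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Content hash, so a restored file is recognised whatever name it gets."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot_quarantine(webroot: str) -> dict:
    """Record every quarantined file as content hash -> original file name.

    Run this right after the hosting company has appended .suspected, and keep
    the result outside the webroot (a backdoor could otherwise edit it).
    """
    manifest = {}
    for q in Path(webroot).rglob(f"*{QUARANTINE_SUFFIX}"):
        if q.is_file():
            manifest[sha256_file(q)] = q.name[: -len(QUARANTINE_SUFFIX)]
    return manifest


def find_released(webroot: str, manifest: dict) -> list:
    """Files without the .suspected suffix whose content matches a quarantined
    file from the manifest: the 'released prisoners'. Returns
    (path relative to webroot, original quarantined name) pairs."""
    released = []
    for p in Path(webroot).rglob("*"):
        if not p.is_file() or p.name.endswith(QUARANTINE_SUFFIX):
            continue
        digest = sha256_file(p)
        if digest in manifest:
            released.append((str(p.relative_to(webroot)), manifest[digest]))
    return sorted(released)


def find_release_helpers(webroot: str) -> list:
    """PHP files whose source refers to moving or copying .suspected files."""
    hits = []
    for p in Path(webroot).rglob("*.php"):
        try:
            src = p.read_text(errors="ignore")
        except OSError:
            continue
        if RELEASE_CALL.search(src):
            hits.append(str(p.relative_to(webroot)))
    return sorted(hits)


def run_demo() -> dict:
    """Build a constructed webroot, quarantine one file, simulate its
    restoration plus a helper script, and return what both checks report."""
    root = Path(tempfile.mkdtemp(prefix="suspected-demo-"))
    # Constructed stand-in for flagged code; it is never executed.
    payload = b"<?php /* constructed sample standing in for flagged code */ ?>\n"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    quarantined = root / "wp-content" / "uploads" / "file.php.suspected"
    quarantined.write_bytes(payload)
    manifest = snapshot_quarantine(str(root))

    # Simulated release: the same bytes reappear under an interpretable name,
    # in a different directory and with a new file name.
    (root / "wp-content" / "cache.php").write_bytes(payload)
    # Constructed indicator: source text that mentions a .suspected rename.
    (root / "wp-content" / "uploads" / "helper.php").write_text(
        "<?php rename('file.php.suspected', 'file.php'); ?>\n"
    )
    return {
        "manifest": manifest,
        "released": find_released(str(root), manifest),
        "helpers": find_release_helpers(str(root)),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing content rather than tracking names matters because a restore does not have to put the file back where it was; `find_released` flags `wp-content/cache.php` even though the quarantined copy lived in `uploads/`. The regex check is only a heuristic and will miss obfuscated helpers, so treat it as a triage aid, not a verdict. One related check worth doing on the server itself: the rename only neutralises the file if the PHP handler is bound to names ending in `.php` (for example an Apache `<FilesMatch "\.php$">` block). With a bare `AddHandler ... .php` directive, Apache applies handlers to every dot-separated extension of a file name, so `file.php.suspected` would still be interpreted.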

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner has identified on compromised web sites.

# of sites infected  Type    Malware / Domains
14                   iframe  http://lussqbp.hopto.org/wordpress/?ARX8
12                   iframe  http://wfiyagleou.hopto.org/wordpress/?ARX8
11                   iframe  http://wojqwbbja.hopto.org/wordpress/?ARX8
9                    iframe  http://sitigadget.altervista.org/televideoframe.html
9                    iframe  http://frcyugso.hopto.org/wordpress/?ARX8
9                    iframe  http://ciaccia.altervista.org/Calendario-HelloKitty.html
4                    iframe  http://ywpkrcnr.ddnsking.com/wordpress/?ARX8
4                    iframe  http://wxgmlwa.ddnsking.com/wordpress/?ARX8
4                    iframe  http://gkmpvftdrc.ddnsking.com/wordpress/?ARX8
3                    iframe  http://qrkroeteyz.hopto.org/wordpress/?ARX8
3                    iframe  http://czwdtuod.hopto.org/wordpress/?ARX8
2                    iframe  http://www.ridersonline.it/planetblunt001/d.php
2                    iframe  http://upcmoxfeyl.ddnsking.com/wordpress/?ARX8
1                    iframe  http://www.maximsilencers.com/cgi-bin/tpwFDbM7.php
1                    iframe  http://kjyhkjedewhc.cu.cc/main.php?page=e1a5f2bf09ad6790
1                    iframe  http://jrtxcm.ddnsking.com/wordpress/?ARX8
1                    iframe  http://javachek.tk/507H
Limited view... Only the top entries being displayed.

Conditional redirections

Conditional redirections we have detected (based on user agents or referers).

# of sites infected  Type          Malware / Domains
17                   redirections  http://traf-extractor.ru
5                    redirections  http://supasweb.ru/blackmuscats?5
5                    redirections  http://osta-x.ru
5                    redirections  http://luxurytds.com/go.php?sid=1
3                    redirections  http://modrewrite.ru
3                    redirections  http://go60.ru
2                    redirections  http://www.brochure.eu.com/?folio=9PO6Z3MVF
2                    redirections  http://ww1.totalprogramasdwn.com/?folio=9POGF6H4I
1                    redirections  http://u22zz.ddldownload-now.7889523.com/?sov=1114707199
1                    redirections  http://olimptds.com/in.cgi?6
1                    redirections  http://nice.sbigg.cn/jord/?alaskafishon.com
1                    redirections  http://my-biziness.ru
1                    redirections  http://maxporn.biz/
1                    redirections  http://kpero.ddns.me.uk/index.html
Limited view... Only the top entries being displayed.

Spammers

Latest spammers we have detected sending comment, forum or SEO spam.

# of sites infected  Type     Malware / Domains
20                   spammer  http://123livesex.com/,forumspam,2014-01
20                   spammer  http://20min.ch,forumspam,2014-01
20                   spammer  http://90210daily.com/,forumspam,2014-01
20                   spammer  http://EzAdBlaster.com,forumspam,2014-01
20                   spammer  http://absolutefringe.com,forumspam,2014-01
20                   spammer  http://adaptfunrun.org/,forumspam,2014-01
20                   spammer  http://andresmarcossanchez.com/MichaelKors/,forumspam,2014-01
20                   spammer  http://appliancelandinc.com/,forumspam,2014-01
20                   spammer  http://audiobookkeeper.ru/,forumspam,2014-01
20                   spammer  http://australiainternetsearch.com/,forumspam,2014-01
20                   spammer  http://autism.sedl.org/index.php/about-us,forumspam,2014-01
20                   spammer  http://axanaxplease.com/,forumspam,2014-01
20                   spammer  http://ayurvedatradicional.com/wordpress/,forumspam,2014-01
20                   spammer  http://azezhomeloans.com/body.html,forumspam,2014-01
20                   spammer  http://baltimorecomiccon.com/sponsors/,forumspam,2014-01
20                   spammer  http://bashkiaprrenjas.com/,forumspam,2014-01
20                   spammer  http://bellezzaamica.it/Moncler-Sale-With-Free-Shipping.html,forumspam,2014-01
20                   spammer  http://birdsofstkittsnevis.com/files/,forumspam,2014-01
20                   spammer  http://bmaphoenix.org/young-professionals/,forumspam,2014-01
20                   spammer  http://bradblaze.com.au/,forumspam,2014-01
Limited view... Only the top entries being displayed.

Encoded javascript

Encoded JavaScript used to redirect visitors to Blackhole and other exploit kits, or to build a remote call.

# of sites infected  Type        Malware / Domains
11                   javascript  http://jqueryapi.info/?getsrc=ok
8                    javascript  http://div-class-container.ru/m/": var a8a09b1=[62,122,162,167,180,94,177,178,183,170,163,123,9...
241                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
163                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
121                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
106                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
102                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
101                  javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
85                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
85                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
77                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
71                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
66                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
65                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
64                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
63                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
61                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
60                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
60                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
59                   javascript  <script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+6...
Limited view... Only the top entries being displayed.