Published: 2013-05-16 by Daniel B. Cid
A backdoor injector code we found on a compromised site:
It looks for a writable directory inside wp-includes, wp-content or uploads and injects a backdoor there.
Published: 2013-02-15 by Daniel B. Cid
Lots of compromised sites redirecting to TDS:
And that's just a small sample. Just in February, we have detected over 500 sites compromised exactly like that.
Published: 2012-12-10 by Daniel B. Cid
If you look at the top domains distributing malware for the last days (and months), what do you see in common?
Most of them are using a ChangeIP.com (dynamic DNS) subdomain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc. They are all part of http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different subdomains from them being used to distribute malware.
Don't get us wrong, Dynamic DNS is a very useful service, but we would love it if they implemented more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.
However, in the current state, we can only recommend against using their service, to avoid being thrown in the mix with the thousands of malicious domains that they host.
*If you look back more than 6 months, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.
Published: 2012-11-22 by Daniel B. Cid
We keep seeing fake jQuery sites popping up and being used to distribute malware. One was jquerys.org, another was jquery-framework.com and the new one is jqueryc.com (188.8.131.52).
And this new one seems to be affecting many web sites in the last few days. All of them have the following in their header or index.php files:
Which redirects any visitor to the web site to jqueryc.com, where it is then sent to other random spammy domains (seems like a TDS is in place).
*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.
**The official jquery sites are jquery.org or jquery.com. Other variations are likely fake.
Published: 2012-11-20 by Daniel B. Cid
It seems that the .co.cc (sub TLD) that used to be widely used by spammers and malware is now gone.
Their registration page is offline:
And we hope it stays that way.
Published: 2012-10-25 by Daniel B. Cid
If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curl or file_get_contents call to http://wordpresstest2.info/1.txt.
When you visit this site, it generates random iframes:
That are displayed on the compromised sites.
Published: 2012-10-11 by Daniel B. Cid
We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php .
Just in the last 3 days, we identified almost 10,000 sites with it:
All the compromised sites have an iframe similar to this one:
The domain is hosted at 184.108.40.206, but is currently offline (redirecting to Google), so we can't really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there visitors were sent to multiple spam or malicious domains.
Published: 2012-10-04 by Daniel B. Cid
Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.
If you are using any widget/code from http://badgeplz.com/, remove it ASAP from your site. It has been compromised and is serving malicious code, so if you have any widget from there, it will be loaded from your site as well (Blackhole exploit kit).
Not only that, but their main site is compromised as well.
Published: 2012-09-12 by Daniel B. Cid
A new batch of compromised sites is being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:
Once that is loaded into the browser, it redirects anyone visiting the site to:
Where it tries to make the browser load some malicious PDFs or Jar files:
And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.
Published: 2012-09-07 by Daniel B. Cid
Seeing many sites with fake jQuery links on them from jquery-framework.com (just registered on 2012/08/05):
If you use jQuery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users
Published: 2012-09-04 by Daniel B. Cid
We are seeing a new batch of the "rebots.php" infections on WordPress and one thing is intriguing us. On many sites we are analysing, WordPress is updated and no suspicious
The only thing in common on them is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:
So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or JS files were loaded.
Another interesting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.
Since we don't know how these passwords got stolen, we recommend people change their wp-admin passwords ASAP until we have more info (especially if you have been compromised with the rebots.php injection).
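The "single login, then theme-editor.php, with no CSS or JS loaded" pattern described above can be picked out of an Apache access log. This is an added example, not code from the post: the log lines are constructed, the paths are WordPress defaults, and grouping by client IP is an assumption that stands in for a real session identifier.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not from the post). The first client
# logs in and edits the theme without loading any CSS/JS; the second is a browser.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2012:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2012:10:01:03 +0000] "GET /wp-admin/theme-editor.php?file=header.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2012:10:01:04 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2012:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2012:11:00:01 +0000] "GET /wp-admin/css/wp-admin.css HTTP/1.1" 200 500 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2012:11:00:01 +0000] "GET /wp-admin/js/common.js HTTP/1.1" 200 500 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Sep/2012:11:00:40 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client IP, method, path and status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_headless_theme_edits(log_text):
    """Return client IPs that logged in and reached theme-editor.php without
    ever fetching a .css or .js asset: a scripted login with a stolen password
    rather than a person working in a browser."""
    requests = defaultdict(list)           # ip -> [(method, path without query)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            requests[m['ip']].append((m['method'], m['path'].split('?')[0]))

    flagged = []
    for ip, reqs in requests.items():
        logged_in = any(meth == 'POST' and path.endswith('/wp-login.php') for meth, path in reqs)
        edited_theme = any(path.endswith('/wp-admin/theme-editor.php') for _, path in reqs)
        loaded_assets = any(path.endswith(('.css', '.js')) for _, path in reqs)
        if logged_in and edited_theme and not loaded_assets:
            flagged.append(ip)
    return flagged


if __name__ == '__main__':
    print(find_headless_theme_edits(SAMPLE_LOG))
```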
Published: 2012-08-14 by Daniel B. Cid
Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections
The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to fake AV. These are some of the URLs we are seeing:
Note that all (or most) of these sites are compromised and being used by the attackers to spread malware "botnet" style. Dennis also questioned how these sites are being hacked.
Initially, all of them were running Plesk (at least I could access it at site.com:8443). However, as the infection grows, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).
Published: 2012-08-02 by Daniel B. Cid
We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.
They are still happening (and growing), but the attackers decided to switch names to "nonalco", "mimosa" and other random keywords for their files:
The redirection is still the same, going from those .ru domains to additional second-level .ru domains and then to a .pl:
So far we have identified more than 17,000 sites with this type of malware. More details as we track them.
Published: 2012-07-27 by Daniel B. Cid
We are seeing thousands of sites compromised with an iframe from cndexit.com:
This is the iframe that we detected:
Google has already flagged this domain and found it to be responsible for the infection of more than
We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup
Published: 2012-07-12 by Daniel B. Cid
You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak
Published: 2012-07-09 by Daniel B. Cid
This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild: when the mass scans for it start. The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).
Published: 2012-07-08 by Daniel B. Cid
Top malware entry for the day: poseyhumane.org/stats.php
It seems to be the stats.php "malware" of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php
We also identified a C&C (command and control) server for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.
Published: 2012-07-02 by Daniel B. Cid
A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.
This is what we are seeing on some hacked sites (.htaccess file):
We have no idea why this is happening. Maybe a bug in the attackers' malware injection code, but we can't say for sure. We will post more details when we find out what is going on.
Published: 2012-06-28 by Daniel B. Cid
While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:
But when switching the "eval" for "print", we could see the hidden mass mailer and what it was doing:
What I found interesting is that this spam tool stored all the emails in the database and the script supported options to update the email list, change content and many things like that. And every few hours the attackers would access it, update the emails and spam everyone in there.
Published: 2012-06-21 by Daniel B. Cid
Yesterday we listed www.google.com as being used for .htaccess conditional redirections on hacked sites. Google does no evil, so what happened?
We identified the source of the malware, which looks for certain user agents and IP addresses and redirects to www.google.com if the request comes from them, or to the real malware if not.
This is the code:
So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc.) and for a few IP addresses of bots and antivirus companies (Trend, Bitdefender, etc.). If the requests are coming from them, it ignores the connection and redirects to www.google.com.
That's why we were seeing www.google.com and listed it on our malware dump (already fixed).
For all the other users (the victims), the malware was contacting http://220.127.116.11/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.
Published: 2012-06-18 by Daniel B. Cid
We are seeing something very strange on a few compromised sites lately. Instead of doing .htaccess redirections to malware sites, the attackers added the "malware" to redirect users to msn.com.
This is what we are seeing on some hacked sites (.htaccess file):
If you are not familiar with the .htaccess syntax, it is basically redirecting any users coming from search engines (Google, Bing, Yahoo and even Twitter/Facebook) to msn.com instead of going to the real site.
Anyone have ideas? It seems like a bug in the attackers' malware injection code, but we can't say for sure. And no, we do not think Microsoft is behind those (conspiracy theory). :)
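A site owner can check their own .htaccess for exactly this pattern: RewriteCond lines keyed on HTTP_REFERER for search engines or social networks, followed by a RewriteRule that sends the visitor to a host the site does not own. This is an added example, not code from the post; the .htaccess text is constructed from the description above, and the list of hosts the site owns is an assumption.

```python
import re

# Constructed .htaccess modelled on the description in the post (not the real file):
# one legitimate www canonicalisation rule, then a referer-based off-site redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.*
RewriteRule ^(.*)$ http://msn.com/ [R=302,L]
"""

SITE_HOSTS = {'example.com', 'www.example.com'}   # assumption: hosts the site legitimately owns
TRAFFIC_SOURCES = ('google', 'bing', 'yahoo', 'twitter', 'facebook')

COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)


def find_referer_redirects(htaccess_text):
    """Return (referer_patterns, target) for every RewriteRule whose preceding
    HTTP_REFERER conditions match search engines or social networks and whose
    target is an absolute URL on a host the site does not own."""
    findings, pending = [], []
    for line in htaccess_text.splitlines():
        cond = COND_RE.match(line)
        if cond:
            pending.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = rule.group(1)
            host = re.match(r'https?://([^/]+)', target)
            from_search = any(s in p.lower() for p in pending for s in TRAFFIC_SOURCES)
            if pending and from_search and host and host.group(1).lower() not in SITE_HOSTS:
                findings.append((tuple(pending), target))
            pending = []   # a RewriteRule consumes the RewriteConds before it
    return findings


if __name__ == '__main__':
    for patterns, target in find_referer_redirects(SAMPLE_HTACCESS):
        print('referrals matching', patterns, 'are sent to', target)
```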
Published: 2012-06-11 by Daniel B. Cid
We are seeing many sites compromised with malware from thesea.org/media.php. All sites had the following added to the .htaccess file:
So far we have detected more than 500 sites with this type of redirection in the last few days.
Published: 2012-06-07 by Daniel B. Cid
Seeing many sites compromised with malware from paysafecard.name/analitics.js. This is the js inserted on the hacked pages:
Published: 2012-06-06 by Daniel B. Cid
We talk a lot about sites that get hacked to redirect their users to malicious exploit kits (blackhole
Those are some of the URLs we saw just this last week being used by the attackers.
Published: 2012-06-05 by Daniel B. Cid
Interesting redirection from lolotrololo.1dumb.com:
Which redirects to http://indefw.bee.pl/info.php?n=40&p=n.
Published: 2012-06-04 by Daniel B. Cid
Which are pointing to multiple URLs on the .gg.biz and .rr.nu TLDs (ex: http://dmujkkz.igg.biz/d/404.php?go=1, odzyzjyyi.rr.nu, mqvtrt.got-game.org, etc). More details to come.
Published: 2012-05-31 by Daniel B. Cid
A few days ago, we posted a list of domains hosting webshells for related attacks. We identified more than 420 different URLs hosting those backdoors.
What is interesting is that during the same period, we identified almost 1,000 IP addresses scanning sites for vulnerable timthumb scripts on WordPress themes and plugins. These are all the IPs and the number of hits we detected:
And we will keep monitoring them.
Published: 2012-05-28 by Daniel B. Cid
We have been tracking timthumb.php related attacks for a little while. And they are still at full force. Just for the month of May, those are the domains we identified hosting backdoors that were used by the attackers (420 different URLs).
And most of them are still live. If you download them you will see many backdoor variations:
And we will keep monitoring them.
Published: 2012-05-25 by Daniel B. Cid
Seeing many sites compromised with an iframe pointing to http://lowresolutionit.in/in.cgi?6, mostly on outdated WordPress. That domain is currently redirecting to http://hewjzkgvkhwec.tk/27973751.html and then to fake AV.
Published: 2012-05-24 by Daniel B. Cid
Magno (from our support team) found this pretty backdoor on a compromised site. As we keep saying, just searching for evals + base64_decode won't cut it anymore.
*If you enjoy decoding backdoors, please try this one and send the results to
Yes, that's all for the backdoor.
Published: 2012-05-21 by Daniel B. Cid
Another interesting backdoor:
You may not be aware, but the preg_replace function with the "e" modifier allows full code execution (eval). When you decode the hex chars, you get "eval ( gzinflate ( base64_decode ( ", which runs all the code in the long block of characters inside the preg_replace.
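The two analysis steps described on this page, swapping eval for print to see an eval/gzinflate/base64_decode mass mailer (2012-06-28) and decoding the hex-escaped preg_replace "e" call above, can be done offline without running any of the PHP. This is an added example, not the post's code: it flags preg_replace calls whose pattern carries the e modifier and unwraps eval(gzinflate(base64_decode(...))) layers; the PHP fragment it scans is constructed here, and deflate_b64 exists only to build that sample.

```python
import base64
import re
import zlib

# Constructed PHP fragment in the style described above (not the backdoor from the post).
INNER_CODE = '$note = "payload that was hidden behind eval";'
hexify = lambda s: ''.join('\\x%02x' % ord(c) for c in s)    # PHP "\xNN" string escapes


def deflate_b64(code):
    """Mirror PHP base64_encode(gzdeflate()) only to build the sample: raw DEFLATE, no zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(code.encode()) + c.flush()).decode()


SAMPLE_PHP = 'preg_replace("%s", "%s", $x);' % (
    hexify('/.*/e'),
    hexify("eval(gzinflate(base64_decode('%s')))" % deflate_b64(INNER_CODE)))


def decode_php_escapes(s):
    """Expand \\xNN escapes so obfuscated function names become readable."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


PREG_RE = re.compile(r'preg_replace\s*\(\s*(["\'])(.*?)\1\s*,\s*(["\'])(.*?)\3', re.S)


def find_preg_replace_e(php_source):
    """Return (pattern, replacement), both de-escaped, for each preg_replace whose
    pattern ends in the e modifier (the replacement is then executed as PHP)."""
    hits = []
    for m in PREG_RE.finditer(php_source):
        pattern = decode_php_escapes(m.group(2))
        modifiers = pattern[pattern.rfind(pattern[0]) + 1:] if pattern else ''
        if 'e' in modifiers:
            hits.append((pattern, decode_php_escapes(m.group(4))))
    return hits


LAYER_RE = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def peel_eval_layers(php_source, max_layers=10):
    """Offline equivalent of swapping eval for print: unwrap
    eval(gzinflate(base64_decode(...))) repeatedly until plain code is exposed."""
    for _ in range(max_layers):
        m = LAYER_RE.search(php_source)
        if not m:
            break
        php_source = zlib.decompress(base64.b64decode(m.group(1)), -15).decode('latin-1')
    return php_source


if __name__ == '__main__':
    for pattern, replacement in find_preg_replace_e(SAMPLE_PHP):
        print(pattern, '->', peel_eval_layers(replacement))
```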