We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php . Just in the last 3 days, we identified almost 10,000 sites with it:



All the compromised sites have iframes similar to this one:



The domain is hosted at 50.28.53.157 but is currently offline (redirecting to Google), so we can't tell what it is doing right now. On previous requests, it redirected to a TDS (traffic distribution system), and from there visitors were sent on to multiple spam or malicious domains.

Update 2012/Oct/12: Their site was fixed and is not loading malware anymore.

If you are using any widget/code from http://badgeplz.com/, remove it from your site asap. The site has been compromised and is serving malicious code, so any widget loaded from there will serve it from your site as well (Blackhole exploit kit).

Example:



Not only that, but their main site is compromised as well.

A new batch of sites is being compromised with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:



Once that is loaded into the browser, it redirects anyone visiting the site to:



Where it tries to make the browser load some malicious PDFs or Jar files:



And if you are running an outdated version of Java or Adobe's PDF reader, your personal computer gets compromised as well.

Fake jQuery site

2012-09-07 by Daniel B. Cid
Seeing many sites with fake jQuery links on them from jquery-framework.com (registered only on 2012/08/05):



If you use jQuery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.

We are seeing a new batch of the "rebots.php" infections on WordPress, and one thing intrigues us. On many of the sites we are analysing, WordPress is up to date and no suspicious backdoors or plugins were found. Everything is in order, except for the JavaScript injected inside the theme.

The only thing they have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:



So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically, since no CSS or .js files were loaded during the session.
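An added example (not code from the original post) that turns this heuristic into a check over Apache access-log lines: it flags a source address that logged in and saved a theme file through theme-editor.php without the browser ever fetching a .css or .js asset. The log lines, addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2012:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2012:03:12:02 +0000] "GET /wp-admin/theme-editor.php?file=footer.php&theme=twentyeleven HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2012:03:12:03 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:00:02 +0000] "GET /wp-admin/css/wp-admin.css HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:00:03 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:00:30 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2012:09:01:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield one dict per parseable combined-format log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_theme_edits(log_text):
    """Return source IPs that logged in (WordPress answers a successful
    wp-login.php POST with a 302) and then POSTed to theme-editor.php
    without requesting a single .css or .js asset: a scripted session
    rather than a human in a browser."""
    by_ip = defaultdict(lambda: {"login": False, "theme_post": False, "assets": 0})
    for rec in parse(log_text):
        s = by_ip[rec["ip"]]
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == "302":
            s["login"] = True
        elif rec["method"] == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            s["theme_post"] = True
        elif path.endswith((".css", ".js")):
            s["assets"] += 1
    return sorted(ip for ip, s in by_ip.items()
                  if s["login"] and s["theme_post"] and s["assets"] == 0)

if __name__ == "__main__":
    print(suspicious_theme_edits(SAMPLE_LOG))  # prints ['203.0.113.7']
```

The second address fetches wp-admin.css and jquery.js before editing the theme, which is what a real browser session looks like, so only the first one is reported.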

Another interesting issue is that on some of these sites we didn't identify any brute force attack trying to guess the passwords. Just this single login.

Since we don't know how these passwords got stolen, we recommend that people change their wp-admin passwords asap until we have more info (especially if you have been compromised with the rebots.php injection).

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[randomnumbers].html and redirecting the user to Fake AV. These are some of the URLs we are seeing:



Note that all (or most) of these sites are compromised and being used by the attackers to spread malware "botnet" style. Dennis also questioned how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it at site.com:8443). However, as the infection grows, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything else they can find).

We posted yesterday about the Blackmuscats .htaccess redirection that was affecting thousands of web sites.

They are still happening (and growing), but the attackers decided to switch names to "nonalco", "mimosa" and other random keywords for their files:



The redirection is still the same, going from those .ru domains to additional second-level .ru domains and then to a .pl:



So far we have identified more than 17,000 sites with this type of malware. More details as we track them.

We are seeing thousands of sites compromised with an iframe from cndexit.com:

This is the iframe that we detected:



Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:



We can't say for sure how sites got hacked, but we will post more details when we have them. If your site is compromised, our team can clean it for you: http://sucuri.net/signup

Yahoo Leak

2012-07-12 by Daniel B. Cid
You can check if your email is part of the yahoo leak here: http://labs.sucuri.net/?yahooleak.

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:



When the mass scans for it start. The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).