Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Search and Backdoor

2017-01-18  by  Luke Leal

The ubiquity of “unlimited” shared hosting platforms has incentivized malware in trying to infect as many adjacent website directories as it can to increase its overall surface area. The more infected the area is, the more likely that at least one piece of malware can evade detection long enough to successfully reinfect the web hosting environment.

When a website is infected or compromised, the malicious user will often times leave a backdoor that can be used to regain unauthorized access to the website or system. A backdoor doesn’t necessarily have to be an existing malicious file; it can also be within a database or running process. A database backdoor could be a shell script included within a row of a table that is loaded on a certain URL. Or in some cases, it can involve an actual user being inserted into a CMS database with full privileges by the malicious user.

I encountered a malicious file that upon execution will go one level above the root of the infected WordPress or Joomla site:

Read More ...

Often times a malware author will try to provide some type of camouflage to their malware’s coding in an effort to disguise an unsuspecting eye from its true intentions. I recently came across an interesting example from a malicious file used to bypass authentication when accessing wp-admin:

Read More ...

Magento malware that steals details of customer credit cards is a prevalent problem during the last couple of years. We write a lot about various modifications of such malware and the tricks hackers use. When you look back, it’s interesting to see how common ideas may be reused in different steps of the attack.

Read More ...

We wrote multiple times about malware attacks that store their scripts on Pastebin.com and load them either to the server once they break into it or directly to the infected web pages

However Pastebin.com can’t be called a reliable hosting for malware. You can report any paste and it will be removed if Pastebin.com finds it inacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report them.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it and create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, recently our scanner found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.

Read More ...

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions and much more. If they happen to find any of those instances, it’s a common practice to either remove or rename the file in question.

If the file being flagged hits a certain amount of suspicious code or raises red flags based on different variables, hosting companies may rename those files from file.php to file.php.suspected (Appending .suspected in the end) - this way the file loses its ability to be interpreted by the webserver. However, sometimes there are backdoors nearby ready to release the prisoners.

The following code was found during an incident response investigation:

Read More ...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.

Read More ...

There is often a misconception regarding the tools that attackers implement in their malicious activity, and that misconception is that they must be using advanced computer programs to target and exploit other computers.

Read More ...

On a daily basis we find different kinds of malware like backdoors, credit card stealers, injected scripts, and phishing pages. While each one of those catches our attention, we recently found an interesting WordPress administration login bypass script.

Read More ...

Each and every day the attackers get more clever and exploit new attack vectors. Sucuri Labs recently found a malicious JavaScript hidden in the database of a WordPress website.

Read More ...

A very common pattern in compromised websites is the presence of backdoors and other malicious codes. Attackers use different techniques and malware to abuse of server resources, distribute spam and at the same time, maintain access to the site for as long as they can.

Read More ...