Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

At the end of February, we wrote about a massive wave of site infections that pushed fake browser updates.

In the beginning of March, the attack evolved into redirecting site visitors to sketchy ad URLs.

Read More ...

We found this backdoor in the middle of the logrss.php file that defined the JDocumentRendererRSS class.

Read More ...

A client reported some weird spam URLs injected on their WordPress website and after an investigation, it turned out that the hacker was hiding the encoded spam injector malware in the following theme file:

./wp-content/themes/toolbox/functions.php

The hacker formatted the encoded injector to look like a theme’s license key trying to distract eyes from suspecting this code and finding the malware:

Read More ...

We continue to see an increase in the number of these PHP injections that use multiple obfuscation methods to evade detection, but lately one method has been increasingly utilized:

Read More ...

We've been cleaning many sites infected by the so-called site_url hack–the result of the WP GDPR Compliance plugin vulnerability. The sites are broken because their static resource links point to some third party site. However, this is not the only issue.

Read More ...

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner have identified on compromised web sites.

# of sites infectedTypeMalware / Domains
55iframehttp://poseyhumane.org/stats.php
6iframehttp://zumobtr.ru/gate.php?f=1041671
6iframehttp://ads.rzb.ir/image.php?size_id=7
4iframehttp://www.cascadecowcutters.org/wp-content/upgrade/update.php
4iframehttp://couriertracking247.in/
2iframehttp://stjohnsdryden.org/img/common/download.php
2iframehttp://bucknine.cf/visionovni17.html
1iframehttp://www.trypie.info/update.php
1iframehttp://vefire.ru/apps/11/
1iframehttp://criosfera.cf/marahmerah17.html
Limited view... Only the top entries being displayed.

Conditional redirections

Conditional redirections we have detected (based on user agents or referers).

# of sites infectedTypeMalware / Domains
9redirectionshttp://goodhotwebmart.in/
6redirectionshttp://www.mpzbearing.in/
5redirectionshttp://portal-d.pw/XcTyTp
4redirectionshttp://default7.com
4redirectionshttp://alfsystem.com.my/includes/domit/1.php
2redirectionshttp://wwwjazztel.com/?folio=9PO6Z3MVF
2redirectionshttp://ww1.zibahairsalon.com/?folio=9POGF6H4I
2redirectionshttp://ww1.mtclassificados.net/?folio=9POGF6H4I
2redirectionshttp://top-24h-can-store.com/redirect.php?z=viagra
2redirectionshttp://summerphotography.net/?folio=9PO6Z3MVF
2redirectionshttp://slonova-gora.com/?folio=9POGF6H4I
2redirectionshttp://nubiangraphics.com/?folio=9PO6Z3MVF
2redirectionshttp://myflippincoach.biz/Deals/MyFlippinCoach/
2redirectionshttp://mathaids.com/?folio=9PO6Z3MVF
2redirectionshttp://luxurytds.com/go.php?sid=
2redirectionshttp://luckyherbssupply.in/
2redirectionshttp://laatminute.com/?folio=9PO6Z3MVF
2redirectionshttp://huaweidevices.es/?folio=9POGF6H4I
2redirectionshttp://hotmp3s.com/?folio=9PO6Z3MVF
2redirectionshttp://goldpole.com/?folio=9PO6Z3MVF
Limited view... Only the top entries being displayed.

Spammers

Latest spammers we have detected sending comment, forum or SEO spam.

# of sites infectedTypeMalware / Domains
20spammerhttp://123livesex.com/,forumspam,2014-01
20spammerhttp://20min.ch,forumspam,2014-01
20spammerhttp://90210daily.com/,forumspam,2014-01
20spammerhttp://EzAdBlaster.com,forumspam,2014-01
20spammerhttp://absolutefringe.com,forumspam,2014-01
20spammerhttp://adaptfunrun.org/,forumspam,2014-01
20spammerhttp://andresmarcossanchez.com/MichaelKors/ ,forumspam,2014-01
20spammerhttp://appliancelandinc.com/,forumspam,2014-01
20spammerhttp://audiobookkeeper.ru/,forumspam,2014-01
20spammerhttp://australiainternetsearch.com/,forumspam,2014-01
20spammerhttp://autism.sedl.org/index.php/about-us,forumspam,2014-01
20spammerhttp://axanaxplease.com/,forumspam,2014-01
20spammerhttp://ayurvedatradicional.com/wordpress/ ,forumspam,2014-01
20spammerhttp://azezhomeloans.com/body.html,forumspam,2014-01
20spammerhttp://baltimorecomiccon.com/sponsors/,forumspam,2014-01
20spammerhttp://bashkiaprrenjas.com/,forumspam,2014-01
20spammerhttp://bellezzaamica.it/Moncler-Sale-With-Free-Shipping.html,forumspam,2014-01
20spammerhttp://birdsofstkittsnevis.com/files/,forumspam,2014-01
20spammerhttp://bmaphoenix.org/young-professionals/,forumspam,2014-01
20spammerhttp://bradblaze.com.au/,forumspam,2014-01
Limited view... Only the top entries being displayed.

Encoded javascript

Encoded javascript (redirecting to blackhole and other exploit kits) or to build a remote call.

# of sites infectedTypeMalware / Domains
12javascripthttp://div-class-container.ru/m/": var a910ab1=[855,915,955,960,973,887,970,971,976,963,956,916...
22javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
20javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
17javascript<script src="http://pops.virgilio.us/pop.php?id=1"></script>
10javascript<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c...
9javascript<script type="text/javascript">var pid='52877';var pixel='468x60';var c_pid='YWQ2LmV1';var pare...
9javascript<script type="text/javascript" src="http://psicholog-msk.ru/scripts/kd7tvnbv.php?id=3023929"></...
3javascript<script>izs=19099;tm="168242";</script><script language="JavaScript" type="text/JavaScript" cha...
2javascript<script type="text/javascript" src="http://ledomaine-miltat.fr/crbst_pa_0_p_22dshk39np8ay/wqqry...
1javascript<script type="text/javascript" src="http://ledomaine-miltat.fr/crbst_pa_0_p_22dshk39np8ay/wqqry...
Limited view... Only the top entries being displayed.