
We've been cleaning many sites infected by the so-called site_url hack, the result of the WP GDPR Compliance plugin vulnerability. The sites are broken because their static resource links point to a third-party site. However, this is not the only issue.

Read More ...

There is a long-running malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

where XX[X] stands for two or three random characters.
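The two symptoms described in the notes above (static resources served from a third-party host after the site_url hack, and the fake jQuery loader from the XX[X]wp.org campaign) can both be picked out of a saved copy of a page's HTML. The scanner below is an added example written for this page, not Sucuri's own tooling. It assumes the random characters in the fake domain are letters or digits, and the sample page it scans is constructed for the demo: `victim.example`, `static-host.example` and the `www.XXwp.org` placeholder from the note are not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fake jQuery loader from the campaign above: https://www.<2-3 chars>wp.org/jquery.js
# Assumption: the random characters are lowercase letters or digits.
FAKE_JQUERY_RE = re.compile(
    r"^https?://www\.[a-z0-9]{2,3}wp\.org/jquery\.js(?:[?#].*)?$", re.IGNORECASE
)

# Tags whose URL attribute WordPress builds from the siteurl/home options,
# so they all move off-site together when those options are tampered with.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collects every external-resource URL referenced by the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value.strip())


def resource_host(url):
    """Hostname a resource URL loads from; None for relative paths and data: URLs."""
    if url.startswith("//"):  # protocol-relative URLs still name a host
        url = "https:" + url
    return urlparse(url).hostname


def scan_page(html, site_host, allowed_hosts=()):
    """Return the fake-jQuery loaders and off-site resources found in `html`."""
    collector = ResourceCollector()
    collector.feed(html)
    trusted = {site_host.lower(), *[h.lower() for h in allowed_hosts]}
    findings = {"fake_jquery": [], "offsite": []}
    for url in collector.urls:
        if FAKE_JQUERY_RE.match(url):
            findings["fake_jquery"].append(url)
        host = resource_host(url)
        # A resource on a host that is neither the site nor an approved CDN is
        # the visible symptom of the site_url hack.
        if host is not None and host.lower() not in trusted:
            findings["offsite"].append(url)
    return findings


# Constructed sample: a victim page whose theme assets now load from a
# third-party host (site_url hack) and which also carries a fake jQuery loader.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://victim.example/wp-content/themes/x/style.css">
<script src="https://static-host.example/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="https://www.XXwp.org/jquery.js"></script>
<script src="/wp-content/plugins/p/app.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body><img src="//victim.example/logo.png"></body></html>
"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML, "victim.example", allowed_hosts=["fonts.googleapis.com"])
    for kind, urls in report.items():
        for url in urls:
            print(f"{kind}: {url}")
```

Pass the site's real hostname plus any CDNs it legitimately uses in `allowed_hosts`; everything else that is not a relative path gets reported, which is exactly the state a site is in after its siteurl has been rewritten.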

This Twitter thread mentions some of them:

Read More ...

This September, we've been seeing a massive infection wave that injects malicious JavaScript code into .js and .php files and into the WordPress database.

The script looks like this:

Read More ...

Seeing malicious campaigns use domain names that resemble big market players is not news anymore. This time I'll talk about the new cloudflare.pw redirects.

Read More ...

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, it turned out to run a cryptocurrency miner in the browsers of visitors to the website.

Read More ...

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment, and it was immediately apparent that this malicious PHP file was different from your average spam tool:

Read More ...

All across the internet we find guides and tutorials on how to keep your WordPress site secure. They all touch on the concept of user roles, but few actually cover the capabilities that those roles grant.

Read More ...

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included in the source code of each defaced website. As shown below, the injection was peculiar because it seemingly provided no benefit to the hacker:

<script>
	ANCHORFREE_VERSION = "623161526"
</script>

<script type='text/javascript'>
	// Hotspot Shield session parameters carried into the page
	var _AF2$ = {
		'SN': 'HSSHIELD00TN',
		'IP': '69.22.172.11',
		'CH': 'HSSCNL000393',
		'CT': '0',
		'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
		'AFH': 'hss306',
		'RN': Math.floor(Math.random() * 999),
		// 1 when the page is the top-level window, 0 when it is framed
		'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
		'AFVER': '3.69',
		'fbw': false,
		'FBWCNT': 0,
		'FBWCNTNAME': 'FBWCNT_CHROME',
		'NOFBWNAME': 'NO_FBW_CHROME',
		'B': 'c',
		'VER': 'nonus'
	};
	// Only in the top-level window: load the remote insert.php script (URL defanged)
	if (_AF2$.TOP == 1) {
		document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
	}
</script>

The injected JavaScript code contains details of the client's connection to the Hotspot Shield VPN server (server node, IP address, channel and client version) and then loads a JavaScript file from box.anchorfree.net. Because those values describe the VPN session of whoever produced the page rather than anything on the defaced site, the injection is a trace of that client, not a component of the attack.
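Since the `_AF2$` object records a VPN session rather than doing anything to the site, the useful thing to do with it during incident response is to pull the session fields out for the timeline. The parser below is an added example for this page, not code from the original note. The meanings it assigns to the fields (SN as the Hotspot Shield server node, IP as the exit address, CH as a channel identifier, AFVER as the client version, NUM_VID_TS as a Unix timestamp) are inferred from the field names and are assumptions; the page source it parses is constructed from the injection quoted above with placeholder defacement markup around it.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# The injected object literal, up to its closing "};"
AF2_OBJECT_RE = re.compile(r"var\s+_AF2\$\s*=\s*\{(.*?)\};", re.DOTALL)
# Only the 'KEY': 'value' string pairs; RN/TOP/fbw/FBWCNT are expressions and are skipped
AF2_STRING_FIELD_RE = re.compile(r"'([A-Za-z0-9_]+)'\s*:\s*'([^']*)'")
ANCHORFREE_VERSION_RE = re.compile(r'ANCHORFREE_VERSION\s*=\s*"(\d+)"')


def extract_anchorfree_artifacts(page_source):
    """Return the Hotspot Shield session fields embedded by the injection, or None."""
    match = AF2_OBJECT_RE.search(page_source)
    if match is None:
        return None
    fields = dict(AF2_STRING_FIELD_RE.findall(match.group(1)))
    version = ANCHORFREE_VERSION_RE.search(page_source)
    # HST is a query-string-like blob; parse_qs drops the empty segment from the leading '&'
    hst = {k: v[0] for k, v in parse_qs(fields.get("HST", "")).items()}
    artifacts = {
        # Field meanings below are assumptions inferred from the names
        "anchorfree_version": version.group(1) if version else None,
        "vpn_server": fields.get("SN"),
        "vpn_ip": fields.get("IP"),
        "channel": fields.get("CH"),
        "client_version": fields.get("AFVER"),
        "browser": fields.get("B"),
        "region": fields.get("VER"),
        "hst": hst,
        "num_vid_ts_utc": None,
    }
    ts = hst.get("NUM_VID_TS")
    if ts and ts.isdigit():  # assumed to be seconds since the Unix epoch
        artifacts["num_vid_ts_utc"] = datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
    return artifacts


# Constructed sample: the injection quoted above inside placeholder defacement markup
SAMPLE_DEFACEMENT_SOURCE = """
<html><body><h1>defacement text placeholder</h1>
<script>
	ANCHORFREE_VERSION = "623161526"
</script>
<script type='text/javascript'>
	var _AF2$ = {
		'SN': 'HSSHIELD00TN',
		'IP': '69.22.172.11',
		'CH': 'HSSCNL000393',
		'CT': '0',
		'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
		'AFH': 'hss306',
		'RN': Math.floor(Math.random() * 999),
		'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
		'AFVER': '3.69',
		'fbw': false,
		'FBWCNT': 0,
		'FBWCNTNAME': 'FBWCNT_CHROME',
		'NOFBWNAME': 'NO_FBW_CHROME',
		'B': 'c',
		'VER': 'nonus'
	};
	if (_AF2$.TOP == 1) {
		document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "' type='text/javascript'></scr" + "ipt>");
	}
</script>
</body></html>
"""

if __name__ == "__main__":
    for key, value in extract_anchorfree_artifacts(SAMPLE_DEFACEMENT_SOURCE).items():
        print(f"{key}: {value}")
```

Run over every saved defacement page and diff the results: the same SN/IP/CH triple recurring across several defacements is the kind of pivot the note hints at when it says the injection provides no benefit to the hacker.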

Read More ...

Fake Font Dropper

2018-06-14 by Moe Obaid

A website owner reached out to us to investigate weird behavior on their site. It was randomly showing a popup window about a missing font, telling visitors that they could not view the site's content because their computers lacked a font required by the website, called “HoeflerText”, as shown in this screenshot:

Read More ...