
I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment, and it was immediately apparent that this malicious PHP file was different from your average spam tool:

Read More ...

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all address the concept of user roles, but few actually address the capabilities assigned to those roles.

Read More ...

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included in the source code of each defaced website. As shown below, this JavaScript injection was peculiar because it seemingly provided no benefit to the hacker:

<script>
    ANCHORFREE_VERSION = "623161526"
</script>

<script type='text/javascript'>
    var _AF2$ = {
        'SN': 'HSSHIELD00TN',
        'IP': '69.22.172.11',
        'CH': 'HSSCNL000393',
        'CT': '0',
        'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
        'AFH': 'hss306',
        'RN': Math.floor(Math.random() * 999),
        'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
        'AFVER': '3.69',
        'fbw': false,
        'FBWCNT': 0,
        'FBWCNTNAME': 'FBWCNT_CHROME',
        'NOFBWNAME': 'NO_FBW_CHROME',
        'B': 'c',
        'VER': 'nonus'
    };
    // Only loads the remote script when the page is not framed (TOP == 1).
    if (_AF2$.TOP == 1) {
        document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
    }
</script>

The injected JavaScript code contains some details from the client's connection to the HotSpot Shield VPN server, and then loads a JavaScript file from box.anchorfree.net.

Read More ...

Fake Font Dropper

2018-06-14  by  Moe Obaid

A website owner reached out to us to investigate some weird behavior on their site. It was randomly showing a popup window for a missing font, telling visitors that they were unable to view the content of the site because their computers lacked a font required by the website, called “HoeflerText”, as shown in this screenshot:

Read More ...

We have seen many times in the past few months how attackers infect Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t covered the methods they use to ensure that their malicious code is added back if it is removed.

Read More ...

Three months ago @ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).

Read More ...

Since the new cookie usage regulations in the EU came into effect, many websites have added a warning about how they use cookies and now ask for your consent as well.

Read More ...

During an investigation on a recent case, we came across a malware infection that came directly from the server.

Upon further inspection, we found that there were at least two servers showing the same symptom: cryptominers had been automatically injected into every web page after the </head> or </title> tag. The sites themselves had not been infected. The malware was coming from the web server itself, which modifies web pages on the fly. The servers we have identified so far are 5.196.91.117 and 104.243.40.34, hosting around 60 and 120 sites respectively.

This is the code being injected (line breaks added for readability):

Read More ...

Since the CoinHive domain made it into many blacklists, attackers began avoiding direct links to the hosted library file https://coinhive .com/lib/coinhive.min.js. Instead, they uploaded this file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive, for example, injecting the whole library code into web pages.

Read More ...

We are seeing hundreds of infected WordPress sites with the following scripts (on one line) injected in random places in the wp_posts table.

Read More ...