WordPress Pluggable.php Being Compromised
The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability, WordPress...
Sociable WordPress Plugin Security Warning
If you are using the Sociable WordPress Plugin (plugin with 1,777,161 downloads), be very careful when visiting the plugin’s settings page. We recommend that you disable it or remove it for now, at...
Compromised Websites Hosting Calls to Java Exploit
Remember that Java 0 day vulnerability that was discovered a few weeks ago and took a while to get patched by Oracle? You know, the one that caused a large portion of the security community to...
Careful With Fake jQuery Website – jquery-framework. com
A few days ago we posted in our Labs notes about a fake jQuery website that is distributing malware. The domain was carefully chosen to confuse end-users (jquery-framework.com), since it looks...
Sorryforthiscode – iFrame Injection
We were working on a compromised site today that had some hidden iFrames on it. The iFrames were redirecting visitors to what seemed like random domains. This is the iFrame we were seeing: <iFrame...
Web Malware – Working with Evil Backdoors – Part III
The most complicated part of our job, when cleaning compromised web sites, is ensuring we find all backdoors. If we miss one, the site can be reinfected. We have done a few posts about backdoors...
Server Compromises – Understanding Apache Module iFrame Injections and Secure...
There are many ways to inject a malicious payload onto a website. The attacker can modify any of the web files (index.php for example), the .htaccess file or php.ini (if the site is using PHP). There...
Malware Redirection with a Delay
You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds, you get redirected to a casino or pharma affiliate page. What is going on? We call these...
Large Scale Compromises Leading to Traffic Distribution System
For the last few weeks we’ve been tracking a large scale decentralized Traffic Distribution System (TDS). It’s using hundreds of compromised sites as its first entry point. Anyone that visits the...
Payday Loan Spam affecting Thousands of Sites
One of the most important metrics used by search engines to rank a site is the number of backlinks that it has. The more links a site has for a specific keyword, the higher it will rank when someone...
When Good Plugins Go Bad – SEO Spam on Joomla Websites
We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use...
Mass WordPress Brute Force Attacks? – Myth or Reality
We are seeing in the media some noise about a large distributed brute force attack against all hosts, targeting WordPress sites. According to reports, they are seeing a large botnet with more than...
Apache Binary Backdoors on cPanel-based servers
For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is...
Globo.com redirecting users to Spam ads
Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic) appears to be compromised and all visits to it are being redirected to a sub page inside...
From a Site Compromise to Full Root Access – Symlinks to Root – Part I
When an attacker manages to compromise and get access to a website, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted...
From a Site Compromise to Full Root Access – Local Root Exploits – Part II
When an attacker manages to compromise and get access to a website, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted...
Plesk 0-day Remote Vulnerability in the Wild
Just last week another 0-day vulnerability in Plesk was released. It affects Plesk versions 9.2, 9.3 and 9.5.4. If you have not yet, we recommend that you update Plesk immediately. Note: In our latest...
Apache PHP Injection to JavaScript Files
We have been talking about Apache server-side injections for a while, ranging from malicious modules, like Darkleech, to modified Apache binaries. From an attacker's perspective, it is much more...
New Apache Module Injection
For the last few months we have been talking about the Darkleech Apache Module injection that is being used to insert malicious iframes into every site hosted on a compromised Linux server. However,...
Malware Infection – Blocked by Day Limit
This week while working on a compromised site, I found an interesting variation of the Blackhole injection. We work with many sites injected with Blackhole, like this one: However, on this specific...