It has been over 19 months since Drupalgeddon, which refers to Drupal’s Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it was a highly critical SQL Injection (SQLi) vulnerability that allowed an attacker to arbitrarily execute SQL commands remotely, leading to potential privilege escalation issues and execution of PHP code on the server. The vulnerability… […]
Archive by Author
Security Advisory: Stored XSS in Jetpack
During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The vulnerability can be easily exploited via wp-comments and we recommend everyone to update asap, if you have not done so yet. Vulnerability Disclosure Timeline:… […]
PCI for SMB: Requirement 1- Install and Maintain a Firewall
If you have an ecommerce website, allowing you to accept credit cards on your site, PCI compliance should not be a new concept or term. PCI DSS (Payment Card Industry – Data Security Standard) is a standard that was established in a collaborative process between the major credit issuers – Visa, MasterCard, Discover, American Express and… […]
Nulled WordPress Themes: Malvertising and Black Hat SEO
If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakingly inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or… […]
Backdoor in Fake Joomla! Core Files
We usually write a lot about obfuscation methods on Sucuri Labs and here on the blog. Sometimes we write about free tools to obfuscate your code that aren’t that free and we also have an online tool to help decoding the malware you find. But sometimes the malware is not clearly encoded using base64, gzinflate, hex concatenation,… […]
Website Hacked Trend Report – 2016/Q1
Our Remediation group is comprised of two distinct teams, the Incident Response Team (IRT) and Malware Research Team (MRT). These teams work closely with our customers in an effort to identify and remove website infections to include malware, SEO spam and a number of other malicious actions attackers take once successfully penetrating a websites defenses.Read […]
Secure Coding: How to Account for Input Sanitization
On average, a website leverages around 18-20 different plugins in its structure. These plugins enhance the website’s functionality and in some instances extend the applications core capabilities. It’s great for website owners because they can pick and choose from different plugins and check which ones better fit their personal blog or businesses. On the otherRead […]
Domain Validation: SSL’s Other Job
SSL certificates are a hot topic today. Website owners are becoming increasingly aware that collecting information on non-HTTPS secured pages is a bad idea and the larger web ecosystem is definitely moving in the direction of full web encryption. Google has indicated they’re giving a ranking boost to HTTPS encrypted sites with heavier rankings likelyRead […]
New Wave of the Test0/Test5.com Redirect Hack
Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain – test5 .xyz (registered just a fewRead […]
Finding Conditional SEO Spam in Drupal
Nobody likes spam. It’s never fun (unless you’re watching Monty Python). For us it comes with the territory; removing SEO spam has been at the core of what we deal with since our inception, giving us some pretty good insights into the various strategies black hats employ. From time to time however, we find ourselvesRead […]

