Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware […]
Tag Archives: Website Backdoor
Wordfence Evasion Malware Conceals Backdoors
Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim’s website for as long as possible and ensure execution. For example — obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to […]
Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson
WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be […]
How to Find & Clean Up the AnonymousFox Hack
The AnonymousFox hack targets insecure websites and actively exploits them to spread phishing, spam, and other malware. A major nuisance for website owners, it also happens to be one of the more prevalent types of malware seen on client sites in the past two years. In this post we’ll describe what AnonymousFox is and how […]
2021 Threat Report Webinar
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. So – what do you need to do to stay one step ahead of attackers? Join Sucuri researcher Ben Martin on July 6th in our latest […]
Analysis of the Massive NDSW/NDSX Malware Campaign
Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware. We’ve been tracking […]
Examining Unique Magento Backdoors
During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoors illustrates the ever-changing landscape of website security and highlights some of the tactics used to avoid traditional backdoor detection. Reflection […]
PHP Repository Exploited by Hackers
The official PHP git repository, http://git.php.net/, was compromised this Sunday, March 28. An attacker was able to modify the PHP source code twice and inject a backdoor into it. Thankfully, both attempts were quickly detected and removed by the PHP team. Per a statement released in PHP’s internal mailing list, the current investigation believes the […]
SQL Triggers in Website Backdoors
Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus […]
Whitespace Steganography Conceals Web Shell in PHP Malware
Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files. At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the .CSS file revealed 56,964 seemingly empty lines containing combinations of invisible tab (0x09), space […]
