News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
Topic: SPAM frauds, fakes, and other MALWARE deliveries...  (Read 301752 times)
« Reply #480 on: July 27, 2011, 04:36:37 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8365



FYI...

SpyEye's target list - US, UK, Canada, Germany, and Australia now on top
- http://www.trusteer.com/blog/us-uk-canada-germany-and-australia-now-top-spyeyes-target-list
July 26, 2011 - "Research findings from the Trusteer Situation Room and our anomaly detection service Pinpoint indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using SpyEye. Analyzing the SpyEye command and control centers that our risk analysis team reviews every month revealed that 60% of the SpyEye bots target financial institutions in the US. This is followed by the UK with 53%, Canada with 31%, Germany 29%, and Australia 20%... the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June... SpyEye continues to expand its “hit list”... SpyEye developers appear to have figured out how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these detection systems. SpyEye seems to follow Agile software development practices, namely it is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers. At certain times, we have even seen two new versions of the malware released every week... A new version means that the program code itself has been modified, while a new variant is just new packing around the same code... early versions of the malware included a feature to remove Zeus from an infected host machine. This feature was, of course, in place to ensure that SpyEye is the only financial malware on the infected computer..."
___

SpyEye Tracker
- https://spyeyetracker.abuse.ch/
"... quick statistics about the SpyEye Trojan:
SpyEye C&C servers tracked: 381
SpyEye C&C servers online: 184
SpyEye C&C server with files online: 38
• Average SpyEye binary Antivirus detection: 26.14% ..."

ZeuS Tracker
- https://zeustracker.abuse.ch/
"... quick statistics about the ZeuS crimeware:
ZeuS C&C servers tracked: 659
ZeuS C&C servers online: 223
ZeuS C&C servers with files online: 53
ZeuS FakeURLs tracked: 19
ZeuS FakeURLs online: 6
• Average ZeuS binary Antivirus detection rate: 38.67% ..."

(... as of 2011.08.04)

« Last Edit: August 04, 2011, 01:34:51 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #481 on: July 29, 2011, 03:12:24 »
AplusWebMaster

FYI...

SPAM/fraud aimed at credit card users...
- http://community.websense.com/blogs/securitylabs/archive/2011/07/28/has-my-credit-card-really-been-compromised.aspx
28 Jul 2011 - "Websense... has been monitoring and tracking a recent wave of email attacks being spread and aimed at credit card users and holders. The attack comes in the form of a short email with fairly detailed text alerting the recipient that their credit card has been blocked, and that they should open the attached file to find out more.  The format seems old, with the content and attached file properties being the distinctive factor. With the recent attacks and data breaches of organizations in the press, this seems to be worth the buzz as personal details and credit card details were part of the information leaked... There is less the wording within the message body and the header information with regards to sender address or connecting IP's which are listed in this blog post*... The file is also VM-Aware, as the resulting execution of a download for fake AV only works if host based analysis is used (as opposed to a guest virtual machine)..."
* http://garwarner.blogspot.com/2011/07/mastercard-spam-leads-to-fake-av.html

- http://labs.m86security.com/2011/07/malicious-hotel-transaction-spam/
July 29, 2011

>> http://tools.cisco.com/security/center/viewAlert.x?alertId=23741
July 29, 2011
___

Sophisticated injection abuses the Twitter trend service
- http://community.websense.com/blogs/securitylabs/archive/2011/07/27/sophisticated-injection-abuse-twitter-trend-service.aspx
27 Jul 2011 - "... Websense... has detected a mass injection campaign that has infected more than 10,000 Web sites. What is surprising is the size of injected code; it’s very big – over 6,000 kbs. Surely such a large injection code can contain a lot of malicious content. The attacker used 5 layers of obfuscated methods to conceal the final redirect code. The redirect target is determined based on Twitter trend services... The redirect target is different every day, and even different at day and at night... The URL redirects customers to the Blackhole Exploit Kit where a rogue AV application will be installed. Below are IP addresses that host the Blackhole Exploit Kit..."

« Last Edit: July 29, 2011, 12:47:30 by AplusWebMaster »
« Reply #482 on: July 29, 2011, 05:11:31 »
AplusWebMaster

FYI...

Zeus SPAM continues...
- http://garwarner.blogspot.com/2011/07/government-related-zeus-spam-continues.html
Update: New Zeus distribution site, July 29th AM:
"We are receiving SPAM emails this morning from "nacha .org" From: addresses that direct us to this Zeus distribution site.
hxxp ://federalreserve-alert .com/transaction_report.pdf.exe
... VirusTotal report... (5 of 43) detections. Only 2 of those are calling this Zeus."
---
July 28, 2011 - "... new example of this capability in the form of the two most recent installments of a long-running "government-related" Zeus campaign.
One of the two spammed destinations is:
alert-irs .com /00000700973770US.exe MD5 = 0691a4856713edc97664e60db735747c
This malware is currently showing a (12 of 43) detection rate at VirusTotal...
The other spammed destination is:
fdic-updates .com /system_update_07_28.exe MD5 = 7a0303fdb809ac0c1a84123b106992c2
This malware is currently showing a (8 of 43) detection rate at VirusTotal...
Both files are 172,032 bytes in size, but currently the FDIC one is showing a dramatically wider distribution via email than the IRS one, which may be an indication of "targeting" by the latter.
The FDIC version has been seen almost 500 times, despite the fact that the campaign is less than 45 minutes old as of this writing..."
(Much more detail at the garwarner.blogspot URL above.)

> http://www.cis.uab.edu/forensics/

« Reply #483 on: August 01, 2011, 04:40:28 »
AplusWebMaster

FYI...

willysy .com mass injection... more than 3.8 million pages
- http://blog.armorize.com/2011/07/willysycom-mass-injection-has-hit-more.html
7.31.2011 - "... As of July 31st, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, -not- sites or domains. And so we've largely updated and reformatted (so new info appears at the front) the initial report*, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html
"... 5. Browser exploits used:
CVE-2010-0840 - Java Trust - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840
CVE-2010-0188 - PDF LibTiff - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
CVE-2010-0886 - Java SMB - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0886
CVE-2006-0003 - IE MDAC - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0003
CVE-2010-1885 - HCP - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885
6. Exploit domain:
arhyv .ru, counv .ru ...
IP: 46.16.240.18 (AS51632 Ukraine - Inet Ltd)
Related domains: xlamv .ru, vntum .ru
7. Malware URL:
hxxp ://46.16.240.18 /9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot ..."
___

- http://www.google.com/safebrowsing/diagnostic?site=AS:51632
"... last time suspicious content was found was on 2011-08-01..."

« Last Edit: August 01, 2011, 10:37:15 by AplusWebMaster »
« Reply #484 on: August 01, 2011, 15:12:51 »
AplusWebMaster

FYI...

Fake Flash for Mac ...
- http://www.f-secure.com/weblog/archives/00002206.html
August 1, 2011 - "We've come across a fake FlashPlayer.pkg installer for Mac... Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands. The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site... Even though the page looks fairly realistic, clicking on any of the links does not take the user to any other sites. Clicking on the links does however open new pop-up pages, which are all pulled from a separate remote server... At the time of writing, the pop-up pages aren't displaying anything, though we presume they are ads of some sort. It appears that the remote server serving the pop-up pages is down. The other remote server returning fake search requests appears to be still active. We detect this trojan as Trojan:BASH/QHost.WB."
(Screenshots available at the f-secure URL above.)

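A defender-side check for the hosts-file hijack F-Secure describes, added here as an example (not F-Secure's code): it parses hosts-file text and reports watched domains that resolve to a real remote address, while leaving loopback and 0.0.0.0 sinkhole entries alone. The watched-domain list and the sample file are assumptions constructed for the example; the address is the one named in the post.

```python
"""Hosts-file hijack check, in the style of the fake FlashPlayer.pkg case above.

Added example; not F-Secure's code. Assumes the usual hosts-file format
("<address> <hostname> [hostname ...]", '#' comments); the watch list is an
assumption for this example.
"""
import ipaddress
import re

# Names a hijack would most plausibly redirect; an assumption for this example.
WATCHED_SUFFIXES = ("google.com", "google.com.tw", "google.com.tl")

# Constructed sample hosts file: a benign loopback line, an ad-blocking
# sinkhole line, and two hijack lines pointing Google names at the address
# named in the F-Secure write-up.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # sinkhole, benign
91.224.160.26   google.com.tw www.google.com.tw
91.224.160.26   google.com.tl
"""


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each mapping line in hosts-file text.

    Comments and blank lines are skipped; a line whose first field is not an
    IP address is ignored rather than raised on, since the file is hand-edited.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield addr, [h.lower() for h in fields[1:]]


def is_watched(hostname):
    """True if hostname is one of the watched names or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(hostname, address)] for watched names mapped to a remote host.

    Loopback and unspecified addresses (127.x, ::1, 0.0.0.0) are how a hosts
    file legitimately *blocks* a name, so those mappings are not reported.
    """
    findings = []
    for addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if is_watched(name):
                findings.append((name, str(addr)))
    return findings


def scan_hosts_file(path="/etc/hosts"):
    """Run the check against a real hosts file (same path on macOS and Linux)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for name, addr in find_hijacks(SAMPLE_HOSTS):
        print(f"hijacked: {name} -> {addr}")
```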
« Reply #485 on: August 02, 2011, 03:44:37 »
AplusWebMaster

FYI...

'Work from home' SPAM scam floods Twitter
- http://nakedsecurity.sophos.com/2011/08/01/compromised-twitter-accounts-spam-out-money-making-adverts/
August 1, 2011 - "Compromised Twitter accounts are once again being used by criminals to spam out adverts to unsuspecting users. In the latest attack, Direct Messages (DMs) have been sent between Twitter users promoting a "make money fast" website... Clicking on the link takes the unsuspecting recipient to a website which claims, in breathless tones, to help single mothers and teenagers to make "thousands of dollars" every day... The likelihood is, however, that all that will happen is that you end up out of pocket if you invest in the site's Home Wealth Formula. Interestingly, the website tries to attempt to customise its content to appear more attractive to you. For instance, I visited the site from Sophos's British HQ in Abingdon, Oxfordshire, and the website duly described itself as the "Abingdon Business Journal" (no such publication really exists)... there will no doubt be Twitter users who trust DMs sent to them by their friends and may click on the link, and some of them may be tempted to sign-up for the scheme...
Update: ... SPAM messages are also being sent as classic messages, not just DMs..."
(Screenshots available at the Sophos URL above.)

« Reply #486 on: August 03, 2011, 01:45:04 »
AplusWebMaster

FYI...

Cisco 2Q11 Global Threat Report
- http://blogs.cisco.com/security/cisco-2q11-global-threat-report/
August 1, 2011 - "... highlights from the Cisco 2Q11 Global Threat Report* include:
• A more than double increase in unique Web malware in the second quarter;
• Average encounter rates per enterprise peaked in March (455) and April (453);
• Companies with 5,001-10,000 employees and companies with 25,000+ employees experienced significantly higher Web malware encounters compared to other size segments;
• Brute force SQL login attempts increased significantly during the second quarter, coinciding with increased reports of SQL injection attacks throughout the period;
• Denial of Service attempts also increased during the second quarter and were observable in IPS logs;
• Global spam volumes remained fairly steady throughout the first half of 2011, while phishing increased in 2Q11, peaking at 4% of total volume in May 2011..."
* http://www.cisco.com/go/securityreport

« Reply #487 on: August 04, 2011, 10:25:58 »
AplusWebMaster

FYI...

Rapid relief for osCommerce administrators...
- http://h-online.com/-1324235
17 August 2011
___

willysy osCommerce now over 6M infected pages - Mass Injection ongoing...
- http://blog.armorize.com/2011/08/willysy-oscommerce-injection-over-6.html
8.03.2011 - "... With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident*..."
* http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html

- http://www.youtube.com/watch?v=1Jh_H4qQzqo
Uploaded by ArmorizeTech on Aug 3, 2011
"... recorded when infection number reached 6 million pages..."
___

Is That a Virus in Your Shopping Cart?
- https://krebsonsecurity.com/2011/08/is-that-a-virus-in-your-shopping-cart/
August 5, 2011
___

- http://h-online.com/-1317410
3 August 2011
- http://h-online.com/-1323427
16 August 2011

- http://www.usatoday.com/money/industries/technology/2011-08-11-mass-website-hacking_n.htm
"... A single criminal gang using computer servers located in the Ukraine is responsible for the latest twist in converting legit web sites into delivery mechanisms for 'driveby downloads'..."

« Last Edit: August 18, 2011, 06:24:53 by AplusWebMaster »
« Reply #488 on: August 04, 2011, 11:42:12 »
AplusWebMaster

FYI...

HTran and APT ...
- http://www.secureworks.com/research/threats/htran/
August 3, 2011 - "... 'not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government.
Conclusion: Over the past ten years, we have seen dozens of families of trojans that have been implicated in the theft of documents, email and computer source code from governments, industry and activists. Typically when hacking or malware traffic is reported on the Internet, the location of the source IP is not a reliable indicator of the true origin of the activity, due to the wide variety of programs designed to tunnel IP traffic through other computers. However, occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/user error. This is one of those cases where we were lucky enough to observe a transient event that showed a deliberate attempt to hide the true origin of an APT. This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes."
(More detail at the secureworks URL above.)

https://www.computerworld.com/s/article/9218857/Researcher_follows_RSA_hacking_trail_to_China
August 4, 2011 - "... attackers gained access to RSA's network by convincing a small number of the company's employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe's Flash Player. Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack... Joe Stewart uncovered the location of the malware's command servers by using error messages displayed by a popular tool called "HTran," which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not... more than 60 malware families he's found that were custom-made for RSA-style attacks..."

« Last Edit: August 04, 2011, 12:09:28 by AplusWebMaster »
« Reply #489 on: August 06, 2011, 03:00:12 »
AplusWebMaster

FYI...

Malware variants turn UAC off ...
- https://blogs.technet.com/b/mmpc/archive/2011/08/03/uac-plays-defense-against-malware.aspx
3 Aug 2011 - "... more and more malware opening a new front and turning UAC off itself. Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off. So many are doing this that Microsoft Security Essentials, Windows Intune, and Forefront Endpoint Protection now use behavior monitoring to find software that manipulates UAC settings, and the MMPC is finding brand new malware disabling UAC regularly. The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate. Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity... UAC is not intended as malware protection, but it's another layer of security to help improve the safety of Windows. If you've been attacked by malware, please check the UAC setting in the control panel to see if it's been tampered with*..."
* http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off

« Reply #490 on: August 08, 2011, 03:07:18 »
AplusWebMaster

FYI...

Fake Firefox update email...
- http://nakedsecurity.sophos.com/2011/08/08/fake-firefox-update-email-malware/
August 8, 2011 - "... email which was spammed out this weekend pretending to be an advisory about a new update to the popular Firefox web browser... no surprises here. The link downloads an executable file, which bundles together an installer for Mozilla Firefox 5.0.1 -and- a password-stealing Trojan horse. Sophos already detected the Trojan horse as Troj/PWS-BSF... Firefox automatically updates itself - so you should never have to act upon an email like this. If you want to manually look for the latest update, simply open Firefox and go to the Help menu and select About Firefox..."

« Reply #491 on: August 11, 2011, 03:40:10 »
AplusWebMaster

FYI...

LinkedIn box to Uncheck...
- https://brandimpact.wordpress.com/2011/08/10/a-box-you-want-to-uncheck-on-linkedin/
August 10, 2011 - "Apparently, LinkedIn has recently done us the “favor” of having a default setting whereby our names and photos can be used for third-party advertising. A friend forwarded me this alert (from a friend, from a friend…) this morning. Devious. And I expect that you, like me, don’t want to participate... graphic shows you how to Uncheck The Box*... Nice try, LinkedIn. But, no thanks!
*UPDATE: After you finish with Account, check the new default settings under E-mail Preferences (such as Partner InMails); and Groups, Companies & Applications (such as Data Sharing with 3rd-party applications). It’s a Facebook deja vu!
* https://brandimpact.files.wordpress.com/2011/08/linkedin_social.png

> http://www.theregister.co.uk/2011/08/11/linkedin_privacy_stuff_up/

« Reply #492 on: August 12, 2011, 08:54:17 »
AplusWebMaster

FYI...

Zeus SPAM campaign...
- http://blogs.appriver.com/blog/digital-degenerate/zeus-works-the-tax-angle
August 10, 2011 - "The past couple of days we have been seeing a fairly large Zeus-laden campaign hitting our filters. These emails are also taking on a few different personas, the majority of which being the Internal Revenue Service. The other two, to a lesser extent, are the Federal Reserve, and the Nacha Electronic Payments Association which is a non-profit group that provides the rules and regulations for electronic transactions such as insurance premiums and mortgage loans. The group claims to have one of the largest and safest payment systems in the world. This may be true, but these imposters are anything but... Zeus is currently the most frequently seen piece of malware circulating through the interwebs. It works its way onto victim machines, and installs malicious software that siphons off bank account credentials. In this campaign in particular we have seen over 1 million pieces of these caught in our filters, at an average rate of around 1 every 2 seconds. Each of the emails contains a link to a remotely hosted file. The domains on which they're hosted are: irs-report-file .com, nacha-transactions .com, irs-tax-reports .com, federal-taxes .us, irs-alerts-report .com, federalresrve .com, files-irs-pdf .com, nacha-files .com, and nacha-security .com. The filenames vary depending on the facade being used. These include: wire-report.pdf.exe, your-tax-report.pdf.exe, 00000700955060US.pdf.exe, alert-report.pdf.exe, tax_00077034772.pdf.exe, transaction_report.pdf.exe, and 3029230818209.pdf.exe..."
(Screenshots available at the appriver URL above.)

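An added example (not AppRiver's or garwarner's code) that applies the two tells the Zeus campaigns quoted in replies #482 and #492 share: a link whose filename ends in an executable hidden behind a document extension (.pdf.exe), and a domain that imitates the IRS, NACHA, FDIC or Federal Reserve without being their official domain. The brand table, the allowlist, the similarity threshold and the sample URLs are assumptions constructed for the example from the defanged values the posts quote.

```python
"""Lure-link triage for the IRS / NACHA / Federal Reserve Zeus spam quoted in
replies #482 and #492. Added example, not AppRiver's or garwarner's code.
The brand table, the allowlisted official domains, the extension sets and the
similarity threshold are assumptions made for this example.
"""
import difflib
from urllib.parse import urlsplit

# Brand token -> domains allowed to carry it. Assumption: a tiny allowlist,
# enough to show the check; a real deployment would use a maintained list.
IMPERSONATED = {
    "irs": ("irs.gov",),
    "nacha": ("nacha.org",),
    "fdic": ("fdic.gov",),
    "federalreserve": ("federalreserve.gov",),
}
EXECUTABLE_EXT = {"exe", "scr", "pif", "bat", "cmd"}
DOCUMENT_EXT = {"pdf", "doc", "xls", "txt", "jpg"}
SIMILARITY = 0.85  # difflib ratio at which a label counts as a typo-lookalike

# Constructed samples: the first three re-fang domains/filenames the posts quote.
SAMPLE_URLS = [
    "http://irs-report-file.com/your-tax-report.pdf.exe",
    "http://federalresrve.com/transaction_report.pdf.exe",
    "http://fdic-updates.com/system_update_07_28.exe",
    "https://www.irs.gov/pub/irs-pdf/f1040.pdf",
]


def _is_official(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def imitated_brand(host):
    """Return the brand a host imitates, or None for official or unrelated hosts.

    Only the registrable label is inspected (e.g. "irs-report-file" in
    irs-report-file.com), split on hyphens so "alert-irs" and "nacha-files"
    match exactly and "federalresrve" matches by similarity.
    """
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = [t for t in registrable.replace("_", "-").split("-") if t]
    for brand, official in IMPERSONATED.items():
        if _is_official(host, official):
            return None
        for tok in tokens:
            if tok == brand or difflib.SequenceMatcher(None, tok, brand).ratio() >= SIMILARITY:
                return brand
    return None


def classify_url(url):
    """Return the reasons a link looks like a malware lure; an empty list means clean."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    exts = filename.split(".")[1:]  # "report.pdf.exe" -> ["pdf", "exe"]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXT:
        reasons.append("downloads an executable (." + exts[-1] + ")")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
            reasons.append("double extension disguises it as a ." + exts[-2] + " document")
    brand = imitated_brand(host)
    if brand:
        reasons.append("domain imitates " + brand + " but is not its official domain")
    return reasons


def triage(urls):
    """Map each URL to its reasons, for feeding a mail filter or a SOC ticket."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url, "->", "; ".join(reasons) or "no findings")
```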
« Reply #493 on: August 15, 2011, 10:18:05 »
AplusWebMaster

FYI...

SPAM - Virus Outbreak In Progress
- http://www.ironport.com/toc/
August 15, 2011

http://tools.cisco.com/security/center/threatOutbreak.x?currentPage=1&sortOrder=d&pageNo=1&sortType=d

Website Profile Inquiry E-mail Msg...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23906
Misleading Tourism E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23905
Fake Personal Photo Attachment E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23881
Fake Blocked Credit Card Notification E-mail Msgs...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=23820

« Reply #494 on: August 16, 2011, 04:54:02 »
AplusWebMaster

FYI...

Updates:

Attacks Against Timthumb.php in the Wild...
- http://blog.sucuri.net/2011/08/attacks-against-timthumb-php-in-the-wild-list-of-themes-and-plugins-being-scanned.html
August 17, 2011 - "We are seeing large scale attacks against the vulnerable timthumb.php script in the wild. Thousands of sites are getting compromised... please verify them for the TimThumb script. If they contain the script ensure it is updated immediately. Attacks in the wild: We are seeing many attacks in the wild, basically they scan all these plugins and themes, then attempt to compromise the site..." 
(More detail at the URL above.)

WordPress sites with .htaccess hacked
- http://blog.sucuri.net/2011/08/wordpress-sites-with-htaccess-hacked.html
August 17, 2011 - "The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain .com and superpuperdomain2 .com remote JavaScript injection...  many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains..."
(More detail at the URL above.)
___

WordPress plugin vuln - compromised WordPress blogs...
- http://community.websense.com/blogs/securitylabs/archive/2011/08/15/vulnerability-in-timthumb-wordpress-plugins-the-effects.aspx
15 Aug 2011 - "... code injected into WordPress Web sites. At first we saw the injected domain name hxxp: //superpuperdomain .com/ injected at the foot of compromised WordPress blogs.  This code appears to have been delivering advertisements to end users via redirects to search engines. Last Friday, we saw a slight adaptation within the injected code. This time, browsers to compromised sites led to the domain hxxp: //superpuperdomain2 .com/, which seemingly was a placeholder for more nefarious malicious activity... The research team over at Sucuri Security also noticed the same over the weekend. Their blog is here*..."
* http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain-com-attacking-timthumb-php.html
August 11, 2011 - "... large number of WordPress sites compromised with a malicious JavaScript loading from superpuperdomain .com/count.php. That JavaScript redirects visitors that were going to the WordPress site to fake search engines... This script basically loads a bunch of encoded JavaScript that redirects the user to upliftsearch .com, filmannex .com and other “search engines” full of ads. On the sites we’ve analyzed, they were hacked through the timthumb.php vulnerability** that was published a few days ago. The attackers are also creating a bunch of backdoors to maintain their access to the hacked sites... This is not a vulnerability in WordPress, it is a vulnerability found in various WordPress themes that include TimThumb! You have to make sure that you are using an updated theme, and from a legitimate source..."
> http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html
August 15, 2011 - "... malware infection that has been affecting thousands of WordPress sites with the vulnerable timthumb.php script... acts as a backdoor, so they can control the site and add more injections/malware whenever they want. If you are running WordPress, check if your theme (or plugin) has this timthumb.php script. If it has, update or remove it now! You can also scan it here to see if it is infected:
- http://sitecheck.sucuri.net "

** http://boards.cexx.org/index.php?topic=15339.msg82607#msg82607
4 August 2011

« Last Edit: August 18, 2011, 06:42:51 by AplusWebMaster »
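An added example (not Sucuri's or Websense's code) that checks a WordPress tree for the two things the posts above tell administrators to look for: copies of timthumb.php under themes and plugins, and .htaccess rewrite blocks that send search-engine-referred visitors to another host. The referrer/redirect heuristic, the placeholder redirect domain and the sample tree are assumptions constructed for the example.

```python
"""WordPress audit for the TimThumb exposure and .htaccess redirect hack
described in reply #494. Added example; not Sucuri's or Websense's code.
The .htaccess heuristic (a referrer condition naming search engines followed
by a rewrite to another host), the placeholder redirect domain and the sample
tree are assumptions constructed for this example.
"""
import os
import re
import tempfile

# A RewriteCond that keys on search-engine referrers, and a RewriteRule whose
# target is an absolute URL (captured up to the host). Assumed hack pattern.
SEARCH_REFERER = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|yahoo|bing|msn)", re.I)
ABSOLUTE_TARGET = re.compile(r"RewriteRule\s+\S+\s+(https?://[^\s/]+)", re.I)


def find_timthumb(root):
    """Return every timthumb.php under root (themes and plugins usually carry it)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "timthumb.php":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def suspicious_htaccess_rules(text, site_host):
    """Return (condition, target_host_url) pairs for rewrite blocks that send
    search-engine-referred visitors to a host other than site_host."""
    findings = []
    pending_cond = None
    for raw in text.splitlines():
        line = raw.strip()
        if SEARCH_REFERER.search(line):
            pending_cond = line
            continue
        m = ABSOLUTE_TARGET.search(line)
        if m and pending_cond:
            target = m.group(1).lower()
            if site_host.lower() not in target:
                findings.append((pending_cond, target))
        if line.lower().startswith("rewriterule"):
            pending_cond = None  # a RewriteRule consumes the conditions before it
    return findings


def audit(root, site_host):
    """Walk a WordPress install and report timthumb copies and hacked .htaccess files."""
    report = {"timthumb": find_timthumb(root), "htaccess": []}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for _cond, target in suspicious_htaccess_rules(fh.read(), site_host):
                report["htaccess"].append((path, target))
    return report


# Constructed sample: the stock WordPress block with an injected redirect in front.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://redirect.example/in.cgi?3 [R=301,L]
RewriteRule ^index\\.php$ - [L]
# END WordPress
"""


def build_sample_tree(base):
    """Create a constructed site under base: one theme shipping timthumb.php
    and a root .htaccess carrying the injected rules. Returns base."""
    theme = os.path.join(base, "wp-content", "themes", "sometheme", "scripts")
    os.makedirs(theme, exist_ok=True)
    with open(os.path.join(theme, "timthumb.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed stand-in for the vulnerable script\n")
    with open(os.path.join(base, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTACCESS)
    return base


def demo():
    """Build the sample tree in a temp dir and audit it as site myblog.example."""
    return audit(build_sample_tree(tempfile.mkdtemp()), "myblog.example")


if __name__ == "__main__":
    print(demo())
```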
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines