Our take on the “soaksoak” (revslider) infection

Ethical reportingHere’s our review of the recent revslider plugin exploit – or as some call it, “soaksoak” (ouch).

On November 22, 2014 while removing malware from a number of sites, we noticed a large number of them had backdoor shells buried in the revslider folder. After the first 100+ sites, we noticed the pattern.

A little Google searching found this site:

Our first notification was to hosting providers we work with. We told them what to search for so they could alert their customers. The problem was that we did not report it to the right people. That was our mistake.

The first sites did not have any code injected into the swfobject.js or collect.js files, or the .html or .php files. The sites simply had numerous backdoor shells spread throughout the wp-includes, wp-admin and wp-content folders. It appears as if the hackers were looking for the deepest level folders they could find.

Some online searching showed very few infected sites. 1,100 sites. We did reach out to those website owners to let them know – not to try and drum up business but to be responsible. And discrete.

Many of the forums are reporting links to 122.155... but we’re also seeing links to other IP addresses as well. The injected malscript can be in just the swfobject.js files or all .js files, all .html and selected .php files.

Some of the sites have code injected into the collect.js file which apparently is the same code that the malicious links point to. This leads us to believe that the hackers could use these infected sites in their future malicious links and most recently we see the infectious code using the local sites URL pointing to the infected collect.js file.

You’ll find the malicious code in the template-loader.php file located in wp-includes folder. This should be replaced with a copy of the original file downloaded directly from the WordPress site.

We choose not to alert all the script kiddies
I know what you’re thinking, if we knew about this back in November, why didn’t we blog about it?

Our searches showed a growing number of sites being infected. As of December 17, 2014, we saw 307,000 sites still infected with this – and they have all been verified by us as well.

We did not want to be the one to let every script-kiddie know so they could go out searching for these sites and take advantage of the backdoor shell on all these sites. We’ve been contacting these site owners to let them know and we feel that is the responsible thing to do.

I’m not saying that this was reported wrong. I’m just saying we made the decision to not report it to the masses.

Maybe a missed opportunity. It’s not the first time and it won’t be the last.


The main difference – between those that do and those that don’t

We are the ones who do malware removal. We work in the trenches

We are the ones who do malware removal. We work in the trenches

The main difference – between those that do and those that don’t.

This is something I’ve been toiling over for some time now and it’s reached a full boil.

I continually read blog posts and articles about what “you” should do to protect your website from hackers.

I read it, then read the bio at the end and it all makes sense – these people are not living in the world of website security. They’re not even vacationing here.

One article I read actually focused on one main actionable item for website owners looking to increase their website security – add a section in your agreement with your web developer that makes it their responsibility for all website security issues.


How many of you web devs out there, think that’s justified?

And more to the point, does it really make your website more secure?

Today I read a blog post about what you can do about website security. It started off with keeping software updated. Which is totally sound advice. However, after that the author talked about SQL injection and cross-site scripting. Not what you should do to prevent it, but what it is.

Does awareness make you more secure by itself?

Knowing one way that SQL injection can be successful does nothing to the majority of website owner’s website security.


That’s like saying that since I know it’s illegal to drive 60 miles per hour in a 45 mile per hour zone, that I’m qualified to be a lawyer. Does that little bit of knowledge make me qualified to practice law? I think not.

To turn this around and not have this just be my rant, here are some things you can do to increase your website security. This is advice from someone “in the trenches” (someone that “does”).

  1. First, make certain that someone is responsible for updating your software and your plugins. Don’t even think this is the same as that blog post referenced above about making it your web developer’s responsibility.

    I want you to be certain that it’s someone’s responsibility to login to your WordPress, Joomla, etc… and check for any core updates or any plugins, components, modules, etc. updates at least once every two days.

    You check your Facebook, Twitter, (insert other social media sites here) numerous times a day and that does nothing for your website security. So why not login to your website and see if there are any updates?

  2. Next, activate your log files. If you’re on a hosting account with cPanel, most hosting providers will have the Access logs off by default. They know that storage costs can sky rocket and drives their prices up and they know that probably nobody ever, other than us, ever reads them so they have access logs deactivated. However, that is the first thing we do when we log into your cPanel account is to activate them.

    In your main cPanel window, look for the section titled, “Statistics”. You’ll see an icon for “Access Logs”. Click on that and put a check in the top two boxes. This activates the logs and “flushes” the previous months logs at the end of each month. This prevents your local storage from going through the roof and having your account deactivated for performance issues.

    As much as I hate to admit it, nobody can guarantee your website will never get infected. However, with a forensic audit trail, we can at least determine how it happened so we can take steps to insure that the possibility of your website getting infected again, is less.

  3. Consider your circle of trust. Shameless plug:

    We created this video to help you understand the concept of trust. If you use a web developer, an SEO expert, a blogger, an administrator, or a security company, you must realize that you’re trusting people they trust – without even knowing them. You should start analyzing your circle of trust.

    Watch the above video. Start thinking about who you trust.

  4. Create a separate FTP account for each user.

    If you have a web developer, an SEO expert and yourself all accessing your files, create a separate FTP account for each of you. That way if your website is infected via FTP, you (or us) can see in the FTP logs which user account was compromised and used to upload infectious/infected files to your website.

    Without that, you’ll only see one account and now you have no idea who’s computer was used to steal the FTP password.

    Often times, we see websites infected due to stolen passwords. These passwords are stolen by a virus/trojan on someone’s local computer and when that person logs into the website, either through FTP, CMS login, cPanel, etc., the virus/trojan steals the login URL, the username and password, sends it to the hacker’s server where it logs in as a valid user and uploads or injects malicious code.

  5. If you are using cPanel, create a separate cPanel account for each website.

    Then, if one website gets infected, the chances are the other sites will not due to the separation of accounts.

    You can suspend the infected website (cPanel account), get the malware removed and the website secured, then reactivate it – all without disrupting the other websites.

  6. Monitor your files.

    No, this is not another shameless plug. But the fact is that hackers are constantly changing their tactics. The only sure way to detect when your website has been infected is to monitor the files constantly. Not just once a day. Not from the outside like a browser. But actually monitor all the files and folders frequently to see if any file or folder has been added or changed.

Notice the slant above?

It presumes that your website will get re-infected.

That’s right!

Nobody can guarantee that your website will not get infected – NOBODY!

Understand the hackers are making money off of their work. They will not stop. All you can do is to follow advice from someone “in the trenches” and take the necessary steps to make your site less prone to being infected, setup a strategy for early detection and remediation and get back to doing what it is you do.

Post a comment about your thoughts on this.


Website security – gone phishing

website security addresses phishing spam

A friend of mine used to say, “fishing is a jerk at one of the line waiting for a jerk on the other end”.

We’ve been seeing many, many more phishing scams and here is our insight and our experiences.

Points covered in this post:

  • Hackers are focusing on VPS and dedicated servers
  • Why you should be concerned
  • Why they want access to your VPS or dedicated server
  • What can be done about it

Over the past 60 days, the number of phishing scams has drastically increased. With this we’ve also seen an enormous rise in the amount of spam being sent from VPS’s and dedicated servers.

Some of the servers we’ve removed malware from have had as many as 5 million messages in the email queue – most of them are phishing emails.

The subject lines vary but will typically be something like:

Your Apple ID was disabled: 23%

You have received a voice mail: 29%

I’ve shared a document
Important Doc file 27% (combined)

The rest were mostly focused on pharmaceuticals (viagra, levitra, cialis, etc.)

Why this is important

If you’re the owner of a VPS or dedicated server hosting websites, then this should concern you. You might think, “It’s an easy fix. I’ll restore all my sites from before the malware attack and I’ll have all my customers up in no time.”

A few negative points here for you:

  1. Your websites will be shut-down by your hosting provider
  2. Your domain(s) could be listed on
  3. Your IP address could be blacklisted by a number of SPAM blacklist sites
  4. Restoring files will not “close the hole” – the hackers will be back
  5. Your website(s) could drop in the search engine rankings
  6. Sites backlinking to your website(s) could remove their links – thereby lowering your search engine rankings
  7. Browsers could show a warning page before people try to visit your websites

Point 1 is temporary. Many hosting providers will deactivate your server until the issues are resolved – but most often you will suffer some downtime.

Point 2 may or may not cause you any issues. Some sites and browsers using the phishtank list block your site if you’re listed on there.

Point 3 is more severe if you’re hosting email for your websites on the same server. While many of the SPAM blacklists will remove your IP address or domain from their list quickly (sometimes within 10 – 15 minutes) others like Gmail will take weeks. Gmail doesn’t have a request process like Google does for websites. They monitor email coming from your IP address to their addresses for up to 4 weeks. If they don’t receive any other SPAM, then they’ll delist your IP address.

Point 4 we hear quite frequently. All this does is prolong the process of root cause analysis – how did this happen? Not to sound all “CSI” on you, but you could be writing over forensic information. Then it’s an educated guess as to how it happened.

Point 5 can be serious. Many of you spend large amounts of time getting your sites or your customer’s sites ranked highly for keywords. That will drop quickly if your website gets listed by one of the search engines for sending SPAM or hosting phishing files. Sometimes your rankings will return in about a week or so. However, if your server is infected again, the repeated drops will accumulate and it may take a lot more work to regain your search engine rankings.

Point 6 also affects your search engine rankings – backlinks. You spend a lot of time building up reputable backlinks. If the websites that link back to your site drop you, can you get them back? What will they need to know that your site or sites are safe again?

The last point, browsers showing a warning page, will usually go away within 24 to 48 hours after the infection has been removed and steps taken to secure the websites.

Possibly the best reason for you to be concerned is that anyone you know could fall victim to one of these phishing scams and lose their identity, lose their bank account balance or any number of potentially damaging events.

Why VPS and dedicated servers?

Why would hackers focus on VPS and dedicated servers? We believe the hackers know that these aren’t monitored by the hosting companies quite like the shared hosting accounts are. Some of the managed servers are, but many of people buying the VPS or dedicated server service don’t go with the managed offerings.

Hackers love VPS’s and dedicated servers because they have control over all the resources.

Some of the phishing sites we see are actually subdomains of a domain on the server. For instance, if you had a VPS with a website domain of The hackers could setup a subdomain of Would you notice that?

Probably not.

Hackers could send out millions of SPAM emails from your server and you wouldn’t know until you started getting bounce-backs of emails that were blocked or were sent to non-existent email addresses. Or your hosting provider shuts you down or worse yet, your website customers start complaining.

Often times the reseller and shared hosting accounts are monitored by the hosting provider and those types of accounts don’t have the resources that a server (VPS or dedicated) has. That’s why hackers love VPS and dedicated servers.

What can done?

Prevention can take many paths. First, you can be certain that your server is not being used to send phishing SPAM. The second path is to reduce the amount of phishing SPAM your clients are subjected to. Next, make certain your server isn’t being used to distribute this phishing SPAM. Last, be diligent about the files on your server. Are any of them phishing files? If so, how did they get there?

One of the easiest steps to take is to make certain your SPF record is setup correctly. This works toward reducing the potential of hackers spoofing or forging one of your domains. Here’s our slideshare about this:

How to stop hackers from sending emails as you or your domain

There are many ways to reconfigure SpamAssassin in your cPanel to reduce the amount of SPAM your webhosting customers are subjected to. If they don’t see as much SPAM, there’s a greater chance they won’t be fooled by any of it and fall victim to the phishing SPAM.

Have your email queue checked frequently. If you see a higher than normal amount of email being sent out, have it investigated to be sure it’s not SPAM.

Finally setup file integrity monitoring on your website files. You’ll want to be notified quickly if any phishing files have been uploaded to your server. You’ll not only want to be notified, but you’ll also want to know how it happened.

The external website scanners don’t see the phishing files because there is no link from the website to the phishing files. The only way sites like phishtank can find these phishing files is from the large volunteer network they have. These volunteers will collect the phishing SPAM emails and record the phishing URL and post it on


It’s important that you focus on SPAM in general but definitely phishing files. A few steps, that require little time, can help you help others.

Education is the first step. Please share this with other VPS or dedicated server owners, web developers and others.

We all need to do our part to help make the Internet a safer place.

Thank you.


Website malware hijacks 500,000 computers

Proofpoint security researcher Wayne Huang has released a report detailing the inner workings of a cybercrime group that reportedly had control of about 500,000 devices.

The entire scheme begins with the cybercrime group buying stolen passwords from others. What passwords did they seek?

Website passwords!

They would upload a backdoor shell, which still allowed the website to function normally, but as the website owner would draw more visitors to the site, the cybercriminals would inject their code into the website’s files and infect the devices (computers, tablets, smartphones…) of those visitors. Website malware was used to infect the visitor’s devices.

The infected devices would be used as usual, but the cybercriminals would be receiving any banking login information and other logins – which was their original plan.

As an additional bonus, the cybercriminals would also rent access to these infected (now controlled by the cybercriminals) devices for other underground criminals to use as they wish.

Since most of us have anti-virus programs on all our devices, how did they get so many devices infected?

This group of hackers (cybercriminals if you prefer), used a service that checks their malicious code against all the anti-virus programs available. If the service found any that detected the malicious code, the hackers would use a variety of techniques to change the malicious code enough to “fly under the radar”.

Their website malware would only attempt to infect the devices of “regular” looking visitors. They had lists of IP addresses for various security companies and sites and their malicious website code would only be displayed for IP addresses not in their list.


This graphic is from the Proofpoint research.

Notice where it all starts on the far left – infected websites.

Still don’t think hackers want your website?

Guess again.

This research shows how important your website, or if you’re a website developer or webmaster, how important all the websites you work on, are to the cybercriminals. They need your websites. They want your websites.

The security researcher Huang was able to find the address of the cybercriminals control panel. Believe it or not, they had left it unprotected – no password required. Once in he was able to grab more information and presented it in his research paper.

Huang contacted some of the website owners when he found out who had the website malware on their sites. Many of them checked their sites with some of the online scanners and the reports came back clean. This was due to the work with the IP address list the hackers had built-in to their malicious website code.

Please understand that cybercriminals are not all going after the Targets, Home Depots and banks. Quite often they need your website to start their money making schemes.

If you have any questions about this or website malware in general, please either contact me at or post a comment.

Thank you for reading.


Website security plugins exploited

website security is only as strong as your weakest link
This post is not to bash or degrade the work that some security plugins do for website security.

We don’t believe in them, but that’s our opinion. You’re free to have your own opinion.

The purpose of this post is to drive home 3 main points:

  • There is no “set it and forget it” website security strategy
  • There is no substitute for updating – daily
  • Sometimes the function of website security is also the point of entry

During the month of September 2014, three main WordPress security plugins had some major vulnerabilities.

First (I believe) was WordFence. This plugin provides many security features for a WordPress site:

  1. Two-factor authentication
  2. File Integrity Montioring
  3. Firewall
  4. Blocks ranges of IP addresses
  5. Scans for over 44,000 different forms of malware
  6. and many other features

As of 9-29-2014, according to the WordPress Plugin repository, there were 3,223,158 downloads. This plugin receives some very high ratings as well.

In early September it was disclosed that this plugin suffered from some vulnerabilities.

Next, came the vulnerabilities of the All In One WP Security & Firewall plugin. This plugin:

  • Helps you change the admin username
  • Protects against brute-force attacks
  • Block ranges of IP addresses
  • Adds CAPTCHA to login forms
  • Automates backups
  • and other features

As of October 11, 2014 this plugin shows 475,663 downloads and again is very highly rated.

September of 2014 closed out with vulnerabilities in the BulletProof Security plugin. Some of the features of this plugin are:

  • htaccess Website Security Protection (Firewalls)
  • Login Security & Monitoring
  • Security Logging
  • Backups
  • HTTP Error Logging
  • and other features

As of October 7, 2014 this plugin has been downloaded 1,290,979 times.

For all 3 that’s potentially almost 5 million vulnerable websites. It’s actually less than that because quite often we remove malware from WordPress sites with all three plugins installed. I’m sure they’re not all properly configured, but they are installed.

You see, quite often people are looking for “plug and play” security. We know it doesn’t quite work that way. It sounds cliche but security is a journey, not a destination. You don’t someday do this and this and that and then you’re secure – forever.


That’s done.

website security is all finished!

Not quite.

If there was a website security strategy that was “set it and forget it” then there wouldn’t be any need for our industry (website security). Someone would have published a YouTube video or a downloadable PDF report detailing the steps involved in this apply once and never worry again strategy.

Instead, website security is more like, “lather, rinse, repeat”, only the lather is applying new layers of shampoo. In this case, updating WordPress and your plugins is the shampoo. It must be done consistently. I’m sure you don’t wash your hair once and then you’re good for life, right?

Website security strategy is the same way. What’s safe today, could be vulnerable tomorrow. You can’t rest on what you’ve done today.

While you’re scouring the Internet or the WordPress Plugin repository for that “one” magic plugin that will end all your website security worries, just remember, it too has to be updated. There is no substitute for good, sound security principals.

This isn’t the website security blame game

You’ll notice I didn’t elaborate on the specific vulnerabilities of these plugins. That doesn’t really matter. What matters is that each of these had updates very soon after learning of the vulnerabilities. They did what they’re responsible for.

Or as some of our customers say, “they did the needful”. After that, it’s your responsibility to apply their updates.

I’ve said it before, hackers only need one way in. You need to keep every potential point of entry secured. Your website security is only as strong as your weakest link. Don’t forget that.

If you have any opinions about this post, please post a comment. If you feel this is something to be shared, please do.

Thank you.


Website security and the 5 million hacked Google accounts

Google-DocsYou’ve undoubtedly heard of this by now. But please read this as you’ll see how this could affect you. I’ll tie this in with the other report of hackers stealing over 1.2 billion login credentials recently and how it relates to website security.

Hackers have reportedly posted a list of approximately 5 million compromised Google accounts on a forum. If you’d like to check to see if your account is one of them you can go here:

If you have a Google account, you should change your password immediately and while you’re at it, change your Google password. If you’re logged into your Gmail account, look in the upper right-hand corner for this icon:website security affected by hacked Google accounts

Hover your cursor over it and select “Settings”. Then select “Accounts and Import”. The first category is “Change password”. Click that, enter your current password (the one the hackers may already have) and then type a new password in twice.

With all the recent hacking news, you should be knowledgeable enough now to know not to re-use passwords. When you’re changing your Google password, please create something entirely new. Make it different from all your other passwords.

Why all of your passwords should be unique

Hackers will use your email address and your password on thousands of different sites to see if any of them work.

In recent news, this could have been the strategy behind various accounts being “hacked” at Here is some information on that:

If hackers crack into a website that contains usernames (email addresses usually) and passwords, they will try those same login credentials on a multitude of websites knowing that many people use the same password on most of their logins.

While you’re updating your Google password, switch on 2 factor authentication. It’s a great way to protect your online presence.

What does this have to do with website security?


You have login credentials for your hosting account, your hosting account email addresses, your database, your WordPress, Joomla or other website software. Do you use the same password across those accounts? If so, be prepared for some work. You’re going to change all of them – now. Not when you have time this weekend – NOW!

Ever wonder how hackers “break” into websites? Often times, they don’t have to. They just login. There’s no hacking there. You can have the most expensive firewall in the world. If hackers have your username and password, there is no website security in the world that will prevent them from infecting your website.

How did the hackers get these login credentials?

We believe that they may have obtained many of them from phishing scams. Over the past 60 days, we’ve removed 7,218 Googledocs phishing setups on websites.

The scam usually begins with a fake email from someone who wants to “share” a document with you. It could be a business offer, secret photo’s or anything else that might make you curious enough to open it. The original email could even appear to be from someone you know.

Hackers frequently infect people’s computers with viruses. These viruses steal the victim’s email address books which are then used to send email to all the people in the address and it appears to be from the original person.

Let’s say one day you get an email from a friend. Maybe someone you correspond with frequently. The email states they want to share a personal document with you. Sounds legitimate doesn’t it?

You open it, enter your Google docs username and password, as your curiosity gets the best of you, only to discover there’s nothing there! Would you find that odd?

Maybe. Maybe not.

Well my friend, your Google login credentials have just been stolen in a phishing scam.

It all comes back to website security

You must be certain your website is not used in any phishing scam. These phishing files are often buried deep in the folder structure of a website. We’ve seen them 11 sub-folders deep and they can be anywhere on a website.

Next, you have to be wary of all emails. Yes, even those sent by what appears to be someone you know. We will be posting a new article about how to increase your spam filtering in cPanel accounts. We’ve tested it and it works well.

Some of our clients running VPS’s for their client’s websites, have expressed concerns over the amount of incoming spam. We conducted some in-depth research, created a strategy, implemented it for a few clients, tested and tweaked it and we now make it as part of our standard services. Contact us if you need help in filtering out more incoming spam.

Normally, you could hover your cursor over the link in an email and you could probably tell with some degree of certainty, whether or not a link was phishing or not. However, with some of the Googledocs phishing, the fake login page is frequently hosted on Google’s servers and uses SSL.

What the hackers have done is created a folder inside of a Google drive account. Then it’s configured to be public and then use the Preview feature to get a URL that publicly accessible. That URL is then pasted into their emails and blasted out to millions.

Need for more website security

In this scenario, the hackers will typically use an infected VPS or dedicated server to send out the spam messages. During the past 60 days, we have removed over 100 million spam messages from email queues. These were messages that were ready to be sent, but hadn’t been delivered yet. Many of these were being used in the Googledocs scam.

Keeping a close watch on your email queue is something that vitally important and something our VPS and dedicated software does.

Enough about us, all of this really needs to be addressed in your overall website strategy. Reputation means everything online and one careless step with your website security could drop you in the search engine rankings, get your VPS or dedicated server blacklisted with the spam blacklists, or you could get listed on a website for hosting phishing files.

None of which will be good for your website’s reputation.

Do you have a website security strategy in place?

If not, let’s talk. The discussion costs you nothing. Give us a call or send us an email. We’ll be glad to discuss what a good website security plan should include. You’ll be glad you did.

Thank you for reading this far.


revslider plugin vulnerability

website hackedBack in July the revslider WordPress plugin was discovered to have a vulnerability that allowed arbitrary files to be downloaded. This was specifically for version 4.1.4.

This vulnerability has been actively used to infect WordPress websites.

Normally, being able to download a file to your local computer isn’t a huge news flash. However, when you consider this allows people to download your wp-config.php, which contains all the login information for your database, it can be used in a variety of ways by cybercriminals.

I bring this up because we’ve been seeing a number of websites infected this way.

When the hackers download the wp-config.php file, they strip out the database login credentials and then try to login to the database remotely. If successful, they either add another user with administrative rights or change the password to one of the existing users with administrative rights.

Next, they login and either upload a malicious backdoor or use the theme-editor to inject malicious code in the theme files.

I would like to mention that some hosting providers, Bluehost, Hostmonster, JustHost and many others, don’t allow remote access to phpMyAdmin in the cPanel by default. You have to whitelist an IP address to enable remote access to phpMyAdmin.

That basically kills this specific attack in their environments. However, that’s only this specific attack. Other files could be downloaded that would provide the attackers enough information to be able to infect the website.

Also, some website owners use the same username and password as their cPanel. This could be disastrous. Never use the same password as your cPanel. Never.

As always, keep all your plugins and WordPress updated.


Thank you for reading. If you have this plugin contact me for a way to test your site (no charge).

Send me an email:


Research predicts websites likely to be infected with malware

Research into website malwareResearch conducted by Kyle Soska and Nicolas Christin of Carnegie Mellon University proves that with some degree of accuracy, they can predict which websites will be successfully infected with malware.

“Our approach relies on an online classification algorithm that can automatically detect whether a server is likely to become malicious,” the researchers stated.

Their research uses an algorithm that analyzed websites before they were infected and after they were infected.

“we use machine-learning tools to attempt to detect websites that have not been compromised yet, but
that are likely to become malicious in the future, over a reasonably long horizon (approximately one year)” they stated in their research paper.

Whether or not their predictions come true, it could be used to alert website owners before their website becomes infected with malware.

Many website owners are more reactive – they often don’t consider website security until after they’ve been infected. However, with this research, they could be warned ahead of time and take corrective action before their website and their business becomes victimized by website malware.

“Our goal is to build a classifier which can predict with high certainty if a given website will become malicious in the future.”

“At a high level, the classifier determines if a given website shares a set of features with websites known to have been malicious. A key aspect of our approach is that the feature list used to make this determination is automatically extracted from a training set of malicious and benign webpages, and is updated over time, as threats evolve.”

Could this actually help?

Only time will tell, but it does present some interesting ideas.


The latest round of WordPress infections

WordPress plugin custom-contact-forms used to infect websites
This past week has seen another influx of infected WordPress sites. This time, it’s another plugin: custom-contact-forms.

Their website shows a total of 630,792 downloads as of this blog post, so it appears to be quite popular.

It was last updated on August 4, 2014, however, again, it does not seem like many people are keeping their WordPress AND plugins updated.

What we’re seeing is in the wp-content/plugins/custom-contact-forms/import folder, typically 2 files that have a series of numbers and end with .sql.php. The files we’ve seen usually have some bogus looking Joomla code in them. Yes, you read that correctly, Joomla looking code.

There have other files as well, but these appear to be the hackers first uploads to a vulnerable website.

From there the hackers have uploaded phishing files, other backdoors, emailers and other malicious code.

Many of the most recent infections we’ve found are on either VPS’s or dedicated servers. If they have all the websites on one cPanel, then the hackers can and do, infect many of the other websites as well.

A scenario we see frequently is where there are let’s say 10 websites on a single cPanel. The hackers will find a way in on website number 3. They don’t leave their code there, because they don’t want to attract your attention to that site. They’ll infect say, websites 5, 6, 7 and 8.

That way you focus your malware removal efforts on that site and they keep coming in on website number 3. They may also put backdoor shells on websites 1 and 2. These backdoor shells allow them to have remote access to your files after you remove their original point of entry on website number 3.

For this reason, we recommend that each website be on it’s own cPanel. Yes, it’s a hassle, but so is having all of your websites down while the one is the original point of entry.

This entire sequence of events can be prevented if you’re very diligent about keeping your WordPress and it’s plugins updated – daily.

Thank you for reading. If you have any questions, please do not hesitate to ask here. Also, if you want to share this, please do.


Website malware on the attack

sharkattackI was reading an article about how a group of researchers found some new malware and I was floored.



We’ve been removing this from websites for months. The first instance we found of this was on February 5, 2014. I guess I really need to write more blogs.

Yes, we’ve been finding the .sd0 and files on many compromised websites. What the article doesn’t share is an explanation about the .php file that enables these files to be executed.

Typically you’ll have a few “extra” processes running named “host”. These will run the resource utilization up and must be killed after finding and removing the .sd0 and other .so files in the web folders. Be careful not to just do a:

find . -name “*.so” -exec rm -f {} \;

As sometimes we see ioncube files with .so extensions in the web folders as well.

The .php file contains code for both 32-bit and 64-bit architectures.

It opens /usr/bin/host for reading/binary and contains strings for the .so bytecodes. One other file that gets created is

The php file then creates a cron job and a file. The cron job runs constantly.

All of these must be deleted and the host process must be killed.

These files have been uploaded a variety of ways, but typically we see them in non-updated CMS’s.

Moral to this story,


Thank you for reading…

Edited on Monday July 28, 2014:

Just as I had suspected. The hackers are no longer using just the .sd0. They are using basically the same format, but the filename can be anything starting with period (.) and any random filename.

On servers where you have SSH access, you can go to the public_html folder on your server and try:

find . -type f -executable -exec file -i ‘{}’ \; | grep ‘x-executable; charset=binary’

The key to this whole infection is the server load with skyrocket as the hackers are running their own “host” process which must be killed.

From a command line we used:

kill -KILL pid

You have to get the pid and enter it instead of the pid above. Normall you can get the pid from the top command.

Thank you.