I cleaned my Wordpress site but the malware came back!

Malware and trojans return after cleaning Wordpress site!

While remediating an appliance distributor's (who shall remain nameless) websites from the SoakSoak exploit, the site owner complained about malware "coming back" after being cleaned over-and-over by the former service provider. I logged into their InMotion Hosting control panel where I was greeted with a warning that there was a potential man-in-the-middle attack due to an expired certificate! Then I got another warning that their version of MySQL was obsolete and needed to be upgraded. Digging deeper, I found a variety of user accounts in both the application and the database that had the signature of a hacker - not totally random, but cryptic and/or occasionally named to sound official, like "system account" and such. I'm not sure how InMotion Hosting's certificates were invalid, but once I saw warnings about the host themselves and the back-door, system-wide user accounts I figured it was time to get the hell out of there.


Russian Hacker Group? SoakSoak.ru malicious site & code injections

SoakSoak will serve pages that attempt to infiltrate your users' computers, stealing their data!

Last week, Wordpress sites worldwide were hacked with the following simple line of code:


Let's not go into details here and now, but if you have an old version of the "Revolution Slider" installed you better grep around for the following string:


Drupal Sites Hacked Worldwide in October 2014

Security Exploit revealed in October allows total control of YOUR Drupal site

In mid-October Drupal announced a serious defect in the Database Abstraction Layer allowing guest users to gain full access to a site and server. The security noticed can be found at the FAQ on SA-CORE-2014-005 on the Drupal website.

This exploit creates the ability for attackers to place their own PHP files on your server for remote execution, or to inject their own code into pre-existing files.

Ways to detect a breached system - and steps to remediate:

Look for files with a datestamp in October 2014

If you didn't upload any new versions or modules in October 2014, there should be no php or include files with these datestamps. Use the Linux FIND command to find files last edited on or after October 1st, 2014 and then check those files.

Locate files with PCT4BA6ODSE_ in them


CodeSpaces Service Attacked and Destroyed!

Boom!  DDOS attack takes CodeSpaces OUT in one fell swoop!

CodeSpaces, a popular service for housing and archiving developers' source code, was attacked last night and put PERMENANTLY OUT OF BUSINESS by a Distributed Denial of Service (DDOS) attack!!! Their web page today reads as follows:

We are experiencing massive demand on our support capacity, we are going to get to everyone it will just take time.

Code Spaces : Is Down!

Dear Customers,

On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers, this happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start.


Ubuntu Forums have been Hacked!

From http://UbuntuForums.org on July 27th:

Ubuntu Forums is down for maintenance

There has been a security breach on the Ubuntu Forums. The Canonical IS team is working hard as we speak to restore normal operations. This page will be updated with progress reports.

What we know

Unfortunately the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database.
The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.
Progress report


Subscribe to RSS - Hackers