Redirects to YouTube Defacement Channel

During a recent investigation, we found an infected website was redirecting to YouTube after its main index.php file had been modified to include the following line of HTML: <meta http-equiv='refresh' content='2;url=https://youtu.be/fsqzjDAO2Ug'> This technique works because it’s possible to use HTML within .php files — as long as the HTML is ... Read More
GFX Xsender Hack Tool: A Spam Mailer

PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses. The tool runs on top of PHPMailer’s library, ... Read More
Backdoor Obfuscation: tempnam & URL Encoding

In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on ... Read More
Phishing Page Targets AT&T’s Employee Multi-Factor Authentication

Employees at companies of all sizes can be targets of phishing attacks, but certain corporations or industries can be more valuable to an attacker than others. For instance, employees at telecom companies will often have some level of elevated access that is unavailable to a non-employee. In fact, this access ... Read More
The Hidden PHP Malware that Reinfects Cleaned Files

Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection — especially if you lack access to necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues ... Read More
phpbash – A Terminal Emulator Web Shell

It’s common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier to use — and certainly more visually appealing than just raw text. One example of web malware that uses GUIs ... Read More
WordPress Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it? I’ve previously written about malware that reverses security hardening measures enacted either manually by the owner, or through the ... Read More
Magento Multiversion (1.x/2.x) Backdoor

The Magento 1 EOL date has already passed; however, it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are struggling with their Magento migrations, and post-compromise tools have been created to support deployment ... Read More
COVID-19 Chloroquine Pharmaspam

A recent SiteCheck scan of an organization’s website showed an interesting pharmacy spam injection targeting COVID-19-related pages of websites. The HTML that was flagged by our SiteCheck signature, spam-seo.hidden_content?100.2, shows why the pharmacy spam text was not displayed on the infected web page: This spammer is trying to obfuscate their ... Read More

Web Crawler & User Agent Blocking Techniques

This is a simple script that allows hackers to block specific crawlers based on the user-agent sent with website requests. This is useful when you don’t want certain traffic to be able to load certain content – usually a phishing page or a malicious download. if(preg_match('/bot|crawler|spider|facebook|alexa|twitter|curl/i', $_SERVER['HTTP_USER_AGENT'])) { logger("[BOT] {$_SERVER['REQUEST_URI']} - ... Read More