HackDig : Dig high-quality web security articles for hackers

Who’s Blocked by Bad Guys?

Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, they deploy a .htaccess file to achieve this. Today, I found a phishing kit related to a bank (ANZ) with such protection. But, in this case, the attackers took the time to
Publish At:2017-08-22 00:10 | Read:5533 | Comments:0 | Tags:Security htAccess Phishing

Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified: The curious aspect about it is the usage of a not so common .htaccess feature: variables. Most conditional injections rely only on the user agent (
Publish At:2014-09-23 18:40 | Read:4281 | Comments:0 | Tags:Website Malware htaccess malware cleanup redirects

Most Contradictive Doorway Generator

Check this thread on WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing. The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me. First of all, this script has a random text and code generator. The output
Publish At:2014-09-13 04:40 | Read:4011 | Comments:0 | Tags:Short Attack Reviews doorway htaccess redirect

Rotating Iframe URLs – One a Minute

Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked si
Publish At:2014-08-15 20:40 | Read:18809 | Comments:0 | Tags:Website exploits htaccess iframe Joomla nginx redirects Unit

Not quite the average exploit kit: Zuponcic

A couple of weeks ago at the FOX-IT SOC, we noticed Zuponcic attempting to infect one of our clients' protected networks. The incident was caused by a person visiting the website of Suriname’s Ministry of Finance, minfin.sr. This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit
Publish At:2014-08-15 08:52 | Read:4877 | Comments:0 | Tags:Blog Uncategorized certificate exploit exploitkit htaccess j

