Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, they deploy a .htaccess file to achieve this. Today, I found a phishing kit related to a bank (ANZ) with such protection. But, in this case, the attackers took the time to
I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:
The curious aspect about it is the usage of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (
Check this thread on the WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing.
The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me.
First of all, this script has a random text and code generator. The output
Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked si
A couple of weeks ago at the FOX-IT SOC, we noticed Zuponcic attempting to infect one of our clients' protected networks. The incident was caused by a person visiting the website of Suriname’s Ministry of Finance, minfin.sr.
This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit