SQL Triggers in Website Backdoors

Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables  — for example, wp_users, wp_options, and wp_posts.

Continue reading SQL Triggers in Website Backdoors at Sucuri Blog.


Realtime Blackhole Lists (RBLs) can be a great tool in your security arsenal. You may not know you’re using them, but all email providers and company email servers leverage these services to verify whether servers and IP addresses are sending spam or other abusive content against a known list of offenders.

These services use a number of methods to compile lists of IP addresses reputed to send spam, mostly populating them using honeypots drawing them in with “poison” email addresses to act as victims.

Continue reading UCEPROTECT: When RBLs Go Bad at Sucuri Blog.

Optimizing Performance and Behavior with WordPress and the Sucuri WAF

Aside from providing significant protection from a wide range of threats, the Sucuri WAF also acts as a CDN due to its caching capabilities and regional PoPs — often performing even better than dedicated CDNs based on recent tests.

CDNs can significantly help speed up your website by storing and delivering content as close to the browser as possible, using servers dedicated to that task. What’s more, properly configured caching settings are the best defense against DDoS attacks.

Continue reading Optimizing Performance and Behavior with WordPress and the Sucuri WAF at Sucuri Blog.

Whitespace Steganography Conceals Web Shell in PHP Malware

Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files.

At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the .CSS file revealed 56,964 seemingly empty lines containing combinations of invisible tab (0x09), space (0x20), and line feed (0x0A) characters, which were converted to binary representation of characters and then to the text of an executable JavaScript code.

Continue reading Whitespace Steganography Conceals Web Shell in PHP Malware at Sucuri Blog.

Phishing & Malspam with Leaf PHPMailer

It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment.

To support these activities, attackers seek out tools that assist in the mass sending of malspam (malicious spam) emails from a compromised website. PHP scripts like Leaf PHPMailer are well suited for this task.

Hacktool Analysis: Leaf PHPMailer

Leaf PHPMailer is a PHP mailer hacktool that lets an attacker send out large amounts of malspam emails from a compromised website’s web server.

Continue reading Phishing & Malspam with Leaf PHPMailer at Sucuri Blog.

Pin It on Pinterest