Attacks in Pagelines for WordPress themes

PageLines

Last few days we have seen very much attacks this old Pagelines WordPress theme vulnerability. Sucuri discovered Pagelines vulnerability on January 2015. Technical Details Any website using vulnerable version of the platform theme (<1.4.4) is risk Privilege Escalation and Remote Code Execution. ModSecurity Audit log, Payload [27/May/2017:02:32:09 +0300] WSi6@VQikyQAAErqcawAAAAg 93.170.77.90 37930 127.0.0.1 80 –5367c063-B– POST … Read more

Delegate subdomain cloudflare to other DNS servers

There are many examples where you may need to have a specific subdomain’s DNS be managed by a different nameserver. The example we want delegate rbl.malware.expert another Bind DNS server for RBL database queries. First we need Primary Domain (malware.expert) add new NS Records rbl.malware.expert: Then we need also A-Record rbl2.malware.expert to point BIND-DNS server … Read more

SQL Injection Vulnerability com_fields in Joomla 3.7

The vulnerability is caused by a new component, com_fields, which was introduced Joomla in version 3.7. If you use this version, you are affected and should update as soon as possible. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site. Given the nature of … Read more

case.php malware

This case.php malware uses Obfuscation PHP code. Decoding Obfuscation There is tools to Decoding ObfuscatePHP code: https://www.unphp.net http://ddecode.com/phpdecoder/ http://lombokcyber.com/en/detools/decode-fopo ,but they don’t always work as except. That’s why we decrypted this manually. Source case.php Again, this malware tries load more backdoor files to the server to get full control. plug.php FilesMan Shell FilesMan Shell crypted … Read more