Home » Archive by categoryMalware Analysis

CVE-2014-3117 OpenCart <= 4.3 Reflective XSS

Older versions of OpenCart < v5 had a reflective Cross Site Scripting Vulnerability. I requested this CVE, but never published it because I got busy with other work. So I thought better late than never 🙂 Discovery Date: 04/28/2014 Vendor Notified: 04/30/2014 CVE Assigned: 05/01/2014 Update Released: 06/01/2014...
Continue reading

formtoemail (free email form) – XSS

* Exploit Title: Reflective XSS * Discovery Date: 02/09/2016 * Public Disclosure Date:03/10/2016 * Exploit Author: CJ Chamberland * Contact: @cjchamberland - http://cjchamberland.com * Vendor Homepage: formtoemail.com * Software Link: formtoemail.com (formtoemail.php free is available for download from this site) * Version: 2.5 * Tested on: apache/mac os...
Continue reading

WordPress soaksoak.ru – swfobject.js hides a secret

Today I came across a nasty little booger. It’s added to the wp-includes/swfobject.js file and they used the wp-includes/tempate-loader.php to load it. I did noticed from another message board that it has been around for at least a few weeks, but apparently people are just now discovering it...
Continue reading

Clickjacking and Frame breakout

I have had a few clients ask about their sites being framed to load on other sites without their permission and if their is anything they can do about it. Attackers sometimes do this in “Phishing” attempts. Visitors think they are going to the legitimate site, when in...
Continue reading

Joomla index.php redirects to lyblynoski.isa-geek.com

lyblynoski.isa-geek.com
This was uncovered in several joomla installs last week. Apparently the attackers install some “Fake” modules (in these cases it was  mod_administrator, mod_msn, and mod_araticlhess that were discovered and removed) not sure yet if they are related, but it appears they are, I just need to do more...
Continue reading

Sneaky code injection

Found this nugget the other day while cleaning out a wordpress site. It was put in a file called ‘widget-footer.php’ which was a part of their wordpress theme: So, you may be asking – what does it do? It checks to see if the user is logged in,...
Continue reading

Decoding a Shell

Original filename: zt.php If you just executed the file, you simply see a password prompt – this indicates that it’s more than likely some type of php shell. To find out what it does, we have to de-obfuscate it.
Continue reading