Hi, I am looking for some assistance, tips and guidance on the Website Malware. Recently i have seen many of my friends who had a website were infected by some malware which got illegal content on the site. Most of them were either Wordpress or Joomla. I see this in two ways : 1. Possibly their admin credentials for ftp, sftp, or admin to these applications were compromised. This is possibly due to some malware or stuff on the system they use to mange these sites 2. Second possibility is that there were knows/unknown security bugs in the web that were exploited. I want to understand what are the other possibilities and what are the general rules that one should follow for securing the sites after infection. Any pointers from your own blog, paper or tips from your own experience would be helpful. -- Regards, Gautam

Gautam, I have quoted two sentences from your e-mail: On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > Most of them were either Wordpress or Joomla. On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > 2. Second possibility is that there were knows/unknown security bugs in the web that were exploited. Are you seeking the CVE(s) of the injection vulnerabilities within Joomla and Wordpress? -- Regards, Christian Heinrich http://cmlh.id.au/contact

Hi, StopBadware has a comprehensive guide to help webmasters with badware in their websites: https://www.stopbadware.org/common-hacks https://www.stopbadware.org/webmaster-help/ And resources to help find badware and avoid it in the future: https://www.stopbadware.org/hacked-sites-resources Regards Emilio >________________________________ > De: Christian Heinrich <christian.heinrich@cmlh.id.au> >Para: Gautam <gautam.edu@gmail.com> >CC: websecurity@webappsec.org >Enviado: Domingo 16 de junio de 2013 4:08 >Asunto: Re: [WEB SECURITY] WebSite Malware and Samples > > >Gautam, > >I have quoted two sentences from your e-mail: > >On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> Most of them were either Wordpress or Joomla. > >On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> 2. Second possibility is that there were knows/unknown security bugs in the web that were exploited. > >Are you seeking the CVE(s) of the injection vulnerabilities within >Joomla and Wordpress? > > > >-- >Regards, >Christian Heinrich > >http://cmlh.id.au/contact > >_______________________________________________ >The Web Security Mailing List > >WebSecurity RSS Feed >http://www.webappsec.org/rss/websecurity.rss > >Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > >WASC on Twitter >http://twitter.com/wascupdates > >websecurity@lists.webappsec.org >http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > >

Hi Christian & Emilo, I was looking for something which Emilo mentioned and more from your experience. I know google gives lots of result on this however i was looking at something which you guys use as good source. This will help to start some reading. If you guys by any chance have access to any list where i can get sample of a vulnerable (malware infected) WordPress or joomla site then please share. I like to practice while i am reading to make more sense to what i am reading. Thanks Guys. I will go through this. On Mon, Jun 17, 2013 at 4:58 PM, Emilio Casbas <ecasbasj@yahoo.es> wrote: > Hi, > > StopBadware has a comprehensive guide to help webmasters with badware in > their websites: > https://www.stopbadware.org/common-hacks > https://www.stopbadware.org/webmaster-help/ > > And resources to help find badware and avoid it in the future: > https://www.stopbadware.org/hacked-sites-resources > > Regards > Emilio > > > ------------------------------ > *De:* Christian Heinrich <christian.heinrich@cmlh.id.au> > *Para:* Gautam <gautam.edu@gmail.com> > *CC:* websecurity@webappsec.org > *Enviado:* Domingo 16 de junio de 2013 4:08 > *Asunto:* Re: [WEB SECURITY] WebSite Malware and Samples > > Gautam, > > I have quoted two sentences from your e-mail: > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > > Most of them were either Wordpress or Joomla. > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > > 2. Second possibility is that there were knows/unknown security bugs in > the web that were exploited. > > Are you seeking the CVE(s) of the injection vulnerabilities within > Joomla and Wordpress? > > > > -- > Regards, > Christian Heinrich > > http://cmlh.id.au/contact > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > -- Regards, Gautam

I would recommend our labs for web site malware samples: http://labs.sucuri.net And our blog is only about it: http://blog.sucuri.net thanks, On Mon, Jun 17, 2013 at 3:58 AM, Emilio Casbas <ecasbasj@yahoo.es> wrote: > Hi, > > StopBadware has a comprehensive guide to help webmasters with badware in > their websites: > https://www.stopbadware.org/common-hacks > https://www.stopbadware.org/webmaster-help/ > > And resources to help find badware and avoid it in the future: > https://www.stopbadware.org/hacked-sites-resources > > Regards > Emilio > > > ________________________________ > De: Christian Heinrich <christian.heinrich@cmlh.id.au> > Para: Gautam <gautam.edu@gmail.com> > CC: websecurity@webappsec.org > Enviado: Domingo 16 de junio de 2013 4:08 > Asunto: Re: [WEB SECURITY] WebSite Malware and Samples > > Gautam, > > I have quoted two sentences from your e-mail: > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> Most of them were either Wordpress or Joomla. > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> 2. Second possibility is that there were knows/unknown security bugs in >> the web that were exploited. > > Are you seeking the CVE(s) of the injection vulnerabilities within > Joomla and Wordpress? > > > > -- > Regards, > Christian Heinrich > > http://cmlh.id.au/contact > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

I would also recommend www.exploit-db.com as a place where you can find plenty of known joomla and wordpress exploits, among others. Best off all, the site often has a link to the vulnerable version of the software, so you can download it and install it in your lab. Great way to learn! -Seth On Jun 17, 2013 9:02 AM, <dd@sucuri.net> wrote: > I would recommend our labs for web site malware samples: > > http://labs.sucuri.net > > And our blog is only about it: > > http://blog.sucuri.net > > thanks, > > On Mon, Jun 17, 2013 at 3:58 AM, Emilio Casbas <ecasbasj@yahoo.es> wrote: > > Hi, > > > > StopBadware has a comprehensive guide to help webmasters with badware in > > their websites: > > https://www.stopbadware.org/common-hacks > > https://www.stopbadware.org/webmaster-help/ > > > > And resources to help find badware and avoid it in the future: > > https://www.stopbadware.org/hacked-sites-resources > > > > Regards > > Emilio > > > > > > ________________________________ > > De: Christian Heinrich <christian.heinrich@cmlh.id.au> > > Para: Gautam <gautam.edu@gmail.com> > > CC: websecurity@webappsec.org > > Enviado: Domingo 16 de junio de 2013 4:08 > > Asunto: Re: [WEB SECURITY] WebSite Malware and Samples > > > > Gautam, > > > > I have quoted two sentences from your e-mail: > > > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > >> Most of them were either Wordpress or Joomla. > > > > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: > >> 2. Second possibility is that there were knows/unknown security bugs in > >> the web that were exploited. > > > > Are you seeking the CVE(s) of the injection vulnerabilities within > > Joomla and Wordpress? > > > > > > > > -- > > Regards, > > Christian Heinrich > > > > http://cmlh.id.au/contact > > > > _______________________________________________ > > The Web Security Mailing List > > > > WebSecurity RSS Feed > > http://www.webappsec.org/rss/websecurity.rss > > > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > > > WASC on Twitter > > http://twitter.com/wascupdates > > > > websecurity@lists.webappsec.org > > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > > > > > _______________________________________________ > > The Web Security Mailing List > > > > WebSecurity RSS Feed > > http://www.webappsec.org/rss/websecurity.rss > > > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > > > WASC on Twitter > > http://twitter.com/wascupdates > > > > websecurity@lists.webappsec.org > > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

www.malware.lu @firebitsbr 2013/6/18 Seth Art <sethsec@gmail.com> > I would also recommend www.exploit-db.com as a place where you can find > plenty of known joomla and wordpress exploits, among others. > > Best off all, the site often has a link to the vulnerable version of the > software, so you can download it and install it in your lab. Great way to > learn! > > -Seth > On Jun 17, 2013 9:02 AM, <dd@sucuri.net> wrote: > >> I would recommend our labs for web site malware samples: >> >> http://labs.sucuri.net >> >> And our blog is only about it: >> >> http://blog.sucuri.net >> >> thanks, >> >> On Mon, Jun 17, 2013 at 3:58 AM, Emilio Casbas <ecasbasj@yahoo.es> wrote: >> > Hi, >> > >> > StopBadware has a comprehensive guide to help webmasters with badware in >> > their websites: >> > https://www.stopbadware.org/common-hacks >> > https://www.stopbadware.org/webmaster-help/ >> > >> > And resources to help find badware and avoid it in the future: >> > https://www.stopbadware.org/hacked-sites-resources >> > >> > Regards >> > Emilio >> > >> > >> > ________________________________ >> > De: Christian Heinrich <christian.heinrich@cmlh.id.au> >> > Para: Gautam <gautam.edu@gmail.com> >> > CC: websecurity@webappsec.org >> > Enviado: Domingo 16 de junio de 2013 4:08 >> > Asunto: Re: [WEB SECURITY] WebSite Malware and Samples >> > >> > Gautam, >> > >> > I have quoted two sentences from your e-mail: >> > >> > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> >> Most of them were either Wordpress or Joomla. >> > >> > On Sun, Jun 16, 2013 at 9:31 AM, Gautam <gautam.edu@gmail.com> wrote: >> >> 2. Second possibility is that there were knows/unknown security bugs in >> >> the web that were exploited. >> > >> > Are you seeking the CVE(s) of the injection vulnerabilities within >> > Joomla and Wordpress? >> > >> > >> > >> > -- >> > Regards, >> > Christian Heinrich >> > >> > http://cmlh.id.au/contact >> > >> > _______________________________________________ >> > The Web Security Mailing List >> > >> > WebSecurity RSS Feed >> > http://www.webappsec.org/rss/websecurity.rss >> > >> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> > >> > WASC on Twitter >> > http://twitter.com/wascupdates >> > >> > websecurity@lists.webappsec.org >> > >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > >> > >> > >> > _______________________________________________ >> > The Web Security Mailing List >> > >> > WebSecurity RSS Feed >> > http://www.webappsec.org/rss/websecurity.rss >> > >> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> > >> > WASC on Twitter >> > http://twitter.com/wascupdates >> > >> > websecurity@lists.webappsec.org >> > >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > >