
Website malware on the attack

I was reading an article about how a group of researchers found some new malware and I was floored.

New?

Really?

http://thehackernews.com/2014/07/mayhem-new-malware-targets-linux-and_24.html

We’ve been removing this from websites for months. The first instance we found of this was on February 5, 2014. I guess I really need to write more blogs.

Yes, we’ve been finding the .sd0 and bruteforce.so files on many compromised websites. What the article doesn’t share is an explanation of the .php file that enables these files to be executed.

Typically you’ll have a few “extra” processes running named “host”. These drive resource utilization up and must be killed after finding and removing the .sd0 and other .so files in the web folders. Be careful not to just do a:

find . -name "*.so" -exec rm -f {} \;

Sometimes we also see ionCube files with .so extensions in the web folders, and those are legitimate.

The .php file contains code for both 32-bit and 64-bit architectures.

It opens /usr/bin/host for reading in binary mode and contains strings holding the .so bytecode. One other file that gets created is libworker.so.

The php file then creates a cron job and a 1.sh file. The cron job runs constantly.

All of these must be deleted and the host process must be killed.

These files have been uploaded in a variety of ways, but typically we see them in non-updated CMSs.

Moral to this story,

UPDATE YOUR CMSs!!!

Thank you for reading…

Edited on Monday July 28, 2014:

Just as I had suspected. The hackers are no longer using just the .sd0. They are using basically the same format, but the filename can now be anything: a period (.) followed by a random name.

On servers where you have SSH access, you can go to the public_html folder on your server and try:

find . -type f -executable -exec file -i '{}' \; | grep 'x-executable; charset=binary'

The tell-tale sign of this whole infection is that the server load skyrockets, because the hackers are running their own “host” process, which must be killed.

From a command line we used:

kill -KILL pid

You have to get the pid and enter it in place of “pid” above. Normally you can get the pid from the top command.
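As an added example (not the post’s own code), here is a Python scanner that does what the find/file one-liner above does, but without relying on the execute bit or the file name: it reports every file whose first bytes are the ELF magic, marks hidden names, and, following the warning above about ionCube, only reports and never deletes; it also flags crontab lines that reference a 1.sh script or a hidden file. The make_sample_webroot helper builds a constructed sample tree in a temporary directory, and the file names and the ioncube/ heuristic are assumptions for the demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every Linux ELF executable or .so


def is_elf(path):
    """True if the file starts with the ELF magic, whatever its name, extension
    or execute bit (the update above notes the dropper may use any '.' name)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_elf_files(root):
    """Walk a web root and describe every ELF binary in it. Nothing is removed:
    ionCube loader .so files are ELF binaries too and must be reviewed by hand."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file() or not is_elf(p):
                continue
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            hits.append({
                "path": rel,
                "size": st.st_size,
                "hidden": name.startswith("."),
                "executable": bool(st.st_mode & stat.S_IXUSR),
                # heuristic (assumption): a loader under an ioncube/ directory is
                # probably the legitimate ionCube loader; anything else is suspect
                "suspect": "ioncube" not in rel.lower(),
            })
    return sorted(hits, key=lambda h: h["path"])


# a 1.sh helper script, or any hidden file referenced by path
CRON_PATTERN = re.compile(r"(^|[\s/])1\.sh\b|/\.[^./\s]")


def suspicious_cron_lines(crontab_text):
    """Return crontab entries matching the pattern the post describes:
    a cron job that keeps running a 1.sh script or a hidden file."""
    return [line.strip() for line in crontab_text.splitlines()
            if line.strip() and not line.strip().startswith("#")
            and CRON_PATTERN.search(line)]


def make_sample_webroot():
    """Build a constructed demo tree in a temp dir (fake ELF headers, invented names)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61  # header-sized stub, not runnable
    files = {
        ".sd0": fake_elf,                               # hidden dropper
        "libworker.so": fake_elf,                       # worker library
        "ioncube/ioncube_loader_lin_5.4.so": fake_elf,  # legitimate-looking loader
        "index.php": b"<?php echo 'hello'; ?>\n",
        "wp-content/uploads/.htaccess": b"deny from all\n",  # hidden but plain text
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    os.chmod(root / ".sd0", 0o755)
    return root
```

Run find_elf_files against the real public_html folder and hand-check every hit before deleting anything; the suspect flag is only a hint.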

Thank you.


wysija-newsletters WordPress infection

This weekend (yes we work weekends) we saw an outbreak of VPS and dedicated servers infected by what appears to be a vulnerability in the wysija-newsletters (MailPoet) WordPress plugin.

This plugin was identified as vulnerable over 2 weeks ago and the authors have released a new version. If you’re reading this, then please, please, please, update your plugins immediately and set a reminder in your smartphone, your computer or anywhere and everywhere else, to check your WordPress and your plugins for updates every 3 days at a minimum.

Hosting accounts were hit whether they were VPSs, dedicated servers or shared hosting accounts.

Basically almost every .php file on an account was injected with code across the top of each file. In addition, two files were uploaded. Usually we saw one license.php file and then another backdoor shell in either the wp-admin or wp-includes folder. Most of the license.php files we found were 201 bytes in size.

One other point of entry left by the hackers is an administrator user with no name. This user must be deleted and all plugins updated.

You’ll notice that all the original date/time stamps of the files are kept. This leads us to believe that the backdoor shell they’ve uploaded allows them to modify almost anything about a file.

The vulnerability allows hackers to bypass admin authentication in the wysija-newsletters plugin and upload files. The hackers access those files remotely and start injecting their malicious payload into every .php file their program can find. This means that it will cross sub-domains on the same account.

The attacker will upload a file to: wp-content/uploads/wysija/themes and run it. Fortunately, our protection does not allow php files to be executed in the uploads folder – so even before this was discovered, many of our customers were already protected.

If you have a VPS or dedicated server with only one cPanel and all your sites under that, then basically every website is probably infected on your server. If you’re on a shared hosting account with multiple websites and one of them has the wysija-newsletters plugin (MailPoet), then chances are that all of your websites are infected.

We’ve been working feverishly to get this cleaned up, but some of the infections overwrite the existing file and they’re not always very good at it. Frequently we’ve had to replace plugins and/or themes because there is code missing from the file after the infection.


Email scam alert

I would like to alert you to a scam. It’s not new, but I wanted to let you know so you don’t fall for this.

It started as an email that looks like this:

A scam that was caught in our in-box


In the section: “To view copy of the court notice click here” when you click on the link “here” you are taken to:

http://www.avedomestica.com.br/cocad/components/api/wwMg/YHBZLEwMLv6DusGNSlXw5TapuV1oLceFaZLX3M=/notice

This link no longer works, but it was trying to infect the computer of the person who clicked on it. You must be wary of all emails sent to you that are designed to scare you into some action.

Typically if you hover over the link, depending on your browser, you can see the URL of the intended link. If it has nothing to do with the email, then it’s probably a scam and it should be deleted.

Quite often we’ll see emails where you must click on a link or open an attachment in order to “play along”. This should be your first tip-off.

For this scam, if there is someone taking legal action against you, they will contact you either through mail (snail mail), FedEx, UPS or some other physical means – not email.

Hopefully you wouldn’t have fallen for this, but I did want to alert you.

Thank you.


The proof is in the logs

Ever since I started this business of website security back in 2007 I’ve been reading log files.

Select my favorite easy chair, grab a tablet, a glass of scotch and dive into reading log files. Sound like a fun time?

Most of you will cringe at that. However, I’ve found that with few exceptions, the proof is in the log files. Unfortunately, many hosting providers have log files turned off by default. When a new customer comes to us to remove the malware from their website, they always want to know how it happened.

Seems logical doesn’t it?

However, without log files all we can do is compare with similar situations. We actually know of one competitor that deletes the log files after we told them what 3rd party services they were using based on the information in the log files.

You see, the log files don’t lie. They may not contain all the information, but they don’t lie.

For instance, often times we remove malware from a WordPress website. That’s not to imply that WordPress is more vulnerable than other CMS’s (Content Management Systems). But they are the most popular which by itself, makes them a huge target.

While removing malware from a WordPress website we look for clues. If the log files have been activated, we run them through our analyzer (automated and written in-house) which either pinpoints the exact point of entry or at least gives us enough evidence to make a highly educated guess.

Too often, we determine the point of entry to be stolen WordPress passwords. This is due to a virus/trojan on someone’s local computer that is waiting for them to login to their WordPress website. It then records the login URL, username and password.

Quite often we’ll see a sequence like this:

"POST /wp-login.php HTTP/1.0" 302

Followed by an entry like this:

GET /wp-admin/theme-editor.php?file=footer.php&theme=

You can only get to the theme-editor if you’re logged in with the proper rights. When we see this in a log file, we know that some WordPress user with administrator rights has logged in and used the theme-editor to modify the footer.php file.

We open the footer.php file and 99.9999% of the time, we find infectious code. The theme-editor can also be used to inject code into any of the other files as well. While they’re logged in they might also upload a “media” (not really) file, which is nothing more than a backdoor shell.
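As an added example (not the post’s in-house analyzer), this Python function looks for exactly the sequence described above in combined-format access logs: a POST to /wp-login.php answered with a 302 (a successful login) followed from the same IP by a GET of /wp-admin/theme-editor.php that succeeded. The sample log lines are constructed, with documentation IPs and invented timestamps, and the “saved” flag assumes the theme editor writes changes by POSTing back to itself.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: ip ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-format line into ip, time, method, path, query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return d


def find_theme_editor_abuse(lines):
    """Flag IPs that logged into WordPress (POST /wp-login.php answered with 302)
    and then opened the theme editor, the sequence the post describes.
    A failed login re-renders the form with 200, so it never marks the IP as
    logged in; a theme-editor GET answered with 302 is a logged-out visitor being
    bounced to the login page and is not flagged either."""
    logged_in = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if path == "/wp-login.php" and rec["method"] == "POST" and rec["status"] == 302:
            logged_in.add(ip)
        elif path == "/wp-admin/theme-editor.php" and ip in logged_in:
            if rec["method"] == "GET" and rec["status"] == 200:
                findings.append({
                    "ip": ip,
                    "time": rec["time"],
                    "file": rec["query"].get("file", ""),
                    "theme": rec["query"].get("theme", ""),
                    "saved": False,
                })
            elif rec["method"] == "POST" and findings and findings[-1]["ip"] == ip:
                # assumption: the editor saves by POSTing back to theme-editor.php
                findings[-1]["saved"] = True
    return findings


# constructed sample log lines (documentation IPs, invented timestamps)
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2014:03:12:01 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2014:03:12:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jun/2014:03:14:07 -0500] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jun/2014:03:14:09 -0500] "GET /wp-admin/theme-editor.php?file=footer.php&theme=twentyfourteen HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Jun/2014:03:14:31 -0500] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
"""
```

Feed it `open("access_log")` instead of `SAMPLE_LOG.splitlines()` on a real server; each finding tells you which theme file to open first.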

You can find so much information in the log files that we get really excited when we have log files to analyze because we know it will lead us to the final reckoning. We find the evidence and we state, “I reckon that’s how the hackers got in!”

If your security company deletes log files or just doesn’t ever activate them, you have to wonder, “Do they really know how my site was infected? Or are they just telling me to install 3 or 4 security plugins and they’re hoping for the best?”

That my friends is something for you to consider.

If you have log files you’d like us to analyze for you, put them in a zip file and email them to me at: traef@wewatchyourwebsite.com. I’ll run them through our analyzer and give you our opinion of how your site was infected – no charge.

Thank you.


Has security moved from prevention to detection and response?

Recently, Symantec’s senior vice president of information security Brian Dye declared that anti-virus is dead, as told to the Wall Street Journal.

Is it?

Has the security industry moved away from prevention to early detection and quick response?

I know when I started WeWatchYourWebsite back in 2007, I started preaching prevention. However, it became evident that nobody was interested. It appeared that people, even then, were more interested in early detection and quick remediation.

If you look at many of the startups and large security companies, it becomes real clear that most of the industry is focused on early detection and quick remediation. Is this like closing the barn door after the horses are out?

Is this giving up on prevention and focusing instead on early detection? That, to me, is like admitting defeat to the cyber criminals of the world.

Or, is it a different strategy?

In combat, whether your battlefield is on soil or a chess board, one key strategy is to lure your opponent into an area and then close in and destroy them.

Could this work in cyber security?

Of course, we’ll never catch the cyber criminals, unless they’re really lazy, but can we capture their methods? That would be considered a victory.

In the book, “The Art of War” it states:

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

If our deception is to lure the cyber criminal into our website, but record and report everything, then we can consider that a victory for the masses. That information can be used to protect other websites and prevent other sites from being successfully breached.

What do you think?

Should focus be placed on detection and response? Is that a sound strategy?

Share your thoughts…

Thank you.


Real live password hacking


Bad passwords

We recently worked on an infected website that was a bit unusual.

Often we see websites hacked due to stolen passwords. Sometimes we remove malware from websites that were infected due to easily guessable passwords. Passwords like:

  • p@ssw0rD
  • pa$$woRd
  • pA55W0Rd
  • etc…

These are all passwords that the hackers try in their “brute force” attacks. In the event you’re not familiar with a brute force attack, it’s essentially the hackers trying thousands or millions of usernames with thousands or millions of passwords.

When the hackers know what the username is, it reduces their attempts, but a strong password always prevails.

In this unusual case, we found the infected code on a cPanel account. That’s not unusual. Not that cPanel is easy to hack – it’s not, but often times the username for a cPanel account is easy to ascertain.

For instance, if the main domain for your cPanel account is rumplestiltskin.com and there is no other domain similar to that, you might have a cPanel username of rumplest – or some variation of that.

Knowing that, you can start putting together a list of potential passwords:

  • rump1e$t
  • rumpl3st
  • rump1e5t
  • rumpl3$t
  • rumpl35t
  • rump1es+
  • rump1es7
  • rumpl3s7
  • etc…

The basic premise here is to replace each l (“L”) with either the number 1, an upper-case I, or the vertical bar (|). The number 3 can represent an e; an s can be replaced with either the $ or the number 5. The letter “t” can be replaced with either the plus sign “+” or the number 7. The letter “a” can be replaced with the “@” sign, etc…


We’ve seen programs the hackers have that will take a word or phrase and by applying some basic password rules to it, will generate a long list of potential passwords. In this specific case, their program generated 72 different potential passwords.

The infected files we found were in a folder above public_html, so we can almost rule out an application-type infection. It did not appear to come from an outdated version of WordPress. However, we scanned the log files, which luckily for us were already activated, and they turned up nothing.

We have files above public_html, no forensic trace in the log files – how could this be?

It seems the customer was using a password that was just an obfuscated version of the cPanel username.

Our conclusion on this one was that since this site held the tools the hackers were using to try to infect other cPanel accounts, and for lack of any other evidence, this account, with its password falling within the parameters of those tools, was infected the same way. Add to that where the files were and that the log files looked like they had been tampered with, and we believe our conclusion was correct.

Moral to this story is never use easily guessable passwords – never. Don’t think you can get away with just obfuscating the username into a password. Obviously that doesn’t work either.
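As an added example (not the post’s own code, and not the hackers’ generator), here is the defensive side of the substitution rules listed above: fold both the candidate password and the words an attacker would start from (the cPanel username and the domain’s first label) through the same look-alike classes, then refuse any password that is just an obfuscated form of one of them. Folding i together with l is my own assumption, since a 1 can stand for either; the o/0 class comes from the p@ssw0rD example above.

```python
# Canonical classes for the look-alike substitutions listed in the post
# (l -> 1, I, | ; e -> 3 ; s -> $, 5 ; t -> +, 7 ; a -> @ ; o -> 0 as in p@ssw0rD).
# Every member folds to one representative letter so that a password and a
# username can be compared after both are folded. The letter i is folded with l
# as well (assumption: a 1 can stand in for either).
FOLD = {}
for canon, members in {
    "l": "l1|Ii",
    "e": "e3",
    "s": "s$5",
    "t": "t+7",
    "a": "a@",
    "o": "o0",
}.items():
    for ch in members:
        FOLD[ch] = canon


def fold(text):
    """Lower-case text with every look-alike character mapped back to its letter.
    Upper-case I is checked before lower-casing so it lands in the l class."""
    return "".join(FOLD.get(ch, FOLD.get(ch.lower(), ch.lower())) for ch in text)


def cpanel_guess_words(domain, username):
    """Words an attacker would derive passwords from for a cPanel account:
    the username and the domain's first label (rumplestiltskin.com -> rumplestiltskin)."""
    return [username, domain.split(".")[0]]


def weak_variant_of(password, *known_words):
    """Return the first known word the password is merely an obfuscated form of,
    or None when the folded password is unrelated to all of them. A password that
    contains a folded known word, or is a 4+ character fragment of one, is rejected."""
    folded_pw = fold(password)
    for word in known_words:
        folded_word = fold(word)
        if len(folded_word) < 4:
            continue
        if folded_word in folded_pw or (len(folded_pw) >= 4 and folded_pw in folded_word):
            return word
    return None


def check_new_password(password, domain, username):
    """Policy hook: True when the password is acceptable under this rule alone."""
    return weak_variant_of(password, *cpanel_guess_words(domain, username)) is None
```

Every variant in the post’s list folds back to “rumplest” and is rejected, while a passphrase unrelated to the account name passes this check (it still needs the usual length and reuse checks).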

If you have an infected website and would like to see if we can figure out how it happened, send me an email: traef@wewatchyourwebsite.com. We’ll have questions for you, but we should be able to give you an idea of how it happened.

Go ahead, give it a try…

Thank you.


Why we don’t have an affiliate program

Quite often after we’ve removed malware from someone’s website, we’re asked, “Do you guys have an affiliate program?”

Many, many internet marketing people have strongly suggested that in order to “get into the big leagues” we need to help other people make money.

We’re asked so often, I thought it needed to be addressed.

I started this business to help people. Not to be the next Internet billionaire. It’s my nature to want to help others.

When you look at affiliate programs, you have to think about where the commission is coming from.

Does the producer, WeWatchYourWebsite in this case, make a lower margin? We try to offer our customers – (you!) the lowest price possible. Many of you are either not making any money with your websites or making very little. Even if your site is making money, everyone is watching their expenses closely.

To be charging larger fees might mean you go without website security. Or maybe you try to remove the malware yourself – either way, it’s probably not what you’re looking for.

Does the consumer, you, pay more so that others can make money? After all, you’re the one with the infected website. Why shouldn’t you pay more?

Somewhere the affiliate commission must be added to the cost.

Are you willing to pay someone else a fee for bringing our service to you?

I’m not against affiliate programs, but I’m just having a difficult time with charging you more money in order for us to bring you in.

Most of the people we talk with on the phone do not want to be charged a higher fee. The majority of our customers thank us for doing what we do at the prices we ask.

New Product Development

This is why we focused so much time and effort on our VPS and Dedicated server software. We saw that the market for VPS and dedicated servers was growing. The prices were coming down on those. Many of these servers have between 5 and 200 websites on them.

To ask the webmaster to pay for each site, is old-school. We looked at the currently available software like ClamAV, Maldet and other commercial packages. We tested them with our database of over 400,000 infected files. Some are backdoors, some have malicious code injected into them. Others are phishing files.

Our software obviously detects 100%. ClamAV only detected 17%, Maldet, which can use ClamAV was only 17% and other commercially available packages were all under 35%.

You might think that for our price of $199.95 for our software that we would have room for an affiliate commission. However, with all the extra work we do for VPS and dedicated servers, we really don’t.

We could raise the price, but then you’re the one paying for the affiliate commission.

Very soon we will have a few very big announcements. Stay tuned. Until then, if you know how we can spread the word about our service, we’re all ears. We just need to let the public know we’re here, we’re inexpensive and we’re highly effective – and we use tools that we developed!

What do you think? What would you do if you were in our situation? Please share your thoughts.

Thank you in advance.


Scams, scams everywhere!

Over the past few days I’ve seen a few scams on the Internet.

But wait!

According to the TV commercial, everything on the Internet is true. How do scams exist?

The first one was a Facebook post featuring Bill Gates:

Facebook scam

While Bill Gates is known for his philanthropy, he does not randomly give away money to increase his Facebook followers.

The second one was also a Facebook scam. I will not post the fake pictures of this one, but it involves Porsha Williams and a supposedly released sex tape. I won’t even go into the details behind this, but needless to say, some people are falling for it.

The original Facebook messages are something like:

OMG Kenya Moore Leaked Porsha Williams SexTape Because of their brawl

porsha is so much angry after watching this

or another one:

OMG Porsha Williams Sextape Leaked by Ex-Boyfriend

People who click on these links will be taken to a fake Facebook page which informs you that you can only view the “restricted” video if you share the link with your online Facebook friends.

If you do follow their instructions and share with your Facebook friends, before seeing the video (part of the tip-off this is a scam), you’re directed to a YouTube page where you’re asked to fill out an online survey before watching the video.

Okay, really?

You can’t be so desperate to see her in a scandalous video that you’d share this with your Facebook friends and fill out a survey all before seeing the video? Come on people.

Why do the scammers do this?

MONEY!!!

How?

It’s all about affiliate commission. They earn money for every completed survey.

When you want to get something to spread across the Internet, make it something scandalous, sexy and secret and it will spread like wild fire. This is something that is spread first and then you still don’t get to see what you thought you might, but you’ve already passed it on.

Sometimes, these scams are also used to spread malware. What if, at the end of filling out the survey, you were directed to a page that said you needed to install a special video viewer?

Your mind quickly thinks, “I’ve gone this far, why not?”

Similar scams will include the lure of winning iPads, Samsung phones, $500 gift cards or other such highly desirable items.

In the case of the fake Bill Gates Facebook post, the scammers might be getting paid to increase Facebook likes.

One of the merits of social media is that you should be able to “safely” share information with friends and customers. However, in that context, when you unknowingly invite scammers and hackers into your circle of trust by spreading their messages, you open all your friends and customers to their scams as well.


Don’t trust everything. With the work we do, I always think, “what’s their motive for publishing this?”

Yes, being doubtful of everyone and everything might mean I miss something. But I know I’ll also miss many opportunities for falling victim to a scam.

My sister-in-law sent me a short video clip of my nephew walking around saying “Battery” with his best James Hetfield (Metallica) voice. I couldn’t watch it because I didn’t have the required video player installed on the computer I was on at the moment. I eventually did see it and was quite proud that my habits have been inherited by my nephew.

That’s how I am though. I doubt everyone and everything. This work has made me that way.

Please be careful out there.

Have you come across any scams you want to share? Please post a comment or send an email to me at: traef@wewatchyourwebsite.com


Large website used to attack other websites

As a player in the website security space, we frequently find research of other organizations and we like to bring it to your attention so you learn more about the cybercriminals who want to infect your website with malware for their nefarious purposes.

In research announced by Incapsula: http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html, a website in Alexa’s Top 50 was used to launch DDoS (Distributed Denial of Service) attacks on other websites.

As usual, you might ask, “Tom, why is this website security news important to me?”

It’s important that you learn why hackers want your website. You need to know why website malware is so prevalent. Yes, even if it’s a small blog that only covers events in your local community. Hackers can use your website for any of their money making schemes.

which flooded our client with over 20 million GET requests originating from the browsers of over 22,000 Internet users

In this report, which gets a little technical, they also mention that the new code is tracking the attack for what appear to be billing purposes. Yet another income stream for cybercriminals.

The hackers could be offering this as a service, for which they charge a fee.

If you have questions about this, please ask in the comment section.

Thank you.


Previewing Outlook messages can lead to infected computer

Microsoft has announced a vulnerability in Word 2010. For those of you who aren’t intimately familiar with Microsoft Office products, Microsoft Word is the default reader for Outlook 2007, Outlook 2010 and Outlook 2013.

https://technet.microsoft.com/en-us/security/advisory/2953095

If you’re using Microsoft Outlook as your email program, this could affect you.

Why would a company dedicated to website security make you aware of this?

This particular vulnerability exposes your local computer to remote code execution exploitation. This means that if a hacker sends you a carefully crafted email message in RTF format, just previewing the message in Outlook, with Word 2010 as your default reader, would allow remote code to be executed on your computer – which means your computer could be infected.

We want to bring this to your attention so that you update all your software. If your local computer gets infected the hackers could steal your login credentials to your hosting account, your CMS (WordPress, Joomla, etc.), login to your account and infect your website.

We are concerned with your website security, but along with this comes being concerned about your local computer security as well.

We’ve stated this before, but it becomes clear in Microsoft’s announcement that the attacker, if successful, will have the same rights as the currently logged in user. If you login to your local computer as administrator, guess what? The hacker will have the same rights – administrator.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

It’s advised that you create a separate “user” account on your computer. This user does not have the ability to install programs. If you want to install a new program on your computer, you logout as this user, login as administrator, install the software, then logout as administrator, login as the user and proceed with your normal activity.

Yes, this is not the most convenient way, however, neither is having your computer compromised.

Always keep your local computer software updated. This helps us keep your website security at the highest level.

Please post a comment if you find this helpful. Tweet this to your friends and family.