Google’s newest warning

Google has expanded its warning system for suspicious, compromised, or hacked websites.

If you use Google for online search, you may start seeing warnings like:

This site may be compromised.

According to Google’s Support page:
To protect the safety of our users, we show this warning message for search results that we believe may have been hacked or otherwise compromised. If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission. Hackers may change the content of a page, add new links on a page, or add new pages to the site. The intent can include phishing (tricking users into sharing personal and credit card information) or spamming (violating search engine quality guidelines to rank pages more highly than they should rank).

This means that when Googlebot was indexing your website, it didn’t see any malicious scripts that could harm your computer, but it did see something that indicates the website has been tampered with. Maybe the hackers are trying to poison Search Engine Result Pages (SERPs), or the site has had files added to it that allow hackers to use it for phishing schemes (fake bank sites, etc.).

For website owners, it means that Google is once again trying to protect its users – the website visitors. While this may seem outside Google’s realm of responsibility, think of it this way: if Google didn’t protect its users, the website visitors, then people might not be so quick to use Google as their default search engine.

We often see, in the various forums we frequent, a website owner whose site has been flagged by Google complaining about where Google’s responsibilities end. However, if Google didn’t champion this cause, then who would?

They are taking various precautions – they send out emails to the webmaster accounts notifying them of the warning label placed on the suspicious website. Some say they should do more before blocking a website.

That decision remains with Google.

Also, keep in mind that Google could just drop the listed website from the search engine listings altogether. But no, they decided to reach out to the website owner in ways they know, and try to alert the website owner to potential problems.

Is it flawless?

Probably not. But in the time we’ve been cleaning websites, 4 years, we’ve seen only a handful of cases where Google was wrong. According to some statistics, there are approximately 40,000 websites infected every week. If Google has been wrong only a few times, we think that’s a pretty good batting average.

What’s your opinion about this?

Leave a comment.

If your website has been infected, email me at traef@wewatchyourwebsite.com and we’ll get you cleaned up and back in Google’s good graces (SERPs) as quickly as possible.

Twitter and Google’s goo.gl – a deadly combination

If you or anyone you know uses Twitter, you should know about a virus that’s spreading.

Twitter, the 140 character online micro-blogging service, has become the victim of a virus that is spreading through malicious hyperlinks that are meant to look like Google’s URL shortener (http://goo.gl).

URL shortening services are needed with Twitter because of the 140-character limitation. Google’s recent entry into this market is goo.gl. You could paste the URL for this blog post into their box and get something like http://goo.gl/6Ftmj, which, when you’re limited to 140 characters, leaves you room to comment on the blog post as well. (I’m just sayin’)

Yesterday, December 7th, messages using the Google URL shortener were being posted on Twitter’s site. Many of these are malicious redirects. Any unsuspecting reader who clicks on one of these will first be sent to the website of Artcan Development, a French furniture seller, and then redirected to a variety of infectious websites.

If you see a Tweet (ouch) that uses this URL: http://goo.gl/R7f68, don’t click on it. That’s the redirect URL and you will be subject to an infectious website.

One website, The Next Web (http://thenextweb.com/twitter/2010/12/07/new-twitter-worm-on-the-loose-watch-the-links-you-click/) has reported that hackers apparently infiltrated the furniture company’s website and loaded it with forwarding scripts, which redirect users to malicious sites. The source also notes that these hyperlinks are included in messages that offer users an easy way for them to track who follows and unfollows them, so beware of these messages as well.

It appears that this scheme is not only using newly created Twitter accounts, but valid, legitimate, existing accounts as well. This makes the virus/worm even more effective as quite frequently those of us in the security industry tell users not to click on any link unless you know who it’s from. In this case, that could get you infected.

Reports indicate that Twitter is aware of the situation and is taking corrective action – but readers should alert any friends, relatives or associates who might be Twitter fans.

If you have already clicked on one of the links you should immediately revoke all followers’ access to your feed to try and stop the spreading of this infection.

I have been preaching against using these URL shortening services for some time. Back on February 24, 2009 I blogged about this type of infection: http://wewatchyourwebsite.com/wordpress/2009/02/social-networks-social-engineering-twitter-round-1/

I understand the marketing potential in a service like Twitter, I just want you to be safe out there. If you have a comment, please leave it below. If you like this, share it with people you know.

Thank you.

Securing osCommerce

We’ve been cleaning many websites that use osCommerce as their shopping cart and felt it necessary to shed some light on what we’ve been seeing and what we’ve done to help our clients stay safe.

First of all, the two most common files that hackers search for on an osCommerce-based website are file_manager.php and define_language.php.

We’ve often seen hacker forums where working exploit code is posted, and in about 99% of the cases the code targets these two files.

One site used this string in their attack:

/admin/file_manager.php/login.php?action=save HTTP/1.1\r\n

Other attacks use the login.php file in addition to another .php file to do various nefarious activities. The hackers can use your osCommerce site to send out mass emails, or to see the last group of orders placed on your site.

What can you do to prevent this?

A few things. First, you have to rename the admin folder. This by itself won’t end it, but it’s what’s referred to as “security by obscurity”. You’re basically not fixing the problem, just hiding it better.

We suggest that you follow these steps:

  • Edit /admin/includes/configure.php and change the location of the admin folder. There will be two lines you have to edit:
  1. define('DIR_WS_ADMIN', '/admin/');
  2. define('DIR_FS_ADMIN', '/home/whatever/public_html/admin/');

In both of the above lines, you’ll want to change ‘admin’ to whatever you’re going to rename your admin folder to.

  • Next, edit admin/includes/boxes/tools.php and comment out these two lines:

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

'<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' .

Note: comment them out by adding two '/' characters (//) to the beginning of each line.

Next, delete file_manager.php and define_language.php. You will not need them and they are no longer functional so you may as well get rid of them.

Now rename your admin folder to whatever you set in the configure.php file above.

So far, you’ve hidden the admin folder (security by obscurity) and disabled the two files hackers look for most; now let’s really lock this down.

In your /newly renamed admin folder/includes/application_top.php file, locate the following code:

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
    $redirect = false;

Replace it with this code:

// redirect to login page if administrator is not yet logged in
// reject any request whose script path contains ".php" more than once
$doublephp_test = strtolower($_SERVER['PHP_SELF']);
if ((substr_count($doublephp_test, '.php')) > 1) {
    tep_redirect(tep_href_link(FILENAME_LOGIN));
}
if (!tep_session_is_registered('admin')) {
    $redirect = false;

This prevents the hackers from using two .php files in the same URL, thus thwarting many of their other attacks.
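As an added example that is not from the original post or from osCommerce, the shell script below shows what the request pattern just described looks like in a web server access log and flags it: any path that names file_manager.php or define_language.php, and any path containing .php more than once (the file_manager.php/login.php form shown earlier). The log lines and IP addresses are constructed for the example, and the script assumes the common log format, where the request path is the seventh whitespace-separated field.

```shell
#!/bin/sh
# Added example, not part of the original post: find osCommerce admin-tool
# probes and double-".php" paths in an Apache-style access log.

# Constructed sample log (common log format; the request path is field 7).
SAMPLE_LOG="${TMPDIR:-/tmp}/oscommerce_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [07/Dec/2010:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [07/Dec/2010:10:01:15 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 8890
198.51.100.9 - - [07/Dec/2010:10:02:03 +0000] "POST /admin/file_manager.php/login.php?action=save HTTP/1.1" 200 412
198.51.100.9 - - [07/Dec/2010:10:02:08 +0000] "GET /admin/define_language.php HTTP/1.1" 302 0
198.51.100.9 - - [07/Dec/2010:10:02:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 2210
EOF

# flag_oscommerce_probes LOGFILE
# Prints one tab-separated line per suspicious request: reason, client IP, path.
#   admin-tool : request for file_manager.php or define_language.php
#   double-php : ".php" appears more than once in the path, the PATH_INFO trick
#                (file_manager.php/login.php) that the application_top.php
#                check in the post rejects at runtime.
flag_oscommerce_probes() {
    awk '
    {
        path = $7
        sub(/\?.*/, "", path)            # drop the query string
        lc = tolower(path)
        reason = ""
        if (lc ~ /\/(file_manager|define_language)\.php(\/|$)/)
            reason = "admin-tool"
        if (gsub(/\.php/, "&", lc) > 1)  # gsub returns the number of matches
            reason = (reason == "") ? "double-php" : (reason ",double-php")
        if (reason != "")
            print reason "\t" $1 "\t" $7
    }' "$1"
}

# count_probes LOGFILE: number of flagged requests, handy for a cron alert.
count_probes() {
    flag_oscommerce_probes "$1" | wc -l | tr -d ' '
}

flag_oscommerce_probes "$SAMPLE_LOG"
```

Run it against a real log with something like flag_oscommerce_probes /var/log/apache2/access.log. Note that the application_top.php check compares PHP_SELF and therefore only protects the admin scripts it is placed in, whereas the log scan covers every request the server recorded, including probes that were answered with a redirect.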

One other suggestion we have. Since we often find malicious .php files hidden in the images folders, you can use a simple .htaccess file to disable PHP functionality in any folder it shouldn’t be in.

Here’s what we’ve been using:

[.htaccess listing not reproduced in this copy; its caption reads: add this to the includes and images folders for better website security]

This will not allow any .php files from functioning or if placed in an includes folder will not allow any of the .php files to be accessed directly from a URL. The files in includes folders are typically that, “included” in other files. The above .htaccess file placed in an includes folder restricts them to just be “included” and not accessed directly.

The last thing to check is file and folder permissions. When we monitor sites, we always check the file and folder permissions. When securing an osCommerce site, file and folder permissions become critical.

All files, except the configure.php files, should not have permissions any higher than 644. The two configure.php files should be set to 444 or 400 depending on your hosting provider. We have heard of reports where osCommerce will not work on some servers without some files and folders being set to 777 which is world readable and world writable (bad, very, very bad). The common suggestion here is to switch hosting providers – immediately.

Folder permissions should be set no higher than 755 when securing osCommerce. Quite often while cleaning a new client’s website, we’ll see many folders set to 777. We’re not sure how they got that way, if the hackers did it after they infected the website or if they were set that way to begin with and it made the hacker’s job that much easier – but either way, we set them to 755 and then test the site to make sure nothing “breaks” after applying security settings.
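The two filesystem steps above, the .htaccess in folders that should never serve PHP and the permission settings, as an added shell example that is not code from the original post or from osCommerce. The .htaccess content is this example’s own, since the post’s listing is not reproduced above, and it assumes Apache with .htaccess overrides enabled for the directory (AllowOverride); the demo directory tree it creates under /tmp is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the original post or from osCommerce: helpers
# for the .htaccess and permission steps described above. The .htaccess text
# is this example's own and assumes Apache honours .htaccess in the directory.

# deny_php_in_dir DIR
# Writes DIR/.htaccess so direct web requests for PHP scripts are refused.
# Scripts that other files include() are unaffected: include() reads from
# disk and never passes through the web server's access checks.
deny_php_in_dir() {
    cat > "$1/.htaccess" <<'EOF'
# Refuse direct requests for PHP scripts in this directory (includes/, images/).
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    chmod 644 "$1/.htaccess"
}

# audit_perms ROOT
# Lists anything looser than the post's targets: files above 644, folders
# above 755, and configure.php files that are neither 444 nor 400.
# "-perm /bits" (GNU find) matches when ANY of the given bits is set.
audit_perms() {
    find "$1" -type f ! -name configure.php -perm /133 | sed 's/^/file   /'
    find "$1" -type d -perm /022 | sed 's/^/dir    /'
    find "$1" -type f -name configure.php ! -perm 444 ! -perm 400 | sed 's/^/config /'
}

# fix_perms ROOT
# Applies the post's settings. Take a full backup first and re-test the site.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name configure.php -exec chmod 644 {} +
    find "$1" -type f -name configure.php -exec chmod 444 {} +
}

# Constructed demo tree: one planted script, one wide-open folder, one
# configure.php left writable, so the audit has something to report.
DEMO="${TMPDIR:-/tmp}/osc_demo_$$"
mkdir -p "$DEMO/images" "$DEMO/includes" "$DEMO/admin/includes"
chmod 755 "$DEMO" "$DEMO/images" "$DEMO/includes" "$DEMO/admin" "$DEMO/admin/includes"
: > "$DEMO/index.php";                    chmod 644 "$DEMO/index.php"
: > "$DEMO/images/planted.php";           chmod 666 "$DEMO/images/planted.php"
: > "$DEMO/includes/configure.php";       chmod 444 "$DEMO/includes/configure.php"
: > "$DEMO/admin/includes/configure.php"; chmod 644 "$DEMO/admin/includes/configure.php"
chmod 777 "$DEMO/images"

deny_php_in_dir "$DEMO/images"
deny_php_in_dir "$DEMO/includes"
audit_perms "$DEMO"
```

The FilesMatch rule works regardless of how PHP is wired into Apache: the Order/Deny form is for Apache 2.2 and the Require form for 2.4, and the IfModule tests pick whichever applies. A php_flag engine off line would switch PHP off under mod_php only, and produces a 500 error where PHP runs as CGI/FastCGI because Apache does not know the directive, which is why it is not used here. Run audit_perms before fix_perms on a real site so you can see what will change.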

With any of the suggestions we’ve provided here, please make a full back-up of your site before making any modifications. Then try one at a time and test. If it doesn’t work, then remove it. But these are steps we’ve taken with our clients who are based on osCommerce and they’ve all worked well.

In closing, if you would like us to apply these changes to your site, please send an email to: info@wewatchyourwebsite.com. We know how important software updates like this are which is why this and many software updates are “included” in our standard service along with our monitoring and cleaning services (now only $39.95 per year per site). It’s our way of helping you prevent website infections.

CBI website hacked by ‘Pakistani Cyber Army’

According to hindustantimes.com, the website of the Central Bureau of Investigation (CBI), cbi.gov.in, was defaced by a group calling itself the ‘Pakistani Cyber Army’. CBI is connected to the world police organization Interpol.

Anyone visiting that page was redirected to another page claiming the defacement was in response to Pakistani websites being hacked by a group calling themselves, ‘Indian Cyber Army’.

In addition to the CBI website, the Pakistani Cyber Army also claims to have hacked 270 other websites.

What’s also interesting is that the Pakistani Cyber Army has a Facebook page and a few of the websites we visited in researching this, international news sites, were infected as well, but apparently not from the Pakistani Cyber Army.

This is what’s referred to as ‘hacktivism’: hacking on behalf of a cause or a group of activists.

However, keep in mind that while this was simply a defacement, imagine if they had set up some type of ‘drive-by’ download. All the people visiting a trusted .gov.in site would have been infected, or at least subjected to an infection attempt.

Website security is no longer an option.

Let’s be careful out there, huh?

ftp.proftpd.org compromised

According to ProFTPD’s website:

The ProFTPD Project team is sorry to announce that the Project’s main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD 1.3.3c source code, from the November 28 2010 to December 2 2010. All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD.

Anyone running a dedicated server or anyone responsible for updating software on dedicated servers, please read and upgrade accordingly.

This just shows how focused hackers are at attacking whatever they can. Please follow their suggestion:

To verify the integrity of your source files, use the PGP signatures which can be found here as well as on the FTP servers.