Website malware on the attack

I was reading an article about how a group of researchers found some new malware and I was floored.

New?

Really?

http://thehackernews.com/2014/07/mayhem-new-malware-targets-linux-and_24.html

We’ve been removing this from websites for months. The first instance we found of this was on February 5, 2014. I guess I really need to write more blogs.

Yes, we’ve been finding the .sd0 and bruteforce.so files on many compromised websites. What the article doesn’t share is an explanation of the .php file that enables these files to be executed.

Typically you’ll have a few “extra” processes running named “host”. These drive resource utilization up and must be killed after you find and remove the .sd0 and other .so files in the web folders. Be careful not to just run:

find . -name "*.so" -exec rm -f {} \;

because sometimes we see ionCube loader files with .so extensions in the web folders as well.

The .php file contains code for both 32-bit and 64-bit architectures.

It opens /usr/bin/host for reading in binary mode and contains the bytes of the .so files as strings. One other file that gets created is libworker.so.

The php file then creates a cron job and a 1.sh file. The cron job runs constantly.

All of these must be deleted and the host process must be killed.

These files have been uploaded in a variety of ways, but typically we see them in CMSs that have not been updated.

Moral to this story,

UPDATE YOUR CMS’s!!!

Thank you for reading…

wysija-newsletters WordPress infection

This weekend (yes, we work weekends) we saw an outbreak of VPS and dedicated servers infected by what appears to be a vulnerability in the wysija-newsletters (MailPoet) WordPress plugin.

This plugin was identified as vulnerable over 2 weeks ago and the authors have released a new version. If you’re reading this, then please, please, please, update your plugins immediately and set a reminder on your smartphone, your computer or anywhere and everywhere else to check your WordPress and your plugins for updates every 3 days at a minimum.

Hosting accounts were hit whether they were VPSs, dedicated servers or shared hosting accounts.

Basically almost every .php file on an account was injected with code across the top of the file. In addition, two files were uploaded. Usually we saw one license.php file and then another backdoor shell in either the wp-admin or wp-includes folder. Most of the license.php files we found were 201 bytes in size.

One other point of entry left by the hackers is an administrator user with no name. This user must be deleted and all plugins updated.

You’ll notice that all the original date/time stamps of the files are kept. This leads us to believe that the backdoor shell they’ve uploaded allows them to modify almost anything about a file.

The vulnerability allows hackers to bypass admin authentication in the wysija-newsletters plugin and upload files. The hackers access those files remotely and start injecting their malicious payload into every .php file their program can find. This means that it will cross sub-domains on the same account.

The attacker will upload a file to: wp-content/uploads/wysija/themes and run it. Fortunately, our protection does not allow php files to be executed in the uploads folder – so even before this was discovered, many of our customers were already protected.

If you have a VPS or dedicated server with only one cPanel and all your sites under that, then basically every website is probably infected on your server. If you’re on a shared hosting account with multiple websites and one of them has the wysija-newsletters plugin (MailPoet), then chances are that all of your websites are infected.

We’ve been working feverishly to get this cleaned up, but some of the infections overwrite the existing file and the result is not always intact. Frequently we’ve had to replace plugins and/or themes because there is code missing from the file after the infection.

Email scam alert

I would like to alert you to a scam. It’s not new, but I wanted to let you know so you don’t fall for this.

It started as an email that looks like this:

A scam that was caught in our in-box

In the section: “To view copy of the court notice click here” when you click on the link “here” you are taken to:

http://www.avedomestica.com.br/cocad/components/api/wwMg/YHBZLEwMLv6DusGNSlXw5TapuV1oLceFaZLX3M=/notice

This link no longer works, but it was trying to infect the computer of the person who clicked on it. You must be wary of all emails sent to you that are designed to scare you into some action.

Typically if you hover over the link, depending on your browser, you can see the URL of the intended link. If it has nothing to do with the email, then it’s probably a scam and it should be deleted.

Quite often we’ll see emails where you must click on a link or open an attachment in order to “play along”. This should be your first tip-off.

For this scam: if someone is taking legal action against you, they will contact you either through mail (snail mail), FedEx, UPS or some other physical means – not email.

Hopefully you wouldn’t have fallen for this, but I did want to alert you.

Thank you.

The proof is in the logs

Ever since I started this business of website security back in 2007 I’ve been reading log files.

Select my favorite easy chair, grab a tablet, a glass of scotch and dive into reading log files. Sound like a fun time?

Most of you will cringe at that. However, I’ve found that with few exceptions, the proof is in the log files. Unfortunately, many hosting providers have logging turned off by default. When a new customer comes to us to remove the malware from their website, they always want to know how it happened.

Seems logical doesn’t it?

However, without log files all we can do is compare with similar situations we have seen before. We actually know of one competitor that deletes the log files after we told them what 3rd party services they were using based on the information in the log files.

You see, the log files don’t lie. They may not contain all the information, but they don’t lie.

For instance, we often remove malware from a WordPress website. That’s not to imply that WordPress is more vulnerable than other CMSs (Content Management Systems). But they are the most popular, which by itself makes them a huge target.

While removing malware from a WordPress website we look for clues. If the log files have been activated, we run them through our analyzer (automated and written in-house) which either pinpoints the exact point of entry or at least gives us enough evidence to make a highly educated guess.

Too often, we determine the point of entry to be stolen WordPress passwords. This is due to a virus/trojan on someone’s local computer that is waiting for them to login to their WordPress website. It then records the login URL, username and password.

Quite often we’ll see a sequence like this:

"POST /wp-login.php HTTP/1.0" 302

Followed by an entry like this:

GET /wp-admin/theme-editor.php?file=footer.php&theme=

You can only get to the theme-editor if you’re logged in with the proper rights. When we see this in a log file, we know that some WordPress user with administrator rights has logged in and used the theme-editor to modify the footer.php file.

We open the footer.php file and 99.9999% of the time we find infectious code. The theme-editor can also be used to inject code into any of the other files as well. While they’re logged in they might also upload a “media” (not really) file, which is nothing more than a backdoor shell.
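Here is what our analyzer looks for in that sequence, written up as an added Python example (not our in-house tool and not code from this post): it pairs a wp-login.php POST that returned 302 with later theme-editor requests from the same IP, and tallies login POSTs that did not redirect. The log lines and IP addresses are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache "combined" format (not from a real site).
# 203.0.113.7 logs in successfully, then uses the theme editor on footer.php.
# 198.51.100.22 only produces failed logins (wp-login.php re-renders with 200).
# 192.0.2.50 reaches the theme editor with no login POST in this log excerpt.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2014:03:14:01 -0500] "GET /wp-login.php HTTP/1.0" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2014:03:14:05 -0500] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2014:03:14:09 -0500] "GET /wp-admin/theme-editor.php?file=footer.php&theme=twentyfourteen HTTP/1.0" 200 21000 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2014:03:14:31 -0500] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jul/2014:03:20:00 -0500] "POST /wp-login.php HTTP/1.0" 200 4000 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jul/2014:03:20:03 -0500] "POST /wp-login.php HTTP/1.0" 200 4000 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Jul/2014:09:00:00 -0500] "GET /wp-admin/theme-editor.php?file=header.php&theme=twentyfourteen HTTP/1.0" 200 20000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"
# The built-in editors an attacker with a stolen admin login can use to modify files.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_editor_use(log_text, session_hours=24):
    """Pair successful wp-login POSTs (302) with later built-in editor requests.

    Returns (findings, failed_logins): findings is a list of editor requests, each
    carrying the time of the last login POST from the same IP (None if none was
    seen within session_hours); failed_logins counts wp-login POSTs per IP that
    did not redirect, i.e. the login form was shown again.
    """
    last_login = {}
    failed_logins = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        ip = rec["ip"]
        if url.path == LOGIN_PATH and rec["method"] == "POST":
            if rec["status"] == 302:
                last_login[ip] = rec["ts"]
            else:
                failed_logins[ip] = failed_logins.get(ip, 0) + 1
        elif url.path in EDITOR_PATHS:
            login_ts = last_login.get(ip)
            if login_ts and (rec["ts"] - login_ts).total_seconds() > session_hours * 3600:
                login_ts = None  # too old to belong to this session
            params = parse_qs(url.query)
            findings.append({
                "ip": ip,
                "login_time": login_ts,
                "editor_time": rec["ts"],
                "method": rec["method"],
                "path": url.path,
                "file": params.get("file", [None])[0],
            })
    return findings, failed_logins


if __name__ == "__main__":
    hits, fails = find_editor_use(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} file={h["file"]} '
              f'login={h["login_time"]} editor={h["editor_time"]}')
    for ip, n in fails.items():
        print(f"{ip}: {n} failed login attempts")
```

An editor request with no preceding login POST (the 192.0.2.50 line) is still worth reporting: the session may have been established before the log excerpt starts.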

You can find so much information in the log files that we get really excited when we have log files to analyze because we know it will lead us to the final reckoning. We find the evidence and we state, “I reckon that’s how the hackers got in!”

If your security company deletes log files or just doesn’t ever activate them, you have to wonder, “Do they really know how my site was infected? Or are they just telling me to install 3 or 4 security plugins and they’re hoping for the best?”

That my friends is something for you to consider.

If you have log files you’d like us to analyze for you, put them in a zip file and email them to me at: traef@wewatchyourwebsite.com. I’ll run them through our analyzer and give you our opinion of how your site was infected – no charge.

Thank you.

Real live password hacking

We recently worked on an infected website that was a bit unusual.

Often we see websites hacked due to stolen passwords. Sometimes we remove malware from websites that were infected due to easily guessable passwords. Passwords like:

  • p@ssw0rD
  • pa$$woRd
  • pA55W0Rd
  • etc…

These are all passwords that the hackers try in their “brute force” attacks. In the event you’re not familiar with a brute force attack, it’s essentially the hackers trying thousands or millions of usernames with thousands or millions of passwords.

When the hackers know what the username is, it reduces their attempts, but a strong password always prevails.

In this unusual case, we found the infected code on a cPanel account. That’s not unusual. Not that cPanel is easy to hack – it isn’t – but often the username for a cPanel account is easy to ascertain.

For instance, if the main domain for your cPanel account is rumplestiltskin.com and there is no other domain similar to that, you might have a cPanel username of rumplest – or some variation of that.

Knowing that, you can start putting together a list of potential passwords:

  • rump1e$t
  • rumpl3st
  • rump1e5t
  • rumpl3$t
  • rumpl35t
  • rump1es+
  • rump1es7
  • rumpl3s7
  • etc…

The basic premise here is to replace each l (“L”) with either the number 1, an upper-case I, or the vertical bar (|). The number 3 can represent an e; an s can be replaced with either the $ or the number 5. The letter “t” can be replaced with either the plus sign “+” or the number 7. The letter “a” can be replaced with the “@” sign, etc…
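An added example (not the hackers’ tool, and not code from this post) of the defensive side of those rules: undo the substitutions and check whether what is left is the cPanel username or a label from the domain. The substitution table is an assumed one built from the rules above.

```python
import re

# Reverse table of the substitutions described above (1, I and | for l; 3 for e;
# $ and 5 for s; + and 7 for t; @ for a) plus a few common ones (0 for o, 4 for a,
# ! for l). Assumed table, not the list any particular cracking tool uses.
# "i" is folded into "l" because the post notes a capital I stands in for l.
DELEET = {
    "1": "l", "|": "l", "!": "l", "i": "l",
    "3": "e",
    "$": "s", "5": "s",
    "+": "t", "7": "t",
    "@": "a", "4": "a",
    "0": "o",
}


def normalize(text):
    """Lower-case, undo the substitutions, and drop anything that is not a letter."""
    mapped = "".join(DELEET.get(ch, ch) for ch in text.lower())
    return re.sub(r"[^a-z]", "", mapped)


def identity_words(username, domain):
    """Strings a password must not be built from: the account name and domain labels."""
    words = {username.lower()}
    for label in domain.lower().split("."):
        if label not in ("com", "net", "org", "www"):
            words.add(label)
    return words


def password_echoes_identity(password, username, domain, min_len=6):
    """Return the identity word the password is an obfuscated copy of, else None.

    A match means the normalized password contains the normalized word (or its
    reverse), so rump1e$t, Rumpl3s7!2014 and t$e1pmur all trip on rumplest.
    Words shorter than min_len are ignored so short labels do not cause noise.
    """
    norm_pw = normalize(password)
    for word in sorted(identity_words(username, domain), key=len, reverse=True):
        norm_word = normalize(word)
        if len(norm_word) < min_len:
            continue
        if norm_word in norm_pw or norm_word[::-1] in norm_pw:
            return word
    return None


if __name__ == "__main__":
    for candidate in ["rump1e$t", "Rumpl3s7!2014", "RumpIe5+i1tskin", "correct horse battery"]:
        verdict = password_echoes_identity(candidate, "rumplest", "rumplestiltskin.com")
        print(f"{candidate!r} -> {verdict}")
```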

We’ve seen programs the hackers have that will take a word or phrase and by applying some basic password rules to it, will generate a long list of potential passwords. In this specific case, their program generated 72 different potential passwords.

The infected files we found were in a folder above public_html, so we can almost rule out an application-type infection. It did not appear to come from an outdated version of WordPress. We scanned the log files, which luckily for us were already activated, but they turned up nothing.

We have files above public_html, no forensic trace in the log files – how could this be?

It seems the customer was using a password that was just an obfuscated version of the cPanel username.

Our conclusion on this one was that since this site held the tools the hackers were using to try to infect other cPanel accounts, we presumed, due to lack of any other evidence, that this one, with its password falling within the parameters of the tools hackers use, was infected the same way. Combine that with where the files were and that the log files looked like they had been tampered with, and we were led to believe our conclusion was correct.

The moral of this story is never use easily guessable passwords – never. Don’t think you can get away with just obfuscating the username into a password. Obviously that doesn’t work either.

If you have an infected website and would like to see if we can figure out how it happened, send me an email: traef@wewatchyourwebsite.com. We’ll have questions for you, but we should be able to give you an idea of how it happened.

Go ahead, give a try…

Thank you.

Why we don’t have an affiliate program

Quite often after we’ve removed malware from someone’s website, we’re asked, “Do you guys have an affiliate program?”

Many, many internet marketing people have strongly suggested that in order to “get into the big leagues” we need to help other people make money.

We’re asked so often, I thought it needed to be addressed.

I started this business to help people. Not to be the next Internet billionaire. It’s my nature to want to help others.

When you look at affiliate programs, you have to think about where the commission is coming from.

Does the producer, WeWatchYourWebsite in this case, make a lower margin? We try to offer our customers – (you!) the lowest price possible. Many of you are either not making any money with your websites or making very little. Even if your site is making money, everyone is watching their expenses closely.

To be charging larger fees might mean you go without website security. Or maybe you try to remove the malware yourself – either way, it’s probably not what you’re looking for.

Does the consumer, you, pay more so that others can make money? After all, you’re the one with the infected website. Why shouldn’t you pay more?

Somewhere the affiliate commission must be added to the cost.

Are you willing to pay someone else a fee for bringing our service to you?

I’m not against affiliate programs, but I’m just having a difficult time with charging you more money in order for us to bring you in.

Most of the people we talk with on the phone do not want to be charged a higher fee. The majority of our customers thank us for doing what we do at the prices we ask.

New Product Development

This is why we focused so much time and effort on our VPS and Dedicated server software. We saw that the market for VPS and dedicated servers was growing. The prices were coming down on those. Many of these servers have between 5 and 200 websites on them.

To ask the webmaster to pay for each site is old-school. We looked at the currently available software like ClamAV, Maldet and other commercial packages. We tested them with our database of over 400,000 infected files. Some are backdoors, some have malicious code injected into them. Others are phishing files.

Our software obviously detects 100%. ClamAV only detected 17%; Maldet, which can use ClamAV, was also only 17%; and other commercially available packages were all under 35%.

You might think that for our price of $199.95 for our software that we would have room for an affiliate commission. However, with all the extra work we do for VPS and dedicated servers, we really don’t.

We could raise the price, but then you’re the one paying for the affiliate commission.

Very soon we will have a few very big announcements. Stay tuned. Until then, if you know how we can spread the word about our service, we’re all ears. We just need to let the public know we’re here, we’re inexpensive and we’re highly effective – and we use tools that we developed!

What do you think? What would you do if you were in our situation? Please share your thoughts.

Thank you in advance.

Scams, scams everywhere!

Over the past few days I’ve seen a few scams on the Internet.

But wait!

According to the TV commercial, everything on the Internet is true. How do scams exist?

The first one was a Facebook post featuring Bill Gates:

Facebook scam

While Bill Gates is known for his philanthropy, he does not randomly give away money to increase his Facebook followers.

The second one was also a Facebook scam. I will not post the fake pictures of this one, but it involves Porsha Williams and a supposedly released sex tape. I won’t even go into the details behind this, but needless to say, some people are falling for it.

The original Facebook messages are something like:

OMG Kenya Moore Leaked Porsha Williams SexTape Because of their brawl

porsha is so much angry after watching this

or another one:

OMG Porsha Williams Sextape Leaked by Ex-Boyfriend

People who click on these links will be taken to a fake Facebook page which informs you that you can only view the “restricted” video if you share the link with your online Facebook friends.

If you do follow their instructions and share with your Facebook friends, before seeing the video (part of the tip-off this is a scam), you’re directed to a YouTube page where you’re asked to fill out an online survey before watching the video.

Okay, really?

You can’t be so desperate to see her in a scandalous video that you’d share this with your Facebook friends and fill out a survey all before seeing the video? Come on people.

Why do the scammers do this?

MONEY!!!

How?

It’s all about affiliate commission. They earn money for every completed survey.

When you want to get something to spread across the Internet, make it something scandalous, sexy and secret and it will spread like wild fire. This is something that is spread first and then you still don’t get to see what you thought you might, but you’ve already passed it on.

Sometimes, these scams are also used to spread malware. What if, at the end of filling out the survey, you were directed to a page that said you needed to install a special video viewer?

Your mind quickly thinks, “I’ve gone this far, why not?”

Similar scams will include the lure of winning iPads, Samsung phones, $500 gift cards or other such highly desirable items.

In the case of the fake Bill Gates Facebook post, the scammers might be getting paid to increase Facebook likes.

One of the merits of social media is that you should be able to “safely” share information with friends and customers. However, in that context, when you unknowingly invite scammers and hackers into your circle of trust by spreading their messages, you open all your friends and customers to their scams as well.

Don’t trust everything. With the work we do, I always think, “what’s their motive for publishing this?”

Yes, being doubtful of everyone and everything might mean I miss something. But I know I’ll also miss many opportunities for falling victim to a scam.

My sister-in-law sent me a short video clip of my nephew walking around saying “Battery” with his best James Hetfield (Metallica) voice. I couldn’t watch it because I didn’t have the required video player installed on the computer I was on at the moment. I eventually did see it and was quite proud that my habits have been inherited by my nephew.

That’s how I am though. I doubt everyone and everything. This work has made me that way.

Please be careful out there.

Have you come across any scams you want to share? Please post a comment or send an email to me at: traef@wewatchyourwebsite.com

Large website used to attack other websites

As a player in the website security space, we frequently find research of other organizations and we like to bring it to your attention so you learn more about the cybercriminals who want to infect your website with malware for their nefarious purposes.

In research announced by Incapsula: http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html, a website in the Alexa Top 50 was used to launch DDoS (Distributed Denial of Service) attacks on other websites.

As usual, you might ask, “Tom, why is this website security news important to me?”

It’s important that you learn why hackers want your website. You need to know why website malware is so prevalent. Yes, even if it’s a small blog that only covers events in your local community. Hackers can use your website for any of their money making schemes.

From the report: “…which flooded our client with over 20 million GET requests originating from the browsers of over 22,000 Internet users”

In this report, which gets a little technical, they also mention that the new code tracks the attack for what appear to be billing purposes. Yet another income stream for cybercriminals.

The hackers could be offering this as a service, for which they charge a fee.

If you have questions about this, please ask in the comment section.

Thank you.

SPAM for law firms

Since we started offering our VPS and dedicated server software, we’ve been handling many SPAM issues for clients. Not only outgoing, but incoming as well.

One recent rash of SPAM seems to focus on law firms. I’m sure others are receiving these as well, but our experience has mostly seen these emails sent to law firms.

The scenario begins with an email with a subject line like:

New Fax: 2 pages

The body of the message will be something like:

Scanned from MFP61725171 by (domain of recipient).com
Date: Tue, 1 Apr 2014 20:17:54 +0800
Pages: 2
Resolution: 200×200 DPI

It appears to be an internal fax. It will usually show the sender (From:) as fax@(domain of recipient).com and the number of pages will vary.

The email contains an attachment, typically a .zip file – obviously infectious.

When we look at the headers here’s what we see:

Return-path:

Envelope-to: willie.james@(domain of recipient).com
Delivery-date: Mon, 31 Mar 2014 10:15:53 +0000
Received: from [106.79.10.18] (port=49927)
by server.(server for client).com with esmtp (Exim 4.82)
(envelope-from )
id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:
<6BY1VKL42LR58X56ARUF4VNG59U3YS6B@316-SN2MPN2-342.397d.mgd.msft.net>
From: "FAX"
To: john.assistant@(domain of recipient).com

Subject: New Fax : 5 pages
Thread-Topic: New Fax : 5 pages
Thread-Index: 9P7N7EWX4M3T3HCICOQW==
Date: Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:

Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/mixed;
boundary="----=_Part_49160_3775187661.5707552433783"
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:

MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: 092-SN2MMR2-965.296d.mgd.msft.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 09
X-Originating-IP: [106.79.10.18]
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system
"server.(server for client).com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: You have received a new fax (fax-954672.zip). Date/Time:
Mon,
31 Mar 2014 15:45:51 +0530. Number of pages:5 [...]

This is a case where the spammers are spoofing the from email address so it appears to be an internal fax communication.

This line tells us it did not originate internally:
Received: from [106.79.10.18] (port=49927)

According to whois.domaintools.com (an awesome service, you should subscribe!) that IP address is in India. Our client was here in the United States. Therefore we know it was fake.
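As an added example (not something from this post), here is a Python check that reads headers like those, takes the origin IP from the earliest Received hop, and flags a message whose From domain matches the recipient’s while the origin lies outside the organisation’s own networks. The trusted network and the example-law.com / hosting-example.com names are assumptions; the IP address and the mgd.msft.net hostnames are the ones shown above.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed header set modelled on the fax spam above. example-law.com stands in
# for the recipient's domain and hosting-example.com for the receiving server.
RAW_MESSAGE = """\
Return-Path: <fax@example-law.com>
Envelope-to: willie.james@example-law.com
Received: from [106.79.10.18] (port=49927)
\tby server.hosting-example.com with esmtp (Exim 4.82)
\t(envelope-from <fax@example-law.com>)
\tid 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
\t115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
\t14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
From: "FAX" <fax@example-law.com>
To: john.assistant@example-law.com
Subject: New Fax : 5 pages
X-Originating-IP: [106.79.10.18]
MIME-Version: 1.0

You have received a new fax (fax-954672.zip).
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops_oldest_first(msg):
    """Bracketed IPs of each Received header, earliest hop first.

    Each relay prepends its own Received line, so the last one in the header
    block is the hop closest to the real sender.
    """
    received = msg.get_all("Received") or []
    return [BRACKET_IP.findall(str(h)) for h in reversed(received)]


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def analyze_origin(raw, trusted_nets):
    """Decide whether a mail that claims to be internal really came from inside.

    trusted_nets: networks the organisation's own mail actually leaves from
    (an assumed list here; real values come from your own mail setup).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = hops_oldest_first(msg)
    # Origin = the "from" address of the earliest hop; fall back to X-Originating-IP.
    origin = next((ips[0] for ips in hops if ips), None)
    if origin is None:
        m = BRACKET_IP.search(str(msg.get("X-Originating-IP", "")))
        origin = m.group(1) if m else None
    from_dom = domain_of(msg.get("From", ""))
    to_dom = domain_of(msg.get("To", ""))
    claims_internal = bool(from_dom) and from_dom == to_dom
    origin_trusted = origin is not None and any(
        ipaddress.ip_address(origin) in net for net in trusted)
    # A hop whose "from" and "by" hosts share one address is a sign the line was fabricated.
    self_relay = any(len(ips) >= 2 and len(set(ips)) == 1 for ips in hops)
    if claims_internal and not origin_trusted:
        verdict = "spoofed-internal"
    elif self_relay:
        verdict = "suspicious-chain"
    else:
        verdict = "no-finding"
    return {"origin_ip": origin, "claims_internal": claims_internal,
            "origin_trusted": origin_trusted, "self_relay": self_relay,
            "verdict": verdict}


if __name__ == "__main__":
    # Assumed: the firm's mail only ever leaves from 198.51.100.0/24.
    print(analyze_origin(RAW_MESSAGE, ["198.51.100.0/24"]))
```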

If you use Outlook for email, you can see how to view the full headers by Googling “outlook view full headers”. If you use Outlook 2007, Outlook 2010, etc. you can further refine your search by adding that version. For instance you can use this in Google for Outlook 2007:

outlook 2007 view full headers

If you start getting these, just mark them as SPAM and move on with life. Your server is not infected. Your local computer is not infected either.

How hackers use your website

Due to our work in website security, quite often we’re asked “Why?”

As in, “why do hackers want my website?”

From this article by Webroot: http://www.webroot.com/blog/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/ you can see that sometimes hackers use your website as a proxy. A proxy is a buffer in front of their real location. Some of you ask if we can tell you exactly where the hacker is. Unfortunately we can’t. Not for any legal reason, but because hackers hide behind multiple layers of these proxies.

The website security industry would love to be able to track down hackers, but it’s rarely possible.

For instance, they might be in one country. Their computer connects to a server in South America (that they’ve already compromised), from there to a server in Switzerland, then to a compromised server in North America. The last IP address is all that will appear in your log files. In our example here, the last IP address would be from the compromised server in North America.

When we have access to the log files, we mine the IP addresses out of the log files and report them to the proper abuse department. This is a small step toward making the Internet safer, and is somewhat time consuming, but we do it to help notify others that they have an infected website or server.

The tool mentioned in that article also shows one of the tools used by hackers to upload infectious content to your site – automatically. Many of you believe that someone is sitting behind a computer and attacking your website, or uploading malicious files to your site.

Not at all.

Most, if not all, of today’s website infections are the result of an automated tool.

After one of the screen captures this caught my attention:

The tool works in a fairly simple way. It requires a list of user names and passwords, which it will then use to automatically upload any given set of files/scripts through the use of automatically syndicated fresh lists of proxies.

So, when the hackers have a list of compromised FTP users, they load it up in this tool and then they can send the same infectious code to hundreds or thousands of websites.

With the log files activated, we can see the FTP account used and the IP address of where the connection originated (the last proxy IP address).

Here’s our Website Security Best Practices for FTP accounts:

  • Create a separate FTP account for each user. Not all hosting providers allow this. Many only allow one. But if you’re with a hosting provider who provides cPanel, then you can create separate FTP accounts. Also make certain they have good strong passwords.
  • Activate the logs. Most hosting providers have the logs turned off by default. They know that nobody other than us ever reads the logs, so why consume so much disk space? Again, if you’re on a cPanel account, scroll down to the section labeled “Statistics” and select the “Access Logs” icon. It might be different on various hosts, but that should get you in the general area. You can check both boxes. If you’re not on a cPanel account, then ask your hosting provider.
  • If you provide access to a web developer or anyone else, ask them what anti-virus program they use on their local computers. Every potential point of entry needs to be accounted for. If they have a virus on their computer and it steals the login credentials for the FTP account you provided them, guess what? You could have the best website security team in the world (yes – us!) and your website will still get infected.
  • Be diligent about the FTP accounts. If someone that you’ve provided FTP access to no longer needs that access, then delete their FTP account. Remember, hackers only need one way in. Yes, this is a pain, but so is getting your website infected.

You’ll notice that we didn’t recommend SFTP as many do.

Why?

We understand how hackers work. While SFTP sounds more secure, the reality of it is – that it really isn’t.

All SFTP does is encrypt the traffic between your computer and the destination – your website. However, a few things to mention.

Most hosting providers will only allow you to create one SFTP account and frequently it’s the same account used to login to your hosting account. If you want to provide access to someone who will be making changes to your website – legitimate changes, you have to give them access to your hosting account. If you have 3 or 4 people who need access to your website files, now you have 3 or 4 more potential points of entry for hackers.

With only one account, you have lost the advantage of FTP logging. There will only be one account listed in there. If your website security is compromised, looking in your log files will tell you how it happened, but you have no idea who has the virus that is stealing the account information.

Which brings me to the last reason we don’t recommend SFTP.

We’ve seen the way the viruses/trojans work. They steal the login URL, username and password from your computer. It doesn’t matter if you’re using SFTP or FTP, it steals the login address and protocol. The hackers will login and upload their malicious files using an encrypted channel (SFTP). They can thank you later for thinking of their need for security.

This is the same reason we don’t recommend changing the login URL and username for WordPress. When hackers steal the information you may have changed your login URL to http://(yoursite.com)/Supercalifragilisticexpialidocious and your admin user to: rumpelstiltskin, but when the hackers steal the information, they steal that as well.

Let me know your thoughts about this. Post a comment. Ask a question.

Thank you for your time.