
SPAM for law firms

Since we started offering our VPS and dedicated server software, we’ve been handling many SPAM issues for clients. Not only outgoing, but incoming as well.

One recent rash of SPAM seems to focus on law firms. I’m sure others are receiving these as well, but our experience has mostly seen these emails sent to law firms.

The scenario begins with an email with a subject line like:

New Fax: 2 pages

The body of the message will be something like:

Scanned from MFP61725171 by (domain of recipient).com
Date: Tue, 1 Apr 2014 20:17:54 +0800
Pages: 2
Resolution: 200×200 DPI

It appears to be an internal fax. It will usually show the sender (From:) as fax@(domain of recipient).com and the number of pages will vary.

The email contains an attachment, typically a .zip file – obviously infectious.

When we look at the headers here’s what we see:

Return-path:

Envelope-to: willie.james@(domain of recipient).com
Delivery-date: Mon, 31 Mar 2014 10:15:53 +0000
Received: from [106.79.10.18] (port=49927)
by server.(server for client).com with esmtp (Exim 4.82)
(envelope-from )
id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:
<6BY1VKL42LR58X56ARUF4VNG59U3YS6B@316-SN2MPN2-342.397d.mgd.msft.net>
From: "FAX"
To: john.assistant@(domain of recipient).com

Subject: New Fax : 5 pages
Thread-Topic: New Fax : 5 pages
Thread-Index: 9P7N7EWX4M3T3HCICOQW==
Date: Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:

Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/mixed;
boundary="----=_Part_49160_3775187661.5707552433783"
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:

MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: 092-SN2MMR2-965.296d.mgd.msft.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 09
X-Originating-IP: [106.79.10.18]
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system
"server.(server for client).com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: You have received a new fax (fax-954672.zip). Date/Time:
Mon,
31 Mar 2014 15:45:51 +0530. Number of pages:5 [...]

This is a case where the spammers are spoofing the from email address so it appears to be an internal fax communication.

This line tells us it did not originate internally:
Received: from [106.79.10.18] (port=49927)

According to whois.domaintools.com (an awesome service, you should subscribe!) that IP address is in India. Our client was here in the United States. Therefore we know it was fake.
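The check described above (the From: address claims the recipient's own domain, but the first hop our own server recorded came from an outside address) can be automated. The following is an added example, not code from the original post. It parses a constructed copy of the headers quoted above; the addresses the post blanks out are filled with placeholders (lawfirm.example for the recipient's domain, server.host.example for the client's Exim server), and 192.0.2.0/24 stands in for the firm's real office or mail-server range.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in this post. Addresses
# the post blanks out are filled with placeholders ("lawfirm.example" for the
# recipient's domain, "server.host.example" for the client's mail server).
RAW_MESSAGE = """\
Return-path: <fax@lawfirm.example>
Envelope-to: willie.james@lawfirm.example
Received: from [106.79.10.18] (port=49927)
\tby server.host.example with esmtp (Exim 4.82)
\t(envelope-from <fax@lawfirm.example>)
\tid 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
\t115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
\t14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
From: "FAX" <fax@lawfirm.example>
To: john.assistant@lawfirm.example
Subject: New Fax : 5 pages
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [106.79.10.18]

You have received a new fax (fax-954672.zip).
"""

# "from <anything> [a.b.c.d] ... by <host>" -- the bracketed address is what
# the receiving MTA itself observed, unlike the name the sender announced.
RECEIVED_RE = re.compile(
    r"^from\s+.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def handoff_ip(received_value, our_host):
    """IP that handed the message to our_host per one Received header, else None."""
    flat = " ".join(str(received_value).split())  # unfold and squeeze whitespace
    m = RECEIVED_RE.match(flat)
    if not m or m.group("by").rstrip(";").lower() != our_host.lower():
        return None
    return ipaddress.ip_address(m.group("ip"))


def analyze_message(raw, our_host, trusted_networks):
    """Decide whether a 'From: our own domain' message really came from inside."""
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    # Received headers are prepended, so the first one written by OUR host is
    # the only hop we can vouch for; everything below it (including the
    # X-MS-Exchange-Organization-* "Internal" claims) was supplied by the sender.
    origin = None
    for received in msg.get_all("Received", []):
        origin = handoff_ip(received, our_host)
        if origin is not None:
            break
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(str(msg["To"]))[1].rpartition("@")[2].lower()
    claims_internal = bool(from_domain) and from_domain == to_domain
    origin_trusted = origin is not None and any(origin in net for net in trusted)
    if claims_internal and not origin_trusted:
        verdict = "spoofed"
    elif claims_internal:
        verdict = "internal"
    else:
        verdict = "external"
    return {
        "origin_ip": str(origin) if origin else None,
        "from_domain": from_domain,
        "claims_internal": claims_internal,
        "origin_trusted": origin_trusted,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the firm's real office/mail-server range.
    print(analyze_message(RAW_MESSAGE, "server.host.example", ["192.0.2.0/24"]))
```

The important design point is which Received header to trust: only the one your own server wrote. The Exchange-style headers and the second Received line were all supplied by the sending system, which is why the "AuthAs: Internal" claim is ignored.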

If you use Outlook for email, you can see how to view the full headers by Googling “outlook view full headers”. If you use Outlook 2007, Outlook 2010, etc. you can further refine your search by adding that version. For instance you can use this in Google for Outlook 2007:

outlook 2007 view full headers

If you start getting these, just mark them as SPAM and move on with life. Your server is not infected. Your local computer is not infected either.


How hackers use your website

Due to our work in website security, quite often we’re asked “Why?”

As in, “why do hackers want my website?”

From this article by Webroot, http://www.webroot.com/blog/2013/07/11/new-commercially-available-mass-ftp-based-proxy-supporting-doorwaymalicious-script-uploading-application-spotted-in-the-wild/, you can see that sometimes hackers use your website as a proxy. A proxy is a buffer to their real location. Some of you ask if we can tell you exactly where the hacker is. Unfortunately we can’t. Not for any legal reason, but because hackers hide behind multiple layers of these proxies.

The website security industry would love to be able to track down hackers, but it’s rarely possible.

For instance, they might be in one country. Their computer connects to a server in South America (that they’ve already compromised), from there to a server in Switzerland, then to a compromised server in North America. The last IP address is all that will appear in your log files. In our example here, the last IP address would be from the compromised server in North America.

When we have access to the log files, we mine the IP addresses out of the log files and report them to the proper abuse department. This is a small step toward making the Internet safer, and is somewhat time-consuming, but we do it to help notify others that they have an infected website or server.

The tool mentioned in that article also shows one of the tools used by hackers to upload infectious content to your site – automatically. Many of you believe that someone is sitting behind a computer and attacking your website, or uploading malicious files to your site.

Not at all.

Most, if not all, of today’s website infections are the result of an automated tool.

After one of the screen captures this caught my attention:

The tool works in a fairly simple way. It requires a list of user names and passwords, which it will then use to automatically upload any given set of files/scripts through the use of automatically syndicated fresh lists of proxies.

So, when the hackers have a list of compromised FTP users, they load it up in this tool and then they can send the same infectious code to hundreds or thousands of websites.

With the log files activated, we can see the FTP account used and the IP address of where the connection originated (the last proxy IP address).

Here’s our Website Security Best Practices for FTP accounts:

  • Create a separate FTP account for each user. Not all hosting providers allow this. Many only allow one. But if you’re with a hosting provider who provides cPanel, then you can create separate FTP accounts. Also make certain they have good strong passwords.
  • Activate the logs. Most hosting providers have the logs turned off by default. They know that nobody other than us ever reads the logs, so why consume so much disk space? Again, if you’re on a cPanel account, scroll down to the section labeled “Statistics” and select the “Access Logs” icon. It might be different on various hosts, but that should get you in the general area. You can check both boxes. If you’re not on a cPanel account, then ask your hosting provider.
  • If you provide access to a web developer or anyone else, ask them what anti-virus program they use on their local computers. Every potential point of entry needs to be accounted for. If they have a virus on their computer and it steals the login credentials for the FTP account you provided them, guess what? You could have the best website security team in the world (yes – us!) and your website will still get infected.
  • Be diligent about the FTP accounts. If someone that you’ve provided FTP access to no longer needs that access, then delete their FTP account. Remember, hackers only need one way in. Yes, this is a pain, but so is getting your website infected.
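Separate accounts plus active logs pay off when you go looking for how a site was compromised: the log names the account whose credentials leaked and the address the connection really came from. The following is an added example, not code from the original post, and it serves both this section and the later observation that compromised sites show successful logins from all over the world. The log format is a constructed, simplified one (not any real FTP server's format), the file names are constructed, and 192.0.2.0/24 stands in for the addresses your own people legitimately connect from.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified FTP log lines (not a real server's format): one line
# per event, with the account and the connecting client address.
LOG_LINES = """\
2014-03-31T08:02:11Z OK LOGIN user=marketing client=192.0.2.15
2014-03-31T08:40:37Z OK LOGIN user=webdev client=192.0.2.77
2014-03-31T10:15:53Z OK LOGIN user=webdev client=106.79.10.18
2014-03-31T10:16:02Z OK UPLOAD user=webdev client=106.79.10.18 file=/public_html/wp-includes/x.php
2014-03-31T11:03:44Z FAIL LOGIN user=webdev client=198.51.100.9
2014-03-31T12:30:09Z OK LOGIN user=webdev client=203.0.113.200
2014-03-31T13:11:28Z OK UPLOAD user=webdev client=203.0.113.200 file=/public_html/500.php
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) (?P<event>LOGIN|UPLOAD) "
    r"user=(?P<user>\S+) client=(?P<ip>\S+)(?: file=(?P<file>\S+))?$"
)


def audit_ftp_log(lines, trusted_networks):
    """Per account: where successful logins came from and what untrusted IPs uploaded."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    report = defaultdict(lambda: {"trusted_ips": set(), "untrusted_ips": set(),
                                  "failed_logins": 0, "untrusted_uploads": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        rec = report[m["user"]]
        ip = ipaddress.ip_address(m["ip"])
        is_trusted = any(ip in net for net in trusted)
        if m["event"] == "LOGIN":
            if m["result"] != "OK":
                rec["failed_logins"] += 1      # attempts are noise; successes matter
                continue
            (rec["trusted_ips"] if is_trusted else rec["untrusted_ips"]).add(str(ip))
        elif m["event"] == "UPLOAD" and m["result"] == "OK" and not is_trusted:
            # files written by an untrusted session are the first thing to inspect
            rec["untrusted_uploads"].append((m["ts"], str(ip), m["file"]))
    # freeze the sets into sorted lists so the result is stable and easy to print
    return {u: {"trusted_ips": sorted(r["trusted_ips"]),
                "untrusted_ips": sorted(r["untrusted_ips"]),
                "failed_logins": r["failed_logins"],
                "untrusted_uploads": r["untrusted_uploads"]}
            for u, r in report.items()}


def likely_stolen_accounts(report):
    """Accounts with at least one successful login from outside the trusted ranges."""
    return sorted(u for u, r in report.items() if r["untrusted_ips"])


if __name__ == "__main__":
    rep = audit_ftp_log(LOG_LINES, ["192.0.2.0/24"])
    for user in likely_stolen_accounts(rep):
        print(user, rep[user]["untrusted_ips"], rep[user]["untrusted_uploads"])
```

Note that the failed login is counted separately and never flags an account: as the later posts stress, the evidence of a stolen password is a successful login from somewhere the account holder has never been, not a pile of failed attempts.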

You’ll notice that we didn’t recommend SFTP as many do.

Why?

We understand how hackers work. While SFTP sounds more secure, the reality is that it really isn’t.

All SFTP does is encrypt the traffic between your computer and the destination – your website. However, there are a few things to mention.

Most hosting providers will only allow you to create one SFTP account and frequently it’s the same account used to login to your hosting account. If you want to provide access to someone who will be making changes to your website – legitimate changes, you have to give them access to your hosting account. If you have 3 or 4 people who need access to your website files, now you have 3 or 4 more potential points of entry for hackers.

With only one account, you have lost the advantage of FTP logging. There will only be one account listed in there. If your website security is compromised, looking in your log files will tell you how it happened, but you have no idea who has the virus that is stealing the account information.

Which brings me to the last reason we don’t recommend SFTP.

We’ve seen the way the viruses/trojans work. They steal the login URL, username and password from your computer. It doesn’t matter if you’re using SFTP or FTP; it steals the login address and protocol. The hackers will login and upload their malicious files using an encrypted channel (SFTP). They can thank you later for thinking of their need for security.

This is the same reason we don’t recommend changing the login URL and username for WordPress. You may have changed your login URL to http://(yoursite.com)/Supercalifragilisticexpialidocious and your admin user to rumpelstiltskin, but when the hackers steal the information, they steal that as well.

Let me know your thoughts about this. Post a comment. Ask a question.

Thank you for your time.


BlackOS helps website hackers automate their “business”

Trend Micro has released a report which gives some details about the automation of website hacking. Their report: http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackos-software-package-sold-in-underground-forums/ set us off on a search for more information.

We found that this software allows hackers to manage large lists of stolen FTP credentials. The hackers can easily inject custom iframe code into compromised websites. The code can be modified to redirect visitors depending on their operating system (Mac, Windows, etc.), browser (Safari, FireFox, Internet Explorer, Chrome, etc.) and even different versions of those operating systems and browsers.

They can even customize their code to redirect based on the referrer (Google, Yahoo, Bing…) and country of origin.

When you see how the hackers talk about easily finding 10,000 websites, it becomes very alarming. One clip we found is this:

Approximately 15-20% have access to FTP SSH, you can also check behind mail + pass on base have access to FTP or SSH. – all accounts reviewed by our SSH server exploits to get root. With 10k SSH accounts you can get in the area of 500 root access to the servers!

What it appears they’re saying is that 15-20% of FTP accounts are also the credentials for SSH. If so, the hackers can gain “root” access via SSH.

Out of 10K accounts you can get about 500 with server root access! Simple backdoor is installed for all ‘root’s to elevate the rights for consequent access.

If you’re on a VPS or dedicated server, this type of access typically means complete server rebuild or reload. When they have root access it’s game over. They won.

Why do we bring this to your attention?

You have to constantly think about all the possible ways hackers have of getting into your server – always.

Frequently we see many FTP accounts created for the various websites on a VPS or dedicated server. If you’re going to host multiple websites on your server, please create a separate cPanel account for each site. That creates a separation between your sites.


Let’s be careful out there

If you’ve read anything online, undoubtedly there have been headlines about exploits, vulnerabilities, identities stolen and other compromises.

Are you one of the 9.3% using Internet Explorer 10 (IE10)? Hopefully, you keep your software updated, as Microsoft did squeak in a patch last Tuesday. However, if you haven’t, please stop reading this and update it and all other Microsoft patches immediately.

FireEye recently found a combination of a watering-hole attack and a drive-by download that uses an exploit for IE10.

You don’t know what a watering-hole attack is?

Let’s say the hackers find an exploit in a particular browser and they want to use that to infect the computers of people most likely to use that browser. They will find one or more websites that focus on that particular group of people. The hackers will then try to infect those websites with some drive-by download code. This means that anyone visiting those websites will be subject to the download which will infect their computer.

After the websites have been infected with the drive-by download code, hackers will blast out a series of SPAM emails that include a link to one of their infectious sites. The SPAM will be targeted to people in the targeted industry. This is called a watering-hole attack.

Just so you don’t think I’m focusing on Microsoft, these same types of attacks happen on FireFox, Chrome and yes, even on Macs.

Your best defense against these and other attacks is to keep your software updated – constantly. This doesn’t mean just your browser, but all Adobe products, your operating system and all other software programs installed on your computer.

April of 2014 will see the end of support for Windows XP and Office 2003. If you haven’t upgraded these yet, you should make plans. Without support from Microsoft, you will no longer get updates to that software. Hackers know there will be many people refusing to upgrade, so not upgrading will make you the “low hanging fruit” for hackers.

In addition to keeping your software updated, please tell everyone you know to use strong passwords. This cannot be emphasized enough. About 30% of the websites we clean are the result of compromised passwords. Make it at least 9 characters long and DO NOT use common, related words.

A recent informal survey we conducted shows that many passwords end with either the year, 123 or the exclamation mark (!). If this sounds familiar, please change your passwords immediately.
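The rules in the two paragraphs above (at least 9 characters, no common or related words, and none of the three endings the survey keeps finding) are easy to turn into a check you can run over a password before accepting it. The following is an added example, not code from the original post; the word list is a constructed, deliberately short stand-in for a real breached-password list, and the related_words parameter is an assumption of this example (things an attacker tries first for a given account: the username, company name, domain).

```python
import re

# Constructed, deliberately short list; a real deployment would load a large
# breached-password wordlist instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer",
                "spring", "winter", "autumn", "monkey", "dragon", "football"}

MIN_LENGTH = 9  # the post's recommendation


def password_problems(password, related_words=()):
    """Return the reasons a password fails the post's rules (empty list = acceptable).

    related_words are things an attacker would try first for this account:
    the username, company name, domain, family names, and so on.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.endswith("!"):
        problems.append('ends with "!"')
    core = password.rstrip("!")            # "Spring2014!" still ends in a year
    if re.search(r"(19|20)\d{2}$", core):
        problems.append("ends with a year")
    if core.endswith("123"):
        problems.append('ends with "123"')
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):      # sorted so the report order is stable
        if word in lowered:
            problems.append(f'contains common word "{word}"')
    for word in related_words:
        if word and word.lower() in lowered:
            problems.append(f'contains related word "{word}"')
    return problems


def is_acceptable(password, related_words=()):
    return not password_problems(password, related_words)


if __name__ == "__main__":
    for candidate in ("Welcome2014", "Spring2014!", "pass123", "mT7#qv9LpZ2w"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The trailing "!" is stripped before the year and 123 checks on purpose: a password that fails the survey's pattern with an exclamation mark tacked on is the same password with one extra guess.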

One other key point that we’ve been “pushing” for some time now is to schedule daily full system scans with your anti-virus software.

Here’s why.

If the anti-virus company finds a new virus “in the wild” on Monday, they will analyze it and create a rule to detect that virus. Then on Tuesday you update your anti-virus software, either automatically or manually, which means your computer is protected from getting infected by that virus from Tuesday onward. However, if your computer was infected by that virus on Monday, your anti-virus program won’t remove it until you run a full system scan.

That’s why it’s critical that you run full system scans – EVERY DAY!

If you have any questions, please either email me at: traef@wewatchyourwebsite.com or post a comment.

Let’s be careful out there, huh?

Thank you for reading.


Our business is a painkiller, not a vitamin.

I recently read an article on entrepreneur.com that asked the question, “Is your product a vitamin, or a painkiller?”

It got me thinking about the thousands of website owners we’ve talked with over the years of removing website malware.

We’ve been told, “You’re a saint!”, “You’re so awesome!”, “I love you for fixing this.” “You’re a genius!” and many other compliments.

You see, rarely do people “want” our service – until they need it. Then, it becomes a must have – immediately.

It appears that most website owners don’t believe they’re on the radar of today’s cyber criminals. They believe that hackers focus more on companies like Target and other high profile websites.

We get asked, “what do they want with my little website?”

I remember years ago, there was a book, “Multiple Streams of Income” by Robert Allen. In that book he describes the need to create multiple streams of income so that you slowly, but purposefully, build your net worth. This strategy protects you from the “all your eggs in one basket” disaster.

Hackers (cyber criminals), use this same strategy. A report from a few years ago by Symantec showed that hackers can make up to $1,000 per computer they infect. I believe this number might be a little high now as the cyber criminal world has increased in members, but it must still be relatively accurate.

Websites are at or very near the 1 billion mark. This creates various opportunities for cyber criminals. They can infect 1,000 or so websites in a week (yes they can!) and use 250 of them to try to infect the computer of anyone visiting those sites. The next 250 websites out of that 1,000 can be used for a phishing campaign that steals the banking login credentials of unsuspecting people. The remaining 500 websites can be sold to another cyber criminal who wishes to send out spam emails that lead people to the phishing websites.

Ah, all in a day’s work!

Hackers have many ways to use your website – for their nefarious purposes.

When it happens, people call us to remove the pain. We become their painkiller.

The pain they encounter includes:

  • Loss of search engine rankings
  • Complaints from visitors
  • A sense of being violated

Website owners want and need our services at that point. Then we become their painkiller. Not a vitamin.

Thank you for reading.


FTP Password Stealing Malware

For years now, I’ve been writing about how often websites are infected by hackers stealing their CMS (WordPress, Joomla, etc.), FTP or hosting account login credentials.

I know that some of our competitors roll their eyes whenever we help someone in a forum seeking help with an infected website and we determine that their site was compromised due to stolen login credentials. However, our experience shows this to be a widely used method by today’s cybercriminals.

Here is a link to an article about how this malware works: http://vinsula.com/hunting-down-ftp-password-stealer-malware-with-vinsula-execution-engine/

In the article you’ll see how this malware works. It seeks certain files on your local computer and sends them to the hackers’ C&C (command and control) server. You’ll see in that article that it also seeks out certain anti-virus programs and either disables them or reconfigures them.

One other interesting point of this article is how they obtained the malware – via an infected email. You have to be suspicious of all emails. We constantly see one that looks like it’s from LinkedIn, but if you hover over the link to see their profile before accepting their invitation to connect, you’ll see it does not go to www.linkedin.com. This is a very cleverly crafted email designed to infect the unsuspecting recipient.

Please share this with others. The more knowledge shared about how hackers (cybercriminals) work, the better and safer we’ll all be. Have any incidents like this to share? Let me know…

Thank you for reading.


What’s the best anti-virus program?

In cleaning and protecting infected websites, we constantly see sites that were infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Oftentimes we can tell by the type of infection, or by where the infectious code is located, whether or not the point of entry to an infected website was stolen passwords.

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you’re using SFTP or FTPS, the “secured” file transfer protocols.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.


Unauthorized access to drupal.org

We received an email yesterday:

Dear community member,

We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org.

We regret that this incident has occurred and want to assure you we are working hard to improve security.

If you have an account with drupal.org or groups.drupal.org you should definitely be changing your password. Also, if you use the same email address and password on other sites, you should change those as well.

Please note, if you read this carefully, the unauthorized access was due to third-party software on the server – NOT a vulnerability in the Drupal software – and does not affect your own Drupal installation.

Just an FYI…


The recent widespread attack on WordPress sites

While we may not have been the first to report this, we have been quietly gathering information and watching.

First, I’d like to start off by saying that this is the “current” attack and most of the suggestions online are temporary fixes for this attack. What about the rest of the time? What about the next attack?

Next, blocking by IP is not going to work. This botnet is so large that the IP addresses could come from anywhere: overseas or even here in the US. This is like blocking user-agents and other easily spoofable settings. Hackers are too smart for this.

Setting your .htaccess to only allow access to your wp-admin or wp-login.php from certain IP addresses is not going to work for everyone. Most people are still on dynamic IP addresses, so locking it down to a select group of IPs will lock you out. Yes, you could go into FTP and delete the rule, but who is going to do that on a regular basis? And are you going to go back after you’ve logged in and change that .htaccess again? And again?

We have seen in more recent attacks that once the hackers infect a local computer, they can launch their attack from there. So the IP address looks like the attack came from your computer.

Also, changing the location of the wp-admin or wp-login.php file is going to help you on this attack, but the more frequent attack we see is the password stealing trojan.

This trojan has infected PCs and Macs and it steals the URL, username and password sequence. You could change the URL to www.yourdomain.com/wp-dontthinkyoulleverguessthis.php, change your username to rumplestiltskin and have a password that’s twice as long as the English alphabet, and you’re still going to have an infected website if you have the password stealing trojan.

If you want to know the username, even if it’s been changed and admin removed, try this with your URL:

http://yourdomain.com/blog/?author=1

Replace the above URL before the ? with the exact URL to your blog. If you get a valid response, you know that you have the admin user still intact. If you’ve changed the admin user or deleted it, you’ll get a response that says something like:

Sorry, but you are looking for something that isn’t here.

To keep searching, change the 1 to a 2 and see what happens. If you get a valid response your URL will have something like:

http://yourdomain.com/author/newadminhere/

Now you know the user ID and the username. Add your dictionary of passwords and continue.
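Because the author-ID walk described above is cheap and automated, its footprint in your access log is distinctive: a run of ?author=N requests, a redirect for each ID that exists, and then a burst of POSTs to wp-login.php from the same client. The following is an added example, not code from the original post, that pulls that pattern out of Apache combined-format log lines; the log lines are constructed, and the threshold of ten login POSTs is an assumption of this example.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed Apache "combined"-style access-log lines: one client walks
# ?author=1,2,3 and then hammers wp-login.php; another client just browses
# and logs in once.
ACCESS_LOG = [
    '203.0.113.5 - - [15/Apr/2013:03:12:07 +0000] "GET /blog/?author=1 HTTP/1.1" 301 0',
    '203.0.113.5 - - [15/Apr/2013:03:12:08 +0000] "GET /blog/?author=2 HTTP/1.1" 301 0',
    '203.0.113.5 - - [15/Apr/2013:03:12:08 +0000] "GET /blog/?author=3 HTTP/1.1" 404 1023',
    '198.51.100.4 - - [15/Apr/2013:03:15:00 +0000] "GET /blog/ HTTP/1.1" 200 15000',
    '198.51.100.4 - - [15/Apr/2013:03:15:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0',
] + [
    f'203.0.113.5 - - [15/Apr/2013:03:12:{20 + i:02d} +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3322'
    for i in range(12)
]

AUTHOR_PROBE = re.compile(r"[?&]author=\d+")


def summarize_wp_activity(lines):
    """Per client IP: author-ID probes, how many disclosed a username, and login POSTs."""
    per_ip = defaultdict(lambda: {"author_probes": 0, "authors_disclosed": 0, "login_posts": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        rec = per_ip[m["ip"]]
        status = int(m["status"])
        if AUTHOR_PROBE.search(m["path"]):
            rec["author_probes"] += 1
            # WordPress answers an existing author ID with a redirect to /author/<name>/,
            # which is exactly the username disclosure the post describes.
            if status in (301, 302):
                rec["authors_disclosed"] += 1
        if m["method"] == "POST" and m["path"].split("?")[0].endswith("/wp-login.php"):
            rec["login_posts"] += 1
    return dict(per_ip)


def suspicious_clients(summary, login_threshold=10):
    """IPs that learned a username by enumeration or made many login attempts."""
    return sorted(ip for ip, r in summary.items()
                  if r["authors_disclosed"] or r["login_posts"] >= login_threshold)


if __name__ == "__main__":
    summary = summarize_wp_activity(ACCESS_LOG)
    for ip in suspicious_clients(summary):
        print(ip, summary[ip])
```

As the post says, blocking the flagged address is of limited value against a botnet; the point of the summary is to know that your usernames are already known and that the login page is being worked, which is the moment to confirm two-factor authentication is on and to check the local machines of everyone who holds a login.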

You could also password protect the wp-admin folder with an .htaccess file. Guess what? The password stealing trojan steals all the information to a successful login even the secondary passwords.

Over the past 2 weeks, we’ve cleaned 1,978 infected websites and 1,755 of them were compromised due to the password stealing trojan. (62% of the people we’ve helped were using Macs). We have the log files to prove it. We see a website owned by someone here in the US and we see successful logins from all over the world. That is proof.

We hear all the time, “I don’t need anti-virus because I’m on a Mac”. Or, “I don’t have a virus. I know what websites to stay away from.” Really? Because that person’s website was infected and was using a browser exploit to attack the computers of visitors to his site. Surely that person must stay away from their own website then, right?

What does work?

Keep your local computer clean. Install something to detect malicious behavior.

Two-factor authentication works. Captcha is good for now, but we keep seeing reports where hackers have cracked many captchas. But for the automated attacks of hackers, it works well.

Use something like LastPass or on a Mac use KeyChain. Do not save the login credentials in your browser – DO NOT! This is too easy for hackers to steal.

Create a separate user on your local computer and use that for day-to-day work and only log in as administrator when you need to do updates or install software. Keep in mind that when a virus/trojan breaches your computer it has the same access as the currently logged in user. If you have admin rights, guess what? So does the virus/trojan.

In our honeypot analysis of this current attack, it appears that while the hackers are using a dictionary attack of pre-created passwords, they also have buried in their password lists legitimate passwords stolen from computers.

We see the attempted passwords and too many of them are so bizarre that they couldn’t have been part of a computer generated password dictionary.

If you want to hide your real intention, why not bury it inside a larger attack that will cause a lot of frenzy and confusion?

We believe the hackers responsible for this attack are sitting back and laughing at the frenzy they’ve created knowing that their real intention totally slipped by everyone – well almost everyone.


Hackers using errors to redirect websites

Our website malware removal service has removed malware from over 151,000 websites. In our most recent cleanings we have seen hackers adding malicious code to 500.php files (which handle website errors of a specific type), and then creating a hidden error in the website to make the site call the 500.php file and thus run their malicious code.

The strategy isn’t new, but the method we found recently was quite unique.

The sites we were working on were WordPress sites. The owners of these sites were very diligent about keeping their WordPress core files updated and their plugins too, however, they were less diligent about keeping their own local computers safe.

You see, all of these particular site owners were Mac users. I don’t have anything against Macs, but the fact that Mac users have been told for so long that they don’t need any anti-virus software leaves them vulnerable.

Whether it’s because Macs have finally reached enough popularity, or hackers know most Mac users don’t have any method to detect them, Macs are on the radar of hackers.

We will be posting steps to follow to make your Mac more difficult for hackers to infect.

The specific malicious code found in the 500.php files won’t be posted here because we found some quite radically different code in the sites we’ve recently cleaned. Let’s just say that you should check all of your error pages for anything that doesn’t look like it belongs.

The common thread in these most recent website malware cleanings was that they were all WordPress sites and each one of them, after we removed the malicious code in the error files, would redirect to the /wp-admin/install.php file and give us a 500 error. Upon further investigation (thank you Ty) it was discovered that the database table prefix in the wp-config.php file specified wp_ but the actual tables in the database had prefixes that were quite different. This was the error that the hackers were producing.

By changing the table name prefix, there wasn’t any specific file evidence of anything being changed, except for the 500.php files, but most people see those, know they were put there by the hosting provider and never think twice about them.
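The prefix mismatch is easy to miss by eye because wp-config.php looks untouched and the tables are all still there, just under a different name. The following is an added example, not code from the original post or from WordPress, that compares the $table_prefix in wp-config.php against the table names reported by the database (the SHOW TABLES output is constructed here, as is the xk9_ prefix) and reports the exact symptom described above: every core table missing under the configured prefix while a complete set exists under another one.

```python
import re

# Constructed wp-config.php fragment (only the line that matters here).
WP_CONFIG = """\
<?php
define('DB_NAME', 'example_wp');
$table_prefix = 'wp_';
"""

# Core tables every WordPress install has; used to decide whether the
# configured prefix actually matches anything in the database.
CORE_TABLES = ("options", "posts", "users", "usermeta", "postmeta", "terms")

# Constructed outputs of SHOW TABLES: a healthy site and a site whose tables
# were renamed so that the configured 'wp_' prefix no longer matches.
TABLES_HEALTHY = ["wp_options", "wp_posts", "wp_users", "wp_usermeta", "wp_postmeta", "wp_terms"]
TABLES_TAMPERED = ["xk9_options", "xk9_posts", "xk9_users", "xk9_usermeta", "xk9_postmeta", "xk9_terms"]


def configured_prefix(config_text):
    """Extract $table_prefix from wp-config.php text."""
    m = re.search(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", config_text, re.MULTILINE)
    if not m:
        raise ValueError("no $table_prefix assignment found")
    return m.group(1)


def prefixes_in_database(tables):
    """Every prefix that has an '<prefix>options' table, i.e. looks like a WP install."""
    return sorted(t[: -len("options")] for t in tables if t.endswith("options"))


def check_table_prefix(config_text, tables):
    """Compare the configured prefix with what the database actually contains."""
    prefix = configured_prefix(config_text)
    present = set(tables)
    missing = [prefix + t for t in CORE_TABLES if prefix + t not in present]
    found = prefixes_in_database(tables)
    return {
        "configured_prefix": prefix,
        "missing_core_tables": missing,
        "prefixes_in_database": found,
        # all core tables missing under the configured prefix while a complete
        # set exists under another one: WordPress then thinks it is not
        # installed and bounces to wp-admin/install.php, as the post describes
        "looks_renamed": len(missing) == len(CORE_TABLES) and bool(found),
    }


if __name__ == "__main__":
    print(check_table_prefix(WP_CONFIG, TABLES_HEALTHY))
    print(check_table_prefix(WP_CONFIG, TABLES_TAMPERED))
```

Run against a live site, the table list would come from SHOW TABLES on the database named in wp-config.php; the check itself does not need write access, which makes it a reasonable thing to add to a periodic integrity check alongside hashing the error pages.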

The strategy here was to infect the page that an error would redirect to and then create a hidden error to cause that error page to be run. Wile-E-Coyote, Super Genius!

I know what you’re thinking (did he fire 6 shots or only 5…) not that. If the website owners had kept everything up-to-date, how did the hackers gain access?

As mentioned, each of these specific infected websites was owned or operated by people with Macs. In our forensic analysis of website infections we always review the log files if available. In each case we found evidence of IP addresses from outside the country of the website owner being used to login to the WordPress dashboard.

Of course many people tell us that’s impossible because they have passwords that are 12 characters long and have a combination of upper and lower case letters, numbers and special characters. Or in a few of these cases, the people had followed the popular WordPress security recommendations and removed the admin user and also used plugins that allowed them to change the name and location of the wp-admin folder. How does a hacker breach a website that has followed all of these steps?

With WordPress being so popular and many people having websites, hackers know that if they infect a local computer, chances are good that the user will have some login to a website. The hackers put keyboard loggers on local computers and just wait for the user to login to a website.

What do they record?

The URL, the username and the password. Even if your login URL has been changed to mydomain.com/837ujdndtgkdhghs6s0d6, your username changed to Rumplestiltskin and your password is nothing short of “Supercalifragilisticexpialidocious” with every other “a” replaced with @ and every third “i” replaced with either a “1”, an “l” or an “!”, the hackers’ malware on your local computer will steal all that information.

Keep in mind, hackers only need one way in to your website. You must know their methods and block them all.

In order to keep your website safe and secure, you must be certain that everyone to whom you provide login rights for your website has their local computer fully secured. Otherwise, you’ll be calling us to help you clean your site.