

BlackOS helps website hackers automate their “business”

Trend Micro has released a report that gives some details about a software package, sold in underground forums, for automating website hacking. Their report (http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackos-software-package-sold-in-underground-forums/) set us off on a search for more information.

We found that this software lets hackers manage large lists of stolen FTP credentials and, using those credentials, inject custom iframe code into the compromised websites. The injected code can be made to redirect visitors depending on their operating system (Mac, Windows, etc.), browser (Safari, Firefox, Internet Explorer, Chrome, etc.) and even specific versions of those operating systems and browsers.

They can also condition the redirect on the referrer (Google, Yahoo, Bing…) and on the visitor's country of origin, so that, for example, only search-engine traffic from a chosen country ever sees the malicious content, while the site owner, who types the address in directly, keeps seeing a clean page.
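To see what that kind of injection looks like on disk, and how to find it, here is an added example of a scanner that walks a web root for hidden iframes, obfuscated PHP and browser/referrer conditionals. It is not BlackOS and not code from this site; the two sample files it scans are constructed, and every rule is a heuristic, so hits are things to read, not proof of infection.

```python
"""Scan a web root for injected, conditionally served iframes and redirect code.
Added example, not BlackOS and not this site's own tooling; the sample files
written by demo() are constructed. Every rule is a heuristic."""
import os
import re
import tempfile

RULES = [
    # An iframe nobody is meant to see: hidden, 0/1 pixel, or pushed off-screen.
    ("hidden_iframe", re.compile(
        r"""<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*["']?[01]\b"""
        r"""|height\s*=\s*["']?[01]\b|left\s*:\s*-\d{3,}px)[^>]*>""", re.I)),
    # Payloads are usually stored encoded and decoded at request time.
    ("php_obfuscation", re.compile(
        r"""\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(""", re.I)),
    # Branching on the visitor's browser or referrer, followed by a redirect or an iframe.
    ("conditional_redirect_php", re.compile(
        r"""HTTP_(?:USER_AGENT|REFERER)[\s\S]{0,400}?(?:header\s*\(\s*["']Location:|<iframe)""", re.I)),
    ("conditional_redirect_js", re.compile(
        r"""navigator\.userAgent[\s\S]{0,300}?(?:window\.location|location\.href|<iframe)""", re.I)),
]

def scan_text(text, rules=RULES):
    """Return [(rule_name, line_number, snippet)] for every hit in one file."""
    hits = []
    for name, rx in rules:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((name, line, text[m.start():m.start() + 60].replace("\n", " ")))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map each file (relative path, '/' separated) to its hits; clean files are omitted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample files: one clean theme file, one with an injected conditional iframe.
CLEAN_INDEX = "<?php get_header(); ?>\n<p>Welcome</p>\n<?php get_footer(); ?>\n"
INFECTED_FOOTER = """<?php
// constructed sample of an injected conditional redirect (not real malware)
$ua = $_SERVER['HTTP_USER_AGENT']; $ref = $_SERVER['HTTP_REFERER'];
if (strpos($ua, 'Windows') !== false && preg_match('/google|bing|yahoo/i', $ref)) {
    echo '<iframe src="http://example.invalid/x" width="1" height="1" style="display:none"></iframe>';
}
eval(base64_decode('Li4u'));  // the real payload would be decoded and run here
?>
"""

def demo():
    """Lay the two sample files out like a WordPress install and scan them."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "xyz")
        os.makedirs(theme)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN_INDEX)
        with open(os.path.join(theme, "footer.php"), "w") as fh:
            fh.write(INFECTED_FOOTER)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        for rule, line, snippet in hits:
            print("%s:%d  %s  %s" % (path, line, rule, snippet))
```

Point `scan_tree()` at a real document root to use it; expect some noise from legitimate analytics and theme code, which is why the snippet and line number are reported rather than a verdict.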

When you see how casually the sellers talk about working through 10,000 compromised sites, it becomes very alarming. One clip we found is this:

Approximately 15-20% have access to FTP SSH, you can also check behind mail + pass on base have access to FTP or SSH. – all accounts reviewed by our SSH server exploits to get root. With 10k SSH accounts you can get in the area of 500 root access to the servers!

What they appear to be saying is that 15-20% of the stolen FTP credentials also work for SSH on the same server, because the same system account is often behind both. An SSH login is a shell, not root, so the next step they describe is running local privilege-escalation exploits on the server; they expect that to work on roughly one server in twenty, which is where "500 root access" out of 10,000 accounts comes from.

Out of 10K accounts you can get about 500 with server root access! Simple backdoor is installed for all ‘root’s to elevate the rights for consequent access.

If you're on a VPS or dedicated server, this type of access typically means a complete rebuild from known-good media and backups, not a cleanup. Once they have root, and the quote above says a backdoor is planted to keep it, nothing on that system can be trusted any more, including the tools you would use to check it. It's game over. They won.

Why do we bring this to your attention?

You have to constantly think about all the possible ways hackers have of getting into your server – always.

Frequently we see many FTP accounts created under a single hosting account for the various websites on a VPS or dedicated server. If you're going to host multiple websites on your server, please create a separate cPanel account for each site. Each cPanel account runs as its own system user with its own home directory, so a stolen FTP password for one site cannot be used to write into the others; extra FTP accounts added inside one cPanel account all land in that same account's files.


Let’s be careful out there

If you’ve read anything online, undoubtedly there have been headlines about exploits, vulnerabilities, identities stolen and other compromises.

Are you one of the 9.3% using Internet Explorer 10 (IE10)? Hopefully you keep your software updated, as Microsoft did squeak in a patch last Tuesday. If you haven't, please stop reading this and install it, along with all other outstanding Microsoft patches, immediately.

FireEye recently found a watering-hole attack that used a drive-by download to exploit that IE10 vulnerability.

You don’t know what a watering-hole attack is?

Let's say the hackers have an exploit for a particular browser and want to use it to infect the computers of a particular group of people. Rather than going after those people directly, they find one or more websites that group already visits regularly (an industry news site, a trade association, a popular forum) and compromise those sites, adding drive-by download code. Anyone visiting those sites with a vulnerable browser is silently served the exploit and infected.

That is a watering-hole attack: like a predator waiting at the water hole, the attacker waits where the prey is known to come. The victims don't have to be lured there at all, which is what separates it from a phishing campaign. That said, we do also see attackers blast out targeted spam, aimed at the same industry, with links to the infected sites to drive more of the right people to them.

Just so you don't think I'm focusing on Microsoft, these same types of attacks happen on Firefox, Chrome and yes, even on Macs.

Your best defense against these and other attacks is to keep your software updated – constantly. This doesn’t mean just your browser, but all Adobe products, your operating system and all other software programs installed on your computer.

April 2014 brings the end of support for Windows XP and Office 2003. If you haven't upgraded yet, make plans now. Without support from Microsoft you will no longer get security updates, so any vulnerability found after that date stays open for good. Hackers know that many people will refuse to upgrade, and those who stay put become the "low hanging fruit".

In addition to keeping your software updated, please tell everyone you know to use strong passwords. This cannot be emphasized enough. About 30% of the websites we clean are the result of compromised passwords. Make it at least 9 characters long and DO NOT use common or related words.

A recent informal survey we conducted shows that many passwords end with either the year, 123 or the exclamation mark (!). If this sounds familiar, please change your passwords immediately.

One other key point that we’ve been “pushing” for some time now is to schedule daily full system scans with your anti-virus software.

Here’s why.

If the anti-virus company finds a new virus "in the wild" on Monday, they will analyze it and create a signature to detect it. On Tuesday your anti-virus software picks up that signature, automatically or manually, and from Tuesday on the real-time scanner will stop that virus when it arrives. However, if your computer was already infected by that virus on Monday, the file is already sitting on your disk, and the real-time scanner generally only looks at files as they are written or run. The new signature isn't applied to what is already there until you run a full system scan.

That’s why it’s critical that you run full system scans – EVERY DAY!

If you have any questions, please either email me at: traef@wewatchyourwebsite.com or post a comment.

Let’s be careful out there, huh?

Thank you for reading.


Our business is a painkiller, not a vitamin.

I recently read an article on entrepreneur.com that asked the question, “Is your product a vitamin, or a painkiller?”

It got me thinking about the thousands of website owners we’ve talked with over the years of removing website malware.

We’ve been told, “You’re a saint!”, “You’re so awesome!”, “I love you for fixing this.” “You’re a genius!” and many other compliments.

You see, rarely do people “want” our service – until they need it. Then, it becomes a must have – immediately.

It appears that most website owners don’t believe they’re on the radar of today’s cyber criminals. They believe that hackers focus more on companies like Target and other high profile websites.

We get asked, “what do they want with my little website?”

I remember years ago, there was a book, “Multiple Streams of Income” by Robert Allen. In that book he describes the need to create multiple streams of income so that you slowly, but purposefully, build your net worth. This strategy protects you from the “all your eggs in one basket” disaster.

Hackers (cyber criminals), use this same strategy. A report from a few years ago by Symantec showed that hackers can make up to $1,000 per computer they infect. I believe this number might be a little high now as the cyber criminal world has increased in members, but it must still be relatively accurate.

Websites are at or very near the 1 billion mark, which creates all kinds of opportunities for cyber criminals. They can infect 1,000 or more websites in a week (yes they can!) and use 250 of them to try to infect the computer of anyone visiting those sites. The next 250 of that 1,000 can be used for a phishing campaign that steals the banking login credentials of unsuspecting people. The remaining 500 can be sold to another cyber criminal who wants to send out spam emails that lead people to the phishing websites.

Ah, all in a day's work!

Hackers have many ways to use your website – for their nefarious purposes.

When it happens, people call us to remove the pain. We become their painkiller.

The pain they encounter includes:

  • Loss of search engine rankings
  • Complaints from visitors
  • A sense of being violated

Website owners want and need our services at that point. Then we become their painkiller. Not a vitamin.

Thank you for reading.


Our automated malware removal software for VPS and dedicated servers

As some of you know, we’ve been busy adding more features to our VPS and dedicated server software.

I thought it was time to let you know what we’ve been working on.

Currently our software works amazingly well at detecting the instant any files are changed or added to a VPS or dedicated server. If infected, it quarantines the original file and cleans it. If the infected file is a backdoor, it automatically removes it.

However, that is where our software stops – until now.

Our latest upgrade reads the log files as well. So when a file in the themes folder of a WordPress site is infected, our software reads the log files and can tell that the change followed a login made with a stolen password. We now get a notification like this:

2013/12/23:06:03PM Samplewebsite.com had /public_html/wp-content/themes/xyz/index.php, header.php, footer.php files infected with the following code:
(malicious code would be displayed here)
According to the log files, a successful login was recorded from: 123.456.789.000 (country of origin shown here). This indicates that a stolen password was used.

So, not only will our software be able to clean the site, but it can also determine how it happened so we know, as your website security department, what to do to protect it.

Currently, for VPS and dedicated servers running cPanel, we can also determine whether the infection came in through a form on the infected website, through FTP, or by one of many other methods.

As part of our next development, we are working on tying into cPanel so we can change passwords on the fly as well. Imagine that your site was infected due to stolen FTP passwords. Wouldn’t it be nice to have our software, change the password for you, record it and save it? That would be like self-healing.

This would prevent a recurrence through that particular stolen credential. It won't help for long if the password-stealing trojan is still on the owner's computer, because the new password will be stolen the next time it is used, which is why the notification matters as much as the reset. We get notified, you get notified. It's a beautiful thing.

We’re also working on auto-reporting to hosting providers. In our above scenario, we see that the IP address of: 123.456.789.000 is for a certain hosting provider. Our system will send an email with sanitized log file entries to abuse@… notifying that hosting provider that they have an infected site/server that is being used to launch attacks on other websites. We do this manually now and it’s been working quite well.

The hosting providers have been very quick to take care of the situation which just removes one more infected system from the Internet.

Another development in this latest update is that all file changes are sent to us, so that we can analyze them further and determine whether a new type of infection has been released. With over 500 installations of our software on clients' VPSs and dedicated servers, we're growing our database of infectious code, which helps us help you.

If you have any other needs or wants, please send them to me and I’ll research the idea and it could be included in one of our upcoming releases.

Questions? Let me know…

If you’re a hosting provider and would like to offer this to your VPS and dedicated server customers, feel free to contact me.

You can always contact me at: traef@wewatchyourwebsite.com

Thank you.


Internet Storm Center sets Threat Level to Yellow

Due to the appearance of exploits targeting the vulnerabilities in Internet Explorer 8 and Internet Explorer 9, Internet Storm Center (http://isd.sans.edu) has raised the Threat Level to Yellow.

You can read their write-up here:


As always, keep your browser updated.

You know hackers will be infecting websites with code that targets this vulnerability. That means that if your website is infected, any visitor using Internet Explorer 8 or 9 could have their computer infected just by loading one of your pages.

Please post back if you have any questions or comments.

Thank you.



FTP Password Stealing Malware

For years now, I’ve been writing about how often websites are infected by hackers stealing their CMS (WordPress, Joomla, etc.), FTP or hosting account login credentials.

I know that some of our competitors roll their eyes whenever we help someone in a forum seeking help with an infected website and we determine that their site was compromised due to stolen login credentials. However, our experience shows this to be a widely used method by today’s cybercriminals.

Here is a link to an article about how this malware works: http://vinsula.com/hunting-down-ftp-password-stealer-malware-with-vinsula-execution-engine/

In the article you'll see how this malware works. It seeks out certain files on your local computer (typically the saved-credential files of FTP clients) and sends them to the hackers' C&C (command and control) server. You'll also see that it looks for certain anti-virus programs and either disables them or reconfigures them.

One other interesting point of this article is how they obtained the malware – via an infected email. You have to be suspicious of all emails. We constantly see one that looks like it’s from LinkedIn, but if you hover over the link to see their profile before accepting their invitation to connect, you’ll see it does not go to www.linkedin.com. This is a very cleverly crafted email designed to infect the unsuspecting recipient.

Please share this with others. The more knowledge shared about how hackers (cybercriminals) work, the better and safer we'll all be. Have any incidents like this to share? Let me know…

Thank you for reading.


What’s the best anti-virus program?

In cleaning infected websites and protecting them, we constantly see infected websites that have been infected due to stolen passwords.

Which passwords?

That all depends. Sometimes it’s the CMS (WordPress, Joomla, Drupal, etc.) or the ecommerce (Zen Cart, osCommerce, etc.). Other times it’s either the hosting account or the FTP account’s password that is stolen.

How can we tell?

There are numerous ways of determining when stolen passwords were used as the point of entry into a hosting account or website, but frequently we can see successful logins in the log files from places all over the world. Mind you, these are not attempted logins, but actual logins.

Often times we can tell by the type of infection or where the infectious code is located, whether or not the point of entry to an infected website is via stolen passwords.
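The log-file check that the monitoring software described earlier on this page performs, and the "successful logins from all over the world" we look for here, as an added example that is not the software itself: it parses access-log lines, separates successful dashboard logins from failed ones by status code, and ties a file change to the session that preceded it. The log lines, the file-change event and the addresses are constructed (documentation ranges), and the country lookup is left as a comment because it needs a GeoIP database.

```python
"""Correlate a file change on a WordPress site with the dashboard login that
preceded it, using the web server's access log. Added example, not the
monitoring software described on this page; log lines, file-change events
and IP addresses below are constructed."""
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
Entry = namedtuple("Entry", "ip ts method path status ua")

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def parse_log(lines):
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines in another format are skipped, not guessed at
            entries.append(Entry(m["ip"], parse_ts(m["ts"]), m["method"],
                                 m["path"], int(m["status"]), m["ua"]))
    return entries

def successful_logins(entries):
    """WordPress answers a correct password with a 302 to wp-admin; a wrong one
    re-renders the form with a 200, so the status code separates the two."""
    return [e for e in entries
            if e.method == "POST" and e.path.startswith("/wp-login.php") and e.status == 302]

def failed_logins_by_ip(entries):
    """Dictionary attacks show up here as long runs of 200s from one address."""
    return Counter(e.ip for e in entries
                   if e.method == "POST" and e.path.startswith("/wp-login.php") and e.status == 200)

def correlate(entries, changes, window=timedelta(minutes=30), trusted_ips=()):
    """For each (file, changed_at) pair, list the successful logins in the preceding
    window together with what that address POSTed between logging in and the change."""
    findings = []
    for path, changed_at in changes:
        for lg in successful_logins(entries):
            if changed_at - window <= lg.ts <= changed_at:
                posts = [e.path.split("?")[0] for e in entries
                         if e.ip == lg.ip and lg.ts < e.ts <= changed_at and e.method == "POST"]
                findings.append({"file": path, "ip": lg.ip, "login_at": lg.ts,
                                 "trusted": lg.ip in trusted_ips, "posts_after_login": posts})
    return findings

def report(findings):
    lines = []
    for f in findings:
        # Country of origin would come from a GeoIP lookup of f["ip"]; omitted here.
        verdict = "known address" if f["trusted"] else "NOT a known address: stolen password likely"
        lines.append("%s changed; login from %s at %s (%s); then POSTed to %s" % (
            f["file"], f["ip"], f["login_at"].isoformat(), verdict,
            ", ".join(f["posts_after_login"]) or "nothing"))
    return lines

# Constructed access log: the owner's login in the morning, a failed dictionary run
# at noon, and an evening login from elsewhere that goes straight to the theme editor.
SAMPLE_LOG = """\
192.0.2.50 - - [23/Dec/2013:09:00:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "http://samplewebsite.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [23/Dec/2013:12:10:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/1.2"
198.51.100.9 - - [23/Dec/2013:12:10:04 -0600] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/1.2"
198.51.100.9 - - [23/Dec/2013:12:10:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "python-requests/1.2"
203.0.113.7 - - [23/Dec/2013:17:58:12 -0600] "GET /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2013:17:58:20 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "http://samplewebsite.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2013:17:59:01 -0600] "GET /wp-admin/theme-editor.php?file=header.php&theme=xyz HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2013:18:02:44 -0600] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://samplewebsite.com/wp-admin/theme-editor.php" "Mozilla/5.0"
""".splitlines()

# Constructed file-change event, as a file-integrity monitor would report it.
CHANGES = [("/public_html/wp-content/themes/xyz/header.php", parse_ts("23/Dec/2013:18:02:45 -0600"))]
TRUSTED = {"192.0.2.50"}  # the owner's usual address

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for line in report(correlate(entries, CHANGES, trusted_ips=TRUSTED)):
        print(line)
    print("failed login attempts by address:", dict(failed_logins_by_ip(entries)))
```

On a real server the trusted list comes from the owner, and the file-change events from whatever integrity monitor you run; the point of the correlation is that a 302 from wp-login.php followed minutes later by a POST to the theme editor and a changed theme file is a complete story, not a guess.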

How does this happen?

Typically there is a virus on someone’s local computer that is stealing the password. When this happens you can “cloak” your WordPress login page, you can have a 52 character password with multiple special characters, you can rename the admin account, but none of this matters as the password stealing viruses and trojans steal: the login URL, the username and the password.

This can also happen if you're using SFTP or FTPS, the "secured" file transfer protocols. Encryption protects the password on the wire, not on the computer it is typed into or saved on; the stealer takes it before it is ever encrypted, or reads it out of the client's saved-site list.

Yes, this even happens to Mac users. Quite often we find that Mac owners don’t have any anti-virus program or they’re using ClamAV for Mac.

With everyone seeking “free” anti-virus programs, we typically recommend: Free version of Avast for Mac, or Sophos for Mac.

On PCs, the most used anti-virus program is Microsoft Security Essentials. That is not what we recommend, but that is what most people are using.

Today, I read an article that gives some details into why Microsoft Security Essentials may not be a reliable program to use if you’re trying to keep your PC safe.

Here is the article I read:

Please understand I am not a Microsoft hater. I don’t hate anyone. But in our efforts to lower our already low re-infection rate (currently at .048%) we like to recommend products that will save you money and be highly effective.

If you could take a minute, let me know what anti-virus program you use and whether you’re on a Mac or a PC.

Thank you.


Unauthorized access to drupal.org

We received an email yesterday:

Dear community member,

We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org.

We regret that this incident has occurred and want to assure you we are working hard to improve security.

If you have an account with drupal.org or groups.drupal.org you should definitely be changing your password. Also, if you use the same email address and password on other sites, you should change those as well.

Please note, if you read this carefully, the unauthorized access was due to third-party software on the server, NOT a vulnerability in the Drupal software, and it does not affect your own Drupal installation.

Just an FYI…


The recent widespread attack on WordPress sites

While we may not have been the first to report this, we have been quietly gathering information and watching.

First, I’d like to start off by saying that this is the “current” attack and most of the suggestions online are temporary fixes for this attack. What about the rest of the time? What about the next attack?

Next, blocking by IP is not going to work. This botnet is so large that the IP addresses could come from anywhere: overseas or even here in the US. This is like blocking user-agents and other easily spoofable settings. Hackers are too smart for this.

Setting your .htaccess to only allow access to wp-admin or wp-login.php from certain IP addresses is not going to work for everyone. Most people are still on dynamic IP addresses, so locking it down to a select group of IPs will eventually lock you out. Yes, you could go in over FTP and delete the rule, but who is going to do that on a regular basis? And are you going to go back after you've logged in and change that .htaccess again? And again?

We have seen in more recent attacks that once the hackers infect a local computer, they can launch their attack from there. So the IP address looks like the attack came from your computer.

Also, changing the location of the wp-admin or wp-login.php file is going to help you on this attack, but the more frequent attack we see is the password stealing trojan.

This trojan has infected PCs and Macs and it steals the URL, username and password as a set. You could change the URL to www.yourdomain.com/wp-dontthinkyoulleverguessthis.php, change your username to rumplestiltskin and have a password twice as long as the English alphabet, and you're still going to have an infected website if you have the password-stealing trojan.

If you want to know the username, even if it’s been changed and admin removed, try this with your URL:


Replace the part of the above URL before the ? with the exact URL of your blog. If you get a valid response (a redirect to an author archive page), you know that user ID 1, the first account created on the site and normally the original admin, still exists, and the URL you land on contains that user's name. If you've deleted it (renaming it isn't enough; the ID and its archive URL stay), you'll get a response that says something like:

Sorry, but you are looking for something that isn’t here.

To keep searching, change the 1 to a 2 and see what happens. If you get a valid response your URL will have something like:


Now the attacker knows the user ID and the username, and all that is left is a password dictionary.
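The enumeration steps above in code, as an added example; the post's own example URLs are not reproduced here. WordPress answers a request for /?author=N for an existing user either with a redirect to /author/<nicename>/ (pretty permalinks) or with the archive page whose body class contains author-<nicename>, and the nicename defaults to the login name. The FakeWordPress responder is a constructed stand-in so the example runs offline; http_fetch is the real fetcher, for a site you are authorised to test.

```python
"""Recover WordPress user names through the author-ID redirect. Added example,
not the page's own tooling; FakeWordPress is a constructed stand-in."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

NICENAME_IN_LOCATION = re.compile(r"/author/([^/?#]+)")
NICENAME_IN_BODY = re.compile(r"""<body[^>]*\bclass="[^"]*\bauthor-([A-Za-z0-9_.-]+)""")

def probe_author(fetch, base_url, author_id):
    """Return the nicename behind author_id, or None if there is no such user.
    fetch(url) -> (status, headers, body) and must NOT follow redirects,
    because the Location header is where the name is."""
    status, headers, body = fetch(urljoin(base_url, "/?author=%d" % author_id))
    if status in (301, 302):
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        m = NICENAME_IN_LOCATION.search(location)
    elif status == 200:
        m = NICENAME_IN_BODY.search(body)
    else:
        m = None
    return m.group(1) if m else None

def enumerate_authors(fetch, base_url, max_id=20, stop_after_misses=3):
    """Walk IDs upward; IDs need not be contiguous (deleted users), so tolerate gaps."""
    found, misses = {}, 0
    for author_id in range(1, max_id + 1):
        name = probe_author(fetch, base_url, author_id)
        if name:
            found[author_id], misses = name, 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back instead of following it

def http_fetch(url, timeout=10):
    """Real fetcher: status, headers and body of the *first* response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx and 4xx land here when redirects are off
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

class FakeWordPress:
    """Constructed stand-in: users 1 and 3 exist, 2 was deleted, nothing above 3."""
    users = {1: "tom", 3: "rumplestiltskin"}

    def __init__(self, pretty_permalinks=True):
        self.pretty = pretty_permalinks
        self.requests = []

    def __call__(self, url):
        self.requests.append(url)
        m = re.search(r"[?&]author=(\d+)", url)
        name = self.users.get(int(m.group(1))) if m else None
        if name is None:
            return 404, {}, '<html><body class="error404">Not found</body></html>'
        if self.pretty:
            return 301, {"Location": "http://example.invalid/author/%s/" % name}, ""
        return 200, {}, '<html><body class="archive author author-%s">...</body></html>' % name

if __name__ == "__main__":
    fake = FakeWordPress()
    print(enumerate_authors(fake, "http://example.invalid/"))  # {1: 'tom', 3: 'rumplestiltskin'}
    print(len(fake.requests), "requests")
```

The defensive counterpart is not to hide the login URL but to stop treating the username as a secret: rate-limit or add a second factor to wp-login.php, and, if you want this particular leak closed, add a rewrite rule that refuses requests whose query string contains author= followed by digits.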

You could also password protect the wp-admin folder with an .htaccess file. Guess what? The password stealing trojan steals all the information to a successful login even the secondary passwords.

Over the past 2 weeks, we’ve cleaned 1,978 infected websites and 1,755 of them were compromised due to the password stealing trojan. (62% of the people we’ve helped were using Macs). We have the log files to prove it. We see a website owned by someone here in the US and we see successful logins from all over the world. That is proof.

We hear all the time, "I don't need anti-virus because I'm on a Mac". Or, "I don't have a virus. I know what websites to stay away from." Really? Because that person's website was infected and was serving a browser exploit to the computers of visitors to his site. Surely that person must stay away from their own website then, right?

What does work?

Keep your local computer clean. Install something to detect malicious behavior.

Two-factor authentication works. Captcha is good for now, but we keep seeing reports where hackers have cracked many captchas. But for the automated attacks of hackers, it works well.

Use something like LastPass or, on a Mac, Keychain. Do not save the login credentials in your browser – DO NOT! That is too easy for hackers to steal.

Create a separate user on your local computer and use that for day-to-day work and only log in as administrator when you need to do updates or install software. Keep in mind that when a virus/trojan breaches your computer it has the same access as the currently logged in user. If you have admin rights, guess what? So does the virus/trojan.

In our honeypot analysis of this current attack, it appears that while the hackers are using a dictionary attack of pre-created passwords, they also have buried in their password lists legitimate passwords stolen from computers.

We see the attempted passwords and too many of them are so bizarre that they couldn’t have been part of a computer generated password dictionary.

If you want to hide your real intention, why not bury it inside a larger attack that will cause a lot of frenzy and confusion?

We believe the hackers responsible for this attack are sitting back and laughing at the frenzy they’ve created knowing that their real intention totally slipped by everyone – well almost everyone.


Hackers using errors to redirect websites

Our website malware removal service has removed malware from over 151,000 websites. In our most recent cleanings we have seen hackers adding malicious code to 500.php files (the custom error page a server shows for HTTP 500 errors), and then deliberately introducing a hidden error into the website so that page requests trigger the 500 handler and run their code.

The strategy isn’t new, but the method we found recently was quite unique.

The sites we were working on were WordPress sites. The owners of these sites were very diligent about keeping their WordPress core files updated and their plugins too, however, they were less diligent about keeping their own local computers safe.

You see, all of these particular site owners were Mac users. I don’t have anything against Macs, but the fact that Mac users have been told for so long that they don’t need any anti-virus software leaves them vulnerable.

Whether it’s because Macs have finally reached enough popularity, or hackers know most Mac users don’t have any method to detect them, Macs are on the radar of hackers.

We will be posting steps to follow to make your Mac more difficult for hackers to infect your Mac investment.

The specific malicious code found in the 500.php files won’t be posted here because we found some quite radically different code in the sites we’ve recently cleaned. Let’s just say that you check all of your error pages for anything that doesn’t look like it belongs.

The common thread in these most recent website malware cleanings was that they were all WordPress sites and each one of them, after we removed the malicious code from the error files, would redirect to /wp-admin/install.php and give us a 500 error. Upon further investigation (thank you Ty) it was discovered that wp-config.php specified the table prefix wp_, but the tables actually in the database carried a different prefix. A WordPress install that cannot find its options table under the configured prefix decides it has not been installed yet and sends requests to wp-admin/install.php; that was the hidden error the hackers were manufacturing, and the 500 page it led to is where their code ran.

Because the change was made to the table names in the database rather than to any file, there wasn't any file evidence of anything being changed, except for the 500.php files, and most people see those, assume the hosting provider put them there, and never think twice about them.

The strategy here was to infect the page that an error would redirect to and then create a hidden error to cause that error page to be run. Wile-E-Coyote, Super Genius!
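Two checks that would have caught this trick, as an added example rather than the page's own procedure: compare the prefix in wp-config.php against the tables actually in the database, and read the error documents that .htaccess points at for PHP that has no business in a static error page. The config, table list (in practice the output of SHOW TABLES), .htaccess and error pages below are constructed.

```python
"""Check a WordPress site for a table-prefix mismatch and for PHP hiding in
error documents. Added example, not the page's own procedure; all inputs
below are constructed."""
import re

CORE_TABLES = {"options", "users", "usermeta", "posts", "postmeta", "comments",
               "commentmeta", "terms", "term_taxonomy", "term_relationships", "links"}
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*["']([^"']*)["']\s*;""", re.M)
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.M | re.I)
# Markers of code that has no business in a static error page.
SUSPICIOUS_RE = re.compile(
    r"""\b(?:eval|assert|create_function)\s*\(|\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("""
    r"""|preg_replace\s*\(\s*["'][^"']*/e["']|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(""", re.I)

def config_prefix(config_text):
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None

def prefix_status(prefix, tables):
    """WordPress looks for {prefix}options; if it is missing it decides the site
    is not installed and redirects requests to wp-admin/install.php."""
    tables = set(tables)
    present = sorted(t for t in tables if t.startswith(prefix) and t[len(prefix):] in CORE_TABLES)
    missing = sorted(prefix + c for c in CORE_TABLES if prefix + c not in tables)
    prefixes = {}  # which prefixes the core tables actually live under
    for t in tables:
        for core in CORE_TABLES:
            if t.endswith(core) and len(t) > len(core):
                p = t[:-len(core)]
                prefixes[p] = prefixes.get(p, 0) + 1
    return {"configured": prefix, "core_present": present, "missing": missing, "prefixes": prefixes}

def error_documents(htaccess_text):
    """{status_code: target} for every ErrorDocument directive."""
    return {int(code): target for code, target in ERRORDOC_RE.findall(htaccess_text)}

def suspicious_php(text):
    """[(line_number, snippet)] for each suspicious construct in one file."""
    return [(text.count("\n", 0, m.start()) + 1, text[m.start():m.start() + 40])
            for m in SUSPICIOUS_RE.finditer(text)]

def check_error_documents(htaccess_text, files):
    """files maps a path relative to the web root to its content; every error
    document that exists gets a hit list (empty means nothing found)."""
    results = {}
    for target in error_documents(htaccess_text).values():
        name = target.lstrip("/")
        if name in files:
            results[name] = suspicious_php(files[name])
    return results

# Constructed inputs: wp-config.php says wp_, the database says otherwise,
# and the 500 error page carries a decoder stub.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'samplesite');
$table_prefix  = 'wp_';
"""
SAMPLE_TABLES = ["x7q_commentmeta", "x7q_comments", "x7q_options", "x7q_postmeta",
                 "x7q_posts", "x7q_usermeta", "x7q_users", "wp_some_plugin_log"]
SAMPLE_HTACCESS = "ErrorDocument 404 /404.php\nErrorDocument 500 /500.php\n"
SAMPLE_FILES = {
    "404.php": "<html><body><h1>Not found</h1></body></html>\n",
    "500.php": "<html><body><h1>Server error</h1>\n<?php eval(base64_decode('Li4u')); ?>\n</body></html>\n",
}

if __name__ == "__main__":
    prefix = config_prefix(SAMPLE_CONFIG)
    status = prefix_status(prefix, SAMPLE_TABLES)
    print("configured prefix %r; core tables found under: %s" % (prefix, status["prefixes"]))
    for name, hits in check_error_documents(SAMPLE_HTACCESS, SAMPLE_FILES).items():
        print(name, "clean" if not hits else "suspicious at lines %s" % [ln for ln, _ in hits])
```

The table list comes from SHOW TABLES in the mysql client (or wp db tables with wp-cli); if the prefixes dictionary shows the core tables under something other than the configured prefix, the fix is to put the real prefix back into wp-config.php and then find out who renamed the tables, which is where the log correlation earlier on this page comes in.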

I know what you’re thinking (did he fire 6 shots or only 5…) not that. If the website owners had kept everything up-to-date, how did the hackers gain access?

As mentioned, each of these specific infected websites were owned or operated by people with Macs. In our forensic analysis of website infections we always review the log files if available. In each case we found evidence of IP addresses from outside the country of the website owner being used to login to the WordPress dashboard.

Of course many people tell us that’s impossible because they have passwords that are 12 characters long and have a combination of upper and lower case letters, numbers and special characters. Or in a few of these cases, the people had followed the popular WordPress security recommendations and removed the admin user and also used plugins that allowed them to change the name and location of the wp-admin folder. How does a hacker breach a website that has followed all of these steps?

With WordPress being so popular and many people having websites, hackers know that if they infect a local computer, chances are good that the user will have some login to a website. The hackers put keyboard loggers on local computers and just wait for the user to login to a website.

What do they record?

The URL, the username and password. Even if your login URL has been changed to mydomain.com/837ujdndtgkdhghs6s0d6 and your username changed to Rumplestiltskin and your password is nothing short of “Supercalifragilisticexpialidocious” with every other “a” replaced with @ and every third “i” replaced with either a “1” a “l” or an “!”, the hackers malware on your local computer will steal all that information.

Keep in mind, hackers only need one way in to your website. You must know their methods and block them all.

In order to keep your website safe and secure you must be certain that everyone who you provide login rights to for your website, has their local computer fully secured. Otherwise, you’ll be calling us to help you clean your site.