Could Your WordPress Security Plugin be Lying?
Many people have received notifications from their cloud server provider indicating their server’s IP address has been reported as attacking other websites.
We Watch Your Website’s services have been used frequently to investigate these claims. The following is a recent one that is very interesting.
We Watch Your Website has just completed another investigation of a “reported” website infection.
We’ve reported before that often times hackers will use a website they have control of, to attack other websites. They do this because it gives them another layer of anonymity, but it also allows them to use your resources.
A customer had been contacted by their cloud server provider claiming their server was being used in attacks on another website. The notification stated the customer had 48 hours to remediate or their server would be deactivated.
Part of the service provided by We Watch Your Website includes logging and watching outgoing traffic to port 80 & 443 (HTTP & HTTPS). This is standard for the server service as we want to know the second a server is compromised and outgoing traffic to those ports is an indication of compromise.
The notification from the cloud server provider included a few lines from a log collector. These logs included the source IP address of the “reported” attack, which was in fact the IP address of We Watch Your Website’s customer, and the date of the attack which was the previous day of the notification. Upon receiving this notification the database was checked for outgoing traffic from the customer’s server to this IP address. Not one line in We Watch Your Website’s database showed any traffic going to that IP address.
Was our process faulty? Did something slip past our programs???
The snippet of information included in the notification was examined closely and it became obvious from the pattern it was a specific, popular WordPress security plugin that created the log snippet. Not believing the plugin could be wrong, we obviously scanned all the sites and databases on our customer’s server.
There was no infection found. Nothing suspicious in our database records indicating any type of infection on any of the 23 websites on this particular server. Not a single indication of compromise.
Head scratching ensues…
The customer, not wanting their 23 websites to be deactivated starts questioning where they should move their sites to. The investigation seemed to be hitting a brick wall. The focus turned to the possibility of a false positive report. Could it be the reported issue was outdated and just now being reported? That’s certainly been seen frequently.
No. The sample log entry included a date/time stamp of the previous day and the customer had this IP address for over 6 months.
The investigation team had read a blog post about IP spoofing reports from Snicco.io on various WordPress security plugins.
Sure enough the plugin was using the IP address from the header to identify the source, which is easily spoofed. As the report from Snicco.io states, “Only ever use REMOTE_ADDR to access the correct IP”. However, with this plugin, that was not the case. The hackers had spoofed the IP address of the attack to make it look as if the attack came from elsewhere than the actual source. Obviously this was to thwart root cause analysis.
In the end, the owner of the website that claimed to be attacked was contacted and the full investigation continued. They provided access logs to be analyzed, these are generated from the server itself. We Watch Your Website tested the WordPress security plugin with some bogus IP addresses in the header sent to the website and as suspected, that’s what was reported by the plugin, not the actual IP address from the access logs.
What’s even more alarming is that the plugin author had been contacted months ago about this IP spoofing and they felt is was just a nuisance not an actual bug, so it has not been patched or updated.
In this case, everything was presented to the cloud server provider who agreed with the findings and closed the case. The customer was happy We Watch Your Website was so thorough in the investigation and didn’t have to migrate all those sites to a different server.
Beware of notifications from your cloud server provider. They may be outdated or in this case, the blame was placed squarely on the WordPress security plugin, rather, their creator.
In website security, all possibilities must be examined.