vBulletin SQL injection vulnerability – Update now

A serious SQL injection vulnerability was reported in vBulletin (4.0.x, 4.1.0, 4.1.1 and 4.1.2) last month, and we are starting to see it used to attack and infect forums running those versions. The vulnerability is very simple and is explained here:

Multiple vBulletin Products ‘Search Multiple Content Types’ SQL Injection Vulnerability

Multiple vBulletin products are prone to an SQL-injection vulnerability because the applications fail to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

The following example data are available:

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

There is even a video on YouTube showing how to do it.

So if you are a vBulletin user, update it now! If you think your site is already hacked or compromised, you can scan it here: http://sitecheck.sucuri.net or contact us for help.
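As an added example (not from the advisory or the original post), the following Python scans web server access logs for the payload shape quoted above, decoding the query string so that the percent-encoded form seen in real requests is caught while an ordinary forum search for the words "union select" is not. The log lines are constructed samples and the forum paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Shape of the payloads quoted above: the value closes the query's
# bracket with ')', appends UNION SELECT and comments out the rest with '#'.
UNION_RE = re.compile(r"\)\s*union\s+(?:all\s+)?select\b", re.IGNORECASE)

# Extracts the request target from a combined-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines (not real traffic): two carry the payload,
# one is an ordinary search for the words "union select", one is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2011:10:00:01 +0000] "GET /forum/search.php?search_type=1&q=test&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23 HTTP/1.1" 200 5123
203.0.113.7 - - [01/Jun/2011:10:00:02 +0000] "GET /forum/search.php?cat[0]=1)%20UNION%20SELECT%20concat(username,0x3a,password)%20FROM%20user%23 HTTP/1.1" 200 5200
198.51.100.2 - - [01/Jun/2011:10:00:03 +0000] "GET /forum/search.php?search_type=1&q=union+select+results&cat[0]=1&cat[1]=2 HTTP/1.1" 200 4011
198.51.100.9 - - [01/Jun/2011:10:00:04 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000
"""

def suspicious_params(url):
    """Return (name, decoded value) pairs whose decoded value has the
    ')... UNION SELECT' shape. The value is decoded a second time so one
    extra layer of percent-encoding does not hide the keywords."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if UNION_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return (client ip, parameter, decoded value) for every line whose
    request carries a matching payload."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group(1)):
            findings.append((line.split(" ", 1)[0], name, value))
    return findings

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {name} = {value}")
```

Run it against a real access log by passing the file contents to scan_log; hits on cat[...] parameters of search.php are the ones to look at first.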

*Thanks to Marcus Maciel for the reminder and help.

Understanding .htaccess attacks – Part 1

Attackers have been using the .htaccess file for a while. They use this file to hide malware, to redirect search engine visitors to their own sites (think blackhat SEO), and for many other purposes (hiding backdoors, injecting content, modifying php.ini values, etc.).

Why do they use the .htaccess file? For multiple reasons. First, .htaccess is a hidden file (its name starts with a “.”), so some site owners might not even see it in their FTP clients. Secondly, it is a powerful file that allows you to make multiple changes to the web server and PHP behavior. This makes a .htaccess attack hard to find and to clean up.

1- Redirecting users coming from search engines to malware

This is the simplest type of .htaccess attack, and the one we see most often. This is what gets added to the .htaccess file of a hacked site:


Read More

WordPress 3.1.3 available (security fixes)

If you are using WordPress, make sure to upgrade it now. Version 3.1.3 was just released with a few security fixes:

* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Improves file upload security on hosts with dangerous security settings.
* Cleans up old WordPress import files if the import does not finish.
* Introduce “clickjacking” protection in modern browsers on admin and login pages.

You can download the new version here or just follow their automated (very simple) update process. These were all the files changed from 3.1.2 to 3.1.3:

Read More

LizaMoon SQL injections (ur.php) – Now vcvsta.com, asweds.com, etc.

A couple of months ago the LizaMoon malware / mass SQL injection was getting a lot of news coverage, with reports that it could be affecting hundreds of thousands of sites.

The media mostly forgot about it, but we kept tracking those attacks and they are continuing at full force, just using different domain names.

For example, the domain http://vcvsta.com/ur.php caused 1.5k sites to get blacklisted by Google:

Read More

osCommerce malware: Cannot redeclare corelibrarieshandler

We have been posting for a while about attacks targeting and infecting thousands of osCommerce sites (CreateCSS, div_colors, etc.) and the importance of keeping it updated and secure.

If you think things have been improving, think again: over the last few days we started to see many of those hacked osCommerce sites generating errors when visitors try to access them:

Read More

ASK Sucuri: Why does my site keep getting reinfected?

If you have any question about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.

Question: Why does my site keep getting hacked / reinfected?

A lot of our new customers only get in contact with us after trying to clean up their sites manually many times without success. A common first question is “I cleaned my site 3 times already and it keeps getting reinfected and blacklisted. What can I do? Can you guys clean it up for good?”

Based on our experience, these are the 4 main causes of reinfections on web sites:

  1. A backdoor is still present in your site. Even though you removed the visible malware, you might still have hidden backdoors in there that the attackers are using to compromise your site. Sometimes even a “clean” backup might still have a backdoor in it. During our clean ups, we always search for and remove the hidden backdoors (even when they don’t show up in our scanner).
  2. Stolen FTP/SSH/Admin passwords. This is very common, especially via FTP and compromised desktops. Are you changing your passwords? Is your desktop secure? Even if your desktop is secure, are you using FTP on an insecure wireless (or wired) network? The recommendation is to change all your passwords and scan your desktop for viruses.
  3. Vulnerability in your site. Are you using an outdated CMS? Maybe your WordPress or Joomla or forum is not updated? Make sure to update them as soon as possible to avoid reinfections.
  4. Same account infections. If you have other sites in the same FTP account and they are compromised (or infected), the malware can spread back to the site you just fixed. Do you have more sites in the same FTP account? This is especially common on shared servers, but also happens on dedicated servers.

There are also other reasons for reinfections, like when your web hosting company is compromised, causing those “mass infections” we blog about sometimes. But that is outside your power, and there is not much you can do about it, except switch hosts.

Have a question or a comment? Make sure to ask below :)

LastPass hacked? Forcing users to change their master passwords

If you are a LastPass user, you will be forced to change your master password in order to continue using the service. We just read some worrying news that they might have been hacked. Yes, “might”. It is more worrying because they don’t know for sure whether they were compromised or not. From their blog:

LastPass Security Notification
We noticed an issue yesterday and wanted to alert you to it. As a precaution, we’re also forcing you to change your master password.

We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.

In this case, we couldn’t find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can’t account for this anomaly either, we’re going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed.

But the lack of details and the confusing explanation lead us to believe that they were indeed hacked and are probably hiding something (or still looking). Which is very sad, because we have always recommended them as a password manager solution.

If they detected a traffic anomaly, something inside their servers generated it (process or script). If they can’t find what is generating the traffic, it means that they are still compromised (rootkit) or their systems are not properly managed.

But we believe they did the right thing in notifying their users, and hopefully they will get it sorted out soon. If you are looking for alternative password manager solutions, we have heard good things about http://keepass.info/ and http://peguta.com (not that we think you should stop using LastPass).

WP-DBManager Security update (serious issue)

Just a quick note that if you are using the WordPress WP-DBManager plugin, make sure to update it as soon as possible. Old versions of the plugin (<=2.60) have a security vulnerability that allows anyone to download the wp-config.php file (and thus the credentials to access your database - especially dangerous on shared hosts).

You can see the changelog with details here:

FIXED: Checks File Extension And Sanitise File Name That Is Pass Through The URL When Downloading Database File. Props to Joakim Jardenberg, Jonas Nordstrom and Andreas Viklund.

More details here as well: http://andreasviklund.com/share/security-alert-wp-dbmanager-plugin-for-wordpress/

Note that the vulnerability was fixed a couple of days ago and since this seems to be a popular plugin (more than 300k downloads), attackers will certainly start looking for it.

This is also a good reminder to always keep your plugins updated and only install the ones that you really need. The more code (plugins) you have running in there, the bigger the chance of one of them having a vulnerability.
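To make the changelog entry concrete, here is an added example (not the plugin's own code, which is PHP): the unchecked path join that lets a request for ../../wp-config.php escape the backup directory, beside a validating version that enforces the checks the changelog describes. The backup directory name and the .sql / .sql.gz extension whitelist are assumptions.

```python
import os
import re

# Assumed policy (not taken from the plugin): backups live in a single
# directory and are only ever '.sql' or '.sql.gz' files.
ALLOWED_EXTENSIONS = (".sql", ".sql.gz")
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

def vulnerable_download_path(backup_dir, requested):
    """Behaviour the changelog describes as fixed: the name from the URL is
    joined to the backup directory with no checks, so '../../wp-config.php'
    walks out of the directory and the database credentials are served."""
    return os.path.normpath(os.path.join(backup_dir, requested))

def safe_download_path(backup_dir, requested):
    """Return the path to serve, or None when the request is rejected.
    Three independent checks: the name must contain no directory part and
    only safe characters, it must carry an allowed extension, and the
    resolved path must still sit directly inside the backup directory."""
    name = os.path.basename(requested)
    if name != requested or not SAFE_NAME_RE.match(name):
        return None
    if name.startswith(".") or not name.endswith(ALLOWED_EXTENSIONS):
        return None
    root = os.path.realpath(backup_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:
        return None
    return path

if __name__ == "__main__":
    backups = "/srv/www/wp-content/backup-db"   # assumed location
    print(vulnerable_download_path(backups, "../../wp-config.php"))
    print(safe_download_path(backups, "../../wp-config.php"))
    print(safe_download_path(backups, "backup.sql.gz"))
```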


Are you using WordPress? Check out our WordPress Security plugin (1-click hardening, audit trail and blocking attackers).

Are WordPress users taking care of their security? State of Blog Security – Part I

Almost two years ago we published an article on the “state of blog security” (focused on WordPress) where we checked the percentage of blogs that were taking care of their security properly. We checked if they had WordPress updated and a few other things. You can read the whole article here (note, the formatting is very bad).

We decided to re-do this test a few weeks ago and check the current state of WordPress security. How many blogs are following the security guidelines and protecting their sites?

To get started, we scanned the top 36,299 self-hosted WordPress sites (according to Alexa) and checked all their versions. Note that we did this check a few days before 3.1.1 was released, so it is not included here.

Table 1: WordPress Version Usage

  Version   #        %
  v2.7.1    453      1.5%
  v2.8.6    545      1.5%
  v2.9.1    581      1.5%
  v2.8.4    733      2%
  v3.0      1,253    3%
  v3.0.3    1,945    5%
  v2.9.2    2,437    6%
  v3.0.5    2,661    7%
  v3.0.4    3,392    9%
  v3.0.1    4,181    11%
  v3.1      15,893   43%

These numbers are very good and they impressed us. Almost 82% of the sites were running versions 3.0 or 3.1, and 43% were upgraded to the latest version! I think this is due to the easy, automated update option available in WordPress that lets everyone upgrade with one simple click (plus it’s backwards compatible).

By looking at the major version groups, we can see how good these numbers are:

Table 2: WordPress Major Version Usage

  Version   #        %
  v2.7      711      1%
  v2.8      1,663    4%
  v2.9      3,018    8%
  v3.0      13,858   38%
  v3.1      15,893   43%

Compared to other web applications (like Joomla or MediaWiki), WordPress is leading the pack in terms of keeping its users on the latest version.

The bad news is that almost 20% of self-hosted WordPress users are still running old and insecure versions of WordPress. We’re talking about sites well ranked on Alexa and with good PR too. We fear that if we started scanning less popular sites, the numbers would be much worse.

If you have any question, let us know.

This is the full data dump if you want to do further analysis:

  Sites   Version
  19      WordPress 2.1.3
  21      WordPress 2.3.2
  24      WordPress 2.0.4
  30      WordPress 2.2.2
  30      WordPress 2.3.1
  31      WordPress 2.2
  35      WordPress 2.3.3
  39      WordPress 2.2.1
  44      WordPress 2.8.1
  52      WordPress 2.6.1
  57      WordPress 2.5
  59      WordPress 2.6.3
  61      WordPress 2.8.3
  67      WordPress 2.6.5
  84      WordPress 2.6
  95      WordPress 2.8.2
  103     WordPress 2.6.2
  139     WordPress 2.5.1
  145     WordPress 2.8
  160     WordPress 2.9
  246     WordPress 2.8.5
  258     WordPress 2.7
  426     WordPress 3.0.2
  453     WordPress 2.7.1
  545     WordPress 2.8.6
  581     WordPress 2.9.1
  733     WordPress 2.8.4
  1253    WordPress 3.0
  1945    WordPress 3.0.3
  2437    WordPress 2.9.2
  2661    WordPress 3.0.5
  3392    WordPress 3.0.4
  4181    WordPress 3.0.1
  15893   WordPress 3.1

TheWebbyAwards hacked and compromised with Blackhat SEO

The Webby Awards web site (www.webbyawards.com) is currently hacked and compromised with blackhat SEO. If you search for it on Google you will get a warning saying “This site may be compromised”:

And if you look at the source code of the page, you will see thousands of hidden spam links in there (about selling Windows Vista, buying Office, etc.) pointing to gl.iit.edu:8080, www.korea.edu, www.gefassembly.org, www.ncsconline.org and car.dost.gov.ph. Yes, all “important” and high PR sites (one university, two .gov sites, etc.).

<a href="http://gl.iit.edu:8080/id=8085=WHERE-CAN-I-BUY-WINDOWS-7.html">where can i buy windows 7</a>..

<a href="http://gl.iit.edu:8080/id=1974=BUY-MICROSOFT-OFFICE-2007-FOR.html">buy microsoft office 2007 for windows</a>

<a href="http://www.korea.edu/m02/m02_06_03.php?3142=Windows-Vista-Price.php">windows vista price at targe..

<a href="http://www.gefassembly.org/administrator/modules/mod_title/mod_title.php?id=3387=COMPRAR-OFFICE-2007.aspx">comprar office 200..

<a href="http://car.dost.gov.ph/libraries/phpgacl/.gacl.php?5656=Windows-7-Ultimate-(64-Bit).php">cheap upgrade to windows ..

If you also search on Google for some of these terms (like “windows vista price at targe”), you will see webby.aol.com (webbyawards.com) on the top pages already (along with some .gov and .edu web sites).

We have no details on how it was compromised yet, but we will keep you posted (if we hear back from them). If you are a site owner, take this as a reminder to make sure that all your sites are updated, using good passwords, monitored and following the best practices.


Site hacked? Infected with malware or spam? We are here to help.