Daniel Cid

Daniel B. Cid is the CTO&Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

About Daniel Cid

Daniel B. Cid is the CTO&Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites

A few weeks ago we found and disclosed a serious vulnerability on the MailPoet WordPress Plugin. We urged everyone to upgrade their sites immediately due to the severity of the issue. The vulnerability allowed an attacker to inject anything they wanted on the site, which could be used for malware injections, defacement, spam and many more nefarious acts.

This is not something we’re excited to report, but we were right.

A few days ago we started to see a massive number of WordPress sites compromised with malware. The malware code had some bugs, it was breaking many websites, overwriting good files and appending various statements in loops at the end of files.

At the time of the post, the root cause of the malware injections was a bit of a mystery. After a frantic 72 hours, we are confirming that the attack vector for these compromises is the MailPoet vulnerability. To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.

All the hacked sites were either using MailPoet or had it installed on another sites within the same shared account (cross-contamination still matters).

Exploited in the Wild

The attacks always start the same, with the attackers trying to upload a custom (and malicious) theme to the site:

194.79.195.139 – - [05/Jul/2014:01:41:30 -0700] “POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0″ 302 – “http://site.com.com/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate” “Mozilla/5.0″

Once they succeed, they upload the malicious theme, they access their backdoor inside /wp-content/uploads/wysija/themes/mailp/:

194.79.195.139 – - [05/Jul/2014:01:41:31 -0700] “GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1″ 200 12 “Mozilla/5.0″
194.79.195.139 – - [05/Jul/2014:04:08:16 -0700] “GET /wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0″ 200 12 “-” “Mozilla/5.0 (Windows)”

They get full control of the site.

The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place.

So if you see this error on a site:

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91

It means it was likely hacked through this vulnerability.

Mass Infections

MailPoet is a very popular plugin with almost 2 million downloads, so as you can expect, when such severe vulnerability is identified, it can be mass exploited.

This is the total number of hacked sites that we were able to identify so far (per day):

Sucuri MailPoet Mass Infection Rate

This is based on sites scanned on our free sitecheck scanner. The number of hacked sites is likely much bigger.

Upgrade Mailpoet!

If you are running MailPoet, we recommend upgrading it asap to the latest version. Users of our Website Firewall (CloudProxy) have been protected against this threat since day 0. However, if you do not have a firewall (WAF) on your website, you have to upgrade the plugin or remove it altogether to avoid more issues.

SQL Injection Vulnerability – vBulletin 5.x

The vBulletin team just released a security patch for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 to address a SQL injection vulnerability on the member list page. Every vBulletin user needs to upgrade to the latest version asap.

vBulletin is a very popular forum sofware used on more than 100,000 web sites.

Directly from vBulletin.com:

A security issue has been reported to us that affects the versions of vBulletin listed here: 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 We have released security patches to account for this vulnerability. The issue may allow attackers to perform SQL injection attacks on your database. It is recommended that all users update as soon as possible.

You can download the patch for your version here: http://members.vbulletin.com/patches.php

This vulnerability was discovered by the Romanian Security Team (RST), so it could already be used in the wild on 0-day attacks. If you can’t patch vBulletin, we recommend blocking access to the memberlist page in the mean time.

If you are leveraging the Sucuri Website Firewall product, your website is already protected through our virtual patching signatures.

Website Malware – Mobile Redirect to BaDoink Porn App

A few weeks ago we reported that we were seeing a huge increase in the number of web sites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device (IPhone, Android and a few others).

These types of injections are called conditional redirections because certain conditions need to be met for them to redirect visitors. They are not always present and the malware authors try very hard to hide them from the website owner. The malware code looks for logged in cookies to try to identify whether or not someone is managing the site and then attempts to never redirect someone who is logged in. Finally, if a visitor gets redirected once, the malware will not redirect them again. The goal for the malware author is for visitors to not report something going wrong with a website. In this example, if you were to visit an infected site, you’d be redirected, but from your point of view, maybe it was just something weird so you retype the url and now you aren’t redirected. Since everything is working normally now, you decide not to report it and the malware lives on.

As you can imagine, this sort of malware can be difficult to troubleshoot. In fact, very often webmasters think it’s a typo and move on instead of investigating what happened. For that reason, most sites remain compromised, so if anyone ever complains that your site redirecting to “instabang.com” or a Badoink Porn App, it is very likely your site is hacked.


Read More

Ask Sucuri: Who is logging into my WordPress site?

Today, we’re going to revisit our Q&A series. If you have any questions about malware, blacklisting, or security in general, send them to us at: info@sucuri.net. For all the “Ask Sucuri” answers, go here.


Question: How do I know who is logging into my WordPress site?

Answer: One of the most basic and important security aspects of any system is access control, specifically logging your access control point. It defines who can do what and where and under what circumstances. However, access control without the proper enforcement and auditing is like a law that is not enforced by the police; it loses its meaning.

WordPress has a very powerful access control tool, known as roles and capabilities, that allows you to specify what each user can do. However, it lacks good auditing capabilities. The purpose of auditing, i.e. logging, is to give administrators visibility into what is happening on the website at any given time.

Auditing is a very broad term. We could go in depth into the various elements that you, as an administrator, should audit. However, for this post we’re going to focus on your access control, specifically who is logging in.

Sucuri WordPress Security Plugin – Last Logins Feature

Out-of-the-box, the WordPress CMS does not provide auditing, nor does it include any type of authentication auditing for successful logins. For this reason, we have added both capabilities to our Free WordPress Security plugin.

The plugin allows administrators to see who is and has logged into your website. It includes attributes like location (i.e. where) and time. It’s known as the Last Logins feature (it’s based off the Linux “last” command).

This is what it looks like in your dashboard:

wordpress-lastlogins

It will list the users, IP addresses (hidden in the image) and the time of the login.

If you want to know who is logging in to your site (from when and from where), then leverage our Free WordPress Security plugin.

Note that it will only start logging the users, after you install it. So as soon you add the plugin, the last-logins table will be empty. But if you try to logout/log back in to WordPress, you should start to see it populating.

Importance of Auditing Your Access Control

For website administrators, we cannot stress the importance of logging activity, such as user log ins, enough. We handle various incidents on a daily basis where the website owner has no idea as to who is and isn’t logging into their environment.

Often, after a compromise, the forensics team will work with the website owner to understand what was going on. In many instances, basic auditing would have informed the client that something was not right. Here are some examples:

  1. Website owner works on the Pacific Coast, yet his user is logging in from China with his username and password
  2. Website owner is sleeping, yet somehow, the client’s user is still logging in
  3. A new user is logging into the environment every day and the website owner never created the user or it’s a single user website

Are you able to say, confidently, that this is not happening to you? If the answer is, “Yes,” then congratulations, you’re adhering to the auditing basics. If the answer is, “No,” then you should seriously consider downloading our free plugin.

Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)

Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required).

This is a serious vulnerability, The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin (over 1,700,000 downloads). This vulnerability has been patched, if you run the WordPress MailPoet plugin please upgrade ASAP!

Are you affected?

If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.

The only safe version is the 2.6.7, this was just released a few hours ago (2014-Jul-01).

Why is it so dangerous?

This bug should be taken seriously, it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host malware, infect other customers (on a shared server), and so on!!

Technical Details

Our research team discovered this flaw a few weeks ago and immediately disclosed it to the MailPoet team. They responded very well and released a patch as quickly as possible.

Because of the nature of the vulnerability, specifically it’s severity, we will not be disclosing additional technical details. The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

It is a easy mistake to make and they used that hook (admin_init) to verify if a specific user was allowed to upload files.

However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated. Thus making their theme upload functionality available to everybody.

Pro-tip: If you are a developer, never use admin_init() (or is_admin()) as an authentication method.

How should you protect yourself?

Again, Update the plugin as soon as possible. Keeping WordPress and all plugins updated is the first step to keep your sites secured.

For our customers: The good news is that any website behind our Website Firewall – CloudProxy has been protected against this vulnerability since we found it.

TimThumb WebShot Code Execution Exploit (0-day)

If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned.

A new 0-day was just disclosed on TimThumb’s “Webshot” feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command, an attacker can create, remove and modify any files on your server. For example:

http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://vulnerablesite.com/$(rm$IFS/tmp/a.txt)

http://vulnerablesite.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://vulnerablesite.com/$(touch$IFS/tmp/a.txt)

In the first example, we were able to remove a file (rm command) and on the second example, create one (using the touch command). And you are not limited to only these 2 commands as many others can be executed remotely (RCE). The full disclosure is available here for anyone interested in more technical details.

Are you vulnerable?

The good news is that Timthumb comes with the webshot option disabled by default, so just a few Timthumb installations are vulnerable. However, you have to check if your timthumb file does not have this option enabled to prevent it from being misused. Open your timthumb file (inside your theme or plugin) and search for “WEBSHOT_ENABLED” and make sure it is set to “false”, just like this one:

define (‘WEBSHOT_ENABLED’, false);

If it is enabled, you have to disable it asap. Our research team is monitoring this vulnerability very closely and if we have any news, we will update in this post.

For our customers: Another piece of good news is that any website behind our website firewall is already protected automatically against this vulnerability.

SPAM Hack Targets WordPress Core Install Directories

Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores?

We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used to hide fake stores and spam doorways. In every case, the attacker is leveraging one of the core install directories – wp-includes.

google-pharma

Abusing WP-INCLUDES with SPAM

By default, every WordPress installation comes with 3 main directories: /wp-content, /wp-admin and /wp-includes. Generally, /wp-includes is reserved for generic code and is the heart of WordPress where all major core files are stored. It’s a folder that doesn’t need to be remotely accessed and should not contain any externally accessible or executable HTML or PHP files.

Unfortunately, that is not what we’re seeing. Thousands of WordPress sites seem to have been hacked, and in each case SPAM has been injected into their core directory wp-includes. We have found it’s not specific to Pharmaceuticals either, it includes things like “Payday spam” and “cheap bags”, “cheap watches” and many other forms of SPAM content.

This type of spam injection has 3 main characteristics:

  1. The SPAM pages are hidden inside a random directory inside wp-includes (eg: /wp-includes/finance/paydayloan or /wp-includes/werty/)
  2. The spam is conditional and often based on the referrer
  3. We’ve noticed that, in almost every instance, the websites are running outdated WordPress installs or cPanel – this is obviously conjecture

Here is a small list of 100 WordPress hacked websites with SPAM injected in their wp-includes directories. All of them are publicly accessible by doing some Google searches:

http://www.immunomix.com/ITIpress/wp-includes/finance/paydayloan/payday-loans-instant.html
http://microwaveamps.co.uk/wp-includes/js/thickbox/lib/loans/payday-loans-in-london-uk.html
http://www.scifidimensions.com/wp-includes/finance/cashadvance/cash-advance-loan-lenders.html
http://www.beereading.com/wp-includes/finance/cashadvance/cash-advance-loans.html
http://vastema.com/wp-includes/cheap-hermes-lindy-bags-on-sale.html
http://www.antibabypillerezeptfrei.net/wp-includes/js/crop/advancement/helpers/blrmalaysiabank.html
http://todayscliche.com/wp-includes/palco.html
http://www.ethosindia.com/wp-includes/mambo.php?p=55
http://www.turnerforte.com/blog/wp-includes/finance/cashadvance/cash-advance-credit.html
http://www.ednapletonblog.com/wp-includes/werty/replica-36596.html
http://www.pettycustomhomes.com/wp-includes/cheap-kids-nba-jerseys-3167596.html
http://www.pondproshop.com/reference/wp-includes/catalog/services/vybe/vybe-band-reviews.html
http://firefly-path.net/wp-includes/pomo/qwe/4/Buy-Balenciaga-High-Quality-Replica-Clutches.php
http://wolfgangcapellari.com/wp-includes/pomo/rolex-imitation.html
http://byphandyman.com.au/wp-includes/people/replica-bvlgari-fake-watches.html
http://rumbaytimbal.com/wp-includes/reviews/
http://www.preservinggoodstock.com/wp-includes/louis-vuitton-bags-5641302.html
http://www.domagojkovacic.com/wp-includes/wholesale-jerseys-from-china-7479567.html
http://maciejkot.pl/wp-includes/detect.html
http://allinseopack.com/wp-includes/js/plupload/oscar-leeser-bio-i12.com
http://www.marinavendrell.com/wp-includes/store/diet/solpria/solpria-cleanse-reviews.html
http://missouriche.org/wp-includes/louisvuitton19.html
http://vastema.com/wp-includes/replica-hermes-birkin-25-cm.html
http://www.conemund.org/eng/wp-includes/replica.php
http://cri-technologies.com/wp-includes/pomo/mkheaf.php?psdjvwei=uplink%20dwd
http://www.giser.net/wp-includes/headt.php
http://chicksdigme.com/wp-includes-old/vanilla-sky-lyrics-owl-city-i0.com
http://jewelrypictures.org/wp-includes/js/imgareaselect/ghd-machine-i5.com
http://www.jobshopsf.com/wp/wp-includes/finance/autoloan/car-loan.html
http://www.ebrice.com/wp-includes/shop/health/tagaway/buy-tag-away-discount-price.html
http://amr-nadim.net/wp-includes/fake-hermes-clic-clac-bracelet–5621.html
http://jesicaglot.com.ar/wp-includes/news/replica-watches_14626.html
http://funaki.ens-serve.net/wp-includes/images/news/black-evening-dresses.html
http://linkarbeid.no/wp-includes/replica-celine-tas.html
http://www.iwillstandupforyou.com/wp-includes/nfljerseys-19244-6847676.html
http://www.viparenda.com.ua/wp-includes/pomo/index/shorewatches.htm
http://www.lelieuunique.com/site/wp-includes/wp-about.php?p=124-chaussure-christian-louboutin-pas-cher.html
http://redtouch.com.mt/wp-includes/news/oris-aquis-depth-gauge-replica-watch-hands-on.html
http://www.stridesforstars.com/wp-includes/rewrite/list.html
http://perfectgroup.se/wp-includes/replica/rolex
http://www.cowalrugby.co.uk/wp-includes.php
http://janmccraylaw.com/wp-includes/watches/replica-32802.html
http://bekarty.pl/wp-includes/be/cartier-swiss-replica.html
http://conceitorio.com.br/home/wp-includes/indo/rolex-airking.html
http://www.liftstudios.ca/wp-includes/images/arrows/lib/chanel/wallets/Chanel-Wallet-On-a-Chain-Replica.php
http://mag.amazing-kids.org/wp-includes/js/crop/lib/vuitton/LV-Bags/Louis-Vuitton-Overnight-Bags-Replica.php
http://atelier.aencre.org/wp-includes/js/thickbox/lib/louboutin/model/christian-louboutin-crystal-daffodil-pumps-replica.php
http://feo.nusta.com.ua/wp-includes/images/news/buswatches.htm
http://cafetaxa.dk/wp-includes/replica-watches-uk/
http://www.socialned.nl/wp-includes/php/tag/michael-kors-outlet-washington
http://podcasttennis.free.fr/wordpress/wp-includes/js/tinymce/themes/advanced/ejezuli/inig/
http://www.baypointmarina.com/wp-includes/brand/ralph-lauren-sleepwear.html
http://nsldigest.org/wp-includes/css/wp-pointer/Buy-Good-Replica-Louis-Vuitton-Shoes_25510.html
http://supportambitiongroup.com/wp-includes/css/download-free-porn-no-sign-up.php
http://icmcc.org/wp-includes/js/jcrop/gearshifter.php?dqq=506
http://w3f.pl/wp-includes/pomo/silagra-50-price.html
http://www.fedusa.org.za/wp-includes/js/tinymce/wp-mce-help.php
http://www.styleslicker.com/wp-includes/js/buytadalafil/index.php?page=4
http://nclarkplaning.co.uk/blog/wp-includes/Cardiovascular/ventolin-mdi-buy.html
http://www.cadillacpizzapub.com/livemusic/wp-includes/finance/creditscore/annual-credit-score.html
http://www.nagaloka.org/wp-includes/filesd/1137a750e374cebd95e7bfb4c05c60a0
http://www.immunomix.com/ITIpress/wp-includes/finance/creditreport/credit-report-and-score.html
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Replica/Louis-Vuitton-Replica-AAA.php
http://yogagals.com/wp-includes/bottega-veneta.html
http://www.baypointmarina.com/wp-includes/brand/ralph-lauren-bicester-village.html
http://nrca-railroad.com/wp-includes/js/crop/_notes/vuitton/LV-Outlets/Louis-Vuitton-Outlet-Store-in-Kansas-City-Missouri-MO.php
http://www.madeleineking.co.uk/wp-includes/the-wine-house-lichfield-i10.com
http://www.mecalfab.com/mecalfab1/wp-includes/discountstore/kitchen/ninjamegablender/mega-ninja-blender.html
http://oisa.org/trl/wp-includes/onlineshop/naturalproducts/powerprecision/buy-power-precision-lean-muscle-formula.html
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Replica/Louis-Vuitton-Replica-AAA.php
http://adamriemer.me/wp-includes/user/index.php?p=netflix-rentals-netflix-dvd-movie
http://adcaustintech.com/javaegl/wp-includes/user/index.php?p=netflix-shares
http://todomejora.org/wp-includes/js/crop/lib/loans/payday-loans-without-checking-account-requirements.html
http://www.thekookmovie.com/wp-includes/php
http://www.moorefinefoods.com/wp-includes/heads7.html
http://www.businsure.com.au/wp-includes/jordanretroretails.com.html
http://www.airjordanpaschererfr.com/
http://stoleti.cz/wp-includes/images/index.php
http://www.chriswind.net/wp-includes/nets1121.html
http://icmcc.org/wp-includes/js/jcrop/gearshifter.php?dqq=196
http://www.demalagana.es/wp-includes/jordan11spacejambox.com.html
http://www.iarld.com/wp-includes/sageron.html
http://www.maintenantlagauche.com/wp-includes/class-wp-login.php
http://www.thesinbin.ca/wp-includes/images/jordansbred-us.com.html
http://www.plantingdandelions.com/wp-includes/x-jordan.html
http://www.martaortells.com/wordpress/wp-includes/images/jordansinfrared.com.html
http://missouriche.org/wp-includes/nikefree11.html
http://www.accqtrak.com/WordPress/wp-includes/Text/Diff/Renderer/Year57.php
http://urbancampout.com/wp-includes/glass.php
http://kortshoes.nl/wp-includes/The/fake-replica-watches.html
http://wolfgangcapellari.com/wp-includes/pomo/rolex-imitation.html
http://vastema.com/wp-includes/buy-hermes-lindy-handbags-outlet.html
http://maciejkot.pl/wp-includes/detect.html
http://nrca-railroad.com/wp-includes/js/crop/_notes/vuitton/LV-Buy/Buy-Louis-Vuitton-in-Warsaw-Poland.php
http://www.elpaisdealtamira.es/wp-includes/js/crop/lib/vuitton/LV-Cheap/Cheap-Louis-Vuitton-Luggage-Knock-Off.php
http://dibach.com/wp-includes/Text/Lifestyle/dating-lord-elgin-watches.php
http://www.iwillstandupforyou.com/wp-includes/real-gucci-belt-for-men-cheap-8163353.html
http://www.missouriche.org/wp-includes/index.html
http://www.lonestarlandscaping.biz/wp-includes/store/diet/greencoffee/where-can-i-buy-green-coffee-bean.html
http://www.andersonmontana.com/test/wp-includes/Text/Diff/Renderer/Filter17.php
http://www.cerbone.com/wp-includes/store/exercise/contourabs/contour-abs-reviews.html
http://www.smkgear.com/_wp/wp-includes/discountstore/home/solaramerica/solar-america-home-power-station.html

This is a very small sample. A quick search on Google using inurl:/wp-includes viagra levitra cialis reveals more than 13,000 pages. As you rotate out the SPAM keywords that number increases dramatically. You quickly start painting a pretty dire picture as you run more scans:

WordPress Wp-includes SPAM

If you find yourself with similar symptoms, we recommend replacing your core install or seeking professional help.

If you are a Do it Yourself’er (DIY’er) then be sure to manually replace the core installs. Don’t just select update in your administrator panel because doing so won’t remove the file and while it may address the issue on the surface, it won’t be getting to the bottom of the issue.

Conditional Redirections

The term Conditional should not be new to most of our readers, but if you’re new we recommend diving into our older posts to better understand how it works. A good place to start is our most recent post on redirects that were occurring only on mobile devices and targeting Porn websites.

If you click on any of these URL’s, you will see doorways for different types of spam. Some are just like the Google Pharmacy screenshot and some with real complex fake stores. However, if you are coming from a Google search, referrer = google.com, they will redirect you to the final SPAM destination.

And what is the final spam destination? These are the ones we have been able to isolate to date:


http://www.greboxs.com/


http://www.mkbagsesale.com/


http://www.shoebuy.com


http://www.top-online-pills.com/

We don’t know if they are really malicious or being used by affiliate spam, but they appear to be the final destination for all these spam pages.

How are these WordPress sites getting hacked?

While we don’t have definitive proof as we do not have control of these environments, each instance we have analyzed always show one common denominator – out of date software. We cannot stress the importance of patching your software via upgrades and if you can’t, be sure to leverage tools that allow you to operate safely on the web with your out of date software. The last thing any website owner wants is to find out later that their brand and system resources have been used for nefarious acts.

CloudProxy + SPDY = A Faster Website

Our CloudProxy Firewall already protects and speeds load times for 1,000′s of websites. Now, it’ll be even faster. We’re happy to announce that we just added support for SPDY (pronounced speedy) across all of our plans and servers. Any website being protected by our CloudProxy firewall can enable SPDY support with just one click:

SPDY

If you haven’t heard of SPDY (SPeeDY), it is a new protocol developed primarily by Google for transporting web traffic. It reduces page load latency through compression, multiplexing, and prioritization. In non-technical terms, it makes your HTTPS site a lot faster and it is supported by all major browsers, including Chrome, Firefox and Opera.

Internet users using these browsers can take advantage of this protocol on sites that have SPDY enabled (like Google.com, Twitter.com, etc…).

We’re excited about this because while we continue to protect our clients’ websites with our WAF, we will also be helping to make their sites faster and more reliable.

If your site is already being protected by CloudProxy, just login and enable SPDY. If you haven’t yet protected your website, head to our CloudProxy homepage to see why 1,000′s of clients are using our firewall to shield their site from attacks.

Website Firewall Update – Introducing 2FA and More

Today, we are launching the new and improved Protected Page capability in our Website Firewall, CloudProxy. It allows for a simple (1-click) activation of secondary authentication methods on any page of your site. It means you can easily add the following to any page on your website:

  • A custom password verification
  • Two Factor authentication (2FA) using Google Authenticator
  • Captcha verification
Protected Page

Have you ever needed to protect a specific page on your site with a custom password or using two-factor authentication? In the past, it required a lot of coding and messing with plugins that aren’t always easy to setup.

We’re happy to say that we’ve made it a lot easier with the Protected Page feature. In your CloudProxy dashboard, you can specify the location you want to protect (/wp-admin for WordPress or /administrator for Joomla, for example) and choose how you want to add a second layer of protection to it:

cloud-2fa

We are really excited about these options and hope you are too!

Use Cases

You can use it on any website, with any CMS or web application and it doesn’t require and coding or other change to your website. Here are some of the ways that clients will be able to take advantage of this upgrade:

  1. Want to prevent bots from submitting comments? Or filling a form on your site? Add the captcha option.
  2. Want to restrict access to /wp-admin, /administrator or any other admin page on your site? Add a custom password or two-factor authentication.
  3. Want to make a page, private? Add a password to it.
  4. Do you have an employee portal, web mail or custom application that you want to restrict access? Add a password to it.

There are many ways you can use this new functionality on your website. Interested? Log into your CloudProxy dashboard, then go to security and then to the Protected Page section to start using it right away.

BaDoink Website Redirect – Malicious Redirections to Porn Websites on Mobile Devices

The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern where they only targeted mobile devices. They are highly conditional as well making it challenging for webmasters to detect.

Lets take a minute to explain what is going on.

Conditional Redirects to Porn Websites Targeting Mobile Devices

Sounds complicated, but it isn’t. If the visitor is coming from an Ipad, Iphone, Android or other similar mobile device, the page is redirected to a random pornographic page. If the same person tries to visit the site again, nothing happens and the site loads properly. What gives?

1. The Word is “Conditional”

The malware injected on the website is intelligent. It stores the IP address for all the visitors that it redirects to the porn website. If you see the redirect once, it is likely that you won’t see it again for many hours. This makes the malware very difficult to detect and leads people to think it was a random error or that maybe they mistyped the URL.

2. Mobile-Only

This injection is only redirecting Mobile browsers. It’s targets seems to be iPhone, iPad, Android and a few other mobile OS browsers. For everyone else, the site looks clean and safe.

3. Mobile-only + Conditional = Very hard to detect

When you mix conditional with mobile-specific infections, you know it will be very difficult to detect. Yes, even SiteCheck has a hard time flagging it. It will flag the site once, but if the user forces a re-scan it will show the website as clean.

As you can imagine, it can be very confusing for the end user.

Browser-site injection

Rafael Capovilla, one of our Sr. Analysts, was the first to find and decipher how the injection is displayed on the browser. It is very sneaky, accomplishing it’s goal by utilizing a form like this one:

<form method=POST action="http://gridironservices.com/579205f64a3c6…php?q=b9f6606dcd0186725..” id=”refoto_form” target=”_top”>

With random domains (intelligenthometheater.com, gridironservices.com, etc). That by itself it looks ok, but embedded you’ll find this javascript code:

document.getElementById("refoto_form"). submit( );

This forces the POST to be submitted and the visitor redirected. At first glance they both look legitimate and will likely pass as clean for most (if not all) Anti-Virus and security tools.

As mentioned before, this only appears on Mobile devices and conditionally. You might be wondering why they would redirect to porn. As is often the case, it’s all about the money.

These pages are the first level in the redirection funnel. They proceed to push the user to affiliate/ads links, similar to these: httx://ads. mobiteasy.com/ or httx://www. instabang.com/tour/zinstabang.

Where they pay the malware authors good money for every click.

Removing the Porn Redirection

Shameless Plug: If you have used SiteCheck and notice the issue I mentioned above – showing dirty then clean or not showing at all – have no fear, this does happen from time to time it’s how the scanner works. Rest assured though that our team is able to address the issue and our internal scanners will catch the issue outright once configured.

To address the issue yourself investigate these locations:

  • /index.php
  • /wp-config.php (if using WordPRess)
  • /configuration.php (if using Joomla)
  • /wp-content/themes/yourtheme/functions.php (if using WordPress)

These are the 4 places we see this injection being added. Note that it is highly encoded, you will have to look for any line that looks out of place and it’s best to engage your developer for help.

Remember, the issue at the surface – the infection – is only the tip of the iceberg. If your website is infected you have to assume that the attackers have penetrated your defenses and have added controls that will allow them to continue to penetrate your environment. Be sure to look for backdoors.

If you have any question, let us know. You can also engage us on Twitter at Sucuri Support or Sucuri Labs.