MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites

A few weeks ago we found and disclosed a serious vulnerability on the MailPoet WordPress Plugin. We urged everyone to upgrade their sites immediately due to the severity of the issue. The vulnerability allowed an attacker to inject anything they wanted on the site, which could be used for malware injections, defacement, spam and many more nefarious acts.

This is not something we’re excited to report, but we were right.

A few days ago we started to see a massive number of WordPress sites compromised with malware. The malware code had some bugs, it was breaking many websites, overwriting good files and appending various statements in loops at the end of files.

At the time of the post, the root cause of the malware injections was a bit of a mystery. After a frantic 72 hours, we are confirming that the attack vector for these compromises is the MailPoet vulnerability. To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.

All the hacked sites were either using MailPoet or had it installed on another sites within the same shared account (cross-contamination still matters).

Exploited in the Wild

The attacks always start the same, with the attackers trying to upload a custom (and malicious) theme to the site:

194.79.195.139 - - [05/Jul/2014:01:41:30 -0700] "POST /wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://site.com.com/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0"

Once they succeed, they upload the malicious theme, they access their backdoor inside /wp-content/uploads/wysija/themes/mailp/:

194.79.195.139 - - [05/Jul/2014:01:41:31 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "Mozilla/5.0"
194.79.195.139 - - [05/Jul/2014:04:08:16 -0700] "GET /wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"

They get full control of the site.

The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place.

So if you see this error on a site:

Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91

It means it was likely hacked through this vulnerability.

Mass Infections

MailPoet is a very popular plugin with almost 2 million downloads, so as you can expect, when such severe vulnerability is identified, it can be mass exploited.

This is the total number of hacked sites that we were able to identify so far (per day):

Sucuri-MailPoet-Infections

This is based on sites scanned on our free sitecheck scanner. The number of hacked sites is likely much bigger.

Upgrade Mailpoet!

If you are running MailPoet, we recommend upgrading it asap to the latest version. Users of our Website Firewall (CloudProxy) have been protected against this threat since day 0. However, if you do not have a firewall (WAF) on your website, you have to upgrade the plugin or remove it altogether to avoid more issues.

Massive Malware Infection Breaking WordPress Sites

Update: We identified the root cause: MailPoet Vulnerability Exploited in the Wild – Breaking Thousands of WordPress Sites

The last few days has brought about a massive influx of broken WordPress websites. What makes it so unique is that the malicious payload is being blindly injected which is causing websites to break. While we’re still researching, we do want to share share some observations:

  1. This infection is aimed at websites built on the popular WordPress CMS
  2. It is targeting sites with outdated (vulnerable) plugins or weak admin passwords.
  3. Malware is highly obfuscated and attempts to inject SPAM to the hacked website

There is, however, one very unpleasant impact of this infection. The infector PHP code is buggy and it is corrupting legitimate website files. It is targeting not only the core WordPress files, but also theme and plugins files. The result are various PHP errors being displayed instead of the normal site content. If you see this error on your site:

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91

It means your site is likely hacked. Our sitecheck scanner will warn of this error as well:

corruptedsite

The only known solution (after removal of injected malware)is restoring these corrupted files from the backup. If you are curious about the malware injection, this is what it looks like (randomly generated):

<?php $pblquldqei = ’5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825j^%xq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q7825)3of:opjudovg<~%x5c%x7824!%x5c%x782421787825!|!*!***b%x5c%x7825)…

We’ll continue the investigation and will provide more details as they become available. If you suspect you have been impacted by this infection rest assured that our team is ready and actively cleaning this mess up on all websites.

Website Malware – Mobile Redirect to BaDoink Porn App

A few weeks ago we reported that we were seeing a huge increase in the number of web sites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device (IPhone, Android and a few others).

These types of injections are called conditional redirections because certain conditions need to be met for them to redirect visitors. They are not always present and the malware authors try very hard to hide them from the website owner. The malware code looks for logged in cookies to try to identify whether or not someone is managing the site and then attempts to never redirect someone who is logged in. Finally, if a visitor gets redirected once, the malware will not redirect them again. The goal for the malware author is for visitors to not report something going wrong with a website. In this example, if you were to visit an infected site, you’d be redirected, but from your point of view, maybe it was just something weird so you retype the url and now you aren’t redirected. Since everything is working normally now, you decide not to report it and the malware lives on.

As you can imagine, this sort of malware can be difficult to troubleshoot. In fact, very often webmasters think it’s a typo and move on instead of investigating what happened. For that reason, most sites remain compromised, so if anyone ever complains that your site redirecting to “instabang.com” or a Badoink Porn App, it is very likely your site is hacked.


Read More

Was the FIFA Website Hacked?

As many know, our company has deep Brazilian roots, as such we have no choice but to enamored with the upcoming World Cup. Yes, the World Cup is coming, soccer news is everywhere and like most things, websites are being used to disseminate the news. The Federation Internationale de Football Association (FIFA) is perhaps one of the largest websites in the world dedicated to Football (a.ka.a Soccer for you Americans) news.

This morning however I awoke to the most startling of news; Twitter was all the rage with the most unexpected, yet expected, FIFA appeared to be hacked.

twitter hacked

Hactivisim Amidst

Is it possible that the Fifa website was hacked? Could it be Hacktivism?

This wouldn’t be the first time ofcourse, big events like this are usually a big target for hackers and this defacement sure is getting a lot of attention from the public. This is what the reported hacked website looks like:

fifa fake defacement

Everything in the site looked the same, except that they added an animation of Fifa’s president, Joseph Sepp Blatter, dancing with a funny song.

At first glance it seems to be legitimate, but taking a closer look you quickly realize it is a fake. Fifa’s official website is www.fifa.com and the one that is being reported as hacked, defaced, is www.fifa-brazil-2014.com.

If you search for these two websites on Google, you will get the same description, which can certainly lead people to believe that it is a legitimate website for FIFA.

phishing

If you take a minute to dig a little deeper though you’ll find it’s really not.

$ host fifa-brazil-2014.com
fifa-brazil-2014.com has address 82.196.13.236

$ host 82.196.13.236
236.13.196.82.in-addr.arpa domain name pointer samba-hack.feinheit.ch.

CH = Abbreviation for Switzerland

Samba-Hack = Name being given to the hack

Registered at:
Registrar URL: http://www.godaddy.com

Creation Date: 2013-06-06 09:11:09

Registrant Email: andrea.arezina@solidar.ch
Admin Name: Andrea Arezina
Registrant City: Zurich
Registrant State/Province: Switzerland

If you look at the real FIFA website you’ll find this information:


$ host fifa.com
fifa.com has address 94.236.90.168

Registrar URL: www.cscprotectsbrands.com

Registrant Email: domain.admin@fifa.org
Admin Name: Domain Name Administrator

Registrant City: Zurich
Registrant State/Province: Switzerland

What’s most peculiar however is that they appear to be in the same city. Definitely an awkward moment for sure.

Lesson To Be Learned

Opportunistic attacks can happen at any time, we can’t allow ourselves to be fooled by what we find online (even if it comes from Twitter, especially if it comes from Twitter). We have to remain diligent when visiting websites we’re unfamiliar with. This caution extends to Google as well as you can see above. Although this specific attack only injected a defacement, the attack could have been much worse, it could have been used to deliver a desktop trojan or any variety of other malware payloads.

Stay safe and don’t be fooled :)

PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor. This type of malware was named this because it allows for remote control of a compromised website in a way that bypasses appropriate authentication methods. You can update your site, change passwords, along with any of your admin procedures, and the backdoor would still be there allowing unexpected access to an attacker.

Backdoors are also very hard to find because they don’t have to be linked in the site, they can be very small and be easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere on your site, file system or database.

We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.

You can read something more about backdoors on these links:


Read More

Darkleech + Bitly.com = Insightful Statistics

This post is about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks.

We, at Sucuri, work with infected websites every day. While we see some particular infections on one site or on multiple sites, we can’t accurately tell how many more sites out there are infected, and how many people were exposed to that malware. All we can do is estimate.

Most estimations are based on data that can’t provide the whole picture such as number of detections in our SiteCheck scanner, number of cleanup requests, number of posts about a particular problem in webmaster forums. This only helps to tell whether it’s something “major” or “minor”.

Like any other firm out there, sometimes we can make some good educated estimates. For example, we can target specific Google searches that reveal the number of sites that contain some text, or URL specific to a particular attack. Another example is if an attack uses one specific URL (or a few well known URLs), then Google Safe Browsing reports also help estimate number of infected sites. These Google-based approaches are more precise, but they don’t work for most attacks that frequently change domains and have no artifacts that can be found in search results.

If security researchers are quite lucky, they might find an attacker’s unprotected (or poorly protected) Control Panel that contains all the statistics about infected site, clicks, exploits, etc.

This post will be about a different and quite unusual way of obtaining data about activity of a server-level attack that is known for being hard to detect and track.


Read More

Many Pieces of a Puzzle: Target, Neiman Marcus and Website Hacking

Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.

Website Malware

Read More

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

Sucuri  Sizzle CSS Selector Engine Modified III

Read More

vBulletin.com Compromised

The vBulletin team recently announced that they suffered a compromise which allowed the attackers access to vbulletin.com servers and database. On their own words:

We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.


Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More