Ask Sucuri: Who is logging into my WordPress site?

Today, we’re going to revisit our Q&A series. If you have any questions about malware, blacklisting, or security in general, send them to us at: info@sucuri.net. For all the “Ask Sucuri” answers, go here.


Question: How do I know who is logging into my WordPress site?

Answer: One of the most basic and important security aspects of any system is access control, specifically logging your access control point. It defines who can do what and where and under what circumstances. However, access control without the proper enforcement and auditing is like a law that is not enforced by the police; it loses its meaning.

WordPress has a very powerful access control tool, known as roles and capabilities, that allows you to specify what each user can do. However, it lacks good auditing capabilities. The purpose of auditing, i.e. logging, is to give administrators visibility into what is happening on the website at any given time.

Auditing is a very broad term. We could go in depth into the various elements that you, as an administrator, should audit. However, for this post we’re going to focus on your access control, specifically who is logging in.

Sucuri WordPress Security Plugin – Last Logins Feature

Out-of-the-box, the WordPress CMS does not provide auditing, nor does it include any type of authentication auditing for successful logins. For this reason, we have added both capabilities to our Free WordPress Security plugin.

The plugin allows administrators to see who is and has logged into your website. It includes attributes like location (i.e. where) and time. It’s known as the Last Logins feature (it’s based off the Linux “last” command).

This is what it looks like in your dashboard:

wordpress-lastlogins

It will list the users, IP addresses (hidden in the image) and the time of the login.

If you want to know who is logging in to your site (from when and from where), then leverage our Free WordPress Security plugin.

Note that it will only start logging the users, after you install it. So as soon you add the plugin, the last-logins table will be empty. But if you try to logout/log back in to WordPress, you should start to see it populating.

Importance of Auditing Your Access Control

For website administrators, we cannot stress the importance of logging activity, such as user log ins, enough. We handle various incidents on a daily basis where the website owner has no idea as to who is and isn’t logging into their environment.

Often, after a compromise, the forensics team will work with the website owner to understand what was going on. In many instances, basic auditing would have informed the client that something was not right. Here are some examples:

  1. Website owner works on the Pacific Coast, yet his user is logging in from China with his username and password
  2. Website owner is sleeping, yet somehow, the client’s user is still logging in
  3. A new user is logging into the environment every day and the website owner never created the user or it’s a single user website

Are you able to say, confidently, that this is not happening to you? If the answer is, “Yes,” then congratulations, you’re adhering to the auditing basics. If the answer is, “No,” then you should seriously consider downloading our free plugin.

More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack

Distributed Denial of Service (DDOS) attacks are becoming a common trend on our blog lately, and that’s OK because it’s a very serious issue for every website owner. Today I want to talk about a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors.

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites. Note that XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features you’re likely very fond of. But, it can also be heavily misused like what we are seeing.

Read More

Joomla Security Updates – Version 2.5.19 and 3.2.3 Released

The Joomla team just released 2 security updates and pushed out the stable versions for Joomla 2.5.19 and 3.2.3. If you run your site on Joomla, you need to update and apply these patches ASAP to ensure that your site continues to run securely.

If you are behind our CloudProxy Firewall, we will virtually patch these for you so you’re protected even if you do not upgrade. The Joomla website has more details on the security updates.

Issues fixed

On Joomla 2.5.19, these two issues were listed fixed:

Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information

But on Joomla 3.2.3, the following issues were fixed:

High Priority – Core SQL Injection More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core Unauthorised Logins More information

As you can see, there are some high priority SQL injection vulnerabilities along with some unauthorized login vulnerabilities in their Gmail login module (disabled by default).

The SQL injection seems to be related to an exploit released almost a month ago on the weblinks-categories id that was not escaped properly, and seems very easy to exploit.

Our team is still investigating the impact of this one and other vulnerabilities, and we will post more details as we identify them.

Malicious iFrame Injections Host Payload on Tumblr

It’s always fun to watch malware developers using different techniques to code their creations. Sometimes it’s a matter of obfuscation, placement, injection, but this time it’s how they code it to be dynamic.

I believe this is not the first one that uses this service, but it’s the first time I’m seeing it. The concept is not new, we have often seen Twitter and Ask.fm accounts being used as malware Command & Control (C&C) servers, but now we can add Tumblr to the list.

A few weeks ago we found an iFrame injection that was relying on Tumblr to trigger the payload.

Tumblr lets you effortlessly share anything. – Tumblr

It appears they take this motto to heart!

How Does It Work?

The anatomy of this attack is very interesting.

Read More

Not Just Pills or Payday Loans, It’s Essay SEO SPAM!

Remember back in school or college when you had to write pages and pages of long essays, but had no time to write them? Or maybe you were just too lazy? Yeah, good times. Well, it seems like some companies are trying to end this problem. They are offering services where clients pay them to write these essays for you.

Essay SEO SPAM

The problem is that this is not only wrong, but it’s also becoming a competitive market where some companies are leveraging SEO SPAM to gain better rankings on search engines (i.e., Google, Bing). They are also using popular sites like bleacherreport.com and joomlacode.org to add their spam links.

Here are a couple example URL’s from sites that got hit (URL’s are still showing SPAM):

Read More

New iFrame Injections Leverage PNG Image Metadata

We’re always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it’s new. We’ll just say it’s new.. ;)

We’re all familiar with the idea of iFrame Injections, right?

Understanding an iFrame Injection

The iFrame HTML tag is very standard today, it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites today, use Adsense? Then you have an iFrame embedded within your site too.

Pretty nifty, I know. Like with most things though, the good is always accompanied with the bad.

Read More

Friday the 13th – A Gallery of Webmaster Nightmares

This post is dedicated to all you geeky horror movie fans out there!

One morning you open your website and don’t recognize it. Something is devastatingly wrong. You wipe the sleep from your eyes, and instantly you know that you’re living your worst nightmare…

As you gain early morning focus from what you thought was a good night sleep, a scary face stares back at you, and declares that you’ve been hacked!

When you see it you know it’s, it’s…it’s…it’s Friday the 13th!!!

Hacked Website Defacement

It’s always Friday the 13th for webmasters of defaced sites, regardless of what their calendar tells. It becomes the most unlucky day in their webmaster life, the day when only bad things can happen.

Hacked Website Defacement 2

We, at Sucuri, come across such hacked sites every day. Every day we help website owners like you survive your Friday the 13th. We restore your sites and make sure this don’t happen again.

When your site is finally restored, and you calm down after the stressful fight for your site, it may eventually occur to you that the defaced page was a piece of some weird modern cyber art.

Hacked Website Defacement 3

OK, maybe you weren’t comparing your defacement to your favorite Van Gogh. We have seen defaced websites every day for the last few years, and after a while you start finding artistic value in some of the “hacked by..” pages you come across.

Sometimes they are disturbing and offensive, sometimes they are scary. Sometimes they are funny, and sometimes they even provide security advice.
In the end, they all reflect the sub-culture of h4x0r$.

Hacked Website Defacement 4

In this post, we’d like to share our collection of screenshots of defaced websites. Lean back and submerge into the world of cyber-chaos.
Once you emerge back from the craziness, think to yourself, and ask yourself the simple question, “Am I prepared to deal with such unfortunate events?”

Hacked Website Defacement 5

Hacked Website Defacement 6

Hacked Website Defacement 7

Hacked Website Defacement 8

Hacked Website Defacement 9

Hacked Website Defacement 10

Hacked Website Defacement 11

Hacked Website Defacement 12

Hacked Website Defacement 13

You can find 100 more screenshots and the whole collection on the Sucuri Facebook page.

——————

Have you encountered such defaced pages on the Internet? Share your own website nightmare, on this eery Friday the 13th!

How We Decoded Some Nasty Multi-Level Encoded Malware

From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases.

Recently, I crossed pathes with this little gem:

dissecting-malware-step-1

That snippet is encoded malicious content. The full payload is is much bigger, 12816 characters, to be exact. Seems benign, right? At least it looks interesting. So interesting that I decided to dissect it, piece by piece.

Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More

WordPress 3.6.1 Released – Includes Security Fixes

The WordPress team just pushed out a new version of WordPress. WordPress 3.6.1 is a maintenance release that includes some security bug fixes. Straight from their release post, these are the security changes:

  1. Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  2. Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  3. Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

We asked WordPress Lead Developer, Andrew Nacin for a bit of clarity around the author role issue that was fixed, here’s what Andrew said:

A user can reassign the authorship of a post to another user, even when they are not allowed to do so. (For example, the user is an Author and not an Editor.) The user must already be allowed to edit content — and specifically edit that post. They also then lose the ability to edit that post, but this “forging” could still cause a compromised account or malicious user to post as another user.

In closing the conversation with Andrew, he remarked that WordPress is not vulnerable to the remote code execution issue by default:

I’ll emphasize that WordPress is *NOT* exploitable to the RCE out of the box, despite it being a doozy. It requires a vulnerable object (which core does not have), as well as a vulnerable character set. It is a “perfect storm” vulnerability.


Read More