SECURELI.com responds to ISIS attacks against French and US sites

😱 Since Sunday, October 25, 2020, many US and French sites have been victims of cyber attacks to spread fundamentalist propaganda in a very tense diplomatic context… 🤨

⚡️SECURELI.com provides an IMMEDIATE response TO PROTECT YOU from these attacks: 🎯

🎁 If your site is a victim of this attack: FREE REPAIR (100€ HT => Free)

🎁 Migration Offered and 30% discount on your annual SECURELI hosting (300€ HT / year =>240€ HT / year)

Enjoy SECURELI services for your site now:

🤝 100% uptime guaranteed – Satisfied or refunded
📞 24/7/365 phone support
🙋🏻 Dedicated account manager and a team of Web security experts
⚡️ Same day repair if your site is under attack
🔑 Best possible security for your website
🏦 Continuous backups… and easy restores to safeguard your data

Do not hesitate to contact us to learn more about the security of your site: (833) SITE-FIX!

OctoberCMS Web Application Open Source Dependency Vulnerability

OctoberCMS is a CMS similar to WordPress, but with much less “fluff”.

Our team identified that the latest version of OctoberCMS relies on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1.

All of these dependencies are vulnerable.

/october/themes/demo/assets/vendor/bootstrap.js

↳ bootstrap 3.3.7 has known vulnerabilities:

  • severity: high; issue: 28236; summary: XSS in data-template, data-content and data-title properties of tooltip/popover; CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236
  • severity: medium; issue: 20184; summary: XSS in data-target property of scrollspy; CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184; summary: XSS in collapse data-parent attribute; CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184; summary: XSS in data-container property of tooltip; CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184

/october/themes/demo/assets/vendor/jquery.js

↳ jquery 1.11.1 has known vulnerabilities:

  • severity: medium; issue: 2432; summary: 3rd party CORS request may execute; CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: medium; issue: 11974; summary: parseHTML() executes scripts in event handlers; CVE: CVE-2015-9251; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js

↳ jquery 3.3.1 has known vulnerabilities:

  • severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

All of these vulnerabilities were identified by RetireJS (https://retirejs.github.io/retire.js/), which identifies open source dependency vulnerabilities.

WordPress Version Number Disclosure

WordPress is an extremely popular target for hackers, as it powers ~70% of the websites online.

The most common causes of compromise are outdated WordPress core versions, insecure plugins, and insecure themes.

We decided to create a script that would let us quickly identify whether a WordPress website was running a vulnerable version, based on its version number.

https://wpvulndb.com/wordpresses/ was our resource for building an array in Golang of vulnerable versions, which we check against the version number pulled by our internal WordPress version identification script.

This script turned out to be FAST! It was our first time working with Golang, and the sheer power of multithreaded HTTP requests made it a game changer for monitoring and scanning millions of WordPress sites, so we can contact website owners and agencies with this vulnerability information and keep them from having to rely on a hacked website repair service or WordPress malware removal.
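As an added example (not the post's own script, nor RetireJS code), here is the core of such a version check in Go: it pulls the version out of a vendored jQuery header comment or a WordPress generator meta tag, compares it numerically against a small advisory table, and returns the matching advisory IDs. The jQuery entry restates the RetireJS finding from the OctoberCMS section above; the WordPress entry and the sample inputs are constructed placeholders, and the concurrent HTTP fetching the post describes is left out so the check runs offline.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Advisory: every version before FixedIn is affected. The jQuery entry restates
// the RetireJS finding above; the WordPress entry is a CONSTRUCTED placeholder
// standing in for the wpvulndb data the post's script compared against.
type Advisory struct{ Product, FixedIn, ID string }

var Advisories = []Advisory{
	{"jquery", "3.4.0", "CVE-2019-11358"},
	{"wordpress", "5.2.3", "WPVULNDB-PLACEHOLDER"},
}

// Banners that identify a product and its version: the header comment of
// jquery.js, and the generator meta tag WordPress prints on every page.
var fingerprints = map[string]*regexp.Regexp{
	"jquery":    regexp.MustCompile(`jQuery (?:JavaScript Library )?v(\d+(?:\.\d+)+)`),
	"wordpress": regexp.MustCompile(`content="WordPress (\d+(?:\.\d+)+)"`),
}

// component returns the i-th dotted component as an int, 0 when absent (so 3.4 == 3.4.0).
func component(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// VersionLess reports a < b component by component, so "1.9.1" < "1.11.1"
// (a plain string comparison would get that wrong and miss vulnerable builds).
func VersionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := component(as, i), component(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Check scans body for product banners and returns the IDs of the advisories
// whose fixed version is newer than the one found; nil means nothing matched.
func Check(body string) []string {
	var ids []string
	for product, re := range fingerprints {
		m := re.FindStringSubmatch(body)
		if m == nil {
			continue
		}
		for _, a := range Advisories {
			if a.Product == product && VersionLess(m[1], a.FixedIn) {
				ids = append(ids, a.ID)
			}
		}
	}
	return ids
}

func main() {
	// Constructed inputs: a vendored jQuery header and a WordPress home page.
	fmt.Println(Check("/*! jQuery v3.3.1 | (c) JS Foundation */"))
	fmt.Println(Check(`<meta name="generator" content="WordPress 5.2.2">`))
}
```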

Hacker101 jQuery Dependency Vulnerability

“Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.”

https://github.com/tidave85/hacker101 suffers from the following open source dependency vulnerabilities.

/hacker101/assets/javascript/bootstrap/bootstrap.bundle.min.js

↳ bootstrap 4.1.0 has known vulnerabilities:

  • severity: high; issue: 28236; summary: XSS in data-template, data-content and data-title properties of tooltip/popover; CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236
  • severity: medium; issue: 20184; summary: XSS in data-target property of scrollspy; CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184; summary: XSS in collapse data-parent attribute; CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184; summary: XSS in data-container property of tooltip; CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184

/hacker101/assets/javascript/bootstrap/jquery.min.js

↳ jquery 3.3.1 has known vulnerabilities:

  • severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Kotlin v1.3.60 Programming Language Vulnerability

https://github.com/Saamyy/kotlin suffers from the following open source dependency vulnerabilities, relying on an outdated version of jQuery.

/kotlin/libraries/examples/browser-example/src/js/jquery.js

↳ jquery 1.6.2 has known vulnerabilities:

  • severity: medium; summary: XSS with location.hash; CVE: CVE-2011-4969; https://nvd.nist.gov/vuln/detail/CVE-2011-4969 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/9521
  • severity: medium; bug: 11290; summary: Selector interpreted as HTML; CVE: CVE-2012-6708; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
  • severity: medium; issue: 2432; summary: 3rd party CORS request may execute; CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

/kotlin/libraries/examples/browser-example-with-library/src/js/jquery.js

↳ jquery 1.6.2 has known vulnerabilities:

  • severity: medium; summary: XSS with location.hash; CVE: CVE-2011-4969; https://nvd.nist.gov/vuln/detail/CVE-2011-4969 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/9521
  • severity: medium; bug: 11290; summary: Selector interpreted as HTML; CVE: CVE-2012-6708; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/
  • severity: medium; issue: 2432; summary: 3rd party CORS request may execute; CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

Self Replicating, Polymorphic Website Malware

The hardest challenges are the ones that constantly change.

Malicious website software has recently seen an influx of self-replicating, polymorphic code that infects a website (and thus the web server) and gains remote code execution, which is then used to launch additional attacks and compromise the data on the breached website and server.

In a recent incident, we cleaned a website fully in a non-web environment based on a WordFence Premium scan.

After deploying this codebase to our staging environment, it became reinfected within seconds, as we watched WordFence’s scan results live.

This led us to create an NGINX configuration rule allowing only our team’s IP to access the website, in an attempt to keep the apparent “bots” from re-attacking the site with weaponized code that auto-exploits our tech stack (WordPress, PHP/MySQL, Linux, on a single VPS at a popular cloud provider).

Sadly, that also blocked WordFence from “phoning home” for updates (as well as for validation of the installed Premium license key, I’m sure). This led us to whitelist their IP range of 69.46.36.0 to 69.46.36.32. The scan ran… and boom….

More malware.

While we worked to ensure that the website was being actively analyzed for what we missed, we took a step in the direction of looking at the web server itself.

There are a few critical actions that help website intrusion incident response:

      • Review the web server logs on Linux @ /var/log/apache2/access.log & error.log or /var/log/httpd/access.log & error.log
      • Execute the command netstat -ntap to identify all network connections. You can combine this with the watch command, such as watch "netstat -ntap" along with a terminal recorder (tools like https://asciinema.org/ are amazing for this!)
      • Perform a packet capture using tcpdump, and deploy the “most clean” version of the website we have

This gives us a great deal of information on how to act next. First, from the web server logs we can identify which URLs a bot is hitting to trigger a re-infection, and the IP addresses of the bots hitting those URLs.

It is extremely important to document this properly in case FBI involvement becomes necessary, as with credit card theft or identity theft.

While our systems engineers went to work on the server side of things, we continued to investigate the code base.

We blocked the IPs. Still, another re-infection.

We disabled cron. More re-infections.

But now, we were only seeing “index.php” re-infected, as well as a random PHP shell being dropped (e.g. “wp-content/uploads/maps-backup/cnhmeiyu.php”).

Back to more code analysis. Given this site had 30+ plugins, some of which were “abandoned” plugins (a major red flag), we decided to look for some more common issues. Maybe we were too close to the trees to see the forest?

Using a TimThumb vulnerability scanner (a very popular vulnerability with outdated/abandoned WordPress plugins), we identified ONE vulnerable TimThumb file!
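Going back to the web server log review step above, here is an added example (not from the incident itself, and not SECURELI's tooling) of a Go pass over Apache combined-format access-log lines that applies two rules from this incident, PHP executing from wp-content/uploads and any request to a TimThumb file, and tallies the flagged hits per client IP. The log lines, client IPs and timestamps are constructed; only the shell path is the one quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in Apache combined-log format; they are NOT from the
// incident, only shaped like the traffic the post describes (a TimThumb request
// followed by hits on a PHP shell dropped under wp-content/uploads).
const SampleLog = `198.51.100.23 - - [25/Oct/2020:10:01:02 +0000] "GET /wp-content/themes/demo/timthumb.php?src=redacted HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Oct/2020:10:01:05 +0000] "POST /wp-content/uploads/maps-backup/cnhmeiyu.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Oct/2020:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Oct/2020:10:02:11 +0000] "GET /wp-content/uploads/2020/10/logo.png HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Oct/2020:10:03:00 +0000] "GET /wp-content/uploads/maps-backup/cnhmeiyu.php HTTP/1.1" 200 44 "-" "python-requests/2.24"`

// Finding is one request worth a second look, with the rule that flagged it.
type Finding struct{ IP, Time, Method, Path, Reason string }

// Combined-log prefix: client IP, timestamp, request line, status code.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Classify returns why a request path is suspicious, or "" if it is not.
// Two rules from the incident: PHP must never execute from the uploads
// directory, and any TimThumb request deserves review on a site carrying
// abandoned plugins.
func Classify(path string) string {
	p := strings.ToLower(path)
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i] // drop the query string before matching
	}
	switch {
	case strings.HasPrefix(p, "/wp-content/uploads/") && strings.HasSuffix(p, ".php"):
		return "php-in-uploads"
	case strings.HasSuffix(p, "/timthumb.php"):
		return "timthumb-request"
	}
	return ""
}

// ScanLog parses each line and keeps the requests that Classify flags.
func ScanLog(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-log line; skip rather than fail
		}
		if reason := Classify(m[4]); reason != "" {
			out = append(out, Finding{IP: m[1], Time: m[2], Method: m[3], Path: m[4], Reason: reason})
		}
	}
	return out
}

// HitsByIP counts flagged requests per client: the list used to decide which
// addresses to block, and to hand over if law enforcement gets involved.
func HitsByIP(fs []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range fs {
		counts[f.IP]++
	}
	return counts
}

func main() {
	findings := ScanLog(SampleLog)
	for _, f := range findings {
		fmt.Printf("%-15s %s %-4s %-50s %s\n", f.IP, f.Time, f.Method, f.Path, f.Reason)
	}
	fmt.Println("flagged hits per IP:", HitsByIP(findings))
}
```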

So, we patched and re-deployed, crossing our fingers…

Boom, a clean site. Next step? A snapshot backup, and ongoing monitoring of the website, automatically using WordPress plugins and manually by our 24/7 network and security operations center. Continued management of the core WordPress version and plugins, vulnerability management, standing up a web application firewall, and much more are the next steps for keeping this company secure.

Our team would love to hear your experience with polymorphic, self-replicating malware! E-mail us any time at [email protected] or by calling (833) SITE-FIX.

-John from SECURELI

3 Ways to Prepare for WordPress Website Malware in 2020

Maybe your client’s site got hacked, it’s time for a security checkup, or you’re tired of telemarketers terrorizing your phone lines with the vulnerabilities sales pitch.

Despite the hype, the threat is real. WordPress makes up 90% of hacked CMS sites, reports ZDNet, the CBS-owned technology news site. It’s doubly dangerous when your client’s business and your reputation are at risk. WordPress website malware removal could protect your agency’s brand and bottom line.

What is malware or malicious software? Malware is software designed to damage, steal data, or simply mess things up. If you’ve searched “how to protect WordPress site from malware”, then follow these three steps.

1.) Keep Your Client’s Site Updated

Some agency managers hesitate to make updates because they’re afraid to break something. It’s critical that you update every aspect of the sites you oversee when the opportunity presents itself. Old versions are far more vulnerable because they lack the newest security and anti-malware measures. You’ll want to update WordPress itself, themes, plugins, and files.

As you update the various components, it’s often a smart idea to standardize your themes and plugins. It’ll prevent one-off vulnerabilities and help manage your business as it grows.

It’s a headache to manually monitor the WordPress Admin interface for each client. Many agency managers partner with a security firm to handle this crucial yet time-consuming task.

2.) Lock Down the Login Page

WordPress is a secure platform, but the login page is a targeted weak point. The most often overlooked strategy for website malware protection is creating a strong username and password. Avoid “admin” as your username because it’s the default and therefore easy pickings for bots and hackers. A secure password can even be generated by WordPress itself.

Also, you can beef up security with two-factor authentication, which requires users to have a smartphone to log in. And you can add plugins that limit the number of login attempts to prevent a brute force attack, in which a hacker tries endless combinations to crack your password.

3.) Schedule and Automate Regular Backups

Backups allow you to restore your client’s website to a saved version before a current hack or malware infection. It allows you to go to the “past” without a time machine.

Depending on your client’s industry, it may be essential to have a more frequent backup schedule. For example, a news company might need more frequent backups than a brochure site for a lawyer.

Choose the time interval for automated backups to match content updates. But always back up before significant changes such as when you switch themes, install a new plugin, or upload large amounts of content or products.

There are a few strategies to back up your WordPress sites. There are plugins with this feature, some web hosting offers backups, and there are support plans that provide this functionality. Although you often sacrifice a little content when you restore, it’s better than losing everything.

Client’s Site Hacked and You Need WordPress Website Malware Removal?

First, tell your client what’s up. Honesty is always the best policy. Do a complete backup of the site and go into maintenance mode. Use tools like Google Console to diagnose the infection if your site has been blacklisted by search engines.

You can then follow step-by-step instructions from thousands of online articles to remove the malware. But with your reputation and your client’s customers in jeopardy, it may be best to contact a WordPress malware removal service. SECURELI has a three-step proprietary process that can get your client’s site going without delay, and you don’t pay until it’s repaired.

Fixing a client’s hacked WordPress site doesn’t have to be a nightmare. We can help with WordPress website malware removal. Contact us today 24/7/365 at (833)-SITE-FIX or email us at [email protected]

Your DIY Guide to Hacked WordPress Repair

Your Guide to Hacked WordPress Repair

If you run a website, you have to be prepared for the reality that it could be hacked at some point. Dealing with a hacked website can be stressful, and when it’s a WordPress site specifically, it can be even more frustrating because repairs won’t be the same as they would for a standard website.

Fortunately, this guide will help you learn the basics of hacked WordPress repair, including what you can do and when to call for help.

Hacking Can Cause All Kinds of Damage

If your WordPress website (or any other site, for that matter) is hacked, it can affect a lot of different things. If you run an e-commerce business or have customer payment information on file, you could expose them to security risks. You can lose your rankings in search engines, and even be blacklisted if the infection is serious enough.

Being hacked can expose visitors to viruses and malware, cause you to lose site data, and even ruin your reputation due to the security breach or to malware redirecting visitors to bad websites. It’s bad news in a lot of ways, but there is something you can do.

How to Repair Your Hacked WordPress Site

Step One: Find the hack and its source. Check to see if you can log in to the admin panel or if there are links popping up that you didn’t put on the site. Maybe you realized there was a problem because of malware redirects or that Google started flagging your site as unsafe. Either way, you have to find the source.

Step Two: Change your passwords immediately. If you can, put your site into maintenance mode so that it’s not continuing to cause damage. You may be able to restore your site from a backup, but you could risk losing fresh content so you’ll have to consider this in your decision.

Step Three: If you use hosting services, check to make sure they didn’t have a breach that’s bigger than your own WordPress site. They may have more information about what happened or how to fix it. In some cases, they might even clean up the mess for you.

Step Four: Find and remove the malware, bad code, or other infection. With WordPress, you’ll often find backdoors for hackers hiding in inactive plugins and themes. Delete any of these to ensure they’re not the problem. You can use any number of free plugins to do security audits and help with hacked WordPress repair.

Protect Yourself for the Future

If you don’t already, invest in a reputable WordPress hosting service. If the budget allows, consider using managed hosting services for the best security and hacking prevention. Also, make sure that you have a backup option for your website so that you can back everything up before you begin the repair process.

While you might be able to manage most of the process, you should really call in the professionals for hacked WordPress repair. Hacking repair specialists will ensure that you get the results that you deserve and that your WordPress site is better protected against future threats.

Need an expert to repair your website? Contact us today by calling (833) SITE-FIX.

Resources
https://www.tripwire.com/state-of-security/security-awareness/fix-hacked-wordpress-site/
https://www.wpbeginner.com/beginners-guide/beginners-step-step-guide-fixing-hacked-wordpress-site/

Hacked Website Repair: What You Should Know

If your website is hacked, you may find yourself in a situation where you aren’t sure what to do or who to call. The good news is that there is no need to panic. Help is available, and there are even some things that you can do yourself to help with the issue. Website security is critical to your online business, and there are so many potential risks out there that a small business could find itself spending a small fortune just to stay safe. According to an annual crime report from Cybersecurity Ventures:

“Ransomware attacks occur every 14 seconds. The report also estimates that this number will increase to every 11 seconds by the year 2021.”

One well-known attack compromised more than 4,600 websites when malware was used to steal payment information and other private user data.

Some of the websites still remain partially infected or contain some remnants of the coding. With all that being said, it’s obvious that hacking and malware are serious problems. However, there are also a number of solutions out there to help increase your website security and repair the damage.

Signs You May Have Been Hacked

Although every attack is different, there are certainly some “symptoms” that you may experience on your own website that others have reported. Some of the most common signs that there’s been a security breach on your website include:

  • Unknown or suspicious files, admin users, scripts, or links start appearing on your website or in the coding.
  • Your site becomes slow and unresponsive.
  • Third-party hosting accounts may be disabled or banned.
  • Search engine warnings are presented to visitors attempting to click through to your website.
  • There are ads and pop-ups redirecting your visitors to nefarious or irrelevant domains.
  • The server load is heavy even when traffic is low.
  • Gibberish content starts showing up at random throughout your website.
  • You find unknown extensions and plugins on your servers.
  • Spam emails are being sent from your own mail server.
  • Customers are reporting stolen credit card information or calling about security breaches.
  • Your website data is being sold online.

The last couple are fairly obvious signs that you’ve probably been hacked. Others, however, may be harder to detect on their own. By knowing what to look for, it should be easier for you to identify breaches sooner and limit the damage.

What Do I Do Now?

If you realize that your website has been hacked, you’ll want to do what you can to control the damage right away. Perform a total backup of your website and put it into maintenance mode. You can also use tools like Google Console to find the cause of the infection if your site has been blacklisted in search engine results.

There are plenty of articles online that offer advice and step-by-step solutions for removing malware and ransomware files on your own, but unless you’re experienced in coding and databases, you really need to reach out to a professional website repair service that can eliminate all of the infected files or scripts and secure your site to help prevent against future attacks.

Resources
https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
https://www.getastra.com/blog/911/hacked-website-repair/
https://hackrepair.com/hackrepair-com-articles-catalog

Password Leak – Version 76.0.3809.132 (Official Build) (64-bit)

When Google Chrome finds a password form field rendered as plain text (a type="text" input marked with autocomplete="new-password"), its autofill drop-down will reveal all passwords saved for that primary domain.

For example, take a look at the following code and screenshot:

<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">

By checking the “Show Password” button, as shown below…

…the auto-complete function in Chrome is activated and clicking on the password field shows a drop-down of all passwords saved on that domain, as shown below: