Self Replicating, Polymorphic Website Malware

The hardest challenges are the ones that constantly change.

Malicious website software has recently seen an influx of self-replicating, polymorphic code that infects a website (and thus the web server), gives the attacker remote code execution, and uses that access to launch additional attacks and compromise the data on the breached website and server.

In a recent incident, we fully cleaned a website offline (in a non-web environment), working from a WordFence Premium scan.

After deploying this codebase to our staging environment, it was reinfected within seconds, according to WordFence scan results we were watching live.

This led us to add an NGINX configuration rule allowing only our team’s IP to access the website, in an attempt to keep the apparent “bots” from re-attacking the site with weaponized code that auto-exploits our tech stack (WordPress, PHP/MySQL, Linux, on a single VPS at a popular cloud provider).

Sadly, that also blocked WordFence from “phoning home” for updates (as well as validating the installed Premium license key, I’m sure). This led us to whitelist their IP range of 69.46.36.0 to 69.46.36.32. The scan ran… and boom…

More malware.

While we worked to ensure that the website was being actively analyzed for what we missed, we took a step in the direction of looking at the web server itself.

There are a few critical actions that help website intrusion incident response:

  • Review the web server logs on Linux at /var/log/apache2/access.log and error.log, or /var/log/httpd/access.log and error.log
  • Execute the command netstat -ntap to identify all network connections. You can combine this with the watch command, such as watch "netstat -ntap", along with a terminal recorder (tools like https://asciinema.org/ are amazing for this!)
  • Perform a packet capture using tcpdump, and deploy the cleanest version of the website we have

This gives us a great deal of information on how to act next. First, from the web server logs we can identify which URLs a bot hits to trigger a re-infection, and the IP addresses of the bots hitting those URLs.
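As an added example (written for this page, not code from the original post), here is the log triage described above carried out on constructed Apache/NGINX combined-format lines: parse the log, keep the requests in the minutes before the reinfection was observed, and count which IPs and URLs were involved. The addresses are RFC 5737 test addresses and the paths are made up apart from the ones the write-up itself names.

```python
"""Triage web server access logs around a reinfection time.

Added example, not code from the original post. The log lines below are
constructed for illustration (RFC 5737 test addresses, made-up paths).
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format:
#   ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one scripted client and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2020:10:14:02 +0000] "GET /wp-content/themes/old/timthumb.php?src=x HTTP/1.1" 200 812 "-" "python-requests/2.22"
198.51.100.20 - - [12/Mar/2020:10:14:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:14:07 +0000] "POST /wp-content/uploads/maps-backup/cnhmeiyu.php HTTP/1.1" 200 35 "-" "python-requests/2.22"
198.51.100.20 - - [12/Mar/2020:10:14:10 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:14:11 +0000] "POST /index.php HTTP/1.1" 200 20 "-" "python-requests/2.22"
198.51.100.20 - - [12/Mar/2020:11:30:00 +0000] "GET /contact/ HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
        entries.append(entry)
    return entries


def is_suspicious(entry):
    """Heuristics matching what the write-up observed: POSTs, PHP files under
    wp-content/uploads (which should hold media, never executable code), and
    any request to a TimThumb copy."""
    path = entry["path"].split("?", 1)[0].lower()
    return (
        entry["method"] == "POST"
        or (path.startswith("/wp-content/uploads/") and path.endswith(".php"))
        or path.endswith("/timthumb.php")
    )


def triage(entries, reinfected_at, window=timedelta(minutes=5)):
    """Return (ip_counter, url_counter) for suspicious requests in the window
    ending at the time the reinfection was observed."""
    start = reinfected_at - window
    hits = [e for e in entries
            if start <= e["time"] <= reinfected_at and is_suspicious(e)]
    by_ip = Counter(e["ip"] for e in hits)
    by_url = Counter(f'{e["method"]} {e["path"]}' for e in hits)
    return by_ip, by_url


if __name__ == "__main__":
    seen = datetime(2020, 3, 12, 10, 14, 12, tzinfo=timezone.utc)
    ips, urls = triage(parse_log(SAMPLE_LOG), seen)
    print("Suspicious requests by IP:", ips.most_common())
    print("Suspicious requests by URL:", urls.most_common())
```

The window is keyed to the moment the scanner reported the reinfection, which is exactly the timestamp you get when watching the scan live as described above; widen it if the scan interval is longer. The IP and URL counters are what you document for an incident report, and the lines that fed them are what you preserve as evidence.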

This is extremely important to document properly in case FBI involvement becomes necessary, as with credit card theft and identity theft.

While our systems engineers went to work on the server side of things, we continued to investigate the code base.

We blocked the IPs. Still, another re-infection.

We disabled cron. More re-infections.

But now we were only seeing “index.php” affected, plus a random PHP shell being dropped (e.g. “wp-content/uploads/maps-backup/cnhmeiyu.php”).
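The two symptoms just described, a modified index.php and a PHP file appearing under wp-content/uploads, are exactly what a file-integrity baseline catches. As an added example (not code from the original post or from any WordPress tool), the script below hashes a web root into a manifest, diffs a later manifest against it, and raises alerts for those two patterns. demo() builds a constructed site in a temporary directory, so nothing on a real host is touched; the dropped file is a placeholder that carries only the name from the write-up.

```python
"""Detect dropped or modified PHP files between two snapshots of a web root.

Added example, not code from the original post. demo() constructs a throwaway
site in a temporary directory to show the diff and the alerts it produces.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories that should never gain executable PHP files after deployment.
NO_PHP_DIRS = ("wp-content/uploads",)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def build_manifest(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def alerts_for(added, modified):
    """Turn a diff into alert strings a monitoring job would page on."""
    alerts = []
    for p in added:
        if p.lower().endswith(PHP_SUFFIXES) and p.startswith(NO_PHP_DIRS):
            alerts.append(f"new PHP file in upload dir: {p}")
    for p in modified:
        if p.lower().endswith(PHP_SUFFIXES):
            alerts.append(f"PHP file changed since baseline: {p}")
    return alerts


def demo():
    """Constructed scenario: clean deploy, then an index.php edit and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content/uploads/2020/03").mkdir(parents=True)
        (site / "wp-content/uploads/2020/03/logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(site)   # taken right after the clean deploy

        # Simulated reinfection: index.php modified, PHP placeholder dropped under uploads.
        (site / "index.php").write_text(
            "<?php /* constructed injected line */ require 'wp-blog-header.php';\n")
        (site / "wp-content/uploads/maps-backup").mkdir()
        (site / "wp-content/uploads/maps-backup/cnhmeiyu.php").write_text(
            "<?php /* constructed placeholder, not a real file */\n")
        current = build_manifest(site)

        added, modified, removed = diff_manifests(baseline, current)
        return added, modified, removed, alerts_for(added, modified)


if __name__ == "__main__":
    for alert in demo()[3]:
        print(alert)
```

Take the baseline from the clean deploy, store it off the server (a manifest on the compromised host can be edited along with everything else), and re-run the comparison from cron on a separate box or from the monitoring system rather than from the site's own cron, which the write-up notes had to be disabled during the incident.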

Back to more code analysis. Given this site had 30+ plugins, some of which were “abandoned” plugins (a major red flag), we decided to look for some more common issues. Maybe we were too close to the trees to see the forest?

Using a TimThumb vulnerability scanner (TimThumb is a very common vulnerability in outdated/abandoned WordPress plugins), we identified ONE vulnerable TimThumb file!

So, we patched and re-deployed, crossing our fingers…

Boom, a clean site. Next step? Snapshot backup, and ongoing monitoring of the website, automatically using WordPress plugins and manually by our 24/7 network and security operations center. Continued management of the core WordPress version, plugins, vulnerability management, standing up a web application firewall, and much more are the next steps for continuing to keep this company secure.

Our team would love to hear your experience with polymorphic, self-replicating malware! E-mail us any time at [email protected] or by calling (833) SITE-FIX.

-John from SECURELI

3 Ways to Prepare for WordPress Website Malware in 2020

Maybe your client’s site got hacked, it’s time for a security checkup, or you’re tired of telemarketers terrorizing your phone lines with the vulnerabilities sales pitch.

Despite the hype, the threat is real. WordPress makes up 90% of hacked CMS sites, reports ZDNet, the CBS-owned technology news site. It’s doubly dangerous when your client’s business and your reputation are at risk. WordPress website malware removal could protect your agency’s brand and bottom line.

What is malware or malicious software? Malware is software designed to damage, steal data, or simply mess things up. If you’ve searched “how to protect WordPress site from malware”, then follow these three steps.

1.) Keep Your Client’s Site Updated

Some agency managers hesitate to make updates because they’re afraid to break something. It’s critical that you update every aspect of the sites you oversee when the opportunity presents itself. Old versions are far more vulnerable because they lack the newest security and anti-malware measures. You’ll want to update WordPress itself, themes, plugins, and files.

As you update the various components, it’s often a smart idea to standardize your themes and plugins. It’ll prevent one-off vulnerabilities and help manage your business as it grows.

It’s a headache to manually monitor the WordPress Admin interface for each client. Many agency managers partner with a security firm to handle this crucial yet time-consuming task.

2.) Lock Down the Login Page

WordPress is a secure platform, but the login page is a targeted weak point. The most often overlooked strategy for website malware protection is creating a strong username and password. Avoid “admin” as your username because it’s the default and therefore easy pickings for bots and hackers. A secure password can even be generated by WordPress itself.

Also, you can beef up security with two-factor authentication, which requires users to have a smartphone to log in. And you can add plugins that limit the number of login attempts to prevent a brute force attack, which is when a hacker tries endless combinations to crack your password.
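As an added illustration of the attempt-limiting idea in step 2 (example code written for this page, not a WordPress plugin), the limiter below keeps a sliding window of failed logins per source IP and per username, locks either key out once it crosses a threshold, and refuses the default “admin” username outright. The clock is injectable so the lockout expiry can be exercised without waiting; thresholds are arbitrary values chosen for the example.

```python
"""Limit failed login attempts to blunt password brute forcing.

Added example, not from the original post or any WordPress plugin.
"""
import time
from collections import defaultdict, deque

BANNED_USERNAMES = {"admin", "administrator", "root"}   # defaults bots try first


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=1800, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _keys(self, ip, username):
        # Track both: one IP cycling usernames, and one username hit from many IPs.
        return (f"ip:{ip}", f"user:{username.lower()}")

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, username):
        """Return (allowed, reason). Call before verifying the password."""
        if username.lower() in BANNED_USERNAMES:
            return False, "username not permitted"
        now = self.clock()
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is not None:
                if now < until:
                    return False, f"locked ({key})"
                del self._locked_until[key]   # lock expired; start fresh
                self._failures[key].clear()
        return True, "ok"

    def record_failure(self, ip, username):
        """Register a wrong password; lock the key once the window fills."""
        now = self.clock()
        for key in self._keys(ip, username):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout

    def record_success(self, ip, username):
        """A correct login clears the counters for that IP and user."""
        for key in self._keys(ip, username):
            self._failures[key].clear()
            self._locked_until.pop(key, None)


def demo():
    """Constructed run: five failures lock the IP and the username; the lock expires later."""
    t = [1000.0]                                  # fake clock, advanced by hand
    limiter = LoginLimiter(max_failures=5, window_seconds=60,
                           lockout_seconds=300, clock=lambda: t[0])
    for _ in range(5):
        limiter.record_failure("203.0.113.7", "editor")
        t[0] += 1
    locked = limiter.check("203.0.113.7", "editor")[0]                # False
    other_ip_same_user = limiter.check("198.51.100.20", "editor")[0]  # False: username locked
    t[0] += 301                                                       # past the lockout
    after = limiter.check("203.0.113.7", "editor")[0]                 # True
    return locked, other_ip_same_user, after


if __name__ == "__main__":
    print(demo())
```

Locking on the username as well as the IP is what stops a distributed attack that rotates source addresses, but it also means an attacker can lock a legitimate user out for the lockout period; pair it with two-factor authentication and keep the lockout short enough that the nuisance is bounded.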

3.) Schedule and Automate Regular Backups

Backups allow you to restore your client’s website to a saved version before a current hack or malware infection. It allows you to go to the “past” without a time machine.

Depending on your client’s industry, it may be essential to have a more frequent backup schedule. For example, a news company might need more frequent backups than a brochure site for a lawyer.

Choose the time interval for automated backups to match content updates. But always back up before significant changes such as when you switch themes, install a new plugin, or upload large amounts of content or products.

There are a few strategies to back up your WordPress sites. There are plugins with this feature, some web hosting offers backups, and there are support plans that provide this functionality. Although you often sacrifice a little content when you restore, it’s better than losing everything.

Client’s Site Hacked and You Need WordPress Website Malware Removal?

First, tell your client what’s up. Honesty is always the best policy. Do a complete backup of the site and go into maintenance mode. Use tools like Google Console to diagnose the infection if your site has been search engine blacklisted.

You can then follow step-by-step instructions from thousands of online articles to remove the malware. But with your reputation and your client’s customers in jeopardy, it may be best to contact a WordPress malware removal service. SECURELI has a three-step proprietary process that can get your client’s site going without delay, and you don’t pay until it’s repaired.

Fixing a client’s hacked WordPress site doesn’t have to be a nightmare. We can help with WordPress website malware removal. Contact us today 24/7/365 at (833)-SITE-FIX or email us at [email protected]

Hacked Website Repair: What You Should Know


If your website is hacked, you may find yourself in a situation where you aren’t sure what to do or who to call. The good news is that there is no need to panic. Help is available, and there are even some things that you can do yourself to help with the issue. Website security is critical to your online business, and there are so many potential risks out there that a small business could find itself spending a small fortune just to stay safe. According to an annual crime report from Cybersecurity Ventures:

“Ransomware attacks occur every 14 seconds. The report also estimates that this number will increase to every 11 seconds by the year 2021.”

One well-known attack compromised more than 4,600 websites when malware was used to steal payment information and other private user data.

Some of the websites still remain partially infected or contain some remnants of the coding. With all that being said, it’s obvious that hacking and malware are serious problems. However, there are also a number of solutions out there to help increase your website security and repair the damage.

Signs You May Have Been Hacked

Although every attack is different, there are certainly some “symptoms” that you may experience on your own website that others have reported. Some of the most common signs that there’s been a security breach on your website include:

  • Unknown or suspicious files, admin users, scripts, or links start appearing on your website or in the code.
  • Your site becomes slow and unresponsive.
  • Third-party hosting accounts may be disabled or banned.
  • Search engine warnings are presented to visitors attempting to click through to your website.
  • There are ads and pop-ups redirecting your visitors to nefarious or irrelevant domains.
  • The server load is heavy even when traffic is low.
  • Gibberish content starts showing up at random throughout your website.
  • You find unknown extensions and plugins on your servers.
  • Spam emails are being sent from your own mail server.
  • Customers are reporting stolen credit card information or calling about security breaches.
  • Your website data is being sold online.

The last couple are, of course, clear signs that you’ve probably been hacked. Others, however, may be harder to detect on their own. By knowing what to look for, it should be easier for you to identify breaches sooner and limit the damage.

What Do I Do Now?

If you realize that your website has been hacked, you’ll want to do what you can to control the damage right away. Perform a total backup of your website and put it into maintenance mode. You can also use tools like Google Console to find the cause of the infection if your site has been blacklisted in search engine results.

There are plenty of articles online that offer advice and step-by-step solutions for removing malware and ransomware files on your own. But unless you’re experienced with code and databases, you really need to reach out to a professional website repair service that can eliminate all of the infected files or scripts and secure your site to help prevent future attacks.

Resources
https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
https://www.getastra.com/blog/911/hacked-website-repair/
https://hackrepair.com/hackrepair-com-articles-catalog

dotCMS v5.1.1 Open Redirect Vulnerability

dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition to many other vulnerabilities that I am still verifying.

The following URL is a proof-of-concept that requires a user to be logged in. Simply log in to the demo before visiting the supplied POC.

Logging into the demo requires you to go to https://demo.dotcms.com/dotAdmin and log in with the demo credentials (username: [email protected] password: admin).

POC link: https://demo.dotcms.com/html/portlet/ext/common/page_preview_popup.jsp?hostname=google.com/test.html
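For the application-side fix, here is an added example (not dotCMS code) of how a redirect or preview endpoint validates its destination parameter: the only targets it will send a browser to are same-site paths or absolute URLs whose host is on an explicit allowlist. It handles the forms that commonly slip past naive checks, such as scheme-relative `//host`, backslash variants, user-info tricks like `good@evil`, non-HTTP schemes, and CR/LF characters. The hostnames in the test calls are placeholders.

```python
"""Validate a redirect target before issuing the redirect.

Added example, not dotCMS code. Allowed hosts are whatever the application
owns; here they are passed in by the caller.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_url(target, allowed_hosts, default="/"):
    """Return a redirect URL that is either a site-relative path or an absolute
    URL to an allowlisted host; anything else falls back to `default`."""
    if not target or any(ord(c) < 0x20 for c in target):
        return default                     # empty, or CR/LF/control chars (header injection)
    t = target.replace("\\", "/")          # browsers treat backslashes as slashes
    parts = urlsplit(t)
    if parts.scheme or parts.netloc or t.startswith("//"):
        # Absolute or scheme-relative: scheme and host must both be allowlisted.
        if parts.scheme not in ALLOWED_SCHEMES:
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default                 # hostname ignores userinfo, so good@evil fails here
        # Rebuild from parsed parts: drops userinfo, port and fragment.
        return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
    if not t.startswith("/"):
        return default                     # "google.com/test.html" is not a site-relative path
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    hosts = {"demo.dotcms.com"}
    for candidate in ("/dotAdmin/portlet?x=1", "google.com/test.html",
                      "//evil.example/x", "https://demo.dotcms.com@evil.example/",
                      "https://demo.dotcms.com/page?x=1"):
        print(f"{candidate!r:45} -> {safe_redirect_url(candidate, hosts)!r}")
```

Rebuilding the URL from parsed components rather than echoing the input is deliberate: it throws away userinfo and any port, so an allowlisted host cannot be used to smuggle a different destination. If the endpoint only ever needs same-site targets, drop the absolute-URL branch entirely.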

dotCMS v5.1.1 HTML Injection & XSS Vulnerability

dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in addition to many other vulnerabilities that I am still verifying.

Here’s a screenshot of HTML injection:

To reproduce this vulnerability, simply go to https://dotcms.com/dotAdmin/ and log in with their demo credentials (username: [email protected] password: admin) and then visit the following URL:

https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp?referer=%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E

There are more unconfirmed vulnerabilities in dotCMS.
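The `referer` payload in the URL above works by closing an attribute with `">` and then supplying its own markup. As an added example (not dotCMS code), the snippet below contrasts a constructed template that echoes the parameter raw with one that encodes it for attribute context, and parses both outputs to show which elements a browser would actually build. The hidden-input template is an assumption about the shape of the finding, chosen to mirror a parameter reflected into an attribute.

```python
"""Contrast unescaped and escaped rendering of a parameter into an HTML attribute.

Added example, not dotCMS code. The template is constructed for the demo.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The payload from the page's URL, decoded once as the server would see it.
PAYLOAD = unquote(
    "%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E")


def render_vulnerable(referer):
    """Constructed: reflects the parameter raw, which lets the leading quote
    close the attribute and the rest become markup."""
    return f'<form><input type="hidden" name="referer" value="{referer}"></form>'


def render_fixed(referer):
    """quote=True also encodes " and ', which attribute context requires;
    html.escape without it would still leave the attribute breakable."""
    safe = html.escape(referer, quote=True)
    return f'<form><input type="hidden" name="referer" value="{safe}"></form>'


class TagCounter(HTMLParser):
    """Records start tags so we can see which elements each output produces."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_vulnerable(PAYLOAD)))   # form, input, br, br
    print("fixed:     ", tags_in(render_fixed(PAYLOAD)))        # form, input
```

Encoding on output is the fix that works regardless of what the parameter contains; a parameter that is then used as a redirect destination should additionally be validated as a site-relative path, since encoding alone does nothing against an open redirect.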

dotCMS v5.1.1 – Vulnerable Open Source Dependencies

dotCMS v5.1.1 suffers from several vulnerabilities due to the reliance on open source dependencies with publicly disclosed issues.

These vulnerabilities are listed below:

Scanning open source dependencies of dotCMS_5.1.1

/ROOT/html/js/scriptaculous/prototype.js
↳ prototypejs 1.5.0
prototypejs 1.5.0 has known vulnerabilities:
  • severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/ http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/

ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities:
  • severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js
↳ bootstrap 3.2.0
bootstrap 3.2.0 has known vulnerabilities:
  • severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236
  • severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
  • severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184

ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js
↳ jquery 3.3.1
jquery 3.3.1 has known vulnerabilities:
  • severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities:
  • severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js
↳ jquery 2.1.1.min
jquery 2.1.1.min has known vulnerabilities:
  • severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
  • severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

ROOT/html/js/dojo/custom-build/dojo/dojo.js
↳ dojo 1.8.6
dojo 1.8.6 has known vulnerabilities:
  • severity: medium; PR: 307; https://github.com/dojo/dojo/pull/307 https://dojotoolkit.org/blog/dojo-1-14-released

ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
↳ tinyMCE 4.1.6
tinyMCE 4.1.6 has known vulnerabilities:
  • severity: medium; summary: xss issues with media plugin not properly filtering out some script attributes.; https://www.tinymce.com/docs/changelog/
  • severity: medium; summary: FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations; https://www.tinymce.com/docs/changelog/
  • severity: medium; summary: FIXED so links with xlink:href attributes are filtered correctly to prevent XSS.; https://www.tinymce.com/docs/changelog/
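The report above shows the same jQuery release bundled four times under different asset paths, which is what makes bundled libraries hard to keep patched. As an added example (not dotCMS code, and not the scanner that produced the report), the script below inventories a web root by reading the banner comment that jQuery builds carry and checks each version against the two jQuery advisories the report lists: CVE-2015-9251 (fixed in the 1.12.0 and 2.2.0 releases the report links) and CVE-2019-11358 (jQuery before 3.4.0). The banner regex is an assumption about how jQuery labels its builds; copies whose banner was stripped by a bundler would need hash-based identification instead. demo() builds constructed files in a temporary directory.

```python
"""Inventory bundled jQuery copies and flag versions named in the scan report.

Added example, not dotCMS code. demo() constructs a throwaway web root.
"""
import re
import tempfile
from pathlib import Path

# Assumption: jQuery builds start with "/*! jQuery v1.9.1 ..." or
# "jQuery JavaScript Library v1.9.1" in their header comment.
JQUERY_BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def jquery_advisories(version):
    """CVE ids from the scan report that apply to this jQuery version."""
    v = parse_version(version)
    hits = []
    # 3rd-party CORS / parseHTML issues: fixed in 1.12.0 (1.x line) and 2.2.0 (2.x line).
    if v < (1, 12, 0) or (v[0] == 2 and v < (2, 2, 0)):
        hits.append("CVE-2015-9251")
    # Object.prototype pollution via jQuery.extend: fixed in 3.4.0.
    if v < (3, 4, 0):
        hits.append("CVE-2019-11358")
    return hits


def scan_tree(root):
    """Return [(relative path, version, [cve, ...])] for every jQuery build found."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.js")):
        head = path.read_text(encoding="utf-8", errors="replace")[:2048]  # banner is at the top
        m = JQUERY_BANNER.search(head)
        if m:
            version = m.group(1)
            findings.append((path.relative_to(root).as_posix(), version,
                             jquery_advisories(version)))
    return findings


def demo():
    """Constructed web root with three jQuery copies and one unrelated script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {   # constructed contents: banner line only, not real library code
            "assets/a/jquery.min.js": "/*! jQuery v1.9.1 | (c) 2005, 2012 jQuery Foundation, Inc. | jquery.org/license */",
            "assets/b/jquery.min.js": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */",
            "assets/c/jquery.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
            "html/js/app.js": "// constructed application code, no library banner",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, version, cves in demo():
        print(f"{rel}: jquery {version} -> {cves or 'no listed advisories'}")
```

Run it against the deployed web root after each upgrade rather than against the source tree: the report's jquery.min.js copies live under content asset paths that are uploaded through the CMS, not shipped with the application, so they survive an application upgrade untouched.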