Category: WordPress

SiteLock Threat Intercept blog

Threat Intercept: Passwords Publicly Exposed by Malware

By Ramuel Gall
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat

Category: Shell / Information Disclosure

Trend Identified: 4/20/2017

CVE ID: N/A

Trend Name: Trend Tusayan

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

LOW: The vectors used to infect websites appear to be well-documented vulnerabilities in older versions of website platforms.

Confidentiality Impact:

HIGH: The shell gives the attacker full read access to the target website, including its configuration files and database contents, and the dumped configuration copies expose database credentials to anyone who finds the folder.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.

The SiteLock team has discovered a dangerous malware trend that not only gives the attackers involved administrator-level access to the website, but also exposes sensitive website credentials publicly over the internet.

The mechanism behind the trend involves the injection of the IndoXploit Shell, or IDX Shell, a common shell kit that is often used to deface and compromise websites. This particular trend makes extended use of the shell: it grabs the contents of configuration files for content management systems (CMS) including WordPress, Joomla and Magento, and saves them as .txt files in a folder it creates named /idx_config. While these text files may seem innocuous, they contain the database credentials each CMS uses, which an attacker (and, because the folder is world-browsable, anyone else who finds it) could use to access the CMS-connected databases on the target hosting account.


A shell (in this context a web shell) is a script uploaded to a hosting environment that lets an adversary run commands on the server through a browser. Many attackers opt to upload a shell as their primary method of controlling a target environment once they have found a way in.

Who is impacted?

We have identified that this trend currently impacts WordPress, Joomla and Magento websites by taking advantage of various vulnerabilities present in older versions of the platforms.

What does it look like?

A website that has been infected will have a world-browsable folder called “idx_config,” which contains text versions of the configuration file of every CMS installation the shell is able to find.

IDX Shell

The code of the shell used to gain the initial foothold is listed in the SiteLock malware database, but at the time of writing it does not appear to be widely recognized as a threat by other website security vendors. The code snippet published with the original post can be used to add the shell manually to your own security mechanisms.

Here’s what you need to do

As this trend both provides administrator-level control over the target website environment and publicly discloses credentials, action must be taken to counter both threats. Remove the shell first; rotating passwords while the attacker still has a foothold only invites them to read the new ones.

  • Run a malware scan to locate the presence of any shell files. (see: SiteLock Malware Scanners)
  • Search for any instances of the idx_config folder and delete the sensitive files within. We have most commonly observed this folder directly in the webroot, but it may be present in other folders as well. Because the folder was world-readable, assume every credential in it has already been read by a third party.
  • Update your CMS platform to the latest version, including any themes, plugins, or extensions used.
  • Change all database passwords.
  • Update any relevant connection strings within the CMS platform.
  • Change your CMS passwords.
  • Review all administrator-level accounts in your CMS platform for any users that do not belong.
  • If you are using the software cPanel to manage your hosting account, change your cPanel password.
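The following script is an added example written for this article, not SiteLock's own tooling, and ties the description of the idx_config dump above to the first two remediation steps: it walks a hosting account's web root, finds every idx_config folder, pulls the database host, name and user out of each dumped configuration copy (so the operator knows exactly which database passwords to change and which connection strings to update), and flags whether the folder looks listable. The regexes cover the stock wp-config.php, Joomla configuration.php and Magento local.xml formats; the .txt file names, the sample credentials and the .htaccess check are constructed assumptions for the demo, since the article does not describe the shell's naming scheme or any server configuration.

```python
"""Added example, not SiteLock's code: triage a web root for the idx_config
folders left by the IDX Shell trend and list the exposed DB credentials."""
import os
import re
import tempfile
from pathlib import Path

IDX_DIR = "idx_config"   # folder name the article reports the shell creating


def _php_define(const):
    # define('DB_USER', 'value');  -- stock WordPress wp-config.php
    return re.compile(r"define\(\s*['\"]" + const + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]")


def _php_prop(name):
    # public $user = 'value';      -- stock Joomla configuration.php
    return re.compile(r"public\s+\$" + name + r"\s*=\s*['\"]([^'\"]*)['\"]")


def _xml_tag(tag):
    # <username><![CDATA[value]]></username>  -- stock Magento app/etc/local.xml
    return re.compile(r"<" + tag + r">\s*(?:<!\[CDATA\[)?([^<\]]*)")


# Field -> regex for each CMS the article names (stock formats only; a
# customised config file may need extra patterns).
FORMATS = {
    "wordpress": {"host": _php_define("DB_HOST"), "name": _php_define("DB_NAME"),
                  "user": _php_define("DB_USER"), "password": _php_define("DB_PASSWORD")},
    "joomla":    {"host": _php_prop("host"), "name": _php_prop("db"),
                  "user": _php_prop("user"), "password": _php_prop("password")},
    "magento":   {"host": _xml_tag("host"), "name": _xml_tag("dbname"),
                  "user": _xml_tag("username"), "password": _xml_tag("password")},
}


def extract_db_credentials(text):
    """Return {'cms', 'host', 'name', 'user', 'password'} for the first CMS
    format whose user and password both match, or None if nothing matches."""
    for cms, fields in FORMATS.items():
        found = {}
        for field, rx in fields.items():
            m = rx.search(text)
            if m:
                found[field] = m.group(1).strip()
        if "user" in found and "password" in found:
            return {"cms": cms, **found}
    return None


def is_browsable(directory):
    """Heuristic (assumption, Apache-style): the folder is listable unless an
    index file or a .htaccess that denies access is present. Whether the web
    server honours either depends on its own configuration."""
    d = Path(directory)
    if (d / "index.php").exists() or (d / "index.html").exists():
        return False
    ht = d / ".htaccess"
    if ht.exists():
        body = ht.read_text(errors="replace").lower()
        if "deny from all" in body or "require all denied" in body:
            return False
    return True


def scan_webroot(root):
    """Walk the web root and report every credential set found in an
    idx_config folder, sorted by file path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name != IDX_DIR:
            continue
        browsable = is_browsable(dirpath)
        for fn in filenames:
            if not fn.endswith(".txt"):
                continue
            path = Path(dirpath) / fn
            creds = extract_db_credentials(path.read_text(errors="replace"))
            if creds:
                findings.append({"file": str(path), "browsable": browsable, **creds})
    findings.sort(key=lambda f: f["file"])
    return findings


def rotation_targets(findings):
    """Distinct (host, database, user) triples whose passwords are now public
    and must be changed, then updated in the CMS connection settings."""
    return sorted({(f.get("host", "?"), f.get("name", "?"), f["user"]) for f in findings})


# Constructed sample dumps (not real credentials) for the demo below.
WP_SAMPLE = """<?php
define('DB_NAME', 'shop_wp');
define('DB_USER', 'shop_wpuser');
define('DB_PASSWORD', 'c0nstructed-demo-pw');
define('DB_HOST', 'localhost');
"""
JOOMLA_SAMPLE = """<?php
class JConfig {
    public $host = 'localhost';
    public $user = 'jml_user';
    public $password = 'another-demo-pw';
    public $db = 'jml_site';
    public $dbprefix = 'jos_';
}
"""


def demo():
    """Build a throwaway web root with one idx_config folder in the webroot
    and one in a sub-site (the second shielded by an index.html), then scan."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    top = root / IDX_DIR
    top.mkdir()
    (top / "example.com-wp-config.txt").write_text(WP_SAMPLE)   # assumed name
    (top / "readme.txt").write_text("nothing sensitive here\n")   # ignored
    sub = root / "blog" / IDX_DIR
    sub.mkdir(parents=True)
    (sub / "configuration.txt").write_text(JOOMLA_SAMPLE)        # assumed name
    (sub / "index.html").write_text("")                           # not listable
    return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["cms"], f["user"], "browsable" if f["browsable"] else "shielded")
    print("rotate:", rotation_targets(demo()))
```

Run it against the real web root instead of the demo tree with `scan_webroot("/home/account/public_html")`; every triple in `rotation_targets` is a database password to change, after which the matching wp-config.php, configuration.php or local.xml must be updated, and the shell itself still has to be found and removed separately.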

We advise reaching out to your hosting provider as they may have a backup of your website stored on file. Additionally, if you have any questions or concerns about how to protect your website, please contact us at 877.563.2832 or email support@sitelock.com.

Please check this article regularly for updates as more information becomes available.

Tags:   cpanel, idx shell, Joomla!, magento, malware, password, shell, threat intercept, trend, vulnerability, WordPress
Categories:  Website Security, WordPress, WordPress security

Pressnomics – Remaining Steadfast

By Adam Warner

Last week the SiteLock team gathered at the Tempe Mission Palms to attend and sponsor Pressnomics. If you’re not familiar, Pressnomics is a conference focused squarely on entrepreneurs and influencers who are committed to the WordPress community.

Tags:   business, events, pressnomics
Categories:  WordPress

Ask a Security Professional: Feature-Based Malware Detection

By Logan Kipp

Last year we published an #AskSecPro series where we explained how signature-based malware analysis works, as well as how traditional signatures are created. An area we don’t often talk about in public channels, but has played a pivotal role in SiteLock becoming a global leader in website security solutions, is our research and development efforts in new security technologies. In addition to our more traditional approaches to malware detection, SiteLock continues to explore new frontiers in technological improvement to push the field of security research forward. For some time SiteLock has been developing machine learning mechanisms as part of its process for discovering new malware iterations on an automatic basis. Our research in the field has shown that machine learning promises to be an important part of early malware detection and preliminary identification. One of the most significant breakthroughs we’ve had in machine learning as it pertains to malware detection and signatures, has been in feature-based signature analysis.

Tags:   #AskSecPro, analysis, behavioral analysis, feature-based, machine learning, malware, research, signatures, unsupervised learning
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security

Wide Awake at A Day of REST

By Adam Warner

A Day of REST Boston was a one-day conference all about the WordPress REST API. Speakers included members of the team who are building the REST API, and developers using it in production websites. Attendees learned how to use the REST API for their projects, along with insights into best practices, tools, coding, and specific use cases.

Tags:   events, REST API
Categories:  WordPress

Ask a Security Professional: WordPress Database Security Part Two — Best Practices

By Logan Kipp

In Part One of our #AskSecPro series on WordPress Database Security, we learned about the anatomy of WordPress. Now that we have a firm understanding of the role the WordPress MySQL database plays in a WordPress installation, we can take a look at the various ways an adversary can exploit the mechanisms involved. We’ll also explore some of the ways to defend your database against compromise.

Tags:   #AskSecPro, best practices, database, mysql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security

Ask a Security Professional: What is #Cloudbleed?

By Logan Kipp

Over the last few days you may have heard the term #Cloudbleed thrown around the water cooler. Some of the questions our customers are asking us include “What is Cloudbleed?” and “Am I protected from Cloudbleed?” As your resident Security Professional, I’ll be glad to help you understand what the Cloudbleed buzz is all about and how it may impact you.

— First, I want to be very clear that the Cloudbleed bug does NOT impact SiteLock TrueShield™ WAF/CDN. More below.

Tags:   buffer overflow, CDN, cloudbleed, disclosure, leaked, memory leak
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security

SiteLock is a WordCamp Global Community Sponsor for 2017!

By Adam Warner

We are excited to announce that SiteLock is a WordCamp Global Community Sponsor this year! After sponsoring 17 WordCamps and attending 40 in 2016, becoming a 2017 global sponsor was an obvious next step for us, and we look forward to expanding our support within the community this year!

Tags:   community, influencer, sponsorship
Categories:  WordPress

Rogue Pharmacy Defacements via REST API Exploit

By Logan Kipp

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

This month we’ve seen WordPress websites bombarded with defacements and remote code execution attempts by abusing a vulnerability in the WordPress REST API. As could be expected, compromises motivated by financial gain have now made their debut through the same vector. This most recent flavor of defacements focuses on driving traffic to a rogue pharmacy website, where the visitor is encouraged to purchase — you guessed it, “authentic” erectile dysfunction medication.

Tags:   exploit, pharmahack, REST API, rogue pharmacy, trend, Trend Yuma
Categories:  Website Security, WordPress, WordPress security

Case Study: ValChoice

By Ashley Baldwin

Company Background

Dan Karr is the founder and CEO of ValChoice.com, a company with a mission to “give every consumer in America a free analysis of their insurance company.” After an awful car accident, Karr was unable to recover almost $100,000 worth of medical expenses from his health and auto insurance companies. As a husband and a father of three, the financial strain put pressure on his entire family. “After that experience, I vowed to prevent this from happening to any other family by leveraging my technology background to bring transparency to the insurance industry,” said Karr. That’s when ValChoice.com was born.

ValChoice.com provides its customers with a detailed, easy-to-understand analysis of the value, protection and services that insurance companies offer. As the company website states, ValChoice.com is “an independent, unbiased and trusted source of information about insurance companies.”

Tags:   case study, Firewall, malware removal, scanning, ValChoice, WordPress
Categories:  WordPress, WordPress Benefits

Ask a Security Professional: WordPress Database Security Part One — Anatomy of WordPress

By Logan Kipp

For most people the year is still just getting started, but for some website owners the year has already packed quite a punch in the form of website attacks. This month hackers exploiting a vulnerability in the WordPress REST API successfully defaced over a million websites in what has become one of the largest website defacement campaigns to date. The attacks injected content that overwrote existing posts on WordPress websites running versions 4.7 and 4.7.1, leaving website owners with an immeasurable number of “Hacked by” posts across the droves of impacted websites.

Many website owners who have unfortunately found themselves in the proverbial trenches of a digital battlefront, some of whom had at least some security measures in place, are facing a difficult data recovery situation. It is from these recent events that the next Ask a Security Professional question was crafted: how can I better protect my data?

I feel that it’s important to fully understand what the problem is in order to best understand what forms a solution can take. In Part One of #AskSecPro we’ll cover an introduction to some of the infrastructure behind WordPress. Let’s start at the beginning.

Tags:   #AskSecPro, core, database, mysql, phpmyadmin, security, sql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security