We are often brought in to re-clean malware-infected websites after another company has done a cleanup and the website gets infected again (or was never actually fully cleaned). The website getting infected again isn’t always the fault of the company doing the cleanup; for example, we sometimes have clients that don’t take steps on their end that we told them they needed to take (we take any steps that we can during our work), which leads to the website being infected again. But when someone comes to us and mentions a previous cleanup has been done, we always ask if the previous cleaner determined how the website was infected (since if that isn’t found and fixed, the website could still be vulnerable). In almost every instance the response has been that determining how the website got infected never even came up, much less was attempted.
Avoiding companies that don’t mention determining how the website was infected as part of a cleanup would help you avoid some of the situations that lead to hiring multiple companies to clean up the same website. That has a major limitation though, as we have found many security companies are much better at sounding like they know what they are doing than at actually doing it. Only someone that actually knows what they are doing is likely to be able to spot that a company is not telling the truth, which isn’t likely when someone is hiring a company to do this work for them.
To give an example of this, let’s take a look at something we recently ran across with a company named WeWatchYourWebsite. They promote that they do what they call “Root Cause Analysis”:
If your website has ever been infected, you want to know “how” it happened. This sets our service alone at the top. We provide you with real proof of how your site was infected. Was it a faulty plugin? Outdated software?
We’ve invested the time required to create a system that will determine how your site was infected – and then we inform you. This along with steps you need to take to help us – help you keep your website safe and secure.
That would be impressive if true, but it isn’t. Not only do we determine how the website was infected, so they are not “alone at the top”, but we actually get that issue fixed. We also make sure the website is secured by updating the software (even if that isn’t the cause), because that is one of the three basic steps of a proper cleanup. By comparison, WeWatchYourWebsite doesn’t do that, instead trying to detect attacks and block them. That really isn’t a good idea, and they don’t provide any independent third-party evidence that it is actually effective. Our experience with other products making similar claims is that they provide limited to no protection.
The other thing that makes this sound less impressive is that they tout that their malware removal is “automated”. Cleaning up the malware and other malicious code often provides valuable information on the source of the infection, and having that fully automated is not conducive to gathering it. In our experience this often also leads to poor results for the cleanup itself.
One way to determine if a security company actually has the abilities they claim is to look at their blog posts, since we often find those expose a lack of knowledge that vague marketing material can cover for. In the case of WeWatchYourWebsite, one of their recent posts shows a basic lack of understanding of how hackers operate and of what the log files of activity on a website, which are often a key piece in definitively determining the source of a hack, actually show.
In a post from December 29, they claimed to provide an example of a hacker looking for infected WordPress websites. While hackers do sometimes re-check websites they have infected to make sure that is still true, and hackers do try to exploit malicious code that might have been placed there by another hacker, what is shown in the post is not that. Let’s take you through it:
Investigating some interesting entries in log files from our customers, we see that hackers apparently are still looking for infected WordPress websites.
First we see this:
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:14 -0500] “GET / HTTP/1.1” 200 72904 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
The big tipoff here is the size of the GET request: 72904.
That first request is just a request for the homepage. From the outside we can’t see what the purpose of that would be. It could be used to see how a URL that actually exists responds on the website, it could be used as a comparison after making some change to the website later on, it could be used to determine that the website is running WordPress and its location on the website, or something else entirely.
We are not sure what it is supposed to mean that the size of the request is a “big tipoff”, since that is just the size of the homepage served to the requester. It is possible that WeWatchYourWebsite falsely believes that is the size of the request sent to the website, rather than the size of what was sent back.
And then this:
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:16 -0500] “ POST ///wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1” 403 – “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
We captured the GET request and after comparing it to the attacks on the old, vulnerable version of that WordPress plugin we see that the hackers were doing some open reconnaissance on WordPress sites. We say “open” because this site never had the MailPoet plugin installed.
The second request is not “open reconnaissance”, that is the hacker trying to exploit a vulnerability that had existed in older versions of MailPoet.
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:19 -0500] “GET //xGSx.php HTTP/1.1” 404 45488 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
The above is them testing to see if their attack worked. It didn’t.
All of this is just to show that even though you think previously infected WordPress website may have been cleaned up from any previous malware, the hackers will always be looking just to be sure you have.
You may want to read about our methods of malware detection: http://wewatchyourwebsite.com/our-methods-for-finding-and-removing-website-malware/
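As an added example (not code from the original post or from either company's tooling), here is how a defender would parse the three log entries quoted above and read them as a sequence: the number after the status code is the response size, and the 403 on the MailPoet theme-upload POST together with the 404 on the follow-up .php probe shows an exploit attempt that did not succeed. The client IP in the sample is a constructed documentation address standing in for the blanked one.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format. The number after the status code is the
# size of the RESPONSE body sent back, not the size of the request that came in.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# MailPoet (wysija) theme-upload endpoint seen in the quoted POST entry.
MAILPOET_UPLOAD = re.compile(r'/wp-admin/admin-post\.php\?page=wysija_campaigns&action=themes')

# Constructed sample reproducing the three quoted entries; the blanked client IP
# is replaced with an RFC 5737 documentation address.
UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
SAMPLE_LOG = [
    f'192.0.2.10 - - [28/Dec/2016:20:44:14 -0500] "GET / HTTP/1.1" 200 72904 "-" "{UA}"',
    f'192.0.2.10 - - [28/Dec/2016:20:44:16 -0500] "POST ///wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1" 403 - "-" "{UA}"',
    f'192.0.2.10 - - [28/Dec/2016:20:44:19 -0500] "GET //xGSx.php HTTP/1.1" 404 45488 "-" "{UA}"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # response bytes
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify_mailpoet_attempts(lines, window=timedelta(seconds=60)):
    """Pair each POST to the wysija theme-upload endpoint with the next GET for a
    .php file from the same client (the attacker checking whether the upload
    landed) and judge the outcome from the server's own responses."""
    recs = [r for r in map(parse_line, lines) if r]
    findings = []
    for i, r in enumerate(recs):
        if r["method"] != "POST" or not MAILPOET_UPLOAD.search(r["path"]):
            continue
        probe = next((p for p in recs[i + 1:] if p["ip"] == r["ip"]
                      and p["method"] == "GET" and p["path"].endswith(".php")
                      and p["ts"] - r["ts"] <= window), None)
        if r["status"] == 403 or (probe and probe["status"] == 404):
            verdict = "exploit attempt, failed"   # upload rejected and/or dropped file absent
        elif probe and probe["status"] == 200:
            verdict = "possible successful upload: inspect the webroot"
        else:
            verdict = "exploit attempt, outcome unclear"
        findings.append({"ip": r["ip"], "upload_status": r["status"],
                         "probe_path": probe["path"] if probe else None,
                         "probe_status": probe["status"] if probe else None,
                         "verdict": verdict})
    return findings
```

Run over a real access log, the same pairing flags any client whose theme-upload POST returned 200 and whose follow-up .php probe also returned 200, which is the case that warrants looking for a dropped file rather than dismissing the entry as recon.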
You really haven’t changed since you got booted out of Badwarebusters. You still don’t know what you don’t know.
That second request was open recon as the client never had that plugin installed. Never. So, again you’re talking about something you know nothing about. There were a number of attacks on plugins that never existed. That is considered open recon.
An attack isn’t always successful. Attack is just the action of trying to get in.
The first request was many times larger than a normal request for that website. Of course you wouldn’t know that being that you have no idea what that would be. But yet, your ego drives you to critique everyone else. Maybe you should get some counseling. You really have a Napoleon complex.
And yes we do root cause analysis. Our processes are automated. If you don’t believe that automation can be useful in removing malware, you should go back to school and learn more about programming. Of course I’m certain your ego won’t allow this comment to ever show on your site. Which is too bad for the 14 viewers you have.
Wow, you really need to get your head out of the sand. Maybe take some lessons in manners – and English too.
Your comments in this comment don’t actually disagree with what we wrote in the post. For example, right in the post we mention the fact that the plugin that was attempted to be exploited was never installed on the website and we explained that showed that what they were saying isn’t true:
So disputing what we said by pointing that it wasn’t installed doesn’t make any sense.
It isn’t clear what the point of your comment is supposed to be, other than to try to distract people from WeWatchYourWebsite’s lack of security knowledge.
It is also worth noting that you don’t allow any comments on your blog, while claiming that we won’t allow your comment (which we obviously did). That probably is a good indication of which company is telling the truth here.
It sounds like you should take your own advice and “get your head out of the sand”.
It’s a shame that you decide to focus solely on attacking what others write about. You do seem to know something about website security, but sadly you’ve chosen to take the low road and try and improve how others perceive you by attempting to make others look bad.
I hope others feel sorry for you as well.
We used terms to indicate that not only was the hacker doing open recon, they were also scanning for other vulnerable plugins.
Best of luck to you.
You are lying about us and about what you said again.
We don’t “focus solely on attacking what others write about”, as anyone that looks through our blog can see. We do often write about the poor state of security, which we are all too often brought in to deal with the aftermath of. Criticizing people for speaking out about the situation as you are doing here is part of the problem. Doing that won’t fix the problems, while shining a light on them has the chance of making a difference.
As for your post, the first sentence is:
That was what your blog post was about, not about a hacker doing “open recon”.
It is also worth noting here, that we allow comments on our posts, but your website does not permit them. So anyone can see your side here, but no one is able to point out when you are telling people things that are not true on your website.
It’s because of people like you, who bring nothing to the conversation other than your own “slanted” version of the truth.
We have the log files. The hackers were doing open recon on this site.
Recon, short for reconnaissance, is defined as:
“military observation of a region to locate an enemy or ascertain strategic features.”
…or ascertain strategic features! Whether the hackers were looking for plugins that were never installed or whatever term you think is appropriate, the post clearly indicates that the hackers were trying to ascertain strategic features in order for their automated systems to seek for an exploitable point of entry to this website.
When you read information on someone’s site, you should try to just see what they’re saying rather than what you can point out is wrong. You had the same problem on the badwarebusters.org website – where you were suspended.
The title of your post was “Hackers looking for infected WordPress websites” and again, here is the first sentence of your post:
But what you showed wasn’t that at all, as we explained in our post. Now you are lying and trying to claim that you said something else than you actually did, or to use your terminology, providing a “‘slanted’ version of the truth”. Doubling down on the lie isn’t helping you.
They were looking for infected WordPress websites as some of the other log entries showed they were trying to POST to files that weren’t there. Log entries from other websites we service did have those files. Therefore our conclusion was that those files were common with this type of infection and the client or their host or their developer had already removed those files from this hosting account.
Have a nice day!
We already went through this in the post, but here is the key point:
What you were seeing was someone trying to hack a website, not someone seeing if a website was already infected or doing any sort of recon.
That you don’t understand this is troubling when your company is marketed in this way:
Now you’re proving our point:
“hacker trying to exploit a vulnerability that had existed in older versions of MailPoet”
Just for your education, if a hacker was trying to exploit a vulnerability in a plugin, but that plugin never existed on this particular website, they’re not really trying to exploit a vulnerability. That vulnerability never existed on this site, therefore, it could be considered a recon to see if that plugin did exist on this site.
And you state, “We are not sure what it supposed to mean that the size of the request is a “big tipoff”, since that is just the size of the homepage served to the requester. It is possible that WeWatchYourWebsite falsely believes that is the size of request sent to the website, not the size of what was sent back.”
However if you knew about this particular website, you would have known that the size of the returned data from the GET request was the result of a customized function that returned more data for a page not found than normal. It also returns a 200 response instead of a 404.
Again, you’re talking about things you don’t know about. Accusing me of lying, when it’s a site you know nothing about. You really should focus on what you do rather than making yourself look bad by trying to degrade what others post.
Trying to make yourself look good by putting others down is bad business. But you didn’t even learn that from being suspended on badwarebusters.org site.
This is just getting ridiculous.
If someone tries to exploit a vulnerability that doesn’t exist on a website, they really were trying to exploit it, it just wasn’t successful because the vulnerability didn’t exist. Hackers often don’t check if something exists on a website before trying to exploit a vulnerability in it, which is something you should know. Also, the way that a hacker normally would check if a WordPress plugin exists on a website is by requesting a .css or .js file from it.
What you are saying about response codes is also wrong. The “big tipoff” was a request for the homepage of the website, which would exist. Also the website clearly can return a 404 response code for things that don’t exist as one of the other log entries mentioned in our post has a 404 response.
As was explained before, part of what we do is to try to shine a light on the problems in the web security industry because in dealing with clients we see the damage that the industry is causing. It’s clear your company doesn’t have the expertise that is claimed and now you are trying to cover for being exposed by our post.
You have repeatedly lied in your comments here.
You continually think you’re the only one in the industry who knows anything. Yet you keep talking about things you know nothing about. Without seeing all the log entries you make blatant lies and accusations about what we know to be facts.
The fact still remains you were suspended by a highly regarded website for your antics and accusations. You still try to make yourself look good only by trying to make others look as though they don’t have the “expertise” you think you possess exclusively.
Ego and false bravado are rarely signs of “expertise”.
What you “know to be facts” are not in fact facts, which was explained in the post and our comments. If you had pointed to a problem with our post we wouldn’t have a problem posting a correction (it is why we have a section of the sidebar titled “Did We Make a Mistake?”), but you haven’t. As it is, we have approved all your comments despite their many inaccuracies, while you don’t allow comments on your blog at all. That seems like a good indication of which company is telling the truth about this situation, because we don’t have a problem with public scrutiny of what we have said and you do. Overall, this seems like a good example of the Dunning–Kruger effect in action.
The reality is that many in the security industry don’t know and or care much about security. People don’t have to take our word for that, they can just look at the current poor state of security to see that something is very wrong.
It’s definitely Dunning-Kruger: the Dunning–Kruger effect is a cognitive bias wherein persons of low ability suffer from illusory superiority, mistakenly assessing their cognitive ability as greater than it is.
Unfortunately, you’ve proven this with your illusory superiority. Thinking you, or your new writer, are the only one who knows anything about website security. I see your comments on other sites. You look for one little area that you don’t agree with and therefore, the other person is labeled by you as being inferior.
This is something we agree on. There definitely is a Dunning-Kruger effect here however it is you who suffers from mistakenly assessing their cognitive ability as greater than it is.
Look, each time you have brought up a supposed issue with our analysis here, we have explained why it isn’t correct and instead of providing a rebuttal you come up with something else that is supposed to be a problem. If we were the “persons of low ability” then that wouldn’t be the case. There is also the fact that we allow comments on our posts and your company doesn’t, which seems like a good indication of who is the one who thinks that they are the ones that know everything.
At this point you have resorted to making claims that we think we “are the only one who knows anything about website security” and we “look for one little area that you don’t agree with and therefore, the other person is labeled by you as being inferior” on some unidentified other sites. But you don’t even point to where that is supposed to have occurred, much less provide a quote where we said anything along those lines.