OneHourSiteFix Introduces Arbitrary File Upload Vulnerability on Websites Using Their Service

We are often brought in to re-clean malware infected or otherwise hacked websites after other security companies have failed to get things fully cleaned up. Recently though we were brought in to deal with a high profile website (one where we were later contacted by the FBI during their investigation in to it) where not one, but two companies had failed to do anything meaningful to clean it up. One of them, Sucuri, we already were well aware likely wouldn’t do a good job based on everything we had seen in dealing repeatedly in cleaning up after them. The other company is one that we don’t have as much experience with, though from everything we have seen it wasn’t surprising they hadn’t handled the situation well, but something we noticed makes them much worse since they are introducing a serious security vulnerability on their customers’ websites when they are supposed to be cleaning them.

The company’s name is OneHourSiteFix. Just the name indicates they likely don’t do a good job since you are unlikely to be able to properly clean up most websites in that time frame. As we mentioned in a previous post related to strange claims they make, it seems impossible they could do what they claim to do in that time frame seeing as they claim to:

manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned

In the case of the high profile website they don’t appear to have accomplished anything positive. They did add a couple of files that actually introduced a serious security vulnerability, which we will discuss in a bit.

Another instance of interaction with their work came a couple of months ago when we got sent this email from them:

Hi there,

We have cleaned and replaced the hacked version of this site. Also, we have placed the website behind an enterprise grade web application firewall to ensure this site has a high level of protection against future attacks

https://www.virustotal.com/#/url/9eb38ae785eeeca21b344ead39cf595b0bdb5f991c60c6ac630e6e628bc34678/detection

Could you please review and remove the blacklisting as soon as possible ?

We don’t blacklist websites nor do anything close that. Looking at our logs we found that they landed on our website on page titled Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced, which has nothing to do with us blacklisting websites. You would have to be very confused to believe otherwise based on that page, but they did.

They seem to make a fair amount of strange requests like that, considering a quick search pulled up them requesting blacklist removals for websites well after that removal had already occurred.

With that complete lack of attention to detail what else we noticed about them isn’t surprising.

OneHourSiteFix Makes Their Customers’ Websites Vulnerable

At the point we brought in to clean that high profile website there were still files from OneHourSiteFix on the website in a directory named appropriately “ohsf”. In that directory was another directory named “upload”. That directory in turn contained a file that allowed anyone to upload arbitrary files to the website. The file used to handle that was recently in the news for the real but overstated security risk introduced by it. In this case there were no restrictions on what types of files could uploaded through that or who could upload files, so a hacker could use that to place malicious .php files on a website and gain full access to the website, which seems like something that a company that is supposed to be cleaning a website shouldn’t be making possible (even if it is hopefully only temporary).

What was also interesting in this situation is that Sucuri flagged a number of the files in “ohsf” directory as being “malware” and removed them, but didn’t notice that file with a serious security issues.

Leave a Reply

Your email address will not be published.