This Doesn’t Inspire Confidence in cPanel’s Understanding and Handling of Security

One problem that companies in the web security space have to deal with is the large volume of inaccurate security advice that is out there, much of it coming from people that you should be able to rely on, including web security companies.

One company that you would hope you could rely on to provide accurate security information would be the company behind the widely used cPanel web hosting control panel. That isn’t the case with something we ran across recently.

The answer to a Q&A question, “What is the anonymousfox address on my system?” on their website starts out:

Anonymousfox is a WordPress vulnerability where users are able to exploit vulnerable WordPress plugins to get access to the account’s files on the system. While not an issue with the cPanel software, the attacker can gain access to that particular cPanel account by editing the contact address file and then resetting the account’s password.

It isn’t a great sign that WordPress is miscapitalized there, but the rest of that doesn’t even make sense. If the vulnerability is in a WordPress plugin, then it isn’t a vulnerability in WordPress, but in the plugin. Also, what is described there doesn’t sound like a WordPress-specific issue at all: it sounds like an attacker who gains access to the website can change a cPanel account file, which wouldn’t be something specific to WordPress.

Skipping past a paragraph, you see this:

There are excellent forum posts that have additional details you may want to read at the following links:

https://forums.cpanel.net/threads/question-and-tips-about-anonymousfox.677765/

If you follow that link you will find a cPanel employee wrote this:

This kind of activity can be achieved by a compromised password, script or plugin used on the site. It isn’t just WordPress related. I would strongly suggest you not only enlist the services of a qualified system administrator to audit your installations and security but you must identify the point of entry or the issue will continue to occur.

If you read through the rest of the information on that page, other people state that they ran into the issue despite not using WordPress, so it is hard to understand how that page could be cited while the information in it was ignored and the answer was left stating something incorrect.

What seems of more concern is that someone with only access to a website in the cPanel account could edit that file, a concern that was raised in comments on that linked page.

Do You Need to Worry About Being Hacked if WordPress is Warning of Use of an “Insecure” Version of PHP?

Recently we had someone hire us to clean up a hacked WordPress website where one of their concerns in regards to dealing with the situation was that they were being warned by WordPress that they were using an “insecure” version of PHP:

What that referred to was use of version 5.6.x of PHP, which is no longer supported, with the website.

While it is a good idea to keep software up to date and use supported versions, it is also important to understand what risks there are, and are not, when not doing that. Software that is outdated is not necessarily any more insecure than up to date software (as up to date software can, and in a lot of cases does, have vulnerabilities as well). More importantly, software that is insecure is often not insecure in a way that is likely to lead to a website being hacked.

With PHP, you have to go back to May of 2012 for an instance where there was a vulnerability that was fixed, which then had widespread exploit attempts. Even with that, the vulnerability was only exploitable on a subset of PHP installs, due to only being an issue with one particular setup.

That doesn’t mean that you don’t need to keep PHP up to date, but it does mean that if your website is hacked, unless a new, equally serious vulnerability has been found in PHP, the PHP version likely wasn’t part of the cause of the hack. It also means that when dealing with a hacked website you don’t need to rush to change the PHP version, which is a good thing, since switching to a newer version could cause software that isn’t designed for it to break.

As part of our hack cleanups of WordPress websites, we can handle getting the software used on the website compatible with the newer version of PHP and getting the PHP version brought up to date (to the extent that isn’t something the web host has to handle), as we did for that website.

VaultPress Didn’t Protect Website From Being Hacked

Recently we had someone hire us to clean up a hacked WordPress website who mentioned that they had thought the VaultPress service for WordPress they were using would protect their website. As they were already aware by that point, that hadn’t turned out to be true.

It is understandable that they might think that since this is what you see when you visit the homepage of the VaultPress website:

But the feature set listed in the lower portion of the homepage doesn’t make any mention of a feature that provides protection against hacks. Instead, it indicates that it might detect that you have already been hacked:

While detecting the aftereffects of a hack can be useful, it won’t protect the website from being hacked. Also, they don’t put forward evidence, much less evidence from independent testing, that shows the service is actually able to effectively detect malware. We wouldn’t recommend using a service like that if they are not providing evidence to support their claims (which means we recommend not using most security services at this time).

In this situation, the owner of the website became aware that the website was hacked because the search results for the website showed pharmaceutical spam, not from VaultPress.

If GoDaddy’s “Firewall Prevents Hackers” Why Would You Also Need Multiple Hack Cleanups?

We often get asked about whether people should use a service that claims to protect their website from being hacked. Part of our answer is that we have seen no evidence that these services actually provide that protection and plenty that they don’t, including being hired to clean up hacks on websites using those services.

That these services don’t work isn’t something that is really hidden; often the marketing material for them suggests that they don’t really work. Take GoDaddy’s Website Security service. That service has three price tiers. With all three tiers, one of the bullet points is “Firewall prevents hackers.” In the lowest tier another bullet point is “Annual site cleanup and remediation” and in the other two it is “Unlimited site cleanups.”:

If the firewall prevents hackers, why would you need a hack cleanup?

Even if you want to give GoDaddy the benefit of the doubt, say by assuming they think people would sign up for the service when their website is already hacked, or that they advertise hack cleanups you wouldn’t actually need because they are confident the service works, it still makes no sense that they wouldn’t offer unlimited hack cleanups with the lowest tier as well, since even under those assumptions only one hack cleanup would ever be needed.

That contradiction doesn’t just appear in that spot. In the textual information on the same page, they claim to take a “preventative approach” that “blocks attacks”, but immediately pivot to an indication that their service doesn’t accomplish that:

Take a proactive, preventative approach to the safety of your website. The Website Security firewall blocks attacks on your site while its malware scanner regularly searches your site for malicious content and alerts you if any is found. All you need to do is submit a malware removal request, and our expert security team will get to work cleaning* up your site.

What is completely missing from that page is any evidence, much less evidence from independent testing, that their service is effective at stopping attacks or detecting malware. Based on our experience having been hired to re-clean websites they were supposed to have protected and cleaned, the results of such testing probably wouldn’t be good.

GoDaddy Hosting phpMyAdmin on Server With “Broken Encryption” With F Grade From SSL Labs

One telling example of the web security industry’s lack of concern for security is how web host GoDaddy has continued to have rather poor security while first being partnered with one web security company, SiteLock, and then owning another one, Sucuri.

An example of that poor security came up a few months ago while we were dealing with a hacked website where Sucuri had not properly secured the website. We meant to post about that at the time, but then forgot about it until we were dealing with another hacked website with a GoDaddy connection worth posting about.

While working on the hacked website, we accessed the phpMyAdmin database administration tool that GoDaddy provided and found a situation we can’t recall seeing before with a web host: the SSL encryption was “broken” on the server hosting phpMyAdmin.

If you access that in Google’s Chrome web browser the connection is listed as “Not Secure”:

You are warned that “Your connection is not fully secure” and that:

This site uses an outdated security configuration, which may expose your information (for example, passwords, messages, or credit cards) when it is sent to this site.

When looking at the Technical Details of that issue with Firefox, it states:

Broken Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0)

If you run that address through the SSL Labs tool, the server gets an F grade:

The domain name being used for that insecure server is secureserver.net, which isn’t an accurate name.

Hacker Impersonated GoDaddy When Hacking GoDaddy Hosted WordPress Websites

While working on cleaning up a hacked WordPress website recently we found a hacker had tried to disguise some of what they were doing by making it seem like it was coming from GoDaddy. GoDaddy, possibly not coincidentally, was the web host for the hacked website we were dealing with.

GD-Stats

The first element of this we found was a malicious plugin with the slug gd-stats. If you were looking at the Installed Plugins page in the WordPress admin area, you would see this information for that plugin:

That labels the plugin as being named GD-Stats and being from GoDaddy, Inc, though the link is to wordpress.com.

The description is weird:

Most leading CMS platforms like WordPress use Ajax in their architecture.

In looking to see if others had encountered a malicious plugin with the same name, we found a topic on WordPress’ forum from early in February where someone else hosted with GoDaddy had run into this:

This morning, I found that our WordPress website has been hacked by someone in Moscow. They uploaded the file “gd-stats.zip” then installed the plugin. Now when I go to our wordpress.org log in page, I put in my credentials, it takes me to a completely blank screen. When I went to our website, it doesn’t have the dashboard option available to log into. We’re hosted through GoDaddy. I’m waiting on their support team as well.

In a follow up they wrote this:

No it wasn’t Godaddy. It was from someone in Moscow who hacked our site at 4:30 AM. They installed the gd-stats.zip and the plug in but I finally got into our Godaddy account and deleted the plug in so we’re good now.

There was a reply from someone else with the same plugin, but no mention of the web host of the affected website.

For a hacker to add that plugin to the website, they would already have to have access to the website in some way. In trying to determine what that was, we ran across a major problem: it appeared that GoDaddy had, about a week before, moved the website to a new cPanel account. That meant that, among other things, the last modified dates on malicious files were not meaningful, since they just listed the time of the move. It isn’t clear why that happened, because of the partially unmanaged nature of the website at the time. Whatever the case, the malicious plugin appeared to exist from before there was logging available that could have shed light on that. So we hit a dead end there.

Users Table

Another piece of the hack might help to further explain how the hack happened. In the WordPress database table storing the users of the website, _users, we found two non-legitimate Administrator accounts.

Both accounts were listed as being registered at 0000-00-00 00:00:00, which shows that they were not created through the normal registration process, since if they had been, the time they were registered would be there.

Both of the accounts were also meant to look like they came from GoDaddy, with the usernames being:

  • gd_support
  • gd_sys_kafhi

Curiously, the email addresses for them don’t use a GoDaddy-like domain, instead opting for wordpress.org.com:

  • gd_support@wordpress.org.com
  • gd_sys_kafhi@wordpress.org.com

Again we ran into a problem, since the logging isn’t available to see what it would show about how the hacker created those accounts.

There are several routes through which that could have occurred. They could have been added through a SQL injection vulnerability on the website that allowed adding things to the database, but most SQL injection vulnerabilities don’t permit that type of action, so that seems unlikely.

More likely would be that the hacker was able to get direct access to the database. That could be because of a security issue with the website, with the web host, or a combination of the two. GoDaddy has had issues with improper security of database access; we posted about another hacked website where that came into play in April.

February Time Frame

Looking at the session_tokens entries in the WordPress database’s _usermeta table, we found that one of those accounts was logged in to from a Russian IP address, 185.4.65.27, on February 4. That matches up with what was described in that WordPress forum topic.
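The checks described in the last three sections (zero registration date, host-imitating usernames, lookalike email domain, and login IPs and dates recovered from the session_tokens usermeta) as an added example; this is not code from the original post. The rows are constructed to mirror the post’s findings; only the IP address comes from the post, while the user IDs, timestamps, token hash and user agent are invented.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows shaped like WordPress's wp_users and wp_usermeta
# tables; not the real data from the post. The IP is the one the post reports;
# IDs, timestamps, the token hash and the user agent are invented here.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-06-12 14:03:55"},
    {"ID": 57, "user_login": "gd_support",
     "user_email": "gd_support@wordpress.org.com",
     "user_registered": "0000-00-00 00:00:00"},
    {"ID": 58, "user_login": "gd_sys_kafhi",
     "user_email": "gd_sys_kafhi@wordpress.org.com",
     "user_registered": "0000-00-00 00:00:00"},
]
# session_tokens is a PHP-serialized array keyed by token hash; each entry
# records expiration, ip, ua and login time (WP_Session_Tokens layout).
TOKEN_HASH = "f" * 64  # invented
SESSION = ('a:1:{s:64:"' + TOKEN_HASH + '";a:4:{s:10:"expiration";i:1612585800;'
           's:2:"ip";s:11:"185.4.65.27";s:2:"ua";s:11:"Mozilla/5.0";'
           's:5:"login";i:1612413000;}}')
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": ADMIN_CAPS},
    {"user_id": 57, "meta_key": "wp_capabilities", "meta_value": ADMIN_CAPS},
    {"user_id": 58, "meta_key": "wp_capabilities", "meta_value": ADMIN_CAPS},
    {"user_id": 58, "meta_key": "session_tokens", "meta_value": SESSION},
]


def php_unserialize(data: str):
    """Parse the subset of PHP serialize() output WordPress uses here:
    i (int), b (bool), s (string) and a (array, returned as a dict).
    PHP string lengths are byte counts, so this assumes ASCII-only values."""
    value, _ = _parse(data, 0)
    return value


def _parse(data, pos):
    kind = data[pos]
    if kind in ("i", "b"):
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if kind == "i" else raw == "1"), end + 1
    if kind == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                                   # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if kind == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                                     # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        return result, pos + 1                              # skip '}'
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")


# Heuristic: a well-known domain used as an inner label, e.g. wordpress.org.com
LOOKALIKE_DOMAIN = re.compile(r"\.(com|org|net)\.[a-z]+$")


def find_suspicious_admins(users, usermeta, prefix="wp_"):
    """Return administrator accounts showing the traits described in the
    post, with the IP and UTC date of each login kept in session_tokens."""
    admins, sessions = set(), {}
    for row in usermeta:
        if row["meta_key"] == prefix + "capabilities":
            if php_unserialize(row["meta_value"]).get("administrator"):
                admins.add(row["user_id"])
        elif row["meta_key"] == "session_tokens":
            sessions[row["user_id"]] = php_unserialize(row["meta_value"])
    findings = []
    for user in users:
        if user["ID"] not in admins:
            continue
        reasons = []
        if user["user_registered"] == "0000-00-00 00:00:00":
            reasons.append("zero registration date (not created via signup)")
        if user["user_login"].startswith("gd_"):
            reasons.append("username imitates the web host")
        if LOOKALIKE_DOMAIN.search(user["user_email"].rsplit("@", 1)[-1]):
            reasons.append("email domain imitates a well-known domain")
        if not reasons:
            continue
        logins = sorted(
            (e["ip"], datetime.fromtimestamp(e["login"], tz=timezone.utc).strftime("%Y-%m-%d"))
            for e in sessions.get(user["ID"], {}).values())
        findings.append({"user_login": user["user_login"],
                         "reasons": reasons, "logins": logins})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admins(USERS, USERMETA):
        print(f["user_login"], f["reasons"], f["logins"])
```

On a real site the rows would come from `SELECT` queries against the prefixed tables, and the token hash is a salted hash of the session cookie, so the table cannot be used to recover the cookie itself.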

Notifying GoDaddy

We are going to contact GoDaddy’s security team to let them know about this impersonation and maybe they can check if other websites they host still contain that plugin.

Having Us Clean Up Your Hacked WordPress Website Can Save You Money and Downtime

Getting your WordPress website hacked is bad; what makes that worse is how many security companies are then there to take advantage of you when you try to deal with that hack. Yesterday we published a post about how a web host, HostGator, and a web security provider, SiteLock, had gotten someone dealing with a hacked WordPress website to pay $300 for an unnecessary security service. That was after it had been decided to restart the website from scratch because of the hacking. So at that point this person had paid more than it costs to hire us to properly clean up a hacked WordPress website and they didn’t have a functioning website.

If they had hired us, we would have gotten the website cleaned and back running already, as we can usually have the cleanup done within a few hours of being brought in. It could get worse: as we noted recently, starting from scratch can sometimes actually result in you getting back to square one, with a hacked WordPress website.

HostGator and SiteLock Use a Raft of Falsehoods to Sell Unnecessary Security Service

When it comes to the selling of web security services, it is common for them to be sold using clear falsehoods. We recently highlighted an example of that with a service called Malcare. But the breadth of the falsehoods that were used recently to get $300 out of a customer of the web host HostGator for a SiteLock service stands out.

The customer contacted HostGator support about dealing with the website not showing up as being secure despite an SSL certificate having been purchased. They weren’t sure if they were then dealing with someone from SiteLock or HostGator, which sounds a bit odd, since you wouldn’t think that you would contact your web host and be transferred to another company, but that has at least in the past been the case with web hosts, like HostGator, that are partnered with SiteLock. The conversation they then had was described to us and it sounds in line with what we have heard in the past and seen when provided transcripts of the conversations.

They were told that the website contained malware. When they responded that that was the old website at a different web host (they were replacing everything because of the website being hacked), they were told that the malware was tied to the domain name and redeployed to the new website to find vulnerabilities. They were told that a firewall needed to be put on the website, for $300, to stop the website from being infected the way the old one was and that the Google search results would be cleaned. As evidence of the claim of malware, they were pointed to the search results for the website, which showed pharmaceutical spam.

There are a lot of falsehoods packed in there, which include:

Google’s search results are not real time, so spam pages showing up there doesn’t necessarily mean there is anything at issue with the current state of a website, unless they are from a crawl that was just done. Spam pages are also different from malware.

Even if there were spam pages, they wouldn’t cause the website to not be listed as secure, since that isn’t impacted by them. Potentially a hack could cause pages to not be secure if, say, it added code to existing pages that accesses a website over HTTP instead of HTTPS.

SiteLock couldn’t clean up Google’s results. If the website is still hacked, then cleaning that up would eventually lead to Google’s results no longer showing the spam pages. If it is clean now, then they would just need to wait for Google to refresh them.

Malware isn’t tied to a domain name. If someone is flagging the website as containing malware, that could be tied to the domain name, but that isn’t tied to it being listed as secure as far as we are aware, as that relates to something else.

If there are vulnerabilities, you would want to fix them, not put a firewall around the website, since, among other things, there isn’t evidence that firewalls like SiteLock’s would actually effectively protect against those vulnerabilities and plenty that they wouldn’t. Also, hackers are always trying to exploit vulnerabilities on websites; that has nothing to do with a domain name being tied to malware.

So almost nothing they said was true and none of it actually addressed the issue that support was being contacted about in the first place. You might think that conduct like this would have some repercussions, but right now neither journalists nor government regulators have shown an interest in it.

Cyber Ninjas, Colonial Pipeline, and Your Website’s Security

What does an election audit in Arizona and a pipeline operator have to do with the security of your website? It turns out a lot.

Cyber Ninjas

Recently an audit of the US presidential election votes in Maricopa County in the state of Arizona started. The audit has been noted for being poorly run, violating rules meant to ensure the integrity of the process, and involving strange things, like trying to check for the presence of bamboo in ballots.

That doesn’t sound like it should relate to the security of your website, and it shouldn’t, but it does. The reason for that is that the company in charge of the audit, Cyber Ninjas, is a cybersecurity company. They have no experience in doing an election audit, which is a good reason for them not to be doing an election audit, but it is also probably a good reason they shouldn’t be doing security either.

What seems like it should be a basic element of being a professional would be to stick to what you have expertise in. An architect wouldn’t agree to take on demolishing a building just because they know how to build them. When it comes to the security industry, we frequently see people involved in things they clearly shouldn’t be. In fact, very few people in the industry seem like they should be anywhere near it. Looking at Cyber Ninjas website, they are claiming to offer a very wide range of services, which might be a sign they are offering services without the needed expertise to properly handle them.

The other thing that stands out for us about Cyber Ninjas’ website is how obviously untrustworthy it looks. A lot of it is the same stuff you see repeatedly on security companies’ websites; for example, there is the obligatory stock photo of someone dressed like they are going to break into a building, sitting at a computer:

We have a hard time understanding how anyone would look at something like that and not avoid that company, but people don’t seem to feel that way. Even the name seems like it would ward people away from the company, but it doesn’t seem to.

Part of that text next to that image reads (the weird characters are in the original):

The headlines are increasingly filled with articles about hackers compromising systems and stealing data. While it often seems like they must be utilizing some dark ninja magic to accomplish their amazing feats; the reality is that most security breaches are conducted utilizing types of security vulnerabilities we’ve known how to prevent for over 10 years.

While that is mostly true, curiously, if you head over to the website’s services page, the company doesn’t seem to be focused on actually addressing that, but instead on selling people services that don’t directly address the issue and only indirectly address it in an ineffective way. One of the three things they highlight, and the one they provide the most specificity about, is ethical hacking:

From what we can tell, ethical hacking is mostly a rip-off. You end up paying a lot of money to inefficiently review things and the issues found are not resolved.

Cyber Ninjas has gotten a fair amount of coverage because of their involvement with the audit, but there has been very little of it from security journalism outlets. What little there has been has been devoid of any discussion of what this says about the legitimacy of the security industry. There is probably a good reason for that, as companies like Cyber Ninjas are frequently the only sources for security journalists’ stories, despite being companies that, like Cyber Ninjas, a serious journalist should be warning about, not relying on. In line with that, security journalism is quite bad, which brings in the next part of this, a pipeline company, and gets back to a claim Cyber Ninjas made.

Colonial Pipeline

A ransomware situation involving a US pipeline operator, Colonial Pipeline, has received a lot of news coverage. There was a claimed detail that seems rather important from a wider security perspective. Colonial Pipeline wasn’t keeping their software up to date:

It is important to note that the claim about one piece of software being the “most likely culprit” is just speculation. What is important about that is that keeping software up to date is one of the most important security steps and one that often isn’t done.

While usage of outdated software that is known to be insecure is often the source of the hacks we deal with and the source of high-profile hackings, both security companies and security journalists seem rather uninterested in that being better dealt with. For security companies, that could be explained by it being bad for business. Right now they can charge a lot of money for security services that require little work and don’t actually have to work (you might have noticed that despite all the money being spent on security, security doesn’t seem to get better). The reason that security journalists do this is harder to explain.

Improving Your Website’s Security

Improving the security of websites, and security in general, is more difficult than it should be as long as the security industry and security journalists are taking actions counter to actually improving security. To improve security, your focus should be on addressing real threats with proven solutions. Keeping software up to date is a proven solution, since it avoids systems getting hacked because of vulnerabilities that have already been fixed. By comparison, while security services frequently make extraordinary claims about the results they deliver, those are almost never backed up with evidence of their effectiveness. Based on plenty of experience looking at them in different ways, that is in part because they don’t deliver the results claimed; in many cases, if you just look at how they are advertised, that becomes clear.

So when looking to improve security, you should ask what is the evidence that something will improve security versus looking at unsupported claims of amazing results.

Also, if claims sound extraordinary, they probably are not true.

What is Magecart? It Isn’t a Thing.

When it comes to the security of websites, and security in general, there is a lot of focus on catchy names for things and not a lot on actual security. A great example of that is Magecart. What is Magecart? Well, it really isn’t anything. Instead, it is a term used for a whole host of different things, which makes it useful for selling security services and creating press coverage, but not for actually resolving the underlying issues.

Here is one description of Magecart from security news outlet, CSO Online:

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information.

Elsewhere, a security news outlet described it as being competing groups:

There’s no clearer indicator that the Magecart scene is getting crowded than discovering that some groups are now sabotaging each other’s code

Elsewhere it is described not as an entity, but as a type of attack:

Every day we hear about some new threat or vulnerability in technology, and the data harvesting attack known as “Magecart” is the latest threat.

Elsewhere, in a security news outlet that is part of a security company, you will find it claimed that it only impacts Magento websites:

So-called Magecart attacks utilize web injections to deploy JavaScript code on Magento websites that skims and steals payment card information from retail website customers.

But the very next paragraph mentions “high-profile targets”, which didn’t run on Magento:

Once believed to be the work of a single cybercrime gang hitting high-profile targets including Ticketmaster and British Airways, Magecart-style attacks have now evolved and have been adopted by numerous threat groups.

We could go on, but you get the point.

What You Can’t See is Ignored

To the extent that these disparate descriptions of Magecart have any common feature, it is that it involves JavaScript code that captures information, like payment details, during the checkout process on a website. That isn’t the only way that hackers can capture that information, as they could capture it on the system it is submitted to, which is often the same system serving the website where the checkout is occurring. That generally wouldn’t be possible to directly detect from the outside, which seems to explain why there is so much focus on only part of the issue.

Even what you can detect is only the end result of a hack, so while you will find lots of stories about Magecart, there is very little on how the hack occurred. If you don’t focus on how they occurred, then you are not likely to address those issues. Not surprisingly, the hacks keep occurring. That is bad for just about everybody except the people pushing the Magecart narrative, since security companies can sell more products and services this way (which don’t resolve the issue, seeing as the hacks continue) and journalists get easy stories.

Indirect Protection at Best

For this type of attack to work, a hacker has to somehow get malicious JavaScript code to run on the checkout page. That would occur either by placing it directly on the website handling the checkout or on some other website that serves up JavaScript on the checkout page. In either case, a hacker has to gain access to systems to do that. To put that another way, the way to prevent this would be to focus on the server-side, but here was the start of a recent article in a security news outlet written by an employee of a security company:

With e-commerce displaying no signs of slowing down since the start of the COVID-19 pandemic, the Magecart cyber-criminal syndicate is thriving. By evolving their web skimmers to become harder to detect and avoid, they have been successful in breaching several high-profile businesses.

After years of discovery and research by the cybersecurity industry, we are at a stage now where companies have started looking for effective protection against this serious threat. Typically, when security teams understand how web skimming attacks operate and how they take advantage of the huge security blindspot that is the client-side, they first turn to CSP (Content Security Policy).

Focusing on the client-side would be, at best, an indirect way to handle this and wouldn’t handle the situation at all if the hacker collects the data when it is submitted to the website. There is a simple reason why that person might present that as the focus: the company they work for provides client-side solutions.

Need Help Securing a Magento Website?

If you have a Magento website that is hacked, we can help you to actually get it cleaned and secured. If you need someone to handle keeping Magento up to date, which goes a long way to keeping it secure, we can take care of that for you.