While reviewing the log files while cleaning up a hacked Magento website recently we ran across a reminder that a common security practice isn’t full proof. With the Magento software and some other software the software has a built in capability to use a non-standard address for the login page for the admin portion of the website. With other software that is commonly promoted security feature to be implemented with an add-on.
The value of that is limited as while there are widespread claims that there are frequent brute force attacks against admin passwords, in truth what is going on are dictionary attacks, which involved trying to log in using common passwords and that can easily be prevented from being successful by using a strong password. There is the possibility of some value of doing this in a far more limited situation where the hacker has access to valid login credentials for the website, but it turns out that there can be various ways to get access to login page without knowing that address.
In the logs of this hacked website we were seeing many POST requests to this address:
When visiting the page we saw that the Magento admin login page was showing. In looking into if that all there was that we found that this is something that hackers are looking around with pages like that generated by various extensions.
Magento added protection against this issue with SUPEE-6788, which was part of Magento 220.127.116.11, but by default the protection is not enabled.
These days quite a bit of our business dealing with the cleanup of hacked websites is re-cleaning websites after other security companies didn’t clean them up properly before us. Troublingly we recently noticed a company that offers to clean up websites, ASTRA Security, treating that as a normal result and using it to promote using web application firewall (WAF), which they also sell:
Even after clean up and restoring your site, the Magento admin hack may reoccur. The reasons could be a backdoor left by the attacker or simply a vulnerability that may be left unpatched. To avoid such scenarios it is highly recommended to use a WAF or security solution of some sort.
If there is still a backdoor on the website that means it hasn’t been cleaned up, since that would be something would be removed during the cleanup, which someone cleaning up hacked websites should understand.
Part of a proper cleanup is trying to figure out how the website was hacked, so if a vulnerability is left unpatched then things probably have not been done right either.
The providers of WAF’s don’t provide evidence that they provide effective protection against vulnerabilities, while we have seen plenty of evidence that they don’t provide it. It would be even more difficult for them to protect against exploitation of backdoors due to wide variety of their location and what is done through them, which someone cleaning up hacked websites should also understand.
The best way to handle a reoccurrence is to avoid one in the first place by hiring someone like us that will properly clean up the website. If you didn’t do that then the next best solution is to hire someone to re-clean it that will do things properly.
Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security and that is exactly what we ran across while looking into things while working on that previous post. When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:
The description of that is:
Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.
It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.
If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about.
The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.
Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.
What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we recently we brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.