White Fir Design Blog

SiteLock Claimed Website Had Critical Severity Malware Due to Link to Unregistered Domain Name in Comment

On most days we now have multiple people contacting us in regards to claims made by SiteLock and their web hosting partners about the security of their websites. Those contacts broadly fall into to two categories these days.

The first involves websites that SiteLock and their hosting partners are claiming are hacked, which are in fact hacked, but seemingly due to their reputation and shady sales tactics, the websites’ owners believes that the websites are not hacked. In some cases we even are contacted by people claiming that SiteLock or their web host has hacked their website, though those claims have appeared to be completely baseless (we have seen zero evidence ever that SiteLock has hacked any websites).

The second category largely involves SiteLock and their web hosting partners making seemingly baseless claims that websites contain some vulnerability, are at high likelihood of being hacked, or have some other security issue. A recent source of many of those claims has been something referred to as the SiteLock Risk Assessment, which is supposed to provide a score of how likely a website is to be hacked based on “predictive model that analyses over 500 variables “, but the scores appear to be unconnected to reality.

The combination of those situations is not just bad for the people having to deal with the claims made by SiteLock and or their web host, but also for the general public since websites that are really hacked are not being seen as having the serious issue they have, due in part to the false claims also being made.

A recent example of the latter category stood out to us as a good example of the type of activity that has caused SiteLock to earn a reputation as scammers.

We were recently contacted by someone that had multiple calls and emails from SiteLock claiming their website contained malware. Below is one of the emails that was sent by SiteLock about this supposed issue:

Dear SiteLock Customer,

My name is [redacted] and I’m a Security Consultant here at SiteLock Website Security.We are reaching out to you because one or more of the domains you own has malware on it and this issue needs to be resolved. As your website security provider you Do Not have the appropriate level of security to remedy/ remove and prevent these issues.

I’ve attempted to leave a message or left a message on the number in our records as well.

Contact me immediately and directly. We are able to assist you. [redacted] // [redacted]

Cheers,

Worth noting here is that SiteLock’s usage of “Security Consultant” is in fact a euphemism for a commissioned sales person, who likely doesn’t have any background in security.

When we were contacted about this, we asked if there had been any evidence provided to back up the claim that the website contained malware. One reason for doing that is that SiteLock labels all sorts of things that are not malware as being malware, so that makes providing a second opinion in many instances very difficult because the claimed issue could be one of many things.

The website’s owner had not been provided any yet and after SiteLock was asked for evidence, a couple of screenshots were provided. The first showed the following alert box:

What the “critical security issues” is supposed to be is shown in the second screenshot:

The most relevant portion is shown here:

So by malware on the website and “critical security issue” they really meant there was a link to another website. The link in question wasn’t something that was placed on the website as part of a hack of the website, instead the URL was the website provided with a comment on a post from 7 years before. So the claim didn’t seem at all accurate and the repeated contact by SiteLock seemed unreasonable, but it gets worse. We expected that at least the linked to domain, aspergerssyndromsymptomsblog, would contain something malicious, why else would they be claiming it was malware? But instead we found that the domain name isn’t even registered anymore. So a link from a comment to an unregistered domain caused SiteLock to claim a website contained malware.

The SiteLock employee that sent the email mentioned earlier was recently quoted in a SiteLock post saying the following:

The positivity and high energy makes me want come to work each day. We provide valuable products that help business owners succeed, without them having to worry about security issues. We also have great perks here, including free breakfast on Mondays and lunch on Fridays, an on-site gym and cafe, and an employee game room. I feel right at home!

In reality it appears that SiteLock is actually causing people to worry about security issues that don’t even exist and then trying to sell them solutions to protect them from non-existent issues.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

cheers @123reg, but I use your automatic installer with auto updates turned on, so if anything is insecure and outdated… pic.twitter.com/1FXWeanNf8

— Adam Hay (@antireality) August 31, 2017

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).

Fixing Two Possible Issues When Upgrading phpBB Gallery During an Upgrade From phpBB 3.0.x

Version 3.1.x of phpBB introduced a major change, a new addon system. The previous addons, MODs, have been replaced with extensions. That change has a number of impacts, including possibly requiring replacements extensions to be found when MODs being used haven’t been converted, as well as needing to go through additional steps during the upgrade to handle moving to the new extension version of addons. That is a good reason to make sure that a test of the upgrade is done first, which should really be done with any significant upgrade. That is something that we do for all of the phpBB upgrades that we do.

While working on a recent upgrade from 3.0.x to 3.2.x we ran into a couple of issues with upgrading the phpBB Gallery addon. To help others that might run into those we are sharing how we resolved them.

The basic steps for completing the upgrade of phpBB Gallery are found here. While following those we ran in to two issues when enabling the phpBB Gallery extension after upgrading phpBB to 3.2.x.

The first error that occurred was as follows:

Something went wrong during the request and an exception was thrown. The changes made before the error occurred were reversed to the best of our abilities, but you should check the board for errors.

A required module does not exist: ACP_CAT_DOT_MODS

That can be resolved by following the instructions here.

After resolving that we got the following error:

Something went wrong during the request and an exception was thrown. The changes made before the error occurred were reversed to the best of our abilities, but you should check the board for errors.

Several modules with the given parent module langname already exist: PHPBB_GALLERY. Try using before/after keys to clarify the module placement.

What we found was that removing two rows from _modules table in the database would solve this. The instruction prior to installing extension causes some rows related to the addon to be removed:

Open your database (either using phpMyAdmin or mysql from console) and execute the following SQL:
CODE: SELECT ALL
DELETE FROM tableprefix_modules WHERE module_basename LIKE '%gallery%'
tableprefix by default is phpbb.

On the website we working with, doing that would not remove the rows with the “module_langname” of “PHPBB_GALLERY” and “UCP_GALLERY”:

Removing those two would allow the extension to be enabled and then the rest of the upgrade process for it can be completed.

Is SiteLock Not Even Saying What Website They Are Claiming is Vulnerable?

A few days ago we discussed a Forbes article about a report from the web security company SiteLock that claims be a score of how likely a website is to be compromised that seems to be based on nothing, as despite claiming a website had a “Medium” likelihood of compromised SiteLock couldn’t point to any way that the website would be compromised other than ones that are not considered in their score. In that post we noted that previously we have had people come to us after SiteLock had contacted and claimed that there was vulnerability on their website, but wouldn’t give them any details of it. It looks like they can provide even less information, as the following portion of an email sent to someone that was formerly a customer of one of their web hosting partners shows:

This amuses me as the only hosting I've had with @bluehost was cancelled months ago. Hey @SiteLock, GO AWAY KTHNXBAI! pic.twitter.com/oBcC0Ji3Rs

— Indie (@IndieAtWork) August 17, 2017

It is baffling that telling the owner of a website which one of their websites is claimed to have a vulnerability, without providing any details whatsoever of the vulnerability, is going to somehow expose the vulnerability.

What is a bit odd about this message is that Bluehost’s name is incorrectly capitalized as “BlueHost” with the “h” capitalized when it shouldn’t. It seems like you should get your partners name right, especially when that partner is ultimately run by SiteLock’s owners. Without seeing the rest of the email we can’t see if there is any indication that this actually another phishing email being sent to Bluehost customers, like the one we that came up last week when Bluehost was pushing someone to hire SiteLock to deal with a non-existent malware issue. Though that phishing email actually mentioned a specific website.

One alternate explanation that isn’t too far out there considering SiteLock’s track record and the fact this person isn’t even with the web host anymore is that there is no basis for the claim. By not mentioning a website they might hope to get more interest from webmasters than if they mentioned one and it wasn’t important.

Resolving “You are not authorised to view this resource.” Issue on Joomla Website Due to PHP Version Change

Sometimes figuring out the source of an error is as easy as doing a Google search on the message being shown instead of what should be shown. In other situations that isn’t the case. We recently had someone contact us for Joomla support that had a website where the website’s menu had disappeared and for most pages of the website they were getting a message that “You are not authorised to view this resource.” instead of the page’s content.

If you were to Google that message you get a lot of results with a lot of different possible resolutions. One of the first results is for a slightly different message (with an additional sentence after that one) and there were eighteen possible causes listed for the issue in that result.

In this situation, looking at what was shown in the PHP error log (and was shown when the display of errors was turned on) made it look like the problem could have been caused by the PHP version being used. The version of PHP in use was version 7, which considering that the Joomla and the installed extensions where several years out of date, could cause errors to occur. It would appear that web host had automatically changed to that version and lowering the version back down to PHP 5.6 got the website working again.

PHP 5.6 is supported with security updates until the end of next year, so moving to a newer version isn’t necessary yet.

While extensions may still have issues with the newer version of PHP, Joomla introduced official support for PHP 7 with Joomla 3.5, which was released in March of last year. Considering that numerous security fixes have been released since that version, you should already have upgraded Joomla to a newer version than that.

SiteLock Likelihood of Compromise Reports Look Like Another SiteLock Scam

We have written a lot about the shady stuff involving the web security company SiteLock and the main complaint we have gotten about this is that because we also offer web security services (though very different from what they offer) that the information we provide is suspect. We can’t point to much written by others in a professional capacity because for the most part SiteLock has remained under the radar. But we now have something written by someone else that we can point to that shows the kind of activity that has caused “sitelock scams” to be one of the search predictions that Google provides when searching for SiteLock:

An article put out by Forbes last week describes something we have yet to have anyone contact us about, a report from SiteLock that is supposed to be “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. The author of story was told that their website, which is “single-page static website with just a handful of files and no CMS or other editing software”, had a “Medium” “likelihood of compromise”. The author of the article noted they could only think of two ways that type of website could be compromised, but SiteLock told them that neither of those was consider when calculating the score:

The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.

Considering that SiteLock was saying that there was a “Medium” risk of compromise how else did they think it could be compromised, they couldn’t even come up with an answer:

When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

In light of the fact that the score seems to be baseless in this instance, it is worth noting the only detail of the score provided was:

The only detail of any kind offered by the report as to how it assessed my site at Medium risk was that 7% of the risk came from “Popularity: Number of visitors and overall social media presence,” 29% of the risk from “Presence of specific components” and 64% from “Site size and the number of distinct components.”

So SiteLock is making it appear that all of this is evidence based, they are giving percentages and claiming to leverage over 500 variables (we can’t even think of close to 500 variables that could possibly be used unless they are really stretching as what they count as a separate variable), but the reality is that the score seems to be baseless. The author of the piece had the expertise to see past the superficial evidence based nature of this, but SiteLock wouldn’t be doing this if they didn’t think that others would not be as knowledgeable.

This isn’t the first time that we have seen SiteLock put forward claims that websites are vulnerable based on false evidence or unsupported by evidence. In June we noted how they continued to use false information about the security of WordPress to claim websites were vulnerable. In other instances we have had people come to us after SiteLock has claimed there is some vulnerability on their website, but has refused to provide the details, instead only suggesting purchasing SiteLock services to resolve. That was also the case for the author the article.

When the web hosting partner that was passing along the score was asked what could be done to reduce it, the response was to purchase SiteLock services:

When asked what a company could do to reduce their risk score, Network Solutions noted that it offers two subscription monitoring services by SiteLock that scan a customer’s site each day, alerts them if their site has been compromised and automatically removes selected malware from infected files.

The web host would likely get a significant percentage of the fee for those services if they were purchased.

SiteLock gave a similar response:

When asked how a company might work to reduce their risk score from Medium to Low in the absence of any technical detail as to which of the 500 indicators were triggered for their site and if their subscription vulnerability scans did not reveal a known vulnerability, SiteLock offered that it has a commercial professional services team that can be hired in a consulting arrangement to review a site and determine if there are any concerns with its architecture or technical design.

In line with what we have seen in the past when caught doing questionable stuff, SiteLock claimed that they didn’t see anything wrong with what they are doing:

The company strenuously emphasized that it believes such a score is very useful and that many companies have found it of great use to them, but declined to provide more detail as to what companies have done with that information beyond simply subscribing to SiteLock’s products.

The Forbes article raises other issues with this situation that are also problematic and we would suggest you read the article.

Based on all of that it looks like these scores can be safely ignored, but with other claims from SiteLock about the security of websites that are backed by some level of evidence we recommend getting a second opinion before taking any action, as they are not all false. We are always happy to provide a free second opinion.

iPage’s Strange False Claim of Malware Being Detected on a Website

We get a lot of people that contact us looking for a second opinion as to a claim that their website contains malware coming from the SiteLock and or their web hosting partners. One of the latest included a head scratching claim in an alert from the web host iPage (the logo shown with that is SiteLock’s, so maybe they did the scan):

So there was malware detected on their site during a recent scan, but it impacted “0 domain”. Those seem like they are contradictory statements to us, but maybe something that doesn’t count as a domain was impacted?

What we suggested to the website’s owner was to contact iPage for more evidence because that wasn’t enough based on that to give a second opinion as to the veracity of the claim, though it seemed unlikely considering the website was built with the Weebly website builder provide by iPage.

The response they got from iPage was that the there was not any malware, but they were not provided with an explanation as to what had happened:

We apologize for any inconvenience caused. I have performed a scan of your account and it is malware free. Right now there is no alert regarding infection is shown in the ControlPanel.

If you receive an alert similar to this from iPage whether it actually lists a positive number of domains affected or not, our recommendation is to contact iPage for more information and then get a second opinion instead of signing up for a SiteLock service, which they are trying to sell you from that alert, right off the bat.

False Claim From Bluehost Phishing Email Leads to Bluehost Trying to Sell Unneeded SiteLock Service

On a daily basis we are contacted by people looking for a second opinion after their web host and or their web host’s security partner SiteLock claim that their website contains malware. While a lot of the time there really is some hack of the website that has occurred, though not necessarily involving malware, there are many instances where the claim turns out to be false. There have been many different reasons for that, one of the latest seems like it might be the worst the one yet, since the web hosting partner, Bluehost, tried to sell someone on a $1,200 a year security service from SiteLock based on false information from a phishing email that didn’t even claim there was malware on the website.

What we were told at first about the situation didn’t make sense to us. The website’s owner said they were told by their web host Bluehost that their website was using excessive MySQL resources and that the cause was malware. MySQL is database system and malware and other hacks rarely involve interaction with a database, so we didn’t understand where the belief that malware would be the cause would have come from. Looking at the website made things seem odder. The one possibility we could think of is if a hack added spam content to a website it could cause increased traffic to the website that in turn could increases MySQL resource usage. Not only did we not see any indication of that type of issue, but there was also the fact that the website was built with the Weebly website builder software, which seems unlikely to be hacked in that way or using much in the way of database resources.

After asking if Bluehost provided any more information that might make their conclusion that malware was the cause seem more reasonable, we were forwarded the following email that had started the situation:

Bluehost abuse12@bluehost.com via annika.timeweb.ru

11:16 PM (12 hours ago)

Dear Bluehost customer [redacted]:

It has come to our attention that your site is using an excessive amount of MySQL resources on your BlueHost.Com account. This is causing performance problems on your website as well as for other customers that are on this server. It can cause our servers to crash and cause additional downtime.

Our research shows that server performance degrades when the MySQL usage is over 1,000 tables and/or 3 GB on a single account or 1,000 tables and/or 2 GB on a single database. In order to ensure optimal performance for your account and the others in your shared hosting environment, we request that you reduce the MySQL usage on your account to under these limits in 14 days.

You must confirm the current copy of our Terms of Service here:
http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]

Terms of Service Compliance Department
1958 South 950 East
Provo, UT 84606
Phone line: (888) 401-HOST Option 5 | Fax line: 801-765-1992

The very beginning of that caught our attention first, as it referenced “annika.timeweb.ru”, which seems like it shouldn’t be where an email from Bluehost should be coming from. A Google search on that showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later on in the email the URLs being linked to are intend to look like it is Bluehost by starting “my.bluehost.com” and “mysql.bluehost.com”, but the rest of the domain is “687fe34a901a03abed262a62e22f90db.d0013151.atservers.net”. The server that is hosted from is in Belarus.

Since this was a phishing email there was not anything wrong with the website. So that makes Bluehost’s claim that it was malware and that the SiteLock service should be purchased when they were contacted even odder. The Bluehost support person must not have checked to insure that the issue the customer was contacted about actually existed, despite a phishing campaign going on making false claims along those lines. Even then it doesn’t make sense to say this was malware based on the claimed MySQL resource usage issue. So what explains it?

Well it might have something to do with the fact that Bluehost gets 55% of the revenue from sales of SiteLock services through their partnership or that SiteLock’s owner also run the parent company of Bluehost, the Endurance International Group. Based on what have heard in the past it sounds like when support persons don’t know what is going on they may blame malware for what is going on and point people to SiteLock.

In any case, it is a good reminder to make sure to get a second opinion when you are contacted by SiteLock or their web hosting partners so that you don’t end up spending over a thousand dollars a year on something you don’t need. If you were really hacked you also don’t need to spend anywhere near that amount of money to get the website properly cleaned up (SiteLock doesn’t even properly clean up websites for their high fees).

Wordfence Pushes Their Less Effective Products and Services Over Doing a Security Basic

From dealing with a lot of hacked website we see the damage the security industry often causes. One of the problems we have run into over and over is that people are not interested in doing the basics of security and instead trying to rely on security products and services to protect them. Doing that has leads to website being hacked that shouldn’t, that even includes the website of a security company. It isn’t hard to understand why this happens since these security products and services are often promoted as being a magical bullet, while in reality some are somewhat useful and others are of little use to no use.

In some cases security companies are explicitly promoting using their products instead of doing the basics even when they would have provided better results. Case in point a post by the WordPress focused security company Wordfence today.

They claim that websites are being infected with a particular malware through two vectors:

So far the Wordfence Security Services Team has seen two infection vectors (methods of infection). The first is websites that are infected because they left the searchreplacedb2.php script lying around. This is a relatively uncommon infection vector. We wrote about this risk a few weeks ago.

The second vector is by far the most common. The attackers are exploiting a vulnerability in the WordPress ‘Newspaper’ theme. This vulnerability allows them to inject malicious code into the WordPress ‘wp_options’ table which then redirects your traffic to malicious websites or ad campaigns. Our Security Services Team has seen several other themes that are based on the Newspaper WordPress theme that suffer from the same vulnerability.

What isn’t noted in their post is that according to discoverer of the vulnerability in the theme, the vulnerability was fixed four days after the developer was notified and the fix was put on in April of last year. Why not note that, well one reason might be the next paragraph in their post:

Wordfence released a Premium firewall rule about 40 days ago which prevents these attackers from exploiting the Newspaper theme. Even if you had a vulnerable theme, you would have been protected. About 10 days ago, that rule became available to our free customers too.

So simply keeping the theme up to date would have protected those using it long before Wordfence ever got around to protecting against the vulnerability. Wordfence didn’t mention the importance of keeping software updated in those parts of the post, but surely they would do that in a section “What to Do To Protect Yourself” since updating the theme would in fact be the best protection against the vulnerability in the older version from being exploited. It turns otu that isn’t the case:

What to Do To Protect Yourself

As always we recommend running Wordfence Premium. In this case, our Premium customers have been protected for over 40 days from TrafficTrade by a Premium firewall rule that was deployed by our team in real-time.

The firewall rule became available to our free community users about 10 days ago. Both Wordfence free and Premium are now protecting your sites from these attacks.

Because this infection is so wide-spread, we have released additional detection in the Wordfence malware scan to detect a newer variant of TrafficTrade. We are seeing attackers modify your wp_options table to inject the malicious code into that table. A Wordfence scan will now detect this.

This new feature is immediately available for free and Premium Wordfence customerswith Wordfence version 6.3.16 which was released this morning. Simply install Wordfence or update to 6.3.16 and run a scan.

We mentioned earlier that security companies promote their products as being magic bullets, Wordfence is a perfect example. They promote their plugin with the blanket claim that its “Web Application Firewall stops you from getting hacked” despite the obvious counter example here that they only started protecting against the theme vulnerability more than a year after it was disclosed.

Restoring the Tax ID to Customer Data in OpenCart 2.x and Above

When upgrading from OpenCart 1.5 to a newer version there are some significant changes. One that we recently dealt with for a client was restoring the Tax ID field that was previously available as part of the information entered during checkout by customers and was removed in OpenCart 2.0. There two steps to accomplish this.

The first step is to restore the Tax ID field to the customer data and to checkout. That can be done by creating a custom field, which can be done from the Customers menu in the admin area of OpenCart. You are provided with a number of options when setting up a new custom field, including what customer groups you wish it to be shown to:

The second step is to copy over the existing Tax IDs to the new custom field. The existing Tax IDs are stored in the tax_id column of the address table in the database and the custom field in the custom_field column in the customer table. Because of the formatting used for the custom_field column you cannot simply copy over the values from one to the other. The simpler method technically to copy the data is to enter the values from the tax_id column in to the customer’s details in the admin area. For those technically minded you can use a bit of coding to get the values from the one column, convert them to the formatting for the second, and then copy them over.