DreamHost Also Distributing Outdated Web Software Through One-Click Installer

When it comes to improving the poor state of website security, web hosts certainly could be doing things over and above what is their responsibility to help with that. But at this point we are finding that they are still failing to do some things that really are their responsibility. One of those is not offering to install software on websites that is outdated and insecure. In May we discussed an instance where a web host told the owner of a hacked website that the outdated version of Joomla they were using, 2.5.28, was a security weakness while still offering to install that version through the MOJO Marketplace service. Support for that version of Joomla had ended almost two and a half years before, so it should have long since been removed from such a service. Earlier this week we noted that another similar service used by web hosts, Softaculous, was also still offering to install that version of Joomla.

While working on a website hosted with DreamHost we checked to see how they were doing in this regard. The good news is that they are not offering to install that version of Joomla. The bad news is that the version of Joomla they are installing, 3.6.4, is also outdated and insecure:

That version was superseded by 3.6.5 in the middle of December, and 3.6.5 was a security update. There have been three more security updates released since then: 3.7, 3.7.1, and 3.7.3.

Of the other software they offer that we deal with on a regular basis, most of it is also outdated and insecure.

They offer MediaWiki 1.26.3:

Version 1.26.4, which includes a security update, was released last August, and the 1.26.x branch reached end of life in November.

They offer phpBB 3.0.13:

Version 3.0.14, which includes a security update, was released in May 2015, and the 3.0.x branch reached end of life in November of that year.

They offer Zen Cart 1.5.4:

That was superseded by version 1.5.5 in March of last year. Unless DreamHost has added the security patches that were released for version 1.5.4, version 1.5.5 would also be a security update over what they are offering.
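The check we ran by hand above can be automated. The following is an added example, not DreamHost's, Softaculous's or MOJO Marketplace's code: it takes what an installer catalog offers, compares each entry against the newest release in its branch and the branch's end-of-life date, and flags anything that is superseded or past EOL. The catalog and reference table are constructed from the versions cited in this post; the exact EOL dates and the "today" date are assumptions, since the post only gives months.

```python
"""Audit what a one-click installer offers against the newest release in
each branch and the branch's end-of-life date.

Added example; this is not DreamHost's, Softaculous's or MOJO
Marketplace's code. The catalog and reference table are constructed
from the versions cited in the post; the EOL and 'today' dates are
assumptions (the post gives only months)."""
from datetime import date

# Constructed sample of what an installer catalog offers.
OFFERED = [
    ("Joomla", "3.6.4"),
    ("MediaWiki", "1.26.3"),
    ("phpBB", "3.0.13"),
    ("Zen Cart", "1.5.4"),
]

# (software, branch) -> latest release in that branch, whether that
# release carried security fixes (None = not known), and the branch EOL
# date (None = still supported). Dates are assumptions.
REFERENCE = {
    ("Joomla", "3.6"):     {"latest": "3.6.5",  "security": True, "eol": None},
    ("Joomla", "3.7"):     {"latest": "3.7.3",  "security": True, "eol": None},
    ("MediaWiki", "1.26"): {"latest": "1.26.4", "security": True, "eol": date(2016, 11, 1)},
    ("phpBB", "3.0"):      {"latest": "3.0.14", "security": True, "eol": date(2015, 11, 1)},
    ("Zen Cart", "1.5"):   {"latest": "1.5.5",  "security": None, "eol": None},
}


def parse_version(text):
    """'3.6.4' -> (3, 6, 4). Tuples compare numerically, so 3.10 > 3.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def branch_of(text):
    """Branch is the first two components: '3.6.4' -> '3.6'."""
    return ".".join(text.split(".")[:2])


def newest_branch(software, reference=REFERENCE):
    branches = [b for (s, b) in reference if s == software]
    return max(branches, key=parse_version) if branches else None


def assess(software, offered, today, reference=REFERENCE):
    """Classify one catalog entry as current, outdated, eol or unknown."""
    b = branch_of(offered)
    result = {"software": software, "offered": offered, "branch": b,
              "status": "unknown", "superseded_by": None,
              "security_fix_missed": None, "eol": None, "newer_branch": None}
    ref = reference.get((software, b))
    if ref is None:
        return result
    if parse_version(offered) < parse_version(ref["latest"]):
        result["superseded_by"] = ref["latest"]
        result["security_fix_missed"] = ref["security"]
    nb = newest_branch(software, reference)
    if nb is not None and parse_version(nb) > parse_version(b):
        result["newer_branch"] = nb
    # An EOL branch is the worst case whatever its point release: no more
    # security fixes will ever be published for it.
    if ref["eol"] is not None and today >= ref["eol"]:
        result["eol"] = ref["eol"].isoformat()
        result["status"] = "eol"
    elif result["superseded_by"] is not None:
        result["status"] = "outdated"
    else:
        result["status"] = "current"
    return result


def audit(offered=OFFERED, today=date(2017, 6, 20), reference=REFERENCE):
    """Run assess() over a whole catalog. The default 'today' is assumed."""
    return [assess(s, v, today, reference) for s, v in offered]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['software']} {r['offered']}: {r['status']}"
              + (f", superseded by {r['superseded_by']}" if r["superseded_by"] else "")
              + (f", branch EOL {r['eol']}" if r["eol"] else "")
              + (f", newer branch {r['newer_branch']}" if r["newer_branch"] else ""))
```

The reference table is the part that needs upkeep; the point of the script is that an installer vendor who keeps such a table (and Softaculous already records release dates) has no excuse for still shipping an EOL branch.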

You Don’t Need to Get In a Long Term Contract With SiteLock to Get a Hacked Website Cleaned Up

Almost daily we are dealing with people who come to us looking for advice or help after an interaction with the web security company SiteLock. To make sure we are providing them the best information possible we keep track of what is being said by others about SiteLock, as that helps us explain things that are brought up with us that otherwise wouldn’t make much, if any, sense.

A recent complaint about them that we ran across brings up something we have been getting a lot of questions about recently, so we thought posting on it would be helpful.

Here is the complaint from SiteLock’s BBB page:

We needed help to clean our website (they were referred to us from *********)- we are a children’s educational program and our site had been hacked by an Asian Pornography site. We were about to be featured on national TV so we needed a fix quickly. We were told that our only option was a one year…contract at $99/month- and that everything on our site would be fine. Within 30 days we still had issues and contacted them-ended up having to leave ********* and set up clean, virus-free hosting and change site- at considerable expense to us–were told we were responsible for entire contract. Cherise at first said if we waited until the first 4 months were up we could then cancel and that would count. When I called at the end of that 4 months I was told it was too late and we needed to pay-all anyone ever repeated was “you signed a year contract”. We DID try to cancel within 30 days- which under Florida law – businesses are required to follow. We were forced to pay.

There is no reason you need to get into a long-term contract to get a hacked website cleaned up, especially a $1,200 a year one. We and many others offer one-time cleanup services, which are much cheaper than that and, in at least our case, won’t leave you with unresolved issues. Based on everything we have seen, the reason SiteLock is pushing this type of plan is that they and their commissioned sales people are trying to get as much money as possible out of people (we recently interacted with a current SiteLock customer whom they tried to sell an additional unneeded service on the basis of harmless activity occurring on the website).

While there are web hosts that will strongly push their customers to hire SiteLock to clean up a hacked website, if you ask them directly they will tell you that you don’t have to use SiteLock. The reason they are pushing SiteLock isn’t that SiteLock does a really great job at cleaning up hacked websites, as complaints like the one above show, but that they are getting paid by SiteLock, and in the case of one of SiteLock’s biggest partners, that they are run by SiteLock’s owners. Interestingly, in the complaint the web host has been redacted at least once, leaving people unaware of the level of connection it had with SiteLock in this instance.

That the customer was still having issues isn’t all that surprising when you consider that SiteLock doesn’t do the work needed to make sure the things they themselves claim lead to website reinfections are addressed when doing cleanups, and that, unlike any other company we have been brought in after to re-clean a website, in some instances they do such a bad job that they leave websites broken.

Resolved?

One question we get asked fairly often that we don’t really have a good answer to is what to do if somebody has run into a situation like the one in the complaint (that is part of why we focus on making sure people don’t get involved with SiteLock in the first place). The responses to this complaint indicate that filing a complaint with the BBB might be one option, though that isn’t clear.

Here is SiteLock’s response, which indicates that it was resolved:

In regards to complaint #********, we apologize for any confusion or frustration the customer may have experienced. At SiteLock, we always strive to deliver exceptional customer service. Although a contract with agreed upon terms had been signed, our number one priority is delivering the… highest levels of satisfaction. We have taken immediate actions to address the issue, and are happy to report the matter is resolved. 

But the customer’s response seems to indicate that SiteLock hadn’t actually resolved it yet:

Better Business Bureau: I have reviewed the response made by the business in reference to complaint ID ********, and find that this resolution would be satisfactory to me. I will wait for the business to perform this action and, if it does, will consider this complaint resolved. Regards, **** *******

If you have been able to get a refund or otherwise get yourself unwound from a SiteLock contract please leave a comment so that others can have a better idea of what might work for them.

Softaculous is Also Still Offering to Install Joomla 2.5 Despite Being EOL’d Two and Half Years Ago

Back in May we noted that the service MOJO Marketplace, which is used by web hosts to provide their customers with quick installations of various web software, was still offering to install Joomla 2.5 despite support for that version having ended on December 31, 2014. We came across that while dealing with a hacked website where the web host, which uses MOJO Marketplace’s service (and is owned by the same company), and the web host’s security partner (whose owners also run the other two companies) both told the website’s owner that use of that version was a security weakness.

While working on a non-hack issue on another website we noticed that another service that does software installations, Softaculous, is still offering to install Joomla 2.5 as well. Not only are they offering to install it, but at this web host it is fairly prominently offered, as this is what you see in the last section when you log in to the web host’s cPanel control panel:

To confirm that this wasn’t a case where they still listed it as Joomla 2.5 but really installed whatever the current version is, you can see at the top of the page you are taken to when you click the link that they are in fact still offering that version:

Seeing as they also keep track of the release date, you would think they might periodically review whether they are offering software that hasn’t been updated in years to see if they should still be offering it, but they don’t seem to, considering that Joomla 2.5 is still available.

SiteLock is For Some Reason Labeling Spam Links as Malware

We often have people coming to us looking for advice after an interaction with the web security company SiteLock. That frequently involves claims by SiteLock that a website contains malware. Not only is the claim not always true, but in some instances the files they have labeled as malicious don’t really make sense as being malicious (compressed database backups, for example). Back in February we ran across what looks to be part of the explanation for this: SiteLock’s malware scanner labels evidence of non-malware hacks as malware.

In that instance it involved SiteLock’s detection of a website defacement (though they were identifying the wrong website as being defaced), which they were labeling as malware. Back in May we ran across a tweet from SiteLock that seemed to say that they would also label spam comments in a database as malware. It turns out that when it comes to spammy content this also applies to spammy links.

Here is a screenshot we were forwarded while providing a consultation recently, showing a spam link being identified as malware and labeled “SiteLock-HTML-SEOSPAM-iar”:

Seeing as website malware refers to either malicious code being served to visitors of a website or malicious code in the underlying files or database that generate a website, labeling spammy links as malware isn’t accurate. A spam link is evidence that the website has been compromised and needs to be cleaned up and the source of the hack found, but it isn’t itself code that does anything to the website or its visitors.

Why SiteLock is doing this isn’t clear. It could be as simple as a lack of understanding of what they are doing. While they promote themselves as the “global leader in website security”, there is plenty of evidence out there that they really don’t know much on the subject. It also could be intentional. Someone would probably be more likely to order a $100 a month protection plan (which their commissioned sales people are often trying to sell people on) if they were told they had malware on their website instead of a spam link. This also makes it harder for another security company to figure out what is going on, because if they look for malware on the website and don’t find anything, they might reasonably assume they missed something that SiteLock had found.

This is all a good reminder for anyone dealing with a claim from SiteLock that a website contains malware to get evidence from them as to what they are claiming is the malware, as that should go a long way to clearing up whether it is in fact malware, some other type of hack, or a false positive. If you have gotten that information from them about a claimed malware issue with your website and are still not sure what is going on, we are always happy to provide a second opinion on the issue.

The Online Trust Alliance Doesn’t Seem Too Trustworthy

When it comes to words that might reasonably be associated with the web security company SiteLock, one of them isn’t “trust”. You don’t have to look farther than Google’s search suggestions to see that:

Google's second search suggestion for "sitelock" is "sitelock scams".

But if you do want to look farther, you could look at the situation with a couple of their services, their content delivery network (CDN) and web application firewall (WAF) services, which they promote as if they themselves provide them. For example, they use phrases including “SiteLock servers“, “SiteLock patent-pending technology“, and “our IP addresses“. But in reality the services are provided by another company, Incapsula. Beyond having a security company lie about something there doesn’t seem to be a need to lie about, the lie is rather troubling because both of those services involve sending a website’s traffic through a third party’s systems. While SiteLock’s customers are told those systems are SiteLock’s, they belong to a company that the customers are neither aware of nor have a business relationship with. That raises some pretty obvious privacy and security concerns: the party proxying every request to the website, and therefore able to see all of it, is not the party the customer agreed to do business with.
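You do not have to take a vendor's word for who fronts your traffic; the response headers and DNS of the website say who it really is. The following is an added example, not SiteLock's or Incapsula's code, that identifies the fronting provider from a captured set of response headers and the site's CNAME target and compares it with what the vendor claims. The fingerprint strings are assumptions drawn from commonly documented indicators of each provider, so treat a match as a lead to confirm rather than proof; the sample response is constructed.

```python
"""Check who really fronts a website by looking at what its responses
and DNS reveal, rather than what a vendor's marketing says.

Added example, not SiteLock's or Incapsula's code. The fingerprint
strings are assumptions drawn from commonly documented indicators of each
provider; treat a match as a lead to confirm, not as proof. The sample
response below is constructed."""

# provider -> indicators. Header values are matched as lower-case
# substrings; an empty expected value means "header merely present".
FINGERPRINTS = {
    "Incapsula": {
        "headers": {"x-cdn": "incapsula", "x-iinfo": ""},
        "cookie_prefixes": ("incap_ses_", "visid_incap_"),
        "cname_suffixes": ("incapdns.net",),
    },
    "Cloudflare": {
        "headers": {"server": "cloudflare", "cf-ray": ""},
        "cookie_prefixes": ("__cfduid",),
        "cname_suffixes": (),
    },
}

# Constructed: what a site behind the "SiteLock" WAF/CDN might actually
# return. Values are placeholders, not captured data.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "X-CDN": "Incapsula",
    "X-Iinfo": "1-2-3",
    "Set-Cookie": ["visid_incap_1=abc; HttpOnly", "incap_ses_2=def; Path=/"],
}
SAMPLE_CNAME = "abc.x.incapdns.net."


def identify_front(headers, cname=None, fingerprints=FINGERPRINTS):
    """headers: response header name -> value (Set-Cookie may be a list).
    cname: the CNAME target of the site's hostname, if any.
    Returns (provider, evidence) or (None, [])."""
    norm = {k.lower(): v for k, v in headers.items()}
    cookies = norm.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    target = (cname or "").lower().rstrip(".")
    for provider, fp in fingerprints.items():
        evidence = []
        for name, expected in fp["headers"].items():
            value = norm.get(name)
            if isinstance(value, str) and expected in value.lower():
                evidence.append(f"header {name}: {value}")
        for c in cookies:
            cookie_name = c.split("=", 1)[0]
            if cookie_name.startswith(fp["cookie_prefixes"]):
                evidence.append(f"cookie {cookie_name}")
        # Match whole labels only, so "fooincapdns.net" does not count.
        if target and any(target == s or target.endswith("." + s)
                          for s in fp["cname_suffixes"]):
            evidence.append(f"cname {target}")
        if evidence:
            return provider, evidence
    return None, []


def verify_claim(claimed_provider, headers, cname=None):
    """Compare the provider a vendor says operates the WAF/CDN with what
    the traffic shows. Returns ('match' | 'mismatch' | 'unknown', observed)."""
    observed, _ = identify_front(headers, cname)
    if observed is None:
        return "unknown", None
    status = "match" if observed.lower() == claimed_provider.lower() else "mismatch"
    return status, observed


if __name__ == "__main__":
    print(identify_front(SAMPLE_HEADERS, SAMPLE_CNAME))
    print(verify_claim("SiteLock", SAMPLE_HEADERS, SAMPLE_CNAME))
```

To feed it real data, capture the headers with `curl -sI https://www.example.com` and the CNAME with `dig +short CNAME www.example.com`. A "mismatch" result means the company terminating and inspecting your visitors' requests is not the company you signed a contract with, which is exactly the situation described above.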

Based on that we don’t understand how an organization named the Online Trust Alliance would think it is appropriate to name SiteLock to their “Online Trust Audit and Honor Roll”, as announced by a SiteLock press release.

The press release lists what is evaluated for that:

As the only comprehensive, independent online trust benchmark study, the ninth annual OTA Online Trust Audit evaluates websites in three categories: consumer protection, responsible privacy practices and security. Based on a composite weighted analysis, sites that scored 80 percent or better overall, without failing in any one category, received Honor Roll status.

If you look at the complaints from SiteLock customers, it sounds like the public is in need of protection from SiteLock (just last week we looked at an example of SiteLock trying to sell a customer on getting unneeded work done). As for security, while SiteLock’s own website may be secure, that isn’t even the case for customers included in SiteLock’s case studies.

Security Plugins and Plugins by Automattic Haven’t Been Updated To List Them as Compatible With WordPress 4.8

Back on May 31 we received an email from WordPress.org asking us, as developers of several plugins, to make sure that the plugins were listed as being compatible with the then upcoming WordPress 4.8. The beginning of the message reads:

Hello, White Fir Design!

WordPress 4.8 is scheduled to be released on June 8. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.8. This information provides peace of mind to users and helps encourage them to update to the latest version.

As scheduled, that version was released on June 8.

While looking at something the other day we noticed that a security plugin had not been updated to list it as compatible with the new version. Looking at the plugins tagged security, it turns out that many haven’t been updated two weeks after the release of that new version of WordPress. That doesn’t seem to be a great indication of the state of security plugins, but more striking was that several of the most popular plugins tagged security that have not been updated come from the company Automattic, which is closely associated with WordPress.

First up is Jetpack by WordPress.com, which is tied with 6 other plugins for having the most active installs, 3+ million:

One of those other plugins with the most active installs is another Automattic plugin which, despite shipping with WordPress, also isn’t listed as compatible with WordPress 4.8:

Getting back to the security tagged plugins, another Automattic plugin not listed as being compatible is VaultPress:

Among the other security tagged plugins that haven’t been updated to be listed as compatible, you have iThemes Security:

You also have Sucuri Security, which still hasn’t even been listed as being compatible with WordPress 4.7, despite that being released in December:

That plugin’s parent company, GoDaddy, also hasn’t updated their other plugins to list them as compatible:

Also worth noting, considering SiteLock’s questionable involvement with WordPress, is the SiteLock Security plugin:

Google Handling Advertising For Website Serving “Nulled” WordPress Themes and Plugins With Malicious Code

Recently Google has been deciding to show ads for one of our services on websites serving “nulled” web software, which is paid web software being distributed illegally, possibly with security measures removed from it. That isn’t something we are interested in having our ads run on, and we have excluded those websites from showing our ads. Today, while looking into a hacked WordPress website that we were contacted about, we noticed that Google is handling the advertising for another such website, dlwordpress.com, where “nulled” WordPress themes and plugins are being distributed with malicious code in them.

At the top of the homepage are two ad blocks being served by Google (bordered in red):

The website (and the others that had included our ads) seems pretty clearly to be in violation of Google’s AdSense program policy related to copyrighted material:

AdSense publishers may not display Google ads on pages with content protected by copyright law unless they have the necessary legal rights to display that content. This includes pages that display copyrighted material, pages hosting copyrighted files, or pages that provide links driving traffic to pages that contain copyrighted material.

The malicious code reported to be served with the software at that website would seem to cause the website to violate a couple of their content guidelines as well:

It doesn’t seem like it would be hard for Google to detect that these websites are engaged in this activity, so if they didn’t want them in their advertising program they could already have excluded them. We have been reporting the ones that have been showing our ads, though.

dlwordpress.com Warns About Similar Websites Distributing Files Containing Viruses

While the website prominently links to a page for filing DMCA takedowns for copyrighted content on the website, it promotes that it is itself involved in placing such content on the website, which would seem to remove the safe harbor protection that the DMCA provides for websites:

For your money, we'll buy new wordpress themes.

While a WordPress theme’s (or a plugin’s) PHP code would need to be licensed under the GPL and therefore can legally be distributed to others after being purchased, other assets included with them, such as images, would not necessarily be.

On the “Submit Your Theme or Plugin” page, they pretty clearly are requesting content that they know wouldn’t be legal for them to distribute. But more striking is that they ask people submitting themes and plugins not to submit them from other similar sites because those sites “can share files with viruses”:

Here you can send your nulled themes and plugins. Please do not send files from another sites! Another sites can share files with viruses. Share only from themeforest or codecanyon!

Cloudflare Too

Google isn’t the only legitimate company involved with this website: when we went to check where the website’s server was located we found that it is being served through Cloudflare.

A couple of months ago we found them doing the same for a website being used as part of a hack to steal credit card information.

A Single Tweet Nicely Sums Up the Problem With WordPress Allowing SiteLock to Be Involved With WordCamps

The web security company SiteLock has a well-earned reputation that can be summed up by what Google suggests when you type in their name:

Google's second suggestion is "sitelock scams".

That obviously isn’t a reputation you would think any company would want. It would probably be difficult for SiteLock to legitimately change it, though, since their business model seems to be based around the activity that gets them labeled that way.

It would also be difficult because if they, for example, stopped partnering with web hosts to try to get people to pay them to clean up hacked websites that are not in fact hacked, then they would actually have to clean up websites properly to get paid, and from everything we have seen they are even worse at that than the average web security company, which is already quite bad. For example, we are often brought in to re-clean hacked websites after some other company had previously done that and the website got hacked again. While that isn’t always the other company’s fault, in almost every instance we have been told that determining how the website was hacked never even came up, despite that being a basic part of a cleanup and important for making sure the vulnerability that allowed the website to be hacked has been fixed. That is certainly something we have seen with SiteLock. What we haven’t seen with other companies is that SiteLock has caused websites to be broken after doing their work.

Instead of trying to change, SiteLock looks to have focused on various efforts to present a public face very different from the one that their customers, and not always willing potential customers, can find themselves dealing with. What looks to be an important component of that effort is their involvement in and sponsorship of the conferences for WordPress, WordCamps, using money they have gotten from their questionable business practices. We think a tweet put out by one of those WordCamps succinctly shows what the problem with WordPress allowing that to occur is:

The claim that SiteLock wants to make your WordPress secure is belied by many things we have run across, including a few recent examples: thinking that leaving malicious code on a website for a while is not a threat, not taking the actions needed to prevent hacked websites from being reinfected, and not warning about vulnerable plugins or ensuring they are kept up to date on a website they are supposed to be keeping secure. But maybe the most troubling recent example is that SiteLock is still knowingly spreading false information about the security of the core WordPress software and using it to make a profit. We would love to hear from someone on the WordPress or WordCamp side of things how that makes anyone’s WordPress secure.

At some point, and maybe we have already reached that point, you have to say that WordPress is complicit in what is going on here. Back in September of last year we contacted the central WordCamp organization to let them know about the issues with SiteLock and ask for a comment on the situation, or a more general comment on any restrictions on who can be a sponsor. We never got any response from them, though it was pretty clear they saw the message. So it seems they can’t actually justify what is going on, but are still willing to take money SiteLock has gotten through less than above-board business activity. We later left a comment on a blog post about SiteLock on the WordCamp US website; shortly afterwards the comments left on that post were removed and commenting was disabled, so there does seem to be an effort to hide what is going on.

What could explain some of why they continue to allow SiteLock’s participation is that SiteLock’s owners don’t just sponsor WordCamps under the SiteLock brand, but also through brands of the web hosting company Endurance International Group, which they run. For example, at WordCamp Europe they were a higher-level sponsor through the EIG brands Bluehost and MOJO Marketplace (MOJO Marketplace also doesn’t seem to be too concerned about security):

Joomla 3.7 is Not Hack-Proof

When it comes to bad information on the security of websites, far too often that information is coming from companies offering security services. A recent example we came across while dealing with a hacked website involved a Joomla-focused web development company that, in marketing their service for upgrading or migrating to Joomla 3.7, claimed that Joomla 3.7 is “hack-proof”:

That certainly isn’t a claim made by Joomla (nor would you expect it to be a claim ever made by someone trying to be taken seriously).

Already a “high” priority SQL injection vulnerability has been fixed since 3.7.0 was released, one considered serious enough for Joomla to pre-announce that a security update was coming.

The same company offers to clean up hacked Joomla websites, so they should know better than to make that sort of claim, and in fact they seem to understand that vulnerabilities continue to be found in Joomla, based on part of how they advertise that service:

We will identify possible loop hole in security and install required updates and patches. Because of consent Joomla and component upgrades, this is a critical step to prevent hacking.

In describing their service there was also this troubling claim:

As soon as we are engaged to fix your hacking issues or to prevent your website from hacking, we will do a thorough analysis and prepare an action plan to recover your website at the earliest. Mostly a Joomla upgrade should fix it, but it depends on the kind of website and problem you have.

We deal with lots of hacked Joomla websites, and upgrading would not normally fix them. Perpetuating that idea is decidedly not helpful, as if our experience is any indication, people with hacked websites will often come to that conclusion and then hire someone to upgrade the website without mentioning that they are doing so to clean up a hack. Trying to upgrade a hacked website could actually make the situation worse: the hack might cause the upgrade to go wrong, and the upgrade could erase important evidence (such as modified core files and their timestamps) needed to determine how the website was hacked, which may be needed to prevent it from being hacked again.

SiteLock Uses Harmless Activity on Website as a Reason to Try to Sell Unneeded Malware Removal to One of Their Customers

When you have a malware-infected or otherwise hacked website it can make a lot of sense to hire someone with expertise in handling cleanups to do that for you. Beyond having the knowledge to quickly resolve the issue, where we have seen the value of that for our clients is that they often can use help understanding what is going on. Often they are concerned about things they don’t need to be, and we can easily clear that up for them.

Unfortunately, far too often they are concerned about things due to misleading or outright false information put out by other security companies. That leads to the big problem when it comes to trying to hire an individual or a company for any type of security service: many of them really don’t know and/or care much about security. On top of that, there doesn’t appear to be a good way to find one for which that isn’t true, since these companies don’t seem to have a problem with lying and reviews of them come from customers who often are unlikely to have a good sense of the quality of the service they have gotten, since they don’t have the expertise needed to determine that (we have had people say another company did a good job even after they hired us to redo work that wasn’t done right by that company).

We recently had someone come to us who believed their website had a recurrence of a malware issue and was looking for an alternative to the company they were already paying to secure their website, SiteLock, to deal with it. That was in part because SiteLock had not detected the issue they had noticed.

The first thing we always do when someone comes to us about dealing with a malware-infected or otherwise hacked website is to determine that it is in fact hacked. In this situation the belief that the website was infected with malware was based on some things the website’s owner had seen in the log of HTTP activity. In reviewing those we found that they were harmless. There were several requests for spammy URLs, but the status code of the responses was 404, which indicates that no page with that URL existed; requests for spam pages are only a concern when the website actually answers them with content. The other concerns related to requests coming from a Russian search engine’s crawler and requests coming from the file that handles cron jobs for WordPress (wp-cron.php), both of which are normal. Other checks showed no current issue with the website.
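The distinction that mattered in this review, a spam URL that gets a 404 versus one the site actually serves, is easy to encode. The following is an added example, not SiteLock's scanner or anyone else's tool: it parses combined-format access log lines and sorts them into expected activity (wp-cron.php, known crawlers), harmless probes (404s), and entries that do warrant a look (spam-keyword URLs answered with content, PHP executed out of the uploads directory). The log lines are constructed using TEST-NET addresses, and the spam keyword and crawler lists are illustrative assumptions, not a complete ruleset.

```python
"""Triage the kind of HTTP log entries that worried the website's owner:
requests for spam URLs, a search engine crawler and wp-cron.php hits.

Added example, not SiteLock's or anyone else's scanner. The log lines are
constructed (TEST-NET addresses) in Apache/nginx combined format; the
spam keyword and crawler lists are illustrative assumptions."""
import re

SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2017:10:01:02 +0000] "GET /buy-cheap-pills.html HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2017:10:01:03 +0000] "GET /wp-content/uploads/cheap-viagra.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2017:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
127.0.0.1 - - [20/Jun/2017:10:03:00 +0000] "POST /wp-cron.php?doing_wp_cron=1497953000.1 HTTP/1.1" 200 0 "-" "WordPress/4.8; https://example.com"
192.0.2.9 - - [20/Jun/2017:10:04:00 +0000] "GET /casino-bonus-codes/ HTTP/1.1" 200 43210 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jun/2017:10:05:00 +0000] "POST /wp-content/uploads/2017/06/wso.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SPAM_WORDS = ("viagra", "cialis", "casino", "pills", "payday", "replica")
CRAWLER_UA = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot")


def classify(entry):
    """Return (verdict, reason) for one parsed entry. Verdicts:
    'expected', 'harmless', 'investigate', 'normal'."""
    path = entry["path"].lower()
    bare = path.split("?", 1)[0]
    status = int(entry["status"])
    ua = entry["ua"].lower()
    spammy = any(word in path for word in SPAM_WORDS)
    if bare == "/wp-cron.php":
        return "expected", "WordPress cron trigger"
    if status < 400 and spammy:
        # The site answered a spam URL with content: that is what an SEO
        # spam hack looks like, unlike a 404 for the same URL.
        return "investigate", "spam-keyword URL answered successfully"
    if (status < 400 and entry["method"] == "POST"
            and bare.startswith("/wp-content/uploads/") and bare.endswith(".php")):
        return "investigate", "PHP executed from the uploads directory"
    if any(bot in ua for bot in CRAWLER_UA):
        # A User-Agent is trivially spoofed; confirm with reverse DNS of the
        # source address if it matters.
        return "expected", "search engine crawler"
    if status == 404:
        return "harmless", ("request for a page that does not exist"
                            + (" (spam keyword)" if spammy else ""))
    return "normal", ""


def triage(lines):
    """Parse and classify each line; unparseable lines are reported, not dropped."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            results.append(("unparsed", line[:60], ""))
            continue
        e = m.groupdict()
        verdict, reason = classify(e)
        results.append((verdict, f"{e['ip']} {e['method']} {e['path']} -> {e['status']}", reason))
    return results


def needs_attention(lines):
    return [r for r in triage(lines) if r[0] == "investigate"]


if __name__ == "__main__":
    for verdict, what, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:<11} {what}  {reason}")
```

Run against the real access log (`triage(open("access.log").read().splitlines())`), the two constructed "investigate" entries are the kind of thing that would actually justify a cleanup; the 404 probes and the crawler that worried this owner fall out as harmless, which is the conclusion we reached by hand.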

SiteLock had given them a very different response when they brought up what they had seen in the log. SiteLock didn’t address the specifics that were raised and seemed to just assume that the website was infected. They implied that the infection coincided with the SiteLock web application firewall (WAF) service in use being downgraded from the “Enterprise level” to the “Premium level” (contrary to SiteLock’s marketing, that service is actually provided by another company). To resolve the issue they suggested upgrading the WAF back to the “Enterprise level” and having their “Expert Services” clean it up.

If all that were true, it would seem reasonable to ask why they offer a “Premium level” WAF that permitted the website to get infected. You might also ask why you should pay more to clean up a website when the service you are already paying for to protect it didn’t actually accomplish that.

While it is possible that SiteLock’s assumption that the website was infected, and their recommendation that more money be spent with them, was based on them not understanding that you should determine that a website is hacked before trying to clean it up, everything we have seen points to something else: from everything we have heard and seen, when you get in touch with SiteLock you are usually going to interact with a commissioned salesperson. It wouldn’t be surprising that a person who is not technical and gets paid if they can sell you something would, instead of determining that there wasn’t any issue, try to sell this person an additional service and a more expensive version of an existing service. It also would be in line with what we have heard in numerous other instances when SiteLock failed to provide protection: the answer was to move to a more expensive service.