{"id":3240,"date":"2017-01-18T10:37:33","date_gmt":"2017-01-18T17:37:33","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3240"},"modified":"2017-07-11T10:38:05","modified_gmt":"2017-07-11T16:38:05","slug":"no-wewatchyourwebsite-that-is-not-hackers-looking-for-infected-websites","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/18\/no-wewatchyourwebsite-that-is-not-hackers-looking-for-infected-websites\/","title":{"rendered":"No WeWatchYourWebsite, That Is Not Hackers Looking For Infected Websites"},"content":{"rendered":"<p>We are often brought in to <a href=\"https:\/\/www.whitefirdesign.com\/services\/website-malware-removal.html\">re-clean malware infected websites<\/a> after another company has done a clean up and the website gets infected again (or was never actually fully cleaned). The website getting infected again isn&#8217;t always the fault of the company doing the clean up; for example, we sometimes have clients that don&#8217;t take steps on their end that we told them they needed to take (we take any steps that we can during our work), which leads to the website being infected again. But when someone comes to us and mentions a previous clean up has been done, we always ask if the previous cleaner determined how the website was infected (seeing as, if that isn&#8217;t found and fixed, the website could still be vulnerable). In almost every instance the response has been that determining how the website got infected never even came up, much less was attempted.<\/p>\n<p>Avoiding companies that don&#8217;t mention that they determine how the website was infected as part of a cleanup would help you avoid some situations that would lead to you having to hire multiple companies to clean up the website. That has a major limitation though, as we have found many security companies are much better at sounding like they know what they are doing than actually doing it. 
Only someone who actually knows what they are doing is likely to be able to spot that a company is not telling the truth, which isn&#8217;t likely when someone is hiring a company to do this work for them.<\/p>\n<p>To give an example of this, let&#8217;s take a look at something we recently ran across with a company named WeWatchYourWebsite. They promote that they do what they call &#8220;Root Cause Analysis&#8221;:<\/p>\n<blockquote><p>If your website has ever been infected, you want to know \u201chow\u201d it happened. This sets our service alone at the top. We provide you with real proof of how your site was infected. Was it a faulty plugin? Outdated software?<\/p>\n<p>We\u2019ve invested the time required to create a system that will determine how your site was infected \u2013 and then we inform you. This along with steps you need to take to help us \u2013 help you keep your website safe and secure.<\/p><\/blockquote>\n<p>That would be impressive if true, but it isn&#8217;t. Not only do we determine how the website was infected, so they are not &#8220;alone at the top&#8221;, but we actually get that issue fixed. We also make sure the website is secured by updating the software (even if that isn&#8217;t the cause), because that is one of the three basic steps of a proper cleanup. By comparison, WeWatchYourWebsite doesn&#8217;t do that, instead trying to detect attacks and block them, which really isn&#8217;t a good idea, and they don&#8217;t provide any independent third-party evidence that it is actually effective at that. Our experience with other products making similar claims is that they provide limited to no protection.<\/p>\n<p>The other thing that makes this sound less impressive is that they tout that their malware removal is &#8220;automated&#8221;. Cleaning up the malware and other malicious code often provides valuable information on the source of the infection. 
Having something fully automated is not conducive to doing that. In our experience this often also leads to poor results for the cleanup.<\/p>\n<p>One way to determine if a security company actually has the abilities they claim is to look at their blog posts, since we often find those expose a lack of knowledge that can be covered up in vague marketing material. In the case of WeWatchYourWebsite, one of their recent posts shows a basic lack of understanding of how hackers operate and of what the log files of activity on a website, which are often the key piece of evidence for definitively determining the source of a hack, actually show.<\/p>\n<p>In a <a href=\"http:\/\/wewatchyourwebsite.com\/hackers-looking-for-infected-wordpress-websites\/\">post<\/a> from December 29, they claimed to provide an example of a hacker looking for infected WordPress websites. While hackers do sometimes re-check websites they have infected to make sure that is still true, and hackers do try to exploit malicious code that might have been placed there by another hacker, what is shown in the post is not that. Let&#8217;s take you through it:<\/p>\n<blockquote><p>Investigating some interesting entries in log files from our customers, we see that hackers apparently are still looking for infected\u00a0WordPress websites.<\/p>\n<p>First we see this:<\/p>\n<p>(IP address blanked to protect the infected)\u00a0\u2013 \u2013 [28\/Dec\/2016:20:44:14 -0500] \u201cGET \/ HTTP\/1.1\u201d 200 <span class=\"qodef-highlight\">72904<\/span> \u201c-\u201d \u201cMozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.31 (KHTML, like Gecko) Chrome\/26.0.1410.63 Safari\/537.31\u201d<\/p>\n<p>The big tipoff here is the size of the GET request: 72904.<\/p><\/blockquote>\n<p>That first request is just a request for the homepage. From the outside we can&#8217;t see what the purpose of that would be. 
It could be used to see how a URL that actually exists responds on the website, it could be used as a comparison after making some change to the website later on, it could be used to determine that the website is running WordPress and where it is located on the website, or something else entirely.<\/p>\n<p>We are not sure what it is supposed to mean that the size of the request is a &#8220;big tipoff&#8221;, since that is just the size of the homepage served to the requester. It is possible that WeWatchYourWebsite falsely believes that is the size of the request sent to the website, not the size of what was sent back.<\/p>\n<blockquote><p>And then this:<\/p>\n<p>(IP address blanked to protect the infected) \u2013 \u2013 [28\/Dec\/2016:20:44:16 -0500] \u201c <span class=\"qodef-highlight\">POST \/\/\/wp-admin\/admin-post.php?page=wysija_campaigns&amp;action=themes HTTP\/1.1<\/span>\u201d 403 \u2013 \u201c-\u201d \u201cMozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.31 (KHTML, like Gecko) Chrome\/26.0.1410.63 Safari\/537.31\u201d<\/p>\n<p>We captured the GET request and after comparing it to the attacks on the old, vulnerable version of that WordPress plugin we see that the hackers were doing some open reconnaissance on WordPress sites. We say \u201copen\u201d because this site never had the MailPoet plugin installed.<\/p><\/blockquote>\n<p>The second request is not &#8220;open reconnaissance&#8221;; that is the hacker trying to exploit a vulnerability that had existed in older versions of MailPoet.<\/p>\n<blockquote>\n<div>(IP address blanked to protect the infected) \u2013 \u2013 [28\/Dec\/2016:20:44:19 -0500] \u201cGET \/\/xGSx.php HTTP\/1.1\u201d 404 45488 \u201c-\u201d \u201cMozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.31 (KHTML, like Gecko) Chrome\/26.0.1410.63 Safari\/537.31\u201d<\/div>\n<blockquote>\n<div>The above is them testing to see if their attack worked. 
It didn\u2019t.<\/div>\n<\/blockquote>\n<\/blockquote>\n<div>Here they seem to understand that isn&#8217;t reconnaissance, since they are referring to one of the previous requests as an attack.<\/div>\n<blockquote>\n<div>All of this is just to show that even though you think a previously infected\u00a0WordPress website may have been cleaned up from any previous malware, the hackers will always be looking just to be sure you have.<\/div>\n<\/blockquote>\n<div>Hackers do sometimes check if the malware or other malicious code they have placed on a website is still there, but what was shown here was someone trying to exploit a vulnerability on the website. Considering that WeWatchYourWebsite stated that this plugin was never installed, it really is odd that they came to the conclusion that the hacker was re-checking things.<\/div>\n<div>The last line might explain what is really going on here:<\/div>\n<blockquote>\n<div>You may want to read about our methods of malware detection:\u00a0http:\/\/wewatchyourwebsite.com\/our-methods-for-finding-and-removing-website-malware\/<\/div>\n<\/blockquote>\n<div>It looks like the post was really about promoting their service, but it ends up being a warning that this company doesn&#8217;t know what they are talking about.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>We are often brought in to re-cleanup malware infected websites after another company has done a clean up and the website gets infected\u00a0again (or was never actually fully cleaned). 
\u00a0The website getting infected again\u00a0isn&#8217;t always the fault of the company doing the clean up, for example we sometimes have clients that don&#8217;t take steps on &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/01\/18\/no-wewatchyourwebsite-that-is-not-hackers-looking-for-infected-websites\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;No WeWatchYourWebsite, That Is Not Hackers Looking For Infected Websites&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[108],"class_list":["post-3240","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-wewatchyourwebsite"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3240"}],"version-history":[{"count":5,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3240\/revisions"}],"predecessor-version":[{"id":3615,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3240\/revisions\/3615"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3240"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}