

Wordpress: hacked by Typical Idiot Security

Anybody here has experience with following problem:

The file readme.html with text hacked by Typical Idiot Security appeared in several /public_html/ folders. Quite a few WP folders, but also in /cgi-bin/ and /.well_known/ and some that have no function.

I wonder what that is about. Obviously some hacker can place files on my shared cPanels host as they please.

Any suggestion? And how can I prevent that?


Comments

  • Look for better host which provides basic security for such kind of attacks.

    Thanked by 1zeolum
    dergelbe Member
    edited December 2019

    @verjin said:
    Look for better host which provides basic security for such kind of attacks.

    I am not sure how much of the issue is me and how much the host. I wonder if cPanel is part of the problem. It's not the first time I have issues on that host, but doesn't mean necessarily that they are to blame.

    Thanked by 1verjin
    jsg Member, Resident Benchmarker

    @dergelbe

    I just did a find readme.html on my Wordpress box and there is only 1 in the WP root (which is normal).

    What you describe is almost certainly not related to WP. My first suspicion would be http and ftp server software.

  • It's very easy to use a compromised WordPress plugin to upload a shell script and use it to annoy you.

    Reset account, and restore from an old backup, change all passwords.

    Thanked by 2kkrajk coreflux
    jsg Member, Resident Benchmarker

    @somik said:
    It's very easy to use a compromised WordPress plugin to upload a shell script and use it to annoy you.

    Reset account, and restore from an old backup, change all passwords.

    From what I know WP cannot go below the directory below its root and I doubt that plugins can do that - unless of course the provider has done an extremely poor job.

  • Besides that readme.html, which is partly outside WP, I have a few wp-protect.php inside WP. WP has no such file; it has some Base64 payload. When I D/L the php Windows Defender gives me a Trojan:Win32/Masson.A!ml warning and deletes the file.

  • jarjar Patron Provider, Top Host, Veteran

    You have a PHP script that can be exploited to create or modify files. It's almost always a plugin or theme that has a vulnerability in its code.

    This is so common it's happened to 15,000 people since I started writing this comment.

  • jarjar Patron Provider, Top Host, Veteran

    @jsg said:

    @somik said:
    It's very easy to use a compromised WordPress plugin to upload a shell script and use it to annoy you.

    Reset account, and restore from an old backup, change all passwords.

    From what I know WP cannot go below the directory below its root and I doubt that plugins can do that - unless of course the provider has done an extremely poor job.

    Sure it can. Think suPHP and the script is running as the user. The user owns the directories, the scripts are executed by the user.

  • Was Wordpress and all your plugins up to date? Don't bother trying to just remove the infected files, reinstall your wordpress (be very selective with plugins) and use a database from an older backup if it's a mostly static site.

    An even better solution would be to reinstall with a new database, and import your old posts.

  • @jar said:

    @jsg said:

    @somik said:
    It's very easy to use a compromised WordPress plugin to upload a shell script and use it to annoy you.

    Reset account, and restore from an old backup, change all passwords.

    From what I know WP cannot go below the directory below its root and I doubt that plugins can do that - unless of course the provider has done an extremely poor job.

    Sure it can. Think suPHP and the script is running as the user. The user owns the directories, the scripts are executed by the user.

    The entire folder /home/username/ is readable and writable by any PHP script running from /home/username/public_html/ or any folder below it. So it is possible to create a simple PHP script that creates those .html files in all folders, including those outside your wordpress directory.

  • Install Wordfence plugin and start a full scan. Then reinstall and update your plugins and themes.

    Delete what you are not using.

  • I have neither of those plugins. I do keep my sites reasonably up to date too. I should probably set all to auto-update.

    In the meantime all IPs that hit certain files, such as wp-login.php get banned instantly. I will have to do a bit more research into WP hardening.

    Thanked by 1timelapse
    bikegremlin Member
    edited December 2019

    @dergelbe said:

    I have neither of those plugins. I do keep my sites reasonably up to date too. I should probably set all to auto-update.

    In the meantime all IPs that hit certain files, such as wp-login.php get banned instantly. I will have to do a bit more research into WP hardening.

    My 2c on the topic (not an expert, but sharing what I know and what has worked for me so far):
    https://io.bikegremlin.com/8963/wordpress-security/

    I've also started making a series of posts on making a WordPress site - from start to finish. What I set up, how I secure it etc. So far, only email and domain registration (with nameserver setup) is covered, but it will grow:

    https://io.bikegremlin.com/tag/how_to_make_wp_website/

    Thanked by 1timelapse
    bountysite Member
    edited December 2019

    How did you find out that the files were modified?

    Check out BountySite. It's a platform built from scratch to handle such website security incidents, irrespective of your hosting provider.

    how? what? why? duh?
    Alright... here is the deal

    • BountySite makes an offsite backup of your website, using credentials provided by you
    • Backup is stored in git repository, so you have unlimited restore points without exponential increase in storage.
    • Security scans run on the backup files to detect malware (it is something like an offsite Wordfence) and notify you of changes. You are the best security administrator for your website
    • File Change notification lets you know that some files have been modified. This works at file/table(MySQL) level
    • You can investigate the malware on your own[BountySite is the only platform that is capable of doing this].
    • I also release target patch for known vulnerabilities, which can protect the site from getting infected
    • In most cases, all you need is a restore, app/plugin update, password reset and backdoor cron check, and you are good
      If the above is not enough, presenting you with a platform for Bounty Hunting 0day vulnerability in open source web apps - BountySite.
      The only Bounty Hunting platform for Hosting.
  • @bountysite said:
    How did you find out that the files were modified?

    They had phishing links to Microsoft. So whoever handles the security for MS informed my host, which, because I wasn't around, shut down that domain. That isn't ideal, but that site ain't very active anyway. It was updated 2 or 3 weeks ago, so it was pretty fresh.

    FHR Member, Host Rep

    Check ctime/mtime of the malicious files and correlate that to the web server log entries around that time.
    After you learn how the infection got in, nuke the site and reinstall from scratch.

    Thanked by 1bikegremlin
  • @dergelbe said:

    They had phishing links to Microsoft. So whoever handles the security for MS informed my host, which, because I wasn't around, shut down that domain. That isn't ideal, but that site ain't very active anyway. It was updated 2 or 3 weeks ago, so it was pretty fresh.

    Ok! I am guessing you don't know what files have been modified with malware.

    BountySite was built exactly to provide you with this information. When a file is modified within your website, a mail notification is shot. Site owner can then log in and investigate file changes and detect the malware code.

    Once, I get a provider tag I will post freebies that you can use to protect(truly, add a layer of security) your website.

  • Install Wordfence, scan, then continue with your day. It will compare your WordPress installation files with the originals, scan for files that are not supposed to be there, and scan any file that contains a payload. If, after scanning and cleaning, your site still gets infected, it means your plugin / theme is compromised. Change them. Or it's possible that another site with the same user / permissions got infected and spread to yours.

    FlamesRunner Member
    edited December 2019

    @bountysite

    I don't know about you, but I certainly wouldn't hand over my credentials to a company that started in October, especially given your "glowing anonymous reviews" that do little to improve your reputation.

    Certainly, before you go "giving away" your product, I suggest you demonstrate that it is actually effective, and that you handle credentials/private information properly.

  • Thank you @FlamesRunner for putting forth your concerns. Very reasonable!

    My Company WidEva Systems Pvt Ltd has been incorporated since March 2015. It's a long story.
    I have over 17 years of tech experience. I have worked for large hosting companies. I am OSCP certified, meaning that I am far more paranoid than you.

    I have been building BountySite platform from scratch since Oct 2016. BountySite is a totally new approach to website security.

    I am a Solopreneur.

    Can BountySite guarantee 100% website security? There is no such tool on this planet that can guarantee. This is the bitter truth.
    BountySite gives site owner adequate information of what has happened in a site infection, to start with.

    The overall idea is simple, on every single investigation I can find the root cause and introduce security patch(looking at php) to prevent other sites on my platform from the same attack.
    And also, if my malware scanner did not detect the new malware, I can add the signature to my db(yara, md5, sha256, fuzzyhash).

    My current reviews are from demo. I can share the demo account and you can see it for yourself. Just drop a mail to sales at bountysite.com. I would be more than happy to do a video call and show you demo of all the features. I will not send any automated promotional messages.

    Now addressing your security concerns:-

    • I use web2py, which gives several layers of security by default
    • Frontend and storage are separate layers, meaning storage servers can be placed anywhere in the internet. Frontend talks to Storage servers over SSL REST API.
    • Storage servers store the FTP credentials with industry standard AES 256 bit encryption. So, let's say in an unprecedented case the frontend was compromised, the storage servers are still away and safe. User passwords are stored as 20 byte long hashes (iterations of the pbkdf2 algorithm with SHA512), by web2py. Passwords are enforced to be at least 10 characters long with at least 1 upper case, 1 special and 1 number.
      So, likely case of cracking passwords is through already hacked/pwned databases.

    • All the downloaded website data is stored with AES 256 bit encryption. Meaning, if someone pulls off the hard drive, they won't be able to see data. This applies for all plans.
      Free plans come with no storage redundancy. You can sync your backup archive (full git) data to your own S3/B2 cloud storage for reliability.
      Paid plans can have redundant storage drives with n copies of data redundancy to different storage server or to S3 managed by us/hosting-provider, depending on budget.

    • Note that storage server can be commodity(JBOD) hardware or cloud block storage. Also, it gives an option to add compliance say PCI, without changing things fundamentally. Also, this allows me to cater to different kinds of customers.
      I can partner with Hosting providers who can spin their own storage server and can also resell this service with good profit margins. The data remains within Hosting provider infrastructure, which helps for likes of EU data compliance.
      Also, with storage servers near hosting server, backups/restores are very fast(<1min for incremental).

    • There are tonnes of features that I have built into BountySite. For example, if an unauthorized hacker is able to login with stolen credentials, he/she won't be able to delete the backup data. Besides, user can set ACL for added login security like TOTP over mail, IP acl, country ACL. 2FA still needs some work.
      As on date, the git revision has all revisions/snapshots since first backup. Site owner can restore to any point back in time.

    • Having said all this, I would just say that BountySite platform is far more secure than your hosting environment. Security is all about layers of security. I have ensured several layers of security than most big organizations, and am constantly thinking/adding.

    The most important fact is that it has no impact on the hosting server. All the security scanning and other features take place on the storage server and incremental backups are added to the git repository.

    So, all sites on a single server can be backed up and given an extra solid layer of security.

    I seek your support, with BountySite. I can help you solve your security woes.

  • @bountysite

    Appreciate your response. To be fair, my systems don't run WordPress (which axes out a lot of security vulnerabilities in itself!), and I've already taken reasonable measures to prevent a catastrophic loss of data (i.e. daily backups to multiple off-site servers).

    You have addressed this partially, but I have a few more questions about your handling of FTP credentials. If someone were to compromise your backup systems, they would effectively have full control over a plethora of sites under your wing -- to me, that is a risk I simply don't feel comfortable with.

    Even if you were to encrypt FTP credentials, at some point you would need to decrypt them to access customer files to take a backup. And, there will always be a moment where files are not yet encrypted on your storage systems. What have you done to protect against this?

    Lastly, I did end up having a look at your product -- I think your mobile interface could use a little work with the less-than-friendly navigation menu, as well as the weird checkout page.

    Although I won't be using your services, I do wish you luck on your ventures. Part of starting a business is handling criticism, and so far I'm satisfied with your answers.

  • edited December 2019

    The absolute worst advice in the world, that I always read on these types of questions, is to wipe and reinstall. You learn nothing from doing that, create a bunch of unnecessary work for yourself, and usually only temporarily fix the problem until it happens again and you will still not know how to fix it properly.

    You learn a lot from tracking this stuff down and surgically removing it. I mean all of it, including the alternate backdoor stuff they sometimes put in to try to get in again if you find their primary access.

    One of the first things you learn by doing this is that hackers are lazy and usually not that clever. Some things that may not be obvious to them as an outsider with malicious intent is obvious to an admin. Like datestamps. If you know approximately when it happened you can do a search for datestamps and maybe figure out what the first file was that was touched.

  • are you installing nulled theme/plugin?

  • @LosPollosHermanos said:
    The absolute worst advice in the world, that I always read on these types of questions, is to wipe and reinstall. You learn nothing from doing that, create a bunch of unnecessary work for yourself, and usually only temporarily fix the problem until it happens again and you will still not know how to fix it properly.

    You learn a lot from tracking this stuff down and surgically removing it. I mean all of it, including the alternate backdoor stuff they sometimes put in to try to get in again if you find their primary access.

    One of the first things you learn by doing this is that hackers are lazy and usually not that clever. Some things that may not be obvious to them as an outsider with malicious intent is obvious to an admin. Like datestamps. If you know approximately when it happened you can do a search for datestamps and maybe figure out what the first file was that was touched.

    +1
    Definitely worth finding out how the problem had started - which is a way towards learning how to prevent it from happening again.

    Though, I'd feel safer doing a clean install from the last good backup after that - just in case I had missed something.
    I'd even argue that finding the problem cause is one task, while disinfecting, instead of using good backup and securing properly is another tedious task.

    As for @bountysite, they were kind enough to offer beta testing some months ago.
    My only real "objection" is the price. I don't think my use would warrant it.

    For other aspects - people who know as little as I do (or less) will most probably only benefit from something like Bountysite, as an out of the box security and automated backup solution.

    I'd be delighted to read a performance and security audit done by someone who actually knows what they are doing. :) But I can't dismiss Bountysite based on what I've seen so far.

    Security is a game of cat and mouse and no system in the world is 100% secure (100% secure system is a useless system, by definition). It boils down to making any breach difficult enough, compared to the "attractiveness" of the prize for the hackers and/or value of what is protected for the owners. And, best case scenario, at least being able to figure out when you've been hacked - think that is as good as it gets, unfortunately.

  • edited December 2019

    Clean installing is not a solution. That is just being lazy imo.

    Web stuff on Linux/PHP is not like trying to get rid of malware on Windows which has millions of places to hide stuff that you cannot easily search for. It's entirely doable to surgically get rid of it entirely on Linux/PHP and you will learn a lot doing it.

    Most of the whitehat stuff I learned I don't share because I don't want the script kiddies to know how I do it. The datestamp trick is one of those things I learned. Yes of course it is not some big secret. Some hackers and script kiddie scripts do stuff to try to hide that but the vast majority do not. They are also relying on you being lazy just like them. When you are forced to wipe clean and re-install they basically win imo.

  • @bikegremlin

    100% security on a whim. To be fair, it's not useless -- it's still nice to look at :)


    Posted this on HostBalls a while back, but I figured I'd post it here too.

    jsg Member, Resident Benchmarker

    @bikegremlin said:
    I'd be delighted to read a performance and security audit done by someone who actually knows what they are doing. :) But I can't dismiss Bountysite based on what I've seen so far.

    I was willing to have a closer look. But what I found was largely marketing and what a "security enthusiast" who likes web2py has created.

    Remarks:
    web2py has over 900 issues, about one third of which are open, incl. one opened by "Danny" (the bountysite guy).
    That issue is the only activity by him on github in years. No code, no nothing, just this issue.
    I'm under the impression that Danny really likes to look at security issues and that bountysite is basically the result of him wondering "how to get at the code and data of many, many websites and earn money along the way too?".
    One isn't a security guy because one has this or that sticker (e.g. OSCP) but due to concrete and real experience. @joepie91 for example is a credible security guy (and I would be very astonished if he even thought about creating something like bountysite).

    I wish Danny good luck with bountysite, honestly, but after looking at his website I'm not at all interested in looking at his solution anymore and I would certainly not hand out my sites access data to some guy in Chennai, India who didn't convince me at all. And btw, no I do not think that Python is inherently much more secure than PHP. Sorry.

    Thanked by 1poisson
  • @LosPollosHermanos said:
    The absolute worst advice in the world, that I always read on these types of questions, is to wipe and reinstall. You learn nothing from doing that, create a bunch of unnecessary work for yourself, and usually only temporarily fix the problem until it happens again and you will still not know how to fix it properly.

    **You learn a lot from tracking this stuff down and surgically removing it. I mean all of it**, including the alternate backdoor stuff they sometimes put in to try to get in again if you find their primary access.

    One of the first things you learn by doing this is that hackers are lazy and usually not that clever. Some things that may not be obvious to them as an outsider with malicious intent is obvious to an admin. Like datestamps. If you know approximately when it happened you can do a search for datestamps and maybe figure out what the first file was that was touched.

    To clarify, "wipe and reinstall" should always be part of the solution, just AFTER finding out how it got in. Trying to and thinking you have successfully removed an infection is... dumb and prone to missing something. It's trivial to make an obvious infection to make the user think they found the problem while the hacker just hid something else in there. They just need to cover their tracks a bit, which decent bad actors have been doing for decades.

    So,
    1. Find out how it got in
    2. Wipe
    3. Reinstall
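A triage routine in the spirit of FHR's advice above (check the files' mtime, then read the web-server log around that time) and of the datestamp search LosPollosHermanos and poisson describe, as an added example that is not code from any poster: it walks a web root for files changed in a window, flags PHP carrying obfuscation primitives like the base64 payload dergelbe found in wp-protect.php, and lists the requests logged around each change. The sample file tree, the log lines, the IPs and the EXAMPLE-plugin path are constructed here, and the obfuscation regex is a heuristic, not a malware signature.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Apache/cPanel "combined" access-log line; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Obfuscation primitives common in dropped PHP backdoors (a heuristic, not proof).
SUSPICIOUS = re.compile(rb'\b(base64_decode|eval|gzinflate|str_rot13)\s*\(')

# Constructed sample log (not from the page); the plugin path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2019:02:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2310',
    '198.51.100.9 - - [10/Dec/2019:03:15:30 +0000] "POST /wp-content/plugins/EXAMPLE-plugin/upload.php HTTP/1.1" 200 52',
    '198.51.100.9 - - [10/Dec/2019:03:15:34 +0000] "GET /wp-content/wp-protect.php HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Dec/2019:05:00:00 +0000] "GET / HTTP/1.1" 200 9021',
]

def parse_log(lines):
    """Return [(timestamp, ip, request, status)] for lines that match LOG_RE."""
    ms = [LOG_RE.match(line) for line in lines]
    return [(datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['ip'], m['req'], int(m['status'])) for m in ms if m]

def changed_between(root, start, end):
    """Files under root whose mtime lies in [start, end], oldest first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                hits.append((mtime, path))
    return sorted(hits)

def looks_obfuscated(path):
    with open(path, 'rb') as f:
        return bool(SUSPICIOUS.search(f.read()))

def requests_near(records, when, window=timedelta(minutes=2)):
    """Log records within +/- window of a file change; POSTs here are the first thing to read."""
    return [r for r in records if abs(r[0] - when) <= window]

def triage(root, log_lines, start, end):
    """For each file changed in the window: (relative path, obfuscated?, nearby requests)."""
    records = parse_log(log_lines)
    report = []
    for mtime, path in changed_between(root, start, end):
        rel = os.path.relpath(path, root).replace(os.sep, '/')
        report.append((rel, looks_obfuscated(path), requests_near(records, mtime)))
    return report

def build_sample_site():
    """Constructed tree in a temp dir: a month-old index.php, then a dropped wp-protect.php and readme.html files (one outside WP), mtimes set around 03:15 UTC."""
    root, t0 = tempfile.mkdtemp(), datetime(2019, 12, 10, 3, 15, tzinfo=timezone.utc)
    files = {
        'public_html/index.php': (b"<?php require 'wp-blog-header.php';", t0 - timedelta(days=30)),
        'public_html/wp-content/wp-protect.php': (b'<?php eval(base64_decode("cGxhY2Vob2xkZXI="));', t0 + timedelta(seconds=35)),
        'public_html/readme.html': (b'hacked by Typical Idiot Security', t0 + timedelta(seconds=40)),
        'cgi-bin/readme.html': (b'hacked by Typical Idiot Security', t0 + timedelta(seconds=41)),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(body)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return root, t0

def run_demo():
    root, t0 = build_sample_site()
    return triage(root, SAMPLE_LOG, t0 - timedelta(minutes=5), t0 + timedelta(minutes=5))
```

run_demo() returns the report; on the sample it lists the three dropped files (the unchanged index.php is excluded), flags only wp-protect.php, and attaches to each the two requests from 198.51.100.9 logged seconds before the files appeared.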
