Category: Security

  • Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    We were contacted by the owner of a WordPress website that had been hacked. The entire website content had been deleted: articles, pictures, plugins and themes were gone, and visiting the website displayed a blank page. What was left in the «wp-content» folder was a single «uploads» folder, new files in the root directory, and many custom «.htaccess» files in other folders.

    Measures taken before restoring the website. To prevent the attacker from reconnecting, all passwords were changed, including the database ones, HTTP authentication was enabled, and installing files and themes was allowed only over FTP.

    What Has Been Done to Find Out the Source of the Hack

    The main task was to find out how the attacker had managed to gain access to the website and delete all of its content.

    The first step was to preserve the entire file system as it was, copying the files without re-creating them so that their timestamps survived (this is important for identifying the creation time of the malicious files). In addition:

    • saving the nginx «access.log» for the date of the detected hack
    • saving the nginx «error.log» for the date of the detected hack
    • saving the server «syslog» for the date of the detected hack

    Input data:

    • logs: «access.log» (200 MB) and «error.log» (47 MB)
    • website files

    A local Splunk instance was chosen for the log analysis, with the files «access.log» and «error.log» as the data sources.

    To determine when the website was infected, the creation times of the suspicious files in the website folder were taken as the reference point.

    The next step was to select the log lines within that time window that received server response 200, excluding requests to «admin-ajax» and «wp-cron».

    This revealed the attacker's IP address, which received a 200 response to its POST request to this address: /wp-content/themes/seotheme/db.php?

    Next, we analyzed every line of activity from this IP address within the same time window. From this data we can see that someone created the folder /wp-content/themes/seotheme
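    The log triage just described (restrict to the time window, keep status 200, drop admin-ajax and wp-cron traffic, group POST requests by client IP, then pull every line for the suspect IP) can be reproduced without Splunk. The Python script below is an added example written for this page, not CleanTalk's tooling: the nginx log lines in it are constructed, use documentation IP ranges, and only imitate the shape of the incident described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx "combined" log lines for the demonstration; they are not
# lines from the incident above, and the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2023:10:01:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2023:10:02:11 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.1"
192.0.2.55 - - [12/Mar/2023:10:03:40 +0000] "POST /wp-content/themes/seotheme/db.php?u HTTP/1.1" 200 12 "-" "python-requests/2.28"
192.0.2.55 - - [12/Mar/2023:10:03:52 +0000] "POST /wp-content/themes/seotheme/db.php?u HTTP/1.1" 200 12 "-" "python-requests/2.28"
192.0.2.55 - - [12/Mar/2023:10:04:15 +0000] "GET /wp-content/uploads/.htaccess HTTP/1.1" 403 153 "-" "python-requests/2.28"
203.0.113.10 - - [12/Mar/2023:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2023:12:30:00 +0000] "POST /wp-content/themes/seotheme/db.php?u HTTP/1.1" 200 12 "-" "python-requests/2.28"
"""

# One nginx "combined" line: ip ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress background traffic that is excluded from the search, as in the write-up.
NOISE = ("/wp-admin/admin-ajax.php", "/wp-cron.php")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _records_in_window(log_text, start_iso, end_iso):
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    for rec in map(parse_line, log_text.splitlines()):
        if rec is not None and start <= rec["ts"] <= end:
            yield rec


def suspicious_posts(log_text, start_iso, end_iso):
    """Step 1 of the triage: POST requests answered 200 inside the window, grouped by
    client IP, with admin-ajax and wp-cron traffic removed. Window bounds are ISO 8601
    strings with a UTC offset, e.g. "2023-03-12T10:00:00+00:00"."""
    hits = defaultdict(list)
    for rec in _records_in_window(log_text, start_iso, end_iso):
        if rec["method"] != "POST" or rec["status"] != 200:
            continue
        if rec["path"].split("?", 1)[0] in NOISE:
            continue
        hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def activity_of(log_text, ip, start_iso, end_iso):
    """Step 2 of the triage: every request from one IP inside the window, in log order."""
    return [
        (rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"])
        for rec in _records_in_window(log_text, start_iso, end_iso)
        if rec["ip"] == ip
    ]


if __name__ == "__main__":
    window = ("2023-03-12T10:00:00+00:00", "2023-03-12T11:00:00+00:00")
    for ip, paths in suspicious_posts(SAMPLE_LOG, *window).items():
        print(ip, len(paths), "POST(s) with status 200:", sorted(set(paths)))
    for row in activity_of(SAMPLE_LOG, "192.0.2.55", *window):
        print(*row)
```

    On the constructed sample the first function singles out 192.0.2.55 (its POSTs to a path under a theme folder are the only 200-answered POSTs that are not WordPress noise), and the second function then shows the same client probing an «.htaccess» in «uploads» a few seconds later. On a real 200 MB log, read the file line by line instead of loading it into a string.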

    Furthermore,

    • the attacker at IP address 43.153.77.57 received a 200 response to POST requests sent to /wp-content/themes/seotheme/db.php?u, after which a number of malicious files were created and started being requested;
    • a set of «.htaccess» files was created and modified, aimed specifically at an Apache-type web server, to allow file execution (nginx, which served this site, ignores «.htaccess» files entirely);
    • the file «index.php» was modified: obfuscated malicious code was added;
    • the file «plugins.php» was modified: obfuscated malicious code was added;
    • the file «pluggable.php» was modified: obfuscated malicious code was added;
    • the files contained eval() constructions whose payloads could not be parsed;
    • the origin of the folder /wp-content/themes/seotheme and of the files in it could not be established either, because the malware deleted the traces of its own activity.

    How to prevent future hacks:

    1. continuously monitor the website files for new unknown files in the system;
    2. respond aggressively to status changes of «.htaccess» files if you use an Apache web server;
    3. force all filesystem actions to go through a protected FTP account only; to do this, add the lines below to your wp-config.php (the 'ftpext' method requires the PHP FTP extension on the server):
    define( 'FS_METHOD', 'ftpext' );      // make WordPress perform installs and updates over FTP instead of direct file writes
    define( 'FTP_BASE', '/yoursitepath' ); // absolute path of the WordPress root as seen on the FTP server
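    A minimal implementation of points 1 and 2 above, added here as an illustration and not CleanTalk's own monitor: take a baseline of file hashes, rescan later, and report new, modified and deleted files, rating any «.htaccess» change and any new PHP file as high severity. The directory tree it builds is constructed for the demonstration; a real deployment would keep the baseline outside the web root and run the comparison from cron.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Compare two snapshots and return alerts as (severity, kind, relpath), sorted by path.
    Any .htaccess change and any new PHP file are rated high, everything else medium."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "new"
        elif path not in current:
            kind = "deleted"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        base = os.path.basename(path)
        high = base == ".htaccess" or (kind == "new" and base.endswith(".php"))
        alerts.append(("high" if high else "medium", kind, path))
    return alerts


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed mini WordPress tree, take a baseline, simulate the kinds of
    change seen in the incident above, and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
        _write(root, "wp-content/uploads/photo.jpg", "constructed image bytes")
        baseline = snapshot(root)

        # Simulated compromise: a dropped file, an .htaccess, a modified core file, deleted content.
        _write(root, "wp-content/themes/seotheme/db.php", "<?php // constructed stand-in for a dropped file\n")
        _write(root, "wp-content/uploads/.htaccess", "# constructed stand-in for an attacker-written .htaccess\n")
        _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n// constructed appended line\n")
        os.remove(os.path.join(root, "wp-content/uploads/photo.jpg"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for severity, kind, path in demo():
        print(f"[{severity}] {kind}: {path}")
```

    Hashing content rather than trusting mtime matters here: an attacker who can write files can also reset their timestamps, which is exactly why the write-up above preserved the original file system before anything else.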
  • WordPress DDoS Protection. How to Mitigate DDoS Attacks

    How to Mitigate DDoS Attacks on WordPress

    To mitigate DDoS attacks you can implement several methods.

    The first method is to deny access to your website from a specific IP address at the web server level, by manually adding a rule to the «.htaccess» file.

    The second method is to install the CleanTalk Security plugin for WordPress; its Traffic Control feature, which protects against DoS, is enabled by default.

    CleanTalk Traffic Control counts the requests from each IP address, and if the number of requests exceeds the limit within the configured time period, that IP address is temporarily blocked and cannot access your website at all.

    For instance, if an IP address sends requests to your website at a rate of 1000 requests per hour, that activity will be blocked for 1 hour.

    You can adjust the Traffic Control settings as you find appropriate. To do that, go to your WP Dashboard → Settings → Security by CleanTalk → General Settings → Firewall.

    Time frame to measure page hits – the time period over which the number of requests from each visitor is counted.

    Block a visitor if the count of the opened pages in the time frame more than – the request limit; any IP address that exceeds it within the time frame is blocked.

    Block a visitor if they exceed the limit of opened pages for X minutes – how long a blocked IP address stays blocked.

    Ignore logged-in users – tick this option to exclude all requests from your logged-in users from the count.

    Also, on the tab Firewall, you can see all IP addresses that are visiting your website right now.
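    To make the Traffic Control settings above concrete, here is an added example (this page's own illustration, not the plugin's source) of a per-IP sliding-window counter that takes the three settings as parameters, time frame, hit limit and block duration, plus the logged-in exemption. The traffic in simulate() is constructed, and the default constructor values are the example's own rather than the plugin's defaults.

```python
from collections import defaultdict, deque


class TrafficControl:
    """Per-IP sliding-window request counter with a temporary block list.
    The constructor arguments mirror the Traffic Control settings described above;
    the default values are this example's own, not the plugin's defaults."""

    def __init__(self, time_frame_sec=3600, hit_limit=1000, block_minutes=60, ignore_logged_in=True):
        self.time_frame = time_frame_sec
        self.hit_limit = hit_limit
        self.block_sec = block_minutes * 60
        self.ignore_logged_in = ignore_logged_in
        self.hits = defaultdict(deque)   # ip -> request timestamps still inside the window
        self.blocked_until = {}          # ip -> time (seconds) at which the block expires

    def check(self, ip, now, logged_in=False):
        """Decide one request at time `now` (seconds): return "allow" or "block"."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"             # still inside the block period
            del self.blocked_until[ip]     # block expired: start counting afresh
            self.hits[ip].clear()
        if logged_in and self.ignore_logged_in:
            return "allow"
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - self.time_frame:
            window.popleft()               # drop hits older than the time frame
        if len(window) > self.hit_limit:
            self.blocked_until[ip] = now + self.block_sec
            window.clear()
            return "block"
        return "allow"


def simulate():
    """Constructed traffic: one client fires 7 requests in 12 seconds against a limit of
    5 requests per 60-second frame with a 1-minute block, then returns after the block."""
    tc = TrafficControl(time_frame_sec=60, hit_limit=5, block_minutes=1)
    decisions = [tc.check("198.51.100.7", t) for t in range(0, 14, 2)]  # t = 0, 2, ..., 12
    decisions.append(tc.check("198.51.100.7", 12 + 61))   # block set at t=10 expires at t=70
    decisions.append(tc.check("203.0.113.5", 12))         # an unrelated client is unaffected
    return decisions


if __name__ == "__main__":
    print(simulate())
```

    The sixth request trips the limit and every request until the block expires is refused without being counted, which is what keeps a flooding client from extending its own block indefinitely; set the block long enough to outlast the burst, as the plugin's 1-hour example above does.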


    What are DDoS and DoS?

    These are types of attack on a website in which a large number of requests is sent to it. If the number of requests is high enough, the website stops functioning properly.

    The difference between DDoS and DoS is that a DDoS attack is distributed, meaning it is executed from many IP addresses, while a DoS attack comes from just one or a few IP addresses.

    Why DDoS and DoS might be dangerous to a website

    Such attacks rely on the fact that the web server has to process each request, running all the page scripts, loading all the pictures, and so on, spending its resources. As a result, the website slows down or starts returning an error on any attempt to visit a page.
    The second problem is the high volume of traffic to your website, which in some cases leads to unexpected expenses or a warning from your hosting provider.

    It is unwise to underestimate the danger of such attacks and to spend your time blocking IP addresses manually; it is more efficient to hand this task to automated tools.

    You can install the plugin Security & Malware scan by CleanTalk from the WordPress catalog.

  • Vulnerability in Eval(‘$some=1;’); Code for WordPress Auto-Cure

    A new piece of malware was detected by our Security Malware Scanner on one of our clients' websites. Using this file, we created a malicious code signature and added it to the Security Malware Scanner.

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define( 'WP_USE_THEMES', true );
    
    /** Loads the WordPress Environment and Template */
    require __DIR__ . '/wp-blog-header.php';
    eval('$some=1;'); // the line appended by the malware; this is what the signature matches

    Here it is, in the last line.

    From this moment on, this malware is recognized and auto-cured on all websites protected by our Website Security plugin.

    What is a signature

    A signature is a specific pattern that allows security tools to recognize malicious threats such as SQL injections, malware, etc.
    There are different types of signatures in our Security plugin, including fragments of malicious PHP/JS/HTML code, entire files, and WAF (Web Application Firewall) rules.

    How it works

    In other words, a signature is a kind of mold of a file: the scanner computes a mold of each file on your website (we work only with MD5 hashes of the files) and compares it with the signature mold (also an MD5 hash). If a match is found, the file is marked as Critical. If the Cure malware option is enabled, automatic treatment is performed.

    To enable the Cure malware option, go to your WordPress Dashboard → Plugins → Security by CleanTalk → General Settings. You will find the option in the Malware Scanner section.
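    The matching described above, in an added example that is not the plugin's scanner: whole-file signatures are MD5 digests compared against each file's digest, fragment signatures are patterns searched in file content (here a regex for the eval('$some=1;') line shown earlier), a match marks the file Critical, and "cure" strips the matched fragment. The signature set and the site tree are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Constructed signature sets for the demonstration (not CleanTalk's signature database).
# A fragment signature is a regex over file content; a file signature is the MD5 digest
# of an entire known-bad file, as the text describes.
FRAGMENT_SIGNATURES = {
    "eval-some-1": re.compile(r"eval\('\$some=1;'\);\n?"),
}

INFECTED_INDEX = (
    "<?php\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
    "eval('$some=1;');\n"
)
CLEAN_INDEX = (
    "<?php\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)
DROPPED_FILE = "<?php // constructed stand-in for a whole known-bad file\n"
FILE_SIGNATURES = {hashlib.md5(DROPPED_FILE.encode()).hexdigest(): "dropped-file-v1"}


def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def scan_file(path, file_sigs=FILE_SIGNATURES, frag_sigs=FRAGMENT_SIGNATURES):
    """Return [(signature_name, kind)] for every signature that matches the file."""
    findings = []
    digest = md5_of(path)
    if digest in file_sigs:
        findings.append((file_sigs[digest], "file"))
    with open(path, "r", errors="replace") as fh:
        content = fh.read()
    for name, rx in frag_sigs.items():
        if rx.search(content):
            findings.append((name, "fragment"))
    return findings


def cure_file(path, frag_sigs=FRAGMENT_SIGNATURES):
    """Remove every matched fragment in place and return how many were removed.
    Whole-file matches are not cured here: a file that is entirely malicious
    should be quarantined, not edited."""
    with open(path, "r", errors="replace") as fh:
        content = fh.read()
    removed = 0
    for rx in frag_sigs.values():
        content, n = rx.subn("", content)
        removed += n
    if removed:
        with open(path, "w") as fh:
            fh.write(content)
    return removed


def scan_tree(root, cure=False):
    """Scan every file under root; return {relpath: {"status", "findings", "cured"}}
    for files that match at least one signature (marked Critical, as in the text)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            findings = scan_file(full)
            if findings:
                cured = cure_file(full) if cure else 0
                report[os.path.relpath(full, root)] = {
                    "status": "critical", "findings": findings, "cured": cured,
                }
    return report


def demo():
    """Constructed site tree: an infected index.php, a dropped file, a clean plugin file."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in [
            ("index.php", INFECTED_INDEX),
            ("wp-content/dropped.php", DROPPED_FILE),
            ("wp-content/plugins/ok.php", "<?php // constructed clean file\n"),
        ]:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        before = scan_tree(root, cure=True)      # first pass: detect and cure fragments
        after = scan_tree(root)                  # second pass: what is still flagged
        with open(os.path.join(root, "index.php")) as fh:
            cured_index = fh.read()
        return before, after, cured_index


if __name__ == "__main__":
    before, after, cured_index = demo()
    for path, info in before.items():
        print(path, info)
    print("still flagged after cure:", sorted(after))
```

    The two signature kinds fail differently: a whole-file MD5 breaks as soon as the attacker changes one byte, while a fragment pattern survives that but must be written tightly enough not to match legitimate code. Note that eval('$some=1;') on its own only assigns a variable; its value to the scanner is as a marker that the file was tampered with.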

    If you have any questions, add a comment and we will be happy to help you.

  • Geolocation (city) in the Security Log and email reports

    Sometimes knowing the attacker's country is not enough, so we have added more precise geolocation by IP address (down to the city) to help you. The new feature is enabled automatically for all Website Security plugin users.

    You can see it:

    1. On the Security Log page.
    2. On the Security FireWall page.
    3. On the Blacklists Database Reports page.
    4. In your email with Successful Logins With an Administrator Role.
    5. In your email Weekly Security report.

    Blacklists Database Reports page

    Create your CleanTalk account


  • Custom text messages for Security FireWall Block Page

    We’re glad to introduce the new feature of our Security Extra Package.

    When you use Personal Black Lists (including blocking by country), blocked users see the default message "This is the testing page for Security FireWall", but now you can change it. The message can include your email or phone number, so that you can collect information about the reasons for false positives.

    How to create a custom message

    Step 1: Go to your Dashboard => Security. Select your website and click on Settings.

    Step 2: Scroll down to Message for forbidden visitors and tick it. After that you can type any text you want, including email addresses and phone numbers. When finished, just press the Update button.

    That's it! Your custom message is enabled and saved. After about 10 minutes you can take a look at your Security FireWall block page.

    How to preview your block page

    Step 1: Go to Dashboard => Security => Your website Settings (exactly like it was described above). Then click on Testing Security FireWall.

    Step 2: After that, your Security FireWall testing page will appear. Here you can preview your custom message and edit it if needed.

    Get your Website Security now


  • Vulnerability in the CleanTalk Anti-Spam plugin for WordPress

    There was a minor vulnerability in the comment scanning interface. It was not very serious, since only a logged-in administrator could trigger it. In other words, to exploit the vulnerability you need administrator access to the site, and an attacker who already has such access does not need a vulnerability, since they can add any malicious code directly. The vulnerability in the plugin interface can still be exploited in versions before 5.174.1.

    In any case, we added the fix in version 5.174.1 of the Anti-Spam plugin right after we received the report from the WordPress Plugin Team. So from now on, all you have to do is make sure your Anti-Spam plugin is up to date. If you use one of the earlier versions, please update the plugin to the latest stable version as soon as you read this post, using our special guide.

  • Check your plugins and themes using CleanTalk Web Application FireWall (WAF)

    From now on the Security plugin also scans plugins and themes for malware as they are uploaded to your WordPress website. Malware is sometimes distributed inside themes and plugins, and checking them with the WAF before installation is a good way to prevent your site from being infected.

    Download «Security & Malware scan» plugin

    To enable this option go to your Dashboard and choose Installed Plugins in Plugins menu.

    Then go to Settings below your Security Plugin.

    And check the “Check plugins and themes while uploading” checkbox.

    How to check WordPress plugin for Malware

    Step 1: Go to your WordPress Dashboard. Then go to Plugins and press Add new.

    Step 2: Click on the Upload Plugin button.

    Step 3: Then choose your Plugin (it should be compressed to .ZIP file). After that just press Install now and let WAF do the rest.

    Step 4: Wait until the Security plugin finishes the malware scan of your plugin. If you see an INFECTED or Plugin installation failed message, malware has been found and the plugin you uploaded may be infected.

    If you see a success message instead, the plugin is safe to use.

    How to check WordPress Theme for Malware

    Step 1: Go to your WordPress Dashboard. Press the Appearance button and on the next page press Add new.

    Step 2: Click on the Upload Theme button. Then choose your Theme (it should be compressed to .ZIP file). Then just press Install now and let the Plugin do the rest.

    After the scan, the plugin displays a message with the results. If you see an INFECTED or Theme installation failed message, malware has been found and the theme you uploaded may be infected.

    In that case the installation is interrupted and your website remains safe. After the malware has been removed, the theme may be uploaded again.

    You can create your own CleanTalk account to see the security status of your website, add new websites or manage existing ones!

    Create an account

  • New feature in Website Security FireWall Log

    Your website is regularly visited by different bots. The "bad" ones are blocked by your Security FireWall before they even reach your website, but what about the "good" ones, like Google, Bing and MSN? From now on you can use the Security FireWall Log to find out which "good" bots visit your site and how many requests they make there.

    What exact information can you get:

    • Date
    • Website
    • URL of visited website
    • Bot IP
    • Hostname (in case it can be defined)
    • Browser used by bot
    • Bot country
    • Quantity of requests (hits)
    • FireWall result

    How it works

    Step 1: Go to your Security Dashboard. Choose “Site Security” in the “Services” menu.

    Step 2: Go to your Security FireWall Log:

    To find information about a specific bot, just type its name (or part of it).

    From that page, you may decide whether you want to block one of these bots or not.

    How to block bots by User-Agent

    Feel free to block any bot using our special guide.

  • Our client’s story: LBMSOLUTIONS.CO.UK

    We continue sharing our clients’ reviews and today’s story is brought to you by Dave from lbmsolutions.co.uk.

    Love this company, great products and excellent support.

  • «My IP Address Details» – the new CleanTalk service is available

    The CleanTalk My IP service shows information about your current IP address. Your device receives an IP address from your Internet service provider; most often dynamic IP addresses are used, which change over time or every time you connect to the Internet. The IP address is public information and is used to connect to and work with any service on the Internet.

    What information you can get using our web service

    Host Name
    The hostname (reverse DNS name) assigned to your IP address, usually by your Internet provider.
    Operating System
    The operating system you are using right now. Available for your own IP address only.
    Country
    Just a country that this certain IP address belongs to.
    Anti-Spam
    Indicates whether your IP address is blacklisted by the Anti-Spam service or not.
    Network
    The full address of your network, its type, and public spam rate.
    SpamFireWall
    Indicates whether your IP address is blacklisted by the SpamFireWall service or not.
    Autonomous System
    A collection of connected routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain.
    Security FireWall
    Indicates whether your IP address is blacklisted by the Security FireWall service or not.
    Web Browser
    The browser and browser version you are using right now. Available for your own IP address only.

    Ok, let's check my IP