While monitoring exposed password databases we found a leaked database that contained 178 compromised credentials of CleanTalk users among other data. These emails/passwords were compromised some time ago and after that were used to create a CleanTalk account by their owners. As soon as we found this potential vulnerability – we immediately reset passwords for all CleanTalk users related to these email addresses.
Please remember to be careful when clicking on third-party links or using unverified services or WordPress plugins. And be sure to check the list of your compromised passwords in your browser. If you use Google Chrome you can find it here: chrome://password-manager/checkup/compromised.
We are proud to introduce the White Label option for our Anti-Spam and Security plugins. This option gives Unlimited plan users the ability to resell Anti-Spam or Security services to their customers under their own brand name. The Extra Package should be connected as well.
Here’s what you get
Any CleanTalk and affiliate program mentions will be removed.
Absolutely all links to CleanTalk.org will be replaced with your custom URL.
The contact information of tech support will be replaced with yours.
All Connection problems reports will be sent to your support email.
How to connect the White Label option for regular installation (not for Multisite)
Ensure your Unlimited plan and the Extra Package for your Anti-Spam or Security services have been purchased.
In the upper right corner of your Dashboard screen go to your Profile → Settings → Whitelabel Database.
Switch the White label option to On and fill in the following fields and press the Save button.
Congratulations! You can now invite your customers to their new control panel.
How to connect the White Label option for Multisite/Multiuser/WPMS
In case you are using a Multisite/Multiuser/WPMS version of WordPress, check out these instructions.
We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.
What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.
What Has Been Done to Find Out the Source of the Hack
The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.
The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).
saving nginx «access.log» on the date of the detected hack
saving nginx «error.log» on the date of the detected hack
saving nginx «syslog» on the date of the detected hack
Input data:
logs «access.log» (200 MB) «error.log» (47 MB)
website files
The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».
To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.
The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.
Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?
Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme
Furthermore,
the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u and in the end a number of malicious files was created which were started being called;
a set of files «.htaccess» was created and modified specifically for the Apache-like webserver to allow executing files;
the file «index.php» was modified, added obfuscated malicious code;
the file «plugins.php» was modified, added obfuscated malicious code;
the file «pluggable.php» was modified, added obfuscated malicious code;
there were some eval constructions in the files, and parsing them was impossible.
It’s also impossible to know the origin of the folder /wp-content/themes/seotheme and the files in it, the reason is self-deletion of the malware results.
How to prevent future hacks:
constant monitoring of the website files for any new unknown files in the system,
aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
Sometimes knowing the attacker’s country is just not enough, so now we added certain geolocation by IP to help you. The new feature will be added automatically to all Website Security plugin users.
When you use Personal Black Lists (including blocking by country) users see a default message “This is the testing page for Security FireWall” but now you can change it. The message can include your email or phone number. In that case, you can collect data about the reasons for false positives.
How to create a custom message
Step 1: Go to your Dashboard => Security. Select your website and click on Settings.
Step2: Scroll down to Message for forbidden visitors and check it. After that you can type any text you want including emails and phone numbers. When finished just press the Update button.
That’s it! Your custom message is enabled and updated. After about 10 minutes you can take a look at your Security FireWall block page.
How to preview your block page
Step 1: Go to Dashboard => Security => Your website Settings (exactly like it was described above). Then click on Testing Security FireWall.
Step 2: After that, your Security FireWall testing page will appear. Here you can preview your custom message and edit it if needed.
Your website is regularly visited by different bots. The “bad” ones are blocked by your Security FireWall before they even reach your website, but what happens with the “good” ones like Google, Bing, and MSN? From now you can use Security FireWall Log to find out, what ”good“ bot visit your site and how many actions they provide there.
What exact information can you get:
Date
Website
URL of visited website
Bot IP
Hostname (in case it can be defined)
Browser used by bot
Bot country
Quantity of requests (hits)
FireWall result
How it works
Step 1: Go to your Security Dashboard. Choose “Site Security” in the “Services” menu.
Do you know how to hide your WordPress usernames from bad bots? We are glad to introduce you a new Security plugin improvement: from now CleanTalk allows you to hide WordPress username from bad bots brute-force.
Before this improvement became available some bots could learn WordPress usernames by their ID and use it to brute-force these accounts later. For example, a request like «https://blog.cleantalk.org/?author=007» could return the username «https://blog.cleantalk.org/author/james_bond».
This option is switched off by default so in order to avoid vulnerabilities like that we highly recommend to switch it on.
Step 1: Go to Plugins → Installed Plugins.
Step 2: Go to Settings beneath the Security plugin.
And after that choose General Settings.
Step 3: Go to Miscellaneous section and find checkbox «Prevent collecting of authors logins» and just check this box.
Step 4: Press the «Save Changes» button.
Success! That’s how quickly CleanTalk allows you to hide WordPress username from bad bots
If you have any questions, add a comment and we will be happy to help you.
Create your Cleantalk account – Register now and enjoy while CleanTalk Anti-Spam plugin protects your Clean and Simple Contact Forms from spam.
We added new parameters in the Security FireWall Log.
CleanTalk WordPress Security Log shows a list of all the network requests blocked in the course of loading the page. Each request is displayed in its own row.
All of these requests will have next string:
-Page URL to which the request was sent.
Security FireWall blocks all requests from the most active IP addresses where massive spam and brute force attacks come from.
Security FireWall may significantly reduce the risk of hacking and reduces the load on your web server. All security logs are stored in the cloud for 45 days.
CleanTalk continues to develop Security Service and launches new option “BlackIPs Database”.
Our Cloud Service processes millions of requests every day and we know which IPs have suspicious activity in real time.
BlackIPs Database — is the database of the most active IP addresses where massive spam and brute force attacks come from. When IP starts attacking a few websites they are immediately added to the blacklist. IPs that stop attacking are being removed over time and that time is relatively short — usually about 2 weeks.
This option will be a powerful way to improve the Security Service for your websites.
Blocking a bad IP completely is more effective and safer than just blocking its malicious requests because you don’t allow it to gather information about the target website it is about to attack.
BlackIPs Database is included in the standard package of Security Service and does not require any additional payment, just enable this option in your CleanTalk Dashboard -> Settings then mark the option “Use CleanTalk database of dangerous IP addresses”.
If you need to add exceptions for IP addresses or subnets, you can add them to white lists that have higher priority and will not be blocked.
In 2 weeks we will add new parameters to Security Service Log that will show blocked requests and Page URL which the IP address was trying to get access to.
CleanTalk Real-Time BlackIPs Database is one of the greatest security features.
We work every day to continuously improve and evolve our services.
Let us know if you have any suggestions or comments.
