WordPress

PHP Injection Bug Fixed

June 17th, 2013

Two popular WordPress plugins used to cache site content have fixed a serious vulnerability that attackers could exploit simply by including specially crafted HTML in a blog comment. Both WP Super Cache and W3 Total Cache allowed PHP code injection through this simple vector; both have now been updated to address it.

The vulnerability lay in the way the plugins handled dynamic snippets (PHP wrapped in HTML comment tags) when they appeared in blog comments on a site with one of the plugins enabled. An attacker who found a vulnerable site could execute arbitrary code on the web server. Now that the developers of both plugins have patched the flaw, details of the bug have been made public.

“As a result, blogs with WP Super Cache (before version 1.3) and W3 Total Cache (before version 0.9.2.9) were at risk of PHP code injection. Blog comments could contain dynamic snippets (in HTML comments) and WordPress core did not filter them out. Upon such a malicious comment having been submitted, a new cached version of the page was created that included the injected PHP code. Upon the first request of the cached page, that code was successfully executed,” Frank Goossens, a Belgian blogger, wrote in a description of the bug.

First word of the vulnerability appeared in a WordPress support forum about a month ago, and the original poster included a detailed proof of concept. Last week, Donncha O Caoimh, the author of WP Super Cache, said that he was releasing a new version of his plugin and that a future version would disable by default the dynamic-snippet feature (mfunc) that made the injection possible.

“I’ve just released a new version of WP Super Cache that removes the html comments from user comments. I’ll publish a post about it in a few days time after most people have hopefully upgraded their sites. In the next release (1.4) I’m going to disable mfunc and associated functions by default because I suspect most users don’t even use them. Admins will have to enable them on the settings page,” O Caoimh wrote.
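As an added illustration (my own code, not from either plugin, from Goossens or from O Caoimh), the following Python screens incoming comment text for the mfunc marker described above and applies the mitigation O Caoimh describes, stripping HTML comments from user comments before they are stored. The sample comment bodies are constructed, and the regular expressions, function names and the treatment of an unterminated comment are my assumptions rather than anything the plugins do. A WordPress deployment would perform this check in PHP on the comment hook; Python is used here only to demonstrate the logic.

```python
import re

# Constructed sample comment bodies (not real submissions). The first mimics
# the shape of the attack described above: PHP wrapped in an HTML comment
# that carries WP Super Cache's "mfunc" dynamic-snippet marker.
SAMPLE_COMMENTS = [
    "Nice post! <!--mfunc echo shell_exec('id'); --><!--/mfunc-->",
    "Plain comment with <b>bold</b> text.",
    "Sneaky <!-- mfunc\n system('uname -a'); --> spread over lines",
    "Harmless <!-- just a note --> comment",
    "Unterminated <!--mfunc phpinfo();",
]

# Any HTML comment. If '-->' never comes, the comment is taken to run to the
# end of the text, which is how a browser would render it anyway (assumption).
HTML_COMMENT_RE = re.compile(r"<!--(?:.*?-->|.*)", re.DOTALL)

# The dynamic-snippet marker named in the post, opening or closing form.
# Case-insensitive and tolerant of whitespace after '<!--'.
MFUNC_MARKER_RE = re.compile(r"<!--\s*/?\s*mfunc\b", re.IGNORECASE)


def find_dynamic_snippets(text: str) -> list:
    """Return every HTML comment in `text` that carries the mfunc marker."""
    return [m.group(0) for m in HTML_COMMENT_RE.finditer(text)
            if MFUNC_MARKER_RE.match(m.group(0))]


def strip_html_comments(text: str) -> str:
    """The mitigation O Caoimh describes: drop HTML comments from user text."""
    return HTML_COMMENT_RE.sub("", text)


def screen_comment(text: str) -> dict:
    """Flag-and-sanitise step a comment hook could run before storing."""
    hits = find_dynamic_snippets(text)
    return {"flagged": bool(hits), "snippets": hits,
            "clean": strip_html_comments(text)}


if __name__ == "__main__":
    for body in SAMPLE_COMMENTS:
        result = screen_comment(body)
        tag = "ALERT" if result["flagged"] else "ok   "
        print(tag, repr(result["clean"]), result["snippets"])
```

Stripping every HTML comment, rather than only those with the marker, is the safer choice: the cache plugins interpreted more than one tag shape, and legitimate commenters have no need for HTML comments.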

The hugely popular WordPress publishing platform is used by a wide variety of users, from professional publishers to individual writers. Thousands of plugins are available for the platform, performing all kinds of tasks from blocking spam comments to rendering sites for mobile devices, and attackers often target vulnerabilities in those plugins, knowing that users may not update them as often as they should. Just as browser plugins such as Flash and Java have become favorites of attackers, so too have WordPress plugins. As breaches of WordPress sites have increased, so has the need to secure the data behind them.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Large Scale Botnet Brute Force WordPress

May 23rd, 2013

There have always been a lot of brute force attempts, bot scans and hacking attempts on WordPress-hosted sites (due to flaws in the core and a multitude of insecure plugins), this site being no exception (they've even done some minor damage before).

But things appear to have ramped up recently, with a large increase in brute force attacks on WordPress sites. It seems to be the work of a rather crude botnet, which tries the default admin username (along with a few others such as test and root) against a list of common passwords. Once it gets in, it leaves a backdoor, adds the compromised site to the botnet and starts scanning for other victims.

Sucuri have confirmed in their blog post, Mass WordPress Brute Force Attacks? – Myth or Reality, that the number of brute force attacks in April is double that of previous months.

Hosting providers are reporting a major upsurge in attempts to hack into blogs and content management systems late last week, with WordPress installations bearing the brunt of the hackers’ offensive.

WordPress installations across the world were hit by a brute force botnet attack, featuring attempts to hack into installations using a combination of popular usernames (eg, “admin” and “user”) and an array of common passwords. Attacks of this type are commonplace; it is the sharp rise in volume late last week to around three times the normal volume rather than anything technically cunning or devious that has set alarm bells ringing.

The primary target appears to be WordPress installations but Joomla users also reportedly took a bit of a hammering.

Early suggestions are that hackers are looking to harvest “low-hanging fruit” as quickly as possible in order to gain access to a bank of compromised sites for follow-up malfeasance, which could be anything from hosting malware to publishing phishing pages or running some sort of denial of service attack. “It’s doorknob rattling, but on an industrial and international scale,” notes Paul Ducklin, Sophos’s head of technology for Asia Pacific.

This is a large-scale attack, though: well organized and very widely distributed, with over 90,000 IP addresses involved. A plugin such as Limit Login Attempts, which locks out an address after repeated failures, wouldn't help much, because each address sends only a few login requests.

Cloudflare have already pushed out a block for this type of attack for both paying and free customers, so if you're behind Cloudflare you should be covered against this particular campaign.

If you notice that your admin login, or your blog in general, has become very sluggish, you might already have been compromised: a hacked site's outgoing brute force attempts consume a lot of server resources.

WordPress founder Matt Mullenweg said that the attack illustrates the need to use a distinct username and a hard-to-guess password, common-sense advice that applies to using web services in general, not just for blog administration.

Olli-Pekka Niemi, vulnerability expert at security firm Stonesoft, outlined the range of possible motives behind the attack.

“A concern of this attack is that by compromising WordPress blogs attackers may be able to upload malicious content and embed this into the blog,” Niemi said. “When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets. The attacks against the WordPress blogs seem to be distributed, with automated attacks coming from multiple sources.”

Matt Middleton-Leal, UK & Ireland regional director of corporate security dashboard firm Cyber-Ark, said hacks on corporate blogs might be used as an access point to hack into other (more sensitive) enterprise systems. Weak passwords need to be changed pronto, he argues.

“Common usernames and weak passwords are extremely risky online, however, the dangers are compounded if users re-use the same login credentials for other sites. Once the bad guys have cracked a username and password, it’s extremely common that they’ll attempt to use the same combination for additional sites in the attempt to fraudulently use accounts, or access information such as credit card details or corporate data.

“If WordPress users have been targeted in this attack, they should immediately seek to change their username and password details for their WordPress account, but also for any other accounts for which they use the same credentials,” he added.

There’s not a lot of info going around on what happens after a site has been compromised, in technical terms anyway, so I can’t really comment on that. But if you have decent file permissions and a strong password, and you deleted the admin user long ago, you should be safe.


Brute-Force Attack on WordPress blogs and Joomla Sites

April 15th, 2013

Thousands of WordPress and Joomla sites are currently under brute-force password attack by a large botnet. Administrators should respond by making sure they use strong passwords and uncommon usernames on their WordPress and Joomla installations.

According to reports from CloudFlare, HostGator and several other companies, cyber criminals have significantly stepped up brute-force, dictionary-based login attempts against WordPress blogs and Joomla sites over the past few days. These attacks look for familiar account names, such as “admin,” and systematically try common passwords against them in order to break into WordPress or Joomla accounts.

Attacks of this kind are a warning to administrators to make sure perpetrators cannot get in, since an attacker who does would be able to deface the site or embed malicious code that infects visitors with malware. However, the highly organized nature and large scale of these attacks implies even more menacing goals. It now appears that the attackers are trying to gain a foothold on the server in order to take over the entire machine. Web servers are generally more powerful and have bigger bandwidth pipes than home computers, which makes them more attractive targets for cyber criminals.

“The attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” informed Matthew Prince – CEO of CloudFlare, on his company blog.

Researchers believe that the Brobot botnet, which was behind the massive denial-of-service attacks against U.S. financial institutions, is made up of compromised web servers. On that point, Prince said: “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”

Accounts that are Brute-Forced

To break into user accounts on WordPress and Joomla sites, the attackers are using brute-force tactics. The top five usernames being targeted are “admin,” “test,” “administrator,” “Admin,” and “root.” In a brute-force attack, the perpetrators systematically try passwords from a list until one of them logs them in and the account is theirs. Simple passwords such as number sequences and dictionary words are easy to guess, especially when a botnet automates the whole process. The top five passwords attempted in this attack are “admin,” “123456,” “111111,” “666666,” and “12345678.”
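The earlier post's point that a per-IP limiter such as Limit Login Attempts misses a campaign spread over some 90,000 addresses, and the credential-guessing described in this section, are both illustrated by the following added example (my own code, not from Sucuri, CloudFlare, HostGator or any plugin). It runs two detectors over constructed Apache combined-format access-log lines: a per-IP sliding-window count, which is what a login limiter sees, and a site-wide count of distinct hosts POSTing to wp-login.php per window, which is what actually fires on a distributed attack. Access logs do not carry the submitted username, so the detection keys on the login endpoint; the assumption that a successful WordPress login answers with a 302 redirect while a failed attempt re-renders the form with a 200 is mine, as are all function names, thresholds and the sample addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


def _line(ip, second, method="POST", path=LOGIN_PATH, status=200):
    """Build one constructed log line for the sample below (test data, not a real server)."""
    return (f'{ip} - - [15/Apr/2013:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3412 "-" "Mozilla/5.0"')


# Constructed sample: one minute of traffic during a distributed campaign.
SAMPLE_LOG = (
    # nine different hosts, one login attempt each: the distributed pattern
    [_line(f"203.0.113.{n}", second=n) for n in range(1, 10)]
    # one host retrying three times: noisy, but under a per-IP limit of five
    + [_line("198.51.100.7", second=s) for s in (12, 13, 14)]
    # the attempt that got in (assumption: WordPress 302s to wp-admin on success)
    + [_line("192.0.2.55", second=50, status=302)]
    # ordinary traffic, including someone merely loading the login form
    + [_line("192.0.2.10", second=20, method="GET", path="/"),
       _line("192.0.2.11", second=30, method="GET")]
)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def login_posts(lines):
    """Only POSTs to the login endpoint count as credential attempts."""
    events = (parse_line(ln) for ln in lines)
    return [e for e in events if e and e["method"] == "POST" and e["path"] == LOGIN_PATH]


def per_ip_alerts(lines, limit=5, window=timedelta(minutes=1)):
    """What a per-IP limiter sees: hosts with more than `limit` attempts in any window."""
    stamps_by_ip = defaultdict(list)
    for e in login_posts(lines):
        stamps_by_ip[e["ip"]].append(e["ts"])
    noisy = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                noisy.add(ip)
                break
    return noisy


def distributed_alerts(lines, min_ips=10, window=timedelta(minutes=1)):
    """Site-wide view: windows in which at least `min_ips` distinct hosts tried to log in."""
    secs = int(window.total_seconds())
    ips_by_window = defaultdict(set)
    for e in login_posts(lines):
        epoch = int(e["ts"].timestamp())
        ips_by_window[epoch - epoch % secs].add(e["ip"])
    return [(datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), len(ips))
            for start, ips in sorted(ips_by_window.items()) if len(ips) >= min_ips]


def successful_logins(lines):
    """Login POSTs answered with a redirect: the first thing to triage after a campaign."""
    return [(e["ip"], e["ts"].isoformat())
            for e in login_posts(lines) if e["status"] == 302]


if __name__ == "__main__":
    print("per-IP limiter would block:", per_ip_alerts(SAMPLE_LOG) or "nothing")
    print("distributed-attempt windows:", distributed_alerts(SAMPLE_LOG))
    print("logins that succeeded:", successful_logins(SAMPLE_LOG))
```

On this sample the per-IP limiter blocks nothing, while the site-wide detector reports eleven distinct hosts hitting the login form inside one minute; the 302 in the same window is the one to investigate, since it marks the address whose guess worked.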

Anyone who created an account on one of these sites with a common username and password should change both immediately to something less obvious.

“Do this and you’ll be ahead of 99 percent of sites out there and probably never have a problem,” Matt Mullenweg, creator of WordPress, wrote on his blog.

Surge in Cyber Attack Volume

Sucuri’s statistics indicate that the attacks are still increasing. The company had already blocked 678,519 login attempts in December, 1,252,308 in January, 1,034,323 in February and 950,389 in March, Daniel Cid, CTO of Sucuri, wrote on the company blog. In the first 10 days of April alone, Sucuri blocked 774,104 login attempts, Cid said. That is a significant jump, from 30,000 to 40,000 attempts per day to an average of about 77,000 per day, and on some days this month the count has exceeded 100,000, Sucuri said.

“In these cases, by the sheer fact of having a non-admin / administrator / root username you are automatically out of the running,” Cid said, before adding, “Which is kind of nice actually.”

Hints of a Large Botnet

The volume of attacks hints at the size of the botnet. HostGator estimates that at least 90,000 computers are involved, and CloudFlare believes “more than tens of thousands of unique IP addresses” are being used.

What is a Botnet?

A botnet is made up of many compromised computers that receive instructions from one or more centralized command-and-control servers and carry them out. In most cases these computers have been infected with malware, and their owners are often unaware that attackers are controlling the machines.

Updated Software and Strong Credentials

What is worrying about these attacks is not that attacks against popular content management systems are new, but their sheer volume and sudden increase. There is not much an administrator can do beyond using a strong username and password combination, which makes the attackers’ job harder, and keeping the CMS and its plugins up to date.

“If you still use ‘admin’ as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress,” Mullenweg said. WordPress 3.0, released three years ago, let users choose a custom name for the initial administrator account, so there has been no reason since then to use “admin” or “Administrator” as a username.

Protect yourself with Alertsec

Organisations are now more aware of their data security responsibilities and are implementing data encryption. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.
