Category Archives: Exploits

CVE-2014-3704 Drupal SQL Injection Vulnerability – How can you fix it?


This is a critical vulnerability. If this is the first you are hearing about it and you manage a Drupal website, I would highly recommend that you go read the Drupal PSA and follow the instructions there before doing anything else.


The situation with CVE-2014-3704

On October 15th, 2014 the Drupal core team released the details of a vulnerability, CVE-2014-3704, that was classified as the most severe type of vulnerability: Highly Critical. This CVE-2014-3704 SQL injection attack can allow remote, anonymous users to take control of your Drupal installation and gain access to all of your content. The Drupal team describes it in a bit more technical detail:

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users.

The website firewall company, Sucuri, observed attacks on Drupal sites starting only 8 hours after the vulnerability was disclosed. Those attacks have become systematized and are now widespread. As a result, the Drupal team is advising all website owners to assume “[...] that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC [...].”

What should website owners do about CVE-2014-3704?

Unfortunately, the patch that Drupal provided for CVE-2014-3704 can only prevent a future attack. If your site has already been compromised, as the Drupal team and Sucuri data suggest is very likely, the patch cannot undo an attack that has already occurred. The recommendation from Drupal is to restore your website to a point in time before October 15th to remove any backdoor, and then apply the patch to prevent re-infection.

If you have your website backed up with CodeGuard, restoring to a time before October 15th should not be an issue. If you do not have daily backups, CodeGuard or otherwise, you could also check with your hosting provider. However, while they may have a disaster recovery backup of their servers (including your website content) that was taken some time between 24 hours and 7 days ago, that would not help in a case like this where backdoors could have been inserted weeks ago. If you do not have a viable backup, the only other option that Drupal provides is to rebuild your website from scratch. Ouch. Backdoors can be incredibly difficult to find manually, so if you do not have a comprehensive backup, rebuilding is the only other truly safe option if you have been compromised by CVE-2014-3704.

Backups are a necessary part of website infrastructure

Just like reliable hosting, a comprehensive backup strategy should be high on the list of priorities when building a new website or maintaining an existing property. In addition to providing some measure of insurance against events like CVE-2014-3704, they can also save you time in cases where files are accidentally deleted or when plugin updates go awry.

In addition to 99.99% levels of reliability and daily backups, CodeGuard’s ChangeAlert feature can also be helpful in bringing unauthorized file content changes to your attention. In the event that the backdoor was inserted in a file or your static content was defaced, CodeGuard can provide you with a notification of the change and the tools to roll back the malicious activity.

In this age of rapidly exploited vulnerabilities like CVE-2014-3704, a comprehensive backup strategy is no longer a nice-to-have option, it’s a must-have for every website owner or administrator.

– Jonathan

The Easiest Way to Upgrade Your Site to HTTPS


Google just changed their ranking algorithm to give a boost to sites that use https instead of http. Even if you have a content site or a personal website, it makes sense to take all reasonable measures to secure it from hacking, especially when Google could give your site more traffic.

The easiest way to get https is to use a paid CloudFlare account and turn on Flex HTTPS. This avoids the need to buy and install a security certificate, saving money overall. CloudFlare also helps protect your site from malicious bots, hackers, and denial of service attacks.

To configure CloudFlare for HTTPS, log in, click the gear icon next to your site, and choose “CloudFlare settings”. Then set the SSL switch to Flexible SSL. This encrypts communications between CloudFlare and your users. CloudFlare still communicates with your web server via http, eliminating the need to make changes there. Most man-in-the-middle attacks happen close to where the user connects, such as an unencrypted WiFi network vulnerable to Firesheep, or a hotel network that splices ads into web pages, not between major Internet services such as CloudFlare and your hosting provider.

Flexible SSL

After making the switch it's necessary to test the site to make sure you get a good lock symbol on every page. If you have embedded assets using the non-secure http protocol, you need to update those to https. Search the code for the string src="http: to find them.
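The search described above, carried a step further as an added example (not code from the original post): it walks the page markup tag by tag, reports every src= or href= attribute that still points at http://, distinguishes real mixed content (scripts, stylesheets, images, frames, which cost you the lock icon) from plain <a> navigation links (which do not), and can rewrite the asset references to https://. The sample HTML and the www.yourdomainname.com hostname are constructed for the demonstration.

```python
"""Find and upgrade hard-coded http:// asset references in HTML.

Added example; not part of the original post. Assumes the site is a tree of
.html/.htm files on disk (scan_directory) or a string in memory.
"""
import re
from pathlib import Path
from typing import Dict, List

# One opening tag at a time: group 1 = tag name, group 2 = its attribute text.
TAG_RE = re.compile(r"<(\w+)\b([^>]*)>", re.IGNORECASE)

# src= / href= attributes whose value starts with http:// (either quote style).
HTTP_ATTR_RE = re.compile(r"""\b(src|href)\s*=\s*(["'])(http://[^"']*)\2""", re.IGNORECASE)

# Tags whose src/href pull a subresource into the page. An http:// URL here is
# mixed content and breaks the lock icon; <a href="http://..."> is only a link.
SUBRESOURCE_TAGS = {"img", "script", "link", "iframe", "source", "video", "audio", "embed", "track"}


def find_http_references(html: str) -> List[Dict[str, object]]:
    """Return every src/href that still uses http://, with line number and classification."""
    findings = []
    for tag_match in TAG_RE.finditer(html):
        tag = tag_match.group(1).lower()
        for attr_match in HTTP_ATTR_RE.finditer(tag_match.group(2)):
            findings.append({
                "line": html.count("\n", 0, tag_match.start()) + 1,
                "tag": tag,
                "attr": attr_match.group(1).lower(),
                "url": attr_match.group(3),
                "mixed_content": tag in SUBRESOURCE_TAGS,
            })
    return findings


def upgrade_to_https(html: str) -> str:
    """Rewrite http:// to https:// in subresource src/href only; <a> links are left alone."""
    def fix_tag(tag_match: "re.Match[str]") -> str:
        if tag_match.group(1).lower() not in SUBRESOURCE_TAGS:
            return tag_match.group(0)
        attrs = HTTP_ATTR_RE.sub(
            # group(3)[7:] drops the 7-character "http://" prefix
            lambda m: f"{m.group(1)}={m.group(2)}https://{m.group(3)[7:]}{m.group(2)}",
            tag_match.group(2),
        )
        return f"<{tag_match.group(1)}{attrs}>"
    return TAG_RE.sub(fix_tag, html)


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Run find_http_references over every .html/.htm file under root."""
    results = []
    for path in sorted(Path(root).rglob("*.htm*")):
        for finding in find_http_references(path.read_text(encoding="utf-8", errors="replace")):
            finding["file"] = str(path)
            results.append(finding)
    return results


# Constructed sample page: three mixed-content assets, one already-secure image,
# and one ordinary outbound link.
SAMPLE_HTML = """<html>
<head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src='http://cdn.example.com/app.js'></script>
</head>
<body>
<img src="http://www.yourdomainname.com/images/logo.png" alt="logo">
<img src="https://www.yourdomainname.com/images/ok.png" alt="already secure">
<a href="http://partner.example.org/">partner link</a>
</body>
</html>"""


if __name__ == "__main__":
    for f in find_http_references(SAMPLE_HTML):
        kind = "MIXED CONTENT" if f["mixed_content"] else "link only"
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['url']}  [{kind}]")
    print(upgrade_to_https(SAMPLE_HTML))
```

Run it against the constructed sample and it flags the stylesheet, script and logo image as mixed content while leaving the partner link as an ordinary finding; after upgrade_to_https only that link still references http://. Point scan_directory at your document root to cover a real site, and re-check the lock icon afterwards, since inline CSS and JavaScript can still fetch http:// resources this pattern does not see.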

Green Lock Means Secure

To redirect http to https when using CloudFlare, add the following code to your .htaccess file, if your site runs on an Apache web server (the usual case on Linux/Unix hosting).

# Turn on mod_rewrite processing for this directory
RewriteEngine On
# Under Flexible SSL the origin only ever sees http; CloudFlare reports the
# visitor's real scheme in the CF-Visitor header, e.g. {"scheme":"http"}
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
# Send the visitor to the same path over https with a permanent (301) redirect;
# replace www.yourdomainname.com with your own hostname
RewriteRule ^(.*)$ https://www.yourdomainname.com/$1 [R=301,L]

Remember to update your robots.txt file and your sitemap.xml file to use your new https URLs. Lastly, update Google Webmaster Tools and Google Analytics to reflect your new website URL.

An Ultimate Black Hat Script


Yesterday I received this spam. If you’ve ever wondered who bothers to hack websites and why they do it, here’s a premium explanation straight from the hackers.

Hey guys,

A true bl4ckhat system for Internet Marketers

Do you want to control other site’s traffic? Ever wanted to insert your ads, well paid CPA offers and adsense code on other site’s high traffic pages? Ever wanted to place your backlinks on other’s high page ranked pages without them knowing? Ever wanted to redirect the other site’s visitors to any link you desire? Well you have finally found the secret sauce, Presenting…

An Ultimate Black Hat Script

What is it exactly ?

Mass control millions of servers at a given moment with Affiliate Ads, Adsense, Clickjacking, Content-Locking, Redirection -The sky is the limit! These black hat methods are being utilized by the pharmas and now it’s your time to get hold of their secret way of money laundering.

Control Millions of people’s servers from all over the internet.

– Redirect the traffic of the other website
– Control their ads or insert your own ad in their website
– Initiate the pop-unders
– Put backlinks on the high page rank sites
– Place any code on their sites

———————————-
How to gain access to people’s servers ?

You insert a simple code within scripts, themes, or plugins…or whatever…get creative! Then distribute it.
Once they put it on their server, all sites within their IP are now under your control. It’s really quite simple. The coder was able to gain over 100,000 IP’s in about 3 months. That’s not website…that’s IP. Right now, it’s over 8 million pages that he has full control over to redirect, post ads on, place popups, popunders, or just insert his backlink on.

Check it out:-

Click Here!!

Only a few copies will be given out and then this product will be taken off the market forever! Act now!

Don’t let cybercriminals pwn your site. No matter how good your security, it will break sooner or later. When that happens, you’ll want to be informed promptly and have an easy way to put things right.

Law Firms Need Website Backup More Than Ever


If you work for a law firm, it is unlikely that the idea of protecting your firm’s website has entered and lingered in your mind. Attorneys and paralegals are focused on clients, not websites. Most firms’ sites contain service descriptions, company history, and contact information, so if they were hacked it wouldn’t be that big of a deal, right?

Wrong. Just ask Matt Passen.

Passen Law Firm Becomes Victim of Malware Cyber Attack

Passen Law Group is a two-man personal injury firm in Chicago. As told by USA Today, in June of 2011 Matt Passen went to his site and says he was confronted with “a series of letters and numbers that made no sense to me.”  Passen soon learned that he had been targeted in a slew of malware-based cyber attacks.

Being infected means lost traffic, not just an ugly webpage: Google actively blacklists websites that are known to be infected with malware (currently 700,000+), rendering the sites invisible to searches or marking them with a warning not to visit. The idea of not having a searchable web presence is unacceptable.

Passen needed to remediate immediately, and after a few weeks and three separate attempts by hired professionals to remove the malicious script, Passen’s site was finally back to an uninfected state. But what did he lose by not preparing for a situation like this? He put it best himself by saying: “It will easily cost us a couple thousand dollars to remedy, and I can’t tell you what the costs are in terms of lost business opportunity.”

What Could Passen Have Done?

Matt Passen could have dedicated a considerable amount of time each day to manually checking his site for unsolicited changes. He could have downloaded his site’s source code and compared it line-by-line to a prior version in order to detect discrepancies between the two. If he found something that didn’t look right, he could roll back to an earlier rendition of his site by finding that version’s source code and pushing it onto his server. If he had done this each day, he would have caught and eradicated the malware in a shorter timeframe, and with less damage.
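The comparison described above, and the difficulty of finding an inserted backdoor by hand noted in the CVE-2014-3704 post earlier on this page, come down to the same mechanical task: record a fingerprint of every file in a known-good copy of the site, then compare the live tree against it. The following is an added example and not CodeGuard's code; it builds a SHA-256 manifest of a directory tree, diffs two manifests into added, removed and modified files, and runs itself on a small constructed site tree in which a file is altered, a file is dropped in and a file is deleted (the "tampering" is simulated text, not real malware).

```python
"""Baseline-and-compare file integrity check for a website document root.

Added example, not the service's own code. Assumes the site is a directory
tree of files; content stored in a database is out of scope.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK_SIZE = 1 << 16  # read files in 64 KiB pieces so large uploads do not load into memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root_path).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: Dict[str, str], destination: str) -> None:
    """Persist a baseline as JSON; keep this copy off the web server it describes."""
    Path(destination).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(source: str) -> Dict[str, str]:
    return json.loads(Path(source).read_text())


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between a known-good baseline and the live tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed site tree: take a baseline, simulate unauthorized changes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "includes").mkdir()
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "includes" / "bootstrap.inc").write_text("<?php // framework code\n")
        (site / "robots.txt").write_text("User-agent: *\n")

        baseline = build_manifest(str(site))
        save_manifest(baseline, str(site.parent / "baseline.json"))

        # Simulated tampering (constructed text, not real malicious code):
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n<?php /* appended line */ ?>\n")
        (site / "includes" / "extra.php").write_text("<?php // unexpected new file\n")
        (site / "robots.txt").unlink()

        current = build_manifest(str(site))
        return diff_manifests(load_manifest(str(site.parent / "baseline.json")), current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running demo() reports index.php as modified, includes/extra.php as added and robots.txt as removed. Two points matter when using this for real: the baseline must be written to, and compared from, a machine other than the web server, because anyone who can write files there can also rewrite the manifest; and a file manifest only covers the file system, so a change made to content held in the site's database is not visible to it.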

Unsurprisingly, Passen didn’t do any of that. Shifting focus away from day-to-day professional responsibilities in order to manually monitor a website isn’t a feasible option for most. Luckily, it isn’t the only option.

CodeGuard, a cloud-based website backup, monitoring, and restore service could have easily lessened Passen’s burden. After a simple initial backup, CodeGuard monitors each site for malware every hour and completes daily scans for file changes. Should a site become compromised, the user receives an email notification from CodeGuard. But it doesn’t stop there: we store every backup taken of your site, so someone in a situation similar to Passen’s can choose a prior version and quickly restore their site back to an uninfected, fully functional state.

Law Firms Need CodeGuard

Law firms are prime targets for hackers because website security is not currently a priority in the legal industry; regulation, competition, and client-servicing dominate mindshare. Here are two things law firms stand to lose by not focusing on properly protecting their websites:

1. Losing potential clients: without a searchable web presence, site traffic will plummet. In today’s search-dominated lifestyle, you will lose industry traction by not appearing to potential clients looking to utilize your services.

2. Losing credibility: current and prospective clients may perceive your firm as unprepared and insecure, and choose to take their business to a competitor whose site and content hasn’t been tampered with.

CodeGuard is part of a solution that helps protect against real struggles that law firms face, and should firms encounter difficulties with their website, can help to quickly remediate the problems. Law firms have enough things to worry about – the website shouldn’t be one of them. Talk with your IT department or webmaster about giving CodeGuard a try before it’s too late, and gain peace of mind that you never knew you could have!

-Sarah

How to Enable HTTPS Security on LinkedIn


Logging into social networking, WordPress, or any other website via a public WiFi hotspot could be risky because somebody using a cookie-sniffing tool, such as Firesheep, can hijack your session cookie and get full access to your account—unless you are using https. On Feb 7, 2012 LinkedIn announced a feature that allows users to turn on https, and thus prevent session hijacking. The feature is currently opt-in, but will be rolled out to all users “in the next coming weeks.”

The https switch is not that easy to find in the LinkedIn settings. After logging in, select your name in the upper right corner, choose Settings, then click Account in the lower left, and Manage security settings at the bottom. Click the check box in the pop-up window.