WordPress Remote Code Execution Vulnerability – How It Works

Recently, security researcher Dawid Golunski released an advisory describing a remote code execution vulnerability in WordPress 4.6 core, in the bundled PHPMailer library. The vulnerability was published under CVE-2016-10033 and could be used by unauthenticated remote attackers against servers running WordPress with default web server configurations. In this post, we will summarize this advisory and explain the technical aspects of the vulnerability. To start, here is a short video of the exploit being executed by the researcher.

According to the WordPress Foundation, more than 40% of WordPress installations are still using versions 4.6 or older and could be vulnerable to this attack. If you are using WordPress, you should make sure to update to the latest version (4.8 at this time) as soon as possible!



Website security and .htaccess files

The .htaccess file is a hidden text file used by the Apache web server to configure your website without the need to create or modify the global server configuration files. It is usually located in the root folder of the website, but it can be placed in other directories as well, depending on which files and folders you want the specified configuration to affect: a .htaccess file applies to its own directory and every directory below it.

This file contains a series of “directives,” similar to those in traditional Apache web server configuration files. Usually, these directives are key-value pair commands indicating whether a feature should be on or off, but they can be more complex (matching groups of files, rewriting URLs, setting headers). The .htaccess file allows anyone in control of a particular set of website content to apply many directives which change the behavior of that site, without access to Apache’s global httpd.conf, as long as the server’s AllowOverride setting permits them.

A typical .htaccess file.

Why is it important?

This file is very important to your website, as it can affect both the availability and the security of your site or application. In this post, we are going to focus on the security functions of .htaccess, although it is important to understand that using a .htaccess file on your server can cause your site to load more slowly (Apache has to look for and parse .htaccess files on every request, in every directory along the path), negatively impacting your visitors, and that it adds complexity to your website or application setup.
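As an added example (this is not the .htaccess from the original post), here is a root-level .htaccess that uses a few of these directives purely for security. It assumes Apache 2.4 syntax (the Require directive) and that the server’s AllowOverride setting permits these sections; it also assumes a WordPress layout, since it protects wp-config.php.

```apache
# Added example .htaccess, not the original post's file.
# Assumes Apache 2.4 and AllowOverride that permits Options, FileInfo and Limit.

# Directory listings off: a missing index file must not expose the tree.
Options -Indexes

# Do not advertise the server version on error pages.
ServerSignature Off

# Keep Apache's own control files and the WordPress configuration unreadable
# over HTTP; the application reads them from disk, visitors never need them.
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php|error_log)$">
    Require all denied
</FilesMatch>

# Defensive response headers (only if mod_headers is loaded, so the file
# still parses on servers without it).
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

A second, much shorter .htaccess placed in the uploads directory (for WordPress, wp-content/uploads) containing only a FilesMatch for `\.(php|phtml|php[0-9])$` with `Require all denied` stops Apache from executing any PHP file that lands there, which is exactly where an uploaded “image” that is really a web shell tends to end up. On Apache 2.2 the equivalent of `Require all denied` is `Order deny,allow` followed by `Deny from all`.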


MalwareGone Threat Analysis – PHP Ransomware

Today we’re going to explore a newer type of threat: ransomware or, more precisely, PHP ransomware. Ransomware attacks have increased greatly over the last few years, and many variations have been created and are still being used in the wild. First, we should define what we mean when we talk about ransomware. We’re specifically talking about a piece of code or software that encrypts your files in place and demands a ransom payment in exchange for the key that decrypts them. So, if you are the victim of a ransomware attack and do not have recent, verified backups, you could be in trouble: you have no other way to retrieve your files besides paying the ransom, unless the ransomware is an older family for which security companies have already created a decryption tool. If you are curious, here is a list of ransomware decryptor tools: http://www.thewindowsclub.com/list-ransomware-decryptor-tools (use at your own risk!)

How does ransomware infect a computer?

Traditional ransomware usually affects personal computers and is delivered by email or by infected websites. Whether it arrives as an email attachment or is served from a hacked website, possibly using drive-by download techniques, the payload may disguise itself as a PDF, as a Flash, Adobe Reader or Java update, or as some other type of executable. According to the PhishMe Q1 2016 Malware Review report, 9 out of 10 phishing emails sent in March 2016 carried a ransomware payload. Read the full report here: http://phishme.com/phishing-ransomware-threats-soared-q1-2016/

[Figure: PhishMe statistics on ransomware payloads in phishing emails]


MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part II

This is the second part of our exploration of the MulCiShell Backdoor and File Uploader, a malicious PHP web shell that was detected on a customer’s website using CodeGuard’s MalwareGone tool. If you haven’t already, take a look at Part I before continuing. In this post, we’ll wrap things up by discussing the vulnerabilities that were found on this site, which may have allowed the MulCiShell Backdoor and File Uploader to be inserted. To pick up where we left off, here is the list of WordPress plugins installed on the hijacked site:

[Figure: plugins folder of the hijacked site, as shown by MalwareGone]


A search on the WPScan Vulnerability Database reveals a number of public vulnerabilities for some of these plugins. Here are a few examples; in both cases the installed version falls inside the affected range:

1. WordPress Plugin: Akismet

   Version installed: 3.0.4

   Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)

   Versions affected: Akismet 2.5.0-3.1.4

   Source: https://wpvulndb.com/vulnerabilities/8215

2. WordPress Plugin: iThemes Security (formerly Better WP Security)

   Version installed: 5.6.1

   Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)

   Versions affected: <= 5.6.1

   Source: https://wpvulndb.com/vulnerabilities/8635


MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part I

For this installment, we’ll talk about a web shell called “MulCiShell”, more specifically the “MulCiShell v0.2” backdoor file, which is a PHP web shell that we found on another client’s website using CodeGuard’s MalwareGone tool. Here is a snippet of code from this web shell:

[Figure: code snippet from the MulCiShell v0.2 backdoor file]

If you’d like the full version of the file you can find a copy on GitHub.

Doing a little bit of research, we found that the first versions of this web shell date back to 2009, which is really old for malware like this, but it seems that the developer of this backdoor has been maintaining it, as it keeps getting updated with new capabilities and enhancements. As we can see, this web shell has many functions, and there is even a changelog in the comment at the top of the file. This specific version was last updated by someone nicknamed KingDefacer.


CodeGuard Launches Patented Malware Monitoring and Remediation Service: MalwareGone™

ATLANTA, GA. (August 18, 2016) – CodeGuard, Inc. (http://www.codeguard.com), the global leader in cloud website backup services, announced today the release of patented technology which utilizes website backups for automated site remediation in the event of a malware infection.

Coupled with CodeGuard’s ChangeAlert™ monitoring, which provides insight into new zero-day attacks, MalwareGone™ has the potential to transform website protection. Until now, companies have struggled to fix sites infected with malware, with many relying on humans to provide fixes, while others using clunky automated technology end up causing more damage to sites than they repair.

“MalwareGone™ has been a long time coming – we have been waiting for years to release this product”, says David Moeller, CEO of CodeGuard. “The reason there isn’t a product like this on the market is that its foundation is our patented backup technology, which obviously no one else possesses.”

MalwareGone

This isn’t your average malware cleanup tool. Instead of relying on just signatures, MalwareGone™ utilizes actionable intelligence from ChangeAlerts™ and examines the collected information. This approach allows the scanner to discover which files act and look like malware.

It’s designed to discover viruses, trojans, rootkits, spyware and other malware on any websites. It searches for early-life and next-generation malware; the kind of malware that doesn’t yet have a detection signature.

MalwareGone™ removes persistent threats from within the operating system by utilizing prior backups stored in CodeGuard’s cloud. This ensures that remediation happens as quickly, efficiently, and accurately as possible – no more destroyed websites from a “fixing” service.

CodeGuard uses a virtual version control system and stores site data in the cloud. Backups are stored as the differential between each daily scan of the site, providing visibility for users into what has changed along with the ability to undo any changes. Restoring a previous version is as easy as pressing a button.

For additional information regarding this new product, visit http://www.codeguard.com/pages/malware