I wonder if the point of the botnet is to get SERPs from Google? They stopped letting you know quite a bit of information about keyowrds, rankings, etc. a while ago.
Seems like there is lots of potential for blackhat SEO with this type of botnet.
It's fairly easy to get serp just by spinning up some ec2 instances. You can make a good number of requests just by providing proper headers. That is, assuming the last guys using that ip didn't just do the same and get rate limited. All this to say this seems to be a lot of trouble just for SERP results.
tl;dr Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.
This is the whole reason Sucuri [1] exists and blew up in popularity shortly after it launched. If you are running Wordpress, I'd definitely recommend Sucuri.
If you don't have a paid plan, at least run the free scan once a month or more to make sure you weren't hit by anything. I don't mind Wordpress as a CMS, but it is a constant target. Constant. And nothing looks worse than having "Cheap Canadian Viagra" at the bottom of your corporate website.
At least the pages I looked today at aren't recognized by this external tool. Only green checkmarks, also the "List of scripts included" doesn't see the 2 scripts added dynamically by the injected code in the post.
The Wordpress plugin would probably do a better job.
Seems like it would be very hard for it to catch everything from the outside. I've seen malware that only presents itself to clients with a Referer from Google or an iPhone user-agent, for example
What you're referring to is Conditional Malware. We actually do very well with that, but there are no 100% solutions. There are also things that are hard, like Defacements and environments used for Phishing Lures..
You can have a look at WordFence as well which comes free of charge (and there are paid plans). It does checksumming and guards your login page. https://www.wordfence.com
No one security solution is enough. While I also like Sucuri, it's Malware scanner tool missed a handful of infections on a recent clean up job. Microsoft Security (or whatever they're calling it now) actually found more (once I downloaded the site's files via FTP)
Moral of the story, don't rely on just a plugin, or a tutorial for your WP security.
Do you have any samples? One of the biggest reasons for this is if it's endpoint malware, versus website malware. Two very different things as you might know. Regardless, would love some samples if you any.
I do have a recent example - worked out the issues with WPEngine, but it took quite a few scans. I believe they work with you, so you're probably already aware. Prior to being hosted with WPE, we used the Sucuri plugin but all scans were clean.
I had a client who had a security plugin installed and they were getting constant alert notifications about hack attempts. Thousands of login retries, even though there was brute-force protection. The attempts would come from a whole botnet of IP addresses to disguise that they were part of one attack.
On top of the security plugin, I added an .htaccess rule to only allow access to the admin login and the entire wp-admin subfolder from within their office. They have a static IP and were OK with only having access from within the office so this worked well for them. This pretty much ended all of the attacks. I probably wouldn't rely on this as the only protection, but it definitely has been a great piece of their overall security plan. The code to do that is here:
Ironically I can't login to their site from my current IP to see what security plugin they are using!
It was stopping the attacks - it was just that the attacker would try 10 password attempts, then get blocked by the plugin and trigger the alert message. Then the attacker would switch IPs and try 10 more. One morning they had gotten a ton of messages and I found about 250k login attempts in the security logs. So the plugin was doing it's job, but it's better now that the attacks don't even make it that far. In fact you can't even hit a page within the wp-admin folder which is nice in case some type of zero-day exploit surfaces on a file within that area.
Sounds like WordFence. Email notifications are configurable. Turning off most of them is advisable. I've had trouble with users with nominally static IP addresses changing with sufficient frequency to be too much of an annoyance to stay with IP whitelist. Limiting the failed login attempts and maxing out the lockout period cuts down on a lot of the bot activity.
I recently installed Drupal on my new domain / website (it has an .xyz extension) and a certain IP was trying to hit all sorts of WordPress related links.
I have a Wordpress plugin with ~100k active installs. Recently I've started getting emails from people wanting to buy the plugin from me. I'm assuming they want it for a botnet or other nefarious purposes. I'm not sure if Wordpress have stepped up their monitoring of plugins or not, but in past there was little oversight of the plugins and adding a direct backdoor to those 100k servers would be trivial, not to mention the millions of people that could be reached via JavaScript injection.
That's a surprising amount. I'd imagine if its spammers or something, I would be highly suspicious of their payment being legit (stolen PayPal account or something).
I have almost 500k plugin installs, I'd sell my plugin for that amount if I knew it was going to a legit company!
Over the summer I tried taking over a few abandoned Wordpress plugins, some of which had a similar number of installs. Before they would even try to get in touch with the authors they wanted to see my updated code and made sure it was up to current Wordpress standards. Once you have access to the plugin repo you are free to push whatever you want though without review...
I meant more that code can be pushed to the repository without it being reviewed first, not that nobody is looking at it. If someone does push something bad are there systems in place to blacklist a plugin and remotely remove it from an install (and possibly contact the install owners)?
> are there systems in place to blacklist a plugin and remotely remove it from an install (and possibly contact the install owners)
We have automated scanning systems for suspicious code commits. If they occur, me and a few others get an email for manual review of the problem. Additionally, many others get every commit and set up their own scanning tools to see what's happening, as it happens.
When something-bad™ happens, then we can close a plugin (block it from being downloaded or found in searches), revert changes or otherwise manually adjust any aspect of the plugin, and if necessary, push updates for it to any WordPress installs that have it.
Realistically, bad actors are not generally a problem for the plugins system. I can count on one hand the number of times this has occurred to the point where we'd need to actually push code. The real problem we're fighting is accidental security issues. While WordPress core is quite secure, plugins have much less eyes on the problem, and a lot of plugin developers are relatively new coders. Things like simple SQL injections still pop up from time to time in plugins, and that's a big problem.
So, the security issues with with plugins repository is not really about some malicious person out there. Malicious people tend to be dumb spammers. They're easy to spot and protect against, because they're only after the low hanging fruit. What we mostly try to find are the things that good coding practices would protect against, because not everybody uses good coding practices. Those tend to be harder to scan for on an automatic basis.
We do monitor that sort of thing. Very closely. Oh, and I got that email too. They didn't really vet that email list very well, or they would have been smarter about it. :)
The domain hosting one of the files seemed too legit to me, so I checked and it's an actual website of a Brazilian company,http://cjccontabil.com.br/, seems whoever built the website got a WP (free I assume)theme from somewhere which happened to include this malicious file(/wp-content/themes/Hermes/main1.js). I guess folks are downloading free stuff and hosting them at their websites without inspecting the content of all files, so if you think you're safe by just making sure your system is injection-proof, think again, are you using some theme or plugin downloaded from somewhere on the web and if so have you checked every single file included?
The theme directory is a common target for code injection, as it is often set with writeable webserver-user permissions, in order to allow the admin to use the backend theme editor.
Almost all of the compromised accounts I've dealt with over the years were the result of outdated WordPress or plugin installs, where an exploit was used to upload a file to one of the commonly known writeable directories: plugins, uploads, or themes.
Most of those cases could have been prevented if the owner would have kept their installs up to date, which makes these issues so frustrating to deal with.
53 comments
[ 3.6 ms ] story [ 42.7 ms ] threadSeems like there is lots of potential for blackhat SEO with this type of botnet.
I agree that it does seem like quite a bit of effort for an undetermined purpose though...
If you don't have a paid plan, at least run the free scan once a month or more to make sure you weren't hit by anything. I don't mind Wordpress as a CMS, but it is a constant target. Constant. And nothing looks worse than having "Cheap Canadian Viagra" at the bottom of your corporate website.
[1] https://sucuri.net/
(Obviously asking for my former employer... the haven't understood or fixed the problem yet.)
At least the pages I looked today at aren't recognized by this external tool. Only green checkmarks, also the "List of scripts included" doesn't see the 2 scripts added dynamically by the injected code in the post.
The Wordpress plugin would probably do a better job.
Can we get a list of the domains you scanned that weren't recognized?
Thanks
What you're referring to is Conditional Malware. We actually do very well with that, but there are no 100% solutions. There are also things that are hard, like Defacements and environments used for Phishing Lures..
All great points
Moral of the story, don't rely on just a plugin, or a tutorial for your WP security.
Do you have any samples? One of the biggest reasons for this is if it's endpoint malware, versus website malware. Two very different things as you might know. Regardless, would love some samples if you any.
Tony
@perezbox - you might want to mention that in your HN Profile. :)
On top of the security plugin, I added an .htaccess rule to only allow access to the admin login and the entire wp-admin subfolder from within their office. They have a static IP and were OK with only having access from within the office so this worked well for them. This pretty much ended all of the attacks. I probably wouldn't rely on this as the only protection, but it definitely has been a great piece of their overall security plan. The code to do that is here:
https://gist.github.com/jasonhinkle/966aee379b170f365e6f
It was stopping the attacks - it was just that the attacker would try 10 password attempts, then get blocked by the plugin and trigger the alert message. Then the attacker would switch IPs and try 10 more. One morning they had gotten a ton of messages and I found about 250k login attempts in the security logs. So the plugin was doing it's job, but it's better now that the attacks don't even make it that far. In fact you can't even hit a page within the wp-admin folder which is nice in case some type of zero-day exploit surfaces on a file within that area.
Apache:
Nginx:Btw: still wearing my Torbit shirt sometimes ;)
And awesome! Really happy to hear you're still enjoying your Torbit shirt.
I have almost 500k plugin installs, I'd sell my plugin for that amount if I knew it was going to a legit company!
We have automated scanning systems for suspicious code commits. If they occur, me and a few others get an email for manual review of the problem. Additionally, many others get every commit and set up their own scanning tools to see what's happening, as it happens.
When something-bad™ happens, then we can close a plugin (block it from being downloaded or found in searches), revert changes or otherwise manually adjust any aspect of the plugin, and if necessary, push updates for it to any WordPress installs that have it.
Realistically, bad actors are not generally a problem for the plugins system. I can count on one hand the number of times this has occurred to the point where we'd need to actually push code. The real problem we're fighting is accidental security issues. While WordPress core is quite secure, plugins have much less eyes on the problem, and a lot of plugin developers are relatively new coders. Things like simple SQL injections still pop up from time to time in plugins, and that's a big problem.
So, the security issues with with plugins repository is not really about some malicious person out there. Malicious people tend to be dumb spammers. They're easy to spot and protect against, because they're only after the low hanging fruit. What we mostly try to find are the things that good coding practices would protect against, because not everybody uses good coding practices. Those tend to be harder to scan for on an automatic basis.
Almost all of the compromised accounts I've dealt with over the years were the result of outdated WordPress or plugin installs, where an exploit was used to upload a file to one of the commonly known writeable directories: plugins, uploads, or themes.
Most of those cases could have been prevented if the owner would have kept their installs up to date, which makes these issues so frustrating to deal with.
[1] http://meanpath.com/f/j5LK9K