53 comments

[ 3.6 ms ] story [ 42.7 ms ] thread
I wonder if the point of the botnet is to get SERPs from Google? They stopped letting you know quite a bit of information about keyowrds, rankings, etc. a while ago.

Seems like there is lots of potential for blackhat SEO with this type of botnet.

Hm interesting, good point. Would have to check if the API returns the same results as the real search listings...
It's fairly easy to get serp just by spinning up some ec2 instances. You can make a good number of requests just by providing proper headers. That is, assuming the last guys using that ip didn't just do the same and get rate limited. All this to say this seems to be a lot of trouble just for SERP results.
I was also thinking that if competitors showed up in the results you could then use the botnet to then link bomb them?

I agree that it does seem like quite a bit of effort for an undetermined purpose though...

tl;dr Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.
(Like tracking CSS pseudo-classes or CSSi.)
This is why you disable flash and run NoScript.
No. It is offering an executable pretending to be a flash player installer. Nothing to do with actually running flash.
I realise that. It is just generally good advice to disable flash.
Well, to be fair, you did say "[what the article talks about]. . . is why you disable flash," not "it's generally good advice to disable flash."
I concede, I could have phrased that better.
This is the whole reason Sucuri [1] exists and blew up in popularity shortly after it launched. If you are running Wordpress, I'd definitely recommend Sucuri.

If you don't have a paid plan, at least run the free scan once a month or more to make sure you weren't hit by anything. I don't mind Wordpress as a CMS, but it is a constant target. Constant. And nothing looks worse than having "Cheap Canadian Viagra" at the bottom of your corporate website.

[1] https://sucuri.net/

Can you run it from the outside? Where can I find more on the free offering?

(Obviously asking for my former employer... the haven't understood or fixed the problem yet.)

Ah found it: https://sitecheck.sucuri.net/

At least the pages I looked today at aren't recognized by this external tool. Only green checkmarks, also the "List of scripts included" doesn't see the 2 scripts added dynamically by the injected code in the post.

The Wordpress plugin would probably do a better job.

Hi Sujan

Can we get a list of the domains you scanned that weren't recognized?

Thanks

Done, Celise should have them on your site's chat tool.
Seems like it would be very hard for it to catch everything from the outside. I've seen malware that only presents itself to clients with a Referer from Google or an iPhone user-agent, for example
100%. Although in this case the html posted in the blog post is present on all requests, all the time.
Yup

What you're referring to is Conditional Malware. We actually do very well with that, but there are no 100% solutions. There are also things that are hard, like Defacements and environments used for Phishing Lures..

All great points

You can have a look at WordFence as well which comes free of charge (and there are paid plans). It does checksumming and guards your login page. https://www.wordfence.com
No one security solution is enough. While I also like Sucuri, it's Malware scanner tool missed a handful of infections on a recent clean up job. Microsoft Security (or whatever they're calling it now) actually found more (once I downloaded the site's files via FTP)

Moral of the story, don't rely on just a plugin, or a tutorial for your WP security.

Hey @josefresco

Do you have any samples? One of the biggest reasons for this is if it's endpoint malware, versus website malware. Two very different things as you might know. Regardless, would love some samples if you any.

Tony

(comment deleted)
(going to give context for his ask + big up @perezbox here -- he's the CEO of the awesome Sucuri)

@perezbox - you might want to mention that in your HN Profile. :)

I do have a recent example - worked out the issues with WPEngine, but it took quite a few scans. I believe they work with you, so you're probably already aware. Prior to being hosted with WPE, we used the Sucuri plugin but all scans were clean.
I had a client who had a security plugin installed and they were getting constant alert notifications about hack attempts. Thousands of login retries, even though there was brute-force protection. The attempts would come from a whole botnet of IP addresses to disguise that they were part of one attack.

On top of the security plugin, I added an .htaccess rule to only allow access to the admin login and the entire wp-admin subfolder from within their office. They have a static IP and were OK with only having access from within the office so this worked well for them. This pretty much ended all of the attacks. I probably wouldn't rely on this as the only protection, but it definitely has been a great piece of their overall security plan. The code to do that is here:

https://gist.github.com/jasonhinkle/966aee379b170f365e6f

I'm curious, what security tools did you have in place that were failing to stop the attacks?
Ironically I can't login to their site from my current IP to see what security plugin they are using!

It was stopping the attacks - it was just that the attacker would try 10 password attempts, then get blocked by the plugin and trigger the alert message. Then the attacker would switch IPs and try 10 more. One morning they had gotten a ton of messages and I found about 250k login attempts in the security logs. So the plugin was doing it's job, but it's better now that the attacks don't even make it that far. In fact you can't even hit a page within the wp-admin folder which is nice in case some type of zero-day exploit surfaces on a file within that area.

Sounds like WordFence. Email notifications are configurable. Turning off most of them is advisable. I've had trouble with users with nominally static IP addresses changing with sufficient frequency to be too much of an annoyance to stay with IP whitelist. Limiting the failed login attempts and maxing out the lockout period cuts down on a lot of the bot activity.
Another approach is to setup a small VPN that also gets access, though it's not as cost effective for smaller organizations.
(comment deleted)
Doesn't that break admin-ajax.php access? It sits behind /wp-admin/. WordPress recommends allowing access when using IP whitelists.

Apache:

  # Allow access to wp-admin/admin-ajax.php
  <Files admin-ajax.php>
      Order allow,deny
      Allow from all
      Satisfy any
  </Files>
Nginx:

  location /wp-admin/admin-ajax.php {
    allow all;
  }
Ah, interesting. I guess their theme didn't use any ajax features. But, to be safe I updated my gist to exclude that file.
I recently installed Drupal on my new domain / website (it has an .xyz extension) and a certain IP was trying to hit all sorts of WordPress related links.
I have a Wordpress plugin with ~100k active installs. Recently I've started getting emails from people wanting to buy the plugin from me. I'm assuming they want it for a botnet or other nefarious purposes. I'm not sure if Wordpress have stepped up their monitoring of plugins or not, but in past there was little oversight of the plugins and adding a direct backdoor to those 100k servers would be trivial, not to mention the millions of people that could be reached via JavaScript injection.
May I ask how much they are offering?
$150.00 USD for every 1,000 installs.
Wow, that's a lot of money. Thanks for not taking it. (You didn't, right?)

Btw: still wearing my Torbit shirt sometimes ;)

No, I didn't take it. Saving it for my own botnet. ;)

And awesome! Really happy to hear you're still enjoying your Torbit shirt.

That's a surprising amount. I'd imagine if its spammers or something, I would be highly suspicious of their payment being legit (stolen PayPal account or something).

I have almost 500k plugin installs, I'd sell my plugin for that amount if I knew it was going to a legit company!

Over the summer I tried taking over a few abandoned Wordpress plugins, some of which had a similar number of installs. Before they would even try to get in touch with the authors they wanted to see my updated code and made sure it was up to current Wordpress standards. Once you have access to the plugin repo you are free to push whatever you want though without review...
"Without review" is not quite true. Some of us get an email for every commit. Not kidding. Helps a lot for the scanning of things.
I meant more that code can be pushed to the repository without it being reviewed first, not that nobody is looking at it. If someone does push something bad are there systems in place to blacklist a plugin and remotely remove it from an install (and possibly contact the install owners)?
> are there systems in place to blacklist a plugin and remotely remove it from an install (and possibly contact the install owners)

We have automated scanning systems for suspicious code commits. If they occur, me and a few others get an email for manual review of the problem. Additionally, many others get every commit and set up their own scanning tools to see what's happening, as it happens.

When something-bad™ happens, then we can close a plugin (block it from being downloaded or found in searches), revert changes or otherwise manually adjust any aspect of the plugin, and if necessary, push updates for it to any WordPress installs that have it.

Realistically, bad actors are not generally a problem for the plugins system. I can count on one hand the number of times this has occurred to the point where we'd need to actually push code. The real problem we're fighting is accidental security issues. While WordPress core is quite secure, plugins have much less eyes on the problem, and a lot of plugin developers are relatively new coders. Things like simple SQL injections still pop up from time to time in plugins, and that's a big problem.

So, the security issues with with plugins repository is not really about some malicious person out there. Malicious people tend to be dumb spammers. They're easy to spot and protect against, because they're only after the low hanging fruit. What we mostly try to find are the things that good coding practices would protect against, because not everybody uses good coding practices. Those tend to be harder to scan for on an automatic basis.

Thanks for the explanation, keep up the good work!
We do monitor that sort of thing. Very closely. Oh, and I got that email too. They didn't really vet that email list very well, or they would have been smarter about it. :)
Did you consider taking the money and refusing them access? Beat them at their own game.
Stealing from ganster is almost never a good idea...
The domain hosting one of the files seemed too legit to me, so I checked and it's an actual website of a Brazilian company,http://cjccontabil.com.br/, seems whoever built the website got a WP (free I assume)theme from somewhere which happened to include this malicious file(/wp-content/themes/Hermes/main1.js). I guess folks are downloading free stuff and hosting them at their websites without inspecting the content of all files, so if you think you're safe by just making sure your system is injection-proof, think again, are you using some theme or plugin downloaded from somewhere on the web and if so have you checked every single file included?
The theme directory is a common target for code injection, as it is often set with writeable webserver-user permissions, in order to allow the admin to use the backend theme editor.

Almost all of the compromised accounts I've dealt with over the years were the result of outdated WordPress or plugin installs, where an exploit was used to upload a file to one of the commonly known writeable directories: plugins, uploads, or themes.

Most of those cases could have been prevented if the owner would have kept their installs up to date, which makes these issues so frustrating to deal with.

How botnets are created with hijacked Worpess, fake Flash downloads, Node.js and Microsoft Windows ..