Security Journalists Should Be Focused on Sucuri Failing to Properly Clean up Hacked Websites Instead of Non-Notable Malicious Code

When it comes to the poor state of web security, what is badly needed is security journalism that exposes what the many unscrupulous security companies are up to and how they take advantage of their customers. Instead, what we have found is that security journalists act more as a marketing department for those companies.

One such security company is Sucuri, whose customers frequently bring us in to re-clean hacked websites after Sucuri has not even attempted to properly clean them. One of the things we have often found that they haven’t done is try to determine how the website was hacked. That is a problem for the cleanup, since you need to know how the website was hacked to be sure that the vulnerability has been fixed, and because we have often found that Sucuri is missing parts of the hack code that could have been spotted if they had done the work needed to try to determine how the website was hacked. But the larger issue with this company not doing that is that their main service is supposed to protect websites from being hacked in the first place, which, in all likelihood, is going to be difficult if you don’t know how they are being hacked.

Sucuri’s own marketing speaks to the fact that they don’t seem focused on actually protecting websites, as on their home page they tout a number of stats about the service, not one of which is related to the effectiveness of protecting websites:

The number of cleanups might be an indication of their failure to do that, if many of those are cleanups of existing customers’ websites (assuming the stats are even true).

You don’t have to take our word that Sucuri doesn’t try to determine how websites are hacked. A recent article on the security news website Threatpost, Stealthy Malware Disguises Itself as a WordPress License Key, mentions that in passing, when it should be the focus of the story. Instead the focus of the story is in itself not newsworthy, as it reports on Sucuri describing a dime-a-dozen situation where malicious code has been added to the functions.php file of a WordPress theme. What might be newsworthy is how that code got there, but Sucuri didn’t even attempt to determine that:

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

Getting access to the logs would have been a basic part of the work of a proper cleanup and shouldn’t be difficult.

How this person would know how this type of hack generally happens if they are not doing the work to determine that seems like an obvious question to ask them, but it would appear that Threatpost wasn’t interested in digging deeper into an employee of this company admitting to cutting corners in the work they are doing. (You also have to wonder why someone is called a “security analyst” if they don’t actually do security analysis.) One explanation for the lack of critical coverage of the security industry by Threatpost, in this instance and in general, is that Threatpost itself appears to be owned by a security company.

The Repercussions of Failing to Properly Clean Up Your Hacked Website Are Not a SiteLock Scam

When it comes to the poor security of websites, the unfortunate reality for a company like ours that actually tries to improve security is that much of the security industry is only really focused on taking advantage of people (whether intentionally or because they don’t have even a basic grasp of security), and many people with real security issues are often not interested in getting things properly dealt with, instead looking for magic fixes. The end result is that legitimate security companies suffer, while scammers that sell people things that don’t work, but market them with fantastical claims, prosper.

On one side of that, take the company SiteLock, which we have seen taking advantage of people for years, by doing things like selling security services that claim to provide incomparable security but don’t even attempt to actually secure websites, or trying to sell unneeded security services based on phishing emails. Much of what they are up to could accurately be described as a scam, but in addition to having people come to us after being scammed by them, we often deal with people who have not been scammed by them yet, but only seem interested in claiming they are being scammed by them instead of being interested in actually dealing with a real security issue with their website.

One recent example of that came from someone that contacted us directly and also left a long comment on one of our posts about SiteLock. In their case what seems pretty likely to be going on is that they have not been properly cleaning up their hacked website and are then blaming their web host and SiteLock for the repercussions of that.

At the core of this is something we often hear about, but don’t quite understand since it seems to ignore clear information provided by web hosts and common sense.  Mentioned in their comment was that they were simply removing files listed by their web host as being malicious:

The few files I found in the scan report took like 3-minutes to remove and had nothing to do with the domain.

Doing that isn’t enough, as among other things, those files had to get on the website somehow, so you need to try to figure out how that is happening. Not all that surprisingly the issue then kept occurring, but that didn’t cause them to consider changing course.

The more important issue with that, though, is that their web host would usually mention when listing the files they noticed are malicious that removing them is not enough. Here, for example, is the boilerplate text that someone else who contacted us recently received from the same company along with the list of impacted files:

Please Note: While the content listed was specifically reported, it may not be a complete list of all infected content on your website. It is very common for additional infected content to exist and not be captured in our report. For this reason, we highly recommend that you review all of your website content as well as your entire cPanel account to help prevent further security issues and malware reports. Not doing so could leave your website vulnerable to another infection.

So you have someone repeatedly ignoring the advice of their web host, which relates to something else the web host warned about:

For the safety of our servers and your website visitors, repeated reports of malicious content on your account within 60 days of this initial notice will lead to necessary further actions, which may include permanent suspension.

When we replied to this person to point out that you can’t just remove the files and that we haven’t had any of the issues they are complaining about when we have been hired to do a proper cleanup, they just steamrolled forward with their belief that their web host and SiteLock were up to shady behavior. So our time was just wasted there, as they were no closer to getting things properly resolved. Instead they said their next move was to move to a new web host, which wouldn’t resolve the hack, just cause a new web host to have to deal with having a hacked website on their systems.

We really can’t emphasize enough that if your web host is telling you your website is hacked, after confirming the claim is accurate, you or someone else needs to properly clean up the website, otherwise you are likely to have additional problems that could have been avoided.

Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone that had gotten a phishing email made to look like it was from Bluehost, who, when they then contacted the real Bluehost, was subjected to an attempt to sell them a security service they didn’t need, since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own, since they were trying to sell someone security services they largely couldn’t effectively use: their website is hosted with Squarespace, so much of the SiteLock service wouldn’t even work and other parts wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly the domain used for the phishing is also a Bluehost customer (maybe that is from someone that fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that was sent by SiteLock trying to sell this person on the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to ensure that there is actually a situation that could use SiteLock’s input. The person that received this is not named Vish (or anything close to that) despite it being addressed to someone with that name.

You’ll notice they claim that the website has been infected, despite that not being the case or even what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before your website has been infected and we need to clean it as soon as possible before it’s suspended by the host. The reason your website was found with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also a Firewall blocks any malicious traffic and hacking attempts from entering your website in the first place, it’s the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
– Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site

OneHourSiteFix Introduces Arbitrary File Upload Vulnerability on Websites Using Their Service

We are often brought in to re-clean malware infected or otherwise hacked websites after other security companies have failed to get things fully cleaned up. Recently though we were brought in to deal with a high profile website (one where we were later contacted by the FBI during their investigation into it) where not one, but two companies had failed to do anything meaningful to clean it up. One of them, Sucuri, we already were well aware likely wouldn’t do a good job, based on everything we had seen while repeatedly cleaning up after them. The other company is one that we don’t have as much experience with, though from everything we have seen it wasn’t surprising they hadn’t handled the situation well. But something we noticed makes them much worse, since they are introducing a serious security vulnerability on their customers’ websites when they are supposed to be cleaning them.

The company’s name is OneHourSiteFix. Just the name indicates they likely don’t do a good job since you are unlikely to be able to properly clean up most websites in that time frame. As we mentioned in a previous post related to strange claims they make, it seems impossible they could do what they claim to do in that time frame seeing as they claim to:

manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned

In the case of the high profile website they don’t appear to have accomplished anything positive. They did add a couple of files that actually introduced a serious security vulnerability, which we will discuss in a bit.

Another instance of interaction with their work came a couple of months ago when we got sent this email from them:

Hi there,

We have cleaned and replaced the hacked version of this site. Also, we have placed the website behind an enterprise grade web application firewall to ensure this site has a high level of protection against future attacks.

https://www.virustotal.com/#/url/9eb38ae785eeeca21b344ead39cf595b0bdb5f991c60c6ac630e6e628bc34678/detection

Could you please review and remove the blacklisting as soon as possible?

We don’t blacklist websites nor do anything close to that. Looking at our logs we found that they landed on our website on a page titled Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced, which has nothing to do with us blacklisting websites. You would have to be very confused to believe otherwise based on that page, but they did.

They seem to make a fair number of strange requests like that, considering a quick search pulled up instances of them requesting blacklist removals for websites well after the removal had already occurred.

With that complete lack of attention to detail what else we noticed about them isn’t surprising.

OneHourSiteFix Makes Their Customers’ Websites Vulnerable

At the point we were brought in to clean that high profile website there were still files from OneHourSiteFix on the website in a directory appropriately named “ohsf”. In that directory was another directory named “upload”. That directory in turn contained a file that allowed anyone to upload arbitrary files to the website. The file used to handle that was recently in the news for the real but overstated security risk introduced by it. In this case there were no restrictions on what types of files could be uploaded through it or on who could upload files, so a hacker could use it to place malicious .php files on the website and gain full access to the website, which seems like something that a company that is supposed to be cleaning a website shouldn’t be making possible (even if it is hopefully only temporary).

What was also interesting in this situation is that Sucuri flagged a number of the files in the “ohsf” directory as being “malware” and removed them, but didn’t notice the file with the serious security issue.

The Poor Quality of Web Security Products and Services Can Lead To a False Belief That Websites Have Been Hacked

We think a baseline requirement for using any web security product or service that claims to protect websites should be that there is evidence that the service is effective. That would preferably be evidence from independent testing. What we have found though is plenty of products and services not only don’t provide that, but their marketing materials actually indicate that the services fail to secure websites. For example, SiteLock’s idea of security seems to revolve around dealing with after effects of websites being hacked instead of stopping them from being hacked in the first place, which isn’t security.

Even with what SiteLock claims to do instead of securing the website, they don’t provide evidence they are effective at it. We have seen plenty of evidence to the contrary. The latest example is also a reminder of another issue we sometimes see with security products and services: they lead people to falsely believe that their website has been hacked, so instead of securing a website they lead people to believe that the website is insecure. That might be good for security companies, since it can mean more business from dealing with phantom hacks and more fear leading to more purchases of services that don’t have to work, but it, like so much else from the security industry, is bad for everyone else.

The other day we were contacted by someone using SiteLock’s services, for a second opinion on a claim from them that a website was infected with malware. We were sent the following screenshot from SiteLock’s website:

While that does claim that the website contains malware, the signature listed, SiteLock-HTML-SEOSPAM-fkl, seems to actually indicate that spam content was detected. From what we have seen SiteLock labels any indication that a website has been hacked as malware. We don’t know if they don’t know what malware actually refers to or if this is done to make what they are detecting sound more concerning than it really is, but it is sometimes very misleading. In this case they also make this sound very concerning by claiming the severity is “Urgent”.

The sample provided for the supposed issue doesn’t appear to be related to malware or spam. Instead it just shows a link to another page on the website and harmless HTML code generated by the WPBakery Page Builder plugin for WordPress. We also didn’t find any other indications of a spam hack on the website, so this “Urgent” situation seems to really be a false positive.

Considering that their service is supposed to provide “security” by detecting and removing malware, the poor quality of their scanner makes it unlikely that they could even accomplish effective detection, much less effectively remove what they find.

This was apparently the third time that SiteLock had claimed that there was malware on the website. Based on the quality of the claim in this instance, it seems unlikely it was the only false positive.

You Also Shouldn’t Be Relying On SiteLock to Clean Up Hacked Websites

Part of what makes us have such disgust at so much of what goes on in the security industry is that we see the damage that so many of the people and companies in it cause, over and over. Just yesterday we were discussing the mess caused on one website by Sucuri’s poor attempts to secure and clean the website. That isn’t an isolated incident with them and it isn’t justified in any way; instead that is the type of company that shouldn’t even be in business, since they either are simply unable to do the work they claim to be able to do or intentionally don’t do things right. That not only harms their own customers, but they make everyone less secure by spreading false information and doing things that make all websites less secure (like not determining how websites are hacked, which is needed so that unfixed issues can be resolved). They are not alone in this.

Just a couple of days ago we got yet another example of that type of issue with a company named SiteLock, which also isn’t an isolated incident when it comes to this particular company. In this case they were hired to clean up a hacked website. After the clean up, there were errors and the owner of the website was unable to edit the website (possibly because of the web application firewall that was put in place on the website, which isn’t an isolated issue with WAFs). When SiteLock was contacted about those errors they said that there now was more malware on the website and an additional fee was going to be needed over the $500 just paid, to deal with that.

If you just cleaned a website and there is immediately malware on it again, that means you didn’t get things properly cleaned up the first time, so charging more money to deal with that seems highly inappropriate to us. It certainly isn’t something we would do.

An easy way to avoid ending up in a situation like this is to avoid hiring SiteLock. We can’t emphasize enough how many problems caused by this company we have dealt with over the years that should never have happened if they had an interest in doing things right.

When Sucuri Doesn’t Really Protect Your Website It Shouldn’t Be Surprising Their Cleanups Cause Problems As Well

We recently had someone contact us who was looking for a service that would protect their website from being hacked and clean up the website if it did get hacked. There is what seems to us to be an obvious issue with that, which is that cleaning up hacks wouldn’t be necessary if the website was being successfully protected from being hacked. It also seems like a bad idea to expect that if a company is providing a service where half of it doesn’t work, the other half will actually work well. When it comes to services that offer both of those things, our experience is that their providers usually are not just bad at both, but don’t even attempt to do the work that would be needed to do them properly.

As a case in point, we were contacted by someone last week that was using Sucuri’s service that provides both of those. The service failed to protect the website from getting infected with malware. Sucuri’s first cleanup failed to stop it from getting infected again (or didn’t fully clean it up), which is not at all surprising based on the many previous instances where we have been brought in to re-clean things after they failed to even attempt to do things properly.

After the second cleanup the website was broken. Once Sucuri fixed that issue, it was broken in another way, at which point the owner of the website contacted us.

There really isn’t any reason that anyone should be relying on Sucuri at this point (which was equally true years ago as well). They have shown they lack an even basic understanding of security and their own marketing material indicates they are not focused on providing effective protection. They fail to properly deal with hacked websites with even the most serious hacking issues or high profile websites (we were recently hired to re-clean a hacked website they failed to clean, for which the hack was being investigated by the FBI).

Your Web Host Might Cause Your Website to Be Broken In Trying to Secure It

A lot of our business cleaning up hacked websites involves people hiring us to clean up their website after someone else had been hired to do that but failed to even attempt to do things properly, so we are not surprised at most of what we see done instead of doing that, but there is the occasional exception.

We were recently brought in to clean up a website after a web host was supposed to have handled that, but they didn’t seem to have made much of an attempt at it. What we found was that they had failed at some basic things that should have been the easier parts of the cleanup. That included failing to remove the malicious JavaScript code that they knew a web based scanner had (correctly) identified on the website, despite it being added to files on the website in a non-obfuscated way, so a simple search of the files would have found it. They also had failed to enable the archiving of logs of requests to the website, which could have been done through cPanel and would have made it easier to spot the malicious file that was allowing a hacker to continue to access the website.

What stood out was something they claimed they had done:

Another thing I did to help prevent this from happening again in the future, I created a two-user system for your WordPress admin. What this does is it assigns a front-end user that has just enough permissions for the site to display, but not enough for people visiting the site to make changes, without logging in. It also has a back-end user that applies whenever someone logs in, that has all permissions.

Many of those who use WordPress, even those not familiar with security, would probably find that odd sounding. You normally don’t have to be logged in to WordPress to view the website, and when not logged in, not surprisingly, you normally can’t make changes to the website. This website was a run of the mill WordPress website, so that was all true for it.

When we went to see what had actually been done we found that there was only one WordPress user, so either they were not referring to a WordPress user or they hadn’t done what they said. One possible explanation was that they were referring to another database user with only read access, which would not really match what they described and seem like a bad idea as WordPress isn’t designed for doing something like that.

In checking into this we found they were referring to a database user and they had created a bit of a mess.

While it looks like they intended to create a database user that was read only, as the two database user names were identical save for a “ro” added to the end of one, that wasn’t actually what they had created. The “read only” user has the following privileges: DELETE, INSERT, SELECT, UPDATE. As you might be able to guess from some of those names, that user doesn’t just have the ability to read things, but to make significant changes.

It turns out, though, that they didn’t set up a dual user situation, so only that user was being used. That was a problem, since privileges the user was missing were needed by WordPress in the course of normal functioning. In the error logging we could see this had caused actions a security plugin was trying to take to fail.
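To make the database privilege point concrete, here is an added example (our illustration, not code from the page or from the web host involved) that parses the lines MySQL prints for SHOW GRANTS and reports, per user, whether the user is actually read only and which privileges a WordPress site needs that are missing. The sample grant lines are constructed, including a user named like the “ro” user above that holds INSERT, UPDATE and DELETE. The set of privileges treated as needed by WordPress is our assumption for this example (WordPress’s installer expects full rights on its database, and plugin installs and upgrades create, alter and drop tables), not a list taken from the page.

```python
"""Work out what a MySQL user can really do in a WordPress database.

Added example: parse SHOW GRANTS output and classify each user. The
grant lines below are constructed, not taken from any real server.
"""
import re

READ_ONLY = {"SELECT"}
WRITE_PRIVILEGES = {"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER", "INDEX"}

# Assumption for this example: a normal WordPress site reads and writes rows,
# and core/plugin installs and upgrades create, alter, index and drop tables.
WORDPRESS_NEEDS = READ_ONLY | WRITE_PRIVILEGES

# Matches "GRANT <privs> ON <db>.<table> TO <user>@<host>" (quotes vary by MySQL version).
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)", re.IGNORECASE
)


def parse_grants(lines):
    """Return {'user@host': {'db': set(privileges)}} from SHOW GRANTS output lines."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        user = m.group("user").replace("`", "").replace("'", "")
        db = m.group("scope").replace("`", "").split(".")[0]
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        grants.setdefault(user, {}).setdefault(db, set()).update(privs)
    return grants


def effective_privileges(grants, user, database):
    """Privileges `user` holds on `database`, expanding *.* and ALL PRIVILEGES."""
    privs = set()
    for db, names in grants.get(user, {}).items():
        if db not in ("*", database):
            continue
        if names & {"ALL PRIVILEGES", "ALL"}:
            privs |= READ_ONLY | WRITE_PRIVILEGES
        else:
            privs |= names - {"USAGE"}  # USAGE is MySQL's "no privileges" marker
    return privs


def is_read_only(privs):
    """True only if the user can read and cannot change data or schema."""
    return bool(privs) and not (privs & WRITE_PRIVILEGES)


def missing_for_wordpress(privs):
    """Privileges from the assumed WordPress baseline that the user lacks."""
    return WORDPRESS_NEEDS - privs


# Constructed SHOW GRANTS output: the normal site user, a user that was
# meant to be read only but can write rows, and a genuinely read-only one.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `wpdb`.* TO 'wpuser'@'localhost'",
    "GRANT USAGE ON *.* TO 'wpuserro'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wpdb`.* TO 'wpuserro'@'localhost'",
    "GRANT SELECT ON `wpdb`.* TO 'reports'@'localhost'",
]


def report(lines=SAMPLE_GRANTS, database="wpdb"):
    """Per-user summary: is it read only, and what would WordPress be missing."""
    grants = parse_grants(lines)
    summary = {}
    for user in grants:
        privs = effective_privileges(grants, user, database)
        summary[user] = {
            "read_only": is_read_only(privs),
            "missing": sorted(missing_for_wordpress(privs)),
        }
    return summary


if __name__ == "__main__":
    for user, info in report().items():
        print(f"{user}: read_only={info['read_only']} missing={info['missing']}")
```

Run against real output, the script flags the “ro” user as not read only (it can insert, update and delete rows) and lists CREATE, DROP, ALTER and INDEX as the privileges a plugin install or upgrade would fail on, which is the kind of failure the error log above was showing.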

That seems like a good reason to be wary of having a web host clean up a hacked website, but tomorrow we are going to be discussing another recent instance where a prominent security company failed to clean up a website the first time, then on the second go around managed to break the website and then break it some more.

Making an Unnecessary Change to a Website That Breaks Updates is Not Good for Security

There is a nearly endless amount of bad security advice for websites, so someone has to try hard to make theirs stand out, but that is what something we recently ran across from a company named ENDURTECH did.

Their post, https://endurtech.com/setting-proper-chmod-permissions-for-wordpress-wp-config-php-and-htaccess/, suggested that you should change the permissions on a couple of WordPress files to the “proper” permissions:

Set CHMOD Permissions to 444 on the following files:

  • .htaccess
  • wp-config.php

Those are not the proper permissions (if they were, you would assume that WordPress would set them that way for you) and they don’t make sense from a security perspective, seeing as permissions only come into play if someone has access to the files. In a normal hosting setup the only people that would have access to the files would also have permission to change the files’ permissions. So if you were to change those as suggested there, which would restrict editing the files, then those with access could change the permissions back to be able to edit the files again, so this doesn’t provide a real benefit for most websites.

Bad advice is very common; what made this stand out is what is stated earlier in the post:

Please note that doing as suggested within this article will no doubt eventually cause issues with WordPress plugin updates and maybe even WordPress core updates.

This is because these files are no longer “editable”. Great for security, bad for updates.

Just keep this in mind and visit your website from time to time to make sure that your updates are completing correctly.

Keeping software updated will actually have a positive impact on security, so they are suggesting doing something that isn’t useful and that, by their own admission, makes something useful harder, which is a bad idea.
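As an added example (ours, not from the page or from ENDURTECH), the following Python script shows both halves of the argument above: it walks a WordPress install and lists the files whose owner cannot write to them, which is the state 444 produces and the reason updates then fail, and it shows that whoever owns the files can simply give the write bit back, which is why the setting is no barrier to anyone who already has access to the files. The sample install it builds in a temporary directory is constructed; the check reads the permission bits rather than attempting a write, so it gives the same answer whether or not it is run as root.

```python
"""Find WordPress files whose permissions would block updates.

Added example. WordPress updates core and plugins by writing to files as
the account PHP runs under (or via FTP credentials), so a file without
the owner-write bit makes those updates fail. The sample tree built
below is constructed, not a real site.
"""
import os
import stat
import tempfile


def non_writable_files(root):
    """Relative paths under root whose owner lacks write permission (no u+w bit)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if not mode & stat.S_IWUSR:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def restore_owner_write(root, rel_path):
    """Give the owner the write bit back (what anyone with file access can do).

    Returns the resulting permission bits as an int, e.g. 0o644.
    """
    path = os.path.join(root, rel_path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample_install(root):
    """Constructed stand-in for a WordPress root: the two files the post
    says to set to 444, plus one file left at the usual 644."""
    for rel, mode in ((".htaccess", 0o444), ("wp-config.php", 0o444), ("index.php", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build the sample install, list update-blocking files, fix them, list again."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_install(root)
        before = non_writable_files(root)
        for rel in before:
            restore_owner_write(root, rel)
        after = non_writable_files(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("files that would block updates:", before)
    print("after the owner restores u+w:", after)
```

Pointed at a real install (non_writable_files("/path/to/wordpress")), this is the check the ENDURTECH post tells readers to do by hand, visiting the site to see whether updates still complete; a non-empty result is the answer before any update has a chance to fail.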

GoDaddy Says That Version of PHP for Which Support Ended 3 Years Ago Meets Their Stability and Security Requirements

You would think that if a web host owned a security company they would be better than other web hosts when it comes to security. With GoDaddy that isn’t the case, though that might be explained by the fact that the security company they own, Sucuri, seems to be completely incompetent. As yet another example of the security issues with GoDaddy, while dealing with a support issue on a website hosted with them we found that they were making this claim about PHP 5.4 on the Programming Languages page of their control panel for the website we were working on:

PHP version 5.4 is available and meets our stability and security requirements.

Support for PHP 5.4 ended in September of 2015.

To make things more confusing, if you click the question mark icon next to the radio selector to use that version of PHP on the page, a message box appears that states:

Version 5.4 is no longer actively supported.

So is the first claim inaccurate or do they have really low standards for “stability and security”?