OneHourSiteFix Introduces Arbitrary File Upload Vulnerability on Websites Using Their Service

We are often brought in to re-clean malware-infected or otherwise hacked websites after other security companies have failed to fully clean them up. Recently, though, we were brought in to deal with a high-profile website (one where we were later contacted by the FBI during their investigation into it) where not one but two companies had failed to do anything meaningful to clean it up. One of them, Sucuri, we already knew was unlikely to do a good job based on everything we had seen while repeatedly cleaning up after them. The other company is one we don’t have as much experience with, and while from everything we have seen it wasn’t surprising they hadn’t handled the situation well, something we noticed makes them much worse: they are introducing a serious security vulnerability on their customers’ websites when they are supposed to be cleaning them.

The company’s name is OneHourSiteFix. The name alone suggests they are unlikely to do a good job, since most websites cannot be properly cleaned up in that time frame. As we mentioned in a previous post about strange claims they make, it seems impossible they could do what they claim in that time frame, seeing as they claim to:

manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned

In the case of the high-profile website they don’t appear to have accomplished anything positive. They did add a couple of files that actually introduced a serious security vulnerability, which we will discuss below.

Another instance of our running into their work came a couple of months ago, when we were sent this email from them:

Hi there,

We have cleaned and replaced the hacked version of this site. Also, we have placed the website behind an enterprise grade web application firewall to ensure this site has a high level of protection against future attacks.

https://www.virustotal.com/#/url/9eb38ae785eeeca21b344ead39cf595b0bdb5f991c60c6ac630e6e628bc34678/detection

Could you please review and remove the blacklisting as soon as possible?

We don’t blacklist websites, nor do we do anything close to that. Looking at our logs, we found that they landed on our website on a page titled Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced, which has nothing to do with us blacklisting websites. You would have to be very confused to believe otherwise based on that page, but they did.

They seem to make a fair number of strange requests like that; a quick search turned up them requesting blacklist removals for websites well after the removal had already occurred.

With that complete lack of attention to detail, what else we noticed about them isn’t surprising.

OneHourSiteFix Makes Their Customers’ Websites Vulnerable

At the point we were brought in to clean that high-profile website there were still files from OneHourSiteFix on the website, in an appropriately named “ohsf” directory. In that directory was another directory named “upload”. That directory in turn contained a file that allowed anyone to upload arbitrary files to the website. The file used to handle that was recently in the news for the real but overstated security risk it introduces. In this case there were no restrictions on what types of files could be uploaded through it or on who could upload files, so a hacker could use it to place malicious .php files on the website and gain full access to it, which is something a company that is supposed to be cleaning a website shouldn’t be making possible (even if it is hopefully only temporary).
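For contrast, here is the set of checks a file upload handler should apply before anything is written under a web root: require an authenticated user, accept only an allowlist of extensions, refuse any server-executable extension anywhere in the name, confirm the content’s magic bytes match the declared type, and discard the client-supplied filename. This is an added example written for this post, not OneHourSiteFix’s file or the site’s own code; the allowlist, the magic-byte table, the size limit and the sample uploads are constructed for illustration, and the same logic applies whether the handler is written in PHP or anything else.

```python
"""Upload validation checks (added example, not code from the site in question).

The allowlist, magic-byte table, size limit and samples below are
constructed for this example.
"""
import os
import secrets

# Only these extensions are accepted, and each must match its magic bytes.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions the web server would execute. These are refused anywhere in
# the name after the first dot, so "photo.php.jpg" is rejected as well.
SERVER_EXECUTED = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                   "cgi", "pl", "py", "sh"}

MAX_BYTES = 5 * 1024 * 1024  # constructed limit for the example


def validate_upload(filename, content, is_authenticated):
    """Return (ok, reason) on rejection or (ok, safe_name) on acceptance.

    Nothing is written to disk here; the caller stores the bytes under the
    returned random name in a directory the server does not execute from.
    """
    if not is_authenticated:
        return False, "upload requires an authenticated user"
    if "\x00" in filename:
        return False, "null byte in filename"
    # Keep only the last path component so "../" cannot leave the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return False, "empty or traversal filename"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    if any(p in SERVER_EXECUTED for p in parts[1:]):
        return False, "server-executable extension"
    if ext not in ALLOWED_TYPES:
        return False, "extension not on allowlist"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # The client name is discarded entirely; a random name cannot overwrite
    # an existing file and cannot be predicted by whoever uploaded it.
    return True, f"{secrets.token_hex(16)}.{ext}"


def check_samples():
    """Run constructed sample uploads through the validator."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    samples = [
        ("photo.jpg", jpeg, True),                      # accepted
        ("photo.jpg", jpeg, False),                     # not logged in
        ("note.php", b"<?php echo 1; ?>", True),        # executable extension
        ("photo.php.jpg", jpeg, True),                  # double extension
        ("photo.jpg", b"<?php echo 1; ?>", True),       # wrong content
        ("../../outside.png", b"\x89PNG\r\n\x1a\n", True),  # traversal stripped
    ]
    return [(name, validate_upload(name, data, auth)[0])
            for name, data, auth in samples]


if __name__ == "__main__":
    for name, accepted in check_samples():
        print(f"{name:22} -> {'accepted' if accepted else 'rejected'}")
```

Even with these checks in place, the upload directory should be one the web server is configured not to execute scripts from, and a handler dropped onto a site during a cleanup should be removed when the work is done rather than left behind in a directory like the one described above.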

What was also interesting in this situation is that Sucuri flagged a number of the files in the “ohsf” directory as being “malware” and removed them, but didn’t notice the file with the serious security issue.

OneHourSiteFix’s Crazy Claims About WordPress Websites Being Hacked

Recently we got a spam comment on one of our posts that was meant to provide a link to onehoursitefix.com. The name given with the comment was “how to fix a hacked site” and the comment, which was irrelevant to the post, was:

You might be scratching your head at this point because you are
certainly not sure what tattoo. It is also a classical technique, which started out
for the dancers to seem weightless. s always preferable to let someone
know your location going and which route you.

It probably doesn’t say great things about OneHourSiteFix that they appear to need to promote themselves that way, but that turns out to be much less concerning than the blog post we noticed linked to from their homepage.

The title of the post in the HTML title tag is “WordPress Website Defaced ? Due To A Well Known Security Company ?” and the on-page title is “WORDPRESS PLUGIN VULNERABILITY MEANS MILLIONS FIND THEIR WORDPRESS WEBSITE DEFACED BY HACKERS”. The post is listed as being published on June 26, 2017.

The first paragraph seems to be written by someone who has absolutely no idea what they are talking about:

Free open-source website and blog creation tool ‘WordPress’ has left millions of pages defaced, due to a remote code execution (RCE) feature being added to the package. This feature has allowed hackers to take control of pages using WordPress plugins allowing attackers control over editorial features in order to vandalize pages or even worse execute malicious payloads. Plugins are those great bits of extra software you can add to your WordPress site to do everything from show a map of visitors to show a fancy photo gallery. Plugins however, have always been a l known and documented ‘attack vector’ for hackers. An attack vector being ‘a way in’ or path into a website. The end result is millions of site owners have found their WordPress website defaced by hackers.

What it sounds like this person might be referring to is a vulnerability that existed in WordPress 4.7.0 and 4.7.1, which allowed attackers to change the content of posts and was fixed in January. It wasn’t a “remote code execution (RCE) feature”, and nothing like that has been added to WordPress. The vulnerability could have had more serious consequences on websites with certain plugins that allow PHP code to be run in posts, which might be what the reference to plugins there is trying to get at. Nothing that could remotely be what is described there happened in June, and what did happen in January also doesn’t appear to have impacted millions of websites.

That explanation seems more likely based on the next paragraph (though it again doesn’t make much sense as written):

A well known security firm released a statement saying they had detected multiple hackers seizing control of sites. A backdoor in the protocol allows attackers to inject ads, spam and affiliate links. The security firm expects many more attacks to follow and even advised users to disable the plugins due to attackers using these them to insert malware into any affected website More often than not the old, ‘Hacked By GeNErAL’ ! types of defacement are being replaced by monetising hacks with compromised sites being used to make money for the hacker via the use of paid ads (selling everything from viagra, research chemicals to fake crypto currency exchanges) or redirect them to an ‘online pharmacy’

The fourth paragraph’s claims, quoted below, would also seem to be a confused reference to what happened, as the exploitation only started after it was disclosed that WordPress 4.7.2 had included a fix for the vulnerability, a week after that version was released.

What is also interesting is that before the security company released the details of the hack, very few WordPress websites had actually been compromised. The timeline in which the hack was detected, details released and then the fix released – does arouse suspicions amongst the conspiracy theorists amongst us.

The third paragraph makes a claim that seems crazy:

In March alone, over 45 million of WordPress websites were defaced and infectd. Many websites are still affected with many of their users not even realising that hidden within their blog there is a page that is selling some seedy pharmaceutical product . Often these hacked website pages are only found by using very specific search terms in google so blog owners are blissfully unaware that their sweet and innocent cupcake blog is actually harbouring a deep secret within the blog pages…

If it were true that 45 million WordPress websites had been “defaced and infected” in just that month, that would likely mean that a majority of WordPress websites had that happen to them. While the numbers are only estimates, the figures out there for the total number of WordPress websites are around 75 million, according to a Forbes article from December. Clearly over half of WordPress websites were not hit during that month.

Another Very Odd Claim

In looking at their service there is another element that makes it sound like something is very amiss. One part of their service is cleaning up hacked websites and the other is a web application firewall (WAF) that is supposed to stop them from being hacked again. What is missing is the thing that should tie those together: determining how the website got hacked. If you don’t do that, you can’t ensure that the vulnerability that was exploited has been fixed and that the website won’t get hit again. That would also seem important to making a WAF effective.

Instead of doing what would actually prevent the website from being hacked again they make a claim that doesn’t sound believable:

IN ADDITION – our security experts manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned. This layered approach ensures we don’t just throw the hackers off a site – we slam the door on them as well.

That would take a very long time on most websites, yet somehow they are also going to fix the website in an hour, and it would likely be very ineffective, since the sheer amount of information being reviewed would make it less likely that someone would spot a real issue among everything else.

On the page about their cleanup service there was a linked review that, while giving them five stars and seeming positive, indicated that this person’s websites have been repeatedly hacked:

Always quick, always clean.

OneHourSiteFix staff goes above and beyond every time we’ve had an issue. Quick service, speedy cleaning, and even making sure sites like Google rank your site as safe again. We can’t thank them enough for keeping our servers from getting shut down by our service provider due to infections/spam. Top notch, our go to company for website cleaning every time! Need help, look no further!

Which isn’t surprising based on what else we saw.