Tag: Sucuri

GoDaddy’s Idea of Securing Websites Actually Involves Leaving Them Insecure and Trying to Deal with the After Effects of That

Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security and that is exactly what we ran across while looking into things while working on that previous post.  When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:

The description of that is:

Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.

It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.

If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about.

The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.

Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.

What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we recently we brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.

Sucuri’s 30 Day Guarantee Guarantees That They Won’t Properly Clean Up Your Website

In our dealing with the continued poor state of web security, which seems to be a microcosm of the poor state of security in general, what we see is that there are many different pieces that all come together to get to the current situation. The really terrible shape of the security industry probably couldn’t exist without the public helping them out in numerous ways. One of those ways is that you have a lot of people that don’t really seem to be paying much attention before handing over money to unscrupulous security companies.

We recently had someone contact us looking for help with a hacked website. They hadn’t provided any details as to how they thought the website was hacked and considering that many people come to us that think a website has been hacked when it hasn’t, we first went to look at the website to see if we noticed any issues. We noticed one issue and we then responded asking if that was what was at issue or if there something more. They responded that they already were a paying customer and had sent several message to support that they hoped we would address. Neither of those things sounded like us, especially since we charge after we have completed a cleanup, not before. It turned out that they had confused us with another company named Sucuri.

What was odder about that was that the person said they had seen Sucuri mentioned on our website and decided to give them a try. Considering that we have repeatedly written about problems caused by Sucuri, particularly involving hack cleanups, it doesn’t seem they could have been paying almost any attention to what we had written about that company.

That ties in to understanding something else that they mentioned, which is that Sucuri told them they provide a 30 day money back guarantee. They didn’t look into the details on that, which they should have.

We were curious to see what Sucuri’s refund policy actually was and found that they are inconsistent in what they claiming to provide. More importantly there are some huge caveats, so the guarantee would be of no value in a lot of cases.

On the homepage they advertise it this way:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

Looking at the terms of service they first state:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

Based on that if you sign up for their service and request a cleanup you can’t get a refund, so if they don’t properly clean things up (as they won’t) you are left paying for something that wasn’t done right.

In listing their various levels of service they make a big point of response time, so it seems pretty likely that they expect that many of their customers are coming to them looking for a cleanup:

So it seems like their refund offer would probably be immediately null for many of their customers. It also seems like if they were interested in be honest with their potential customers they would be upfront about that limitation, instead of burying that important limitation in a long legal document.

Later in the terms of service page they say something different:

If at any time during the Service Term, you submit a Malware Removal Request for a Covered Website that Company determines is infected, Company will use reasonable commercial efforts to clean the infected Covered Website. In the event that Company is unable, for any reason, to clean the infected Covered Website, Company will, as its sole and exclusive remedy, refund to you the annual fee you paid to the Company for the clean up of that Covered Website.

That would sound significant if we haven’t see what can actually happen when Sucuri is supposed to be dealing with a hacked website.

In April of last year we discussed a situation that we were brought in where Sucuri’s service had been purchased and they had claimed to have cleaned a website. When the original issue, credit cards being used on the website were being compromised, continued, the person running the website contacted Sucuri about that and Sucuri told them that the website was clean, despite it being very likely it wasn’t. This person wasn’t looking for a refund, just for them to clean things up, which considering Sucuri’s service is marketed as providing “Unlimited Malware & Hack Cleanup”, shouldn’t have been an issue. They instead had to hire us to get things properly cleaned up.

On Sucuri’s page about cancelling an account they have the following Refund section:

Refunds

Refunds are only available within 30 days of purchase and will only be issued in case a manual malware removal was not completed. On all other cases, you can cancel the account, but a refund will not be provided.

That doesn’t match what is written in the terms of service, so who knows what is going on there. But if that is to be believed all they are actually offering is a refund if they don’t “complete” a manual malware removal. Considering that based on everything we have Sucuri doesn’t even really attempt to do complete cleanups, that doesn’t seem meaningful.

Right below that section is a Guarantee section:

Guarantee

We guarantee our work, so if your site gets reinfected we will clean it up again until it is 100% clean. But you also have to do your part and keep your sites updated, change passwords and follow our recommendations.

If you do not follow our recommendations, we will not clean it up again until they are done.

As situation we were brought in to clean up after Sucuri in March shows, even when Sucuri is willing to clean things up again it doesn’t mean the website is ever going to get fully cleaned as the website in that situation was repeatedly incompletely cleaned up by Sucuri. What was happening is that Sucuri repeatedly removed parts of the hack, but since they didn’t remove the others, what they were removing just came back over and over.

One of things that would have stopped that cycle would have been if Sucuri had done one of the three pieces of a proper clean up, which is trying to determine how the website was hacked, as reviewing the logging as part of that would have identified where the remaining malicious code was.

Sucuri not only fails to do that piece of a proper clean up, but they fail to do another one, which involves getting the website secure as possible. That usually mainly consists of getting any software on the website up to date. Based on that guarantee language they even try to push that off to the customer.

In fact while they sell their service as website security service, the guarantee seems to indicate they don’t do anything that will actually secure the website. What it looks like is that you are paying them an ongoing fee for them to be on call to improperly clean up your website.

If your website hasn’t been hacked you would be better off spending your time and money on doing the basics of security, as doing those things will greatly reduce the chances of the website being hacked. If your website has been hacked you would better off hiring someone like us that will actually clean the website up properly and fully stands behind their work instead of providing you with a misleading “guarantee”.

Does Sucuri Believe That There Are Unreal People Working At Other Website Security Companies?

Recently we have been taking a closer look at how website security services are marketed and how they provide what seem like they should be warning signs as to the reality that the services don’t actually provide real security. We ran into another example involving Sucuri, which also involves an odd tag line.

Here was an ad form that showed up in search results while we were looking into for some information for another recent post on this blog:

The tagline there is “Real People, Real Security”. The first part of that is odd, do they believe other website security companies employ unreal people? The second part of that though is more problematic, since Sucuri doesn’t provide real security. That is something that is hinted at by what else is mentioned in the ad. If they could provide real security then websites using their services wouldn’t be getting malware on them that needs to be cleaned, much less repeatedly, and yet one of the things they are touting in that ad is that they provide “Unlimited Malware Cleanup”.

As we noted recently, Sucuri doesn’t present evidence, much less from evidence from independent testing, that their service is actually effective at protecting websites. So it would seem either they don’t know if they provide real security or they know they don’t provide real security, as we assume if they were actually measuring or testing to see if they provide real security they would tout the results if they were good.

There is plenty of reason to believe they don’t provide real security since as we also noted recently, it can be incredibly easy to bypass a critical piece of Sucuri’s offering, their website application firewall (WAF).

As we also noted recently, getting unlimited cleanups from Sucuri isn’t necessarily all that useful since we were recently brought in to deal with a website where Sucuri was repeatedly doing incomplete cleanups that didn’t resolve a hack.

It also worth noting that while Sucuri has real people (again, who wouldn’t?), what is important is if they competent and what we have seen doesn’t point in that direction. For example, just about a year ago SiteLock was telling one of their customers that their website was clean when it seems to us that someone that hasn’t basic competency in the field would have realized that wasn’t true and the employee(s) failed to spot malicious code that we easily found on the website.

SiteLock and Sucuri Inaccurately Portray Hidden Spammy Content on Website as Malware

We frequently have people contacting us for a second opinion on claims from the security company SiteLock that their websites have been hacked. To be able to provide that we ask for the evidence being presented by SiteLock to back that claim up. An important reason for doing that is that SiteLock appears to refer to anything they detect as possibly being an indication of a hack as malware, even if it isn’t malware.

Malware is short for malicious software and can accurately refer to one of two things when it comes to websites. The first being malicious code being served from a website and the second being malicious code located in a website’s files or database.

One reason why they might refer to any indication of a hack as being malware is to make the issue sound more serious than it really is and make you more likely to pay them for some security service. As an example of that, in one instance where we were contacted about a claim of theirs, what they were claiming was “critical” severity malware was just a link to another website. What was even supposed a problem with the link, which was included with a comment on a blog post, wasn’t clear since the domain name of the website being linked wasn’t registered anymore, but saying there is an issue with a link would sound a lot less concerning than “malware”.

Someone that they recently contacted with a claim that their website contained malware, had also been told by the SiteLock representative that called them that Google would “shut down” their website due to the issue. In reality Google doesn’t shut down websites and since the issue wasn’t actually malware they wouldn’t even block access to the website if they had detected the issue.

That person had then run the website through the Sucuri SiteCheck scanner, which also claimed the website contained malware. Sucuri also goes the over top in making issues seem as bad as possible to sell their service:

The small text there states:

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

What they actual identified there is what we would describe as hidden spammy content, which is a less serious issue than malware. It also didn’t contain any code, JavaScript or otherwise, despite Sucuri labeling it as “Known javascript malware” and stating that “Malicious Code Detected”.

While Google might penalize a website for that hidden spammy content like that, it isn’t going to do any harm to people visiting the website.

If you visit the link they provide for the details of that type of issue, http://labs.sucuri.net/db/malware/spam-seo.hidden_content?24, the description doesn’t mention “malware”, but does mention “hiding spammy content”:

Hiding spammy content (links, spammy texts, etc) on legitimate web pages is a common black hat SEO trick. It helps use existing site pages in black hat SEO schemes while keeping it invisible to site visitors and webmaster.

There are many techniques that help hide certain parts of a web pages. Most of them include either CSS or JavaScript. The simples is placing spammy content inside a div tag with the display:none; style.

Another interesting similarity between those two companies, which seems like it ties in to the overstated impact of the real issue on this website, is that security services provided by both SiteLock and Sucuri don’t seem to be focused on actually securing websites. Instead they seem to be more focused on trying to deal with after effects of the website having been hacked after having left the websites insecure. That all could be an indication the companies don’t have a good understanding of what they claim to have expertise in or that they are just interested in trying to get as much money out of people instead of being focused on improving security.

Sucuri’s Website Application Firewall (WAF) Makes Improving Websites’ Security Harder, While Being Easily Bypassable

When cleaning up a hacked website there are three main components to doing that properly. We often find that security companies don’t do two of those. One of them being trying to determine how the website was hacked. The other being getting the website secure as possible, which usually involves getting the software on the website up to date. If a company isn’t able to make sure the software is up to date, it seems likely they also are not familiar enough with the software that they should be dealing with hacked websites running it.

One well known company that usually skips doing those things is Sucuri. They promote as alternative to doing that securing, that you can rely on the virtual patching provided by their website application firewall (WAF). There are a number of reasons why that is bad idea, including that they don’t present any evidence, much less from independent testing, that their virtual patching is effective (they also don’t present any evidence that their service is effective at protecting websites in general). Probably the largest problem with relying on that though, is that it can be incredibly easy to go completely around their WAF, leaving websites that haven’t been properly secured wide open to being hacked.

Before we get in to that, what lead to us writing this post was our recent experience with their WAF making it harder to get a website secured.

We were recently brought in to upgrade a Joomla installation on a website that Sucuri cleaned but had failed to upgrade the software on it. When we went to do that upgrade we ran into an error, “ERROR: AJAX Loading Error: Forbidden”:

That error message doesn’t provide much information on what was going wrong and we would guess that others that run into it might get stuck at that point. In debugging that we found that when an AJAX request was made to  /administrator/components/com_joomlaupdate/restore.php the response being received was this page:

Access Denied - Sucuri Website Firewall If you are the site owner (or you manage this site), please whitelist your IP or if you think this block is an error please open a support ticket and make sure to include the block details (displayed in the box below), so we can assist you in troubleshooting the issue.

At that point we could have contacted the person we were dealing with from the website and get them to try to whitelist our IP address, but there was a far quicker solution, simply bypassing Sucuri’s WAF, which can be incredibly easy to do.

Here’s is how Sucuri explains how their WAF works:

The reality is that all HTTP/HTTPS traffic does not have to begin where they show it beginning in that graphic, instead, if you know the IP address of the Original Host you can connect directly to it, bypassing the WAF entirely.

While in something we will get to in a moment, Sucuri refers to this IP address as being “hidden”, in reality it often isn’t hidden at all. In the case of the website we dealing with we just pulled up the DNS records for the website and the second IP address (after the Sucuri one) was the Original Host’s IP address (there was another equally easy method available as well). By simply associating that IP address with the domain name in a computer’s host file the Sucuri WAF can be bypassed.

From previous real world experience we can say that people will in fact rely on Sucuri’s WAF to keep them safe instead of keeping software up to date, which can leave people wide open to attack if someone just takes time to bypass the WAF. What makes that particularly problematic is that a website could appear to be secure for a long time, leading to people claiming that Sucuri’s solution is effective, and only later it becomes clear that things were not as how they seemed.

Here’s what makes this even more troubling, Sucuri is aware of the ability to bypass their WAF, but they either don’t understand that their attempt solution to stop that doesn’t resolve the issue or they don’t care that that what they are providing is fundamentally insecure.

The page Prevent Sucuri Firewall Bypass on Sucuri’s website begins:

If someone knows your hidden Hosting IP address, they can bypass our Firewall and try to access your site directly. It is not common or easy to do so, but for additional extra security, we recommend only allowing HTTP access from our Firewall.

The best way to prevent hackers from bypassing our Firewall is limiting their access to your web server. To do this, all you have to do is add restrictions to your .htaccess file so that only our Firewall’s IP will be able to access your web server.

As we already noted, the IP address isn’t necessarily hidden at all. Calling attempting to prevent the easy bypass as “additional extra security” as opposed to being essential, doesn’t provide much assurance that they actual are concerned about the security of websites using their service.

The larger issue here is that trying to restrict what IP address can access the Original Host directly isn’t very effective. That is because all someone has to bypass that restriction is to spoof a permitted IP address, which involves making it seem a request came from a different IP address than it really did. Either Sucuri doesn’t understand that or doesn’t care that their WAF is fundamentally insecure, neither of which should be true about a security company.

Their a major limitation with spoofing an IP address that is important to note though, which is that any response would not be sent back to the system sending the spoofed requests since the response would be sent back to the spoofed IP address. But with the kind of vulnerabilities we see actually being exploited on websites that often wouldn’t be an issue since the hacker doesn’t need to receive a response to gain further access to the website. Oncee they have access they could remove the IP address restriction or send any responses they need in way they can still access (say writing them to a file accessible through the website).

While we wouldn’t recommend using Sucuri’s WAF (or their services in general), if you are using it, restricting IP addresses as suggested in that previously mentioned article would provide better security when using their WAF.

Sucuri’s Comparison to Other Security Services Doesn’t Present Evidence They Provide Real Security

Earlier this week we looked at how the website security company SiteLock compared itself to competitors. What stood out in that is their idea of security isn’t focused on securing websites, but on instead leaving them vulnerable to being hacked and then trying to incompletely deal with the result of that. That is a good way for them to make money, but it is bad for everyone else. They are not alone in doing that though, as the comparison page for another company, Sucuri, shows.

The main portion of the page is a comparison chart, but before that is text that seems more important in terms of understanding what Sucuri is actually doing and not doing. It starts:

Our constant research keeps us ahead of competitors.

The unique insights shared by Sucuri Labs and the Sucuri Blog have earned us press and media mentions from top news outlets, industry blogs, and cybersecurity journalists.

The reality here is that their postings seems to be focused on getting press coverage instead of actually keeping ahead of competitors in terms of protecting websites. If you look at their blogs they are focused on the after effects of websites being hacked instead of on how they are getting hacked in the first place. That isn’t a good sign for their ability to protect websites, since what is important is how they got hacked, not what was done after that. Since not only do you need to know how they are hacked to effectively protect against those things, but if you are protecting them, the after effects of hack don’t matter since they won’t have happened.

When they have actually discussed how websites are hacked it actually shows they are way behind. In one recent instance of that they were notified of a vulnerability involving two WordPress plugins weeks after it had been discussed on the blog of our Plugin Vulnerabilities service and weeks after the free companion plugin for that service had started warning people about the vulnerable versions of the plugins. So Sucuri isn’t even able to stay ahead of people just following that service’s blog, much less competitors that actually do the research they claim to do.

Next up is this:

A safe internet is our mission, so we offer free tools.

We maintain a free website scanner and guides to help you fix or prevent website hacks. Sucuri is recommended by customers and web professionals in over 60 case studies.

As we have discussed in the past, their website scanner is to put it politely, incredibly crude. For example, as of year ago it was falsely claiming our website had been defaced on the basis of a page on it being named “Hacked Website Cleanup”. Where that gets much worse and seems to dispute their claim that the “a safe Internet is their mission”, is that instead of presenting the questionable results of that scanner in a neutral fashion they go in to full scare mode at detection of a possible issue. It seems their real mission is to take as much money from people without a concern if that involves falsely claiming that websites are hacked. Doing that goes against two of their four claimed values:

Helpful

When a website is hacked or under attack, a website owner is at their most vulnerable state. We will be the calm in the virtual storm, standing by to restore peace of mind.

Trust

The security space is filled with snake-oil and unnecessary FUD (fear, uncertainty, and doubt). We are committed to building services in the best interest of website owners.

In reality they are taking advantage of people when they are at their most vulnerable and spreading the FUD they claim they are against.

Looking at one of their guides it shows a good indication about their lack on focus on securing websites. In the guide for dealing with a hacked WordPress website, there are numerous ads for their service, but there is no mention of one of the three basic components of a proper hack cleanup. That being, trying to determine how the website was hacked. Websites don’t just get hacked, something has to go wrong, so if you don’t figure out what went wrong, you can’t be sure you have fixed that.

There seems to be a good reason for information on determining how websites are hacked being missing, from everything we have seen Sucuri usually doesn’t do that when cleaning up websites (and when we have seen them doing that, they didn’t seem to have a basic grasp of how it should be done). For a company that is supposed to be protecting websites from being hacked, that is fairly big issue since it would severely limit their ability to protect other websites from being hacked, which might explain how they market the service, which we will get to in a bit.

Getting to the main portion of the page, which is a chart that compares Sucuri to other services, just a quick glance shows that it contains false information. In the chart they claim they offer “Complete” hack and malware cleanups:

The reality is that they don’t do two of three basic components of a proper cleanup. Those being securing the website (which usually involves getting the software brought up to date) and the previously mentioned trying to determine how the website was hacked.

Right before the comparison chart is paragraph that begins:

We encourage you to research your options, read online reviews, chat with our team, and make an informed decision about who to trust with your website, reputation, and business.

What is completely missing from that page (or Sucuri’s website in general) is any evidence, much less from independent testing, that their service is actually effective at protecting websites. You can’t possibly make an informed decision on a security service when the most important piece of information is missing. There are two possible reasons why that is missing. The first being that they don’t actually have any idea is their service is effective, which based on everything else we have seen about them wouldn’t surprise us. The second is that they know it isn’t effective, but they realized they can get away with that.

(Reading online reviews is not a good way to make an informed decision since, for example, you can find reviews praising services despite the service failing to properly clean up hacks repeatedly.)

What makes that lack of evidence more striking is that on their homepage they provide several other measures of their service:

Touting how many websites they clean up seems like it could be a good indication that the service isn’t actually effective at protecting websites, since if they could do that that should be the thing they tout and they shouldn’t be doing many cleanups (other than for new customers).

The fact that on the homepage they twice tout that their services that are supposed to protect websites, includes “unlimited” cleanups also seem like a good indication of that:

If websites were actually being protected they wouldn’t be hacked and therefore need to be cleaned up repeatedly.

Everything we have seen and heard, including people frequently contacting us looking for a security service that works after using one that didn’t, indicates that security service like Sucuri provides do not do a good job of protecting website. If you actually want to do something that will protect your websites, doing security basics will actually protect your website from most hacks.

If your website has been hacked you want to make sure to get it properly cleaned up, which involves removing anything the hacker added to the website, securing the website (which usually involves upgrading the software on it), and trying to determine how the website was hacked and fixing that. Many companies, including Sucuri, cut corners. So simply going with a well known company doesn’t mean that you are going to get a good result, in fact what we have seen is that the biggest names are usually very bad at security (lying about things has been effective method to make security companies popular, but it doesn’t help to make them good at security).

Cleaning Up After StudioPress Sites and Sucuri Didn’t Protect or Properly Clean a Website

Two weeks ago we wrote about how StudioPress Sites and Sucuri hadn’t properly dealt with a hacked website, leading it to being hacked again. Subsequent to that we were hired to re-clean the website, which allowed us to see more of what had and hadn’t happened. The results, which we will get to in a moment, are not just a reminder that a security company being well known, as Sucuri is, doesn’t mean that they have any business being involved with security, but also the limits of automated security solutions in general.

Probably the most striking thing that we found, is that based on evidence we ran across in an error log file, the hack had been going on for more than year.

We often find that when we are brought in to clean up hacked websites the hack goes back much further then the website’s owner was aware of. That could be a good reason to use a service that is designed to detect the presence of malicious code on website, if used in conjunction with doing security basics, as that could give you better assurance that the website is secure. The problem with that is we have yet to see evidence presented that solutions that attempt to do that are all that effective. The one time we ran across a security company claiming that independent testing had been done, the result was that their product was 100% effective. That sounded unbelievable to us. One of the important questions as to validity of that was how the samples tested were chosen. It turned out the security company had provided the malicious code that was used to test their service against. That meant it wasn’t independent testing and also made it meaningless that they detected 100% of it, since they could choose things they knew the service could detect.

One of the most worrisome indications of the quality of services to detect malicious code on websites is that we have seen companies providing them having marketed them as if they will protect website from being hacked in the first place, which obviously isn’t remotely possible since they only come in to play after the website is hacked. Either the developers don’t understand really basic elements of what they are providing or they are rather blatantly lying, neither of which seems like something that should be true about a company that has anything to do with security.

In the case of this website that type of detection was supposed to be happening:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

But it wasn’t, as neither StudioPress Site nor Sucuri were the ones that finally detected the issue, instead person managing the website noticed the issue.

As we mentioned in the previous post, how the StudioPress Sites service is promoted though made it strange that detection and cleanup would even be needed to be provide with the service, because it was claimed that service would protect websites from being hacked in the first place:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

Clearly it didn’t.

While re-cleaning the website we saw a several issues with what looks to be an automated cleanup done by Sucuri.

The first was a much less serious issue, but it was rather annoying for us, as Sucuri had left numerous empty files all over the website. It looks like if they remove all the code in the file because it is all malicious they don’t then remove the file. That created a couple of issues. The first being that when we did file comparisons to identify any changes made by the hack we had all of these empty files coming up in addition to files that still contained malicious code. The second being that when we started reviewing the log files to see how the hacker was able to continue to access the website, it looked at first glance that they were successfully able to access quite a few files, that actually were empty, that increased the time it took to find the logging of successful requests to malicious files that still existed.

Along those same lines we found that in other instances while Sucuri looks to have removed malicious code they left other content that had been added by the hacker, including comments that had been before or after malicious code. Those all then needed to be checked over during file comparisons, slowing down getting to the serious issues.

Those things then tie in with the much more serious issue. We were able to easily find the files that were being missed by Sucuri’s automated tools, which were allowing additional malicious files to return that they were able to catch (and then remove again and again). Simply doing some file comparisons, some quick checking over the files in some directories, and looking at the logging, allowed us quickly find what Sucuri’s tools were missing. None of those things are by any means advance solutions (it isn’t the first time simply solutions used by us have caught things they missed).

Takeaways

First and foremost, this situation should be a reminder that claims made about security whether by security companies or other companies should be viewed with great skepticism. If there isn’t evidence backing a claim there is good chance that, at best, it is being made without any idea if it is true or not.

Second, relying on a service that will try to detect and remove the result of a hack instead of making sure you are doing the security basics, which will prevent many hacks, is not a good idea since you can run into a situation like this where the hack goes on and on.

Third, any company that is offering to do cleanups with just automatic tools is probably a company you don’t want having anything to do with cleaning them up since they either don’t understand what they are doing or they are providing a service that they know can’t get the job done.

Finally, if your website is hacked, you want to make sure you hire someone that will properly clean it up. The three components of that are cleaning up the malicious code and anything else the hacker added, securing the website (which usually means getting the software on it up to date), and trying to determine how the website was hacked (which not only helps to prevent it happening again, but as we have found repeatedly, helps to make sure that the hack is fully cleaned up). One simple way to insure you are hiring someone that does that is to hire us, since we have always done those things throughout the many years we have been dealing with hacked websites.

StudioPress Sites And Sucuri Didn’t Properly Deal With a Hacked Website

Recently we have gotten quite a few questions related to web hosts that include a security service with their hosting service. Considering that web hosts seem to have problems handling the basics of their own security this type of offering seems like it might not be a great idea. Furthermore, most of what needs to be done to keep websites secure isn’t best handled by a security service.

Another issue is that we haven’t seen evidence presented that those types of services are effective at protecting websites and plenty that they are not. One of the pieces of evidence that we have seen that they are not effective is that companies that provide those services often don’t do an important part of properly cleaning up hacked websites. One of the basic components of a proper cleanup is trying to determine how the website has been hacked. If you don’t do that, it leaves open the possibility that the vulnerability is still on the website and can be exploited again. If you are a service that is supposed to protect websites and you don’t even know how they are hacked, you unlikely to do a good job of protecting them.

Security companies can often get away with all of that because the public doesn’t have a good understanding of security and when it comes to the lack of protection, people will often say that such services have been successfully protecting them because they assume that if the website hasn’t been hacked that means the service worked. In reality most websites don’t get hacked, so a service can get credit for providing protection when it does little to nothing to protect websites.

One prominent web security company that all of that would apply to is Sucuri. From what we have seen over the years they don’t seem to have even a basic understanding of security (amazingly one time they warned people to beware of companies that don’t have that). They fail to even handle even more basics elements of cleaning up hacked websites than determining how the website was hacked.

Those kinds of things haven’t stopped the web hosting service StudioPress Sites (previously known as Synthesis) from partnering with them, which they promote in this way:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

Right before that in their marketing they make this claim:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

If they were actually able to keep the bad guys out, why would what Sucuri is supposed to be providing be needed? The reality is that when it comes to WordPress, while you see everybody and their brother making claims about their great security, our Plugin Vulnerabilities service seems to be out there alone in catching the kind of serious vulnerabilities in WordPress plugins that would be exploited before there is evidence that they have been exploited (we disclosed two of those just in the last few days). Considering those are a major source of WordPress based websites being hacked, it seems to be a good indications that others are not really do much when it comes to protecting WordPress sites.

We became aware of the partnership between those two companies when someone recently contacted us about a hacked website and mentioned that the website been hacked again after having using Sucuri’s service to clean it up by way of StudioPress Sites. In a situation like that, the first thing we always ask is if the previous company that did the cleanup determined how the website was hacked, since if the source hasn’t been determined and fixed it could explain why the website got hacked again. They responded that they got some generic security advice, but no information about how the website had been hacked or any indication there was an attempt to do that. So it really isn’t all that surprising that it got hacked again.

Out of line with how that hosting is promoted, neither the web host nor Sucuri had been the ones that spotted the hack in the first place. That really isn’t all that surprising since it seems that Sucuri’s scanner is to put it politely, incredibly simplistic, which we base in part on the terrible false positives we have seen it produce.

A Better Cleanup

When we do a hack cleanup of a WordPress website not only do we do it properly, but we also include a free lifetime subscription to Plugin Vulnerabilities service, which will warn you if any of the plugins you use have disclosed vulnerabilities. We will also review all of your installed plugins for serious vulnerabilities using the same technique that we have used to catch numerous serious vulnerabilities in other plugins.

GoDaddy (Owner of Sucuri) Still Using Server Software That Was EOL’d Over Six Years Ago

Last week we wrote a post about how the web security company Sucuri was hiding the fact that they are owned by the web host GoDaddy while promoting a partnership program for web hosts. Not mentioning that they are owned by a competitor of companies they are hoping to partner with seems quite inappropriate. It also seems problematic since GoDaddy has long track record of poor security, so that seems like material information that web hosts should have when considering partnering with Sucuri.

One example of GoDaddy’s poor security that we have noted before is that they are using a very out of date version of the database administration tool of phpMyAdmin. It turns out they are still doing that, as we found when doing some work on a client’s website hosted with them. While working on an upgrade we created a new database so that the database would be running a newer version of MySQL required by the new version of the software being upgraded. When we went to import the database we found the phpMyAdmin installation it is tied to is the same really out of date version of phpMyAdmin, 2.11.11.3:

The 2.11.x branch of phpMyAdmin reached end of life on July 12, 2011. After that date not fixes or security fixes were not released, so GoDaddy should not have been running that version after that.

Beyond the security concern with this, you have situation where GoDaddy isn’t even managing to update a customer facing piece of software at least every six years.

It also worth noting that GoDaddy is the employer of the head of WordPress security team (they are paying him for his work in that role). You really have to wonder how, if someone who truly cared much about security, they would be employed by a company that doesn’t seem to care about that. That they are willing to work for GoDaddy might go a long way to explain why the security team of WordPress continues to poorly handle things (it also raises questions about the propriety of having the head of the security team being an employee of a company that could profit off of WordPress seeming insecure).

Sucuri’s Lie of Omission Involving Their Ownership by GoDaddy

Last week we touched on a continued lie from the makers of the Wordfence Security plugin and mentioned the general problem of lying within the security industry. Not every lie involving the security industry involves something that is said, it can also be something not said.

As an example take what we noticed in a recent post by the web security company Sucuri promoting their partnership program for web hosts. What they neglect to mention despite being rather important, as we will get to, is that they are in fact owned by the web hosting company GoDaddy.

But before we get to that, the whole post is cringe worthy if you have followed our posts on the web security company SiteLock, whose business seems to largely built around partnerships with web hosts. Many of those web hosts are run by the majority owners of SiteLock, which might have given GoDaddy the idea to move from a partnership with SiteLock to do the same on their own.

At one of point in the Sucuri’s post they write the following:

We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers all while helping gain a better understanding of the overall health of accounts in the environment.

In the case of SiteLock, because SiteLock’s scanner isn’t very good that sort of thing has led to lots of people falsely being told that their websites have been hacked and then offered overpriced services to fix the non-issues. Sucuri’s scanner has also been bad for years, the most recent example of that we documented involved them claiming that Washington Post’s website contained malware. We noticed that while looking into a situation where someone was contacted by their web host with Sucuri’s results falsely claiming that their website hacked, much like they had falsely, but hilariously, claimed of ours not too long ago.

Elsewhere in Sucuri’s post they write:

They want a site that is fully secure and stays that way. From our experience, they don’t care about, or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.

That isn’t what you are get with Sucuri, if one person that came to us after having Sucuri failed to take care of a credit card compromise on their website. Not only did Sucuri fail to detect an easy spot piece of malicious code, but kept telling them the website was clean despite the person telling Sucuri that credit cards were still being comprised on the website.

That ties in with something in the post:

A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.

Clearly the customer service was terrible in that situation. But the other striking element of this is that we were able to identify the issue without using any “cutting-edge technology”. Also, when it comes to security services, web professional are not necessarily who you would want a recommendation from, since they don’t necessarily have a good idea about security. Certainly any of them recommending Sucuri, based on what we have seen, would be someone that shouldn’t be providing that type of recommendation.

If what another recent example of poor security from Sucuri and GoDaddy take this recent example of Sucuri’s web application firewall (WAF) being bypassed by simply encoding a character as reported by ZDNet. That is an indication that the product is rather poor at what it is supposed to be doing, which isn’t surprising based on everything we have seen from this company (they don’t even seem to understand security basics). This also looks like another situation where they are not being honest, as the article states that:

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

But a quote from the company neglects to mention that it was fixed after they were notified of the issue

“In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,” said Daniel Cid, GoDaddy’s vice-president of engineering.

“Within less than a day, our systems were able to pick up this attempt and put a stop to it,” he said.

What isn’t mentioned anywhere in the post is that SiteLock is owned by GoDaddy and therefore web host partnering are really partnering with a competitor and possible providing them with sensitive information.

That also isn’t mention on the linked to Sucuri Partner Program page.

What is mentioned there is that this is way for web hosts to make a lot of money:

As we have seen with SiteLock, that doesn’t lead to good things.

You also won’t find mention of the ownership on the about page on Sucuri’s website which states:

Sucuri, Inc. is a Delaware Corporation, with a globally-
distributed team spread over a dozen countries around
the world.

Beyond the fact that web hosts might not want to be partnering with a competitor in this way, there is the issue that GoDaddy has a bad reputation when it comes to security.

One element of that is obliquely mentioned in the Sucuri post when the write:

For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers,  but this isn’t really a huge threat today.

One such provider that happened with was GoDaddy, which had ignored attempts by people we were helping to deal those hacks, to get them to do something about it before it became a major issue. GoDaddy then made ever changing claims as to the source of, but notable didn’t blame themselves.

In more recent times there have been issues with them distributing outdated and insecure software to their customers, using outdated and insecure software on their servers, being unable to properly control FTP access to websites, not providing a basic security feature with their managed WordPress hosting, and worst of all, screwing up the security of databases that lead to website that otherwise would not have been hacked, being hacked.

It isn’t really surprising with that type of track record that they would have bought a security company that inadvertently made a good case that you should avoid them. But that all would be a good reason why other web hosts would probably want to avoid getting involved in this if they truly care about their customers and that might be why it goes unmentioned.