We are often brought in to re-cleanup malware infected websites after another company has done a clean up and the website gets infected again (or was never actually fully cleaned). The website getting infected again isn’t always the fault of the company doing the clean up, for example we sometimes have clients that don’t takes steps on their end that we told they needed to do (we take any steps that we can during our work), which leads to the website being infected again. But when someone comes to us and mentions a previous clean up has been done, we always ask if the previous cleaner determined how the website was infected (seeing as if that isn’t found and fixed the website could still be vulnerable). In almost every instance the response has been that determining how the website got infected never even came up, much less was attempted.
Avoiding companies that don’t mention that they determine how the website was infected as part of a cleanup would help you avoid some situations that would lead to you having to hire multiple companies to clean up the website. That has a major limitation though as we have found many security companies are much better at sounding like they know what they are doing then actually doing it. Only someone that actually knows what they are doing is likely to be able to spot that a company is not telling the truth, which isn’t likely when someone is hiring a company to do this work for them.
To give an example of this let’s take a look at something we recently ran across with a company named WeWatchYourWebsite. They promote that they do was they “Root Cause Analysis”:
If your website has ever been infected, you want to know “how” it happened. This sets our service alone at the top. We provide you with real proof of how your site was infected. Was it a faulty plugin? Outdated software?
We’ve invested the time required to create a system that will determine how your site was infected – and then we inform you. This along with steps you need to take to help us – help you keep your website safe and secure.
That would be impressive if true, but it isn’t. Not only do we determine how the website was infected, so they are “alone at the top”, but we actually get that issue fixed. We also make sure the website is secured by updating the software (even if that isn’t the cause), because that is one of three basic steps to a proper cleanup. By comparison WeWatchYourWebsite doesn’t do that, instead trying to detect attacks and block them, that really isn’t a good idea and they don’t provide any independent third-party evidence that it is actually effective at that. Our experience with other products making similar claims is that they provide limited to no protection.
The other thing that makes this sound less impressive is that they tout that their malware removal is “automated”. Considering that the cleaning up the malware and other malicious code often provides valuable information on the source of the infection. Having something fully automated is not conducive to doing that. In our experience this often also leads to poor results for the cleanup.
One way to determine if a security company actual has the abilities they claim is to look at their blog posts, since we often find those expose a lack of knowledge that can be covered for in vague marketing material. In the case of WeWatchYourWebsite, one of their recent posts shows a basic lack of understanding of how hackers operate and what log files of activity on the website, which are often key piece to definitively determine the source of a hack, actually show.
In a post from December 29, they claimed to provide an example of a hacker looking for infected WordPress websites. While hackers do sometimes re-check websites they have infected to make sure that is still true and hackers do try exploit malicious code that might have been placed on there by another hacker, what is shown in the post is not that. Let’s take you through it:
Investigating some interesting entries in log files from our customers, we see that hackers apparently are still looking for infected WordPress websites.
First we see this:
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:14 -0500] “GET / HTTP/1.1” 200 72904 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
The big tipoff here is the size of the GET request: 72904.
That first request is just a request for the homepage. From the outside we can’t see what the purpose of that would be. It could be used to see how a URL that actually exists responds on the website, it could be used as a comparison after making some change to the website later on, it could be used to determine that the website is running WordPress and its location on the website, or something else entirely.
We are not sure what it supposed to mean that the size of the request is a “big tipoff”, since that is just the size of the homepage served to the requester. It is possible that WeWatchYourWebsite falsely believes that is the size of request sent to the website, not the size of what was sent back.
And then this:
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:16 -0500] “ POST ///wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.1” 403 – “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
We captured the GET request and after comparing it to the attacks on the old, vulnerable version of that WordPress plugin we see that the hackers were doing some open reconnaissance on WordPress sites. We say “open” because this site never had the MailPoet plugin installed.
The second request is not “open reconnaissance”, that is the hacker trying to exploit a vulnerability that had existed in older versions of MailPoet.
(IP address blanked to protect the infected) – – [28/Dec/2016:20:44:19 -0500] “GET //xGSx.php HTTP/1.1” 404 45488 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31”
The above is them testing to see if their attack worked. It didn’t
Here they seem to understand that isn’t reconnaissance, since they are referring to one of the previous requests as an attack.
All of this is just to show that even though you think previously infected WordPress website may have been cleaned up from any previous malware, the hackers will always be looking just to be sure you have.
Hackers do sometimes check if the malware or other malicious code they have placed on a website is still there, but what was shown here was someone trying to exploit a vulnerability on the website. Considering that WeWatchYourWebsite stated that this plugin was never installed, it really is odd that they came to this conclusion that the hacker was re-checking things.
The last line might explain what is really going on here:
You may want to read about our methods of malware detection: http://wewatchyourwebsite.com/our-methods-for-finding-and-removing-website-malware/
It looks like the post was really about getting to promoting their service, but it really ends up being a warning that this company doesn’t know what they are talking about.
