Call for Free Consultation Today: (619) 479-6637     Hack Repair Testimonials Read more five star service reviews?

Website Malware andHack Repair Services

"We Fix Hacked Websites"

Website Security Heads Up for May!

| | Leave a Comment

Website Security Heads Up for May

The pandemic has dramatically impacted the status of vulnerabilities for all of the major content management systems, like Joomla, Magento, and WordPress.

Hackers stuck at home with nothing to do but “code” have been wreaking havoc on the community of website management scripts, especially WordPress.

Luckily plugin and theme developers have likewise been “available” and most of the exploits listed below have patches in place now.

Sadly, the patches came too late for many. There has been a steady increase in privilege escalation hacks (where hackers gain access to lower-level user roles such as “Subscriber” to do their evil deeds).

Suffice it to say there is enough evidence to demonstrate that allowing subscribers to subscribe without any management oversight and not doing a reasonable amount of due diligence before installing a new plugin is a long term receipt for disaster.

 

Below is a shortlist of WordPress related plugins and theme whose code have been exploited in some way during the month of May (list credit to the WPScan Team).

Plugins:

Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS)

Advanced Order Export For WooCommerce < 3.1.4 – Authenticated Cross-Site Scripting (XSS)

Ajax Load More < 5.3.2 – Authenticated SQL Injection

bbPress < 2.6.5 – Authenticated Stored Cross-Site Scripting via the forums list table

bbPress < 2.6.5 – Unauthenticated Privilege Escalation when New User Registration enabled

bbPress 2.6-2.6.5 – Authenticated Privilege Escalation via the Super Moderator feature

Chopslider <= 3.4 – Unauthenticated Blind SQL Injection

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 – Unauthenticated File Upload Bypass

Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS)

Elementor < 2.9.8 – SVG Sanitizer Bypass leading to Authenticated Stored XSS

Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload

Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS)

Form Maker by 10Web <= 1.13.35 – Authenticated SQL Injection

Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS)

Login/Signup Popup < 1.5 – Authenticated Stored Cross-Site Scripting (XSS)

MapPress Maps < 2.54.6 – Improper Capability Checks in AJAX Calls

Multi Scheduler <= 1.0.0 – Arbitrary Record Deletion via CSRF

Official MailerLite Sign Up Forms < 1.4.4 – Unauthenticated SQL Injection

Official MailerLite Sign Up Forms < 1.4.5 – Multiple CSRF Issues

Page Builder by SiteOrigin < 2.10.16 – CSRF to Reflected Cross-Site Scripting (XSS)

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – CSRF leading to XSS

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – Unprotected AJAX’s leading to XSS

Paid Memberships Pro < 2.3.3 – Authenticated SQL Injection

Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection

Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access

Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS)

ThirstyAffiliates < 3.9.3 – Authenticated Stored XSS

Ultimate Addons for Elementor < 1.24.2 – Registration Bypass

Visual Composer < 27.0 – Multiple Authenticated Cross-Site Scripting Issues

WooCommerce < 4.1.0 – Unescaped Metadata when Duplicating Products

WP Frontend Profile < 1.2.2 – CSRF Check Incorrectly Implemented

WP Product Review < 3.7.6 – Unauthenticated Stored Cross-Site Scripting (XSS)

WTI Like Post <= 1.4.5 – Authenticated Stored Cross-Site Scripting (XSS)


Theme:

Avada < 6.2.3 – Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS

 
Be sure to double-check whether your site is using any of the above plugins. And if so, please consider updating them soonest.

 
* Yes, HackGuard.com service client’s plugins have all been fully updated to the latest version respectively.

Enjoy!

 

Website Security Service versus Malware Removal Service — The same thing, right?

| | Leave a Comment

malware removal service versus website security serviceIn my day to day interactions with businesses whose websites have been compromised, I’ve become increasingly alarmed by companies charging outrageous fees for basic “malware removal” then leaving their clients out in the cold to fend for themselves when they do not complete the tasks required to fully secure the website at the completion of their malware cleanup work.

 
Now I’m normally a rainbows and unicorns sort of guy. And bad-mouthing competing website security-related service providers is not my thing. That said, about two-thirds of the interactions I have with new clients by phone lead to a discussion regarding the malware cleanup company they used last month. This has become so prevalent and it breaks my heart.

The malware removal company sales script often reads something like this, “I’m sorry to hear your website has been hacked? Ok, we’ll remove the malware for you ASAP. Can I get your credit card number?”

The unsuspecting client then pays for “malware removal” and receives a service that involves little more than an automated malware scan and removal of suspicious files, sometimes breaking parts of the website in the process. This type of work is something a person with a moderate level of website security expertise can complete in a matter of minutes. That people are being charged hundreds of dollars for this level of service is disheartening (and borderline unethical IMHO).

| Suffice it to say, simply removing malware from a website does not fully secure a hacked website against future abuse.

 
If your website has been compromised and you are looking for help, please ask the person doing the work to at least take the following minimal steps in securing your website:

  1. Change all passwords throughout your entire hosting account.
  2. If yours is a WordPress website, ensure all core WordPress files have been replaced, and ensure all plugins are updated to the latest version.
  3. Remove all content management system and FTP users no longer requiring FTP access.
  4. Ensure all websites sharing the same account have been equally reviewed and secured.

If these four minimal requirements of a website security service are not completed, it is very likely your website may be recompromised.

 
If you would like a free review of your website’s security by phone, please feel free to call me anytime here in San Diego, California, at (619) 479-6637

 

From Disaster to Rebirth, a Wayback Machine Thanksgiving Miracle

| | 6 Comments

If you are reading this, maybe you were caught by the catchy title, or maybe you’ve heard about the Internet Archive Wayback Machine.

If you haven’t donated to the Internet Archive Wayback Machine recently, I hope this tale will convince you to support our mutual cause. Have you donated to the Internet Archive Wayback Machine?

 

My story began early one Sunday morning, sometime before 7 am. While taking a sip of coffee at my computer—where else would I be—the phone rang unexpectedly. Caller ID said, “Unavailable”. Sadly, 2/3rds of the calls I receive each day are sales, robo calls, or “Can you help me. I think my computer has been hacked…” Hoping against all odds for a new customer call, I picked up the phone that early morning.

My business is website security, and this particular caller, from Pakistan, found me in a random Google search. My experience with folks from this region of the world has been markedly poor over the years. Don’t get me wrong. It’s not the people that are the problem, it’s the US Dollar that generally causes “the friction.” That said, this gentleman seemed non-plussed by my flat rate so we continued the conversation in earnest.

Broken and hacked website

          WordPress Content Deleted?

As it turns out, the hosting company had suspended his website for malware earlier that week, and our new client had been trying in vain to find someone to help in recovering his website.

I said, “No problem, I’ll get you back up and running within a couple hours today.”

Normally, I find my staff and I can work through the recovery and lockdown of most compromised websites within a few hours. So when he said, “A hacker deleted my website!” I didn’t’ think twice about it. A good percentage of callers exclaim “My website was deleted! Can you help?”.

Once I had convinced the web hosting company to unsuspend his account and began the files review process, I became even more convinced that all would be well…

See, all of the images were there, theme and plugins appeared to be in place, albeit most compromised with exploitable code. And other than a relatively common WordPress plugin error displaying on the home page I figured all I would have to do was run a quick WordPress reinstallation, malware removal and then step out to an early lunch. As you may have guessed, that didn’t happen.

The moment I logged into the WordPress dashboard my blood ran cold. Indeed, all of the pages, posts, and widgets had been deleted. The hacker had likewise deleted the previously active theme, wryly leaving an old Twenty Twelve theme set as the default. The situation was looking pretty dire at that point.

Digressing a bit. The client had earlier mentioned that he was convinced a prior contractor out of Romania was responsible. And he was hoping I could put together enough evidence to prove that was the case. I didn’t have the heart to tell him at the time that it’s virtually impossible to prove guilt in this way. Later I learned the posts and pages had actually been missing for months. 

Then, as I delved deeper into the malware review portion of the job, it became obvious that a second hacker had taken advantage of the outdated WordPress version installed just weeks before; which apparently led the hosting company to shut down his account for a terms of service violation (reason: terms of service violation – malware/virus). 

The moment of truth if there ever was one. I had to decide whether to refund the client’s payment or dive in heads first and figure out a way to recover content that didn’t exist. 

As it turned out, someone had saved a backup within the account 6 months prior; after the pages and posts had been deleted, but before the WordPress theme had been deleted. I took that as a positive omen that not all was lost. 

Hopeful, I ran a number of Google searches to see whether any older cached pages existed within Google search. I found a few nicely cached pages. Things were looking up. I then called and discussed with him the possibility of hiring a web designer to recover the lost content using the cached copies from Google. He wasn’t so keen on the idea, knowing that might cost as much as just starting over from scratch.

With the wind taken out of my sails a bit, I took a short break from the project—a shower and a toothbrush were beckoning at 8 am. And with a fresh face and clean pair of something draped over my torso, it dawned on me, “What about the Wayback Machine website?

Honestly, my past experience with the Wayback Machine hasn’t been the rosiest. For a time, the old Internet Archive seemed essentially dormant, with gaping years of missing archives. Given my past experience, I did not expect to find anything useful there. But it was early enough in the morning and with my optimism still in full swing I typed into my browser location bar:

“The way back machine”

Internet Archive Wayback MachineAnd with Google Chrome’s nice pre-fill in the location bar, I was there with a click and pasted the client’s website address into the Internet Archive Wayback Machine search box.

While waiting for the Internet Archive to draw up a calendar of saved copies, my first thought was, “Wow, the Internet Archive has really changed since I last checked it out.”

It would seem that in the past year or so the old Wayback Machine appears to have reincarnated itself for the better.

Website content found!

Website content found!

So I clicked one of the older calendar links. This brought up the client’s website within the Internet Archive. All of his preexisting pages were intact—in all their original themed glory!

And with my thoughts of having to refund our client’s payment gone from my mind, I sent a hasty message off to him, “I think I’ve got it!”

His response was overwhelmingly thankful and spilling over with gratitude. He could scarcely believe that anyone could bring his business back online from disaster to rebirth within the span of a few hours.

So with a new sense of purpose and the help of the Wayback Machine, I got back to work on recovering the client’s deleted content. 

Encouraged, I installed a fresh WordPress installation, then reinstalled the preexisting plugins, images, and theme in preparation for importing the cached pages. 

And then another Eureka moment hit me. As I began reviewing the web archives within both the Internet Archive Wayback Machine and Google I stumbled upon something I’d never seen before named, the “Wayback Machine Downloader

The Wayback Machine Downloader has no apparent affiliation with the Internet Archive Wayback Machine. But what it does have is a free HTML exporter for up to the first 4 pages found from the Wayback Machine. I was intrigued so tried the free service. Within minutes I had a pretty decent facsimile of the client’s WordPress website converted into HTML only format running on my local computer.

And then like a snake it nearly bit me. At the top of the Wayback Machine Downloader was a single word menu item, “WordPress“. The summary of the service on their website seemed a bit overconfident to me. I’ll paraphrase from their website, “We provide a website that looks identical to what is shown on archive.org, with a fully functioning WordPress menu integration… yadda yadda.”

WordPress conversionAt this point it dawned on me that rebuilding the client’s website from an HTML converted format, while doable, was going to take me way longer than the client had been billed for, so I took the chance. I placed the WordPress conversion order. The cost was $50ish US dollars —and waited. The email receipt indicated I may have to wait a few days.

Well, within a few hours I found a complete WordPress installation with database and images waiting in my inbox. That was totally unexpected.

I figured that at best I would receive a database with some minimal instructions. What I received was a fully ready WordPress website, with better than average instructions on, “How to restore a website from the Web Archive” within a cPanel server setup. 

Within minutes I had completed the recovery of database and provided files and had a fully functional nearly identical WordPress ready website in place for my new client.

Of course, the Wayback Machine has no way of carting over the previously working contact forms scripting, so some additional setup was required; nothing anyone with a modicum of WordPress experience couldn’t do in a heartbeat.

Presenting my client something from nothing within the course of a few hours on a Sunday morning was glorious.

The client was so overwhelmed and forthcoming with gratitude that I was floating on a cloud for the rest of the day.

It’s days like those that remind me how wonderful the Internet can be and how thankful I am for what it gives us.

People helping people—the speed of light is our only limitation.


Enjoy!

"Give thanks by helping others in need"

 

Disclaimer: The writer of this article has no relation to either the Internet Archive Wayback Machine or the Wayback Machine Downloader. No monies were paid or given for the writing of this article.
Special thanks to Corey Kretsinger for some much-needed editorial review. Thank you!

 

Recent Posts

 

Buy Jim a cup of coffee?

 

WordPress Hacker Insurance and Support

Concerned about WordPress security and would like someone to watch your back? If this sounds like you then you are in the right place.  Taking a vacation, or maybe your web designer has wandered away?  Why worry about dark side of the Internet. Let HackRepair.com worry for you. It's what we Read More

Latest HackRepair Tweets