Call for Free Consultation Today: (619) 479-6637     Hack Repair Testimonials Read more five star service reviews?

Website Malware andHack Repair Services

"We Fix Hacked Websites"

Website Security in The New Year 2021 – Are You A Cat Herder?

| | Leave a Comment

As we all head into the new year, if you implement the below strategies you’ll greatly reduce the likelihood your account will be compromised in 2021.

Are You A Cat Herder?

1. Segregation*
2. Monitoring
3. Regular updates
4. Backups

  • If you choose to not segregate your WordPress installations to separate accounts the risk your hosting account will be compromised will be exponentially greater this year.

 

 

Are you still “herding cats” like it was 2006?

 

As an expert cat herder, I can help you with your cat herding problem today.

 

#wordpress #infection #hackrepair #websitesecurity

Website Security Heads Up for May!

| | Leave a Comment

Website Security Heads Up for May

The pandemic has dramatically impacted the status of vulnerabilities for all of the major content management systems, like Joomla, Magento, and WordPress.

Hackers stuck at home with nothing to do but “code” have been wreaking havoc on the community of website management scripts, especially WordPress.

Luckily plugin and theme developers have likewise been “available” and most of the exploits listed below have patches in place now.

Sadly, the patches came too late for many. There has been a steady increase in privilege escalation hacks (where hackers gain access to lower-level user roles such as “Subscriber” to do their evil deeds).

Suffice it to say there is enough evidence to demonstrate that allowing subscribers to subscribe without any management oversight and not doing a reasonable amount of due diligence before installing a new plugin is a long term receipt for disaster.

 

Below is a shortlist of WordPress related plugins and theme whose code have been exploited in some way during the month of May (list credit to the WPScan Team).

Plugins:

Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS)

Advanced Order Export For WooCommerce < 3.1.4 – Authenticated Cross-Site Scripting (XSS)

Ajax Load More < 5.3.2 – Authenticated SQL Injection

bbPress < 2.6.5 – Authenticated Stored Cross-Site Scripting via the forums list table

bbPress < 2.6.5 – Unauthenticated Privilege Escalation when New User Registration enabled

bbPress 2.6-2.6.5 – Authenticated Privilege Escalation via the Super Moderator feature

Chopslider <= 3.4 – Unauthenticated Blind SQL Injection

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 – Unauthenticated File Upload Bypass

Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS)

Elementor < 2.9.8 – SVG Sanitizer Bypass leading to Authenticated Stored XSS

Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload

Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS)

Form Maker by 10Web <= 1.13.35 – Authenticated SQL Injection

Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS)

Login/Signup Popup < 1.5 – Authenticated Stored Cross-Site Scripting (XSS)

MapPress Maps < 2.54.6 – Improper Capability Checks in AJAX Calls

Multi Scheduler <= 1.0.0 – Arbitrary Record Deletion via CSRF

Official MailerLite Sign Up Forms < 1.4.4 – Unauthenticated SQL Injection

Official MailerLite Sign Up Forms < 1.4.5 – Multiple CSRF Issues

Page Builder by SiteOrigin < 2.10.16 – CSRF to Reflected Cross-Site Scripting (XSS)

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – CSRF leading to XSS

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – Unprotected AJAX’s leading to XSS

Paid Memberships Pro < 2.3.3 – Authenticated SQL Injection

Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection

Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access

Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS)

ThirstyAffiliates < 3.9.3 – Authenticated Stored XSS

Ultimate Addons for Elementor < 1.24.2 – Registration Bypass

Visual Composer < 27.0 – Multiple Authenticated Cross-Site Scripting Issues

WooCommerce < 4.1.0 – Unescaped Metadata when Duplicating Products

WP Frontend Profile < 1.2.2 – CSRF Check Incorrectly Implemented

WP Product Review < 3.7.6 – Unauthenticated Stored Cross-Site Scripting (XSS)

WTI Like Post <= 1.4.5 – Authenticated Stored Cross-Site Scripting (XSS)


Theme:

Avada < 6.2.3 – Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS

 
Be sure to double-check whether your site is using any of the above plugins. And if so, please consider updating them soonest.

 
* Yes, HackGuard.com service client’s plugins have all been fully updated to the latest version respectively.

Enjoy!

 

What’s a Web Shell and Why Is My Website Being Repeatedly Hacked?

| | Leave a Comment

“What’s a web shell?”

Most hacked websites have one or more web shell scripts added either during or after the site has been compromised.

Malicious backdoor scriptsWeb shell scripts, sometimes called backdoor scripts, often include a visual interface that may be used to upload, rename, copy, move, or edit files. These scripts may likewise be used to view, edit, or download a website’s database.

Not all web shell or file manager scripts are malicious. A website designer may use these types of scripts legitimately to add administrator users to a WordPress website, edit theme files, or make website backups.

Backdoor scripts may be named anything, though, within a WordPress site, these types of scripts usually stand out from the core WordPress files. They may have file names like module.php, users.php, or have random letters like fnrt.php.

Below are examples of web shell scripting. Notice how some hacker scripts may be readable while others may be encoded or obfuscated? Either way, if a script’s code looks malicious, it probably is. Examples:

1

Web shell code

Click image to enlarge

2

hacker web shell obfuscated code

 

Why Is My Website Being Repeatedly Hacked?

Now that you have a better idea of what a web shell or backdoor script looks like, let’s discuss why your website might be repeatedly hacked.

wordpress other directories

With respect to WordPress. Hackers are often quite good at hiding their malicious scripts in places you might not think to look. For example, I often find web shell scripts within image directories or other directories not associated with WordPress.

If you believe your site is compromised, be sure to check whether other directories have been added within your website hosting account, outside of the usual wp-admin and wp-content, and wp-includes directories. See the example at right.

Likewise, if you have more than one WordPress website installed within your hosting account, assume all are hacked. An analogy I like to use with new clients: “If a burglar breaks into your house, is he likely going to just hang out in your kitchen, eat all your cookies, and then leave?”

Just like the hiding of scripts within unassociated directories, I’ve seen hackers compromise a hosting account using known script exploits within one WordPress installation but leave that website remarkably unscathed malicious-scripting wise. Why? The hackers’ general hope is that you’ll leave the apparently unhacked website alone and only clean up the obviously hacked WordPress installation. This leaves the hacker an “open window” for future attacks.

We fix hacked websites

Let’s summarize what I’ve covered here today. First, nearly all hacked websites will have web shell scripts installed. These scripts allow the hacker ongoing access to your hosting account. And second, be aware that a hacker rarely hides these backdoor scripts in plain site, so be sure to consider every directory within your account as a potential hiding place.

Enjoy!

 

Recent Posts

 

Buy Jim a cup of coffee?

 

WordPress Hacker Insurance and Support

Concerned about WordPress security and would like someone to watch your back?  If this sounds like you then you are in the right place.  Taking a vacation, or maybe your web designer has wandered away?  Why worry about dark side of the Internet. Let HackRepair.com worry for you. It's what we Read More

Latest HackRepair Tweets