
How botnets are created with hijacked WordPress, fake Flash downloads and Node.js - Sujan
http://betamode.de/2015/11/23/what-happens-if-your-wordpress-is-hacked/
======
joshfraser
I have a Wordpress plugin with ~100k active installs. Recently I've started
getting emails from people wanting to buy the plugin from me. I'm assuming
they want it for a botnet or other nefarious purposes. I'm not sure if
Wordpress have stepped up their monitoring of plugins or not, but in past
there was little oversight of the plugins and adding a direct backdoor to
those 100k servers would be trivial, not to mention the millions of people
that could be reached via JavaScript injection.

~~~
lucaspiller
Over the summer I tried taking over a few abandoned Wordpress plugins, some of
which had a similar number of installs. Before they would even try to get in
touch with the authors they wanted to see my updated code and made sure it was
up to current Wordpress standards. Once you have access to the plugin repo you
are free to push whatever you want though without review...

~~~
Otto42
"Without review" is not quite true. Some of us get an email for every commit.
Not kidding. Helps a lot for the scanning of things.

~~~
lucaspiller
I meant more that code can be pushed to the repository without it being
reviewed first, not that nobody is looking at it. If someone does push
something bad are there systems in place to blacklist a plugin and remotely
remove it from an install (and possibly contact the install owners)?

~~~
Otto42
> are there systems in place to blacklist a plugin and remotely remove it from
> an install (and possibly contact the install owners)

We have automated scanning systems for suspicious code commits. If they occur,
a few others and I get an email for manual review of the problem.
Additionally, many others get every commit and set up their own scanning tools
to see what's happening, as it happens.

When something-bad™ happens, then we can close a plugin (block it from being
downloaded or found in searches), revert changes or otherwise manually adjust
any aspect of the plugin, and if necessary, push updates for it to any
WordPress installs that have it.

Realistically, bad actors are not generally a problem for the plugins system.
I can count on one hand the number of times this has occurred to the point
where we'd need to actually push code. The real problem we're fighting is
accidental security issues. While WordPress core is quite secure, plugins have
far fewer eyes on the problem, and a lot of plugin developers are relatively
new coders. Things like simple SQL injections still pop up from time to time
in plugins, and that's a big problem.

So, the security issues with the plugins repository are not really about some
malicious person out there. Malicious people tend to be dumb spammers. They're
easy to spot and protect against, because they're only after the low hanging
fruit. What we mostly try to find are the things that good coding practices
would protect against, because not everybody uses good coding practices. Those
tend to be harder to scan for on an automatic basis.

~~~
lucaspiller
Thanks for the explanation, keep up the good work!

------
JoblessWonder
This is the whole reason Sucuri [1] exists and blew up in popularity shortly
after it launched. If you are running Wordpress, I'd definitely recommend
Sucuri.

If you don't have a paid plan, at least run the free scan once a month or more
to make sure you weren't hit by anything. I don't mind Wordpress as a CMS, but
it is a _constant_ target. Constant. And nothing looks worse than having
"Cheap Canadian Viagra" at the bottom of your corporate website.

[1] [https://sucuri.net/](https://sucuri.net/)

~~~
jakejake
I had a client who had a security plugin installed and they were getting
constant alert notifications about hack attempts. Thousands of login retries,
even though there was brute-force protection. The attempts would come from a
whole botnet of IP addresses to disguise that they were part of one attack.

On top of the security plugin, I added an .htaccess rule to only allow access
to the admin login and the entire wp-admin subfolder from within their office.
They have a static IP and were OK with only having access from within the
office so this worked well for them. This pretty much ended all of the
attacks. I probably wouldn't rely on this as the only protection, but it
definitely has been a great piece of their overall security plan. The code to
do that is here:

[https://gist.github.com/jasonhinkle/966aee379b170f365e6f](https://gist.github.com/jasonhinkle/966aee379b170f365e6f)

~~~
perezbox
I'm curious, what security tools did you have in place that were failing to
stop the attacks?

~~~
jakejake
Ironically I can't login to their site from my current IP to see what security
plugin they are using!

It was stopping the attacks - it was just that the attacker would try 10
password attempts, then get blocked by the plugin and trigger the alert
message. Then the attacker would switch IPs and try 10 more. One morning they
had gotten a ton of messages and I found about 250k login attempts in the
security logs. So the plugin was doing its job, but it's better now that the
attacks don't even make it that far. In fact you can't even hit a page within
the wp-admin folder which is nice in case some type of zero-day exploit
surfaces on a file within that area.
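A defender-side check for the pattern jakejake describes, added here as an illustration and not code from the thread, the linked gist or any security plugin: it parses constructed Apache combined-format log lines, counts failed POSTs to wp-login.php per source address, and asks whether many addresses each stopped right at the lockout threshold, which is what a per-IP blocker cannot see. The 10-attempt threshold, the 200-vs-302 status convention and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; only the fields the analysis needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_wp_logins(lines):
    """Return {ip: [status, ...]} for every POST to wp-login.php.

    Assumption: WordPress answers a failed login with 200 (the form is re-rendered)
    and a successful one with a 302 redirect into wp-admin, so status separates them.
    """
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].startswith('/wp-login.php'):
            attempts[m['ip']].append(int(m['status']))
    return attempts

def distributed_bruteforce(attempts, per_ip_lockout=10, min_ips=3):
    """Flag the pattern from the thread: many source addresses that each stop
    right at the plugin's lockout threshold before a new address takes over.
    Per-IP counters never look alarming; only the aggregate does."""
    failed = Counter({ip: sum(1 for s in st if s != 302) for ip, st in attempts.items()})
    at_lockout = [ip for ip, n in failed.items() if n >= per_ip_lockout]
    return {
        'total_failed': sum(failed.values()),
        'source_ips': len([ip for ip, n in failed.items() if n > 0]),
        'ips_at_lockout': sorted(at_lockout),
        'suspicious': len(at_lockout) >= min_ips,
    }

def make_line(ip, status, path='/wp-login.php', method='POST'):
    # Constructed combined-format log line; the timestamp is fixed for brevity.
    return (f'{ip} - - [23/Nov/2015:08:15:02 +0100] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: three bot addresses (TEST-NET ranges) each fail ten times,
# a real user fails twice and then logs in, and unrelated requests are mixed in.
SAMPLE_LOG = (
    [make_line(f'198.51.100.{i}', 200) for i in (11, 12, 13) for _ in range(10)]
    + [make_line('203.0.113.5', 200)] * 2 + [make_line('203.0.113.5', 302)]
    + [make_line('203.0.113.5', 200, method='GET'),
       make_line('198.51.100.11', 200, path='/contact/')]
)

def analyze(lines=SAMPLE_LOG):
    return distributed_bruteforce(parse_wp_logins(lines))

if __name__ == '__main__':
    print(analyze())
```

Feeding a real access log in place of SAMPLE_LOG turns this into the aggregate view the per-IP plugin alerts lacked.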

~~~
SHIT_TALKER
Sounds like WordFence. Email notifications are configurable. Turning off most
of them is advisable. I've had trouble with users with nominally static IP
addresses changing with sufficient frequency to be too much of an annoyance to
stay with IP whitelist. Limiting the failed login attempts and maxing out the
lockout period cuts down on a lot of the bot activity.

------
eljamon
tl;dr _Someone hacks WordPress websites and includes strange .js files that a)
lead to fake Flash downloads that install a botnet on your PC and b) abuse
your browser to get URLs from a Google search._

~~~
thenerdfiles
( _Like tracking CSS pseudo-classes or CSSi_.)

------
paxtonab
I wonder if the point of the botnet is to get SERPs from Google? They stopped
letting you know quite a bit of information about keywords, rankings, etc. a
while ago.

Seems like there is lots of potential for blackhat SEO with this type of
botnet.

~~~
jastanton
It's fairly easy to get SERPs just by spinning up some EC2 instances. You can
make a good number of requests just by providing proper headers. That is,
assuming the last guys using that IP didn't just do the same and get rate
limited. All this to say this seems to be a lot of trouble just for SERP
results.

~~~
paxtonab
I was also thinking that if competitors showed up in the results you could
then use the botnet to then link bomb them?

I agree that it does seem like quite a bit of effort for an undetermined
purpose though...

------
P4u1
The domain hosting one of the files seemed too legit to me, so I checked and
it's the actual website of a Brazilian company,
[http://cjccontabil.com.br/](http://cjccontabil.com.br/). It seems whoever
built the website got a WP theme (free, I assume) from somewhere which
happened to include this malicious file (/wp-content/themes/Hermes/main1.js).
I guess folks are downloading free stuff and hosting it on their websites
without inspecting the content of all files, so if you think you're safe by
just making sure your system is injection-proof, think again: are you using
some theme or plugin downloaded from somewhere on the web, and if so, have you
checked every single file included?

~~~
OSButler
The theme directory is a common target for code injection, as it is often set
with writeable webserver-user permissions, in order to allow the admin to use
the backend theme editor.

Almost all of the compromised accounts I've dealt with over the years were the
result of outdated WordPress or plugin installs, where an exploit was used to
upload a file to one of the commonly known writeable directories: plugins,
uploads, or themes.

Most of those cases could have been prevented if the owner would have kept
their installs up to date, which makes these issues so frustrating to deal
with.

------
heyalexej
Wow, this one infected at least 1,000+ sites according to Meanpath¹.

[1] [http://meanpath.com/f/j5LK9K](http://meanpath.com/f/j5LK9K)

~~~
Sujan
Ouch.

------
NickHaflinger
How botnets are created with hijacked WordPress, fake Flash downloads, Node.js
and Microsoft Windows...

------
Ianvdl
This is why you disable flash and run NoScript.

~~~
bkolobara
No. It is offering an executable pretending to be a flash player installer.
Nothing to do with actually running flash.

~~~
Ianvdl
I realise that. It is just generally good advice to disable flash.

~~~
elbigbad
Well, to be fair, you did say "[what the article talks about]... is why you
disable flash," not "it's generally good advice to disable flash."

~~~
Ianvdl
I concede, I could have phrased that better.

