A Little Tale About Website Cross-Contamination via @Sucuri_Security

March 15, 2012 · 54 comments

in WordPress

This post is provided for the readers of Just-Ask-Kim.com courtesy of the website & WordPress Security Scanning & Cleanup folks over at Sucuri. I highly recommend both their free scanner and their cleanup & keep-clean services!

A Little Tale About Website Cross-Contamination

Mary has a site that she really cares about; it's called mycoolsite.com. She has learned how to monetize her blog through ads, and this allows her to make her living.

She uses WordPress and always keeps it updated. She also keeps her plugins updated, uses strong passwords, accesses the admin panel via SSL and takes all the security recommendations very seriously.

She uses a shared server and her host offers her unlimited domains. Over the years she has taken advantage of this offering, adding a few sites here and there. One such site is mytestsite.com, which she uses to try new themes and plugins.

It has been at least a year since she touched one of her other sites, mytestsite.com. It hasn't been updated and houses a plugin that has since been removed from the WordPress repository. Little does Mary know that it was removed from the repository for having a very serious security vulnerability.

Part 1: The bad guys came…

Like in any story, the bad guys wasted no time in finding and exploiting this vulnerability.

They had a list of millions of sites that they were scanning daily (based on Alexa). They found her mycoolsite.com (which was ranking very well) and tried to exploit it without success. They looked for any potential attack vector: the WP version, vulnerable plugins, weak passwords (using brute force and dictionary attacks). They used a slew of tools from their arsenal; nothing worked. She won that battle.

A few days later, using a number of techniques, they found that she had another site on the same server, mytestsite.com. Unlike with mycoolsite.com, the same techniques as before got them in: they quickly found the vulnerable plugin and leveraged its vulnerability to gain access. Oh, well that's cool, it's only her unimportant site, mytestsite.com, who cares, right?

Part 2: How did my site get hacked?

The next day, she wakes up to emails from her users complaining that mycoolsite.com is setting off their local anti-virus alerts and/or being blocked outright. The first thing she does is go to her site to see what's going on. She is greeted with a scary warning: “This site may harm your computer”!

“EEK!! What is going on? How did my site get hacked? I did everything right!! I followed all the recommendations!!!”

Part 3: Website Cross Contamination

In part 1, we left you with a question: “Oh, well that's cool, it's only her unimportant site, mytestsite.com, who cares, right?”

WRONG!!

Yes, Mary did everything right to protect her mycoolsite.com. What she didn't do is apply those same principles to all her sites. She forgot that because the other sites are on the same shared account (and can be managed by the same user), any vulnerability in them can be used to compromise her whole account.

Once on the server, the attacker was able to introduce all kinds of malicious code, from backdoors to actionable code. Like any virus, it replicated itself, inserting itself into every PHP file it could find and spreading across every directory on her site without remorse.

That folks, is all she wrote…

Part 4: Fixing the Problem

As you would expect, Mary contacted a company to fix her site, mycoolsite.com. The company went through and removed all the malicious code, including the backdoors. Phew! It was displaying correctly again, and all warnings were gone.

She even took a few more steps this time around: she blocked wp-admin access by IP address and installed all the security plugins she could find. Victory?

Part 5: Website Cross Contamination and Reinfections

Nope. Not even close. Within an hour everything Mary thought she had cleared had reappeared.

Why did this happen when she had done everything by the book? Even hired a company to get it fixed?

The answer is simple: it's a concept known as cross contamination, and it's actually very easy to understand. We all know how viruses work: they spread. No point in having a virus that doesn't spread; where is the fun in that?

The same applies to web malware. It duplicates itself, injecting itself into little dark directories you never check, or care to check. Places you would not even think of. You might have a directory for all your JavaScript files, and in there you might find a PHP shell file. You might have a directory for images, and one of those PNG files might be masquerading as an executable.

Mary did what most people do: she fixed the infection but not the root problem. She spent a week cleaning her little site day in and day out, looking for some relief from the problem and demanding that someone fix it for good!

She finally took the additional steps recommended: scrubbing her entire server. She was dismayed at what was found. She was elated, yet heartbroken at the amount of energy she had put into the effort. After a week of work, lost sleep, significant impact to her Alexa ranking, and many other effects, some monetary, some not, Mary finally had control of her server again.

Pulling it Together

This very real tale is meant to articulate, by example, the concept of website cross contamination and how serious an issue it is.

The point is very simple: if you have many sites on the same account (running under the same user), any one of them can be used to compromise the others. The attackers don't care how important a site is to you; all they want is an access point.

It’s unfortunate, but we see this all the time. It’s why one of the first things we do is scan the server, if allowed, for software versions and known vulnerabilities. It’s sad to report that too often we find things like this:

/mycoolsite.com (WordPress 3.3.1)

/mycoolsite.com_backup_1 (WordPress 3.1) – Out of Date

/mycoolsite.com_backup_2 (WordPress 3.2.1) – Out of Date

/mycoolsite.com_backup_3 (WordPress 3.2.1) – Out of Date

/myplaysite.com (WordPress 1.5) – Not even kidding about the version. – Out of Date

/myunimportantsite.com (Joomla 1.4) – Out of Date

Action item: Check your server today. When you do, ask yourself:

Only keep the minimum necessary files, themes and plugins that allow your site to function perfectly. Everything else should be disabled or moved to a separate server. While you can never say your risk is 0, that does not mean you can’t work to reduce it.
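As an added example (not Sucuri's code, and not a tool the post mentions), the Python script below performs the two checks this post keeps returning to against a shared-hosting account root: it inventories every WordPress install by reading its wp-includes/version.php and flags those behind a version you pass in (reproducing the "Out of Date" listing above), and it flags the hiding places Part 5 describes, namely PHP files sitting in asset directories and PNG-named files whose first bytes are PHP source rather than a PNG header. The asset-directory list, the "current" version 3.3.1 and the site names are assumptions mirroring the post's listing; the directory tree it builds is constructed sample data, and every file in it is a placeholder.

```python
"""Shared-hosting account audit for the cross-contamination risks in the post.

Added example, not Sucuri's tooling. Two checks:
  1. inventory every WordPress install under the account root via its
     wp-includes/version.php and flag those behind the version you pass in;
  2. flag files that sit where they should not: PHP code inside asset
     directories and PNG-named files whose bytes are PHP rather than a PNG.
"""
import os
import re
import tempfile

# WordPress records its version as:  $wp_version = '3.3.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Assumption: directories that should only ever hold static assets.
ASSET_DIRS = {"js", "images", "img", "uploads"}
PHP_EXTS = {"php", "phtml", "php5"}


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a suffix such as '3.4-beta1' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def find_wordpress_installs(root):
    """Map each install dir (relative to root) to the version it reports."""
    installs = {}
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), encoding="utf-8",
                      errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            if match:
                install_dir = os.path.relpath(os.path.dirname(dirpath), root)
                installs[install_dir] = match.group(1)
    return installs


def outdated(installs, current):
    """Installs whose version is older than `current`."""
    return {d: v for d, v in installs.items()
            if parse_version(v) < parse_version(current)}


def suspicious_files(root):
    """(relative path, reason) for PHP in asset dirs and PHP disguised as PNG."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        in_asset_dir = os.path.basename(dirpath) in ASSET_DIRS
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if in_asset_dir and ext in PHP_EXTS:
                findings.append((os.path.relpath(path, root), "php-in-asset-dir"))
            elif ext == "png":
                with open(path, "rb") as fh:
                    head = fh.read(512)
                if not head.startswith(PNG_MAGIC) and b"<?php" in head:
                    findings.append((os.path.relpath(path, root), "php-disguised-as-png"))
    return findings


def build_sample_account(root):
    """Constructed layout echoing the post's listing; every file is a placeholder."""
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)

    for site, ver in [("mycoolsite.com", "3.3.1"),
                      ("mycoolsite.com_backup_1", "3.1"),
                      ("myplaysite.com", "1.5")]:
        put(f"{site}/wp-includes/version.php", f"<?php\n$wp_version = '{ver}';\n")
    put("mycoolsite.com/wp-content/themes/t/js/app.js", "console.log('ok');\n")
    put("mycoolsite.com/wp-content/themes/t/js/stray.php", "<?php // placeholder\n")
    put("mycoolsite.com/wp-content/uploads/logo.png", PNG_MAGIC + b"\x00" * 16)
    put("mycoolsite.com/wp-content/uploads/banner.png", b"<?php // placeholder\n")


def audit(root, current="3.3.1"):
    """Run both checks; `current` is the version you consider up to date."""
    installs = find_wordpress_installs(root)
    return {"installs": installs,
            "outdated": outdated(installs, current),
            "suspicious": suspicious_files(root)}


def run_sample_audit():
    """Build the constructed account in a temp dir, audit it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_account(tmp)
        return audit(tmp)


if __name__ == "__main__":
    result = run_sample_audit()
    for site, ver in sorted(result["installs"].items()):
        flag = " - Out of Date" if site in result["outdated"] else ""
        print(f"/{site} (WordPress {ver}){flag}")
    for path, reason in sorted(result["suspicious"]):
        print(f"SUSPICIOUS [{reason}] {path}")
```

On a real account you would call `audit(os.path.expanduser("~"), current="<latest WordPress release>")` from an SSH session; the version check only tells you what is stale, while the file check is a cheap first pass that a full scan (as the post recommends) should follow, since a PHP file planted in an asset directory or an image that is really code are exactly the leftovers that cause the reinfection described in Part 5.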

via A Little Tale About Website Cross-Contamination | Sucuri.

54 comments
Mitchel Reverra

Wonderful work! That is the type of information that is supposed to be shared across the net.

Mary

You got me so involved into this story that I'm going to have hacking nightmares tonight! :) Thanks for pointing that weakness out.

AnaTrafficCafe

A Little Tale About Website Cross-Contamination via @Sucuri_Security via @AskKim

Yourinda

A Little Tale About Website Cross-Contamination via @Sucuri_Security @AskKim

marquita herald

Very scary story indeed - I signed on with Sucuri last fall (your advice) and they've done a fine job of keeping my site hacker free. Ha! As a matter of fact, I forgot they were there until I saw this headline - jumped over to check, and sure enough the scans are conducted on a regular basis. I guess this is a good example of no news is good news.

Sherryl Perry

Excellent post Kim. Thanks for the link to the free scanner too. When I first read this post, I panicked a little because I have a lot of client sites hosted under my account. Then I realized that Rochen Host won't allow me to host a website with the same user name that I'm hosting another site under. Even though I do my best to keep everyone's site up to date, this sounds like an extra layer of security built in. (Now, I'll stop complaining about having to keep track of all these user names.)

Rosemary O'Shaughnessy

Hi Kim,

Many thanks for sharing this advice. It is so important to understand how to protect our sites. I always appreciate your WordPress tips and advice. Take care, Rosemary

Kim Castleberry

Hey Marquita, that is exactly the kind of "no news" we want to see! They do a great job keeping you safe and I'm glad you made the choice to go with them. Helps reduce one of the biggest possible headaches out here. And I know you have the OTHER big headache covered and are making backups and staying up to date so you're in great shape. Keep on rockin!

Kim

Kim Castleberry

Sherryl, as long as when you connect to the File Manager or FTP for your account you don't see them all there in the same public_html file tree then you're usually good. That's unusual that they've set their structure up so tightly but helpful for you. I use a combination of LastPass (free or pro) and then the WP Internet Management Center to maintain my client sites. That's the plugin/service I emailed about a couple weeks back and really like for managing them all and ensuring everyone is current on WP files etc.

Kim