• Resolved viennamex

    (@viennamex)


    I have installed the latest BulletProof on a site that was hacked by a javascript hack that added the following lines to every php file header in WordPress including plugins.

    [ redacted, please don’t post a malware snippet like that again. ]

    …that’s just the first few lines. According to a 6scan this was due to a comments hack through the wordpress comments file.

    It killed my plugins and would quickly rewrite the javascript in all files in my website WordPress template. I finally had to completely remove the template, re-update 3.5.1, and base my site off a re-uploaded Twenty Twelve theme.

    As soon as I thought I had eliminated everything — I could not find any evidence of the code being written into the WP tables themselves or into the WP comments values.

    Using BulletProof I seem to be clean after a day. Now I want to buy BulletProof Pro.
    Especially since I see that you say you “firewall” the /plugins folder.

    But it leads to these 3 questions —

    Running a free scan from 6scan it alerted me to a problem with the commenting.

    1) Do I understand that even with a BulletProof Pro plugin that you do not offer the same kind of online Scanning for Problems that 6scan does?

    2) Does BulletProof Pro prevent the kind of javascript injection method that may have been used in this hack via the word press commenting file?

    I did not have commenting enabled before but I have now commented out the PHP call to the commenting file in two TwentyTwelve template files. AND deleted the wp-comments-post.php file altogether.

    3) Do you have a description from your experience of how WP sites are getting hacked with this same header injection hack that I experienced? Year after year WP sites get hacked with some form of the same hack yet when you Google this subject it does not seem that even WordPress itself alerts you to prevent just this sort of thing.

    (I did change my FTP password — it was unguessable before and it is still “unguessable”)

    https://www.ads-software.com/extend/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 21 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I have installed the latest BulletProof on a site that was hacked by a javascript hack that added the following lines to every php file header in WordPress including plugins.

    Absolutely no plugin in the world will provide you with 100% protection, especially if it’s your hosting account that’s been compromised.

    That’s not to say there is anything wrong with such plugins but there are a lot of insecure hosts out there. ??

    You need to start working your way through these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Thread Starter viennamex

    (@viennamex)

    Hi Jan,

    Thanks for the quick reply!

    I was looking at these resources yesterday.

    But, as I understand it you are speaking generically about WordPress security issues, and not speaking specifically about the actions and capabilities of Bulletproof Pro since you are not the developer or on the Bulletproof Staff.

    Right?

    I will be checking out your helpful links to see if I missed something yesterday.

    Plugin Author AITpro

    (@aitpro)

    First off, if you found malicious code on your website there is a good chance that hidden backdoor scripts are also somewhere else on your website (scanners will not detect/find them). It is recommended that you restore your website from a good backup to ensure there are not any hidden backdoor scripts anywhere under your website files.

    https://forum.ait-pro.com/forums/topic/website-is-already-hacked-will-bps-pro-automatically-fix-or-remove-the-hackers-files-and-code/

    1. BPS Pro takes another approach instead of using a website scanning approach since scanners can be easily fooled/beaten by hackers hidden backdoor scripts that are not detectable by any scanners. BPS Pro instead has AutoRestore/Quarantine, which is an Intrusion Detection and Prevention System (IDPS).
    https://en.wikipedia.org/wiki/Intrusion_detection_system

    2. Yes, there are several overlapping layers of security and the final layer is the ARQ (IDPS). BPS Pro would block this type of attack before the ARQ (IDPS) kicked in, IF this was a direct code injection attack, BUT typically this is the end result/symptom of a successful hack using one of the 3 primary attack targets listed below. AutoRestore/Quarantine alerts you via email when hacking attempts are prevented and files have been autorestored and/or quarantined. The next action that should be taken by you is to change all passwords immediately.

    https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

    3. The 3 primary targets in the highest order/number of attacks are:
    1. FTP password cracking.
    2. WordPress Brute Force password cracking.
    3. Cross site infection/attacks.

    Thread Starter viennamex

    (@viennamex)

    Thanks AITPro for answering my questions on a SUNDAY!

    It sounds like the PRO version needs my FTP account to work.

    Can you tell me about your own FTP security to keep our FTP accounts at your server safe?

    Why doesn’t Bulletproof PRO supply its own Brute Force prevention for just the “brute force” attacks you are talking about, as some plugins do.

    If not, what do you recommend as companion plugins that work with BulletProof PRO to harden up areas such as “brute force”. Since I don’t think simply htaccess rules can handle this crucial weakness.

    Plugin Author AITpro

    (@aitpro)

    BPS Pro does not need your FTP account information or access to your FTP account to do what it does. This link to the ARQ Guide explains how ARQ does what it does: https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

    Our FTP and all other login accounts use industry standard secure usernames and passwords.

    Example Secure FTP account info:
    Username: e5t8by3we2p9r8j
    Password: r#@478!y35Jb4#X@h!

    BPS Pro does provide Brute Force Login Security by ending script processing with an error. A very common mistake that a lot of other plugins do is this – they try to handle invalid logins or block by IP address. What happens when you do this is you have now created a DoS/DDoS vulnerability for a website, which leads to a website crashing due to being overloaded from handling invalid login attempts.
    Example: https://www.ads-software.com/support/topic/login-limit-htaccess-ip-ban-list-choking-under-pressure?replies=1

    Plugin Author AITpro

    (@aitpro)

    One of our test sites has been getting hammered pretty hard the last few days with Brute Force Login attempts so we decided to just block the wp-login.php page entirely by adding the wp-login.php filename to this security filter in the root .htaccess file.

    Note: this site is just for testing and is seldom used so no one is currently logging into it. In order to be able to login to this test site it requires that you FTP to the site and remove wp-login.php from this security filter.

    <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|wp-login\.php)">
    Order allow,deny
    Deny from all
    </FilesMatch>
    Plugin Author AITpro

    (@aitpro)

    Can you tell me about your own FTP security to keep our FTP accounts at your server safe?

    Also just wanted to make sure that you do not think that anything would change about your current Host/website. You would install BPS Pro on your existing website/Host.

    Thread Starter viennamex

    (@viennamex)

    Thanks so much!

    It’s past 2 am my time.

    I will upgrade to Pro tomorrow.

    Thanks for providing so much useful information!

    Several of my sites have been hacked on june 6. I am searching for the cause of this.

    @viennamex
    Did the malicious code start with zend_framework=”\x63\162 etc…. after the php opening ?
    (Your code got redacted)

    And the cause was a hack through the comments file?

    Would appreciate if you could answer so I can determine the cause of the hack in my sites

    Plugin Author AITpro

    (@aitpro)

    The 3 primary targets in the highest order/number of attacks are:
    1. FTP password cracking.
    2. WordPress Brute Force password cracking.
    3. Cross site infection/attacks.

    What this means is that your site was most likely (98% likelihood) hacked using one of the 3 primary attack targets/methods and the malicious code was injected/added after your website was hacked using one of the 3 primary targets/methods.

    The most desireable hack for a hacker is to crack your FTP password since this gives them full control of your entire hosting account. If you have a guessable FTP username it is only a matter of time until your FTP account is hacked. There are several free FTP password cracking apps available on the Internet.

    FTP account usernames should never be displayed publicly or shared with anyone else. You should never save/store FTP passwords in your Browser or FTP connection apps and you should ALWAYS type in your password each time you make an FTP connection.

    Example Secure FTP account info:
    Username: e5t8by3we2p9r8j
    Password: r#@478!y35Jb4#X@h!

    Hi Aitpro,
    Thanks for the tips on the primary targets.

    On all the sites that have been hacked I use a diffrent username and password. Don’t think that this was the cause, but you got me rethinking my usernames.

    Does Cross site infection/attacks mean that site A can be infected when site B is attacked and not sufficiently secured?
    In my case all the infected sites are hosted on a single (shared) server.
    Does Bulletproof security protect my site against a badly secured site on the same server?

    Plugin Author AITpro

    (@aitpro)

    Yes, Cross site infection/attacks mean that another website hosted on your same Server is either a victim site used to attack your site on the same Server or it is a hacker’s site and the attack is completely intentional on all other sites on that Server.

    Typically hackers prefer to use victim sites since they cannot be traced back to the hacker. So if they can compromise/hack a site on a server then the next step is to try and hack as many other sites on that same server. The objective is always volume with minimal effort. ie hack as many sites as possible with the least amount of effort.

    99% of all hacking is automated with hacker bots. A human hacker typically only visits the website after is has already been hacked or may never visit the hacked site.

    The fact that you stated this – “In my case all the infected sites are hosted on a single (shared) server.” – indicates that one of the 3 primary hacking methods was used since multiple sites are hacked and not just a single website.

    BPS does provide a fair amount of protection against cross site infection. BPS Pro has the ARQ IDPS, which is the final security layer if all other security layers have not stopped the hacking method/attack. In the case of an FTP password being cracked, this is outside the control/protection capabilities of any WordPress plugin (ie a plugin cannot directly protect FTP accounts). ARQ IDPS is classified as countermeasure security since an attack/hack is still prevented/stopped even though the hacker has cracked your FTP password or performed a cross site attack/hack.

    Plugin Author AITpro

    (@aitpro)

    Resolving.

    Thread Starter viennamex

    (@viennamex)

    I have a new problem with BulletProof Pro.
    I am on a 1und1.de server.

    Only when I get to the PHP.ini setup do I discover that Zend OPTIMIZER must be installed on my server account. And the server info says that there is no Zend Extension installed.

    But, when I download what is called OPTIMIZER from the Zend site it is not named what your instructions call for, same for looking at other 1und1.de information.

    zend_optimizer.optimization_level=15
    zend_extension=/kunden/homepages/30/d339629174/htdocs/ZendOptimizer/data/ 5_2_x_comp /ZendOptimizer.so

    The only extracted file from the Optimizer download these days is this —

    php-5.4.x/ZendGuardLoader.so

    I don’t know what to put into the php.ini file.

    and it does not look as if
    this definition is going to work: zend_optimizer.optimization_level=15

    Plugin Author AITpro

    (@aitpro)

    You can use your Host’s existing php.ini file and it will already have the correct Zend directive in that file.

    These 1and1 custom php.ini setup steps are ONLY if your PHP version is 5.2.x.
    https://www.ait-pro.com/aitpro-blog/2853/bulletproof-security-pro/php-ini-general-and-host-specific-php-ini-information-for-bps-pro/#oneandone

    If your php version is 5.3.x or higher then click this link for custom php.ini setup steps.
    https://forum.ait-pro.com/forums/topic/custom-php-ini-file-setup-php5-3-x/

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘BulletProof Pro?’ is closed to new replies.