You definitely don't have to be an idiot to fall for a phishing scam these days. The shit is getting pretty sophisticated. Check this one out.
If you know what to look for you have good odds of spotting it but it doesn't make you stupid to miss it.
There's other clever fuckery too. Like this isn't a link to google here: http://ɢoogle.com. There are a lot of unicode characters that can be mistaken for ascii and browsers will render that in the url bar for you too. It's a valid url too. Pop it in and see where you go.
On sites (like my bank) that disallow pasting in fields either via CTRL+V or right-click context menu:
> dom.event.clipboardevents.enabled FALSE
will allow you to paste in randomly generated passwords as well as any other stuff. Remember to change it back to TRUE, otherwise shortcuts in other web apps like Google Sheets won't work.
> browser.ctrltabs.preview
will show thumbnails of tabs when you switch through them via CTRL+TAB.
> network.IDN_show_punycode TRUE
will show the correct (non-international chars) URL, helping to prevent phishing attacks as explained here.
Firefox stores your about:config settings in a file called prefs.js, which is kept in your profile directory. So to back it up, all you need to do is find your prefs.js file (on Mac, the profile directory is stored in /Users/XXXX/Library/Application Support/Firefox/Profiles, while on Windows it's in \Users\XXXXX\AppData\Roaming\Mozilla\Firefox\Profiles) and copy it to a safe location (Dropbox account, USB stick, etc.). Then if you ever need to reinstall Firefox, you can simply overwrite the prefs.js file in the new profile directory with your backup. Restart Firefox and your settings will be restored.
So, we took a deep dive this morning, and looks like they were storing sFTP (which is just SSH) creds as plaintext, or at the very least in a reversible format. Which is kind of terrifying. Also the impact is really that 1.2 million sites had their filesystems and DBs breached, which has a much wider impact than "1.2 million customers" because it is a breach for the customers of those customers. This is huge. My colleague /u/ramgall was just commenting that we're going to see the after effects of this for years.
https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/
"Cyrillic characters" "digital fingerprints" - Lol guys, your country is stupid af.
It was a shitty three years old outdated Ukrainian PHP malware, widely available on the internet, anyone can download it - https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
You found the malware script that some 14-year-old kid downloaded off the internet in an attempt to be a hacker; routinely spreading primitive phishing spam, they got lucky, got a password or two and gained access to emails. This is not a super spy hacking operation. It was kids with PHP crap.
Here is an article that backs your claim, by independent IT experts who examine WordPress website hacks from Russian sources: https://www.wordfence.com/blog/2017/01/election-hack-faq/ It's a good (but long) read with other MSM sources who agree that the initial report was bogus... yet the deep state continues to lie.
CrowdStrike has been BS since day 1. Check out the WordFence analysis of the hacking reports. They pretty much BTFO the whole Russian hacking narrative. WordFence is legit. I say this as a person who has used their security on various WP websites for small business clients. https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
I've been fighting pretty hard since 2016 to get Symantec out of our company.
I lost all confidence in them as a security tool provider after the Google Project Zero report.
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html
Google hacked the test systems via a vulnerability in the SEP client.
That vulnerability had been identified just over 7 years prior.
After being informed of the vulnerability, Symantec issued a patch or hotfix which resolved the problem.
The problem remains that Symantec's Security Tools division (specifically their anti-virus development group) did not have the proper controls in place to ensure that their compilers were fully up to date.
It's not about a software defect. A defect can happen to anyone.
It's about a known, published vulnerability (or defect) remaining unaddressed for seven years inside of a development unit responsible for creating security tools.
Combine this with Symantec's failure to be a proper steward of Crypto Certificates...
https://www.sslshopper.com/google-to-distrust-symantec-ssl-certificates.html
and all in all, it looks like Symantec has failed as a security organization.
Their brand recognition will carry them for a while longer, I'm sure.
But I have no confidence in them as an organization.
Not too fond of that website, but this article gives a very clear idea as to why the entire "Russia hacking" idea doesn't add up. I'm a website developer who works with WordPress a lot, and one of the companies I work with who monitors malware did an extensive study based on the FCCIC/FBI document presented in this article, using the tools they use every day to combat spam and phishing to WordPress sites. You can read the article here: https://www.wordfence.com/blog/2017/01/election-hack-faq/ Their conclusion was that the FBI report which made Obama sanction 35 Russian diplomats due to "vote hacking" was essentially amateur/inconclusive and doesn't prove that Ukraine wasn't 100% provably responsible for the supposed hacks. Obama made a terrible decision based off of shoddy intelligence (sound familiar?)
This article from an independent source agrees with you: https://www.wordfence.com/blog/2017/01/election-hack-faq/
Spez: Here's another article: http://fortune.com/2016/12/31/russian-hacking-grizzly-steppe/
If you've got it there, you've got it multiple places. That's a method of injecting code in a way that can escape more common scanning methods.
It's definitely malicious, and cleaning is going to require a fair amount of effort. https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Also, according to cyber-security experts, the fingerprints they left were actually Ukrainian, not Russian:
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
> They have found evidence that supports the idea of Russian involvement in the election. For example, computer forensics showed that the software the DNC hackers used on the hacked servers phoned-home back to the same command-and-control server that known Russian malware used.
Did it? Because what I remember is:
- the malware was actually freeware Ukrainian malware that you can easily download off of a site
- the ranges of IP it phoned home to are used by pretty much every piece of common malware there is
Here is the source where I read this.
I would use WordFence Pro for any client that is extra concerned about security. Their team is actively looking for vulnerabilities across the WordPress landscape. Maybe include the security audit as part of your proposal.
Your client's IT dept will geek out over the real time threat defense feed and live traffic monitoring.
The CIA have the tools to create fake fingerprints, but fortunately the black hat clowns who planted the fake fingerprints were incompetent morons. They messed up and planted Ukrainian malware by mistake, not Russian.
This is a summary from a detailed report on the malware by cybersecurity experts Wordfence:
This has been known for almost two years. The fact that the corrupt Mockingbird media have yet to report this tells you everything. The fake news media are absolutely the enemy of the people. That's why they refuse to report the truth.
>"The malware used to hack the DNC was used to hack the German Parliament back in 2015. According to German security officials, the malware originated from Russian Military Intelligence. An identical SSL certificate was also found in both breaches"
This is such a ridiculous overstatement. So the Russian government is using an outdated commercially available Ukrainian malware for international hacking? They kept their IPs without signing into a VPN to cover their tracks? I mean, how the fuck do you explain this shit? There is very little (provided) evidence that it was Russian intelligence. There is even less evidence (none) available that this information was given to WikiLeaks, which was the only organization that was releasing info that could have possibly had any kind of influence on our election. So this is the problem I have (and many others have) with this cluster fuck: we have a lame duck president enacting unprecedented sanctions on a foreign government over very flimsy evidence that we have had and known about since the fucking summer of 2015. Give me a fucking break.
>If we are to say these agencies are all lying or being misguided into thinking it was Russia, then there must be strong evidence.
No. NO! This is NOT how this works. If an organization is going to MAKE AN ASSERTION, particularly one that could cause potential military conflict with a foreign entity, they must prove the positive; the burden of proof lies on THEM. You can't ask us to prove the negative when they can't even prove the positive! Especially when our President was touting having the "Most transparent government ever" yet he has been harsher with whistleblowers than any other president. Something is very fishy about this whole situation and I think people should have a very healthy level of skepticism over this matter.
Or just read the original research instead of this blogspam with bad English grammar: https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
I couldn't make it beyond the second paragraph.
You're correct, they targeted a version of Firefox that was in the Tor Browser Bundle. Users who didn't have the most up to date Firefox (after the 0 day was patched) were vulnerable.
Here's a more detailed explanation. https://www.wordfence.com/blog/2016/11/emergency-bulletin-firefox-0-day-wild/
The biggest threat to Tor anonymity is still the end users' browsing habits.
>2. After reading a declassified report released by the Office of the Director of National Intelligence, I can say in confidence that I believe that Russia attempted to impact the U.S. election.
All that report did was build a motive. And yeah it would make sense that Russia would want the guy who is trying to mend relationships as the President. What it didn't present was any hard evidence. The actual evidence they presented proved nothing from a technical standpoint. What was actually used was free (you could use it yourself if you wanted to), outdated malware that was sent out to millions of Wordpress users at the time. Hell, the FBI didn't even examine the server, why are they acting so authoritatively on it? The only ones who examined it were DNC contractors. Wikileaks, the only ones that have actually had contact with whomever the hacker/leaker was, has denied that it was Russian government actors. Everything that has been released by the so-called "Intelligence Community" is inconclusive and the fact that they act so indignant when people are skeptical about starting a war over this stinks to high heaven.
There's a spectrum of automatic update security.
At the very bottom, you have `curl http://foobar.com/update-1.0.1.sh | sudo bash`. Somewhere near there you have what WordPress does. Then you have what Google Chrome already does. Finally you arrive at what I'm trying to accomplish.
To work with a more well-known example: If you hack WordPress's update servers, you get full access to 27% of the Internet for free, at the cost of a single 0day or security misconfiguration.
The work being done here will ensure that, in order for an attack to get carried out, it will require access to the Ed25519 secret key used by the software vendor. You can't attack this scheme by hacking the update server and silently replacing the update file with malware, you have to attack the vendor (who may keep their signing key offline).
Even if you pull this attack off, in order for it to succeed, you must alert the entire Internet to the existence of your attack by committing metadata about it to a public, replicated, independently verifiable database. This prevents two types of attacks:
In order to pwn someone, you have to pwn all of the users, and alert everyone (users and strangers) to the existence of your attack. This makes forensics easier, attack containment simpler, and as an added benefit, deters law enforcement from ever obtaining a warrant that would authorize them to perform such an attack.
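The "public, replicated, independently verifiable database" half of the scheme described above, as an added example (not Paragon's, Airship's or WordPress's code): an RFC 6962-style Merkle tree over update metadata, with inclusion proofs a client can check against a root it already trusts. An update whose metadata was never committed to the log cannot produce a valid proof, which is what forces an attacker who has the signing key to announce the attack publicly. Ed25519 signing of the update file itself is left out because the Python standard library has no Ed25519; the log entries and version strings are constructed for the demo.

```python
"""Added example (not Paragon's, Airship's or WordPress's code): an append-only
Merkle log over update metadata with RFC 6962-style inclusion proofs.
Log entries and version strings below are constructed for the demo."""
import hashlib
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """Leaf hashes are domain-separated with 0x00 so a leaf can never be
    passed off as an interior node (RFC 6962 section 2.1)."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior nodes are domain-separated with 0x01."""
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


class TransparencyLog:
    """Append-only list of update metadata with a Merkle root and inclusion proofs."""

    def __init__(self):
        self.entries: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self.entries.append(entry)
        return len(self.entries) - 1

    def size(self) -> int:
        return len(self.entries)

    def root(self) -> bytes:
        return self._mth(0, len(self.entries))

    def _mth(self, lo: int, hi: int) -> bytes:
        n = hi - lo
        if n == 0:
            return _sha256(b"")
        if n == 1:
            return leaf_hash(self.entries[lo])
        k = _split(n)
        return node_hash(self._mth(lo, lo + k), self._mth(lo + k, hi))

    def inclusion_proof(self, index: int) -> List[bytes]:
        """Sibling hashes from the leaf up to the root (deepest first)."""
        return self._path(index, 0, len(self.entries))

    def _path(self, m: int, lo: int, hi: int) -> List[bytes]:
        n = hi - lo
        if n == 1:
            return []
        k = _split(n)
        if m < k:
            return self._path(m, lo, lo + k) + [self._mth(lo + k, hi)]
        return self._path(m - k, lo + k, hi) + [self._mth(lo, lo + k)]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from the entry and its proof; True only if it matches
    the root the client already trusts (e.g. one gossiped from other replicas)."""
    if not 0 <= index < tree_size:
        return False

    def rebuild(m: int, n: int, rest: List[bytes]) -> Tuple[bytes, List[bytes]]:
        if n == 1:
            return leaf_hash(entry), rest
        k = _split(n)
        if m < k:
            sub, rest = rebuild(m, k, rest)
            return node_hash(sub, rest[0]), rest[1:]
        sub, rest = rebuild(m - k, n - k, rest)
        return node_hash(rest[0], sub), rest[1:]

    try:
        computed, leftover = rebuild(index, tree_size, list(proof))
    except IndexError:  # proof shorter than the tree requires
        return False
    return not leftover and computed == root


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: five published updates, then a forged one that was
    never committed to the log and so cannot be proven included."""
    log = TransparencyLog()
    for v in ("1.0.0", "1.0.1", "1.0.2", "1.1.0", "1.1.1"):
        log.append(f"example-app {v} sha256=PLACEHOLDER".encode())
    root, size = log.root(), log.size()
    genuine = verify_inclusion(log.entries[3], 3, size, log.inclusion_proof(3), root)
    forged = verify_inclusion(b"example-app 1.1.2 sha256=FORGED", 3, size,
                              log.inclusion_proof(3), root)
    return genuine, forged


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine update verifies:", ok)   # True
    print("forged update verifies:", bad)   # False
```

The client side of the scheme is only `verify_inclusion`: it needs the entry, its index, the tree size, the proof and a root hash obtained independently of the update server, so a compromised server can serve a modified update but cannot make it verify against a root other replicas have already seen.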
Sure. We've previously published *On the (in)security of open source CMS's* which delves into the other core out-of-the-box security deficits of WordPress in detail.
Solving this is a side-effect of a larger goal: Making their automatic update feature not an enormous SPOF.
I'm not sure I'd agree that there are much bigger fish in stock. The long tail of vulnerable plugins/themes isn't going to go away until they invest heavily in security automation.
Also, "Making WordPress Secure" is going to be a series of posts I make here over the next month.
Ah that display widgets plugin disaster where the original author sold off the plugin (which had >100,000 installs) for $10-20k.
Some good comments in here at the developer's website. She was a greedy idiot for doing what she did (selling to an unknown party without notifying the users):
http://strategy11.com/display-widgets/
https://www.wordfence.com/blog/2017/09/display-widgets-malware/
> the actions of another government against us
You mean the alleged actions of which the only currently existing """evidence""" is:
- an allegation that outdated freeware Ukrainian malware is a sure sign of Russian government hacking
- an allegation that IP addresses used by common malware networks and TOR exit nodes are indicators of Russian government penetration
- a second report which focuses nearly entirely on Russian TV station RT and contains not a shred of evidence of alleged hacking
Yes, tell me more about "another government's actions against us".
Here's an analysis of the report done by the people who make the firewalls for WordPress: https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
They claim the evidence provided is all circumstantial and the malware used doesn't make sense for a state-sponsored attack, as it was outdated at the time and originated in Ukraine. The evidence was all "it fits their work-hours, and their MO" but nothing that proves it had to be them. Since the malware used has been publicly available since before the hacks, it only shows that the hack could have come from anywhere in the timezones Moscow is in or borders.
I never understood what the big deal was with hacks.
The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
You can find a public repository containing the data used in this report on github.
As always I welcome your comments. Please note that I will delete any political comments. Our goal in this report is to merely analyze the data DHS provided and share our findings.
Mark Maunder – Wordfence Founder/CEO
Hey guys. Wordfence Founder/CEO here.
We've posted a blog entry here: https://www.wordfence.com/blog/2016/10/removing-falcon-cache-wordfence-heres-need-know/
We're going to give our customers at least 4 weeks to migrate off Falcon to something else. If you need longer, let us know. But we can't make it indefinite.
Long story short, it's what twinsea said: We're focusing on one thing: Security. It's what we know and it's what we're really good at. Caching actually comes with some down-sides and we detail it in the blog post.
Let me know if you have any questions, I'll be visiting here every few hours when I can.
~Mark
Install the WordFence plugin and set it up as you want. My ideal setup is:
WordFence (I'm using the free version) also mails you security digests every week with an overview of blocked attacks, banned IPs etc.
I wouldn't dare to run another WP instance without it (when I see how frequent those attacks are).
Update: We received confirmation from GoDaddy that the breach also affects tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.
Fake as in licences not working, or what? The problem is you may now have malware if those installed plugins are "nulled", or the fiverr guy added some backdoor, etc., and no level of "reset" is going to help you here; you need to start fresh somewhere else.
Try restoring from a backup from before the fiverr guy, and scan your site for malware with gotmls/Wordfence and hope for the best.
1. In your Firefox location bar, type 'about:config' without quotes.
2. Do a search for 'punycode' without quotes.
3. You should see a parameter titled: network.IDN_show_punycode
4. Change the value from false to true.
Now if you try to visit our demonstration site you should see
Just bookmark it or manually enter mymonero.com. Don't google mymonero then click on an arbitrary link, because it might be some tricky unicode phishing link that looks exactly like mymonero.com but under the hood the link is like https://xn--fkjdaslf.com
see: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
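The checks a defender wants for the trick described in these comments (the `ɢoogle.com` link, the `network.IDN_show_punycode` setting, and the `xn--` form a bookmark-only rule protects against), as an added example that is not code from the page, from Wordfence or from Mozilla: it converts each hostname label to its punycode form, lists every non-ASCII character with its code point and name, and flags labels that mix scripts the way Chrome's IDN policy does. The hostnames it runs on are constructed for the demo; the Cyrillic lookalike of a well-known brand is spelled out by code point in the usage below.

```python
"""Added example (not code from the page, Wordfence or Mozilla): flag hostnames
whose labels use non-ASCII or mixed-script letters, and show the punycode
(xn--) form that a browser displays when IDN rendering is switched off.
All hostnames below are constructed for the demo."""
import unicodedata


def script_of(ch: str) -> str:
    """Script name of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN' for 'a' and for U+0262, 'CYRILLIC' for U+0430)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_punycode(host: str) -> str:
    """ASCII form of a hostname: each non-ASCII label becomes RFC 3492 punycode
    with the 'xn--' prefix, which is what network.IDN_show_punycode=true shows."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_punycode(host: str) -> str:
    """Inverse of to_punycode: decode every 'xn--' label back to Unicode."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def analyze_hostname(host: str) -> dict:
    """Report why a hostname may be a homograph: every non-ASCII character is
    listed with its code point and name, and a label that mixes scripts
    (e.g. Latin letters beside one Cyrillic letter) is flagged separately."""
    reasons = []
    for label in host.lower().split("."):
        non_ascii = [c for c in label if not c.isascii()]
        if non_ascii:
            listed = ", ".join(
                f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in non_ascii
            )
            reasons.append(f"label {label!r} contains non-ASCII characters: {listed}")
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts: {sorted(scripts)}")
    return {
        "host": host,
        "punycode": to_punycode(host),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed inputs: the ɢoogle.com link from the thread, a mixed-script
    # label with a Cyrillic 'а' (U+0430), and the genuine ASCII name.
    for h in ("google.com", "\u0262oogle.com", "p\u0430ypal.com"):
        r = analyze_hostname(h)
        print(r["host"], "->", r["punycode"], "| suspicious:", r["suspicious"])
        for reason in r["reasons"]:
            print("   ", reason)
```

Two different signals are reported on purpose: `ɢoogle.com` is a single-script (Latin) label, so it is caught only by the non-ASCII listing, while an all-Cyrillic lookalike is also single-script and is caught the same way; only a label that combines scripts trips the mixed-script rule, which is why a browser policy that relies on script mixing alone still has to fall back to punycode display for whole-script confusables.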
The fingerprints are actually Ukrainian. The CIA attempted to push the narrative that the fingerprints were Russian, but whoever faked the fingerprints messed up.
A report by cybersecurity experts Wordfence confirmed this several months ago:
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
As Wordfence says, the file isn't part of WordPress, and shouldn't be there, especially as it allows people to manipulate the WordPress database. I would definitely delete the file, and if you didn't put it there yourself, it indicates there's a vulnerability somewhere allowing files to be uploaded.
There are more details at: https://www.wordfence.com/blog/2017/07/searchreplacedb2-security/
I've shared this a couple of times, but once again here is an independent source (this source deals with website hacks all of the time) who disproves the Russian hacking narrative: https://www.wordfence.com/blog/2017/01/election-hack-faq/ This is just one source, but many other IT experts who read the Clapper report think it's bogus: http://fortune.com/2016/12/31/russian-hacking-grizzly-steppe/
Security services say they have such videos; nothing has been presented.
I found the primary source; no video or any documents that have been confirmed by the infosec community have been presented to the public, on the contrary, it has been proven false by them. Until then it is false in my opinion.
The FBI presented a sample of the code they used; it turned out to be an old Ukrainian PHP malware that anyone can download. The evidence is not on your side.
Here is a FAQ for you; the first link in the text has all the technical information, but I thought you might want a quick overview first.
https://www.wordfence.com/blog/2017/01/election-hack-faq/
>You are nothing but a little Putin rat.
Reported, try being constructive.
Fair question. I drew the conclusion after I saw that the footprint left by the "Russians" who hacked the DNC was actually outdated Ukrainian PHP malware. Meaning, if the Russians were hacking the DNC, they used outdated malware and left a noticeable footprint. Conveniently, this footprint was found by the FBI and used by the media to insinuate that there was a connection between the Russians and Trump. The paid-for dossier just furthers that same narrative: that Trump was in collusion with the Russians.
See: https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
Seems to me like leaving an outdated footprint leaves me to draw one of a few conclusions. 1) Russia did hack Hillary, DNC, Podesta, etc. and the US IC got their hands on the information the Russians hacked and leaked it to Wikileaks; 2) Russia didn't actually hack anything and it was rogue agents participating in the counter-coup with access to these CIA tools that were the source of the "Russian" hacking of emails and the subsequent release to Wikileaks; or 3) They were leaks from someone inside the DNC such as Seth Rich (conveniently killed, and whose death is also being investigated for Russian meddling in his death).
I think you're referring to Wordfence. https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
The correct answer is "what proof do you have it was Russia" though, don't let the trolls put the burden on you.
Then there's things like William Binney (former NSA director) writing an open letter saying it wasn't Russia.
Honestly the fact that the left has been calling anyone that doesn't accept the "Russians hacked the election" hysteria crazy is beyond me.
This breakdown of Grizzly Steppe report is worth a read too. This plus the fact that Assange keeps repeating the source is not Russia makes me more skeptical of a story I was ready to accept.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> Russians hacked the DNC servers and phished stupid Podesta's email. I'll take that as fact.
Unfortunately, I'm a Russo-skeptic. What proof do they have? That the so-called hacking tools were outdated php malware, available to everyone? https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/ It's pretty easy to get a botnet as an American to use IPs in Russia and China. But that's all beside the point, that Clinton should have been using actual security professionals to manage her accounts. And like you said, we do the same thing to other countries. Time to move on.
> McCain thinks he can push Trump around. He's in for a rude awakening. McCain wants to set foreign policy. He can't.
Fascinating take.
It is a Ukrainian malware (a web shell called P.A.S. 3.1.0). It can be found everywhere. It's not uniquely attributable to the Russian Intelligence Services.
Here's where you can get it yourself :http://profexer.name/pas/download.php
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> We used Wordpress
WordPress is horrible in terms of security. Your next project should be to tighten the security of the new website. You don't want to find out that someone has taken over the site and is now posting porn on the new library site.
https://www.wordfence.com/ is a good place to start. The admin dashboard should be locked down to local IPs. Read more into other things you can do to make it more secure. If you want you can even block all traffic from outside the country.
Well, believe it or not, what I've learned from reading other people's experiences is that this may not be such an uncommon problem for an ecommerce store. Malicious actors who acquire parts of other people's card information will try to brute-force their CCV/CCV2 (or expiry date) in this way, from what I understand.
They essentially use an (any) ecommerce store as a sandbox, to crack this.
If this happens from a consistent IP address, you should look into employing some fraud protection - here is a free resource.
If your store has a sign-up/sign-in functionality, this might be of help.
I can't tell you if your WP installation is compromised. If all you have experienced, is a large number of possible fraudulent purchase attempts, I wouldn't think that it is. If you are uncertain, you could try to employ a WAF like Wordfence, to see if there might be suspicious files in your WP directory.
This is, sadly, the correct answer. If you don't understand security, and you're not running WordFence Premium (for the 0-day firewall rules), you're definitely fully hacked, and simply deleting the files won't fix that in 99.9% of cases.
WordFence also provides site cleaning services (disclosure, a former co-worker is a site cleaner for them, they're very good at what they do) that is probably going to be your best bet at this point.
Similar research and description at wordfence.com/blog/.
Still wondering a bit why all those "Security", "Firewall", "Antivirus", "Scanner" etc. plugins did not get triggered by all that plain text `wp_safe_remote_get(..)` code..
My mind instantly went to the Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC, posted just a few days ago.
5a part 3.
Foolishly use Ukrainian malware rather than Russian malware when creating the footprints, because the DNC IT insiders are idiots.
> If that's the case, then for heaven's sake read what's in the address bar.
Even if you're on guard, it's not always that easy.
> Or read the source code of the login page.
Looool.
> It's so easy to see through.
I wouldn't be so sure if I were you. Spear phishing can be targeted at one specific person, and I strongly doubt that the Russian state spells as badly as the average phishing email claiming to be from "Ddamske Bangk".
This is an organization with many resources and many tricks in its toolbox, not just some random criminal trying to swindle people out of their VISA numbers.
We don't know who interfered with our election. Take a gander at this report from WordFence (https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/). The attacks mainly come from software that is readily available in 'newbie hacker' and 'script kitty' software bundles. It is so pedestrian that it has instructions on how to use it in the program itself. A vast majority of the attacking IPs come from TOR networks and are therefore completely untraceable. There were more Domestic IPs involved in the attack than from Russia. Etc.
From what it seems the security on these systems was so lax that some kid from the US trying to impress Anonymous could have done it.
> But despite what Assange says (which isn't much, tbh) it doesn't matter. I'll take evidence over someone's word any day. Especially the word of Assange...
I mean have you actually looked at the evidence provided by the intelligence agencies? It is entirely unconvincing to me. E.g.: https://www.wordfence.com/blog/2017/01/election-hack-faq/
And why exactly is the word of Assange worth so little? Wikileaks has never been proven to have released any false information (and there have been countless people/agencies trying to prove such a thing). CIA/FBI/NSA/etc have all been proven multiple times over to have lied to the public to further their agendas, for the entirety of their existence. IMHO Wikileaks has a way more trustworthy track record of telling me the truth.
Thank you! Generally I'm a fan of Paragon's work, but I'm also a Drupal and WordPress dev (who's dabbled in Joomla as well) and these last two airship pieces really haven't done much for me.
The biggest issue I'm having with their framing is that it feels no better/different than the thousands of "My CMS is better than yours" posts across the web. It's like arguing hammers are better than table saws because they are better at pounding things in.
From the Drupal side, I think Drupal does take security seriously (more so than any of the other CMS's I work with; see Wordfence v 404 to 403 plugin), and adding patches that cover these concerns is just a matter of doing the work (maybe aside from auto-updates?).
With that said - if you compare the quantity of work necessary to write and maintain a full CMS, with the time necessary to write the patches to address these issues and push them through the Drupal community, the math doesn't make sense for me.
On balance, it's great that airship is out there, and I disagree with people who are hating on it. If I need to look at a good secure approach to implementing a feature, it's a good place I'll look. That said, it's hard to see a time in the near future when selling airship to a client will be a viable option.
>Don’t use the default database prefix.
This doesn't do anything. You can query the database prefix and continue on your way.
https://www.wordfence.com/blog/2016/12/wordpress-table-prefix/
Actually the original vector used was Ukrainian in origin. Source:
Try this one:
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
A technical refutation of the "Russia did it" meme that the entire Western news press has jumped onboard with, without question or scrutiny, or considering the political motivations of James Clapper.
I don't claim any cyber security expertise but I have tried to educate myself on both sides. Here are a couple of relevant links related to skepticism over whether the malware(s) and attack vectors are compelling:
> Proponents of this theory, including the CrowdStrike researchers who analyzed the Democratic National Committee's hacked network, argue that the pattern strongly implicates Russia because no other actor would have the combined motivation and resources to hack the same targets. But as Carr pointed out, the full source code for the X-Agent implant that has long been associated with APT28 was independently obtained by researchers from antivirus provider Eset.
> "If ESET could do it, so can others," Carr wrote. "It is both foolish and baseless to claim, as CrowdStrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will."
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
> The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
The WordFence blog has an article on this vulnerability, as well as some possible indicators of the exploit in use. Thankfully, I can't find anything across the sites I manage going back as far as mid 2019.
> If you think you have been exploited due to this vulnerability, the WooCommerce team is recommending administrative password resets after updating to provide additional protection. If you do believe that your site may have been affected, a review of your log files may show indications.
> Look for a large number of repeated requests to `/wp-json/wc/store/products/collection-data` or `?rest_route=/wc/store/products/collection-data` in your log files. Query strings which include `%2525` are an indicator that this vulnerability may have been exploited on your site.
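The log review the quoted advisory asks for, as an added example (not Wordfence's or WooCommerce's code): it parses combined-format access log lines, counts requests to the collection-data endpoint in either of its two URL forms, and groups the ones whose query string carries `%2525` by client IP so a burst from one address stands out. The log lines, IP addresses and query parameter names are constructed for the demo and are not the real exploit payload.

```python
"""Added example (not Wordfence's or WooCommerce's code): scan web-server access
logs for requests to the Store API collection-data endpoint whose query string
carries the double-encoded percent sign %2525. Log lines, IPs and parameter
names are constructed for the demo and are not the real exploit payload."""
import re
from collections import Counter

# Apache/Nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Substring common to /wp-json/wc/store/... and ?rest_route=/wc/store/... forms.
ENDPOINT = "/wc/store/products/collection-data"
INDICATOR = "%2525"

# Constructed sample: two probes from one IP, one ordinary store query, one page view.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2021:03:12:01 +0000] "GET /wp-json/wc/store/products/collection-data?attr=%2525 HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.7 - - [15/Jul/2021:03:12:02 +0000] "GET /?rest_route=/wc/store/products/collection-data&attr=%2525 HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.4 - - [15/Jul/2021:08:40:11 +0000] "GET /wp-json/wc/store/products/collection-data?page=1 HTTP/1.1" 200 230 "https://shop.example/" "Mozilla/5.0"
198.51.100.4 - - [15/Jul/2021:08:40:12 +0000] "GET /shop/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> dict:
    """Count collection-data requests and collect those carrying %2525,
    grouped by client IP."""
    endpoint_requests = 0
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or ENDPOINT not in rec["path"]:
            continue
        endpoint_requests += 1
        if INDICATOR in rec["path"].upper():
            hits.append(rec)
    return {
        "collection_data_requests": endpoint_requests,
        "indicator_hits": hits,
        "hits_by_ip": Counter(h["ip"] for h in hits),
    }


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print(result["collection_data_requests"], "collection-data requests seen")
    for ip, n in result["hits_by_ip"].most_common():
        print(f"{ip}: {n} request(s) with {INDICATOR} -> review, then reset admin passwords")
```

Run it against a real log with `scan_log(open("access.log").read())`; a normal storefront produces collection-data requests without `%2525`, so the count alone is not an alarm, and only the `hits_by_ip` table is worth acting on.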
There was a massive/critical security breach found in July 2020 - https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/
By not updating to the latest version, you are risking the entire website for you and your visitors.
It is very important to update because things like these could result in a data breach, which can be very costly.
Like TSP2015 said, update on a staging site and see what happens. If there were modifications done to the actual theme (which is never advised and should always be put in a child theme) then you will most likely need to ask what changes were made and go digging for changed code. If everything looks and functions correctly then you should be okay to update on the live website or push staging to live.
Hi u/uniquevoid! Some first measures I'd recommend:
As far as documentation is concerned, there are so many sources that it's difficult to track them all down, but we do have a pretty excellent set of learning resources available at:
Here is a good video about this from the Wordfence team: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/
I'm late to the party, but lemme explain what you just found, first of all.
It's just the root directory of the phishing campaign, probably generated with SET or another tool.
That's a webshell called WSO, version 2.4 (what's this?)
It shows shared hosting; that's why you see the tables, which are folders. You see red on the right side because you lack permissions. You see the cPanel user space where all the emails, files, and configs are used for this specific user. Most of these configs are useless for you, just as the cert and keys.
With this info you could probably hack all of the users on the webserver, since this is shared hosting and it seems that it's hosting a lot of websites; you can probably mass-deface or set a ransomware. But that's if you're a bad guy.
Very interesting comment and link on the article, hadn't seen this before:
"I don't understand why this source is not cited more often and more prominently in references to the original leak. Wordfence is a WordPress security company. It sells WordPress security plugins and sends out security bulletins to its customers. It did as thorough and as neutral an investigation of the “hack” as we are ever going to get: https://www.wordfence.com/blog/2017/01/election-hack-faq/
Remember this claim that Ukrainian malware was used during the election attacks? https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
> The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
> The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
Security through obscurity is weak. As you said you've been using WP since 1.5/2.0, I would bet that as long as you applied good security before, changing the login url was not needed. Spend the time building walls around your data instead of trying to hide it.
Edit: Wanted to add this - https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/
No such evidence has been presented to the public, and what has been presented by the FBI has been refuted by the infosec sector.
So the FBI has proven to be liars; thus one cannot trust that they have video evidence and the other shit they claim.
You can read a bit here; all the technical details are in the first link in the first paragraph.
It's worse: It's "hack one simple server that's managed/secured by the people who made WordPress". I haven't tried to break in because that would be a criminal act, but WordFence nearly succeeded last year.
This is a hack that is already known and affects quite a few WordPress sites as well. If they had an exploit on the server, writing to the files without DB access is quite possible and easy.
https://www.wordfence.com/blog/2017/10/cryptocurrency-mining-wordpress/
Be careful of this extension, it was recently hacked and taken over. Source
The WordPress security team (Wordfence) analyzed some of the supposed malware and figured out it didn't even originate in Russia; it originated in Ukraine and was outdated.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
More of the IP addresses were identified to originate from USA than Russia which is worth absolutely nothing either way because of VPNs and TOR.
This was their conclusion:
>But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors,
>The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
Not sure why this isn't more widely known.
> The Russian intel is NOTHING like this. It is not based on a human source. It is based on digital "fingerprints" left by Russian hackers. There is nothing second hand or circumstantial about it. The evidence has in fact been released publicly by the CIA
The only "digital evidence" was outdated Ukrainian malware which had no link to the Russian government. To summarise:
> The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
> The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
The fact that the CIA is trying to link outdated Ukrainian malware to the Russian government as "evidence" shows that they truly have nothing. At least when they claimed Saddam Hussein attacked the United States with anthrax, there was an anthrax attack.
We've been tracking all the defacement campaigns in depth: https://www.wordfence.com/blog/2017/02/rest-api-exploit-feeding-frenzy-deface-wordpress-sites/
Wrote a follow-up post on the growth we're seeing in each campaign:
https://www.wordfence.com/blog/2017/02/rapid-growth-in-rest-api-defacements/
Coverage in the BBC and just a ton of other publications: http://www.bbc.com/news/technology-38930428
~mark
The real issue is the corruption exposed in the emails.
The journalists who exposed the Watergate scandal were heroes. Nowadays, Obama would paint them as Russian hackers interfering in US politics.
People who expose corruption are heroes, no matter where they're from.
Also, Wordfence, who are cyber security experts for WordPress, have conducted a very detailed analysis confirming the malware in the CIA report was Ukrainian.
It's a very detailed article, but if anyone wants a quick summary, this is their conclusion:
"The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website."
So there you have it. IT experts confirm that Obama and the CIA are liars.
Nope.
The US gov's released evidence is nonsense. It's basically a case of blinding by bullshit with a big dose of "trust us, it's secret". Read the report. Seriously, it's basically an allegation wrapped in a management presentation ~ the kind of thing you'd give someone when you can't be assed writing a real report and know the reader can't tell the difference.
I'm presuming they included the super sophisticated secret Russian php tumb as some kind of 'shits and giggles' in-joke.
Try not to laugh, but here is a *real* analysis of it.
And your tl/dr analysis conclusion:
>The IP addresses that DHS provided may have been used for an attack by a state actor like Russia. But they don’t appear to provide any association with Russia. They are probably used by a wide range of other malicious actors, especially the 15% of IP addresses that are Tor exit nodes.
> The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.
As for the "Indicators of Compromise (IOCs) associated with RIS cyber actors" that they included with the JAR in two additional files, Wordfence, another security company, had a look at those:
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
Here's a comment from the author, which summarizes their findings:
One guy asks
"Would the DHS refrain from including damning evidence of how the Russians were pinpointed for fear of tipping them off as to how they were discovered?"
And the author replies:
"Yes I'd think so. We don't exactly advertise all of our methods for identifying attacks and turning them into firewall rules. Same situation for DHS/FBI. But one would hope that what they do reveal is at least a little compelling. This data isn't just a non-event - the Ukraine malware connection is just plain weird.
We (Wordfence) do an awesome job for $179 if you need it cleaned. https://www.wordfence.com/wordfence-site-cleanings/
Otherwise if you don't want to pay, this will help: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
I just had a look at one of those sub-pages, Securing your Working Environment. It started off good, until the section on "An alternative way to manage passwords". Two problems:
(1) Using a formula to change a master password for each site does not stop the problem of that attacker discovering your passwords on other sites once he knows your password on one site. The attacker can try such a formula too.
(2) The counter-argument to (1) is that can be deterred by making your formula more complex and keeping the formula secret. But that comes at a usability cost. The only people who are going to try a complex, secret formula are those who are most paranoid about security. The advice does not protect 99.9% of the population.
Themes are licensed under the GPL. There are no legal ramifications to using a "nulled" theme as they are free to be redistributed.
That said, it's not really a good idea. In addition to not supporting the developer, many of these nulled themes contain viruses made to infect your site.
https://www.wordfence.com/blog/2014/11/wordpress-security-nulled-scripts-cryptophp-infection/
https://blog.sucuri.net/2015/05/fake-jquery-scripts-in-nulled-wordpress-pugins.html
http://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/
There are at least a few that either are owned by GoDaddy or that resell their Managed WordPress platform that were also affected.
Hi. Sorry, I only saw this now. Our support team are very active in our free support forums which you can find here: https://wordpress.org/support/plugin/wordfence/
Phil, Tim, Scott and the guys are full-time employees of our company - as opposed to volunteers - and we strive for a high resolve rate in those forums. So post any questions you have there OP and we'll be more than happy to help. If you want the VIP treatment, you can find out how to upgrade to Premium support on www.wordfence.com.
I hope we gain you as a customer, either free or paid. Thanks for tagging me /u/summerchilde !!
Thanks for the contribution
The subreddit rules state we link to the source and not news sites where possible - https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
I will remove this one and replace accordingly
The only safe website is one that isn't online. Every CMS, every server software, everything has its weak points. Don't believe all the people that try to sell you that their proposed solution is bulletproof or hack-resistant. The thing is being smart, no matter what you choose. Security requires paying attention. It requires updating things. It requires treating owning a website as a responsibility and not as this silent thing that "makes money while you sleep". No, you don't have to stay glued to the computer night and day, but you also can't just expect it to take care of itself. If you want to read an article about whether WordPress is secure or not without all the BS, try this
Make sure to update their WordPress plugin, as an SQL injection vulnerability was recently found in their plugin that allows attackers to extract sensitive information from the website's database.
Wordfence has a guide to using their plugin to clean a site available at this link:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
You might also find the malware removal section at https://Wordfence.com/learn helpful.
Cloudflare and Wordfence work well together. Cloudflare is for caching. Wordfence is for security. Cloudflare offers a firewall if I am not mistaken but there are several reasons not to rely on cloud firewalls. You can read more about that here:
https://www.wordfence.com/blog/2017/08/cloud-firewall-vs-endpoint-firewall/
The main thing to remember when using both is to whitelist your server IP and Wordfence's IP address range in Cloudflare. Make sure to select the Cloudflare option ( Use the Cloudflare "CF-Connecting-IP" HTTP header to get a visitor IP...) on the Wordfence Dashboard > Global Options page in the General Wordfence Options section where it says "How does Wordfence get IPs".
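The "How does Wordfence get IPs" setting above only does its job safely when the header is believed from the proxy and from nobody else. The check below is an added example, not code from Wordfence or Cloudflare: it resolves the client IP from a request's peer address and headers, trusting `CF-Connecting-IP` only when the TCP peer falls inside a trusted proxy range. The ranges are constructed placeholders standing in for the proxy's published list, and the header lookup assumes a plain dict of exact header names.

```python
import ipaddress

# Constructed placeholder ranges standing in for the CDN/proxy's published IP list.
# In a real deployment this list is fetched from the provider and kept current.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_trusted_proxy(remote_addr):
    """True when the TCP peer address belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def client_ip(remote_addr, headers):
    """Return the address that blocking and rate limiting should key on.

    CF-Connecting-IP is only honoured when the connection actually arrived via
    a trusted proxy. A visitor connecting straight to the origin can put
    anything in that header, so believing it unconditionally would let them
    impersonate another client or dodge an IP block.
    """
    forwarded = headers.get("CF-Connecting-IP")  # assumes exact-case header keys
    if forwarded and is_trusted_proxy(remote_addr):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(ipaddress.ip_address(remote_addr))


if __name__ == "__main__":
    # Via the proxy: the forwarded address is used.
    print(client_ip("192.0.2.10", {"CF-Connecting-IP": "203.0.113.9"}))
    # Direct hit on the origin with a forged header: the peer address wins.
    print(client_ip("198.51.100.1", {"CF-Connecting-IP": "203.0.113.9"}))
```

This is also why the advice to whitelist the server's own IP and the Wordfence range in Cloudflare matters: those sources are not visitors, and treating their forwarded addresses as client traffic would either block legitimate scans or mis-attribute them.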
I think you are already using the right tool. Get more info on country blocking by Wordfence here:
https://www.wordfence.com/help/blocking/country-blocking/
Personally I don't recommend country blocking for a long period, so you can use it for a temporary period so spammers become hostage, and if you find it successful, un-block it again.
You can also change your setting to double opt-in for the contact form so no fake email ID or spam bot could ever sign up (you will get only genuine users, not a single fake ID).
u/nbloglinks
Or you could follow WordFence and/or Sucuri, who reported this and reported on the existence of the update on Sept 1st/4th.
KEEP YOUR CORE AND PLUGINS UP TO DATE! I really don't get how it's so difficult for folks. I manage over 100 sites and it takes a very tiny part of my day, and saves days/weeks of issues or lost clients.
Watch this: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/
You're better off implementing actual security, rather than obscurity.
Make sure you aren't leaking usernames. Use complex passwords. Use Wordfence. Use Cloudflare. Keep your plugins up to date. That's literally all you need to do.
Start with something like Wordfence plugin - if you have basic sysadmin skills, it's very straightforward. https://www.wordfence.com/
90% of what you need will probably be supported by Wordfence.
Also - if you are using a commercial WP hoster - they usually will take care of the back-end stuff.
That's a point. OP should use vultr's backup feature.
Wordfence has an article about it.
https://www.wordfence.com/help/firewall/optimizing-the-firewall/#hide-userini-nginx
Should consider using Stackpath WAF. It will block a request for that file.
Hi there /u/FederalArugula!
In order to keep this discussion as vendor neutral as possible, I'll keep this really short.
With a quick glance, Loginizer appears to be a more WordPress login-centric security solution, whereas Wordfence is a fully rounded security solution that has features like a firewall, malware scanner, login security and live traffic feed, just to name a few.
Please visit this page for contact info where you can reach out to the Wordfence team directly if you would like more specific information. :)
Ukraine has historically been one of the worst. But we've seen other specific scenarios like IIRC a large cluster of infected home routers in Algeria that were being used as a botnet to target WP sites. So it varies. Ukraine is home to several bulletproof hosts - hosts that let you do anything you want including criminal activity. We've outed several and one of them tried to C&D us recently to take down the research we published, but we just ignored them. Happy to fight it out in court if they decide to do that.
We haven't had any reports of country blocking being resource intensive. The actual library used is incredibly fast - as in 300,000 queries to the BerkeleyDB file per second don't generate significant resource usage.
We have no plans to build a CPanel or WHM plugin. Wordfence runs before any other PHP code executes, so it can protect any vulnerable code. So we're already at the front of the line in the execution path.
The WP security team do a pretty good job. Nothing is at the top of my Xmas list right now. I think many folks including us would like to see code signing at some point. This will protect WP sites if the central plugin repo is compromised. I refer to this as the Barry Doomsday Scenario. Kind of tongue in cheek, but Matt Barry, who is part of our team, actually found a bad vulnerability in the core WP infrastructure a while back, so I came up with that nickname for the case of core WP infrastructure being hacked. It's actually super interesting research because the WP devs had accidentally used a hashing algorithm designed for spacecraft (not terrestrial web applications) which was created by Mark Adler, who used to work for JPL. Well, Mark Adler actually commented on the post, which we thought was pretty cool - to have a rocket scientist weigh in on our WP security research. Matt's research and Mark's comment here: https://www.wordfence.com/blog/2016/11/hacking-27-web-via-wordpress-auto-update/
Yeah sadly you've been hacked :( Bastards.
You'll probably need shell + database access to clean it up. Wordfence have a help page on post hack steps here...
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Post cleanup - install the Wordfence plugin (free version available). But most importantly.... always always always keep WP + plugins + themes regularly patched.... it's the most hacked CMS on the planet!
It's definitely WP GDPR compliance and needs updating to v1.4.3 as a matter of urgency: You can read all about it on the official Wordfence blog...
It was announced today that there was a vulnerability in the GDPR plugin.
Update your plugin, delete the user - you might be ok with just doing that.
I would first install the Wordfence plugin and let that run, then start checking out https://www.wordfence.com/blog/2018/03/cleaning-a-hacked-website/. Good luck!
That's not the same. In bigger environments the only way to change files or to apply a patch is via deployment, everything else is blocked as one action to prevent unknown exploits from working.
But yeah, this should not hinder small sites on shared hosting without composer or access to drush to get automatic updates in my opinion.
The challenge is to have a secure way to do it, and wordpress is not the best example. (https://www.wordfence.com/blog/2016/11/hacking-27-web-via-wordpress-auto-update/)
See also https://www.drupal.org/project/ideas/issues/2940731
It's real. They were mining on my pool. I seized their payouts as soon as I was notified of the wordfence blogpost that this article is based on. https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/?utm_source=list&utm_medium=email&utm_campaign=122017
It seems they since moved along...
The attacks will get more and more sophisticated as more and more wallets and transactions come on-line. Another interesting threat vector is mining malware that takes control of a website and uses resources on that machine for mining - check it out here:
https://www.wordfence.com/blog/2017/10/cryptocurrency-mining-wordpress/
I can see that mining malware could potentially execute a 51% attack but would be interested to hear any feedback on that.
I have downloaded files from the internet from numerous computers in numerous countries, and you don't get consistent download rates. That simply isn't true. Dress it up in whatever technical language you want, but I know what I've seen with my own eyes. Transfer rates vary even when downloading a single file.
Spez: Also, as has been known for months now, the malware used by the CIA to push the fake Russia narrative was actually Ukrainian, not Russian. Which you would have mentioned if you were studying this objectively.
"The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website."
Yeah, Crowdstrike's founder has a real bone to pick with Russia. Independent analysis pretty well shit all over their conclusions using the info provided by DHS.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
OP may be referring to the recent browser bug involving Unicode domains, so the URL and SSL actually looks like it's foo.com because google chrome thinks the site is foo.com because the domain name is the Unicode version xn--foo.com and google displays foo.com.
It was a recent revelation I saw posted on this blog: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
The only decent way around that is with an EV SSL cert, which is expensive but worth it. Otherwise, Let's Encrypt is fine.
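What the browser bug above comes down to is the gap between the Unicode form a user sees and the ASCII "xn--" (Punycode) form the network resolves. The helper below is an added example, not code from the blog post or from any browser: it converts a hostname to its ASCII-compatible form label by label, decodes it back, and flags labels that are non-ASCII or mix scripts (for instance a Cyrillic letter sitting among Latin ones). It relies only on Python's built-in `punycode` codec and `unicodedata`; the script names come from the Unicode character names, which is a simplification of the script property real browsers use.

```python
import unicodedata


def to_ace(domain):
    """Convert each label of a hostname to its ASCII-compatible (ACE) form.

    Pure-ASCII labels are lower-cased; any other label is Punycode-encoded and
    prefixed with 'xn--', which is what DNS actually sees no matter how the
    address bar renders it.
    """
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(labels)


def from_ace(domain):
    """Inverse of to_ace: reveal the Unicode form hidden behind 'xn--' labels."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def label_scripts(label):
    """Set of script names (first word of the Unicode character name) for the letters in a label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def suspicious_labels(domain):
    """Return (label, reason) pairs for labels that deserve a second look.

    Accepts either the Unicode or the 'xn--' form. A label is reported when it
    contains non-ASCII characters at all, and the reason notes whether it also
    mixes scripts, which is the classic homograph pattern.
    """
    findings = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            label = from_ace(label)
        if label.isascii():
            continue
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reason = "mixed scripts: " + ", ".join(sorted(scripts))
        else:
            reason = "non-ASCII characters"
        findings.append((label, reason))
    return findings


if __name__ == "__main__":
    # The look-alike from the head of this thread: LATIN LETTER SMALL CAPITAL G.
    for name in ("\u0262oogle.com", "xn--pple-43d.com", "example.com"):
        print(name, "->", to_ace(name), suspicious_labels(name))
```

Run on the `ɢoogle.com` link mentioned earlier in the thread, `to_ace` yields `xn--oogle-wmc.com`, which is the string worth comparing against the domain you meant to visit; the `network.IDN_show_punycode` preference mentioned above makes Firefox show exactly that form.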
Also, according to cyber-security experts, the fingerprints they left were actually Ukrainian, not Russian:
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.