Watch out and Warning: Malicious WordPress Redirect Campaign Attacking Plugins
#1
I've come across at least two instances of WordPress plugin attacks at another hosting forum that fortunately were picked up by our server security filters and led to instant suspension of the sites.  Otherwise it may have led to warnings to our datacentre and possible blacklisting of our IP.  Then today I found a really great blog article from WordFence that explains what must have happened.  WordFence, a WordPress security specialist, has identified and is tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities.  The one I came across at the other hosting forum was Contact Form 7, for example.  Those attacks maliciously redirect traffic from the victims' sites to a number of potentially harmful locations.  It's a really sad situation for users who used to be able to run WordPress sites in reasonable safety.  It's no longer safe to have a WordPress site UNLESS you know what you are doing, are completely up to date with every plugin and theme in your site, and have proper security tools such as WordFence as part of your site.

You can read more in the WordFence blog article at the URL below:
https://www.wordfence.com/blog/2019/08/m...l-plugins/

The interesting part of the article is the behaviour analysis of the exploits.  The attackers rotate their domains frequently, with new domains appearing every few days, and attacks involving older domains taper off.  The examples given in the article are just the examples WordFence has been tracking.  I could probably provide WordFence with more examples, although I'm a bit too exhausted to do that.  For me, however, the sophistication with which WordPress is being manipulated is so complex and threatening that I'm definitely going to think of new ways to publish blogs.  I still have to start with this.  OR one should only use VERY reliable plugins that are regularly updated and tested, and as few as possible.  And of course have WordFence as a plugin as well.

Another interesting fact that came out for me during an experience with Contabo was that these guys are masters at manipulating IPs from different servers.  Like with the old IP I had at Contabo, even with me being the owner, there were four other active domains registered with my IP number as active websites; Namecheap was the registrar.  So basically if they had been used as part of the attack, then blacklisting systems would have immediately connected them up with the Contabo IP and those domains as being situated on the VPS, which they had not been, and I don't have a real idea how that came about.

Maybe it's as simple as this: when a registrar allows a person to add name servers to a domain, there is no real authentication to make sure that the name servers point to a legitimate site.  They can really point anywhere, including the victim's site that the attackers have managed to infiltrate.  So maybe some of this is the fault of domain registrars?  They have domains listed with IPs that aren't really associated with the domains.  Possibly there should be a new system created where, if one adds one's name servers, there needs to be a verification of exactly what IP is associated with the name server to make sure it's not being used by rogue malicious attackers.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
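The post above describes the campaign's symptom (injected redirects to rotating attacker domains) but not how to find it on a site. The following is an added example, not code from the post or from WordFence: a small scanner that walks a WordPress tree (or an export of wp_posts/wp_options rows) and flags foreign script sources, JavaScript location assignments, meta refreshes and eval() over encoded payloads. The allowlist of hosts, the file names and all sample contents are constructed for the example (the .test domains are reserved and not real campaign domains).

```python
import re
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from or redirects to.
# Assumption: edit this for your own site before running it for real.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Forms a redirect injection usually takes: a foreign <script src>, a JS
# location assignment, a <meta refresh>, or eval() over an encoded payload.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
JS_REDIRECT = re.compile(
    r"(?:window|document|top)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*['\"]refresh['\"][^>]*url\s*=\s*([^'\"\s>]+)", re.I)
OBFUSCATED_EVAL = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|atob|unescape|String\.fromCharCode)", re.I)


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def scan_text(name, text, allowed=ALLOWED_HOSTS):
    """Return (name, kind, host) findings for one file or database row."""
    findings = []
    checks = ((SCRIPT_SRC, "external-script"),
              (JS_REDIRECT, "js-redirect"),
              (META_REFRESH, "meta-refresh"))
    for pattern, kind in checks:
        for m in pattern.finditer(text):
            host = host_of(m.group(1))
            if host and host not in allowed:
                findings.append((name, kind, host))
    if OBFUSCATED_EVAL.search(text):
        findings.append((name, "obfuscated-eval", ""))
    return findings


def scan_tree(root, allowed=ALLOWED_HOSTS, exts=(".php", ".js", ".html", ".htm")):
    """Walk a WordPress install on disk (theme and plugin files are where the
    campaign writes its script tags) and scan every file with a web extension."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(str(path), text, allowed))
    return findings


def suspect_hosts(findings):
    """Count foreign hosts across findings. Hosts that recur across many files
    are the campaign's current domains and the ones worth blocking."""
    return Counter(host for _, _, host in findings if host)


# Constructed sample inputs (not real files from the campaign): one clean theme
# file, two injected ones and one obfuscated PHP dropper.
SAMPLE_FILES = {
    "header.php": '<script type="text/javascript" '
                  'src="https://www.example.com/wp-includes/js/jquery.js"></script>',
    "footer.php": "<?php wp_footer(); ?>\n"
                  "<script src='//cdn.bad-example.test/stat.js'></script>",
    "wp_options:widget_text":
        "<script>window.location='http://redirect.bad-example.test/go';</script>"
        '<meta http-equiv="refresh" content="0;url=http://redirect.bad-example.test/">',
    "wp-includes/x.php": "<?php eval(base64_decode('aGVsbG8='));",
}


def scan_samples():
    """Run the scanner over the constructed samples."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
    print(suspect_hosts(scan_samples()))
```

Point `scan_tree()` at the document root after dumping wp_posts.post_content and wp_options.option_value to files as well, because this campaign also writes into the database, not only into theme files. The regexes only catch the common shapes; an attacker can hide a redirect behind `location.replace()` or string concatenation, so treat a clean run as "nothing obvious", and compare the site against a known-good copy rather than relying on pattern matching alone.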
#2
What a sad experience.
WordPress is the most famous and most used CMS on the web, yet it is still not very secure. Malicious plugins are an issue that has affected WP since the first releases. There isn't much security over plugin deployment; for example, on Google Play or the App Store an app must be validated before becoming publicly available.
Themes are also dangerous: most themes are pay-to-use and are deployed directly from the author's site, and WP doesn't have any control over them.
So who can you trust? Answer: nobody. You could read and analyze the source of the add-on, but it needs a lot of time.
When I use WP I feel a bit lost; browsing the plugin section you will always find "Not tested with your version" or HIGH STARRED plugins that make no sense.
So after experiencing problems like this I think that WP plugin management is very lacking and should be reported.
There are a lot of alternative tools to create blogs, such as Drupal, Joomla... they are all seen as "not as well supported (by devs) and not provided with as many plugins as WordPress", but I think that if WP plugin security is so lacking, the advantage of WP over Drupal, Joomla and others is now fading away.

Regarding your domain experience, I only know people that use Cloudflare as registrar and no one has reported an issue like yours. Maybe a shortcoming on Namecheap's side?
Thanks to Post4VPS and Bladenode for VPS 14
#3
(08-23-2019, 10:34 PM)LightDestory Wrote: Regarding your domain experience, I only know people that use Cloudflare as registrar and no one has reported an issue like yours. Maybe a shortcoming on Namecheap's side?
At one point in my research about those four domains with my Contabo VPS IP, I landed on complaints against Namecheap and GoDaddy about the DNS issue.

I just Googled again (couldn't find my previous research), but did find these interesting articles by Sucuri and Cisco about manipulation/exploitation of changing IPs, and how it provides opportunities to be used by miscreants.
https://blog.sucuri.net/2016/07/fake-fre...sites.html

https://umbrella.cisco.com/blog/2013/04/...s-domains/
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#4
@LightDestory: I agree that it was a very bitter experience. This is not quite what's expected of WordPress. As you said, it is the most famous CMS, as it powers 33% of the public internet.

It's also my personal favorite plugin. Many of my websites were based on it. However, the way WordPress is written makes it vulnerable. WordPress is written very poorly, with a lot of security holes. Most of the free themes and plugins are nothing but backdoors to get access to your website. The worst part of this is that WordPress themselves don't have any control over it, since it's directly listed from the publisher's website.

Previously, a lot of complaints have come in to the Feedback section of WordPress, but they do not seem much bothered about it. This is an issue (other than the high server load WordPress causes) due to which we at HelioHost recommend our users not to use WordPress.  WordPress is the cause of many accounts being frequently suspended at HelioHost.

Talking about alternatives to WordPress, there are a lot of them, namely Joomla, Drupal, etc. However, the interface that WordPress provides is way better than other CMSes. I hope @deanhills you'll agree with me, because I find your own blog is powered by WordPress. As @LightDestory said, if something's not done to prevent these security holes, WordPress' superiority over other CMSes might fade.

As far as the domain issue is concerned, I agree with your suggestion of the verification of nameservers, which is exactly what's done in eu.org, to ensure the authenticity of that IP.

Regards,
Sayan Bhattacharyya,

Heartiest thanks to Post4VPS and Virmach for my wonderful VPS 9!
#5
The problem is we can't ditch WordPress these days. What we can do is try to make sure our sites are up to date and secure. Sometimes developers abandon themes after a while, and using these types of themes is a security risk, not just plugins. Also, I rarely use brand new themes. WordFence is a pretty good plugin; Jetpack also now provides some security.

~ Be yourself everybody else is taken ~
#6
This is why I like to keep system files on their own partition and mount /tmp and other mount points where that is doable as nodev,noexec,nosuid, in the hope that it mitigates some attacks at least.

Also, updating regularly and using themes and plugins under active development is a must nowadays. You will have to remain proactive even after that.

Also I think it is not very fruitful to point at the guys at WordPress. I am sure they are doing their best. But code bases and projects have become vast nowadays, and vulnerabilities are bound to crop up more before everyone starts using some kind of provably safe code (like they do in many real-time mission-critical systems), but then that will hamper creativity and collaboration.

We need to remember that these projects are run by many people together and at various levels, so we will have to be tolerant.

Be proactive. Maybe use a better firewall. If it handles sensitive data then maybe you should do it yourself or hire people.

No point blaming or ditching them; they have their uses.
Sincere Thanks to VirMach for my VPS9. Also many thanks to Shadow Hosting and cubedata for the experiences I had with their VPSs.
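The post above recommends mounting /tmp and similar writable locations with nodev,noexec,nosuid. The following is an added example, not code from the post: it parses /proc/mounts-style lines, reports which of the three options are missing on the mount points a dropped webshell typically writes to, and emits a suggested fstab line. The mount table is constructed for the example (it is not from a real host), and the tmpfs size in the fstab line is an assumption to tune per host.

```python
import os

# Hardening options the post recommends for writable, world-shared filesystems.
REQUIRED = {"nodev", "noexec", "nosuid"}
# Mount points a dropper or webshell typically writes to before executing.
CHECK_POINTS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed /proc/mounts content (not from a real host): /tmp lacks noexec,
# /var/tmp is a plain partition, /dev/shm is fully hardened.
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=1048576k 0 0
/dev/vda2 /var/tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Map mount point -> {device, fstype, options} from /proc/mounts format.
    Spaces in paths are escaped there as \\040, so unescape them."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, point, fstype, opts = parts[:4]
        mounts[point.replace("\\040", " ")] = {
            "device": device,
            "fstype": fstype,
            "options": set(opts.split(",")),
        }
    return mounts


def audit(mounts, points=CHECK_POINTS, required=REQUIRED):
    """For each checked path return the sorted list of missing options, or
    None when the path is not its own mount: it then inherits the parent
    filesystem's options, usually plain rw on /, which is the weakest case."""
    report = {}
    for point in points:
        entry = mounts.get(point)
        report[point] = None if entry is None else sorted(required - entry["options"])
    return report


def fstab_line(point, fstype="tmpfs", size="512m"):
    """Suggested /etc/fstab entry for a hardened mount; size is an assumption."""
    opts = "defaults," + ",".join(sorted(REQUIRED))
    if fstype == "tmpfs":
        opts += f",size={size}"
    return f"{fstype} {point} {fstype} {opts} 0 0"


def audit_host(path="/proc/mounts"):
    """Audit the running host; fall back to the constructed sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS
    return audit(parse_mounts(text))


if __name__ == "__main__":
    for point, missing in audit_host().items():
        if missing is None:
            print(f"{point}: not a separate mount, suggest: {fstab_line(point)}")
        elif missing:
            print(f"{point}: missing {','.join(missing)}")
        else:
            print(f"{point}: ok")
```

Two caveats a practitioner should keep in mind. First, noexec stops a dropped ELF binary from being executed directly, but not `php /tmp/x.php` or `sh /tmp/x.sh`, where the interpreter does the work; so, as the post says, it mitigates some attacks rather than all of them. Second, some package post-install scripts and build tools expect an executable /tmp, so test the change on a staging host before putting it in /etc/fstab.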
#7
(08-25-2019, 08:07 PM)rudra Wrote:  Also I think it is not very fruitful to point at the guys at WordPress.

True. Hopefully you didn't get to that conclusion from my post. Having a WordPress site, however, puts greater responsibility on the person to tread very carefully. Like it isn't a luxury any longer to have your theme and plugins up to date. You can't take chances any longer, as there are focused and active attacks on them alive and doing very well on the Internet; they work in bots, are fast and furious and more unstoppable than ever before. That is what the warning is about. Don't use an old theme. Check your theme regularly. Don't have an old plugin that you are no longer using in your WordPress site. Check your plugins regularly, only keep the ones you are using, make sure they are kept up to date by the author by checking the comments and WordPress feedback about how long it has been since the plugin was maintained, and make sure the plugin is always up to date.

Thing is, those attacks are not mildly bad, like catching a cold and getting a rap on the knuckles, but SUPER BAD, as all of those fancy anti-spam places that like to blacklist spammers then get to target the site of someone innocent who got caught by the bad guys. They get their hosting account suspended and IPs blacklisted. Like everything is interrelated. Once a datacenter has received a complaint about your WordPress site causing other sites to be attacked, you're already listed on blacklists and anti-spam lists everywhere. And as soon as you start to try and sort this out, those bad guys have already left and are already working on another poor victim with the same issue, doing their bad act.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#8
Redirect campaign? It sounds like it is used for advertising, marketing and that kind of thing. To avoid this, make sure you know what plugins you install, always try to use the latest version, and avoid nulled or cracked plugins. You can also block the domains and IPs that are listed in the article.
humanpuff69@FPAX:~$ Thanks To Shadow Hosting And Post4VPS for VPS 5