WordPress Malware (PHP.Trojan.Uploader & Php.Trojan.StopPost)

WordPress as a platform is fantastic, and usually it is fairly secure. However, the plugins you use might be a different story. Some plugins are updated on a weekly basis, and then there are those that are updated monthly, annually, or sometimes never updated again.

One of our clients runs a very active and informative website. The client had refused to do any updates because they were afraid it might “break” something on their website, which is understandable: for those of you who do updates on a daily basis, sometimes it is not a smooth process and you spend more time troubleshooting the update than anything else.

The client was hosted on a shared web server, and our firewall alerted us that the website had been sending a large amount of spam, approximately 200-300 emails per minute. We immediately disabled the website and ran a scan on the entire server.

As it turns out, the website had been compromised via a plugin, and the injected code was using the server’s mail resources to send the spam. Upon further investigation, the server itself had not been compromised, just the client’s website.

Here’s the complete log of what had been infected:

{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/ID3/header.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/images/smilies/options.php.suspected
{HEX}php.base64.v23au.184 : /home/user/web/website.com/public_htmlx/wp-includes/images/wlw/object.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/themes/twentyfourteen/inc/inc.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/uploads/2015/ajax.php.suspected
{HEX}php.cmdshell.unclassed.358 : /home/user/web/website.com/public_htmlx/wp-content/uploads/phpini.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/tinymce-advanced/css/test.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/js/javascript.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/eventON/assets/css/test.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/display-widgets/session.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/inc/core/general.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/shortcodes-ultimate/assets/images/player/view.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory-plugin/vendors/anet_php_sdk/lib/ssl/include.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/business-directory/business-directory-plugin/vendors/anet_php_sdk/tests/AuthorizeNetDPM_Test.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/model.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/google/service/Google_BatchRequest.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/class-api-libs.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/license-manager/samples/sample-theme-functions.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/stop-auto-update/dump.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/search.php.suspected
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/validation/object.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/css.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/module.nextgen_basic_album.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_pagination/view.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/fs/package.module.fs.php
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-content/plugins/seo-image/javascripts/css.php.suspected
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/gallery/gal1/thumbs/ajax.php.suspected
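To triage output like the above quickly, here is an added Python example (my own, not the page’s tooling and not part of the original post) that parses scan lines in this {FAMILY}signature : /path format, separates files the scanner already renamed to .suspected from ones still live on disk, and flags PHP files sitting in directories that should never contain PHP, such as wp-content/uploads. The sample lines are copied from the log above; the list of “no PHP here” directories is my assumption about a stock WordPress layout.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample: a handful of lines copied from the scan log above, in the
# "{FAMILY}signature.name : /path" style that Linux Malware Detect (maldet) uses.
# The ".suspected" suffix is what the hosting scanner appended when it renamed
# (quarantined) a file in place; files without it are still live.
SAMPLE_LOG = """\
{CAV}PHP.Trojan.Uploader : /home/user/web/website.com/public_htmlx/wp-includes/ID3/header.php.suspected
{HEX}php.base64.v23au.184 : /home/user/web/website.com/public_htmlx/wp-includes/images/wlw/object.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/uploads/2015/ajax.php.suspected
{HEX}php.cmdshell.unclassed.358 : /home/user/web/website.com/public_htmlx/wp-content/uploads/phpini.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/plugins/wordpress-seo/vendor/yoast/api-libs/class-api-libs.php
{CAV}Php.Trojan.StopPost : /home/user/web/website.com/public_htmlx/wp-content/gallery/gal1/thumbs/ajax.php.suspected
"""

LINE_RE = re.compile(r"^\{(?P<family>[A-Z0-9]+)\}(?P<sig>\S+)\s*:\s*(?P<path>/\S+)$")

# Assumed: directories under a WordPress docroot that should never hold executable PHP.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/gallery", "wp-includes/images")


def parse_scan_log(text):
    """Turn scan output into dicts: family, signature, path, quarantined (bool)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or scanner chatter
        path = m.group("path")
        quarantined = path.endswith(".suspected")
        records.append({
            "family": m.group("family"),
            "signature": m.group("sig"),
            "path": path[:-len(".suspected")] if quarantined else path,
            "quarantined": quarantined,
        })
    return records


def summarize(records):
    """Hit count per signature, plus the files the scanner did NOT rename (still live)."""
    return {
        "by_signature": dict(Counter(r["signature"] for r in records)),
        "live": [r["path"] for r in records if not r["quarantined"]],
    }


def php_in_forbidden_dirs(records):
    """PHP files in upload/image/gallery directories: a strong backdoor indicator,
    whether or not the scanner already renamed them."""
    hits = []
    for r in records:
        if PurePosixPath(r["path"]).suffix.lower() != ".php":
            continue
        if any(d in r["path"] for d in NO_PHP_DIRS):
            hits.append(r["path"])
    return hits


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_LOG)
    print(summarize(recs))
    print("PHP where it should not be:", php_in_forbidden_dirs(recs))
```

The live list is the first thing to act on: a renamed .php.suspected can no longer be executed by the web server, but a hit without the suffix still can.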

Unfortunately, the best we could do was restore from a previous backup and then update the plugins along with WordPress itself. If you go this route, make sure the backup predates the compromise; otherwise you restore the backdoors along with the site.

Moral of the story: update your plugins, people. And if a plugin is old and no longer maintained, we wouldn’t recommend using it.

Rogers SureTap Wallet Review

Paying by tapping your phone instead of your credit card seems like a great idea. The technology has been around ever since NFC came out, and a few banks have applications that are capable of it. Now Rogers is getting into the banking game. Since they are a telecom, the process should be easy, right? What’s required:

1) NFC-capable phone
2) NFC SIM card
3) An application that ties all this together
4) A card that’s compatible with the application

That is a lot of requirements, not to mention that some phones are NFC-capable but are not supported by the application, which automatically excludes those users. At the time of writing these are the handsets compatible with the Rogers SureTap Wallet app:

Samsung GALAXY Alpha™
Samsung GALAXY Note 4™
Samsung GALAXY Note 3™
Samsung GALAXY Note II™
Samsung GALAXY S4™
Samsung GALAXY S III™
Samsung GALAXY S5™
HTC One™
HTC One (M8)
LG G3
LG G Flex
LG G2
LG Optimus G
BlackBerry® Z10
Sony Xperia® Z3
BlackBerry® Z3
Samsung Core LTE
BlackBerry® Z30
BlackBerry® Q10

I went to the Rogers store and picked up an NFC SIM card listed at $9.99+tax at the time of purchase. Rogers (over the phone) was offering free NFC SIM cards, however I wanted a nano SIM card and I had a feeling, because I was testing it with a Z10, that Rogers would mail me a micro SIM card instead.

Swapping the current nano SIM card for the NFC nano card was fairly easy on Rogers.com My Account. The change was instant; it took less than 2-3 minutes.

Next was to download the application. Since I was using a BlackBerry Z10, I went to BlackBerry World and downloaded Rogers SureTap Wallet. I registered, and apparently during the registration process additional information is burned onto the NFC SIM card. The process was easy and I had my Rogers SureTap Wallet successfully installed. The security involved is a 4-digit PIN requirement along with two security questions.

Now to add a card. At the time of posting, Rogers was offering their branded Rogers MasterCard with additional credit included. I added the card, and this process did take a while for the card to be downloaded (approximately 2 hours). Once that was done I was set. Time to test.

Here’s the list of merchants where it successfully worked:

  • Metro
  • McDonald’s
  • Tim Hortons
  • Pizza Pizza
  • Harvey’s
  • LCBO

The list of merchants that did not accept SureTap (they seem to accept only swipe or chip insertion):

  • Target
  • Walmart
  • Wendy’s

How to get SureTap to work:

When the merchant tells you the total and asks how you are paying, simply say MasterCard. The merchant will usually tell you “go ahead when ready”. On your phone, open the SureTap Wallet app, type in your 4-digit password, click on your Rogers MasterCard and click Pay Now. Place your handset over the terminal (rest it on top of it if you can). Wait for the “beep”, and leave it there for an additional 2-3 seconds. That’s it. The coined term “TAP” does not work; I found that the transaction would initiate, but then time out after the beep.

Please note that I had the application pre-loaded each time with my 4-digit code already entered; the only step left was to click Pay Now. I found that on the Z10 it took a while to do it from scratch, and one merchant’s cash register actually timed out while I was trying to load the application. For foolproof use, load it ahead of time while the merchant is scanning the merchandise.

Security:

The most common scenario is that people will end up switching phones, or wiping the phone clean (formatting it). What happens to the SureTap Wallet then? Also, what if I wanted to run SureTap from a backup; was it possible? Here we go.

First test: I backed up my Z10, grabbed my BlackBerry Passport and tried to restore SureTap Wallet to it. Keep in mind that the Passport is not on the accepted list of phones. The restore was successful, however the application would get stuck on the splash screen. SureTap wins this one.

Next, I wiped the Z10 clean and performed a restore of just the SureTap Wallet application. When I loaded the application I received strange errors, that the proper SIM card wasn’t inserted, etc. SureTap wins this round as well.

Next, I wiped the Z10 one more time and freshly installed the SureTap Wallet application. It asked me for my 4-digit password. I entered it, and all of a sudden it presented me with the first security question (please note that you are only asked for the 4-digit code when you set up) that I had created a month ago. The odd part was that I had actually forgotten the answer. Not to mention that the responses were case sensitive. I got my first response wrong, and then I was presented with the second security question. Needless to say, I typed that one wrong as well. The application locked me out. SureTap wins. I was asked to call Rogers for them to unlock the application.

I phoned Rogers, and the rep unlocked it. A temporary 4-digit password was sent. However, here’s the kicker: when I entered the temporary 4-digit password, it said that the code was wrong. I typed in my own 4-digit code and it was accepted. Strange. First flaw in the SureTap system. What would happen if I forgot my 4-digit password?

Next, I had to guess whether my 2 security words were case sensitive or not. I got the first security question wrong; the second one “I think” I got right, however I got stuck on verification for a good 20 minutes. The verification eventually timed out and booted me back to my 4-digit password. After I typed in my 4-digit password, I managed to guess my first security word. The security verification passed and it went to a screen that I hadn’t seen as of yet:

[Screenshot: “Updating Rogers SureTap Wallet”]

However, after about 5-10 seconds I receive the screen below (tested with LTE, 3G, EDGE and WiFi):

[Screenshot: Rogers SureTap Wallet “Try Again” error]

After you click on “Try Again”, it takes you back to your 4-digit password. The process cycles in a never-ending loop. I tried reinstalling the application and reloading the operating system. Nothing worked.

I reached out on Twitter to @RogersHelps (really helpful staff at Rogers). The rep refreshed my account and tried a few things, however nothing really changed. The issue was escalated and could take 10 days to fix.

Final Words (Review):

Rogers SureTap Wallet seems to work, though I do find it slow on my Z10 (hence I had to have it pre-loaded while the cashier scans the products). I found it NOT to be a TAP solution, more like a HOLD-and-WAIT-to-pay solution.

Word of warning: there doesn’t seem to be any contingency plan if you forget your 4-digit number. The temporary 4-digit number that Rogers sent via text never worked. And according to the SureTap Rogers rep, if you forget the two security words completely it is a pain to recover. I personally think that you are SOL if you forget the two security words. Kiss your wallet goodbye.

I’m curious how they will fix my problem; I have the 4-digit password and the security words. It seems to me that there might be an additional layer of security that has blacklisted my SIM card or my IMEI. Unfortunately, I don’t have another approved device to test whether the situation would change with a different IMEI.

I have to wait 10 days for them to fix the issue. When you think about it, 10 days is unacceptable, especially when money/paying is involved. I will keep you updated if my wallet gets sorted.

UPDATE (January 14, 2015): Nothing from Rogers yet. However, I did mess around with the application a bit more. My intention was to lock myself out on purpose and give Rogers a call. I entered wrong responses and got locked out, but I was able to get back into the application each time. Please note that at the original lock-out I was not able to get back into the application; this time around I can get back in each time. I didn’t want to mess with my 4-digit number though; that might be next if Rogers doesn’t solve this issue.

UPDATE (January 22, 2015): I called the Rogers SureTap Wallet phone number, 1-855-640-7914. The rep I got told me that they no longer have access to accounts as of Monday, and that the back office team is working on the issues. My ticket has also not been viewed yet. Therefore, who knows how long until I see my SureTap Wallet again.

Please note that I did try to access SureTap Wallet and the connection kept timing out. I got a new Java error which I’ll post later.

UPDATE (March 2, 2016): Rogers has officially decided to pull the plug on SureTap as of April 30, 2016. If you have funds, try to spend them or request a refund: https://suretap.com/refund/

It was a very promising project that failed at launch. Too many different handsets, and every handset had some sort of “app” issue. It’s a shame. RIP Rogers SureTap.

Spam Links showing up in WordPress

I was contacted by a client who had experienced odd links / advertisements showing up in his WordPress setup. Furthermore, emails from his Contact Us form were bouncing back. The client has a dedicated server with 5 IP addresses. The other websites were not experiencing any issues, nor were the other 4 IP addresses, so the odds were that his entire server had not been compromised.

Upon examining the infected website, it appeared that the majority of the links traced back to http://www.genericstts.com. Some of the keywords used in the link text were: Play Craps Online, Play Bingo Online, and Meilleurs Casino en ligne.

This was a multi-part task: first we needed to find out why his dedicated server’s IP had been blacklisted, and second, we needed to find out what was causing these links / advertisements.

There was absolutely no point in trying to get his IP address de-listed before solving the website’s spam problem; it would only have been listed again.

The obvious first step was to find out whether a plugin or theme was causing this, or whether WordPress itself had been compromised. After narrowing it down, it appeared that a plugin was compromised.

This is where you need to make a decision: do you wipe the entire system, delete just the plugin, or trace the issue and try to eliminate the malware manually, keeping the plugin and the website intact? It all depends on how much information you have stored in your WordPress setup, how much time you want to spend, or how much money you want to pay for someone else to spend the time narrowing down the problem. The client wanted the issue traced. According to Fox-IT, the proper solution would be to remove the affected user and wipe the system.

Now you can try installing ClamAV or maldet to see if it will find and remove the malware for you, or you can try to find the issue manually.

I did it manually. Since I knew which plugin was infected, I looked at each file by hand. As it turns out, it was a .PNG file that was infected, and it had dropped itself in two different spots. After getting rid of the two .PNG files, I also made sure those two directories were no longer writable.

After getting rid of the malware, I went to get the blacklisted IP de-listed.

All was back to normal.

If you require any sort of malware removal on your dedicated server (or shared) CONTACT US

 

Sirefef – Microsoft, Feds Disrupt ZeroAccess Botnet

Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible.

This is a very dangerous bot that surfaced on peer-to-peer networks. What it would do is basically hijack your web browser and direct you to infected websites, which would attempt to install further malware on your computer. If successful, the infected computers can be used for various purposes: the scammers could steal personal information or fraudulently charge businesses for online advertisement clicks (click fraud). Criminals have also disguised ZeroAccess as legitimate software, tricking people into downloading it.

The Redmond company, in conjunction with Internet Service Providers and other entities in control of the relevant Internet domains and IP addresses, asked that access to the botnet be disabled and that any content and material associated with it be preserved to help with Microsoft’s case.

Sirefef infected nearly 2 million computers all over the world and cost online advertisers more than $2.7 million each month.

Rogers down for 3 hours due to software glitch

Rogers Wireless has approximately 9.42 million wireless customers, and all of them were down between 6:00 PM and 10:30 PM. The most interesting part is that voice and SMS were down, however data was up and running.

The apparent software glitch was due to heavy traffic that was not handled properly by the switching system, causing a major crash. There have been no specific reports of how the software works and what it has to do with the switches. The assumption is that there is a two-way system, where one channel carries voice and the other carries signalling between the towers, so that when you are driving it makes sure you are handed over to the nearest tower. Allegedly that is what failed, which caused the primary system to run into a loop.

There has been a firm denial that hacking was involved in taking down the system.

The current result and resolution is an update of the software being used (fixing the hole), and a one-day service credit for all postpaid subscribers (if you are paying $30 monthly, you would get a $1 discount on your next bill).

The most disturbing factor in all of this is that 911 was not functioning. Interestingly, Rogers recommends that users have a land line if they need to make 911 calls. Who has a land line anymore?

PRO TIP: If your provider is ever down, take out your SIM card, reboot the phone and let the phone roam on any available network to make that important 911 call. Hopefully you can do all of these steps while in an emergency situation. Or get a Bell land line.

Blacklist for stolen phones in effect (Canada’s first)

The Canadian cell phone “blacklist” database was created a while ago, but it was never implemented by any of the Canadian telecoms. Needless to say, the technology has been used in various countries such as the U.S. and U.K.

BlackBerry, if you recall, had been using this technology in their own ecosystem for many years. What they would do is disable core services such as BBM and email, so you were only able to use anything that wasn’t a BlackBerry service. They did this particularly with demo models, and stolen BlackBerrys were included in the database as well.

Why did all the telecoms agree to share the current database? It is possibly due to the rise in robberies in the Greater Toronto Area, particularly of Rogers stores, that there was a consensus to kick-start the database.

What’s included in the database?

The IMEI, which every handset has. You can check your IMEI by dialling *#06#.

Therefore, if you are planning on purchasing a used or new handset, you can now check online whether it has been “blacklisted”.

If you are unable to go online to check the IMEI, the easiest way to check is to pop in a SIM from a carrier matching the cell phone. If you are unable to make a phone call, chances are the cell phone has been blacklisted.
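Before querying a blacklist, it is worth checking that the 15 digits copied from the *#06# screen are even a well-formed IMEI, since the last digit is a Luhn check digit computed over the first 14 (the 8-digit TAC plus the 6-digit serial). Here is an added Python example (mine, not from the original post or from any carrier database) that normalizes the typed string, recomputes the check digit and splits out the fields; the sample IMEI is a widely published test value, not a real device.

```python
import re

IMEI_RE = re.compile(r"^\d{15}$")

# Constructed sample: a widely published example IMEI, not a real handset.
SAMPLE_IMEI = "490154203237518"


def normalize_imei(raw):
    """Strip spaces, dashes and dots that people add when copying the *#06# output."""
    return re.sub(r"[\s\-.]", "", raw)


def luhn_check_digit(body):
    """Check digit for a 14-digit IMEI body (TAC + serial) under the Luhn algorithm."""
    if not re.fullmatch(r"\d{14}", body):
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    # Walk right to left. The check digit would sit to the right of the body, so
    # the body's rightmost digit is the first one that gets doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(raw):
    """True only for 15 digits whose last digit matches the Luhn check digit.
    Catches single-digit typos and almost all adjacent transpositions."""
    imei = normalize_imei(raw)
    if not IMEI_RE.match(imei):
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(raw):
    """Break a valid IMEI into TAC, serial and check digit for a lookup."""
    imei = normalize_imei(raw)
    if not is_valid_imei(imei):
        raise ValueError("not a well-formed IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


if __name__ == "__main__":
    print(is_valid_imei(SAMPLE_IMEI), split_imei(SAMPLE_IMEI))
```

A valid check digit says nothing about whether the device is stolen; it only tells you the number is worth sending to the database rather than a mistyped one.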

UPDATE: It’s important to note that the database DOES NOT include any phones stolen prior to September 30, 2013.

iMessage for Android


[Screenshot: iMessage for Android app description]

There was no word about it anywhere; iSheep followers were stunned. What happened, you ask? iMessage for Android was released by Apple. Wait, no, it wasn’t by Apple, it was by a guy named Daniel Zweigart (alias?). What he did is pretty remarkable. He took what I can only assume is proprietary code, rewrote it, created his own server (in China, of course), created valid handshakes, and got iMessage to function with individual Apple logins. Pretty impressive. The only problem is, your messages are flowing back and forth through a server located in China, and so is your Apple login information.

How does it look aesthetically? Well, it’s remarkably familiar to those who have used iOS before:

[Screenshot: the iMessage for Android interface]

Thus far the reviews have been either fantastic or awful within the Android community:

[Screenshot: iMessage for Android reviews]

If you have used the application, I would suggest resetting your Apple password; I would even go as far as to say remove the application from your handset.

How long the application will stay on the Google Play Store is difficult to say. I’m actually shocked it’s still there.

[Screenshot: iMessage for Android]

UPDATE: As of 6:00 PM (EST) the app is no longer available on the Google Play Store.

Facebook wall post exploit

I’m sure everyone by now has read or heard about the wall post exploit, where a Palestinian security researcher (Khalil Shreateh) posted on Mark Zuckerberg‘s wall without being his friend. The exploit has been patched, however below you will see how easily it was executed. Is your information safe?

What this exploit is about
When you write a new status on Facebook, the target of the post defaults to your own profile. By changing a single hidden form value, you were able to post on any wall you wanted. This is a classic missing authorization check: the server trusted the client-supplied target ID instead of verifying that the poster was allowed to write on that wall.

Step 1
Open Facebook, write a status message but don’t submit it.

Step 2
Open the profile you wish to make a post on, and copy the username, or ID, right after the facebook.com part. Example:

http://www.facebook.com/zuck
Copy zuck and put it after this URL: http://graph.facebook.com/

http://www.facebook.com/zuck -> http://graph.facebook.com/zuck

Step 3
Go back to your Facebook status, open Chrome Developer Tools (F12) or Inspect Element (Firefox), and click on the status.

Step 4
Scroll up until you find an input tag with its name set to “xhpc_targetid”. It looks like this:

<input type="hidden" autocomplete="off" name="xhpc_targetid" value="12345">

Step 5
Go back to the graph.facebook.com tab you opened before, and copy the ID.

In this case, the ID would be 4.

Step 6
Go back to your Facebook status, and replace the value="xxx" (from step 4) with the new ID. Example:

<input type="hidden" autocomplete="off" name="xhpc_targetid" value="12345">

changed to:

<input type="hidden" autocomplete="off" name="xhpc_targetid" value="4">

Once that is done, all you need to do now is press “Post”. Your post will now be posted on the target’s Facebook wall!
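The fix is the ordinary one for any insecure direct object reference: the server must decide from the session who is posting and from its own data whether that account may post on the requested wall, never from a hidden field the browser can edit. As an added example (not Facebook’s code, and not from the source post), here is the flow above as a small Python model: a service that trusts the hidden xhpc_targetid field, beside one that performs the check. The user IDs, the friendship table and the xhpc_message field name are made up for the demonstration; only xhpc_targetid and the ID 4 come from the write-up.

```python
from dataclasses import dataclass, field


@dataclass
class Wall:
    owner: int
    posts: list = field(default_factory=list)


class VulnerableWallService:
    """Mirrors the bug: the post target is taken straight from the hidden form field."""

    def __init__(self, walls):
        self.walls = walls

    def post_status(self, session_user, form):
        target = int(form["xhpc_targetid"])  # attacker-controlled
        self.walls[target].posts.append((session_user, form["xhpc_message"]))
        return target


class HardenedWallService:
    """Same form, but the server decides from its own records whether the
    session user may write on the requested wall. The friendship table is an
    assumed stand-in for whatever privacy rules a real site applies."""

    def __init__(self, walls, friendships):
        self.walls = walls
        self.friendships = {frozenset(pair) for pair in friendships}

    def can_post(self, actor, target):
        return actor == target or frozenset((actor, target)) in self.friendships

    def post_status(self, session_user, form):
        # Default to the session user's own wall; never trust the field blindly.
        target = int(form.get("xhpc_targetid", session_user))
        if target not in self.walls:
            raise LookupError(f"no wall {target}")
        if not self.can_post(session_user, target):
            # Fail closed; log the attempt server-side, say nothing more to the client.
            raise PermissionError(f"user {session_user} may not post on wall {target}")
        self.walls[target].posts.append((session_user, form["xhpc_message"]))
        return target


def demo():
    """Replay the scenario against both services.
    Returns (vulnerable_post_landed, hardened_blocked_stranger, hardened_allowed_friend)."""
    attacker, zuck, friend = 12345, 4, 777  # assumed IDs; 4 is the one from the write-up
    tampered = {"xhpc_targetid": "4", "xhpc_message": "hello from a stranger"}

    walls = {zuck: Wall(owner=zuck), attacker: Wall(owner=attacker)}
    vuln = VulnerableWallService(walls)
    landed = vuln.post_status(attacker, tampered) == zuck and len(walls[zuck].posts) == 1

    walls = {zuck: Wall(owner=zuck), attacker: Wall(owner=attacker), friend: Wall(owner=friend)}
    hard = HardenedWallService(walls, friendships=[(zuck, friend)])
    try:
        hard.post_status(attacker, tampered)
        blocked = False
    except PermissionError:
        blocked = True
    friend_ok = hard.post_status(friend, tampered) == zuck and len(walls[zuck].posts) == 1
    return landed, blocked, friend_ok


if __name__ == "__main__":
    print(demo())
```

The hidden field can stay in the form for convenience; what changes is that its value is treated as a request to be authorized, not as a fact.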

Source: http://khalil-sh.blogspot.co.uk/p/facebook_16.html