Tag Archive for Wordpress

GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world’s largest domain name registrar, disclosed that it had been hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. This breach impacts up to 1.2 million GoDaddy WordPress customers. That figure does not include the customers of the affected websites themselves.

The company posted, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

GoDaddy resellers also compromised

On Tuesday (11/23/2021), GoDaddy confirmed that some of their resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the SEC report filed by the Scottsdale, AZ-based firm, the attacker gained access via a compromised password on September 6, 2021. The attacker was discovered on November 17, 2021, when the attacker’s access was revoked. The attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

What happened at GoDaddy?

Several sites are reporting that GoDaddy stored sFTP (Secure FTP) credentials in a form from which the plaintext passwords could be retrieved, rather than storing salted hashes of those passwords or offering public-key authentication, which is industry best practice. That decision handed the attacker working passwords directly, with no cracking required. According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
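
Storing a retrievable credential versus storing a salted hash, as an added illustration in PHP. This is not GoDaddy’s code: the user name and password are constructed sample values, and PHP’s built-in password_hash()/password_verify() (bcrypt with a random salt) stand in for whatever GoDaddy’s provisioning system actually used.

```php
<?php
// Added example (not GoDaddy's code): the difference between storing a
// credential so its plaintext can be read back and storing a salted hash.
// password_hash() generates a random salt and uses bcrypt by default;
// password_verify() recomputes the hash from the candidate password.

// Constructed sample credential for the demonstration.
const SAMPLE_USER     = 'wp_user_example';
const SAMPLE_PASSWORD = 'correct horse battery staple';

// The pattern the reports describe: a record from which the plaintext can
// be read back. Anyone who reads this record has the password immediately.
function store_plaintext(string $user, string $password): array {
    return ['user' => $user, 'password' => $password];
}

// Recommended pattern: keep only a salted hash. A leaked record yields a
// hash that must be cracked offline, not a usable password.
function store_hashed(string $user, string $password): array {
    return [
        'user'          => $user,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Verify a login attempt against a hashed record.
function verify_login(array $record, string $candidate): bool {
    return password_verify($candidate, $record['password_hash']);
}

$leaked_plain  = store_plaintext(SAMPLE_USER, SAMPLE_PASSWORD);
$leaked_hashed = store_hashed(SAMPLE_USER, SAMPLE_PASSWORD);

// An attacker reading the first record gets the password outright.
echo "plaintext record exposes: {$leaked_plain['password']}\n";

// The second record exposes only a salted bcrypt hash of the form "$2y$10$...".
echo "hashed record exposes:    {$leaked_hashed['password_hash']}\n";

// The service can still authenticate the legitimate user from the hash,
// while a guess fails; neither call needs the plaintext on disk.
var_dump(verify_login($leaked_hashed, SAMPLE_PASSWORD));
var_dump(verify_login($leaked_hashed, 'wrong password'));
```

Run it with `php store.php`: the first echo prints the password itself, the second prints only a bcrypt string, and the two var_dump() calls show true and then false. Public-key authentication for sFTP goes one step further, since the server then stores only a public key and never holds any password-equivalent at all.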

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attackers had unrestricted access to these systems for over two months. During that time, they could have:

  • Taken over these sites by uploading malware or adding a malicious administrative user. Either one gives them persistence and control of the site even after the passwords are changed.
  • Accessed sensitive information, including website customers’ PII (personally identifiable information) stored in the impacted sites’ databases.
  • In some cases, used the exposed SSL private key to set up a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.
  • Used the exposed email addresses and customer numbers for phishing, so that risk is now elevated.

How to resecure your GoDaddy-hosted WordPress site

GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

  1. If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach.
  2. Change all of your WordPress passwords.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do so.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts.
  7. Scan your site for malware using a security scanner.
  8. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the plugins menu.
  9. Be on the lookout for suspicious emails.
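
One way to carry out steps 6 and 8 without relying on the dashboard, as an added example that is neither GoDaddy’s nor WordPress’s own code: a PHP script that compares the plugin directories on disk against the list you expect, reports everything present in wp-content/mu-plugins, and queries the database directly for administrator accounts. The expected plugin list, the wp-content tree it scans (built in a temp directory so the script runs offline) and the suspicious names in that tree are all constructed for the demonstration.

```php
<?php
// Added example, not GoDaddy's or WordPress's own code. It covers two of the
// recovery steps above: finding plugin code on disk that is not on the list
// you expect (step 8) and listing administrator accounts (step 6). The
// wp-content tree below is constructed in a temp directory so the script
// runs offline; pass a real wp-content path to audit_wp_content() to audit
// an actual install.

// Plugin slugs you know you installed (constructed example list).
const EXPECTED_PLUGINS = ['akismet', 'classic-editor'];

// Return every entry (directory or file) directly under $dir, minus the
// index.php placeholder WordPress ships in these directories.
function list_entries(string $dir): array {
    if (!is_dir($dir)) {
        return [];
    }
    $entries = array_diff(scandir($dir), ['.', '..', 'index.php']);
    sort($entries);
    return array_values($entries);
}

// Plugins on disk that are not on the expected list, plus every must-use
// plugin. mu-plugins load automatically and cannot be deactivated from the
// plugins menu, so a file dropped there survives a password change.
function audit_wp_content(string $wpContent): array {
    $plugins   = list_entries("$wpContent/plugins");
    $muPlugins = list_entries("$wpContent/mu-plugins");
    return [
        'unexpected_plugins' => array_values(array_diff($plugins, EXPECTED_PLUGINS)),
        'mu_plugins'         => $muPlugins,
    ];
}

// Administrator accounts, read straight from the database rather than from
// the users screen, which a tampered plugin could filter. $prefix is the
// $table_prefix value from wp-config.php (usually "wp_"); the capabilities
// meta key carries the same prefix and holds a serialized PHP array.
function list_admin_accounts(PDO $db, string $prefix = 'wp_'): array {
    $sql = "SELECT u.ID, u.user_login, u.user_email, u.user_registered
              FROM {$prefix}users u
              JOIN {$prefix}usermeta m ON m.user_id = u.ID
             WHERE m.meta_key = '{$prefix}capabilities'
               AND m.meta_value LIKE '%\"administrator\"%'
             ORDER BY u.user_registered";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo tree ---
$root = sys_get_temp_dir() . '/wpaudit_' . bin2hex(random_bytes(4));
foreach (['plugins/akismet', 'plugins/classic-editor', 'plugins/wp-c0re-helper', 'mu-plugins'] as $d) {
    mkdir("$root/wp-content/$d", 0700, true);
}
// A must-use plugin nobody installed: the kind of persistence step 8 looks for.
file_put_contents("$root/wp-content/mu-plugins/loader.php", "<?php // constructed unknown file\n");

$report = audit_wp_content("$root/wp-content");
foreach ($report['unexpected_plugins'] as $slug) {
    echo "unexpected plugin directory: wp-content/plugins/$slug\n";
}
foreach ($report['mu_plugins'] as $file) {
    echo "must-use plugin present (verify it): wp-content/mu-plugins/$file\n";
}

// Against a real install, connect with the DB_* values from wp-config.php:
// $db = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASSWORD);
// foreach (list_admin_accounts($db, $table_prefix) as $u) {
//     echo "$u[user_login] <$u[user_email]> registered $u[user_registered]\n";
// }

// Tidy up the constructed tree.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Run with `php audit.php`: the demo tree produces one line for wp-content/plugins/wp-c0re-helper and one for wp-content/mu-plugins/loader.php. Any administrator account returned by list_admin_accounts() that you did not create, or whose user_registered date falls inside the September to November 2021 window, deserves the same scrutiny as an unexpected plugin.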

rb-

These GoDaddy data breaches are likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting site owners and their customers. The SEC filing says that “up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.


Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

WordPress Botched it

Imagine my surprise when I got a notification this morning (10/30/2020) at 11:42 AM (local time): “Your site has been updated to WordPress 5.5.3-alpha-49449. has been updated automatically to WordPress 5.5.3-alpha-49449. No further action is needed on your part.”

Say what?!?

WordPress botched an update and auto-updated sites from the standard release channel to a development alpha channel – with no warning or reason.


According to WordPress Development, it’s a bug. Not only did they move my site from the standard release channel to a dev release channel, which gets updated every night; they also added back all of the 20xx WordPress default themes, which I had already deleted.

@hellofromTonya at WordPress.org reports that the unwanted update is, “a side effect of another issue that occurred on 5.5.2.”

WP says there are 2 options to resolve this problem:

  1. Click the Re-install WordPress button on the Update screen to reinstall 5.5.2
  2. Wait to update when 5.5.3 is released (coming soon)

Please note, 5.5.3-alpha-49449 also installed bundled themes. Any of these themes the site doesn’t need will need to be deleted manually.

@johnbillion at WordPress.org posted, “When 5.5.3 is released, you’ll be updated to that stable version and you won’t be alpha or beta testing from that point onward.”

WP now recommends – if you trust them – updating to version 5.5.3.

I did, and it appears to have gotten me back to a stable version – but we will see overnight. If I get another dev edition, we will know it is still broken.

This smacks of an MSFT-type auto-update “feature.” It makes me start to question my faith in this new-fangled WP auto-update functionality.

Just as I was about to click Publish on this post, I got another alert that I needed to install WordPress 5.5.3 again – so much for their earlier fix!!!!

Get it together WordPress


Stay safe out there!


Is Yuzo on Your WordPress site?

I am still busy unpacking and re-arranging the furniture at the new home of Bach Seat. One of the nicer things about my new host is that I can now get WordPress alerts. And I have been getting a ton of alerts from the firewall that it blocked “yuzo-related” attack attempts. So I decided to see WTF “yuzo-related” attack attempts were about and found an excellent explanation on the WordFence site.

60,000 WordPress websites

Dan Moen at WordFence explains that the Yuzo Related Posts (YRP) plugin for WordPress has an unpatched vulnerability that was publicly disclosed by a security researcher on March 30, 2019. The flaw, which allows stored cross-site scripting (XSS), is now being exploited in the wild. The buggy plugin is installed on over 60,000 websites and has been removed from the WordPress.org plugin directory.

WordFence recommends that all users remove the plugin from their sites immediately.

The blog’s author writes that the vulnerability in YRP stems from missing authentication checks in the plugin routines responsible for storing settings in the database. The code below is the crux of the problem. There is more in-depth coding tech-talk at WordFence.

    } elseif ( is_admin() ) { // only admin: is_admin() is true for any admin-area request, including admin-ajax.php calls from unauthenticated visitors

He says developers often mistakenly use is_admin() to decide whether code that requires administrative privileges should run, but, as the WordPress documentation points out, that isn’t what the function does: is_admin() only reports whether an administration-area request is being handled, and it checks nothing about the user making that request or their capabilities.
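
The vulnerable pattern beside a hardened version, as an added PHP example that is not the Yuzo plugin’s code. The option name yrp_heading, the hook name admin_post_yrp_save and the nonce action yrp_save_settings are assumptions chosen for the illustration; the WordPress functions used (is_admin, current_user_can, check_admin_referer, sanitize_text_field, update_option, get_option, esc_html) are the real core API.

```php
<?php
// Added example, not the Yuzo plugin's code. Both handlers save a "related
// posts" heading option; only the second one is safe. Option name, hook
// name and nonce action are assumptions for illustration.

// VULNERABLE PATTERN (the mistake the post describes): is_admin() reports
// whether an admin-area request is being handled. It is also true for
// requests to wp-admin/admin-ajax.php, which any visitor can reach, so
// nothing here proves the caller is an administrator.
function yrp_save_settings_vulnerable() {
    if ( is_admin() ) { // "only admin" in name only
        // Raw input is stored and later echoed into page templates,
        // so markup submitted here becomes stored XSS.
        update_option( 'yrp_heading', $_POST['yrp_heading'] );
    }
}

// HARDENED PATTERN: check a capability, check a nonce, sanitize on the way
// in, and escape on the way out.
function yrp_save_settings_hardened() {
    // 1. Authorization: the *user* must hold the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'yrp_save_settings' );

    // 3. Input validation: keep plain text only, never markup.
    $heading = sanitize_text_field( wp_unslash( $_POST['yrp_heading'] ?? '' ) );
    update_option( 'yrp_heading', $heading );

    wp_safe_redirect( admin_url( 'options-general.php?page=yrp&updated=1' ) );
    exit;
}
// admin-post.php routes POSTs with action=yrp_save to this handler; the
// "admin_post_" prefix (without "nopriv_") already requires a logged-in user.
add_action( 'admin_post_yrp_save', 'yrp_save_settings_hardened' );

// 4. Output encoding where the option is rendered into a template, so even
//    a value that slipped past sanitization cannot execute in the browser.
function yrp_render_heading() {
    echo '<h3>' . esc_html( get_option( 'yrp_heading', 'Related posts' ) ) . '</h3>';
}
```

The settings form that posts to admin-post.php must include wp_nonce_field( 'yrp_save_settings' ) for check_admin_referer() to pass. The is_admin() branch in the first handler protects nothing, because the check is about the request path rather than the user; the capability check on the user is what was missing.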

Injects malicious JavaScript

The result is that an unauthenticated attacker can inject malicious content, such as a JavaScript payload, into the plugin settings. That payload is then inserted into HTML templates and executed by the web browser when users visit the compromised website. This security issue could be used to deface websites, redirect visitors to unsafe websites, or compromise WordPress administrator accounts, among other things.

As evidenced by the number of probes against my site, threat actors have begun exploiting sites with YRP installed. The exploits in the wild inject malicious JavaScript. When a visitor lands on a compromised website containing the malicious payload, they are redirected to malicious tech support scam pages, like the one shown below:

[Image: fake tech support page]

The WordFence analysis shows that the attempts to exploit this vulnerability in YRP share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP.

The security researchers found that all three campaigns so far share these traits:

  • A malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53.
  • Exploitation of stored XSS injection vulnerabilities to deploy malicious redirects.

WordFence is confident that the tactics, techniques and procedures in all three attacks point to a common threat actor.

WordFence recommends that WordPress site owners running Yuzo Related Posts remove it from their sites immediately, at least until the author publishes a fix.

rb-

What to do?

  • Keep your WordPress core and plugins up to date.
  • Do you really need Yuzo Related Posts? Here is a list of alternatives from WordPress.
  • Make sure you have good backups of your WordPress site, and that you can restore from them.
  • Put a firewall in front of your WordPress site.
  • Block the IP 176.123.9[.]53 from your site.
  • Harden your WordPress site.

Congress Prepares to Destroy the Internet

The Stop Internet Piracy Act (SOPA) legislation being debated in Congress has the potential to destroy the internet as we have come to know it. If passed, SOPA would require internet providers to block access to sites in other countries hosting stolen intellectual property (IP) from the U.S. It also puts any site that has even an accidental link to a protected intellectual property (IP) at risk for legal action according to the BusinessInsider and many others.

Michigan Democratic Congressman John Conyers Jr., husband of convicted Detroit City Council bribe-taker Monica Conyers, not only supports SOPA but was a co-sponsor of SOPA (H.R.3261), according to ProPublica.

Conyers’ support of SOPA may have been purchased for $158,574 in campaign contributions in 2010 from the Computers/Internet and TV/Movies/Music industries, according to ProPublica. This is an increase of nearly $14,000 from the 2008 election cycle.

Stolen IP is a very broad and vague term. Most of the leading Internet sites rely on user-generated content and links that might have protected IP on them. BI predicts that some of the web’s favorite sites may cease to exist because of the bill Conyers sponsored.

Which sites? The BusinessInsider asked anti-censorship advocacy groups like the Free Software Foundation, the Electronic Frontier Foundation, and the Participatory Politics Foundation for some answers and they projected the following (This is NOT a comprehensive list).

The experts say Reddit is a forum for linking to and commenting on content, and it’s all user-generated. As a result, some users are going to post or link to content they don’t have the rights to. Both of those are big no-nos under SOPA, according to BI. Alexa ranks Reddit #115.

The virtual artist platform deviantART attracts 45 million unique visitors per month. The site allows emerging and established artists to exhibit, promote, and share their work on the web. It makes the SOPA hit list because if an artist infringes upon a copyrighted work, both the artist and the site may be subject to legal action. deviantART will have to closely censor what is uploaded on the site says BI. Alexa ranks deviantART #131.

The virtual auction house and e-commerce site eBay (EBAY) makes this list because of sellers who use the site to distribute counterfeit merchandise. The article says the site does discourage selling these types of items with policies on IP. Alexa ranks eBay #20.

Amazon (AMZN) could also be at risk due to sellers who attempt to distribute counterfeit goods. Alexa ranks Amazon #9.

Etsy, the virtual marketplace of over 800,000 active “shops,” is threatened by SOPA because it allows users to buy and sell handmade or vintage items, art, and supplies, according to BI. Etsy faces risk from SOPA because it will have to monitor the handmade goods it offers. If an IP holder claims to be harmed by any activity on the site, Etsy could be forced to suspend its service. That would harm all the vendors on the site and not just those accused of IP theft. Alexa ranks Etsy #162.

The BusinessInsider says YouTube is at risk from SOPA despite its effort to keep pirated content out. If copyrighted works are found on YouTube by an IP holder, it could mean a suspension of service. SOPA will further censor the kinds of content the YouTube community can upload. Alexa ranks YouTube #3.

Facebook also makes the experts’ list because if one of its 800 million users shares a link to a copyrighted work or to a site that is accused of infringing IP, Facebook could be held liable as well. SOPA will likely force Facebook to further monitor and censor its users. Facebook is ranked #2 by Alexa.

Like YouTube, if copyrighted works are found on Flickr by an IP holder it could result in the suspension of service. SOPA will further censor the kinds of content the Flickr community can upload. Under SOPA, any copyright violation complaint made could suspend both the site and its revenue streams according to the article. Flickr is ranked #42 by Alexa.

Over 70 million people use WordPress to publish their blogs. WordPress faces risk by SOPA because the bill could mandate the site to further monitor and censor the bloggers. If a WordPress site is accused of violating IP protected works or a commenter links to a copyrighted work, BI predicts that could potentially shut down all the blogs hosted on the site. WordPress is ranked #18 by Alexa.

Over 40 million people use Tumblr to share photos, poems, posts, and other creative content. Tumblr faces the same threat as WordPress according to BI. If a blogger or commenter uploads or links to copyrighted works, then Tumblr and its users could be at risk. Tumblr is ranked #40 by Alexa.

Vimeo is a video-sharing website and has a reputation for being the place where creative types in the video and film industry upload their original work. However, given the user-generated nature of the site, BI says, Vimeo still faces risk from users who include even a portion of copyrighted material in their film. Vimeo is ranked #11 by Alexa.

Internet sites at risk

Experts say the Internet sites most at risk from SOPA include:

  • Google (GOOG), ranked #1 by Alexa.
  • Yahoo (YHOO), ranked #4 by Alexa.
  • Wikipedia, ranked #6 by Alexa.
  • Twitter, ranked #10 by Alexa.
  • Microsoft’s (MSFT) Bing, ranked #26 by Alexa.

The BusinessInsider concludes that the real victims of SOPA would be the startups whose innovation will be restricted by this bill (even though Conyers says SOPA will save jobs). Smaller websites may not have the lawyers to fight a bill like SOPA, and other sites may not consider launching at all for fear of prosecution.


AccountKiller KO’s Online Accounts

AccountKiller.com says it is a website dedicated to helping social network users reclaim their personal data. It explains how to delete online accounts on social networking sites and ranks those sites by how hard it is to reclaim your personal information.

AccountKiller provides instructions to remove your account or public profile on most popular websites, including Skype, Facebook, Microsoft (MSFT) Windows Live, Hotmail, MSN, Twitter, Google (GOOG), and many more.

The creators of AccountKiller have also created a blacklist of sites that do not allow their users to reclaim their online account information.  According to the website a black-listed site indicates it’s probably impossible or highly difficult to get rid of your account. Among the sites AccountKiller has blacklisted are:

The grey-listed sites may cost you some irritation or effort – but it should be possible to terminate your online accounts, says AccountKiller. These sites will require you to send an email to the site, send a message using a web form, or even call them to recover your personal information.

The creators of AccountKiller say that social media sites purposely make it difficult or even impossible to delete your account for two reasons. First, they profit from their users’ data; these sites are in the business of customer data retention. Alternatively, they suggest that these developers may simply be ignorant, lazy, or incompetent, i.e. not able to build an account-deletion function.

rb-

Kudos to the creators of AccountKiller; I now recommend this site to anyone who has questions about these social networking sites. It is time for social networking sites to provide transparency into their real business model and data collection; otherwise, there could be a social networking bubble.

What do you think?

Do you know how to get out of your social networking sites? Can you?
