Podcast Episode 64: Backdoors, Webshells, and the Growing Risks of Leaks & Breaches

We take a look at the annual hacked site report from GoDaddy’s Sucuri Security and the types of malware they found in various CMS and shopping cart applications. Microsoft reports they’re finding 77k webshells daily, and WP Scan’s roundup lists a number of popular plugins and themes with recent vulnerabilities. A report from students at Harvard University exposes the growing risks of online leaks & breaches.

Here are some timestamps if you want to jump around:

1:27 The 2019 hacked website report from our friends at GoDaddy’s Sucuri Security
5:02 Microsoft says it detects over 77,000 active webshells daily
5:21 What is a webshell, and why it’s dangerous
6:07 WSOShell, a PHP based shell we often see on hacked WordPress sites
7:25 WPScan lists 37 plugins and 9 themes with vulnerabilities disclosed in January 2020
8:16 The growing risks of data leaks and breaches, and how you can limit your exposure

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 64 Transcript

Hi, welcome to Think Like a Hacker, the podcast about WordPress security and innovation. This is Kathy Zant, Director of Marketing here at Wordfence and this is episode 64. It is the first week of February and it is the official kickoff of WordCamp season. This weekend we have WordCamp Phoenix. I’ve been working as the Sponsor Wrangler. My living room right now is literally a sponsor swag warehouse. I am very much looking forward to getting all of these boxes downtown so that all of the sponsors can start distributing some of this great swag. Can’t wait to see what’s in some of these boxes! Thank you to all the sponsors who are making this event possible. It is now sold out, so if you don’t have a ticket to WordCamp Phoenix, sorry you’ll have FOMO, but I’m sure you will have fun watching the event on social media with the hashtag of WCPHX.

If you’re going to be at WordCamp Phoenix, please find the Wordfence team, say hi and learn how to pick a lock. We also have some new swag this year if you let them know you’re listening to Think Like a Hacker. I’d love to hear from you. Please also find me and say hi. So today we don’t have an interview for you, but we do have some security news and we’ll go over that now. Our friends at GoDaddy’s Sucuri Security have released their annual report about the state of website security in 2019. Sixteen people contributed to this over 40 page report. I really enjoy reading what types of malware infections other security companies are seeing and because Sucuri works with more than just WordPress, they had some interesting data and were able to compare various content management systems and shopping carts such as Magento, etc.

So it’s a great review across a broad spectrum of different types of infections and content management systems. So here’s what they found. First they found about half of the infected sites that they cleaned had back doors, which makes sense. If you’re going to invade a house and you think you might want to get back into that house, maybe you leave a key somewhere or leave a way to get back in. Same thing with a website. A backdoor is just code that could be added to a normal file or it could be a standalone file that allows a hacker basically unrestricted access to a compromised site. It allows them to access all the files within that hosting account. They could look like normal PHP code or it could be obfuscated. A backdoor can be inserted into a valid file as just even one line of code that looks rather innocent.

Now usually the reason why a hacker compromises a site is for a financial motive, so it’s pretty rare you just find a backdoor. You usually find it in conjunction with other malware affecting that site. The most common infection that they found, 62% of the websites that they cleaned had SEO spam. Now obviously hackers will compromise WordPress and other CMS websites in order to put spam links that will boost rankings for their sites within the search engines. And I found this interesting that they stated that they found a number of sites compromised with spam that did not have any backdoors. This could indicate that they saw a number of site cleaning customers coming in with database security issues. Unfortunately, there are ways of posting spam links into a WordPress database without having any vulnerable PHP code on your site if, for example, a hosting provider has a service vulnerability. I have cleaned numerous sites like this where hosts had problems securing their MySQL databases and we’ve worked with hosts in order to help them secure those.

Sucuri’s report also states that they saw over 56% of all content management system or CMS applications out of date at the point when that site had an infection, but they did report that WordPress, of all the CMS and shopping cart applications that they had cleaned, WordPress was experiencing the most updates. So that is a good thing for our little neck of the woods on the internet. I definitely recommend looking at Sucuri’s report, but keep in mind that this is data from their site cleaning team. It is not indicative of the internet as a whole. It’s not indicative of WordPress as a whole. So take all of that information as definitely interesting, but with a grain of salt, of course.

In a somewhat related article, Microsoft says that they have detected over 77,000 active web shells on a daily basis. They say that this has spread across 46,000 infected servers daily. This is what they’re seeing. So what is a web shell? A web shell basically is a backdoor, it falls into that category. It’s actually a fairly powerful tool, allows you to browse the file and directory or folder contents of a server using just your web browser. So imagine a hacker has a tool on your web server and this file has the same permissions as your website. If your email on your server has those same permissions, they’ve also got access to your email. They basically can browse anything within that hosting account using this web shell. If customer information is on your web server and it’s stored and owned with the same permissions as your website that that shell is using, then the hacker has access to all of your customer information, which of course is not a good thing.

A few years ago we wrote an article and looked at the WSO shell, named because of the acronym web shell by ORB. It is a PHP based shell we often see on hacked WordPress sites as backdoors that allows hackers to do all sorts of things. These basic functions such as renaming files, copying things, moving things, editing, uploading new files to a server or also changing file directory permissions and creating an archive and downloading all of the data from your server. Now it’s interesting to me that Microsoft is seeing this many shells and this many servers on a daily basis. The real danger for enterprise settings and enterprise customers is that these shells can be used, if permissions and server security isn’t tightened, to pivot into more sensitive environments than just a web server. So it’s really important that all aspects of your security are looked at because an attacker can get into a WordPress site and if it’s hosted even in a demilitarized zone or outside of your firewall, that can still be pivoted into more sensitive areas.
So definitely interesting article there. Our friends at WPScan who manage the WP Vuln DB, the basic vulnerability database for WordPress, published a January 2020 vulnerability roundup. There were quite a few vulnerabilities in January, 37 different plugins, 9 different themes, quite a few large plugins and themes listed. We will have a link in our show notes. Now if you’re using Wordfence, your scans will let you know that your plugins or themes have an update that fixes a security problem and if you’re using Wordfence central, this is another great tool, also free, that will help you manage numerous WordPress installations and stay on top of those updates. So the partnership that we have there really helpful for our users.

Our final news article this week is from students at Harvard University. Two students at the John Paulson School of Engineering and Applied Sciences explored data leaks for their final project in privacy and technology. So you’ve been listening to Think Like a Hacker over the last year, you probably remember Mark and I talking numerous times about data leaks and breaches that have happened. This report from Harvard was interesting because they really started to piece together what this means for the average internet user.

See these data leaks pose a larger threat than most people realize. So these hackers can find and exploit sensitive not only about your virtual identity but your real identity and can really do some damage. So what does this mean? So let’s say you wanted to buy a tee shirt for a friend from a pretty small storefront. It was really unique though, something that you can’t find on Amazon. So you go, you enter your billing and shipping information, your friend gets their tee shirt, many laughs were had and a year later that website gets hacked and your data and the data of all of the other customers who purchased from that site gets downloaded. And maybe they used one of those web shells to do so, maybe another method, but either way your data ends up in a dark place.

Now, some people call this the dark web, the peer-to-peer network that isn’t indexed by search engines like Google and has to be access through software called Tor. On the dark web, there are forums where hackers share or sell data that they found on vulnerable sites like the tee shirt shop in our example. Now according to the work done by these students at Harvard, this data’s pretty easy to find. Now what’s more alarming is how much data they found and how they were able to piece together information about various people. So if you’re like me, you probably remember that a credit reporting company, Experian, and the breach that happened in 2015 that contained personal information and over six million individuals.

So the data set that is available on the dark web that they found was divided by state. So they focused on just Washington, D.C. and the data contains 69 different variables, everything from a person’s home address and phone number to their credit score, the history of their political donations, and even how many children they have. So they looked at individuals across other leaks that had occurred, combining stolen personal information from hundreds of sources. Now we have Troy Hunt’s tool called Have I Been Pwned, where you can put in your email address and see how many breaches and leaks your information has been in. These Harvard students created something like this on the dark web that performs these kinds of look-ups at scale. They then started to find vulnerabilities in an individual’s online presence very quickly. One frightening stat, of the 96,000 passwords that they found only 2,600 were unique, so start using those unique passwords, start using your two factor authentication, use your password managers.

But it’s worse than that. So here’s an example of how scary this could be. So in less than 10 seconds, they produced a data set with over 1,000 people who meet these criteria; they have a high net worth, they’re married, they have children, and they also have a username or password found on a cheating website. So you start seeing how hackers can start using this information for very targeted attacks against specific individuals. Another query that they talked about was pulling up a list of senior level politicians, revealing their credit scores, phone numbers, addresses of three U.S. Senators, three U.S. Representatives, the mayor of Washington D.C., and a Cabinet member. This is definitely an article and some ideas that are worth exploring. We’ve got this linked in the show notes on wordfence.com/podcast, but what can you do to protect yourself?

You only wanted to buy your friend a unique tee shirt you couldn’t get anywhere else, right? So there are things you can do to limit your exposure in this world of data breaches and leaks. First, use unique passwords everywhere. If you’re using a new site, make sure it has a unique password, a password you’re not using anywhere else. Password managers are literally the only way to stay on top of it these days, 1Password and LastPass are some great options. Use unique email addresses for certain sites. If you are using Gmail, you can use Gmail’s ability to create a unique email by appending a plus sign and another phrase to the end of your username. So for example, if I was kathy@gmail.com, I could have an email that was kathy+tshirts@gmail.com. It would still arrive in my inbox, but in a sort or search on the dark web, it will show up as a different email.

If a compromise happens, it makes it a little harder for hackers to piece together a picture of you when you’re using unique emails and you can also tell where a compromise might have happened when you’re using this methodology of segmenting your Gmail account or rather segmenting your Gmail inbox. Also watch your credit card statements regularly for suspicious activity of course and watch your credit reports and two factor authentication. We talk about this a lot. Rather than using SMS based two factor authentication, we do recommend the time-based one time passwords. There are a number of tools that allow you to use this and you can indeed stay safe out there.

Thanks for listening to this episode 64 of Think Like a Hacker. If you are listening on Apple podcasts, give us a rating, review. If you are going to be at WordCamp Phoenix, definitely come say hi. Say hello on Twitter or any other social media. I am Kathy Zant everywhere and leave a comment on the post on wordfence.com. Thanks for listening. We’ll be back next week with an interview and if there’s a story that you’d like us to cover, please reach out to Kathy AT wordfence [dot] com and we’ll talk to you soon.