
BulletProof Security
[resolved] Doesn't work - all sites have code injections and PHP backdoors installed (10 posts)

  1. estherrosie
    Member
    Posted 1 year ago

    Doesn't work.

    I installed this on all sites I build, assuming wrongly that it would protect them.

    I now have a number of sites with JavaScript iframe code injections, and some of these have had PHP backdoor viruses installed too.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. MickeyRoush
    Member
    Posted 1 year ago

    And you blame this on a plugin? I'm sorry, but there is no one plugin or combination of plugins that will protect you from every possibility. How does a plugin protect you from a theme or other plugin that you installed that already contained malicious code if you didn't check for it first yourself? Most plugins only help complement the hardening of your site. It's up to the site's owner to be diligent and observant.

  3. estherrosie
    Member
    Posted 1 year ago

    Hi Mickey

    I am not blaming the attack on the plugin, merely wondering why it doesn't do what it says on the tin.

    It specifically says it helps prevent code injection.

    And I do scan all my software before installing, thanks.

  4. AITpro
    Member
    Plugin Author
    Posted 1 year ago

    First off, I am sorry your sites got hacked - it sucks. ;)

    Yep, MickeyRoush has made an excellent and very valid point.

    Here are some things that BPS cannot protect against.

    1. Passwords being cracked: FTP, SSH, Control Panel and WordPress Login.

    2. Host Server itself has been hacked – not your individual website, but the Server that your website is on (ARQ Infinity in BPS Pro does offer individual site protection when a Host Server is hacked).

    3. Directory permissions that are set incorrectly – if you have set directory permissions to 777 by mistake then BPS cannot do anything to protect those directories because they are writable to everyone.

    4. Installing a plugin or theme that contains exploitable code that appears to be legitimate and valid code - we are working on this one, but it is proving to be a very difficult task since usually the exploit is caused by a coding mistake and not intentional malicious coding. BPS will block a lot of different attack strings, but if the coding mistake in a plugin or theme is done in a way that the hacker would not need to use an attack string, then BPS would not see that as an attack/hacking attempt. ;)

    5. A weak point of entry on 1 or more sites under the same Hosting Account - Example: If you have 10 websites and 9 of them are protected, but a hacker manages to compromise/hack 1 of your websites with a Shell script, then that Shell script has the capability to access/control/hack all of your other 9 websites under that Hosting Account. BPS Pro compartmentalizes sites by utilizing ARQ so other sites would actually still be protected.

    6. And of course if your website was already hacked before installing BPS – hacked websites should be cleaned up or restored before installing BPS.

    Personal Note: if I could afford to support BPS Pro for free then I would have given it away for free - currently I am working 16 hour days to keep up with BPS Pro support. ;)

  5. AITpro
    Member
    Plugin Author
    Posted 1 year ago

    Also I guess I should have pointed out that the end result of a hacker's payload delivery could be JavaScript iframe code. A Shell script can do anything to your website that you could imagine. Inject code into files, delete files, upload files, crack your DB password and the list goes on and on. Basically a Shell script is about 100 times more powerful than a WordPress Admin Dashboard.

    My point is this - the initial attack method and successful hack was probably done by exploiting some vulnerable code on your site and not actually code injection. The code injection was most likely done after your site was already hacked.

    One of the things I see all the time just by googling for hacked websites on any given day is that a site that is hacked by one group of hackers is left wide open and exposed for any other hacker or hacker groups or just a random person to come along and do anything they want to the site. Professional hackers do not want you to know they have hacked your site. The Kiddies like to show off and do blatant stuff like defacing your website. ;)

    To find hacked websites by googling you just need to know what to search for. Google these search strings below and you should find at least 10 hacked websites that have Shell scripts on them that enable you to do anything you want to the hacked website just as if you were a hacker yourself.

    o---[ r57shell - http-shell by RST/GHC | http://rst.void.ru  | http://ghc.ru  | version 1.24 ]---o
    
    o---[ r57shell - http-shell by RST/GHC | http://rst.void.ru | http://ghc.ru | version 1.31 ]---o

    What is ironic is if you do deface a website that has already been hacked with a Shell script and that website owner does not know that their site is hacked, then you are actually doing them a favor by alerting them that their site is hacked. ;) I obviously am not recommending this and send them an email myself. But in the past I have gotten very nasty replies from these folks accusing me of hacking their website. Hmm, now why would I send them an email from my domain name? Logic does not come into play when people are freaking out - just a warning. ;)
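As an added example (not code from this thread, from BPS, or from its author), a small Python scan for two of the conditions discussed above: directories left world-writable (the 777 mistake in post 4) and files carrying the hidden-iframe or obfuscated-eval markers typical of the injected code and PHP backdoors described in this post. It builds a constructed mini site in a temp directory; the regex markers and file paths are illustrative assumptions, not a complete detection set.

```python
import os
import re
import stat
import tempfile

# Heuristic markers: a hidden iframe (injected redirect) and an obfuscated eval() (PHP backdoor).
IFRAME_RE = re.compile(r'<iframe\b[^>]*(?:display\s*:\s*none|(?:width|height)\s*=\s*["\']?0\b)', re.I)
BACKDOOR_RE = re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)


def scan_file(path):
    """Return (kind, path) findings for one web file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    if IFRAME_RE.search(text):
        hits.append(("hidden_iframe", path))
    if BACKDOOR_RE.search(text):
        hits.append(("obfuscated_eval", path))
    return hits


def scan_tree(root):
    """Walk a web root: flag world-writable directories and suspicious web files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # the 'other write' bit of 777
            findings.append(("world_writable_dir", dirpath))
        for name in files:
            if name.lower().endswith((".php", ".html", ".htm", ".js")):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def demo():
    """Build a constructed mini site in a temp dir; return {relative path: finding kind}."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # the permissions mistake from the thread, reproduced on purpose
    samples = {  # constructed sample content, not real site files
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/t/footer.php": '</footer><iframe src="http://example.invalid/x" style="display:none"></iframe>\n',
        "wp-content/uploads/cache.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.relpath(p, root): kind for kind, p in scan_tree(root)}
```

Running `scan_tree` against a real document root gives the same (kind, path) tuples; a hit is a lead for manual review, and a clean result does not prove the site is clean.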

  6. AITpro
    Member
    Plugin Author
    Posted 1 year ago

    And actually we were in the final stages of testing this new .htaccess code which will lock down plugins and protect them from being accessible using remote hacking scripts. This still leaves one door open which is if the hacker is trying to execute script from your website from a Browser then the referrer checks will show your site as the referrer - this severely limits their attack methods/strings. This new coding closes all doors to remote execution of scripts and the most common form of hacking is automated remote script execution/bots.

    We are looking for Beta Tester volunteers to test this new coding so anyone interested please give it a test ride and post your findings/results.
    http://wordpress.org/support/topic/beta-testers-wanted-new-htaccess-code-to-protect-plugins

  7. estherrosie
    Member
    Posted 1 year ago

    Hi AITpro

    Huge thanks for taking the time to reply and with such useful information.

    I am fairly proficient at cleaning up hacks but also low in knowledge as to the technology behind them actually happening.

    It was actually our Filezilla SiteManager files on two separate devices that were 'stolen' so obviously I won't be using that anymore! We do connect to some of the same sites so I am assuming that something got in somewhere. No viruses or malware on our devices.

    I would dearly love to know how so that I can try and protect against anything close happening again.

    So no, your system can't protect against that, which is completely fair enough, and I still use it on all my clients' sites.

    Massive thanks again for taking so much time to answer. Great support.

  8. AITpro
    Member
    Plugin Author
    Posted 1 year ago

    Website hack cleanup is a nightmare. I know, I used to do that service. In the final days of doing that service I always tried to lean toward doing a clean install and then import the DB tables into the new DB. Nothing worse than having to redo your work all over again if you missed something. ;)

    Yep, FTP password cracks, mining and theft are in the top 3 most common hacker entry points for this obvious reason - if a hacker can get your FTP password then he/she will "own" the site/Hosting Account. Another obvious point of entry is cracking a WordPress Admin login password - The BackTrack 5 R3 Penetration Testing Distribution makes cracking weak WordPress Login passwords child's play. ;)

    We are currently researching a way to protect against FTP break-ins, but this is obviously a very complex thing since FTP passwords are a Server-side and not a client-side thing. For example, how would you be able to check or block someone from using an FTP password that they stole from you if they are logging into your site from anywhere in the World? I am pretty sure no one has figured this out yet, but maybe someone has. If it can be done we will figure it out. ;)

    Very welcome and always glad to be of assistance. ;)

  9. thommy1499
    Member
    Posted 1 year ago

    Hello,

    Is it possible, after activating and making all necessary things, that I deactivate the plugin to save performance?

  10. AITpro
    Member
    Plugin Author
    Posted 1 year ago

    BPS is performance optimized and uses almost nothing in website resources. The .htaccess files themselves will cause a performance hit of something like .01 seconds and the plugin files themselves are pretty much zero for resource usage. So basically you would not really gain anything by deactivating BPS. Do some benchmarking tests with YSlow or other tools to see if your website performance results show any differences at all with BPS activated and deactivated.
