22
sedev
8y

WTF!!!!! I officially have someone trying to extort me; I just had this in my email box this morning!

--------

Hello,

My name is [name removed], I'm an IT security expert and I found a security issue on your website.
This email is personal and in no way related to any of my employers.

I was able to access a lot of files which contain sensitive data.
I attached a screenshot of the files I found to this email.

I would be happy to give you the method I used to access these files in order to let you fix it.
Would a monetary compensation be possible?

Please forward this email to the right person if you are not responsible for the security of the website.

Best Regards,
[name removed]

---

He can basically see the contents of my wp-config.php. How has he managed this?

Comments
  • 6
    Well gg, I don't know much about hacking but you might want to look into your server's security :p
  • 5
    By right the server should prevent this. chmod the files and folders concerned securely. Talk to server support and forward them this email. Validate the security breach, change all admin and DB passwords and add a security key.
  • 12
    @SalocinDotTEN
    Could be a plugin also, more likely.
  • 1
    @Linux could be. In that case turn off all plugins except the premium ones. I'm a WordPress web developer by day; I've had this happen somewhat before.
    Also consider Trend Micro if you have it on a dedicated server.
  • 2
    @SalocinDotTEN ok so I am running an EC2; I have run the cmd: find /var/www -type f -exec sudo chmod 0664 {} \;

    He has basically sent me a screen grab of Sublime editor showing the WordPress root folder and index.php, so I am trying to validate if it's even my root.
  • 4
    @SalocinDotTEN
    Well, I am a sysadmin and I deal with WordPress every day and the developers who work with it. WordPress and the plugins are able to read the wp-config file without problem.
  • 2
    @SalocinDotTEN
    And a premium plugin does not guarantee that it is bug-free. Sadly.
  • 0
    @Linux @sedev ok, so it's likely a plugin or an infection of files by malware that allows an attacker to index files. Check files for unusual strings, usually in the first lines.
    Not sure if he showed you the actual contents of the config file. If so, and it is yours, you'll need to follow the recommendations earlier.
  • 0
    @Linux he has sent a screen grab of the entire root. How do hackers even do this? I am securing all my files; I am sure that they were already secure. What would you suggest to check for exploits?
  • 1
    @SalocinDotTEN
    WordPress is used by an enormous amount of websites, so it makes sense that hackers are targeting WordPress and popular plugins (or old plugins which aren't updated anymore).
    @sedev
    But can he really "cat" files outside your DocumentRoot? Does your website (vhost) run as separate user?
  • 0
    @Linux hhhhmmm I am not sure I haven't set anything up to make it run as a separate user. Is there a cmd I can run to check?
  • 1
    @sedev
    Just check the owner of the files and catalogues
    (ls -la)
  • 0
    @Linux so the vhosts folder is under ec2-user apache. All the domains and subdomains are also under this. Apologies for turning devrant into stackoverflow, I will continue to rant shortly ;)
  • 3
    @sedev
    I don't mind if you ask questions or want help here on devrant.
    Could you tell if there is any AssignUserID in the vhost file?
  • 0
    @Linux no just checked I have no AssignUserID calls
  • 1
    @Linux yes. which is why we have a schedule to constantly update WordPress and plugins as well as remove unwanted ones.
  • 1
    @sedev
    check htop also, when you are visiting your site
  • 2
    @SalocinDotTEN sorry, he didn't show me the contents of the wp-config.php, just the index.php. Here is the image he attached: https://s3.amazonaws.com/clouds3me/...
  • 1
    @sedev
    lol, is that true? If I were you, I'd just ignore it. But check your files for some strange x64 encoded crap.
  • 1
    @Linux ahahaha ok cheers all, thanks for your advice. I'll email him back and ask him to show me the contents of my wp-config.php and see what he says. What a way to start a Saturday morning: a crying baby, someone threatening to hack me which may or may not be true, a fly that kept landing on me whilst all this is happening, and my wife telling me we need to be out of the house by 2. Going to be one of those days!!!
  • 0
    lol! Scammers!!
  • 1
    Nice to see the Nigerian Prince has finally managed to take some of all that money which was blocked in the bank by the government, and decided to put it to some good use by learning web app security, ha ha ha.
  • 6
    @sedev I'd say don't contact the guy at all, and double check your security settings and change all the passwords with more secure ones just in case. I study security, and such scammers are all over the place. If you contact them they will learn a lot from you, one thing being that you are not quite sure of your security fortifications for the site, and next that they have got your attention. Don't give him attention and simply ignore him on your end, but don't ignore the potential for a threat on your side.
  • 1
    @codeRetard cheers for the advice
  • 0
    @Letmecode I only ever connect to the server via ssh and a pem file with the ec2 security group locked down to my ip.
  • 1
    @Letmecode I'd say the lad is a scammer with phishing aspirations!
  • 0
    @Letmecode ok thanks all
  • 3
    Also threaten him because he pen tested your website without explicit permission.
    PS: are you running a commerce plugin?
  • 0
    I know what happened; if you want, I can disclose it here. We can talk in private also if you have a problem talking here.
  • 1
    @skonteam I'd advise against that, since they have numerous methods of evading such threats and will reappear like cockroaches from some other crack of the net. Besides, doing that will also fall under the category of letting them know they have got your attention, which is not what you want.

    However, keep the email and contact info for a period of 6 months, and should things escalate, inform the relevant authorities in your area and let them deal with him.
  • 0
    @skonteam I have s2member and woo commerce for my multisite setups.
  • 0
    @rjcrystal yes please disclose it. That's the thing about hacking: why isn't there a resource where people openly show the exploits or hacking techniques? At least we could all run and test them. The hacking community should be open, unless there is a resource I am missing. I don't disagree with hacking, I think it shows exploits and helps systems move forward, but I want to know what methods people use to do these kinds of hacks so we can test ourselves.
  • 3
    @sedev That's why PenTesting companies have a job my friend
  • 7
    @sedev this guy is legit. We got the same kind of email from him.
    I know what the vulnerability is. In the text editor screenshot, can you see the red dot? That indicates he has the .GIT FOLDER. Here's what you have to do.
    Remove the git folder from your public html or just restrict access to that folder. Hope that helps. Also if you wanna double check just try
    git clone www.xyz.com/.git and it should work. Let me know if it helps ☺️ And hackers live on secrets, that's their leverage, especially ethical hackers. There is shitloads of money involved in it. And vulnerabilities most of the time are very simple things that we overlook.
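    As an added example (not code from this thread or from WordPress), here is the defender's side of the exposed .git problem described above: it scans Apache/Nginx combined access logs for requests into /.git and reports which of them were served with a 200, and it lists any .git directories sitting under a web root. The log lines and IP addresses are constructed for the demo.

```python
import os
import re
from pathlib import Path

# Apache/Nginx "combined" access log line: client IP, timestamp, request
# line, status code and response size (referer/user agent are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Any request that reaches into a .git directory (/.git/HEAD, /.git/config,
# /blog/.git/index ...). A 200 here means the server handed out repository data.
GIT_PROBE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Parse one access log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_git_probes(lines):
    """Return (ip, path, status, exposed) for every request that touched /.git.

    exposed is True when the server answered 200, i.e. the probe succeeded and
    the repository (and everything ever committed to it) is downloadable."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and GIT_PROBE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"], rec["status"] == 200))
    return hits


def git_dirs_under_webroot(webroot):
    """List every .git directory below the web root: the misconfiguration itself."""
    return sorted(str(Path(root) / ".git") for root, dirs, _ in os.walk(webroot) if ".git" in dirs)


# Constructed sample log (documentation IP ranges), not real traffic: two probes
# served with 200 (repository exposed), one normal page hit, one blocked probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2017:08:15:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2017:08:15:03 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2017:08:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jun/2017:09:01:44 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "curl/7.52.1"',
]

if __name__ == "__main__":
    for ip, path, status, exposed in find_git_probes(SAMPLE_LOG):
        print(f"{ip} {path} -> {status} {'EXPOSED' if exposed else 'blocked'}")
```

    Moving .git out of the document root, or blocking it in Apache (html5-boilerplate's .htaccess uses a RedirectMatch 404 rule for dot-directories), turns the 200s in such a log into 404s.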
  • 1
    @sedev if your website is mission critical or has financial implications it is always considered best practice to consult a reputable Web App Penetration Testing company at least once a year for a security audit. You can also list your site on the bug bounty websites such as Bugcrowd if you want to keep it cheap.
  • 0
    @sedev Finally there is a really nice article on WPMUDEV on scanning WordPress called "How to scan your WordPress Site and Patch security vulnerabilities" that you might want to read. It nicely sums up some automated methods you can use to scan your site on your own. However I still advise you to have some third party person who does this for a living do it, and you only worry about patching them.
  • 1
    @rjcrystal thanks for the info, I'll check that. Any idea or code I can run to run the same hack this guy is using? How has he gained access to my .git folder?
  • 4
    I'd just like to mention that the image is incredibly generic - those files are in every installation of WordPress, so there's no evidence that it's your site... I'd relax if I were you 😄

    You might need to ask for some actual proof of it being your site, unless that has already been provided?
  • 0
    @codeRetard there should be an open community supplying the code and techniques people are using, so we can all keep on top of vulnerabilities. Is there anything like that about?
  • 2
    @sedev yes just open up a Linux terminal and type git clone www.yourwebsite.com/.git it should start cloning your entire git repository.
  • 2
    @rjcrystal AHHH I totally see now. It looks like he has hacked our git account, you are correct. I just noticed we don't even store our wp-config.php in git, it's in our gitignore, and after checking the screen grab again there is no wp-config.php in it, so it is our root but he doesn't have access to any sensitive data. Worrying though.
  • 2
    @sedev in a nutshell, not really! No such one place for all vulnerabilities exists, as this community, the security community that is, works much like the spies used to work during the cold war. New vulnerabilities are kept hushed and in closed mail groups until they emerge for the highest destructive or financial impact for the people who found them or others who chose to use them as weapons. Also the technology owners keep a closed ledger of their vulnerabilities, fearful of showing how messed up their fortifications and software design were to begin with. This leaves end users and admins at the mercy of automatic vulnerability testing applications and odd articles scattered on the net. It's such a fast-paced evolving field that even the PenTesting companies struggle to keep pace with all the new developments.
  • 0
    @sedev yeah, happy to help. Never store credentials in git.
  • 0
    @codeRetard you're right ;) I'm just frustrated. I would happily try and hack my website all day long to make it more secure. It's just the not knowing, and the fact I have to be in some hidden restricted community to find this stuff out.
  • 0
    @sedev It's amazing to want to learn new things, such as hacking in this case, and to be eager about doing it on your own, but you stand no chance against an experienced tester who is doing this for a living. While I don't want to discourage you from trying to conduct security checks on your site, I strongly advise you yet again to consider a penetration testing company if your site holds valuable and / or mission critical data. Trust me, it is well worth the investment!
  • 2
    @chasb96 I am one such person pal but this is not the way to disclose a security vulnerability especially since I am sure @sedev did not give him his permission to conduct vulnerability testing on his site!
  • 1
    @chasb96 yeah I think extortion was a little bit of an overreaction on my part. But not far off.

    "the practice of obtaining something, especially money, through force or threats."
    "he used bribery and extortion to build himself a huge, art-stuffed mansion"

    I guess it wasn't really threatening.
  • 1
    @chasb96 I'd say polite blackmail is more like it. As it stands @sedev can press serious charges against him, which can have severe ramifications for the guy. No tester, white hat or grey, will ever attempt to find security vulnerabilities on websites which are not in the Bugcrowd listings, don't have a bug bounty program of their own or haven't explicitly asked them to do such tests. Even then they don't touch it before some very tight contract and test restrictions have been drawn up!
  • 0
    I know this is reaching, but if your servers are using Norton, which is common, there is an exploit that takes advantage of an unpatched compression library which, with the right code, will execute the code as root instead of scanning it. This bug was found a month or two ago by a Google security researcher. There is a patch that can be applied but it requires a reboot and must be manually applied. Don't know if this is what happened, but just another reason to love Norton.
  • 1
    @sedev I know I'm a bit late to the party. I would recommend changing all passwords (ftp, wordpress, mysql).

    check chmod, update plugins, install security plugin to harden the website. They normally protect your wp-config file among other things.

    If possible do a virus scan via ssh.

    Most of the time it's a known exploit of a plugin/theme.

    I strongly recommend always installing a security plugin for all wp sites.
  • 4
    looool are you all serious? That's the default WordPress index file... it's open source, everyone can make that screenshot. Also, in that directory there isn't even the wp-config, so he just extracted the zip downloaded from WordPress.org.
  • 1
    If you want to block access to your .git repository and other sensitive directories it is easy to do using the .htaccess file. Check out html5 boilerplate's .htaccess file as I've incorporated it into a lot of my projects.
  • 1
    @nuts that is indeed my root and it is a legit hack, please see @rjcrystal's comments above.
  • -1
    well ditch php, ditch it now
  • 1
    I don't see a wp-config.php in that screenshot?
    Just a default WordPress installation that hasn't been setup yet. Unless I'm not getting something here?
  • 3
    @fuzzy hi, the reason you cannot see the wp-config.php is because we don't store this in our git repo, and the screenshot is of our git repo; we have it added to our .gitignore file on our local version. It's a bit of a rookie error on our part, but I am certain other people will be in the same position. @donkeyscript's comment was super helpful with the html5 boilerplate suggestion. I am sure someone can write a script via the shell that can ping thousands of domains checking for this exploit, example.com/.git, and check if the response code is not forbidden. Then, if they are like the guy that contacted me, they can try and blackmail them for money for a fix!
  • 0
    @sedev Ahh right OK, I've never setup a WP install on GitHub so wasn't aware of how it works. Either way I hope you get it sorted whatever happens! :)
  • 2
    @sedev Like how your brain works mate, you can have a bright future in security! ha ha
  • 2
    @codeRetard lol, I remember once years ago I was asked to help out a guy in a call centre to build a system for him to help his sales team. I asked him how he gets all the numbers of people to call. He said "I shouldn't really show you this", opened a spreadsheet, put one mobile number in the top record, added a +1 and then dragged down a thousand lines and said "there are 1000 mobile numbers". He then had a service to ping them all, checking if they are real and what network they were on, then he would do those annoying "you're at the end of your contract" cold calls. Blows your mind sometimes how the simplest of methods still work.
  • 1
    @sedev That was just amazing! When you think the biggest WordPress zero day bug in recorded history was due to an expired redirected add domain which was still in the depths of the downloaded version, you won't be surprised as much! That one seemingly simple oversight made my friend rich overnight ha ha
  • 1
    @codeRetard haha amazing ;) and as this is devrant and I'm in a ranting mood ;) I think when you start out as a developer we are all guilty of trying stuff to test the boundaries as you learn. I'm guilty of setting up a Twitter live search API app and leaving a text-based search on the tweets for gmail, Hotmail etc. and having over half a million emails in two days ("never done anything with them") but thought I was a genius (which I now know I am not, due to the fact I can't secure my .git folder ;( ), or the fact you can use the Facebook graph API, run a for loop through all the profile IDs and create a collage and think you are some sort of wizard ("millionaire island here we come"). So at the end of the day this guy has helped me secure my system, I just don't agree with asking for money for the privilege. Maybe if he had worded his email better lol!
  • 1
    @wade
    No, this is not legit.
    In your case maybe, but not this.
  • 0
    @wade
    or just check their permissions on the files/catalogue
  • 0
    @rjcrystal Yes, this seems to be a common bot doing it. And we all seem to be making the same mistake... I for one made this error back in 2012, when I was just starting, and I was an idiot who did not know that gitignore existed :D
  • 0
    @rjcrystal thanks man! I got the same email and the threat was real. I never contacted the guy back and was able to fix it thanks to this post.
    I've got git in all my websites; the Nginx ones were safe but the one with Apache was not.
  • 0
    @markomitranic hahah yeah, it's totally possible.
  • 0
    @lautaroe no problem man. It was a very silly mistake. Happy to help
  • 1
    This is very much a known vulnerability and very much a serious issue.

    Your .git folder NEEDS to be out of your web root. In the case that for whatever reason you need to have it there, you need to be SURE it is hardened and restricted from all access.

    This StackOverflow article deals with tactics and code you can use to fix this issue:
    http://stackoverflow.com/questions/...
  • 0
    @steve22 Yeah, found it a while back, thank you :)
  • 0
    Recently received this shit.

    Did you experience any sort of attack after giving the unsolicited vulnerability assessment?