Exploits

HTTP Trusted Hosts for Drupal 7

Make sure your Drupal 7 site doesn't have an identity crisis!

Drupal 8 introduced a "Trusted Hosts" configuration value which makes sure your site is responding only when it should. Essentially, it stops people from registering their own domain names and pointing them at your site, whereupon Drupal "detects" that bad domain name as the site's default URL and serves stuff anyway. Various versions of this exploit can lead to problems ranging from people duplicating your site to steal your SEO, all the way up to on-site security vulnerabilities allowing people to gain access to your site. For Drupal 7 users, this feature is not in core but there are a variety of ways to handle the problem, depending on what type of behavior you are trying to limit.

There is a great writeup on Drupal.org that clearly outlines the issue and give you some very basic pointers on how to clean-up your situation - check it out at https://www.drupal.org/node/1992030

Tags: 

I cleaned my Wordpress site but the malware came back!

Malware and trojans return after cleaning Wordpress site!

While remediating an appliance distributor's (who shall remain nameless) websites from the SoakSoak exploit, the site owner complained about malware "coming back" after being cleaned over-and-over by the former service provider. I logged into their InMotion Hosting control panel where I was greeted with a warning that there was a potential man-in-the-middle attack due to an expired certificate! Then I got another warning that their version of MySQL was obsolete and needed to be upgraded. Digging deeper, I found a variety of user accounts in both the application and the database that had the signature of a hacker - not totally random, but cryptic and/or occasionally named to sound official, like "system account" and such. I'm not sure how InMotion Hosting's certificates were invalid, but once I saw warnings about the host themselves and the back-door, system-wide user accounts I figured it was time to get the hell out of there.

Tags: 

Subscribe to RSS - Exploits