Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence (11835 Views)
Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by fleps(m): 9:28pm On Apr 07, 2016 |
Mossack Fonseca (MF), the Panamanian law firm at the center of the so called Panama Papers Breach may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.

Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal. We performed an analysis on the MF website and have noted the following:

The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.

Viewing this link on the current MF website to a Revolution Slider file reveals the version of revslider they are running is 2.1.7. Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.

[Image: Mossack Fonseca running vulnerable Revolution Slider]

It appears that MF have now put their site behind a firewall which would protect against this vulnerability being exploited. This is a recent change within the last month.

Looking at their IP history on Netcraft shows that their IP was on the same network as their mail servers.

[Screenshot]

ViewDNS.info further confirms that this was a recent move to protect their website:

[Screenshot]

According to service crawler Shodan, one of the IP’s on their 200.46.144.0 network runs Exchange 2010 mail server which indicates this network block is either their corporate network or at the very least has a range of IT assets belonging to the company. We also show they’re running VPN remote access software.

You can view the IP addresses used for email for MF below which are all on the same network block:

[Screenshot]

To summarize so far:

- We’ve established that they were (and still are) running one of the most common WordPress vulnerabilities, Revolution Slider.
- Their web server was not behind a firewall.
- Their web server was on the same network as their mail servers based in Panama.
- They were serving sensitive customer data from their portal website which includes a client login to access that data.

A theory on what happened in the Mossack Fonseca breach:

A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db which made it widely exploitable by anyone who cared to take the time. A website like mossfon.com which was wide open until a month ago would have been trivially easy to exploit. Attackers frequently create robots to hit URLs like:

http://mossfon.com/wp-content/plugins/revslider/release_log.txt

Once they establish that the site is vulnerable from the above URL the robot will simply exploit it and log it into a database and the attacker will review their catch at the end of the day. It’s possible that the attacker discovered they had stumbled across a law firm with assets on the same network as the machine they now had access to. They used the WordPress web server to ‘pivot’ into the corporate assets and begin their data exfiltration.

Technical details of the vulnerability in Revolution Slider

This is a brief technical summary from one of our analysts describing the nature of the vulnerability in Revolution Slider that was exploited.

Revolution Slider (also known as Slider Revolution) version 3.0.95 or older is vulnerable to unauthenticated remote file upload. It has an action called `upload_plugin` which can be called by an unauthenticated user, allowing anyone to upload a zip file containing PHP source code to a temp directory within the revslider plugin.

The code samples below point you to where the specific problem is in revslider. Note that the revslider developer is allowing unprivileged users to make an AJAX (or dynamic browser HTTP) call to a function that should be used by privileged users only and which allows the creation of a file an attacker uploads.

[Screenshot]

A demonstration of Revolution Slider being exploited

The following video demonstrates how easy it is to exploit the Revolution Slider vulnerability on a website running the newest version of WordPress and a vulnerable version of Revolution Slider.

Conclusion

As a courtesy we have reached out to Mossack Fonseca to inform them about the Slider Revolution vulnerability on their site and have not yet received a response. They appear to be protected against it being exploited, or perhaps re-exploited in this case but the WordPress plugin on the site still needs updating.

To protect your WordPress installation it is critically important that you update your plugins, themes and core when an update becomes available. You should also monitor updates for security fixes and give those the highest priority. You can find out if a WordPress plugin includes a security update by viewing the changes in the “Changelog”.

In this case the site owners did not update for some time and it resulted in world leaders being toppled and the largest data breach to journalists in history.

https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/?utm_source=list&utm_medium=email&utm_campaign=mfon

2 Likes |
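The probe-then-exploit sequence described in the post above can be looked for in a web server's own access log. This is an added example, not part of the original post or Wordfence's code; it assumes combined log format, the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`, a 10-minute correlation window, and constructed sample lines (the `EXAMPLE_DIR` path is a placeholder).

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IPs, made-up paths and sizes).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2016:10:00:01 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 5120 "-" "bot"
203.0.113.7 - - [07/Apr/2016:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "bot"
203.0.113.7 - - [07/Apr/2016:10:00:09 +0000] "GET /wp-content/plugins/revslider/EXAMPLE_DIR/a.php HTTP/1.1" 200 12 "-" "bot"
198.51.100.4 - - [07/Apr/2016:10:01:00 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 404 0 "-" "bot"
192.0.2.10 - - [07/Apr/2016:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
PROBE = "/wp-content/plugins/revslider/release_log.txt"  # fingerprint URL from the post
AJAX = "/wp-admin/admin-ajax.php"                         # WordPress AJAX endpoint
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/revslider/.+\.php$")
WINDOW = timedelta(minutes=10)                            # assumed correlation window
STAGES = ["probe-miss", "probe-hit", "probe-then-ajax-post", "probe-post-then-plugin-php"]


def triage(log_text):
    """Map each client IP that probed release_log.txt to the furthest stage it reached."""
    stage, probed_at = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if path == PROBE:
            hit = status == "200"          # the file was served, so the version is exposed
            if hit:
                probed_at[ip] = ts
            stage[ip] = max(stage.get(ip, 0), 1 if hit else 0)
        elif ip in probed_at and ts - probed_at[ip] <= WINDOW:
            if method == "POST" and path == AJAX:
                stage[ip] = max(stage[ip], 2)
            elif stage[ip] >= 2 and status == "200" and PLUGIN_PHP.match(path):
                stage[ip] = 3              # a PHP file inside the plugin directory answered
    return {ip: STAGES[s] for ip, s in stage.items()}


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```

An IP that reaches the last stage is a reason to compare the plugin directory on disk against the vendor package and look for PHP files that do not belong.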
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by fleps(m): 9:30pm On Apr 07, 2016 |
Quite Interesting... |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by imohchard(m): 9:55pm On Apr 07, 2016 |
Hmm.... And I have been wondering how my websites got hacked recently... 2 Likes |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Donald3d(m): 1:54am On Apr 08, 2016 |
See now, when I was telling people in that "flash share" thread that anything is hackable, they didn't believe me. 1 Like 2 Shares |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by charsobodo(m): 6:08am On Apr 08, 2016 |
Cyber crime is a huge threat to all webmasters, hence adequate attention and priority should be given to any process or routine that can make a site safer. Though we can't completely eliminate the threat, we can reduce it to the barest minimum. So as a webmaster, always update your plugins as soon as an update is available... 1 Like |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by yomalex(m): 7:09am On Apr 08, 2016 |
You should fear outdated plugins. Need Ithemes Security plugin to protect your WordPress site? Send a PM for a token. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by fleps(m): 11:20am On Apr 08, 2016 |
cc Lalasticlala seun dominique |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by fleps(m): 11:28am On Apr 08, 2016 |
This is a call to all websites using WordPress... Even some themes are vulnerable. If you cannot hide your theme name, at least use a security plugin or change the admin area to the blog. I get to see a lot of www.yourwebsite.com/wp-admin as the back end. Now that's appalling. You have a lot of resources on how to change that with the help of a plugin. WordPress is awesome in building a website. Even the almighty CNN website is running on WordPress (but you'll never know) and that fact has been blocked out. Looking at the source page will reveal nothing. I still wonder why a high-profile website like that will make use of WordPress to power that part of the site. It's like GTB using WordPress for her website (a lot of money would have gone missing) cc Lalasticlala seun adewasco2k 2 Likes |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by emmanuelcrawler(m): 1:59pm On Apr 08, 2016 |
H |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by MadCow1: 2:00pm On Apr 08, 2016 |
Ewooooo! |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Abbeyunique2(m): 2:01pm On Apr 08, 2016 |
There is nothing like a secret. Even those celebrity nude pics were hacked, and they were on the Apple cloud platform. 1 Like |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by SuperSuave(m): 2:01pm On Apr 08, 2016 |
Space for sale!! Nothing is free even in Freetown not to mention Nairaland |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Nobody: 2:01pm On Apr 08, 2016 |
It seems the person that exposed those documents really planned it, how on earth did he download a file of many. 2.5 terabyte. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Lilimax(f): 2:02pm On Apr 08, 2016 |
Please, break it down into the common man's language. 2 Likes |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by kinziking(m): 2:02pm On Apr 08, 2016 |
I smell something |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by emmanuelcrawler(m): 2:03pm On Apr 08, 2016 |
J |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Ayento: 2:03pm On Apr 08, 2016 |
Abbeyunique2:Abi na |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Sirme411(m): 2:03pm On Apr 08, 2016 |
Be expectin McBrooklyn he go soon cum type "who you epp" ere.. .... ...... |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by fathomberry: 2:04pm On Apr 08, 2016 |
I believed so much in WordPress. 1 Like |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by 9jatatafo(m): 2:04pm On Apr 08, 2016 |
There is no absolute secret in life |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by 4nobody4every1: 2:05pm On Apr 08, 2016 |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by vision2050: 2:05pm On Apr 08, 2016 |
Panama Jean's. I remind of younger days. I wan ask is it true that Obama is Osama, I watched one video on YouTube the kinda resemble each other. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Generalkorex(m): 2:09pm On Apr 08, 2016 |
Ok |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by macaranta(m): 2:14pm On Apr 08, 2016 |
Hmm if the site was running on https then the company providing the S service is liable to pay for damages. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by samuelchimmy(m): 2:22pm On Apr 08, 2016 |
Now this is what I am talking about! |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Nobody: 2:26pm On Apr 08, 2016 |
If they had used C# ASP.Net this hack would not have been possible. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by arsenal33: 2:27pm On Apr 08, 2016 |
Looters Exposed. That is what matters most. 1 Like |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Nomswag: 2:28pm On Apr 08, 2016 |
Mheen, don't f*ck with hackers oo..... everything is hackable.
Even nuclear security programming, iOS, name it. |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by bufness(m): 2:35pm On Apr 08, 2016 |
vision2050: |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by 4just: 2:44pm On Apr 08, 2016 |
I can never understand this, ooo. This is too Panama-listic grammatic, ooo. The white man is a witch. 1 Like |
Re: Panama Paper: Wordpress Plugin, Possible Cause Of Hack - Wordfence by Enouwem(m): 2:50pm On Apr 08, 2016 |
Wpscan makes the work easier |