Latest on Being Hacked

Read through Part 1 if you feel out of the loop

I still do not know for certain what the cause had been, but I’m feeling fairly confident that it was due to outdated plugins (I could not find remotely uploaded files that would have been the result of XSS) I’m very gracious to have a good friend that is also a security researcher than ran my website through the WPScan tool.   I’ve decided to paste in the report results along with my comments.  For ease of reading, I’m going to block quote on my responses:

_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 2.9.2
Sponsored by Sucuri – https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://honeybadgerofmoney.com/
[+] Started: Thu Oct 5 20:09:45 2017

[+] robots.txt available under: ‘http://honeybadgerofmoney.com/robots.txt’
[+] Interesting entry from robots.txt: http://honeybadgerofmoney.com/wp-admin/admin-ajax.php

That’s fine (admin-ajax.php has no-follow directive in header) used for allowing ajax capability by some front-end components

 

[!] The WordPress ‘http://honeybadgerofmoney.com/readme.html’ file exists exposing a version number

DELETED since incident

 

[!] Full Path Disclosure (FPD) in ‘http://honeybadgerofmoney.com/wp-includes/rss-functions.php’:

DELETED (DEPRECATED) since incident

 

 

[+] Interesting header: SERVER: nginx/1.12.1
[+] This site has ‘Must Use Plugins’ (http://codex.wordpress.org/Must_Use_Plugins)
[+] XML-RPC Interface available under: http://honeybadgerofmoney.com/xmlrpc.php

That’s fine, this seems fairly standardized

 

 

[!] Upload directory has directory listing enabled: http://honeybadgerofmoney.com/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://honeybadgerofmoney.com/wp-includes/

 

Routed to custom error pages instead that reveal IP address of user 👁 ⓒ ⓤ 👁

 

[+] WordPress version 4.8.2 (Released on 2017-09-19) identified from advanced fingerprinting, meta generator, links opml
[!] 1 vulnerability identified from the version number

[!] Title: WordPress 2.3-4.8.2 – Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295

 

HUH… If the password reset functionality was poisoned and they got an autoresponder link I DID HAVE A PASSWORD RESET REQUEST OCCUR ON 3-27-2017! (but I feel like that could have been me). Looking through the raw headers, I do not see that the from address was poisoned – also I would have seen other malicious activity like spam email being sent (I use imap configured settings, so I presume all past messages of spam would have been revealed – or at least someone else would have told me ‘stop sending spam’)

 

[+] WordPress theme in use: islemag – v1.1.0

[+] Name: islemag – v1.1.0
| Location: http://honeybadgerofmoney.com/wp-content/themes/islemag/
[!] The version is out of date, the latest version is 1.1.7
| Style URL: http://honeybadgerofmoney.com/wp-content/themes/islemag/style.css
| Theme Name: IsleMag
| Theme URI: http://themeisle.com/themes/islemag/
| Description: A modern and clean free WordPress theme for tech magazines, news and newspaper media websites, pe…
| Author: Themeisle
| Author URI: http://themeisle.com

Updated the IsleMag theme since indicent

[+] Enumerating plugins from passive detection …
| 5 plugins found:

[+] Name: contact-form-7
| Latest version: 4.9
| Location: http://honeybadgerofmoney.com/wp-content/plugins/contact-form-7/
[!] Directory listing is enabled: http://honeybadgerofmoney.com/wp-content/plugins/contact-form-7/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Contact Form 7 <= 3.7.1 – Security Bypass
Reference: https://wpvulndb.com/vulnerabilities/7020
Reference: http://www.securityfocus.com/bid/66381/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2265
[i] Fixed in: 3.7.2

NA from what I can see, it’s not messaging spam.

 

[!] Title: Contact Form 7 <= 3.5.2 – File Upload Remote Code Execution
Reference: https://wpvulndb.com/vulnerabilities/7022
Reference: http://packetstormsecurity.com/files/124154/
[i] Fixed in: 3.5.3

Again, nothing points to remote execution (can’t find malicious remote files nor html nor php files in remote folders such as the Uploads directory)

 

[+] Name: crayon-syntax-highlighter
| Latest version: 2.8.4
| Location: http://honeybadgerofmoney.com/wp-content/plugins/crayon-syntax-highlighter/
[!] Directory listing is enabled: http://honeybadgerofmoney.com/wp-content/plugins/crayon-syntax-highlighter/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Crayon Syntax Highlighter <= 1.12 – Remote File Inclusion
Reference: https://wpvulndb.com/vulnerabilities/6056
Reference: http://ceriksen.com/2012/10/15/wordpress-crayon-syntax-highlighter-remote-file-inclusion-vulnerability/
Reference: https://secunia.com/advisories/50804/
[i] Fixed in: 1.13

[!] Title: Crayon Syntax Highlighter <= 2.6.10 – Local File Disclosure
Reference: https://wpvulndb.com/vulnerabilities/7904
Reference: http://www.kevinsubileau.fr/informatique/hacking-securite/crayon-syntax-highlighter-local-file-disclosure-vulnerability.html
[i] Fixed in: 2.7.0

[!] Title: Crayon Syntax Highlighter 2.0 – 2.6.10 – Defacement
Reference: https://wpvulndb.com/vulnerabilities/7912
Reference: https://research.g0blin.co.uk/g0blin-00044/
[i] Fixed in: 2.7.0

 

Upgraded Crayon Syntax Highlighter since indicent

 

 

[+] Name: woocommerce
| Latest version: 3.1.2
| Location: http://honeybadgerofmoney.com/wp-content/plugins/woocommerce/
[!] Directory listing is enabled: http://honeybadgerofmoney.com/wp-content/plugins/woocommerce/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: WooCommerce 2.0.17 – hide-wc-extensions-message Parameter Reflected XSS
Reference: https://wpvulndb.com/vulnerabilities/6673
Reference: http://packetstormsecurity.com/files/123684/
Reference: http://www.securityfocus.com/bid/63228/
[i] Fixed in: 2.0.17

[!] Title: WooCommerce 2.0.12 – index.php calc_shipping_state Parameter XSS
Reference: https://wpvulndb.com/vulnerabilities/6674
Reference: http://packetstormsecurity.com/files/122465/
Reference: https://secunia.com/advisories/53930/
[i] Fixed in: 2.0.13

[!] Title: WooCommerce <= 2.1.12 – Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7575
Reference: http://seclists.org/fulldisclosure/2014/Sep/59
Reference: https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
[i] Fixed in: 2.2.3

[!] Title: WooCommerce <= 2.2.2 – Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7699
Reference: http://seclists.org/fulldisclosure/2014/Sep/59
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6313
Reference: https://secunia.com/advisories/61377/
[i] Fixed in: 2.2.3

[!] Title: WooCommerce <= 2.2.10 – Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7801
Reference: http://seclists.org/fulldisclosure/2015/Feb/75
Reference: http://packetstormsecurity.com/files/130458/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2069
[i] Fixed in: 2.2.11

[!] Title: WooCommerce 2.3 – 2.3.5 – SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/7846
Reference: http://www.wordfence.com/blog/2015/03/woocommerce-sql-injection-vulnerability/
[i] Fixed in: 2.3.6

[!] Title: WooCommerce 2.0.20-2.3.10 – Object Injection / XXE
Reference: https://wpvulndb.com/vulnerabilities/8039
Reference: https://blog.sucuri.net/2015/06/security-advisory-object-injection-vulnerability-in-woocommerce.html
[i] Fixed in: 2.3.11

[!] Title: WooCommerce <= 2.4.8 – Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8242
Reference: http://blog.fortinet.com/post/fortiguard-labs-discloses-another-wordpress-woocommerce-plug-in-cross-site-scripting-vulnerability
[i] Fixed in: 2.4.9

[!] Title: WooCommerce <= 2.6.2 – Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8563
Reference: https://woocommerce.wordpress.com/2016/07/19/woocommerce-2-6-3-fixsecurity-release-notes/
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_using_image_metadata__exif_.html
[i] Fixed in: 2.6.3

[!] Title: WooCommerce <= 2.6.3 – Stored Cross Site Scripting (XSS) via REST API
Reference: https://wpvulndb.com/vulnerabilities/8619
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_woocommerce_wordpress_plugin.html
Reference: http://seclists.org/fulldisclosure/2016/Sep/20
[i] Fixed in: 2.6.4

[!] Title: WooCommerce <= 2.6.8 – Authenticated Tax-Rate CSV XSS
Reference: https://wpvulndb.com/vulnerabilities/8710
Reference: https://www.fortiguard.com/advisory/fortinet-discovers-wordpress-woocommerce-plug-in-cross-site-scripting-vulnerability-1
Reference: http://blog.fortinet.com/2016/12/16/woocommerce-tax-rates-cross-site-scripting-vulnerability2
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10112
[i] Fixed in: 2.6.9

Been Fairly consistent updating WooCommerce as it relates to payments for the store.

 

[+] Name: wp-super-cache
| Latest version: 1.5.6
| Location: http://honeybadgerofmoney.com/wp-content/plugins/wp-super-cache/
[!] Directory listing is enabled: http://honeybadgerofmoney.com/wp-content/plugins/wp-super-cache/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: WP-Super-Cache 1.3 – Remote Code Execution
Reference: https://wpvulndb.com/vulnerabilities/6623
Reference: http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/
Reference: http://wordpress.org/support/topic/pwn3d
Reference: http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/wp-cache.php wp_nonce_url Function URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6624
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/plugins/wptouch.php URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6625
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/plugins/searchengine.php URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6626
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/plugins/domain-mapping.php URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6627
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/plugins/badbehaviour.php URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6628
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache 1.3 – trunk/plugins/awaitingmoderation.php URI XSS
Reference: https://wpvulndb.com/vulnerabilities/6629
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2008
[i] Fixed in: 1.3.1

[!] Title: WP Super Cache <= 1.4.2 – Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7889
Reference: http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html
[i] Fixed in: 1.4.3

[!] Title: WP Super Cache <= 1.4.4 – Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8197
Reference: http://z9.io/2015/09/25/wp-super-cache-1-4-5/
[i] Fixed in: 1.4.5

[!] Title: WP Super Cache <= 1.4.4 – PHP Object Injection
Reference: https://wpvulndb.com/vulnerabilities/8198
Reference: http://z9.io/2015/09/25/wp-super-cache-1-4-5/
[i] Fixed in: 1.4.5

 

Upgraded WP Super Cache since incident

 

[+] Name: wordpress-seo – v5.5.1
| Latest version: 5.5.1 (up to date)
| Location: http://honeybadgerofmoney.com/wp-content/plugins/wordpress-seo/

 

Likely I updated this as the scan was running

 

[+] Finished: Thu Oct 5 20:10:33 2017
[+] Requests Done: 96
[+] Memory used: 137.207 MB
[+] Elapsed time: 00:00:47

 

As we can see, not much more revealed…but its really nice to have  scan to review for possible issues.  I know of wordfence but didn’t necessarily give it consideration due to feeling like it was bloatware when running some tests with it on weed4bitcoin.com…I’ll probably give it a second look through in the comming weeks.  Thank you and shoutout to @deanpierce for helping me address security here on honeybadgerofmoney.com!

 

Post Author: Frankenmint

From the pristine land of the internetz, the Frankenment was bred from machine. While looking to embrace the new world Linux regime he is truly a windows bred. I’ve come from the darkness to the light to share with you other internetz fol-ken to share the message of virtual money. Through our actions, we can make the virtual world yet again beyond the decree of the internet, with the decree of internetz money! Bitcoin, the Supercurrency, the official tender of the internetz that will be accepted by all countries and all fol-ken Alike!