Message Boards Message Boards

Miscellaneous

MCTB2 site appears to be hacked

Toggle
MCTB2 site appears to be hacked
Answer
1/15/20 3:36 PM
I was trying to look up some information in MCTB2 today.  Googled 'MCTB2' from Toronto and a click on the top link, the table of contents, took me to some spam site or other which I quickly Xed out of.  Same result with second hit for the title page.  

RE: MCTB2 site appears to be hacked
Answer
1/15/20 3:51 PM as a reply to Ben Sulsky.
Ben Sulsky:
I was trying to look up some information in MCTB2 today.  Googled 'MCTB2' from Toronto and a click on the top link, the table of contents, took me to some spam site or other which I quickly Xed out of.  Same result with second hit for the title page.  


mctb.org functions like it should do, when I opened it now. Doesn't look to be hacked.

With google search, there are some websites that scan search terms that people use for different topics, and put those search terms in their SEO with a related search result title, and when you open the link, you find a completely different thing, that is why it's good to check the URL of search result item when you click on it.

RE: MCTB2 site appears to be hacked
Answer
1/15/20 4:59 PM as a reply to Ben Sulsky.
The MCTB.org site is fine - not hacked. I was able to navigate to it just fine:

https://mctb.org/

or

https://mctb.org/mctb2/

RE: MCTB2 site appears to be hacked
Answer
1/15/20 5:23 PM as a reply to Ben Sulsky.
I was able to reproduce this result. Searched for MCTB2, clicked top link, got redirected to http://sweeps0448.nonamenmnb49.live

RE: MCTB2 site appears to be hacked
Answer
1/15/20 5:33 PM as a reply to Ben Sulsky.
Ben is correct. The same thing happened to me this week for a DuckDuckGo search that pointed to https://mctb.org/mctb2/table-of-contents/part-iv-insight/31-the-three-doors/

I tried to repeat it a number of times so I could report it but was unable to. Clearly the hijack is well-disguised.

RE: MCTB2 site appears to be hacked
Answer
1/15/20 5:56 PM as a reply to mrdust.
mrdust:
Ben is correct. The same thing happened to me this week for a DuckDuckGo search that pointed to https://mctb.org/mctb2/table-of-contents/part-iv-insight/31-the-three-doors/

I tried to repeat it a number of times so I could report it but was unable to. Clearly the hijack is well-disguised.


This address:

https://mctb.org/mctb2/table-of-contents/part-iv-insight/31-the-three-doors/

Was in the URL box of your browser? Or it displayed in the search results when you clicked on it?


RE: MCTB2 site appears to be hacked
Answer
1/15/20 5:56 PM as a reply to mrdust.
The page that gave me the malicious redirect was https://mctb.org/mctb2/table-of-contents

The redirect happened on an iPad with Safari but not on Linux with Firefox

RE: MCTB2 site appears to be hacked
Answer
1/15/20 6:14 PM as a reply to Derek2.
This from my friend SG who does cybersecurity:


So a user who can get the fake link should right click the link on the search page so that the link itself if can be viewed.

If the link itself is referencing another site and is just parading as MCTB, you can submit a request to remove the fraudulent link on each search engine. 

If the link in the search results is fine but is referencing http://mctb.org instead of https://mctb.org then the problem is probably a mix of: the site does not enforce https or prevent cross-site scripting (or the cached version in search results did not have an https address) and the user has malware on their computer. 

The second case is more likely.

If there are other bad links that would be useful to. A reputation checker has no opinion on the link included. The .live domain there that someone found has only existed for two days. Strangely, that page is hosted in New Jersey. More likely malware is randomly redirecting to one of several malicious sites, but if it's just one that would be fascinating and more targeted.

[color=rgba(244, 191, 117, 0.870588)]"ip": 193.37.253.135
[color=rgba(244, 191, 117, 0.870588)]"country_name": United States
[color=rgba(244, 191, 117, 0.870588)]"state_prov": New Jersey
[color=rgba(244, 191, 117, 0.870588)]"city": Secaucus
[color=rgba(244, 191, 117, 0.870588)]"latitude": 40.78830
[color=rgba(244, 191, 117, 0.870588)]"longitude": -74.05497
[color=rgba(244, 191, 117, 0.870588)]"time_zone": America/New_York
[color=rgba(244, 191, 117, 0.870588)]"isp": M247 Ltd.
[color=rgba(244, 191, 117, 0.870588)]"currency": US Dollar
[color=rgba(244, 191, 117, 0.870588)]"country_flag": [color=rgba(244, 191, 117, 0.870588)]

RE: MCTB2 site appears to be hacked
Answer
1/15/20 8:44 PM as a reply to Daniel M. Ingram.
Hi Daniel,

I would not put too much weight on the location in the zone record. Likely, the perpetrators are in China or Eastern Europe. There is a small server hosting company with data centers in New Jersey that is not so particular about the customers it rents its servers to (in all fairness, most of the smaller players are not), unlike GCP which will simply cut you off at the knees if it detects you are misusing your rented servers.

RE: MCTB2 site appears to be hacked
Answer
1/16/20 3:15 AM as a reply to svmonk.
nslookup sweeps0448.nonamenmnb49.live gives 193.35.50.251 which is in Russia.

RE: MCTB2 site appears to be hacked
Answer
1/16/20 6:29 AM as a reply to Siavash Mahmoudpour.
I was on iOS / Safari and using DuckDuckGo on Tuesday with the following search
https://duckduckgo.com/?q=door+mctb+fallinh&t=iphone

I clicked the DuckDuckGo result, and the malicious site I ended up on had spammed the back history so badly that I could not go back far enough to confirm for the original URL when I tried.

I closed the window (because Spam) so I could reproduce it from the same search results page, but from then on it hasn't reoccurred for me on various browsers / operating systems. I assumed I was cookied, but who knows. I believe I also confirmed that the SERP link was actually to mctb.org but can't be certain of that.

As far as I'm aware DuckDuckGo does not mask or intercept clicks, the SERP doesn't seem to have changed, and the target URL is https.

There are multiple reports on this issue from various users across various browsers / operating systems within just a few days.

I see how troubleshooting or confirming a fix given the hard to reproduce nature is going to be tricky, but in my opinion the likelihood that a niche Bluehost Wordpress site has some cleverly disguised malicious code on it is substantially higher than any of the other theories offered so far.

RE: MCTB2 site appears to be hacked
Answer
1/16/20 7:01 AM as a reply to mrdust.
mrdust:
I see how troubleshooting or confirming a fix given the hard to reproduce nature is going to be tricky, but in my opinion the likelihood that a niche Bluehost Wordpress site has some cleverly disguised malicious code on it is substantially higher than any of the other theories offered so far.


I notice the site refers to a WordPress plugin called ultimate-member, which has had numerous security problems in the past.

RE: MCTB2 site appears to be hacked
Answer
1/16/20 1:59 PM as a reply to Derek2.
I also confirmed that the SERP link was actually to mctb.org but can't be certain of that
the target URL is https
spammed the back history so badly

Initially the most probable thing would probably just be malware on someone else's computer/and-or issues with HTTPS on that page (not always on by default for me). 

Given the evidence above it is a lot more likely to be a compromised machine or plugin.

I recommend:

1) Updating WP and all the plugins.

2) Install the plugin really-simple-ssl (the page is not SSL by default for me).

3) Installing the plugin wp-cerber, and configuring it. This is a free security plugin for WP that can run scans and quarantine certain malicious objects. I believe it also has a setting to try to prevent cross-site scripting, and it offers automated IP blocking and some DDoS protection.

4) Checking the WP admin to see what users exist. I have seen compromised WP sites with many fake users. Disable any you don't recognize.

Look for comments on pages that shouldn't exist or anything else weird/possibly injected.

5) Experiment with disabling all the potentially compromised plugins one-by-one. 

6) Get someone to help look at this at the server level. See if the Apache logs are still logging and if they record what is happening specifically with the redirects.

I would guess a WP/plugin vulnerability was taken advantage of and something was injected somewhere in the WP database that shouldn't be there.

It is not very likely but there could be something like a corrupted .htaccess file or some weird Apache settings.

I have seen cases where a WP link accidentally forwards to a malicious IP due to a malformed url somewhere, like something ending in "com.com."

Check the WP salts!

Worth checking for any other signs of intrusion.

7) Have someone harden server security settings in Blue Host (ports open, is the DB on another server/is that publicly accessible, etc).

Work out who has SSH access.

Make sure there is no access with just an easy password.

No harm in installing things like fail2ban (more IP blocking for malicious login or ssh attempts) and ClamAV (free antivirus scanning, runs on Linux).

8) Consider migrating the site.

It is not totally helpful to do this without knowing what the problem is (don't want to bring it with you). On the other hand, a once compromised server is hard to trust. 

-SG

RE: MCTB2 site appears to be hacked
Answer
1/16/20 1:52 PM as a reply to S..
https://wpscan.io shows outdated plugins and XSS vulnerabilities:

subsolar-novela-shortcodes
Version Unknown    We could not detect the version in use.

ultimate-member
Version 4.9.13    We are not aware of any vulnerabilities affecting this version.

easy-digital-downloads
Version 2.9.6 (Outdated)    
Easy Digital Downloads <= 2.9.15 - Stored XSS - Fixed in version 2.9.16

table-of-contents-plus
Version Unknown    We could not detect the version in use.

page-list
Version 5.1 (Outdated)    We are not aware of any vulnerabilities affecting this version.

jetpack
Version 6.3.2 (Outdated)    
Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS) - Fixed in version 6.5
Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code  - Fixed in version 7.9.1

Updating the plugins will not necessarily remove malicious injections into the database. As SG says, who knows what's there if the server is compromised. Consider rebuilding as a static site?