Category Archives: wordpress

Finding bluekai, exelator, adnxs etc on your wordpress site?

I recently noticed rather a lot of tracking urls on one of your sites. I did some digging and they didn’t generally seem to be good things, various references to it possibly being malware or PuP.

Well after way too much digging the problem was being caused by a snippet of code from 33across dot com. They do a thing which tracks when people copy and paste off your site which I’d been testing on a couple of sites, and the same code got inadvertently copied to a couple of sites to other sites through reusing parts of themes.

These were the main domains I which were being called:

idsync.rlcdn.com

loadus.exelator.com

ib.adnxs.com

stags.bluekai.com

Well apparently this code seems to add a bunch of tracking and potentially not so great urls, *maybe* also with the ability to redirect occasional visitors? dunno.  Either way it’s gone now and solved the problem.

When I was looking there was lots of mentions of things being potential malware but the 33across connection was never mentioned and nothing about this *seems* malicious so far but who knows what I’m not seeing.

Although the stuff in the links below seems to be a slightly different thing, namely some sort of installed malware (but also related to bluekai.com), that the domain tracking stuff on my site is even slightly associated with that isn’t what I’m looking for, so it had to go:

Suggestion on How to Remove Tags.bluekai.com

Tags.bluekai.com virus

 

WPforce – wordpress pen-testing tool..

Just found this wordpress penetration-testing tool – looks pretty handy, especially since it seems to have some follow-up tools to do stuff once you’ve gained access. Another one for the testing arsenal!

How-to guide by DoxSec here: https://doxsec.wordpress.com/2017/04/13/wpforce-wordpress-attack-suite/

and a youtube vid demoing it too..

This: Brute Force Attacks Build WordPress Botnet

Brute Force Attacks Build WordPress Botnet

I am seeing this sort of activity every day and the scale has gone bonkers recently. One of my sites was seeing an attack with several thousand intrusion attempts per hour, but each from unique IPs. Each IP was only used once or twice at most. I had to turn off the blacklist email notifications from our bot filter so that I didn’t go through my monthly sending quota in a matter of hours.

Thankfully we’re still standing because it was relatively easy to make adjustments to our bot filtering system but still. yikes.

I realise this isn’t exactly news (given the date of the article) but this fight has been ongoing for a while now.  Recently things seem to have escalated though as both defensive and offensive sides have been upping their game. WordPress security is now something you actually need to have a plan for or prepared to become a casualty. Not if but when.

WordPress is great in so many ways, but its popularity makes it attractive as a botnet platform, as well as the bandwidth from the nice always-on servers vs compromised pcs, which tend to get switched off and have crappy upload speeds.

It’s so easy to get going with wordpress (by design) that it ensures the “botherders” have an almost endless source of potential zombies by way of folks who haven’t yet figured out that wordpress security is actually a thing.

Krebs’ was apparently taken down recently by a DDOS from IoT devices so imagine what you could do with a network of wordpress sites…

death-star-destroys-alderaan-o

If you run a wordpress site and don’t run somesort of defences, the chances are you’re probably not monitoring login notifications either which means that you’re not seeing the potentially thousands of intrusion attempts on your site that are happening all the time and at best occupying your server by making it load the page thousands of times for someone who’s trying to harm you.

So basically you won’t even know that anything’s going on until it’s already happened.