You are here

Malware Warnings, Drupal Bugs and Security

John T. Haller's picture
Submitted by John T. Haller on February 3, 2012 - 11:44pm

Earlier today, a 'possible malware' warning appeared about PortableApps.com within Norton 360, Mozilla Firefox, within Google search results and similar products. This was due to an attempted hack on PortableApps.com via a Drupal exploit Plesk exploit. No PortableApps.com portable apps, databases, logins, user data, project data or security credentials were compromised. A full security audit was undertaken in the hours after the attempt to ensure nothing else was affected (it wasn't) and additional security measures were implemented to ensure everything keeps on working. The full details follow...

Drupal Vulnerability

Drupal, the content management system that runs PortableApps.com, released a security update yesterday to deal with this issue. Unfortunately, we did not receive the standard security update notification from Drupal.org to update the site. Compounding the issue, it seems one of the automated scanners that scans websites for this vulnerability was updated to include it before many Drupal sites had been updated.

Update on February 11th: It wasn't Drupal...

The Attempted Exploit (a bit technical)

The exploit allows a third party, under certain circumstances, to enable the inclusion of certain Javascript from another site (referred to as Cross Site Scripting or XSS) in the code of a website for potentially nefarious purposes. The automated attack permitted a portion of Javascript code to be included on PortableApps.com via an unused file within our Drupal theme. The attack was not fully successful, however, as the code was incomplete. The code the attack attempted to insert is what's known as a blackhole toolkit, a set of Javascript commands designed to exploit known vulnerabilities in the visitors browser. As long as a user has an up to date browser, operating system and plugins, they would be immune even if a blackhole toolkit was able to execute on their system. The code did however setup a potential Javascript redirection to a 3rd-party server that appears to have been compromised earlier in the day. This server appears to have been removed from service at around the same time or soon after the redirect was setup. While we cannot fully rule out the possibility that a small number of users may have been served a Javascript file from that server, we have no reports of any users experiencing any issues.

The Detection and Warnings

Although the exploit did not fully succeed on the PortableApps.com server, enough of the Javascript code and redirect was present to trigger a detection of the file through Google and Norton 360's automated scanners. This detection accounts for any warnings you may have seen when accessing the site via Mozilla Firefox today or through Google's search results.

Patching and Proactive Security Measures

As soon as the potential security vulnerability was known, the Drupal patch was applied and verified and a full security audit was begun. All files updated within the last 24 hours were verified and the one affected file was removed. We also elected to take extra time and reset all remote login criteria and database access passwords. Although no unauthorized access to any of these systems had been made, we thought it best to err on the side of caution and be absolutely sure that no further issues occur. We then fully cleared the website cache and had it rebuild all 26,000+ pages of PortableApps.com along with all associated files. Finally, full virus scans have been run on all our machines and all have come back clean. If you'd like to err on the side of being extra-cautious, scanning your machine and drive for badware is always a good idea.

Awaiting Warning Removal - (UPDATE: Warnings Removed)

The malware removal systems are much quicker at identifying a potential security risk than in being updated to see a server is confirmed clean, so although the site did not host any malware and is confirmed clean, the Google/Mozilla warning system is was still showing the site as a possible security issue several hours later. Google was notified that the site was confirmed clean at 4pm NY time today. Symantec has already removed their warning from Norton 360 and shows no issues now. Bing has also removed any warnings.

UPDATE FEB 4 @ 1AM NY TIME: Google has removed PortableApps.com from its potentially suspicious sites list. Mozilla Firefox users no longer see a warning. Search results in Google still show a warning but this will hopefully be resolved shortly. The Google search result warnings were removed a few hours later.

Google, Feb 4 @ 1AMA review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.

Next Steps

We've added additional policies to ensure that Drupal security vulnerabilities are addressed much sooner after being announced so we can beat the automated tools to the punch on future vulnerabilities. We've also added additional monitoring to keep an eye on potential threats as they arise as well as implementing faster notifications of admins when this occurs. Finally, we have added in additional paid antivirus scanning and paid automated vulnerability scanning by an industry-leading external party.

On a personal note, I'd like to apologize for any inconvenience or scare this has caused any of our developers and users. We take every precaution to ensure the safety of our apps, data and website, so it's always a bit frightening when something like this occurs, even when the attempted intrusion doesn't fully succeed and apparently hasn't negatively impacted any of our users. We will continue to give our all to ensure you have access to the best, most-secure, most-consistent and fully legal set of portable software in the world for years to come.

Kind Regards,
John

Comments

John T. Haller's picture

One of our Facebook followers asked "Why in the world would somebody attack PortableApps.com?" I thought the answer would be of interest to folks on here as well.

"It was an automated attack. There are scripting tools that just scan websites using common content management and forum systems (Drupal, Joomla, WordPress, etc) and automatically report back the vulnerability and let the attacker insert code (in this case, an attempt to redirect a Javascript file to a 3rd party site in India on a server that was compromised). Folks basically sit running these tools on all websites, especially the most popular sites. As PortableApps.com is in the top 5,000 sites in the world, we get auto-scanned a lot. And as Drupal has been getting more popular as a CMS, the hacking tools have gotten better at implementing exploits for it more quickly."

Sometimes, the impossible can become possible, if you're awesome!

The main reason why these "folks" attack high traffic sites is because if they are successful in changing just a bit of code on the website to redirect visitors to another page, or to a automatic download of a virus, they are able to make a lot of money unethically.

The Benefit of Open Source content Management frameworks such a Drupal (used by PortableApps.com) and Wordpress is that many developers around the world try an find security holes and when found make it possible for people to update and fix those holes.

Unfortunately the attackers are more motivated to attack(since there is money in it for them), than the website owners to update (since it could mean incompatibilities with plugins etc)

I was shocked to see that PortableApps was labeled as a Malware site, and it is sad that Google / StopMalware doesn't allow speedy rescanning to confirm you are clean.

It also seem Google places websites into "groups" or "neighbourhoods" and if enough websites in that neighbourhood is branded, then the lot gets branded.

Well, I hope the Malware warnings gets corrected soon, as PortableApps.com provides an invaluable service! (PS: Nearly all Mac Apps are already Portable, so someone has to help the Windows users..)

Thanks again for the great website and service over the years!

I went on a downloading binge yesterday and today and haven't seen any warnings and at all. Thanks for the information, I'll scan all my apps just to be sure.

I will say: thumbs up for the quick reaction on this irritating problem. Also my compliments for communicating this with the users of the site.

Most sites and company's hopes that nobody finds out what happend and keep there mouth shut.

Sorry for my bad English. I'm dutch so it is hard for me to write the English text.

John T. Haller's picture

It is true that many companies would hope to sweep something like this under the rug, especially since it doesn't appear to have affected anyone. In my opinion, the responsible response is to be up-front and try to make things as clear as possible to both the techies and non-techies. Brushing it under the rug and just saying 'everything was fine' without explaining what occurred to the best of our knowledge, wouldn't be fair to our community's past, present or future members. As one of the world's largest open source projects, it only makes sense to be open and honest about it.

Sometimes, the impossible can become possible, if you're awesome!

I agree John. Job well done. I find your response to the entire situation very refreshing. It's sad that it is not the norm in this day and age.

vf2nsr's picture

Not sure why but 10:13 NY (Maine) time I attempted to access PA Tracker page via my Google bookmarks and I still get the Firefox Warning Page

Updated Noon this issue resolved

“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” Dr. Seuss

Pyromaniac's picture

I didn't go online yesterday, so I missed the whole shebang, but I'm glad the issue got resolved quickly.

dave-in-brasil's picture

...when I came to your site yesterday, just as I wanted to dload those fabulous portable apps that I had just discovered on the web the day before! But life was nice again this morning, to see your website being recovered and clean again!
Thanks a lot and keep on a-p-p-i-n-g!!

Regards
Dave Wink

Dave in Brazil

truthseeker's picture

Welcome back Smile

I wasn't able to visit your website for awhile, I was warned it's a risk to do so.

How can we be completely confident and certain that all files are clean?

solanus's picture

I tried to reply to post 30976, using links to various posts within PortableApps.com, and I got a message from Drupal saying "A little bit of server maintence is under way."
But the URL bar says portableappsDOTcomSLASHspamSLASHdenied.
What gives?

I made this half-pony, half-monkey monster to please you.

John T. Haller's picture

We're experimenting with re-enabling bits of the spam filtering system with some new settings this weekend. You had a post that was marked as spam.

Sometimes, the impossible can become possible, if you're awesome!

solanus's picture

As we discussed in the chat room, that post was actually a normal post that the filter mistakenly marked as spam (you estimated that at the time, the filter was flagging 40% of posts mistakenly). It was actually a post meant to help a noob. I don't want people to think that I post anything bad.

I made this half-pony, half-monkey monster to please you.

https://portableapps.com/spam/denied And It Said

A little bit of server maintence is under way. You can download apps directly from the PortableApps.com Platform 10.0.1.

Have some tea and we'll be back before you know it...

(There were some biscuits around here somewhere, too, but we think one of our hard-working developers ate them all.)

And It Was Quite Funny.

PHP5, MySQL, Apache, Ruby, Batch, EXE, CRX (Chrome Extensions), AU3(AutoIT v3), JAVA, JAVAScript, INI, INF, Flash, Visual Basic, C, C++, Turbo C, C#, BASIC, Pascal.

rj10328's picture

Thanks for clarifying this issue John.

Though i do have to say i like the old font style of the menu bar better than the new one.

BuddhaChu's picture

Thanks for the post. I didn't check this site yesterday for updates so I guess I 'missed' all the fun.

Clear communication to users on what happened and what the site is doing to rectify the situation is always the way to go. I wish more sites (*cough* Sony Playstation Network *cough*) would have done this in the past. Web sites with people that 'get it' running them always set the bar high in this area (PortableApps, Zappos, etc).

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

ezechias's picture

Just to let you know, for the first time, I just got a Malware warning about this site a few minutes ago. In fact, it showed on my portable Opera speed dial. When I clicked on the speed dial, it showed the warning that the site has been reported for distributing malware. I know that's not true so I came here anyway, but thought you should know.

John T. Haller's picture

I took the site offline to double-check things. The site scanner and all blacklists show as clean. I'm running deeper scans and monitoring now to be sure.

Sometimes, the impossible can become possible, if you're awesome!

I just thought you were having afternoon tea.......

“Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.” Dr. Seuss

John T. Haller's picture

The warning has been removed and the site has scanned clean with Opera's warning provider. We're investigating further on the cause. I'll post here when I have more information.

Sometimes, the impossible can become possible, if you're awesome!

I have been happily using this program for sometime and went to update it today. Bullguard has just stopped an infected download.

Virus Name:Gen.Trojan.Heur.FU.dyW@aeT8pei

Infected Object: kent.dl.source.net/project/portableapps/PortabbleApps.com%20Platform/Additional%20Versions/PortableApps.com_Platform_Setup_10.0.1exe

Is this because of the recent attack or something else?

Chris Morgan's picture

That's a generic heuristics-based false positive. They're quite common, unfortunately.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

John T. Haller's picture

After doing a more thorough investigation with our engineering team at Rackspace, we've determined a bit more about the hack. First off, it was not due to the Drupal exploit as we had thought. It was due to a vulnerability within Plesk, an administrative interface to the server used to handle server management.

As we have a server running an older version of Red Hat Enterprise Linux (RHEL), we're not running the current version of Plesk but an older version. Unlike the other server packages like PHP, mySQL, Apache, etc within RHEL, Plesk is not automatically updated. It is updated upon request for new features or whenever Plesk's publisher notifies users that there is a security vulnerability. Unfortunately, there was a vulnerability and a patch for it that Plesk did not notify Rackspace about. This exploit affected numerous websites including some large companies as well.

The exploit was in Plesk's ability to change the contact name on a given domain which, when exploited properly, gave a 3rd party limited access to Plesk's file manager. This is what the attacker used to place the malicious Javascript file in a location that would cause Drupal to cache it along with our standard files. The attacker also used this exploit to place a PHP file allowing them to re-place the Javascript file at a later date without needing to use the Plesk exploit.

This past Friday, the attacker re-placed the Javascript, again pointing to a compromised international server that was taken down quite quickly. The attack was found much more quickly this time (before any of the major vulnerability scanners even found it) and this allowed us to determine the root cause and remove the affected Javascript file as well as the leave-behind code to re-place it. Plesk was also patched to fix the exploit. Just to be absolutely sure, we setup a firewall to wall off Plesk from everyone except Rackspace and our NYC office.

We spent additional time Friday reviewing all the access logs for Plesk, Drupal and Apache and no additional files were accessed or altered by the 3rd party. The PortableApps.com portable apps, user details, website data, administrative logins, database passwords, etc were all uncompromised again. So your portable software and personal information are still safe.

Thank you again for bearing with us during this incident and week-long investigation. We look forward to providing you with awesome portable software for years to come.

Kind Regards,
John

Sometimes, the impossible can become possible, if you're awesome!

Simeon's picture

I am glad nothing serious happend and you got it fixed so quickly!

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate