Understanding CSP: Your First Line of Defense

Think of CSP as the bouncer at an exclusive club. Itâ€s a security measure that restricts which resources—like scripts and images—your website can load. Without it, malicious attackers could slip in with harmful scripts, hijacking sessions or stealing data. During penetration tests, experts check if your CSP is doing its job, ensuring no vulnerabilities are left unchecked.

The Silent Threat: Weak CSP Policies

A weak CSP policy is like having a bouncer whoâ€s easily tricked. Attackers can inject malicious scripts, execute code injections, and steal sensitive information. Common issues include missing headers or overly permissive policies that allow inline scripts, making XSS attacks easy to carry out. For instance, if your site lacks a CSP header, it’s an open invitation for trouble.

Building Your Security Strategy: Implementing CSP

To fortify your digital fortress, start by implementing CSP in report-only mode—a test phase where potential issues are flagged without blocking resources. This allows you to identify and fix any breakages before full enforcement. Hereâ€s a simple example of how it works:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' trusted-cdn.com; report-uri /csp-report-endpoint/

Once tested, enforce a stricter policy to ensure only trusted resources are loaded.

Testing and Monitoring for Robust Security

After setting up CSP, itâ€s crucial to test regularly. Use browser tools like Chrome DevTools to check blocked resources and verify your policy with commands such as:

curl -H "Content-Security-Policy: ..." https://your-site.com

Set up a reporting endpoint to log violations, ensuring you stay proactive in maintaining security.

Continuous Improvement: Staying Ahead of Threats

Security isnâ€t static. Regularly review and update your CSP policy as your site evolves. Avoid unsafe directives like eval or innerHTML, and use nonces for inline styles. By continuously monitoring and refining your strategy, you ensure that your digital fortress remains impenetrable.

Conclusion: Secure Your Digital Assets

A robust CSP is vital in safeguarding against XSS attacks and other injection threats. Start with report-only mode to test without disruption, enforce strict policies post-testing, and monitor violations for ongoing protection.

Ready to enhance your web security? Our experts are here to help you build a resilient digital fortress. Contact us today for a consultation and protect your online assets from cyber threats.

The post Guarding Your Digital Fortress: The Essential Guide to Content Security Policy (CSP) appeared first on Giedrius Majauskas blog.

There are multiple standalone and integrated into version control CI platforms, e.g.

Jenkins: Jenkins is a popular open-source automation server that can be used to automate the building, testing, and deployment of software. It is widely used in the industry and has a large community of users.

Travis CI: Travis CI is a cloud-based continuous integration and deployment platform that is easy to set up and use. It supports a wide range of programming languages and frameworks.

CircleCI: CircleCI is another cloud-based platform that provides continuous integration and deployment services. It is known for its speed and ease of use, and has integrations with many popular tools and services.

GitLab CI/CD: GitLab CI/CD is a part of the GitLab platform, which provides a complete DevOps solution. It supports continuous integration, testing, and deployment, as well as container registry and Kubernetes management.

TeamCity: TeamCity is a powerful on-premises build server that provides continuous integration, testing, and deployment capabilities. It is known for its flexibility and scalability, and has integrations with many popular tools and services.

BitBucket Pipelines: Integrated CI/CD platform that is part of Atlasian BitBucket.

As I am using Bitbucket currently, lets take a look how to implement laravel automated deployment using Bitbucket Pipelines

Setting up repository

There are some things required prior implementing deployment

• Set up ssh keys for deployment in Bitbucket. This is a nice guide how to set up this.
• Enabling pipeline support for repository in Bitbucket. Repository->Settings->Pipeline->settings
• Creating bitbucket-pipelines.yml file

Bitbucket-pipelines.yml file

image: php:8.2-fpm #image file as basis

pipelines:
  default:
    - step:
        name: GenerateTest #install and compile everything
        script:
          - apt-get update && apt-get install -qy git curl unzip ssh
          - curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
          - curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
          - source ~/.bashrc
          - nvm install lts/fermium
          - npm install
          - npm run build
          #- docker-php-ext-enable gd exif pdo_mysql zlib
          - composer install --ignore-platform-reqs
          #- ./vendor/bin/phpunit test
        caches:
          - composer
        artifacts:
          - vendor/**
          - public/**
    - step:
        name: Lint #lint files so it would abort on syntax errors
        script:
          - ./vendor/bin/pint .
    - stage:
        name: Deploy to stagings
        deployment: staging
        steps:
          - step:
              script:
                - apt-get update && apt-get install -qy git curl unzip ssh
                - ssh-keyscan [host]  >> ~/.ssh/known_hosts
          - step:
              script:
                - pipe: atlassian/rsync-deploy:0.10.1
                  variables:
                    USER: [user] 
                    SERVER: "[host]"
                    REMOTE_PATH: "[dir]"
                    SSH_KEY: $DEPLOY_SSH_KEY
                    LOCAL_PATH: "${BITBUCKET_CLONE_DIR}/*"
                    DEBUG: "true"
                    SSH_ARGS: " -o StrictHostKeyChecking=no "
                    EXTRA_ARGS: "--exclude=storage/logs/*" 
                - pipe: atlassian/ssh-run:0.4.3.  #RUN commands to migrate
                  variables:
                    SSH_USER: "[user]"
                    SERVER: "[host]"
                    SSH_KEY: $DEPLOY_SSH_KEY
                    COMMAND: "cd [dir];php artisan migrate --force;php artisan db:seed --force;php artisan cache:clear;"
                    EXTRA_ARGS: " -o StrictHostKeyChecking=no "

And that is pretty much it.

As long as prior steps do not break, code + installed/generated JS+PHP libraries will be installed using BitBucket Pipelines.

The post Bitbucket pipeline for laravel web app deployment appeared first on Giedrius Majauskas blog.

Ahrefs plans start at 99 USD ( there were limited free ones as well). It would be quite a good price except these plans might leak data to your main competitors. You can get topics and posts your competitors think are important easily and for free without logging in into Ahrefs account. That is a big leak: it can help to determine what competition is working on and where you can improve.

See, Ahrefs tries to render the pages that someone else is monitoring on your site. First time I noticed it in my log files researching them for different reason. I was interested why they re-fetch style files even if the expire header is set for much longer time frame.

The letter is kind of a lie, as the posts that fetch CSS are not the ones that have the most traffic or the most important, nor it is an backlink index update. Also, I have noticed that Ahrefs fetches CSS for the same URI all the time again and again ( Link is checked 2x per day per average). That is huge: no search engine checks same files that aren’t updated in months so often. My guess it is competitor analysis for someone using ahrefs and having entered either competitors or important keywords.

1. The links rendered could be treated as important for me at some point of history e.g. Delta hijacker;
2. However, part of them are expired in importance and have low queries/month based on google keyword tool;
3. On some of them I have never ranked well. That is really important, as it allows to improve in the future.

The fetching is done to crawl JS links and evaluate page scores. It does not do this for the whole internet, just for important pages. And that lets us filtering the pages easily:

Step 1.  Download your access log file

run grep :
grep Ahrefs access_log |grep style.css > ahrefsleak.txt
you can replace style.css with any js or stylesheet name your site uses. You will get lines like this :

163.172.65.199 – – [18/Mar/2018:19:08:16 +0000] “GET /wp-content/[zzzzzz]/style.css HTTP/2.0” 200 24327 “https://www.[site.com]//[uri]” “Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)”

where https://www.[site.com]//[uri] is the uri someone is interested in. I got around 3000 lines from the week worth of data. Now lets filter them further. Note, that the IP it uses for fetching styles is different from the main bot IP.

Update : Since 2018 April 10, Ahrefs does not show referer information. However, it still leaks paid account data. So, you might need to craft a bit fancier grep command:
grep Ahrefs logs/access_log |egrep -B1 "(css|js)" |egrep -v "(css|js|--)"

Step 2.  Import the file to spreadsheets

You should import this data into google sheets, excel or libreoffice spreadsheets using space as separator. Delete all columns except the ones referencing https://www.[site.com]//[uri]. Sort data by this column.

Step 3. Delete duplicate data

For google spreadsheets, this is good tutorial that one could use: https://developers.google.com/apps-script/articles/removing_duplicates. I got around 200 URIs and basic keywords that someone is interested in and careless enough to submit them to Ahrefs.

Now you can check the rankings of these posts manually, improve your content and you will benefit from the Ahrefs without paying for it.

Ahrefs could solve this problem in several ways:

1. Stop showing referrer data when fetching scrips and styles. However, this would be easy to overcome and check too. (That is what happened on April 10)
2. Start adhering to silly internet standards like expires header and render multiple pages in batches.
3. Fetch styles for all the pages.

At the moment I suggest stopping entering new important keywords into its monitor if you use paid plan.

The post How to use Ahrefs data leak for competitor reasearch appeared first on Giedrius Majauskas blog.

The malspam campaign, delivering payloads of File Spider virus, began sometime around 10th of December. Its main targets were Balkan countries, and this means that regions of Serbia, Bosnia and Hercegovina and Croatia were the ones to be exposed to the infection. The sent emails had a twist: they were informing people of their case debt collections.

This financial theme is definitely successful as it is most likely to trigger a response from the recipients. If you would receive a letter about an alleged debt and its payment, I presume you would feel slightly intimidated and have no choice but to open it. However, you have a decision, and you can decide to check the legitimacy of the sender before figuring out the next step.

The opened letters contained .doc files which open in Microsoft Word program. As soon as users launch the downloaded executable, they would be introduced with a rather regular text. Before continuing further, people frequently click on the “Enable Editing” button which makes the reviewing of the document a little easier. However, this is exactly the choice that hackers are expecting you to make. Therefore, the “Enable Editing” button becomes “Click here to become infected with File Spider ransomware”. Once this decision has been made, the hidden malicious macros are run, and an operating system becomes tainted with a File Spider crypto-virus.

Enc.exe and dec.exe processes begin after the malware is fully activated. Files become encrypted with AES-128 bit encryption, and hackers make their demands clear in the ransom notes and TOR website. Authors had also decided to allow victims to select from a couple of languages in which the ransom letters are displayed. Lastly, crooks expect the payments for decryption to be made in 96 hours. If victims do not follow the rules, their files are going to be permanently deleted.

In my opinion, it is never appropriate to pay the ransom even if it is small. With this action of surrender, you are allowing hackers to realize that this file-encryption-ransom strategy is working. Since many victims still choose to pay money in order to retrieve their files, it is doubtful that the developers of ransomware viruses are going to move on. Why would they if this technique brings them the money they desire? I do understand that the possibility of losing all your digital files is devastating. If that is the case, do not be ignorant and store them in an appropriate backup storage. Since there are new methods of ransomware-distribution coming out on a regular basis, file-backuping appears to be the only guaranteed prevention method.

The post File Spider – ransomware threat targeted to Balkan countries appeared first on Giedrius Majauskas blog.

1. They force to use irreversible payment systems like Bitcoin (and prepaid cards were working OK in the past). This is one of main reasons ransomware is popular today as scareware makers had some problems processing credit cards in the past. While these issues could be solved, this reduced profitability and downtime when some payment gateway got stopped.

2. The do a very high damage potentially, much larger than the money they are asking for. Loosing medical records or even work and study documents might be costly.

3. The development costs for ransomware itself is not that big. The encryption algorithms used are not new and lots of code samples are available. For example, lots of minor ransomwares are based on Hidden Tear project ( https://github.com/goliate/hidden-tear ) which itself does not encrypt properly and is educational sample only. Other types of scareware depend on locking system which is much harder to do properly and requires better system knowledge.

Thus ransomware will not go away as long as there are payment options, they are easy to do and people are ready to pay.

However, we have 2 powerful ways to protect oneself from ransomware attacks:

1. Antiviruses and other software – based approaches to prevent ransomware from running or stop it early on. There is lots of promise in canary file -based approaches, early warning systems like Hitman Pro Alert and so on.

2. Backups to reduce or remove possible harm.

The problem with backups is that they are implemented badly usually. Typical backup try to help in cases of accidental deletion of data or hardware failure at most. While this is ok, ransomware requires quite different approach. There should be a possibility to restore older versions of the file and a way to prevent older file deletion in case of infection.

There are some interesting development in versioned file systems that keep several iterations of the same file. However, the malware could delete all copies of the files if it would be aware of their existance like they do with shadow volume copies.

Remote backups (either in NAS or in remote web services) are somewhat better, as long as files are versioned there and it is impossible to delete all versions at once from the original systems. As long as file servers are not comprimissed at the same time as the PC, you will have a working backup.

I see another possiblity for backups : Flash-based storage with versioning capabilities and hardware controls for accessing to older copies of the files. This would ensure that files  can be restored even if encrypted files are backed up on top or deleted. Sadly, I could not find an existing version of such hardware.

The post The best ways to reduce ransomware risks appeared first on Giedrius Majauskas blog.

I have never been really happy with the network link between them and Europe. However, I think it is acceptable and maybe I am really too much used. to great network speeds I got here. I need to serve websites for local customers in Brazil anyway and that is the single thing that matters. This year, everything got just worse. There was a network outrage that lasted for a day couple months ago. The communication by support looked poor. This Friday something similar happened and Hostdime support had hit new low.

Friday on 6 pm local I have noticed that site does not work and rebooted it. I have managed to connect through SSH but website was not working and connections just died suddenly after entering simple commands. The problem was weird, and hard to track down remotely. The support was not helpful at all : They kept repeating that everything is fine and asking for pings and traceroute data when the problem was in their data center. That continued for like 6 hours, then silence.

During next day I have managed to identify when the connections will fail: Each bigger data transfer (around a screen full of symbols, or ls -la data for medium sized folder) will cut the data connection. My data was hostage on the server and the Hostdime 24/7 support did totally nothing. I got really interesting answers to my tickets later on and I do not understand how can one tell these things to any customer.

At that point I have decided to move my site out, managed to purchase, configure and recover data from backups. The databases were easy as I had backups ready in good format. But I had to organize some files. On late Saturday night I got my server running on another provider and serving visitors. I got my site up in ~32 hours and at the moment of writing (45 hours since incident )  the old server and network still got the same problems.

The Hostdime support procedure is bad

Hostdime claims that it provides 24/7 technical support. That is partially true. There are support people that can respond to your issues but it looks like they can’t perform actual infrastructure fixes. This particular answer shows me the depth of this problem:

The admins are checking the problem. They monitor it. They can’t tell how long it would take to fix them. They don’t have time to describe the problem to customers and what steps are taken to mitigate or solve the problem. They don’t have time to reply to support ticket updates for 6 hours. Maybe I am not important for them like (undoubtedly) other customers affected. But hey, they at least monitor it and after multiple hours in their own data center they know that the problem exists. Somewhere. And it is too complex for me to understand.

The first answer about what is particular problem was received 20 hours and it was in Portuguese. The short version “It’s out of our control, network problems, sorry, we are trying to work with other parties involved to fix them” even if they claim that they knew about them almost a half day ago.

Hostdime gets a lot of “Out of our control” problems that take long to fix

This is a second such problem (I mentioned the one couple of months ago). And it is weird how Hostdime has no procedure to fix it in timely manner. It looks like there is no plan for network outrages.

Hostdime reacts to complaints and not to the issues 

It took them hours to find problem after I have complained even if the problem could not affect me only. They either don’t monitor service or don’t want to scare their customers by notifying them about problems with the services. The communication looks like they wanted to hide the fact that there is outrage and hoped that it will be fixed soon.

There are few things worse than support that does not acknowledges the problems and communicates backs in timely manner.

Update about HostDime:

~48 hours after the network started showing problems, the services got restored and I received email :

The issue was resolved, we saw some bad routes, and optimize they.

Good to hear, HostDime, that it was not something serious. But aren’t the network routing something you control?

The post I am leaving Hostdime hosting and you should plan to do so too appeared first on Giedrius Majauskas blog.

By definition, rogue antiviruses have these signs :

1. Fake databases
2. Unjustified claims earlier or after install to make people download and buy the product
3. Hard to uninstall or use other programs.

While 1 and 3 is enough to label program a rogue, the second statement (fake advertisements or unjustified claims) are not. It is enough to label such programs as PUPs, though (potentially unwanted programs).

Here are some of the fake claims used by MacKeeper by Kromtech advertisers. The advertisement is shown when you click on any link it some movie streaming website, through I do not think siteowner cares what he promotes..

Even if you have such proof, makers of such program try one of several tricks to avoid listing):

1. Claiming that the review breaches patent or DMCA. Reviews do not breach either, by the way.
2. Speaking about libel and promotion of competing products
3. Claiming that advertisements are made by third party (which should be  their concern).

While it is possible to battle such claims, many do not bother. It is clear that I won’t promote Kromtech programs till they stop using fake claims in the advertisements no matter how their program performs ( not so good at the moment).

The post Legitimate rogues in 2015 appeared first on Giedrius Majauskas blog.

However, we were attacked as a company by the makers of YAC in various ways. They tried to convince me to come into some sort of partnership, then they send legal looking emails about trying to sue us for providing information. At the moment they have resorted to fake comments. The sad fact is that these comments are written from the same (taiwanese) IP using different names, thus they are clearly fake. The bad thing is they use names of people that are known in this market and have similar websites. Impersonating other people is dishonest. 

I know that this comment is fake. And this is a strong signal not to use YAC. Additionally, its makers are known as hijacker makers already – they are connected to V9 search engine that was promoted in similar manner. 

The post About YAC appeared first on Giedrius Majauskas blog.

1. Distributing plugins with bundles or trojans (aka “movie downloads”, etc).
2. Purchasing popular plugins and releasing ad-supported versions.

While second way is almost legitimate, it is handled by browser makers effectively and is not so dangerous. Fast burning a plugin with significant user base is not something most adware makers want.

However, the makers of trojan – distributed adware plugins try to make sure their ads will be difficult to block permanently or tracked to their companies without caring about how long the plugin itself will last. Thus there is increase in CDNs supported popups. They are hard to block as the same infrastructure is used for legitimate content and pages.

What is CDN

CDN is short for content delivery network. These services help website load faster by keeping copies of website images and other static content in several locations around the globe. This helps a lot, and in majority of cases there are no reason not to use CDN for global websites.

The speedup is two-fold. Firstly, it the loaded content does not use main server. Secondly, it is automatically closer to the end-user and thus it loads much faster.

There are plenty of CDNs to choose from. The most popular ones are cloudflare (which helps with website page caching as well), Amazon’s cloudfront, to some extent Amazons AWS, AkamaiHD and several more. All of them were used by advertising networks at some point. More about CDNs in general and their list is available on Wikipedia. Personally, I use Cloudfront for some of my sites.

Why malware makers use CDN

Malware makers use CDN for the same reason as legitimate users: They need to show content faster, reduce load on their own servers. Additionally, they have one more reason: it helps them avoid blockage from various antivirus applications.

Many antivirus applications will block blacklisted domains and does can’t blacklist whole content delivery network at once. They have to rely on blacklisting various patterns which can be changed faster than changing domains and servers. Thus some of CDN-delivered malicious content will be shown to end user even if it has decent malware blocking program.

As and example, lets look at static.icmapp.com – a domain having huge Alexa rating ( ~6500).  The registration is private and the DNS services are ones of cloudflare – webpage acceleration network. Lots of legitimate pages use it, so it is not possible to block sites by IP that easily. I think it is used in Plus-HD plugin family that is made for advertising only.

They haven’t bothered to set up real page at all. icmapp main domain is godaddy parking page. Some advertising networks care enough to provide some placeholder to explain themselves. Not so in this case.

What happens now? First, even if the domain will be blocked it is quite easy to launch other domains under same (or different) name under cloudflare without bigger changes to infrastructure. There won’t be a need to change icmapp com mains servers as they are not visible for end user. Even if they are kicked, there won’t be enough checks to make sure such thing won’t happen again.

There is still hope that majority of browsers will change the way plugins get installed and perform checks for installed non-market plugins. This would be privacy risk, but would solve issue with malicious advertisings once and for all.

Currently, browsers try to limit plugins to the ones available in their public repositories. This reduces amount of malicious plugins but does not solve problems fully.

The post Maladvertising networks use CDNs to hide their tracks appeared first on Giedrius Majauskas blog.

Secondly, there are several bigger spam – hosting providers. As far as my sites concerned, the leader is PegTech, which should be blocked. At the time of the writting, I block 3 IP ranges there :

deny from 192.74.224.0/19
deny from 198.2.192.0/18
deny from 137.175.1.0/17

Thirdly, there are some other ways to get list of spam IPs. As an example, one might run

SELECT comment_author_IP, count(comment_author_IP) as c FROM `wp_comments` where comment_approved=’spam’ group by comment_author_IP order by c desc

 

This would show the most popular spamming IPs:

However, one could do even better at researching bad commenter IPs. We can see that same subnetwork repeats itself :

SELECT IP,count(IP) as c from (SELECT substr(comment_author_IP FROM 1 FOR locate (‘.’,comment_author_IP,locate(‘.’,comment_author_IP)+1)) as IP FROM `wp_comments` where comment_approved=’spam’  ) as t group by IP order by c desc

Here, I get “subnetworks” that spam the most.

The next step is to research what network is it and should i block it whole or not. The IPs from 60.168 might belong to several entities, so that is a required step to prevent accidental block of good visitors. So, we pick some IPs from the first log and enter them in MaxMind Geo IP demo. In our case, these are chinese IPs again, which would be blocken by rule deny 60.160.0.0/11 . If you need to calculate which IPs would be blocked by particular rule, you could use one of several Netmask calculators like this one:  http://jodies.de/ipcalc .

The post Blocking bad commentators – how to get IPs you should block. appeared first on Giedrius Majauskas blog.

Although this unwanted application is not considered a malware and does not harm your computerâ€s system, it is recommended to remove, especially if you did not install it intentionally. HotStartSearch virus is not only an annoying program causing redirections but it also breaches your privacy by collecting information about your browsing habits, search terms used, data provided in social websites such as Facebook, Twitter, etc. These records might be used for various purposes, mostly for targeted advertisement campaigns.

Those having HotStartSearch virus complain that cannot remove it by simply uninstalling because the program is not listed in Control Panel Add and Remove programs list or under “Extensions” in “Tools”. This is quite a common practice for browser hijackers and adware. It might be that the application is named by a different title or hidden. The quickest and safest way to remove HotStartSearch virus is by using special antimalware tools like Spyhunter. Scan your computer with it. The program will not only detect the latter unwanted application but also any other adware or browser hijackers that might have been installed together with it. After the scan is completed you may also need to reset search providers manually.  A good  guide on removing unwanted search engines is here.

The post HotStartSearch virus – what it is and how to remove appeared first on Giedrius Majauskas blog.

The hijacking problem is not new. Recently, AVAST posted a blog entry covering long-term hijacker top list. Delta Search  virus was not worthy for inclusion due to short life span of hijackers without real functions like Babylon or ask toolbar. Such hijackers have to employ various techniques to prevent removal like protecting search settings and trying to infect cloud – based settings as well. Luckily, many of anti-adware programs remove them.

It is recommended to remove Delta Search virus as it does not add any value to your search. Moreover, the results you get are mixed with advertised links therefore you never know if you open the website you looked for or a promoted one. Please note, some of the advertised links might lead to corrupted web pages that have viruses.

Delta Search virus as many other browser hijackers is difficult to remove manually. Its developers are motivated to have as many application users as possible therefore they made uninstall procedure complicated. Those that are not that computer savvy, are advised to use an automatic  removal method:

1. Download and run antimalware program, such as Spyhunter. If you want to use anything else, check beforehand if the tool can remove this particular threat. Many antivirus programs cannot.
2. Check if there are no applications related to Delta Search virus in Control Panel -> Add and remove programs list. If you see any, uninstall them. IMPORTANT : you should remove all programs that got installed at the same time as Delta or the settings might be reverted.
3. Adjust your Internet browser settings with our guide.

Delta Search engine is used for couple other hijackers as well. So stay clear from shareware downloads, always use custom installation for such software and unmark additional toolbar selections when installing. Information about this particular hijacker is available on 2-viruses.com as well.

The post How Delta Search Virus Works appeared first on Giedrius Majauskas blog.

This cron job launches 3 times per hour and downloads /executes single command. It is very simple, but it allows downloading and executing single command on one’s server. I am still blaming for not noticing it earlier.

The post The case of simple server backdoor appeared first on Giedrius Majauskas blog.

Since the application is free of charge, it earns money from the advertisements displayed and web pages being promoted. Those having fbDownloader say that it changed their home page and search engine to its own, most commonly search(dot)fbdownloader (dot) com. In some cases it affects Facebook profile as well by displaying pop-up web pages on new windows or inserting a link on Facebook page.

Although fbDownloader itself is not related to malware, it makes a computer having the application more vulnerable to infections. The main reason is that the company does not take any responsibility for the advertisements displayed. These might be malicious or lead to corrupted websites. You may click on such an advertisement accidently and get your computer infected.

If you haven‘t installed fbDownloader yourself or if you got annoyed by redirections it causes, you should remove it from your computer. Please note, that similar unwanted applications are programmed to be resistant to removal therefore deleting it from Control Panel Add and Remove Programs might not be enough. You might even not find it there. The most effective removal method is using special antimalware programs, e.g. Spyhunter. Adwcleaner works really well at fixing such search hijacks too. If you decide to use anything else, check beforehand if it is known to be effective in adware and browser hijackers‘detection. Not all of the software work well against adware.

The post FbDownloader – how to uninstall it appeared first on Giedrius Majauskas blog.

MapsGalaxy can be categorized as adware for several reasons. First of all it changes an affected computer‘s home page and search engine without leaving any option for a computer user to choose them. Even if you try to reset these in your browser settings, you will be redirected to home.mywebsearch.com as if no changes were made. When you work with computer or make any search inquiries, you will be displayed with various advertisements. Mindspark Interactive Network, Inc. that is behind the toolbar promotes its search page and wants to drive as much traffic there as possible. This is where it earns money from. Mindspark mixes sponsored search results with other and once a user clicks on a promoted link, the company gets paid for it.

MapsGalaxy can be downloaded from the company‘s official website or its affiliate web pages. To increase the number of its users not fair means are also used. One of the most common ways of distributing adware like MapsGalaxy is to bundle it with other freeware. When a person installs a wanted program together with it, she gets other unwanted applications. These were marked to be installed by default. Only using a manual installation option it is possible to refuse other installs but many choose an automatic one and do not read any instructions.

I recommend to remove MapsGalaxy and all the files related to it as soon as you see its symptoms. In some cases you will be able to uninstall it from control panel, but it might leave browser configuration hijacked. To get rid of it, use Spyhunter or other anti-malware program, which detect potentially unwanted programs. In some cases you will have to fix your search settings manually.

The post How to get rid of MapsGalaxy adware appeared first on Giedrius Majauskas blog.

I have written on WordPress security in the past and listed some plugins that cover popular security issues. I have used Simple Login log in the past, and it is quite good although no longer good enough solution to secure WordPress admin area alone.

Typical solution will block admin folder only and maybe wp-login. This is no longer good enough, as it will not prevent someone from using login page to brute-forcing your password. As I have found out the hard way, this might cause serious problems. 

Using .htaccess to secure WordPress admin and other areas

Recently, one of my WP blog servers had connection problems. They were caused by someone trying to guess admin user’s password couple tries per second. Simple Login Log tracks such things and increases the load even further (as it writes such entries to db). This was complicated further by spam bots (I get around 2500 spam comments per day on that blog).

So, how to  prevent this from happening, preferably on all blogs hosted on the same server?

Interestingly, you can add allow/deny directives for single file (or group of files) as well, and they work on server-basis if added in the main config file (/etc/httpd/conf.d/httpd.conf in my case).

The rules look like this :


<files wp-login.php>
Order Deny,Allow
Deny from All
allow from xxx.xxx
allow from xxx.xxx.xxx.xxx
</files>


There are 2 ways to white-list IPs.
XXX.XXX or XXX.XXX.XXX – subnet where you login from without fixed IPs,
and xxx.xxx.xxx.xxx are ip you login from.
Now each attempt to brute-force your password into your WordPress admin it will result in adding 2 lines to log files : one to access log and one to error log. It will not be processed by PHP.

Another part to whitelist-only is XML-RPC backend on wordpress (xml-rpc.php). It is used for remote administration, but you should not leave it open in most of the cases as it allows brute-forcing passwords. You can include it under similar rule in global config file. This increases security of your wordpress admin and reduces server load.

Using global config to block bad commenters

Additionally, one could use this way to block some popular (Chineese mostly) spam bot IPs:

<Files wp-comments-post.php>
Order Allow,Deny
allow from all
deny from 113.212.70
deny from 123.156
deny from 218.72
deny from 60.182.158
</Files>


We write out bad ips and networks here. 

Using IP Geo Block to block bad visitors

On many sites I use IP Geo Block currently to secure WordPress admin. It blocks separate areas by using GEO IP databases that it downloads to the wordpress servers.

Why this is useful ? Well, it is better in some cases than global blacklist list due to following:

• It refreshes list of IPs by countries regularly, thus you don’t need to maintain it
• It blocks against some common exploits as well.
• It blocks IP’s access to wp-login or xml-rpc after some bad tries. This secures WordPress admin dashboard even from attacks from the same network (if you IP is dynamic, you might have to use this).
• It keeps logs if you wish and you can turn them off if you have too many attacks. 

It is great solution to prevent some location-based spam and attack bots, though it is not suitable to block non-location based networks from access commenting.

The post How to secure WordPress blog admin area on dedicated machines appeared first on Giedrius Majauskas blog.