Peer certificate CN=`your.server.com' did not match expected CN=`smtp.office365.com' (WHM/cPanel issue)

Problem: When you configure a script to use an external SMTP server, you get an error message that the certificate on your server doesn’t match the one on the remote SMTP server.

Solution: The issue is that cPanel has changed its security settings and now disables remote connections to SMTP servers by default in order to help combat abuse (e.g. if your website gets hacked, the hackers cannot use it to send spam through a third-party SMTP server). The way it does this is by routing all outgoing SMTP connection attempts back to the local server. Since your server is not in fact the server you are trying to connect to, you get an error similar to the one above about the certificates not matching. If it’s your own server the solution is relatively simple. Log into your WHM control panel, and select

Read more

Florida Dept. of Health Officers Advised Not to Let Schools Know If It’s Unsafe to Reopen

On July 6th, 2020, Richard Corcoran, Commissioner of the Florida Department of Education, issued DOE order no. 2020-E0-06. This order in part dictated that all brick and mortar schools must open this August at least 5 days a week for all students, subject to the advice of the FL Department of Health:

On July 15th, 2020, the Volusia County School Board held a special session meeting, via video conference, where one of the topics was whether or not it is safe to reopen the schools next month. During the meeting there was a dialog between Mr. Ruben Colón, one of the members of the Volusia County School Board, and Miss Patricia Boswell, an administrator for the Florida Department of Health in Volusia County.

During their discussion Miss Boswell revealed that apparently all of the health officers around the state of Florida have been advised not to say whether or not it is safe to allow the children and teachers to go back to school, despite the fact that the DoE order explicitly states that the schools must rely on the advice of the FDOH when making the decision as to whether or not they will actually reopen. Below is the excerpt of the meeting where this discussion took place and a transcript of the conversation.

Mr. Colón: So I am gonna – unlike Miss Cuthbert I am not gonna go down the road of hope, and I’m going to speak about the responsibility that the governor has put on the Department of Health. Now, for the record I did submit these questions to our wonderful health department so this is not a gotcha moment it’s a true question, so upon consider, so I am looking at the actual emergency order, it reads, “Upon reopening in August all school boards and charter school governing boards must open brick and mortar schools at least 5 days a week for all students, subject to advice and orders of the Florida Department of Health, local departments of health, Executive Order 20-149 and subsequent executive orders.” And so, my question to you Miss Boswell, is as the director of the Florida Department of Health, because you have been called upon by the governor to advise the school district, do you feel that based on current data, understanding that we are talking about today, do you feel that the current covid rates for our county are conducive to the safe reopening of the Volusia County Schools at this time.

Miss Boswell: The Department of Health and, you know, all of the health officers around the state have asked the Department of Health for guidance with this question, cause we’re all being asked this question by school boards. And we were… we’ve been… advised that our role here is to just advise as to what – how – what can we do to make the environment in schools as safe as possible with covid-19. It is not to make a decision on… on whether or not to open up the school.

Mr. Colón: Ok. Thank you for that. My next question is, as the director of the Florida Department of Health will you provide this board a date stamped letter indicating that based on a time certain date you feel that schools are safe to open, again the order reads subject to the advice and orders of the Florida Department of Health. So are you able to provide that to our board for guidance?

Miss Boswell: The county health departments are not providing those letters.

Mr. Colón: Thank you, and my last question is: will you provide the board a letter within 7 business days of the start of school indicating that your department still continues to feel that the return of students and teachers to our brick and mortar school buildings continues to be safe.

Miss Boswell: It would only be advisement on how to make the environment safe.

Mr. Colón: Ok, and so now I will turn to my colleagues and say that one of the things that we’ll have to consider is that the department of health is not telling us that it is safe for students and teachers to come back to school, so upon that I think it’s gonna really be on us to make that decision because they are not, and again, no fault of yours Miss Boswell, I have dealt with your department in a professional manner, both career-wise and today and all the work you have done for our school district, and it’s unfortunate that the governor has put your office in a very uncomfortable position because once again the order says subject to the advice and orders of the Florida Department of Health, and again I understand that you’ve been given this directive, however I… in not having the advice of the Florida Department of Health you know I feel personally that the schools are not safe to open. And so I’m turning to the folks that we are being told that we are supposed to be working with and we are not getting that advice, so I have deep concern and I truly believe that this burden is going to be on us.

Does Evidence Suggest Robert Mueller Did Not Know The Special Counsel’s Investigation Was Ending Last Friday?

Last Tuesday, 3/19/2019, on “The Rachel Maddow Show”, Rachel discussed a filing by the Special Counsel’s office that was made that day requesting an extension of time to file a response to a motion in Paul Manafort’s case. The reason cited for their request was because, “The counsel responsible for preparing the response face the press of other work and require additional time to consult within the government.” Rachel muses as to why they would need this additional time, and does suggest that

Read more

HostPapa Hosting Still Sucks: Now Extorts Customers

A few years back I blogged about HostPapa getting hit with a widespread hack that they lied to their customers about, and instead tried to blame on a non-existent WordPress security issue. More than just WordPress sites were affected, so obviously it was not that. It was most likely a cPanel bug that other hosting companies actually let their customers know about, and while they never did admit wrongdoing, eventually the sites stopped getting hit, so odds are they just quietly fixed it behind the scenes. However, since lying to your customers is bad form even if you eventually fix the problem, ever since then I have done my best to warn people against hosting with them. There are a ton of decent hosts out there at reasonable prices (my recommendation as always is Hostgator), so in this day and age there is no reason for anyone to go with (or stay with) one that gives crappy service.

A couple of days ago a woman named Kristina Birkhof (@sexypartyanimal) contacted me about helping her dehack her website, highclassbadass.com, since I clean hacked WordPress installations professionally. She said that HostPapa told her

Read more

New WordPress Backdoor Style Discovered – Hackers Think They Are Sneaky

I was cleaning a client’s site today that had been hacked, when I discovered a new backdoor implementation that I had never seen before. This one is a perfect example of why automated scans are often not sufficient when cleaning up a hacked WordPress installation. You can see the full file here: 99bde887d.php.

The file was dropped into the theme that the client is using, and is coded to mimic a core WordPress file, using some of the same function names and coding conventions that WordPress itself uses. It is designed so that most people opening it and actually looking at the code would still not notice that it was anything malicious. I have seen enough backdoors, though, that even creative ones will often stand out to me. It is definitely not something that would be picked up with any of the existing scripted scans out there. While of course someone can update their plugins or scripts to include specific strings to look for that this file contains,

Read more

Warning: WordPress.org Does Not Tell You If You Download An Infected Plugin From Them

Have you ever logged in to your WordPress dashboard, noticed that there were some updates pending, but simply couldn’t be bothered pushing the button to run them? Sure you have. Who hasn’t? A good majority of my work comes from dehacking websites that have been compromised, and even I slack on that from time to time. I mean, if there are no security bulletins about the updates, and I am only using plugins I have downloaded directly from WordPress.org I should be fine, right?

Wrong.

The day before yesterday I rebuilt a client’s site that had been hacked, grabbing fresh versions of all of the plugins he was using. I noticed that one of the plugins, Social Media Widget, didn’t download though, and when I went to investigate why

Read more

Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)

It looks like another pair of hosts have joined GoDaddy in the “Not our fault” game when their servers get breached. Yesterday I had a few people contact me whose sites had been hacked, all with the identical symptoms: the only thing showing on their sites are the words hacked by hacker in plain text, on a white background. The one thing they all had in common is that they were hosting with either HostPapa or Netregistry, and the one thing that both hosts had in common is that they refused to own up to the problem:

and in HostPapa’s case they are even trying to blame it on WordPress:

Isn’t it nice the way they are able to determine that it is a WordPress issue, without even knowing which site it is? These styles of hacks, which usually have a specific hacker’s tag or signature rather than just “hacker”, often indicate to me that something other than a standard scripting exploit is at play. Whenever I see a site hit with a similar defacing hack, the first thing I do is check to see if there are other sites affected on the same host.

Warning: I am on Linux, which is not affected by the Windows malware that hacked sites often serve up. Unless you are on Linux or a Mac you should exercise extreme caution when looking for hacked sites, even if you have up-to-date antivirus software installed.

The way I check is to ping the infected domain in order to get the server it resolves to, which in this case was srv03.netregistry.net (180.235.128.204). I then plug that IP address into Bing using their “ip:” advanced search option (search by IP), plus the phrase “powered by WordPress”:

http://www.bing.com/search?q=ip%3A180.235.128.204+%2B%22powered+by+Wordpress%22

Clicking through those results I could easily see that this was far from isolated, and by using Bing’s cache I was able to determine that many of these sites were in fact up to date, running the latest WordPress version before getting hit. I then tried several of their other servers (srv01.netregistry.net, srv02.netregistry.net, and srv04.netregistry.net), all with the same result. I sent them a tweet letting them know that they appeared to have an issue, and they replied, as shown in the screenshot above, that they were able to “confirm there’s been no server security breaches”. I then gave them examples of 15 identical hacks across 4 different servers of theirs here, here, here, and here. As of yet they have not bothered to reply to those tweets.

While I was in the midst of investigating Netregistry, someone else contacted me with the exact same hack, only their site was hosted with HostPapa. Going through the same process (as well as checking with recent forum posts from people with these symptoms) I checked hp82.hostpapa.com (76.74.128.200), hp78.hostpapa.com (76.74.128.160), and hp86.hostpapa.com (76.74.242.140), and found the same issues with all of them. Regardless of the evidence, however, HostPapa is still insisting that this is a WordPress issue:

There are a few issues with them trying to blame this on WordPress. First off, if this were an issue affecting WordPress installations that were up to date with the latest (which is 3.4.2, which quite a few of these sites were running), then it would be much, much more widespread, and it would not be isolated to just these two hosts. Secondly, if this were a WordPress issue then why was I able to find at least 1 Joomla site on HostPapa with the exact same hack?

I let HostPapa know this via a tweet, but they were uninterested in addressing that. Instead they seem more intent on blaming it on WordPress, telling their clients that they don’t help with hacking issues, and pretending that everything is fine. Just because a slew of sites that get hacked on a server are all running WordPress does not make it a WordPress issue. WordPress is a database-driven platform, and is the most popular one out there. If a hacker locates a MySQL-based exploit on a given host, then the fastest way to find a large number of sites to target would be to do searches similar to the ones I did above and aim for the WordPress ones. I am guessing this is actually what happened here, and it is obvious that this isn’t some 0-day WordPress exploit (like both HostPapa and this idiot here are trying to claim).

Regardless of whether or not they eventually own up to it, if you are one of the unfortunates who happens to be hosting with either of these companies I would highly recommend you switch hosting, even if you are not one of the ones that got hacked. Again, I always recommend Hostgator, both for their security and for the fact that they happen to have better performing servers than many of the other hosts out there.

If you did get hit and you just want to get back up and running as fast as possible, luckily with the instances I saw this isn’t actually too difficult. While the next wave of hackers who come through might do more damage, at this point it seems to simply be a matter of replacing your root index.php with a fresh one from a clean WordPress install, and replacing either your index.php or header.php (or both) inside your theme using backups or clean downloads (assuming you have a readily downloadable copy of the theme you are using). I also saw some instances of people being unable to log in to the WordPress admin interface. The solution to that, as I described here, is to go into your database through phpMyAdmin in cPanel and look at the wp_users table. If they switched the admin username and email, edit the record to switch it back and then go through the Lost Password function on the WP login page.
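As an added example (my own illustration, not code from the post), here is a small Python scan of exactly the files the cleanup above says were replaced: the root index.php and every index.php/header.php under the themes directory. It flags the defacement text and the obfuscation calls that do not belong in a clean copy of those files. The sample install it builds is constructed for the demonstration, and the base64 string in it is a placeholder, not a real payload.

```python
import os
import re
import tempfile

# Defacement text the post describes (plain text on a white background).
DEFACE_MARKER = "hacked by hacker"
# Files the post says were replaced in the hacks it saw.
TARGET_NAMES = {"index.php", "header.php"}
# Obfuscation primitives that a clean root index.php or theme header.php has no
# reason to call; seeing one is a reason to restore the file from a clean copy.
SUSPECT_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def inspect_file(path):
    """Return the list of findings for one PHP file (empty means nothing seen)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    findings = []
    if DEFACE_MARKER in body.lower():
        findings.append("defacement marker")
    if SUSPECT_CALLS.search(body):
        findings.append("obfuscated code")
    return findings


def scan_wordpress_root(root):
    """Walk a WordPress install and return {relative_path: [findings]} for the
    root index.php plus every index.php/header.php under wp-content/themes."""
    candidates = [os.path.join(root, "index.php")]
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content", "themes")):
        candidates += [os.path.join(dirpath, f) for f in files if f in TARGET_NAMES]
    results = {}
    for path in candidates:
        if os.path.isfile(path):
            hits = inspect_file(path)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_sample_install():
    """Constructed sample: a tiny WordPress-like tree with a defaced root
    index.php, a backdoored theme header.php and a clean theme index.php."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "twentytwelve")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("hacked by hacker\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:  # placeholder, not a real payload
        fh.write("<?php eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')); ?>\n")
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<p>Clean template</p>\n")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_wordpress_root(build_sample_install()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Anything it reports is a file to restore from a clean WordPress or theme download rather than to edit in place, since the rest of the file may have been altered too.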

One thing to be careful of is that oftentimes in cases like these the hackers will drop backdoors on the sites, so that even once the host fixes the initial issue the hackers can just get right back in again later. If anyone has any issues where they keep getting hacked, even after moving to a new host, I am available to do professional cleanings. Feel free to contact me for more information. Also, Hostgator does offer free migrations in some instances, but if you have multiple or complex sites that you would like migrated to them I can assist with that as well (or to another host if you prefer, of course).

More resources:

How To Clean Hacked WordPress
WordPress FAQ: My site was hacked
How to find a backdoor in a hacked WordPress

Best.Nigerian.Scam.EVER! (We gonna send you to jail if you don’t read this email, do you get me?)

I have seen some pretty off the wall Nigerian Scam letters in the past, but this one has to be one of the most amazing I have ever received. Reading through this is an anthropological goldmine of insight into just how disconnected the scammers in that country are from how life really works here in the US. The basic premise of the letter is that they are going to arrest me (through email, no less) if I don’t “read the attached email and comply”… but if I do they will send me $10 million. What a deal, huh? 😀 Oh, and on top of that these people are apparently under the impression that the Director of the FBI sends out arrest warrants to people via his personal AOL email address.

Here is the email in its entirety for your reading pleasure, as it came to me in an attachment actually named “warrant of arrest.txt”:

Read more