Tonight I was browsing the Internet, when my virus software notified me of a potential threat from openstat.ws. None of the websites open in Firefox had a link to this site in the source. After some investigation, it appears that the potentially malicious site is called by Google Adsense.

Avast Anti-virus Warning Message

I use Avast Antivirus on my computer and tonight it gave the following warning message while I was browsing the Internet:

Sign of "HTML:Iframe-inf" has been found in "http://openstat.ws/top.php\{gzip}" file

The inclusion of a URL made me suspect that one of the sites I was browsing was linking to a dodgy website (ie openstat.ws).

The obvious thing to do was to check the source of the sites open in Firefox, to see which one was the culprit. However, openstat.ws did not appear in the source of any of the pages. Not to be put off, I used the Web Developer toolbar to examine the generated source. Still nothing.

Google Says Openstat.ws Is Suspicious

Next stop, a Google search for openstat.ws. The number one result was the Google Safe Browsing diagnostic page for openstat.ws page. Because the nature of this page is that it may change often, I’ve grabbed a screenshot of what it’s showing tonight:

Okay, so Google are saying:

Site is listed as suspicious – visiting this web site may harm your computer.

They say the site was only listed for suspicious activity once in the last 90 days, but they also say:

Of the 6 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent.

I’m not a security expert and I may be reading this wrong (please let me know if I am), but that seems to be indicating that there’s a 50% chance of malicious software being installed from openstat.ws.

Norton Say Openstat.ws Is A Threat

The third result in the Google search was Norton Safe Web’s page on openstat.ws. Let’s see what they say about openstat.ws:

Norton are saying that there are two threats found on openstat.ws, one of which is:

Threat Name: Direct link to HTTP Malicious Toolkit Variant Activity

Location: http://openstat.ws/top.htm

The file Avast picked up on my computer is top.php, but top.htm is pretty close. HTTP Malicious Toolkit Variant Activity sounds pretty nasty. Norton say:

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Okay, I’m convinced now that I don’t want openstat.ws being called on my computer. But how can I stop it where I can’t find where it’s being called from.

Looking Under Firefox’s Hood – Sessionstore.js

If openstat.ws wasn’t being called by the websites I was visiting, perhaps it was being called by Firefox itself. I started thinking that Firefox or one of the extensions I run must have been compromised. I started looking through the Firefox files – admittedly without much of an idea of what I was looking for.

I started by looking in the \Documents and Settings\[username]\ Application Data\Mozilla\Firefox\Profiles\[profilename] folder. I ordered the files in date order and started going through the most recently modified files.

I soon came to sessionstore.js. It gave me the answer, although it wasn’t the answer I was expecting. Sessionstore.js seems to store the current session, presumably so it can be restored in the case of Firefox crashing. I’m not sure if this is default behaviour or part of the Session Manager extension.

It consists of a series of entries tags, one for each tab that’s open. In examining this, I found the following:

EDIT: Due to Syntax Highlighter performance issues, I’ve moved the sessionstore.js snippet into a text file.

That’s not particularly readable, but it’s saying that I’ve got Ozh’s Handling Plugins Options in WordPress 2.8 with register_setting() post open. Inside that there is a child URL open (http://googleads.g.doubleclick.net/etc) which is a Google Adsense ad. Inside that, there are some further children, down until we come to one for http://openstat.ws/top.php, which is our suspicious site.

At this point we are still inside the Google Adsense child, meaning that the site that Google lists as suspicious is actually being served through Adsense. This is a little worrying to say the least!

Note: There is absolutely nothing wrong with Ozh’s site apart from the fact that he is running Adsense – as do I and hundreds of thousands of other sites.

Final Thoughts

As I said, I’m not a security expert, so I’d love some feedback from some more knowledgable. I’d also love to hear if anyone else out there has come across this problem.

I recently listened to the WordPress Podcast – Episode 44. Although it’s a couple of months old now, it was quite interesting and one issue really caught my eye ear: the security related question for Matt Mullenweg at around 1:13:30 of the podcast.

A listener, Simon Jones from beforeiforget.co.uk, talked about the difficulty of changing the default WordPress user name from admin to something a little harder for hackers to guess. The only way to do this is to change it in the database itself – it can’t be done through WordPress.

Simon’s main question was "Why isn’t there an easier way to change the default user from admin to something else?". Matt didn’t actually answer this, presumably because Simon’s question was fairly long and to be honest, could have been a little more to the point.

However, Matt did mention that it’s very difficult to brute force WordPress because such an attempt would need to submit thousands of requests per second and web servers won’t allow that many requests. He also mentioned that he’d changed his user name, though obviously not for security reasons, because he told everyone what it was!

Anyway, the podcast has inspired me to go on to discuss a couple of points related to WordPress security:

Password Strength

What Matt didn’t say (because it’s elemental) is that having a strong password is essential. A user name / password combination of Admin and dS35Hg68p1d will be much harder to break than one of admin and WordPress.

If you have a strong password, leaving user name as admin is less of an issue. So make sure your password is reasonably strong.

Protecting The Wp-admin Folder

For the paranoid, such as myself, who are worried about their WordPress login being hacked, it’s possible to add an extra layer of security to the wp-admin folder. This is more effective than just changing the default user. There are different ways to do this, including:

• only allowing users from a certain IP address or range to access the wp-admin folder
• using the AskApache Password Protect plugin to password protect the wp-admin folder
• using CPanel to password protect the wp-admin folder (here’s a general tutorial, but one that could be applied to wp-admin)

The second two methods will present the user with an additional user name / password prompt before the normal WordPress login screen can be accessed. This obviously takes longer to log in, but it also makes it much more unlikely that your site can be hacked.

Problem With Password Protecting The Wp-admin Folder

When I first tried to password protect the wp-admin folder, using the AskApache Password Protect plugin, I ran into a serious problem. I wasn’t given the “Authentication Required” window, I just got a 404 File not found message. This meant I was unable to log into my WordPress system and couldn’t access the plugin screen to turn off the password protection.

So how did I get access to my site again? I logged into my host via FTP and removed the following files:

• .aahtpasswd from the public_html folder
• .htaccess from the public_html/wp-admin directory (not the one from public_html)

I later experienced this same problem when password protecting the wp-admin folder via Cpanel, but of course, I could just turn off the password protection again via Cpanel.

I found a permanent solution to this problem at Developed Traffic’s WordPress admin password protection 404 post. The solution is to create an empty file called myerror.html and upload it to your public_html folder, then add the following to your .htaccess file (in public_html):

ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html

If you want to store the myerror.html file in a folder, rather than in public_html, then simply add the folder’s name to the two lines, ie:

ErrorDocument 401 /foldername/myerror.html
ErrorDocument 403 /foldername/myerror.html

That should fix the problem – although I’m not sure what impact it may have on other things (ie by having 401 and 403 go to the new file rather than WordPress handling it). If anyone out there know this please let me know in the comments.

The Real Lesson About WordPress Security

This post is all about trying to minimize the slight chance that someone may be able to break into your WordPress system via the login screen. I’m willing to bet that out of all the WordPress blogs ever hacked, very few of them would have been hacked via the login screen.

In the previous section, I mentioned how I locked myself out of the WordPress login screen, but got around it by FTPing in. All that security on the login screen is worth nothing if someone gets access to your host account via FTP.

From what I’ve heard, most hacked sites were compromised via:

• their host login being stolen after their email account was hijacked and used by the hackers to get the login details from the host service provider
• through an XSS exploit in WordPress

So the real lesson is to keep your computer free of viruses and spyware and your WordPress installation up to date with the latest security releases.

If you have any further thoughts on WordPress security, please let me know in the comments.

In a recent post, I talked about poor customer service from BullGuard, the anti-virus software company. A relative of mine paid for their subscription to be renewed, but the money was lost and their protection was disabled.

I’m pleased to say that BullGuard have now resolved the situation satisfactorily and my relative is now happily using BullGuard once again.

After my previous post, I was contacted by both Ovidiu Anton, Head of Customer Support and Bronwyn Gascoigne, Australian Sales Manager.

I hadn’t realised that BullGuard has an Australian office. They aren’t listed in either the White Pages or the Yellow Pages and a Google search didn’t turn up any results.

There is now an Australian Office listed on the BullGuard Contact page, but this page only included the UK, Denmark and Romanian offices when the issue first occurred. There’s still no phone number for BullGuard’s Australian office, but that’s because BullGuard doesn’t have phone numbers.

BullGuard are a modern Internet based company that uses Live Chat for support. That’s fine for modern Internet users, but there are plenty of potential customers out there who are a little more old-fashioned and are looking for a phone number. That’s not a criticism, just an observation.

Anyway, BullGuard do have staff in Australia and they are very helpful, if Bronwyn’s example is anything to go by. Most of my correspondence was with Bronwyn who did a great job of communicating. She answered emails quickly, politely and clearly and advised us when the problem was resolved.

Bronwyn also sent my relative what appears to be 3 free copies of BullGuard. I’m not sure how long the licenses are for, but they’ll be able to give it to their friends to try the product. I may even give BullGuard a whirl myself – although I’m quite happy with Avast, so we’ll see.

The situation was probably helped by my relative sending a scanned letter from the bank, confirming that the cheque was sent to Global Collect BV. It wasn’t straight forward to get the letter or they would have done this sooner. I have to say that BullGuard really should have been able to investigate the situation without this letter.

It took about three days from the time BullGuard got the scanned letter, until the subscription was renewed and BullGuard started working again. It probably should have been done immediately – the problem was with Global Collect BV, not my relative – but anyway, BullGuard is working again and my relative is happy that the situation has been resolved.

In hindsight, it seems to have been a simple administration error between BullGuard and Global Collect (although my relative still lost out). The problem could have been avoided if a credit card had been the method of payment instead of a cheque.

The Lesson: Use a credit card when purchasing over the Internet.

There are concerns about credit card fraud online, but you’re probably protected by your credit card company. If you’re dealing with a traditional ‘bricks and mortar’ company, a cheque may be fine, but if you’re dealing with an Internet based company, credit card is the way to go.

To conclude, BullGuard’s customer service was poor in the first place, but they recovered well and resolved the situation quickly, rather than let it fester. Thanks BullGuard for sorting this out!

In my last post I wrote about comment spam. Today, I’m writing about BullGuard, the anti-virus / spam software. Unfortunately, I’m not writing about BullGuard because of their software – I’m writing about them because one of my relatives lost their money when he tried to renew his subscription.

My relative would prefer that I don’t publicly identify them on the Internet, so for the purposes of this post, I’ll call them Jack.

Jack received a subscription renewal notification in early April and duly paid for another two year’s subscription (AUD$134.95). Six weeks after paying, he has received neither the subscription, nor his money back.

The BullGuard software is no longer working and I’ve had to replace it with Avast. At this stage it seems unlikely that he will receive his money back.

The Full Story

The story started in early April. Jack was advised that his subscription was about to expire, so he went to BullGuard’s website and placed an order for another two years subscription.

When he reached the payment option section, he chose not to use credit card, due to the various stories he’d heard of people losing money because of keyword logging software etc. Instead, he chose to pay by cheque. It was here that the problems started.

BullGuard don’t have an office in Australia, but their website provided instructions to make the cheque out to Global Collect BV and to send it to a Locked Bag in Lakemba, Sydney, NSW.

Jack followed these instructions and sent the cheque. Three days later (in mid-April), the cheque was cashed and the money left his account.

The money never made it to BullGuard. Presumably the money is with Global Collect, an international payment service. The problem is, Global Collect doesn’t have an office in Australia either. Who knows who actually cashed the cheque! Perhaps an agent who works for Global Collect in Australia?

Two weeks later, the BullGuard subscription expired and BullGuard stopped working. At this point, Jack hadn’t realised that the renewal hadn’t gone through, so he was left completely unprotected for a whole day while he tried to sort things out with BullGuard.

BullGuard advised that it can take 2 to 3 weeks for payment to appear in their account, so they extended the previous subscription by several weeks, so that Jack’s computer was protected.

They also suggested sending “a scanned bank statement as a proof of your payment”. However, Jack wasn’t willing to send a scanned bank statement, showing all his bank account details, to anyone (not just BullGuard).

Subsequent emails from BullGuard were nicely worded, but stated that they could not make any inquiries to Global Collect without this. They stated: “All we need is the bank statement containing a visible BullGuard payment”.

The problem with this (apart from the fact that Jack wasn’t willing to send it), is that the bank statement only shows “Personal Cheque” along with the cheque number and the amount. It doesn’t mention BullGuard at all!

BullGuard had already been supplied with the name on the cheque, the date it was cashed, the cheque number, who it was made out to, the amount it was made out for. The only extra information on the statement were the words “Personal Cheque”.

After emails back and forward over a two week period, this is where it ended. BullGuard need to see the statement, but Jack wasn’t willing to send it. He’s trying to get a letter from the bank as proof of payment, but of course the cheque was not made out to BullGuard (it was made out to Global Collect BV), so it remains to be seen if this will be of any use.

The additional subscription period expired and BullGuard stopped working again. I helped Jack out by adding Avast to his computer so that he is protected against viruses and spam.

Jack also sent a letter to the same Locked Bag that he sent the cheque to, asking for the situation to be rectified. He did not hear back.

Bad For Business

BullGuard haven’t followed up since the subscription expired for the second time. That seems to be pretty poor customer service to me.

I’ve spent most of my career working, in management roles, for an international software development company. I’d never have let this situation develop as far as it has. No company is perfect, but if I had a customer complaining that they’d paid, then the extended cover expired, I’d at least contact them again to touch base.

Note, I’m not saying that they should have extended the cover (although there is an obvious case for that), I’m just saying that they should have contacted the customer! Is that too much to ask?

BullGuard are operating in a fiercely competitive market, dominated by companies such as McAfee, Norton, Trend Micro, Kaspersky and with free alternatives such as Avast, AVG and AntiVir. BullGuard have done well for themselves, but don’t want to get a reputation for bad customer service.

Also, they are sitting on a lawsuit waiting to happen. It’s only a matter of time before someone has the same problem, is left unprotected as a result and is infected by a virus. If you were to lose all your data in such circumstances, wouldn’t you consider legal action?

You Win Some, You Lose Some

So who are the winners and losers in this farce?

Jack is the big loser, having paid AUD$134.95, which he will likely never see again, for nothing! But he is not the only losers – BullGuard are losers too:

They’ve lost a customer, they didn’t get the money that the customer tried to pay them, and they got a little bad publicity to boot. Also, as I mentioned above, this sort of thing is bad for business.

GlobalCollect (or whoever collects their cheques) are the winners – they are $134.95 up and it appears unlikely that it will be passed on to the intended target. If they do this often enough, then they’ll being seeing nice profits!

A Scam?

Let me emphasise: I do not believe that BullGuard or GlobalCollect intentionally ripped anyone off. I’m sure that this is not a scam. I think it is just an administrative mess up.

However, the result is the same: Jack paid his hard earned money to get a service from BullGuard. He ended up with neither the service, nor his money.

Final Thoughts

This whole episode has left a bad taste in Jack’s mouth. He is still hoping to make some progress with BullGuard, but has almost given up. I can’t say I blame him. I certainly won’t be using BullGuard at any point in the future.

Anyone out there like to comment on their experiences, good or bad, with BullGuard?