As long as there have been websites, there have been hackers and malware whose sole purpose is to gain access to a website and wreak havoc. As such, it is crucial that as a business owner, you do your part to protect your company website from those entities with malicious intent. However, even in taking steps to protect your website, there is still malware that can cause a significant amount of trouble. For instance, the recent GoTrim botnet malware has been causing problems since this Fall.
GoTrim, is attacking self-hosted WordPress websites and then uses brute force practices to obtain the administrator’s password to take over the website. The bot is designed to work in 2 modes – “client” and “server”. It works by using a bot network to scan a site and attempt to brute-force the admin accounts by using stored credentials. If it gains access, GoTrim then spreads to the command and control server (C2). The bot then uses PHP scripts from a hardcoded URL to delete the script and the brute-forcing component from the infiltrated system. When successful, the bot reports credentials to the C2 server. GoTrim is designed to steal credit card information, making it a threat to you and your clientele.
It should be noted that the GoTrim requests for access are sent to C2 every few minutes. If, after 100 tries and not getting a response, the bot will then automatically self-terminate. This is because the goal of the bot is to evade detection- which is why the primary targets are self-hosted websites as many WordPress users do not employ proper security practices. However, if the bot is successful in getting through then the following information can be accessed by GoTrim:
- Target URL
- Username
- Password
- Command ID (1 for WordPress, 3 for OpenCart, as well as several others)
- Brute force status (“0Good”)
In studying how the GoTrim bot affects sites, it has been found that while WordPress CMS sites are the most affected since they make up 40% of the market share, other targets include self-hosted Joomla!, OpenCart, and DataLife Engine. In addition, GoTrim is also capable of bypassing some anti-bot techniques used by host providers. It is designed to copy legitimate requests from Mozilla and even supporting content encoding algorithms like gzip and Brotli, while also detecting what CAPTCHA plugins are being used. Of special import is that so far, GoTrim cannot override Google, WP Limit Login Attempts and Shield Security’s CAPTCHAs.
What to Do About Malware
So, now that you are aware of GoTrim, and perhaps others, you may be wondering what you can do to protect your website. Fortunately, there are several proactive measures you can implement.
- Set up a two-factor authorization (also known as a 2FA) – This is the most common step to take and the one recommended by Page Progressive and many other website pros. Two-factor authorization is required on bank, government sites, military sites, and many others where the proper level of security is common. However, due to so many hackers, identity thieves, etc. out there lurking around for sit e access 2FA has become common for many other types of sites. A tool we recommend is Wordfence.
- Be sure your site is set up as an HTTPS – If you have not updated your site to be an HTTPS, then you are more susceptible to being attacked by malware. If your site is HTTPS compliant then not only will the URL begin with HTTPS but there will be a green lock symbol with the word “secured” in the URL. This lets your customers know that you have taken proactive measure to protect their financial information. Making this change will also help your Google search ranking- so it’s a win for everyone!
- Use a CDN (Content Delivery System) – A Content Delivery System uses a separate system to keep malware and viruses away from the backend of your website.
Have firewalls in place – A firewall restricts traffic to and from your website, and only allows trusted guests to enter. A firewall also protects against dangerous SQL (structured query language) statements and cross-site scripts that could shut down your site.- Always Backup Your Information – Don’t loose vital information because of a hardware failure (or worse, a cyber-attack) and not have anything backed up. While no one wants to think about the aftermath of being hacked or hit with a malware attack such as GoTrim, you can’t ignore the risk! Be sure to run scheduled backups- ideally daily. Talk to your web host provider to set this proactive measure in place.
- Implement services such as SiteLock, Cloudflareand Sucuri – These services use good bots to automatically block the bad ones. They are designed to eliminate backdoor breakthroughs, keep your plugins and website’s core components updated and mitigate malicious use of CAPTCHA.
Have firewalls in place – A firewall restricts traffic to and from your website, and only allows trusted guests to enter. A firewall also protects against dangerous SQL (structured query language) statements and cross-site scripts that could shut down your site.Keep in mind that bots can be quite powerful, and they will cause a significant damage. As such, they should not be ignored. After all, when it comes to protecting your website, it is up to you to do your part. Take advantage of the various proactive measures available to protect your website, as well as the information- yours and your guests-that is stored there.
If you are unsure if you have taken the necessary measure to protect your website, now is the time to make updates. The Page Progressive team is well-versed in implementing security measures and tactics to protect your website from GoTrim and other bots. Give us a call today to schedule a consultation and learn how we can help you protect your website.