• gregscott

    (@gregscott)


    Here’s my website:
    https://www.infrasupport.com

    Take a look at “Greg’s Blog” and you’ll find a bunch of posts about computer troubleshooting and IT issues. But a few posts about wigs and prom dresses and other stuff also ended up in my blog. Posted by user “WordPress.”

    OK, admittedly, this is partially my fault for having a weak password for user wordpress, “wordpress”. I just fixed that. But the thing is, this is a self hosted website and nobody outside my own subnet can launch wp-admin. So my security should not depend on passwords – nobody outside these walls should even be able to attempt a login. So something else is going on.

    I noticed I need to allow POST operations to a file named /usr/share/wordpress/wp-admin/admin-ajax.php to make some plugins and maybe other stuff work. Could somebody be crafting a malicious string and POSTing it here? Somehow, some way, somebody is getting through a first layer of security and making me depend on a password. This makes me nervous.

    How do we fix this?

    Here is a copy of my infrasupport.conf file:

    [root@www conf.d]# more infrasupport.conf
    ##<VirtualHost www.infrasupport.com:80>
    <VirtualHost *:80>
        ServerAdmin [email protected]
        DocumentRoot /usr/share/wordpress
        ServerName www.infrasupport.com
    ##    ErrorLog  "/usr/share/wordpress/logs/error_log.log"
    ##    CustomLog "/usr/share/wordpress/logs/access_log.log" combined
    
    Alias /wordpress /usr/share/wordpress
    
    <Directory /usr/share/wordpress>
      #
  # Directives to support Permalink settings by post name instead of the default.
      # See Settings...Permalinks.
      #
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>
    
      AllowOverride Options
      <IfModule mod_authz_core.c>
        # Apache 2.4
        ##Require local
        Require all granted
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
     </IfModule>
    </Directory>
    
    <Directory /usr/share/wordpress/wp-content/plugins/akismet>
      <FilesMatch "\.(php|txt)$">
        Order Deny,Allow
        Deny from all
      </FilesMatch>
    </Directory>
    
    #
    # Need this for the ReallySimple CAPTCHA plugin
    #
    <Directory /usr/share/wordpress/wp-content/uploads/wpcf7_captcha>
      Order deny,allow
      Deny from all
      <Files ~ "^[0-9A-Za-z]+\.(jpeg|gif|png)$">
        Allow from all
      </Files>
    </Directory>
    
    <Directory /usr/share/wordpress/wp-admin>
    ##  AllowOverride Options
      AllowOverride All
      <IfModule mod_authz_core.c>
        # Apache 2.4
        ##Require local
        Require ip 10.10.10
        ##Require all granted
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 10.10.10
      </IfModule>
      <Files "admin-ajax.php">
        <IfModule mod_authz_core.c>
          # Apache 2.4
          Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
          # Apache 2.2
          Order Deny,Allow
          Allow from All
        </IfModule>
      </Files>
    </Directory>
    
    </VirtualHost>
    [root@www conf.d]#

    thanks

    – Greg Scott
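As an added example, not part of Greg's posted config or anything else in this thread: one way to push the same subnet restriction that already covers wp-admin/ out to the login surface itself, so that a password is no longer the only thing between the internet and an account. wp-login.php sits in the document root, where the "Require all granted" of the top-level Directory block reaches it; a Files section merges after Directory sections, so it can override that for the one file. xmlrpc.php (in the same directory) also accepts a username and password and can create posts without the client ever loading wp-admin/, so it gets the same treatment. Paths, ServerName and the 10.10.10 subnet are taken from the posted config; everything else is an assumption for illustration, written in Apache 2.4 (mod_authz_core) syntax.

```apache
# Added example (Apache 2.4 syntax). Paths, ServerName and the 10.10.10
# subnet come from the config posted above; the rest is assumed.
<VirtualHost *:80>
    ServerName   www.infrasupport.com
    DocumentRoot /usr/share/wordpress

    # Public surface: theme, posts, uploads and the index.php front controller.
    <Directory /usr/share/wordpress>
        AllowOverride Options
        Require all granted
        # (the mod_rewrite permalink rules from the original config go here)
    </Directory>

    # wp-login.php lives in the document root, so the "Require all granted"
    # above reaches it. <Files> merges after <Directory>, so this section
    # overrides it for that one file. "Require ip 10.10.10" matches
    # 10.10.10.0/24; "Require local" adds 127.0.0.1 and ::1 for tests run
    # on the box itself.
    <Files "wp-login.php">
        <RequireAny>
            Require local
            Require ip 10.10.10
        </RequireAny>
    </Files>

    # xmlrpc.php takes the same username/password and can publish posts
    # without the browser ever touching wp-admin/. Lock it down the same way.
    <Files "xmlrpc.php">
        <RequireAny>
            Require local
            Require ip 10.10.10
        </RequireAny>
    </Files>

    <Directory /usr/share/wordpress/wp-admin>
        AllowOverride All
        <RequireAny>
            Require local
            Require ip 10.10.10
        </RequireAny>
        # Plugins call admin-ajax.php from the public front end, so it has to
        # stay reachable. Keep the exception to this one file, not the directory.
        <Files "admin-ajax.php">
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
```

To check it, send the request from outside the subnet (a tethered phone will do): `curl -sI -X POST http://www.infrasupport.com/wp-login.php` should answer 403 while a GET of the front page still answers 200. On Apache 2.2 the equivalent inside each section is `Order Deny,Allow` / `Deny from all` / `Allow from 127.0.0.1 ::1 10.10.10`, the same pattern the posted config already uses for wp-admin/. One caveat: `Require ip` tests the TCP peer address, so if a reverse proxy or CDN is ever put in front of this box, Apache sees the proxy's address and the check silently becomes all-open or all-closed unless mod_remoteip is configured.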

Viewing 13 replies - 1 through 13 (of 13 total)
  • robinmnz

    (@robinmnz)

    Not seeing your website come up at all, but perhaps FTP in and check if there are any stray files that a hacker has put in.
    Check under
    user files
    and
    wp-content/uploads
    particularly, and any other extra dirs you haven’t added yourself.

    Good luck!

    Thread Starter gregscott

    (@gregscott)

    Thanks Robinmnz – the website is self hosted and the Century Link Internet connection coming into here had an outage last night right about the time you checked. Back online now.

    I was about to say there is no ftp access to the site. But I just tested it from the outside and to my horror, ftp did give me a login prompt. GETs and PUTs don’t seem to work however. You can bet I’ll be turning that off at my firewall today! Carelessness on my part.

    I took a look through the whole WordPress directory structure and I don’t see anything I’m not able to identify.

    Even though I was careless, I don’t think this was an ftp attack. Apparently, somebody knows how to penetrate WP 4.1. I’ll do some digging through my access_log files and see if anything interesting turns up.

    – Greg

    Thread Starter gregscott

    (@gregscott)

    Hmm… This log entry is ugly:

    78.6.46.218 - - [19/Feb/2015:08:11:07 -0600] "POST /wp-login.php HTTP/1.1" 200 2910 "https://www.infrasupport.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"

    It just dawned on me, all these admin-ish PHP files are sitting in the top of the directory structure. I should probably block access to this from the outside in my .conf file. I wonder if WordPress has any facility to monitor login failures?

    – Greg

    robinmnz

    (@robinmnz)

    That’s beyond me but maybe there is a plugin that could do that.

    I’d suggest getting rid of the Meta widget in any case.

    Sorry I am not of much more help – usually when we have issues I have out server folks put in IP blocks against the offenders …

    bernbe01

    (@bernbe01)

    Thread Starter gregscott

    (@gregscott)

    Re: Robinmnz – what meta widget? Those admin-ish PHP files are core components of WordPress. The log entry I posted is raw data left by Apache every time somebody accesses my website. The status code of 200 means somebody at that outside IP Address touched the WordPress wp-login.php. That’s because I have to set Apache to grant access to that directory for the whole world, which means I must trust any security mechanisms built into WordPress. I wish WordPress would collect all these scripts the webmaster uses into a separate directory so it can be locked down.

    Re: Bernbe01 – possibilities – thanks!

    – Greg

    bernbe01

    (@bernbe01)

    anytime @gregscott

    robinmnz

    (@robinmnz)

    Let me know when you’ve seen that and I will kill it.
    Annoying not being able to upload pics …

    Thread Starter gregscott

    (@gregscott)

    Oh wow – I never paid any attention to that. Thanks. I’ll figure out how to get rid of it. It’s probably one of those Responsive widgets. Now I get what you’re trying to tell me – thanks!

    – Greg

    Thread Starter gregscott

    (@gregscott)

    That turned out to be an easy fix – it should be gone now.

    – Greg

    robinmnz

    (@robinmnz)

    Cool – is everything working OK now?

    Thread Starter gregscott

    (@gregscott)

    Hard to say. Getting rid of that widget was easy – just a drag and drop. But the fundamental problem, that the world can still touch wp-login.php is still with us. Here is a sample a few minutes old from my /etc/httpd/logs/access_log:

    78.7.192.66 - - [23/Feb/2015:22:32:22 -0600] "POST /wp-login.php HTTP/1.1" 200 2910 "https://www.infrasupport.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.57 Safari/537.36"

    It looks like the only thing protecting me from the bad guys by default is a strong password.

    – Greg
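As an added example, not code from the thread or from WordPress, and aimed at the earlier question of how to monitor login failures: a small script that reads Apache combined-format access log lines like the two posted above and reports, per source address, how many POSTs hit /wp-login.php, whether they came in a burst, and whether a success followed the burst. It relies on one assumption about stock WordPress behaviour, which the thread does not state: a failed login POST re-renders the form with HTTP 200 (the 200 and the 2910-byte body in both posted lines are consistent with that), while a successful one answers with a 302 redirect into wp-admin. The sample log is constructed, apart from the two lines taken from the thread; the 203.0.113.9 and 198.51.100.4 addresses are documentation ranges.

```python
"""Flag brute-force activity against wp-login.php in an Apache combined access log.

Added example, not code from the thread or from WordPress. Assumptions:
  - Lines are in Apache's "combined" format, like the entries Greg posted.
  - Stock WordPress behaviour: a failed POST to wp-login.php re-renders the
    form with HTTP 200; a successful one answers 302 (redirect to wp-admin).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?redirect_to=... and friends
    return rec


def login_posts(lines):
    """Yield records for POSTs to /wp-login.php only (a GET just fetches the form)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            yield rec


def analyse(lines, threshold=5, window=timedelta(minutes=10)):
    """Per source IP: failed/succeeded counts, whether `threshold` failures fell
    inside `window` (a burst), and whether a success followed that burst."""
    per_ip = defaultdict(list)
    for rec in login_posts(lines):
        per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failed = [r for r in recs if r["status"] == 200]     # form re-rendered
        succeeded = [r for r in recs if r["status"] == 302]  # redirected to wp-admin
        burst_end = None
        # Sliding window over the failures: the first run of `threshold`
        # consecutive failures that fits inside `window` counts as a burst.
        for i in range(len(failed) - threshold + 1):
            if failed[i + threshold - 1]["ts"] - failed[i]["ts"] <= window:
                burst_end = failed[i + threshold - 1]["ts"]
                break
        report[ip] = {
            "failed": len(failed),
            "succeeded": len(succeeded),
            "burst": burst_end is not None,
            "success_after_burst": burst_end is not None
                and any(r["ts"] >= burst_end for r in succeeded),
        }
    return report


SAMPLE_LOG = [
    # The two entries posted in the thread.
    '78.6.46.218 - - [19/Feb/2015:08:11:07 -0600] "POST /wp-login.php HTTP/1.1" 200 2910 "https://www.infrasupport.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '78.7.192.66 - - [23/Feb/2015:22:32:22 -0600] "POST /wp-login.php HTTP/1.1" 200 2910 "https://www.infrasupport.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.57 Safari/537.36"',
    # Constructed: six failures in under a minute from one address, then a success.
    *[f'203.0.113.9 - - [24/Feb/2015:03:00:{s:02d} -0600] "POST /wp-login.php HTTP/1.1" 200 2910 "-" "python-requests/2.5.1"'
      for s in range(0, 60, 10)],
    '203.0.113.9 - - [24/Feb/2015:03:01:05 -0600] "POST /wp-login.php HTTP/1.1" 302 - "-" "python-requests/2.5.1"',
    # Constructed: someone merely loading the form, and a normal login from the LAN.
    '198.51.100.4 - - [24/Feb/2015:03:02:00 -0600] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"',
    '10.10.10.5 - - [24/Feb/2015:08:00:00 -0600] "POST /wp-login.php HTTP/1.1" 302 - "https://www.infrasupport.com/wp-login.php" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        flag = "SUCCESS AFTER BURST" if r["success_after_burst"] else ("burst" if r["burst"] else "")
        print(f'{ip:15} failed={r["failed"]} succeeded={r["succeeded"]} {flag}')
```

Run it against the real file with `analyse(open("/etc/httpd/logs/access_log"))`. The 200/302 split is a heuristic: a plugin or theme that changes the login flow will change the status codes, and an attacker who targets xmlrpc.php instead of wp-login.php will not show up here at all, so the same filter is worth repeating for that path.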

  • The topic ‘Possible security issue – website defaced’ is closed to new replies.