This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • bobjonkman repeated a notice by lnxw48a1 31 January 2021
      RT @lnxw48a1 @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since they gatekeep the […]
    • Favorite 31 January 2021
      bobjonkman favorited something by lnxw48a1: @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since […]
    • New note by bobjonkman 30 January 2021
      And I can't figure out how to connect to a particular server. The #Patchwork #SSB client I'm using has a "+ Join Server" field, but it requires an invitation code. Which I can't generate unless I have a pub server. Which I can't join until I have an invitation code... Sigh. #SSB: Concept: A+ ; […]
    • New note by bobjonkman 29 January 2021
      I was on #SSB Secure Scuttlebutt for a while (attended an #SSB seminar at last year's LibrePlanet conference), but the application was so resource intense that my laptop couldn't keep up. And, there wasn't the network effect I needed to make it useful. While there are probably interesting people to converse with, I have no […]
    • New note by bobjonkman 23 January 2021
      Oh, hang on. It's @joeyh who reveals the inadequacy of #journalism. Not the article author, @Jonemo@twitter.com #ReadingComprehension
    • New note by bobjonkman 23 January 2021
      @lnxw48a1 writes "In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today." This didn't leap out at me. Is it because good, in-depth reporting requires A LOT of research and hard work, and that modern journalism is adequately rewarded by re-Tweeted sound bites?
    • New note by bobjonkman 23 January 2021
      What an excellent #LongRead article! "Exploring the Supply Chain of the Pfizer/BioNTech and Moderna COVID-19 vaccines" https://blog.jonasneubert.com/2021/01/10/exploring-the-supply-chain-of-the-pfizer-biontech-and-moderna-covid-19-vaccines/
    • bobjonkman repeated a notice by lnxw48a1 23 January 2021
      RT @lnxw48a1 Explaining the supply chain of Pfizer & Moderna #COVID-19 vaccines: https://nu.federati.net/url/279451 Source: https://octodon.social/@joeyh/105606567412940936 #2019-nCoV | #coronavirus | #SARS-CoV-2 In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today.
    • Favorite 23 January 2021
      bobjonkman favorited something by lnxw48a1: Explaining the supply chain of Pfizer & Moderna #COVID-19 vaccines: https://nu.federati.net/url/279451 Source: https://octodon.social/@joeyh/105606567412940936 #2019-nCoV | #coronavirus | #SARS-CoV-2 In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today.
    • New note by bobjonkman 22 January 2021
      That was much better than I expected it to be. Covers the spectrum of opinions of several #ITSec professionals, and does not strike an alarmist note. Sadly, somewhat devoid of practical advice, tho. https://www.hipaajournal.com/hipaa-password-requirements/

Recovering from a WordPress hack

Posted by Bob Jonkman on 29th October 2013

WordPress logo cleaved by axe

WordPress Hacked!

Last Friday I was finally getting around to upgrading the WordPress installations on the SOBAC server from v3.6 to v3.6.1. Surprise! WordPress v3.7 had just been released the night before!

WordPress upgrades are famous for their ease of installation. Surprise! After upgrading the first installation most of the plugins were missing, and the theme was broken. A quick look at a directory listing showed that the plugins and themes were still installed. A quick look with a text editor showed some peculiar PHP code at the top of every .php file in the plugins folders. Surprise! This WordPress installation had been hacked! Fortunately, of the five instances of WordPress on this server, only two appeared to be affected. This Blog Is Not For Reading was not one of them.

Each .php file started with something like this:

<?php $zend_framework="\x63\162\x65(…)\x6e"; 
@error_reporting(0); 
zend_framework("", "\x7d\7(…)

Injected, obfuscated PHP code at the top of every .php file, referencing the zend_framework

Searching the Internet for “wordpress plugin invalid header zend_framework” I found a reference that makes me think this may have been possible because of a flaw in an earlier version of the WordPress code that handles comments. Most likely one of the comment fields (user name, e-mail, web address or the comment text itself) wasn’t properly sanitized, and allowed some kind of code injection (probably PHP injection, not a MySQL injection; the contents of the databases appeared to be untouched).

From the backups of the server it appeared that the breach occurred in or before August — either just before the release of WordPress 3.6 on 1 August 2013 or just before the release of WordPress 3.6.1 on 11 September 2013. If I had not been slack in upgrading to WP v3.6.1 then this breach might have been identified much sooner.

The upgrade to WordPress identified the modified files because the injected code preceded (and corrupted) the WP headers, and so WP v3.7 disabled any affected plugins and themes.

The Fix Is In

I renamed the directory containing the WordPress code, installed a fresh copy of WP3.7, cleaned and copied the wp-config.php and .htaccess files, uploaded a small image to create the wp-content/uploads hierarchy, then copied the upload folder (which didn’t contain any .php files), and then re-installed and re-configured the themes and plugins directly from the WordPress site.

Aside from the additional PHP code, there didn’t appear to be any other damage to the system. So I used the original wp-config.php (but cleaned, and with the “Authentication Unique Keys and Salts” section refreshed), and the new installation just used the existing databases. If there’s any malcode in the databases then that could re-infect the system, so I’m keeping an eye on it.

I have no idea what the malcode was intended to do. It didn’t corrupt the databases or anything else, but it’s possible it was acting as a keylogger or phoning home some other way. If I feel inclined I might try to de-obfuscate the injected code, but right now I don’t really feel like doing forensics.

Someone suggested using AppArmor to make the WordPress directories read-only. I’m not sure that locking down the WP directory is a good idea. The big new feature in WordPress 3.7 is its automatic update feature. If the WordPress directories are locked down then future security updates won’t be applied automatically. If there is an exploit and WordPress issues a new release to fix it, then a locked-down site will experience a delay in upgrading until the SysAdmin notices and upgrades manually (which is what used to happen before v3.7, but it seems a bad idea to delay upgrades when that’s no longer necessary). Also, the plugin and themes directories would be locked down, and they still require fairly frequent manual upgrades.

I sent the users on the affected sites this message:

While doing upgrades on WordPress yesterday I saw that your blog had been hacked sometime during or before August. I’ve fixed it (re-installed the code, copied your media library, re-installed themes and plugins). I don’t think any damage was done beyond the insertion of malicious code in some of the WordPress files. I don’t know what the action of that code was intended to be, but you should change your WordPress password just in case the bad guys captured it. You can change your password on the “Users, Your Profile page” once you’ve logged in.

After spending some time on Saturday fixing the two hacked WordPress sites I’m a little paranoid, and making sure to implement updates quickly. But a little paranoia is good — it’ll ensure I won’t become complacent again.

–Bob.

WordPress Hacks by Rafael Poveda is used under a CC BY-NC-SACreative Commons — Attribution-NonCommercial-ShareAlike — CC BY-NC-SA license.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in code, How To, security, System Administration | Comments Off on Recovering from a WordPress hack

Charming comment spam

Posted by Bob Jonkman on 6th July 2012

Smoke curls up

Genie in the bottle

This blog may not have many readers who leave comments, but it sure does have a lot of commenters who leave spam! Still, I make sure to go through the list of pending comments in case there’s a real one in there. Today, I came across one comment that was obviously spam, but charming with its fractured English and a punch line I hadn’t heard before:

AftequeAlew:
A houseman was walking on the beach harmonious day and he bring about a bottle half buried in the sand. He irrefutable to provide it. Stomach was a genie. The genie said,” I resolve agree to you three wishes and three wishes only.” The gentleman prospect there his beginning demand and decided, “I think I be deficient in 1 million dollars transferred to a Swiss bank account. POOF! Next he wished after a Ferrari red in color. POOF! There was the transport sitting in van of him. He asked in search his settled hanker, ” I wish I was irresistible to women.” POOF! He turned into a box of chocolates.

Genie in the bottle by zenoka is used under a CC BY-NC 2.0CC BY-NC 2.0 license.

Tags: , , , , , , ,
Posted in blogging, spam | 3 Comments »

 
Better Tag Cloud