This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 30 May 2023
      I'd be more inclined to say "people voting the way the polls said they should..."
    • bobjonkman repeated a notice by hubert 30 May 2023
      RT @hubert I have to laugh and shake my head at Smith calling it a "Miracle on the Praries". No, you were leading in the polls pretty much the whole time. You're in a strongly conservative province. I mean, if you're saying that it's a miracle that the majority of Albertans chose to ignore your […]
    • bobjonkman repeated a notice by blacksam 28 May 2023
      RT @blacksam I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from my other wargaming […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: I’ve been getting more into the game Gaslands with my son and also with adult friends. It’s a Mad Max-esque tabletop game where you’re expected to create your own game pieces by kitbashing with toy cars. I already have all the crafting, painting and 3d printing supplies I need from […]
    • Favorite 28 May 2023
      bobjonkman favorited something by blacksam: Here are a couple more cars I've made for #gaslands
    • Favorite 28 May 2023
      bobjonkman favorited something by tobias: I'm in need of a little Nerd-Pr0n... what little useful thing comes into your mind as tool of at the Linux command line? Not a super-nerdy command to sophisticated resolve a problem, but a tool for actual problems that would also be useful for n00bs to take their fear about […]
    • bobjonkman repeated a notice by tobias 28 May 2023
      RT @tobias I'm in need of a little Nerd-Pr0n... what little useful thing comes into your mind as tool of at the Linux command line? Not a super-nerdy command to sophisticated resolve a problem, but a tool for actual problems that would also be useful for n00bs to take their fear about using the CLI?So […]
    • Favorite 23 May 2023
      bobjonkman favorited something by steve: From mcnees@mastodon.social on Mastodon: If you aren't too busy, take a minute to look through NASA's Project Apollo archive on Flickr. https://www. flickr.com/photos/projectapoll oarchive/albums This is a totally safe use of your time, you definitely won't look up two hours from now and ask where your morning went. Images: NASA
    • bobjonkman repeated a notice by geniusmusing 9 May 2023
      RT @geniusmusing @lnxw48a1 I have my own workaround for just this issue. I raise my hand to the "Stop/Hold" position. Get to a point where I can stop and leave myself a note on the next thing to do. Then let them interrupt me. I have even done this to my former boss and the […]
    • Favorite 9 May 2023
      bobjonkman favorited something by lnxw48a1: https://www.monkeyuser.com/2018/focus/ This is me.

Recovering from a WordPress hack

Posted by Bob Jonkman on 29th October 2013

WordPress logo cleaved by axe

WordPress Hacked!

Last Friday I was finally getting around to upgrading the WordPress installations on the SOBAC server from v3.6 to v3.6.1. Surprise! WordPress v3.7 had just been released the night before!

WordPress upgrades are famous for their ease of installation. Surprise! After upgrading the first installation most of the plugins were missing, and the theme was broken. A quick look at a directory listing showed that the plugins and themes were still installed. A quick look with a text editor showed some peculiar PHP code at the top of every .php file in the plugins folders. Surprise! This WordPress installation had been hacked! Fortunately, of the five instances of WordPress on this server, only two appeared to be affected. This Blog Is Not For Reading was not one of them.

Each .php file started with something like this:

<?php $zend_framework="\x63\162\x65(…)\x6e"; 
@error_reporting(0); 
zend_framework("", "\x7d\7(…)

Injected, obfuscated PHP code at the top of every .php file, referencing the zend_framework

Searching the Internet for “wordpress plugin invalid header zend_framework” I found a reference that makes me think this may have been possible because of a flaw in an earlier version of the WordPress code that handles comments. Most likely one of the comment fields (user name, e-mail, web address or the comment text itself) wasn’t properly sanitized, and allowed some kind of code injection (probably PHP injection, not a MySQL injection; the contents of the databases appeared to be untouched).

From the backups of the server it appeared that the breach occurred in or before August — either just before the release of WordPress 3.6 on 1 August 2013 or just before the release of WordPress 3.6.1 on 11 September 2013. If I had not been slack in upgrading to WP v3.6.1 then this breach might have been identified much sooner.

The upgrade to WordPress identified the modified files because the injected code preceded (and corrupted) the WP headers, and so WP v3.7 disabled any affected plugins and themes.

The Fix Is In

I renamed the directory containing the WordPress code, installed a fresh copy of WP3.7, cleaned and copied the wp-config.php and .htaccess files, uploaded a small image to create the wp-content/uploads hierarchy, then copied the upload folder (which didn’t contain any .php files), and then re-installed and re-configured the themes and plugins directly from the WordPress site.

Aside from the additional PHP code, there didn’t appear to be any other damage to the system. So I used the original wp-config.php (but cleaned, and with the “Authentication Unique Keys and Salts” section refreshed), and the new installation just used the existing databases. If there’s any malcode in the databases then that could re-infect the system, so I’m keeping an eye on it.

I have no idea what the malcode was intended to do. It didn’t corrupt the databases or anything else, but it’s possible it was acting as a keylogger or phoning home some other way. If I feel inclined I might try to de-obfuscate the injected code, but right now I don’t really feel like doing forensics.

Someone suggested using AppArmor to make the WordPress directories read-only. I’m not sure that locking down the WP directory is a good idea. The big new feature in WordPress 3.7 is its automatic update feature. If the WordPress directories are locked down then future security updates won’t be applied automatically. If there is an exploit and WordPress issues a new release to fix it, then a locked-down site will experience a delay in upgrading until the SysAdmin notices and upgrades manually (which is what used to happen before v3.7, but it seems a bad idea to delay upgrades when that’s no longer necessary). Also, the plugin and themes directories would be locked down, and they still require fairly frequent manual upgrades.

I sent the users on the affected sites this message:

While doing upgrades on WordPress yesterday I saw that your blog had been hacked sometime during or before August. I’ve fixed it (re-installed the code, copied your media library, re-installed themes and plugins). I don’t think any damage was done beyond the insertion of malicious code in some of the WordPress files. I don’t know what the action of that code was intended to be, but you should change your WordPress password just in case the bad guys captured it. You can change your password on the “Users, Your Profile page” once you’ve logged in.

After spending some time on Saturday fixing the two hacked WordPress sites I’m a little paranoid, and making sure to implement updates quickly. But a little paranoia is good — it’ll ensure I won’t become complacent again.

–Bob.

WordPress Hacks by Rafael Poveda is used under a CC BY-NC-SACreative Commons — Attribution-NonCommercial-ShareAlike — CC BY-NC-SA license.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in code, How To, security, System Administration | Comments Off on Recovering from a WordPress hack

Calendaring Server Software

Posted by Bob Jonkman on 12th October 2012

I’m looking for a free/libre calendar server to run on a GNU/Linux server.

It needs to have CalDAV connectivity, so that I can use Evolution, Sunbird or Thunderbird/Lightning as my only client. Ideally, it will also have a Web interface for both administration and calendar viewing, exports to iCal (.ics) files, supports iMIP, and offers Atom/RSS feeds of calendar items.

Here’s what I’ve found so far. If you know of others, please leave a comment.

There’s also a list at CalConnect’s CalDAV Servers

Name WebUI Export iCal (.ics) CalDAV
Admin View Edit iCal (.ics) iMip Atom/RSS
Kolab              
DAViCal              
phpGroupWare       No     No
Chandler Project              
Bedework              
Zimbra Yes, but.. Yes Yes Yes   No Outlook only
EGroupware Community Version              
WebCalendar             No
Darwin Calendar Server              
Tryton Calendar              
ownCloud Yes Yes, but not Public, Read-only Yes No No No Yes
Citadel ? ? ? ? ? ? ?
Baikal ? ? ? ? ? ? ?
Horde ? Yes Yes Yes ? Maybe Yes

WordPress Plugins

The other calendars I’ve been trying are WordPress plugins. There is much promise in their description blurbs, but so far I’ve rejected most:

Name Export iCal (.ics) CalDAV Notes
iCal (.ics) iMip Atom/RSS
Calendar JCM         Rejected: no longer supported
Event Calendar / Scheduler         Rejected: missing .php modules when running
The Events Calendar         Rejected
WP Events Calendar Yes, with iCal for Events Calendar plugin   No No Works
My Calendar Only lists current month   Partial  
CalPress Pro ? ? ? ? This is a commercial plugin;
All-in-One Event Calendar by Timely By tweaking the “Add to Google” URL ? ? WebCal Possible privacy concern
  • 11 January 2011
    Originally posted
  • 26 March 2011
    Added Linuxaria’s suggestions
  • 16 April 2011
    Added WordPress plugin info; added CalDAV column; filled in some attributes
  • 11 October 2012
    Updated feature list for Zimbra
    I’ll be writing a review of Zimbra Open Source Edition soon, detailing some of my experiences (eg. requires Flash for the administrative Web interface)
  • 12 October 2012: Put WordPress calendars in table format, added My Calendar
  • 5 November 2012: Added Dosch’s suggestions
  • 16 November 2012: @Encyclomundist dents about Citadel.org
  • 26 September 2013: I’ve started to use ownCloud 5.0 as a calendar repository accessed with Lightning using WebCal. ownCloud doesn’t publish an iCal feed or have a public read-only view, but since it’s Free Software constantly under improvement I’ll stick with it for a while.
  • 9 November 2013: I think @postblue turned me on to Baikal: Using #Baikal to sync tasks, contacts and calendars
  • 9 November 2013: I’m now using Timely All-In-One on some blogs, will be upgrading others. It’s not the perfect iCal plugin, but the best one yet.
  • 9 November 2013: @McScx and @lxw37 both introduce me to Horde.
  • 13 August 2015: Just discovered Blaise Alleyne’s post on Degooglifying (Part IV): Calendar. This is pretty much the same solution I’ve settled on; ownCloud + Thunderbird and Lightning. I’m not quite as advanced as Blaise on the mobile front, though.

This is a “living” post, so it will float back to the top of the blog as I update it.

–Bob.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Calendars and Schedules | 11 Comments »

 
Better Tag Cloud