This Blog Is Not For Reading

A blog, just like any blog, only more so


Recovering from a WordPress hack

Posted by Bob Jonkman on 29th October 2013

WordPress logo cleaved by axe

WordPress Hacked!

Last Friday I was finally getting around to upgrading the WordPress installations on the SOBAC server from v3.6 to v3.6.1. Surprise! WordPress v3.7 had just been released the night before!

WordPress upgrades are famous for their ease of installation. Surprise! After upgrading the first installation most of the plugins were missing, and the theme was broken. A quick look at a directory listing showed that the plugins and themes were still installed. A quick look with a text editor showed some peculiar PHP code at the top of every .php file in the plugins folders. Surprise! This WordPress installation had been hacked! Fortunately, of the five instances of WordPress on this server, only two appeared to be affected. This Blog Is Not For Reading was not one of them.

Each .php file started with something like this:

<?php $zend_framework="\x63\162\x65(…)\x6e"; 
@error_reporting(0); 
zend_framework("", "\x7d\7(…)

Injected, obfuscated PHP code at the top of every .php file, referencing the zend_framework

Searching the Internet for “wordpress plugin invalid header zend_framework” I found a reference that makes me think this may have been possible because of a flaw in an earlier version of the WordPress code that handles comments. Most likely one of the comment fields (user name, e-mail, web address or the comment text itself) wasn’t properly sanitized, and allowed some kind of code injection (probably PHP injection, not a MySQL injection; the contents of the databases appeared to be untouched).

From the backups of the server it appeared that the breach occurred in or before August — either just before the release of WordPress 3.6 on 1 August 2013 or just before the release of WordPress 3.6.1 on 11 September 2013. If I had not been slack in upgrading to WP v3.6.1 then this breach might have been identified much sooner.

The upgrade to WordPress identified the modified files because the injected code preceded (and corrupted) the WP headers, and so WP v3.7 disabled any affected plugins and themes.

The Fix Is In

I renamed the directory containing the WordPress code, installed a fresh copy of WP3.7, cleaned and copied the wp-config.php and .htaccess files, uploaded a small image to create the wp-content/uploads hierarchy, then copied the upload folder (which didn’t contain any .php files), and then re-installed and re-configured the themes and plugins directly from the WordPress site.

Aside from the additional PHP code, there didn’t appear to be any other damage to the system. So I used the original wp-config.php (but cleaned, and with the “Authentication Unique Keys and Salts” section refreshed), and the new installation just used the existing databases. If there’s any malcode in the databases then that could re-infect the system, so I’m keeping an eye on it.

I have no idea what the malcode was intended to do. It didn’t corrupt the databases or anything else, but it’s possible it was acting as a keylogger or phoning home some other way. If I feel inclined I might try to de-obfuscate the injected code, but right now I don’t really feel like doing forensics.
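The indicators described above (obfuscated code ahead of the plugin header, and an uploads folder that should hold no .php files) can be checked for directly. This is an added example, not code from the original post: it flags .php files that open with the `$zend_framework=` marker or an escape-heavy first line, and any .php file under an uploads directory. The function names, the three-escape threshold and the 4096-byte read are assumptions chosen for illustration.

```python
import os
import re
import sys

# Marker copied from the snippet in the post: injected code opens the file.
MARKER = re.compile(rb'\A\s*<\?php\s+\$zend_framework\s*=')
# PHP double-quoted escapes used in that snippet: \xHH (hex) and \NNN (octal).
ESCAPE = re.compile(rb'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# Constructed sample: visible start of the post's snippet, elided part dropped.
SAMPLE = rb'<?php $zend_framework="\x63\162\x65"; @error_reporting(0);'

def php_unescape(literal: bytes) -> bytes:
    """Decode \\xHH and \\NNN escapes the way PHP does inside double quotes."""
    def repl(m):
        value = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8)
        return bytes([value & 0xFF])  # PHP wraps octal values above 0xFF
    return ESCAPE.sub(repl, literal)

def classify(rel_path: str, head: bytes, min_escapes: int = 3):
    """Return a reason string if the file looks tampered with, else None."""
    first_line = head.split(b"\n", 1)[0]
    if MARKER.match(head):
        return "zend_framework marker before the file header"
    if len(ESCAPE.findall(first_line)) >= min_escapes:
        return "escape-encoded string on first line"
    if "uploads" in rel_path.split(os.sep):
        return "PHP file inside uploads"
    return None

def scan_tree(root: str, head_bytes: int = 4096):
    """Walk a WordPress directory; return sorted (relative path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
            reason = classify(os.path.relpath(path, root), head)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

`php_unescape` lets you read what an escaped string literal says without running any PHP; on the visible fragment `\x63\162\x65` it returns `cre`.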

Someone suggested using AppArmor to make the WordPress directories read-only. I’m not sure that locking down the WP directory is a good idea. The big new feature in WordPress 3.7 is its automatic update feature. If the WordPress directories are locked down then future security updates won’t be applied automatically. If there is an exploit and WordPress issues a new release to fix it, then a locked-down site will experience a delay in upgrading until the SysAdmin notices and upgrades manually (which is what used to happen before v3.7, but it seems a bad idea to delay upgrades when that’s no longer necessary). Also, the plugin and themes directories would be locked down, and they still require fairly frequent manual upgrades.

I sent the users on the affected sites this message:

While doing upgrades on WordPress yesterday I saw that your blog had been hacked sometime during or before August. I’ve fixed it (re-installed the code, copied your media library, re-installed themes and plugins). I don’t think any damage was done beyond the insertion of malicious code in some of the WordPress files. I don’t know what the action of that code was intended to be, but you should change your WordPress password just in case the bad guys captured it. You can change your password on the “Users, Your Profile page” once you’ve logged in.

After spending some time on Saturday fixing the two hacked WordPress sites I’m a little paranoid, and making sure to implement updates quickly. But a little paranoia is good — it’ll ensure I won’t become complacent again.

–Bob.

WordPress Hacks by Rafael Poveda is used under a CC BY-NC-SA (Creative Commons Attribution-NonCommercial-ShareAlike) license.

Posted in code, How To, security, System Administration

Ubuntu 13.04 Raring Ringtail Release Parties on Thursday, 25 April

Posted by Bob Jonkman on 22nd April 2013

Ubuntu Tri-leaf logo

The KW chapter of Ubuntu Canada is having a release party for the latest version of Ubuntu, named “Raring Ringtail” on Thursday, 25 April 2013 at 7:00pm at the Kwartzlab Makerspace.

You’ll meet Ubuntu people from all over Canada during the IRC meeting from 7:00pm to 8:00pm; the Kwartzlab Radio team will be recording a podcast at 8:30pm; and there will be a live installation demonstration on a fancy new Lenovo laptop with UEFI and SecureBoot. And, of course, there will be cake, deviled eggs, and we may order out for pizza…

What: KW Raring Ringtail Release Party
When: Thursday, 25 April 2013 7:00pm – 10:00pm EDT
Where: Kwartzlab, 33 Kent Avenue, Kitchener, Ontario
Online: #ubuntu-ca on Freenode Web Chat
Registration: KW Release Party on Ubuntu Canada LoCo Events (Registration is optional, but appreciated)


There is also a Toronto Raring Ringtail Release Party. Join Michael Kaulbach for a bottomless cup of coffee and free Ubuntu cupcakes!

What: Toronto Raring Ringtail Release Party
When: Thursday, 25 April 2013 8:00pm – 11:00pm EDT
Where: Alio Lounge, 108 Dundas Street West, Toronto, Ontario
Online: #ubuntu-ca on Freenode Web Chat
Registration: Toronto Release Party on Ubuntu Canada LoCo Events (Registration is optional, but appreciated)


And there are rumours afoot of a Raring Ringtail Release Party in Guelph. More details as I unearth them….

Updated 26 April 2013: It’s here!

What: Guelph Raring Ringtail Release Party
When: Friday, 10 May 2013 7:00pm to 10:00pm
Where: Diyode Community Workshop, Unit B, 71 Wyndham St. S, Guelph, Ontario
Online: #ubuntu-ca on Freenode Web Chat
Registration: Guelph Raring Ringtail Release Party on Ubuntu Canada LoCo Events

Posted in FLOSS, GNU/Linux, Operating System, Ubuntu
