• Resolved ANTi-CAP

    (@anti-cap)


    Hi,

Just a heads up.. I stopped using WP for a while due to my feelings of its poor security. I watched as loads of 4.xx sites got owned recently and stupidly assumed you had tightened things up with 4.1.

    I made a fresh install of 4.1 on xmas day, no plugins, standard theme and all general sec measures taken.. woke up today to find it had been defaced within the space of 12 hours.

    I’m not that bothered about the site in question but due to an exploit in your software it affected quite a few domains and TBH I will never use WP again. You guys need to concentrate on sec instead of new features for a while IMO. It’s been like this for years, WP is a very easy target, always has been and IMO always will be unless you stop concentrating on new and fix the old.

    Sorry for the slightly grumpy post but sort it out FFS.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator James Huff

    (@macmanx)

    I watched as loads of 4.xx sites got owned recently and stupidly assumed you had tightened things up with 4.1.

    Do you mean the few hacks which targeted vulnerable third-party plugins? There were no wide-spread hacks which targeted WordPress directly last year.

    I made a fresh install of 4.1 on xmas day, no plugins, standard theme and all general sec measures taken.. woke up today to find it had been defaced within the space of 12 hours.

    Would you please detail *how* it was defaced?

    Also, did you ever have a site defaced before on that hosting provider, and if so, did you plug the vulnerability, or just clean up the mess?

    I’m not that bothered about the site in question but due to an exploit in your software it affected quite a few domains and TBH I will never use WP again.

Were you able to identify the exploit, or are you referring to the aforementioned vulnerabilities in third-party plugins from earlier this year?

    Thread Starter ANTi-CAP

    (@anti-cap)

    I was referring to soaksoak, not to mention the hundreds of WP sites I have seen defaced over the years.. third party plugins or not you should have some type of vetting process for the code you allow to be hosted on your website, especially when your target audience are in general not tech savvy and can install plugins from the back end of their websites.

    Defaced as in they used a root kit to wipe files and upload a quite funky anti-gov message/image/swf (with music) that I actually agree with (I went to speak with them afterwards briefly but their English is not so great).

    http://s16.postimg.org/qelvmcskl/Screenshot_38.png <– IMAGE

No the server is pretty solid, no past hacks or defaced sites (until a matter of hours after putting the first ever vanilla WP install on it). I’m guessing they recently found the exploit and just dorked WP sites as I had no time to remove the mass amount of footprints in the install. They have done at least 4/5 WP4.1 sites I know of today, you can check on hacking archives such as zone-h.

    I would expect more “I’ve been hacked” threads shortly TBH.

No I didn’t even bother trying to identify the exploit as it clearly came from the WP install (with no plugins/themes) but could check it out I guess, though I feel it a waste of my time as I don’t plan on using WP again unfortunately, despite its good points.

    Sorry to be a bit of a grump but WP is just an easy target. I have been building websites for well over ten years and never seen any free/paid open source script get owned as much. Apologies for my lack of quoting also I’m not used to this forum software.

    Moderator James Huff

    (@macmanx)

    some type of vetting process for the code you allow to be hosted on your website

    We do have a very heavy vetting process for plugins hosted at https://ww.wp.xz.cn/plugins/ but we have no control over plugins hosted/sold elsewhere. WordPress is open source software.

    The plugin developers are responsible for providing safe quality code.

    Defaced as in they used a root kit to wipe files and upload a quite funky anti-gov message/image/swf (with music) that I actually agree with (I went to speak with them afterwards briefly but their English is not so great).

    That has absolutely nothing to do with WordPress and can happen to any kind of site (WordPress, Drupal, Joomla, Ghost, plain HTML, literally any kind of site). They simply replaced or modified your index file using an existing backdoor on the server.

    If this did happen to multiple sites on your server today, it’s time to think about a new hosting provider.

    Thread Starter ANTi-CAP

    (@anti-cap)

    It happened directly after installing WP 4.1. Deny this as much as you like but that is how they got the shell script into the account. Yes some other domains that were sub/addon domains on the same WHM account were affected but none under different accounts on the server.

    The domain in question had been empty for some time with a few active addon domains on the account while I made plans for the WP site (that was not yet installed) I was planning to build there.

Sorry but there is no doubt that if I had not installed WP this would not have happened IMO. My server provider is fine as is the general security on it.

    Sorry root kit was the wrong term. Shell script.

    http://s17.postimg.org/cl0g9phov/PHP_Webshell_H.png <– PHP/Webshell.H

    They got that shell script up via the WP install, nothing else.

    Moderator James Huff

    (@macmanx)

    It happened directly after installing WP 4.1.

    If it happened directly after installing WordPress 4.1, then the shell script was already there.

    If the server is not properly secured by a decent hosting provider, all it takes is one compromised account on a shared server to endanger everyone on the same server.

Sorry but there is no doubt that if I had not installed WP this would not have happened IMO.

    Then I guess WordPress isn’t for you. In 10 years of managing hundreds of WordPress sites, I have never had a single security issue. I’m sorry you did, but it wasn’t WordPress.

    Deny this as much as you like but that is how they got the shell script into the account.

    I’m not here to deny or defend anything, just here to share my over 10 years of knowledge and experience to help you understand the situation and make decisions about the future.

    Whether or not you choose to hear (or respect) that knowledge is totally up to you.

    Thread Starter ANTi-CAP

    (@anti-cap)

    Sorry but I feel like you are twisting my words. Or possibly I’m not wording things correctly. It happened within a 12 hour period of installing it while I was sleeping. If it was already in the script you guys had better check your download of it as I got it directly from here.

    After reading this though it wouldn’t surprise me: http://www.eweek.com/enterprise-apps/wordpress-with-release-4.1-aims-to-be-distraction-free.html
    ‘One of the most interesting minor fixes in WordPress 4.1 corrects what is labeled by WordPress developers as a “suspicious comment” in a piece of WordPress’ php code. The class.smtp.php file had a comment in it that stated “hacked by Lance Rushing.”‘

    I do however fully disagree with your comment of “It was not WP” when it clearly was.

    I feel I am coming across as slightly aggressive and if I am I apologise. I am just annoyed as I had some good plans for the site and there is no other blogging software that has what I need to build the website I planned. Luckily it was a fun site not a money site.

    The server is secure. It does have other accounts and scripts on it BUT as I keep saying the shell script came about via my WP install that had no plugins or themes installed at the time.

    And no I fully understand. I also have a similar time frame of knowledge, probably in slightly different fields but am pretty fluent in PHP/JS/HTML/CSS/MySQL, a bit of ethical hacking and started building mobile chat sites before I even had a decent internet connection (some of which are still up on hotscripts I believe).

    Maybe I should go through the logs and work out what exactly the exploit was and on what file but I don’t feel it’s my job in all honesty and have many other paid jobs to be getting on with.

    I would love to use WP for the site I had planned, but I can’t compromise the other sites on the server again without getting to the bottom of this :-/

    Moderator James Huff

    (@macmanx)

    It happened within a 12 hour period of installing it while I was sleeping. If it was already in the script you guys had better check your download of it as I got it directly from here.

    I’m probably not making myself clear, or am not being read.

    The attack you got hit with can happen to any kind of site (WordPress, Drupal, Joomla, Ghost, plain HTML, literally any kind of site). They simply replaced or modified your index file using an existing backdoor on the server.

This happened on your server through an existing backdoor. This type of attack has existed for *years*; it’s nothing new. On a poorly secured shared server, it only takes one compromised account to put the entire server at risk. It doesn’t even have to be your account that’s compromised.

    Again, if you are still reading, this has nothing to do with WordPress and everything to do with the security on your server.

    I really don’t have as much time as you’d think to repeat myself constantly, but I have many years of experience in working with WordPress, and many years of experience in cleaning up this specific type of attack.

    My evidence that it is not WordPress is my experience cleaning up this type of attack. Your evidence that it was WordPress is simply that it happened, and judging by your history on these forums, you seem to blame WordPress for a lot without much evidence. I merely ask you to weigh the evidence, the likelihood, and make a rational decision.

    If you don’t want to use WordPress, that’s fine. That’s your choice, I don’t care. But, don’t come to these forums and spread FUD when it’s a type of attack that any competent systems administrator with less than a year’s experience would know is a server-level script exploiting an existing backdoor and not WordPress.

    Some people take security concerns more seriously than others, and it’s not fair to them to whip them into a panic based on an unverified assumption of yours.
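The moderator's explanation above (an existing backdoor on the server, the index file replaced or modified) and the thread starter's earlier remark about going through the logs both come down to the same triage step: list what changed after the install finished, then find the first HTTP request that named each changed file and what that client did beforehand. The script below is an added example written for this thread; it is not code from the forum or from WordPress. It assumes an Apache/nginx combined access-log format, and the file listing, paths, IPs and log lines are all constructed stand-ins for a real web root.

```python
"""Post-defacement triage: which files changed after the install, and what
the HTTP log says about the first request to each of them.

Added example for this thread, not code from the forum or from WordPress.
It assumes an Apache/nginx "combined" access-log format and uses a
constructed file listing and constructed log lines in place of a real
web root; every path, IP and timestamp below is made up.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspect_files(files: Dict[str, datetime], install_finished: datetime,
                  known_paths: set) -> List[str]:
    """Files that are not part of the install manifest, or were modified
    after the install finished, oldest change first."""
    hits = [(mtime, path) for path, mtime in files.items()
            if path not in known_paths or mtime > install_finished]
    return [path for _, path in sorted(hits)]


def first_touch(records: List[dict], url_path: str) -> Optional[dict]:
    """Earliest request for url_path, or None if the log never saw it."""
    hits = [r for r in records if r["path"] == url_path]
    return min(hits, key=lambda r: r["ts"]) if hits else None


def prior_activity(records: List[dict], ip: str, before: datetime) -> List[dict]:
    """Everything the same client requested before a given moment."""
    return sorted((r for r in records if r["ip"] == ip and r["ts"] < before),
                  key=lambda r: r["ts"])


def triage(files, install_finished, known_paths, log_lines):
    """For each suspect file: the client that first requested it and that
    client's earlier requests. A None entry means no HTTP request ever
    named the file directly, i.e. it was written by something else on the
    server (another script, another account, a non-HTTP path)."""
    records = [r for r in (parse_log_line(l) for l in log_lines) if r]
    report = {}
    for path in suspect_files(files, install_finished, known_paths):
        hit = first_touch(records, "/" + path)
        if hit is None:
            report[path] = None
            continue
        report[path] = {
            "ip": hit["ip"],
            "first_seen": hit["ts"],
            "prior_requests": [(r["method"], r["path"], r["status"])
                               for r in prior_activity(records, hit["ip"], hit["ts"])],
        }
    return report


# --- constructed sample data (not from the thread) ------------------------
UTC = timezone.utc
INSTALL_FINISHED = datetime(2014, 12, 25, 14, 0, tzinfo=UTC)
KNOWN_PATHS = {"index.php", "wp-login.php", "wp-admin/install.php",
               "wp-content/themes/twentyfifteen/index.php"}
FILES = {  # path -> mtime, as os.stat() on the web root would give it
    "index.php": datetime(2014, 12, 26, 2, 14, 30, tzinfo=UTC),  # rewritten after install
    "wp-login.php": datetime(2014, 12, 25, 13, 55, tzinfo=UTC),
    "wp-admin/install.php": datetime(2014, 12, 25, 13, 55, tzinfo=UTC),
    "wp-content/themes/twentyfifteen/index.php": datetime(2014, 12, 25, 13, 55, tzinfo=UTC),
    "wp-content/uploads/2014/12/cache.php": datetime(2014, 12, 26, 2, 10, 5, tzinfo=UTC),  # not in manifest
}
LOG_LINES = [
    '203.0.113.7 - - [26/Dec/2014:02:08:41 +0000] "GET /readme.html HTTP/1.1" 200 7278',
    '198.51.100.9 - - [26/Dec/2014:02:09:00 +0000] "GET / HTTP/1.1" 200 2241',
    '203.0.113.7 - - [26/Dec/2014:02:09:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3521',
    'this line is not an access-log record',
    '203.0.113.7 - - [26/Dec/2014:02:10:30 +0000] "GET /wp-content/uploads/2014/12/cache.php?r=0 HTTP/1.1" 200 612',
    '203.0.113.7 - - [26/Dec/2014:02:14:12 +0000] "POST /wp-content/uploads/2014/12/cache.php HTTP/1.1" 200 88',
]


def run_example():
    return triage(FILES, INSTALL_FINISHED, KNOWN_PATHS, LOG_LINES)


if __name__ == "__main__":
    for path, info in run_example().items():
        print(path, "->", info)
```

On real data the file listing comes from walking the web root and the manifest from the checksums of the installed release; the point of the None case is that a rewritten index file with no request naming it in the web log was not written through the web server at all, which is the distinction the two sides of this thread are arguing about.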

    Thread Starter ANTi-CAP

    (@anti-cap)

    I do understand what you are saying. I will look further into the server security but it seems a bit odd that it happened after this install and only that domain and sub domains of it were affected, why not take the whole server?? Why is nobody else reporting defacements or hacks from the other accounts that did not have WP installed??

    There is no doubt WP has been an easy target for hackers/skiddies for years… you seem to miss the point of even your official code containing dubious comments etc…

I do want to use WP for one site but not when it causes this, which I truly believe it did as we have had no problems on the server for a very very long time. If I get the time I will work out how they did it and come back to prove you wrong.

    I don’t blame WP for anything but think sec is low on your priority list and use many other scripts that are patched much faster.

    Either way as I said at the start this is just a heads up. It happened and I honestly beg to differ that it was a server sec issue.

You seem to try and deny it but hordes of WP sites get pwned simultaneously. I have been around and seen it happen. I can drag up the articles and zone-h records if you like??

Either way I’m going to leave now as I’m getting slightly angry with you.

    If I find the exploit I will post it publicly to prove the point.

I take security seriously hence my post and if it had not been the festive season this would have just cost me a very profitable money site to be down for 10-12 hours.

    Peace <3

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

I’m closing this topic; it’s just frankly pointless. The latest exploit has been thoroughly demonstrated not to be a WordPress exploit.

    Give this a read and you may understand why this is circular.

    http://wpengine.com/2013/05/08/wordpress-core-is-secure-stop-telling-people-otherwise/

    If I find the exploit I will post it publicly to prove the point.

    Should you actually find an exploit in WordPress or even another plugin or theme then please report it responsibly.

    http://codex.ww.wp.xz.cn/FAQ_Security#Where_do_I_report_security_issues.3F

    Edit: Should you need assistance securing your site then please avail yourself of this link too.

    http://codex.ww.wp.xz.cn/Hardening_WordPress


The topic ‘Fresh 4.1 Install Defaced’ is closed to new replies.