Category Archives: Wordpress

14Nov/16

How to harden WordPress

WordPress is the most widely used CMS (Content Management System): almost 75% of websites and blogs are built on it. Unfortunately, sites that run WordPress are also among the most frequently attacked, so let us see how we can harden WordPress to resist those attacks.

As we know, WordPress is a free tool, so anyone can install it. That is also the reason behind most WordPress attacks: because anyone can install it, everyone, including the attackers, knows the default settings a typical installation uses. This is one of the main ways attackers get in. So one of the main things we should do is change as much as possible away from the WordPress defaults. Here I will point out some of the main things you can do to protect your WordPress sites.

30Oct/15

Error: Failed to create temporary file

Issue
======

The apache error log shows

[Wed Oct 28 23:49:30 2015] [error] [client xx.xx.xxx.xxx] ModSecurity: Input filter: Failed to create temporary file: /root/tmp/20151028-234930-VjGXSkAWQiQAA@W7VAsAAAAD-request_body-nKiZdT [hostname "www.xxxx.com"] [uri "/wp-admin/admin.php"] [unique_id "VjGXSkAWQiQAA@W7VAsAAAAD"]

The error occurs because ModSecurity has no access to the /root/tmp directory.

So every time it tries to write a temporary file under /root/tmp, it logs the error "Failed to create temporary file".

Fix
===

The issue can be fixed by adding the following lines to the ModSecurity configuration file.

# vi /usr/local/apache/conf/modsec2.conf

Add the lines below to /usr/local/apache/conf/modsec2.conf

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On

Now restart Apache to make the change effective

service httpd restart

This normally fixes the issue.
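Before restarting Apache it is worth confirming that the directories the three directives point at actually exist and are writable by the web server user, which is exactly what was missing for /root/tmp in the error above. The following script is an added example and not part of the post: it reads the SecTmpDir, SecUploadDir and SecDataDir values from a ModSecurity 2.x configuration file and checks each directory. The file name modsec_dir_check.sh and the user name "apache" in the usage comment are assumptions. Because request bodies are parked in these directories, the script also warns when a directory is world-readable, as /tmp is; a directory private to the web server user is the safer choice.

```shell
#!/bin/sh
# Added example, not part of the post: sanity-check the storage directories a
# ModSecurity 2.x config points at before restarting Apache.
# Run it as the Apache user so the writability check reflects the real user, e.g.
#   su -s /bin/sh apache -c 'sh modsec_dir_check.sh /usr/local/apache/conf/modsec2.conf'
# (the user name "apache" and the script file name are assumptions).

# Print the last value set for directive $2 in config file $1 (empty if unset).
modsec_directive() {
    awk -v d="$2" '$1 == d { print $2 }' "$1" | tail -n 1
}

# Check every storage directive in config $1. Prints one line per directive
# and returns 1 if any configured directory is missing or not writable.
check_modsec_dirs() {
    conf=$1
    status=0
    for directive in SecTmpDir SecUploadDir SecDataDir; do
        dir=$(modsec_directive "$conf" "$directive")
        if [ -z "$dir" ]; then
            echo "WARN $directive: not set in $conf"
        elif [ ! -d "$dir" ]; then
            echo "FAIL $directive $dir: directory does not exist"
            status=1
        elif [ ! -w "$dir" ]; then
            echo "FAIL $directive $dir: not writable by $(id -un)"
            status=1
        elif [ "$(ls -ld "$dir" | cut -c8)" = r ]; then
            # 8th character of the mode string is the "other read" bit;
            # /tmp has it set, a private 0700 directory does not.
            echo "WARN $directive $dir: world-readable, prefer a mode 0700 directory owned by the web server user"
        else
            echo "OK   $directive $dir"
        fi
    done
    return $status
}

# Stand-alone use: sh modsec_dir_check.sh /usr/local/apache/conf/modsec2.conf
if [ -n "$1" ]; then
    check_modsec_dirs "$1"
fi
```

A non-zero exit status means at least one directory would produce the same "Failed to create temporary file" error after the restart, so fix the directory (create it, chown it to the web server user) or the directive before running `service httpd restart`.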

13Dec/14

Detecting a WordPress outbound brute-force attack

We have heard a lot about WordPress inbound brute-force attacks. On checking, we can see that the attacking IPs (which may have cPanel installed) are actually other servers that are themselves infected and generating the attack.

Two days before, we got a message from a client of ours saying the data center had informed them that their server was infected and was generating attacks on other servers. Initially I was not able to get any details regarding the attack, as no rogue process was running, nor did a scan give me any valid clue about it.

I was just checking the output of tcpdump to see what data was being transferred from the server.

user@host ~ # tcpdump -A -i eth0 -s 1500 port not 22

While checking the results I could see something was going on: many wp-login.php entries were showing up.

Sample tcpdump output (domain and hostnames changed)

v.G....pPOST /restaurants/wp-login.php HTTP/1.0^M
Host: domain.com^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 30^M
^M
log=admin&pwd=minedoruksay2940
06:15:22.056294 IP host5.domain.com > host6.domain.com48202: Flags [P.], seq 2779525802:2779527849, ack 2761432155, win 3216, options [nop,nop,TS val 166530731 ecr 1994475337], length 2047

I tried stopping apache, mysql and psa, and still some processes were running as the www-data user; the process looked something like the below.

www-data 1258 10.8 1.5 18327 1268 ? Ssl Dec10 129:10 /usr/bin/host 

I took the lsof output of this process and got the culprit (the account) responsible for this attack 🙂 Thanks to the lsof command for giving me the correct location and scripts.

Relevant output from the lsof command

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 username cwd DIR 9,2 4096 60874901 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 username rtd DIR 9,2 4096 2 /
host 20636 username txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 username DEL REG 9,2 60817452 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 username mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 username mem REG 9,2 51728 23855282 /lib/libnss_files-2.11.3.so
host 20636 username mem REG 9,2 12582912 60827148 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg
host 20636 username DEL REG 9,2 60817412 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
cwd : /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js

The above lsof entries mean the attack is being generated from this folder and the scripts are located there.

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so

The above three files are the main hack files, of which bruteforce.so was not present on the server at that time: it was removed soon after the attack was initiated.

To fix this, I removed the entire "js" folder and then killed all these processes. I also asked the client to remove the plugin. It would be good if we could remove the host binary (/usr/bin/host) as well. If it is still there, they can come back with the attack and ruin the server's reputation within a few hours.
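The two clues that located the worker in the lsof output above were its working directory (FD "cwd") sitting inside a web root, and the "DEL" entries showing that the shared objects it had loaded were unlinked afterwards. The script below is an added example, not something from the post, that applies that reasoning to saved lsof output so the check can be repeated on every process of the web user. The sample lsof lines are constructed to mirror the post's findings; host names, PIDs and paths are invented. The sshd entry is there deliberately: a deleted library mapped by a daemon after a package upgrade is normal, so a "DEL" entry alone is not enough to flag a process.

```shell
#!/bin/sh
# Added example, not from the post: flag processes that show both signs the
# author used to find the brute-force worker, a working directory under the
# web root and mapped files that were deleted after loading (FD "DEL").

# Sample `lsof -n` output, constructed (names, PIDs and paths are invented).
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 webuser cwd DIR 9,2 4096 60874901 /var/www/vhosts/example.com/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 webuser txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 webuser DEL REG 9,2 60817452 /var/www/vhosts/example.com/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 webuser mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 webuser DEL REG 9,2 60817412 /var/www/vhosts/example.com/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
apache2 1100 www-data cwd DIR 9,2 4096 2 /
apache2 1100 www-data txt REG 9,2 550000 1234 /usr/sbin/apache2
sshd 900 root cwd DIR 9,2 4096 2 /
sshd 900 root DEL REG 9,2 5678 /lib/old-libcrypto.so'

# Read lsof output on stdin and print one line per suspicious PID:
#   PID COMMAND CWD DELETED-FILE...
# $1 is the web root prefix (e.g. /var/www). Paths containing spaces are not
# handled, since the NAME column is taken as the last whitespace field.
suspicious_pids() {
    awk -v root="$1" '
        NR == 1 { next }                       # skip the lsof header line
        $4 == "cwd" && index($NF, root) == 1 { cwd[$2] = $NF; cmd[$2] = $1 }
        $4 == "DEL"                           { del[$2] = del[$2] " " $NF }
        END {
            for (pid in cwd)
                if (pid in del)
                    print pid, cmd[pid], cwd[pid] del[pid]
        }'
}

# Demo on the constructed sample; live use (as root) would be
#   lsof -n -u www-data | suspicious_pids /var/www
printf '%s\n' "$LSOF_SAMPLE" | suspicious_pids /var/www
```

The output names the PID to kill and, more importantly, the directory to clean up and the plugin it lives under; as the post notes, the dropped .so files may already be gone from disk by the time you look, which is precisely why the "DEL" column is the thing to key on.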

17Jul/14

Product images not working and giving “Warning: Creating default object from empty value” Error

Yesterday there was an issue with a WordPress installation. None of the product images were working, and opening an image directly in the browser showed the errors below

==================
Warning: Creating default object from empty value in /home/wp-user/public_html/wp-content/plugins/shopp/core/model/Asset.php on line 123

Warning: Cannot modify header information – headers already sent by (output started at /home/wp-user/public_html/wp-content/plugins/shopp/core/model/Asset.php:123) in /home/wp-user/public_html/wp-content/plugins/shopp/core/model/Asset.php on line 199

Warning: Cannot modify header information – headers already sent by (output started at /home/wp-user/public_html/wp-content/plugins/shopp/core/model/Asset.php:123) in /home/wp-user/public_html/wp-content/plugins/shopp/core/model/Asset.php on line 200


09Jul/14

Find domains targeted by WordPress brute-force attacks in Plesk

The following script gives an overview of all the domains and the corresponding number of hits to the WordPress login page. By analysing the result, you will be able to find which domains are facing a brute-force attack.


for dom in $(ls /var/www/vhosts/); do
    log=/var/www/vhosts/$dom/statistics/logs/access_log
    if [ -f "$log" ]; then
        # count every request for the login page in this domain's access log
        COUNT=$(grep -c wp-login.php "$log")
        echo "$dom:$COUNT"
    fi
done | sort -n -t ":" -k 2 -r

29Jan/14

Blocking malicious bots from accessing your website

It is always a nuisance when unnecessary bots start hitting your website. They increase the CPU load on your server and may cause MySQL overhead as well, if your website is driven by a database. Although bot access is supposed to be controlled using the robots.txt file, most malicious bots do not honor the rules defined there. The most reputable crawlers (like Googlebot) can be controlled through robots.txt or the webmaster tools, but for the rest of the bots the best bet is to block them if they are hitting your website hard.

Following is a sample .htaccess rule that blocks a specific bot from accessing your website.

RewriteEngine On
SetEnvIfNoCase User-Agent "BOT" bad_agent
Deny from env=bad_agent

Please note that you should replace "BOT" with the corresponding bot's name as it appears in the User-Agent string. For example, the following lines show the User-Agent strings of Bingbot and Baiduspider.

Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

So to block the above two bots, we can add the following lines to .htaccess file of the respective website.

RewriteEngine On
SetEnvIfNoCase User-Agent "bingbot/2.0" bad_agent
SetEnvIfNoCase User-Agent "Baiduspider/2.0" bad_agent
Deny from env=bad_agent

In this way, add a "SetEnvIfNoCase" line with the corresponding bot name before the "Deny from" entry for each bot you want to block, and that will do the trick.
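Both the Plesk one-liner in the previous post and the .htaccess rules above start from the same question: what does the access log say is hitting the site hardest? The script below is an added example, not code from either post, that answers it for an Apache combined-format log: which client IPs are POSTing to wp-login.php, which User-Agents account for the traffic, and how many of the logged requests a candidate SetEnvIfNoCase pattern would actually match before you put it in .htaccess. It also reproduces the per-domain wp-login.php count for a Plesk-style vhosts tree without parsing `ls -l`. The log lines and the directory layout used in the test are constructed; the IP addresses are from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from either post: summarise a combined-format access log
# for brute-force and bot traffic. Sample log lines below are constructed.
LOG_SAMPLE='198.51.100.7 - - [09/Jul/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
198.51.100.7 - - [09/Jul/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
198.51.100.7 - - [09/Jul/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
198.51.100.8 - - [09/Jul/2014:10:00:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"
203.0.113.5 - - [09/Jul/2014:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.9 - - [09/Jul/2014:10:01:30 +0000] "GET / HTTP/1.1" 200 6040 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.0.2.10 - - [09/Jul/2014:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/35.0"'

# POSTs to wp-login.php per client IP, busiest first ("count ip").
# A GET of the login page is a human; repeated POSTs are the brute-force sign.
wp_login_posts_by_ip() {
    printf '%s\n' "$1" | awk '$6 == "\"POST" && $7 ~ /wp-login\.php/ { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Requests per User-Agent (the 6th double-quote-delimited field), busiest first.
hits_by_user_agent() {
    printf '%s\n' "$1" | awk -F'"' '{ n[$6]++ } END { for (ua in n) print n[ua] "\t" ua }' | sort -rn
}

# Number of logged requests a SetEnvIfNoCase User-Agent pattern $2 would match
# (case-insensitive extended regex, as the directive matches). Exit 1 if none.
ua_pattern_matches() {
    printf '%s\n' "$1" | awk -F'"' '{ print $6 }' | grep -ciE "$2"
}

# Per-vhost wp-login.php hit counts for a Plesk-style layout
# ($1/<domain>/statistics/logs/access_log), busiest domain first.
wp_login_hits_per_vhost() {
    root=$1
    for logf in "$root"/*/statistics/logs/access_log; do
        [ -f "$logf" ] || continue
        dom=${logf#"$root"/}
        dom=${dom%%/*}
        printf '%s:%s\n' "$dom" "$(grep -c 'wp-login.php' "$logf")"
    done | sort -t: -k2 -rn
}

# Demo on the constructed sample.
echo "wp-login.php POSTs by IP:";   wp_login_posts_by_ip "$LOG_SAMPLE"
echo "hits by User-Agent:";         hits_by_user_agent "$LOG_SAMPLE"
echo "requests a bingbot/Baiduspider block would match:"
ua_pattern_matches "$LOG_SAMPLE" 'bingbot/2.0|Baiduspider/2.0'
```

On a real server pass the log contents in with `wp_login_posts_by_ip "$(cat /var/www/vhosts/example.com/statistics/logs/access_log)"` (the path is the Plesk layout from the previous post). The pattern check is the useful pre-flight for the .htaccess rule: if `ua_pattern_matches` reports that a pattern also catches the browser User-Agents in your log, it is too broad to deploy.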

17Jun/13

WordPress – Some quick notes!

What is WordPress?

WordPress is a well-known PHP-based CMS with a MySQL back-end, mostly used to build blogs. In addition to blogs, WordPress is commonly used to build websites as well. Even though WordPress was built as blog software, it is very flexible and we can build beautiful websites with it. There are millions of WordPress-powered websites on the Internet now. It has a built-in plug-in architecture and a template system.

Features

1. Customization :- As WordPress is built on and operates through a template system, it provides lots of scope to customize your web pages.

2. Dashboard :- The WordPress dashboard is quite nice and very user friendly. Among the other CMSes available in the market it is very simple but powerful, and can be managed easily even by a newbie.

3. Themes :- We can easily switch WordPress themes. There are thousands of themes available in the market, both free and paid. As it is a very popular application, your search for a good theme will end in a good result.

4. Plugins :- Plugin support is another big advantage of WordPress. You can find plugins for almost all of your needs. Due to its wide user base, plugin development and maintenance is very active in the community.
