Changes

Add a custom (text/html) widget from the widgets to put in the 'Contact Us' and social media icons.
== Requirements Styling ==
== Design ==
The styling involves LOTS of changes to various php and (some) css files. Generally, if you see a file with a .bak extension then changes have been made to it. The changes were too extensive to document.
== Styling ==
=== Header===
=== Sidebar ===
=== Image Uploads ===
 
*Images uploaded, both attached to posts and unattached, are added to the media library.
*They are categorized in the backend per the month and the year in which they are uploaded.
** find images from Creative Commons
** add these images for each post - the Pixabay button can be seen next to the Add Media button on the create post screen.
 
=== Content ===
=== Footer ===
=== Blog Posts ===
====Titles====
==== Author Info ====
== Usability Features ==
===RSS===
===Subscription Rules===
 
== User Accounts ==
==Adding plugins==
*https://help.ubuntu.com/lts/serverguide/ftp-server.html
*http://askubuntu.com/questions/666858/vsftpd-service-will-not-start-for-14-04
 
==Upgrading the blog==
 
===Pharma Hack===
 
We were hacked on or before October 4th 2017. It looked like a variant of the Pharma Hack. See:
*https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
*https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
*http://www.digitaltap.tv/featured-content/fixing-the-wordpress-pharma-hack/
 
This was consistent with the results of the following Google search:
 inurl:mcnair.bakerinstitute.org cheap viagra or cheap cialis
 
But from /var/lib/wordpress, running
 grep -r "wp_class_support"
returns no results!
 
Checking the files:
 cd /var/lib/wordpress
 ls -alt

produced several anomalous timestamps:
 drwxr-xr-x 6 www-data root 4096 Oct 18 14:23 wp-content
 -rwxr-xr-x 1 www-data root 418 Oct 4 06:16 index.php
 -rwxr-xr-x 1 www-data root 1627 Oct 4 06:16 wp-blog-header.php
 
In wp-includes we also have (despite the directory itself having an older modification stamp):
 -rwxr-xr-x 1 www-data root 619 Sep 20 04:08 version.php
 -rwxr-xr-x 1 www-data root 144389 Sep 20 04:08 class-wp-customize-manager.php
 -rwxr-xr-x 1 www-data root 65677 Sep 20 04:08 script-loader.php
 -rwxr-xr-x 1 www-data root 95866 Sep 20 04:08 wp-db.php
 -rwxr-xr-x 1 www-data root 43847 Sep 20 04:08 embed.php

To see the full timestamps (access, modify, change) of the two suspicious files:
 stat index.php
 stat wp-blog-header.php
 
index.php contains:
*define('WP_USE_THEMES', true);
*require( dirname( __FILE__ ) . '/wp-blog-header.php' );
 
wp-blog-header.php contains:
*All sorts of dodgy-looking redirect code for images, including the string:
**base64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
**base64 decoded: http://domforultradors.com/?
 
'''Which confirmed a malware issue:'''
*https://malware.expert/malware/wordfence-security-plugin/
 
The .htaccess file in the wp-content/uploads directory contains:

 <FilesMatch "(?<!1388019941)\.php$">
 Order Allow,Deny
 Deny from all
 
Both wp-content/themes and wp-content/plugins carry an Oct 18 date, but their subdirectories have older dates and seem clean. The uploads directory 2017/10 carries Oct 4 dates but is empty. This is consistent with a numerically named PHP file (the one name the .htaccess rule above exempts from "Deny from all") being executed from there and then deleted.
 
According to the malware report it should target two additional files. We don't have Wordfence, so only one is relevant:
 locate wfScanEngine.php
 locate class-wp-upgrader.php
 /home/mcnair/Downloads/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress_bak/wp-admin/includes/class-wp-upgrader.php
 -rwxr-xr-x 1 www-data root 34995 Oct 4 06:16 class-wp-upgrader.php

This file does indeed show signs of infection!
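As an added example (not from this wiki page, and not a tool the page's authors used), the following POSIX sh helpers automate the triage steps used above: listing PHP files newer than a reference timestamp, pulling out and decoding long base64 literals like the one in wp-blog-header.php, spotting an uploads .htaccess whose FilesMatch exempts a single script name from "Deny from all", and diffing the live tree against a pristine copy of the same WordPress version (as is kept under Downloads here). The sample tree it builds under mktemp is constructed and harmless: the base64 literal encodes http://example.com/?, the file names and dates only mimic the pattern seen above, and the exempted name 1388019941 is reused solely to match the rule quoted above.

```sh
#!/bin/sh
# Added example for WordPress compromise triage; all paths and sample data are constructed.

# Append '=' padding so that unpadded base64 tokens (common in injected code) decode with base64 -d.
pad_b64() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s"
}

# Print every long base64-looking literal in FILE with its decoding, one "<token><TAB><decoded>" per line.
# Non-printable bytes in the decoding are replaced by '.' so the output is safe to read in a terminal.
decode_b64_literals() {
    grep -oE '[A-Za-z0-9+/]{20,}={0,2}' "$1" | while IFS= read -r tok; do
        dec=$(pad_b64 "$tok" | base64 -d 2>/dev/null | tr -c '[:print:]' '.')
        [ -n "$dec" ] || dec='(undecodable)'
        printf '%s\t%s\n' "$tok" "$dec"
    done
}

# List PHP files under DIR modified more recently than reference file REF (the "anomalous timestamp" check).
find_php_newer_than() {
    find "$1" -name '*.php' -newer "$2" | sort
}

# Find .htaccess files whose FilesMatch uses a negative lookbehind to exempt one script name
# from a deny rule; print "<path><TAB><exempted name>".
find_htaccess_exceptions() {
    find "$1" -name .htaccess -exec grep -lF '(?<!' {} + | while IFS= read -r f; do
        name=$(sed -n 's/.*(?<!\([^)]*\)).*/\1/p' "$f" | head -n 1)
        printf '%s\t%s\n' "$f" "$name"
    done
}

# Compare a live tree against a pristine copy of the same version: lists changed and extra files.
diff_against_clean() {
    diff -rq "$1" "$2" | sort
}

# Build a constructed sample tree (NOT real infected files) under a temp dir and print its path:
# a clean copy, a live copy with one altered file, and an uploads .htaccess shaped like the one above.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/live/wp-content/uploads"
    for t in clean live; do
        printf '%s\n' '<?php' "define('WP_USE_THEMES', true);" \
            "require( dirname( __FILE__ ) . '/wp-blog-header.php' );" > "$d/$t/index.php"
        printf '%s\n' '<?php' 'require_once( dirname( __FILE__ ) . "/wp-load.php" );' > "$d/$t/wp-blog-header.php"
    done
    # Constructed redirect payload: the literal is just base64 of a harmless example URL.
    b64=$(printf '%s' 'http://example.com/?' | base64)
    printf '%s\n' "\$u = base64_decode('$b64');" 'header("Location: $u");' >> "$d/live/wp-blog-header.php"
    printf '%s\n' '<FilesMatch "(?<!1388019941)\.php$">' 'Order Allow,Deny' 'Deny from all' '</FilesMatch>' \
        > "$d/live/wp-content/uploads/.htaccess"
    # Timestamps mimic the pattern above: core files from a Sept 20 update, one file touched Oct 4,
    # and a reference stamp dated Oct 1 to compare against.
    touch -t 201709200408 "$d/live/index.php" "$d/clean/index.php" "$d/clean/wp-blog-header.php"
    touch -t 201710040616 "$d/live/wp-blog-header.php"
    touch -t 201710010000 "$d/ref_stamp"
    printf '%s\n' "$d"
}

# Stand-alone demo: build the sample tree and run each check against it.
demo() {
    d=$(build_sample_tree)
    echo "# PHP files newer than the reference stamp:"; find_php_newer_than "$d/live" "$d/ref_stamp"
    echo "# base64 literals in the altered file:"; decode_b64_literals "$d/live/wp-blog-header.php"
    echo "# .htaccess exemptions:"; find_htaccess_exceptions "$d/live"
    echo "# differences from the clean copy:"; diff_against_clean "$d/clean" "$d/live"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh triage.sh demo` to see the four checks against the constructed tree; on a real server, point `find_php_newer_than` at the install root with a reference file touched to the last known-good update date, and `diff_against_clean` at a freshly downloaded copy of the exact same WordPress version, since any version mismatch will drown the real differences in noise.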
 
===Upgrading Ubuntu's packages===
 
To start, upgrade Ubuntu's packages so that everything is fresh and new:
 apt-get update
 apt-get upgrade
(you may need to run a separate dpkg --configure -a if the upgrade complains about interrupted dpkg operations)
 
If you have to upgrade grub, the correct drives are sda and sdb. See the bottom of [[Web_Server_Documentation#Configuring_RAID_1_on_Web_Server_.282.2F17.2F2016.29]].
 
===Finding the backdoor===
 
 
 
[[Category: McNair Admin]]
