
Check that the FTP server is listening:
 netstat -lnt
Assuming all is good with the FTP server, we now need to update WordPress.

===Turning the FTP server on and off===
To stop the FTP server loading at boot:
 service vsftpd stop
 mv /etc/init/vsftpd.conf /etc/init/vsftpd.conf.stop
To start the service, restore the conf file first:
 mv /etc/init/vsftpd.conf.stop /etc/init/vsftpd.conf
 service vsftpd start
(On Upstart-based releases such as Ubuntu 14.04, the supported alternative to renaming the job file is an override file, /etc/init/vsftpd.override, containing the single word manual: the job is then ignored at boot but can still be started by hand.)
==Update WordPress==
Add a custom Text/HTML widget from the Widgets screen to hold the 'Contact Us' link and the social media icons.
== Requirements Styling ==
== Design ==
The styling involves LOTS of changes to various PHP and (some) CSS files. Generally, if you see a file with a .bak extension, then its non-.bak counterpart has been modified. The changes were too extensive to document.
== Styling ==
=== Header===
=== Sidebar ===
=== Image Uploads ===
 
*Images uploaded, both attached to posts and unattached, are added to the media library.
*They are categorized in the backend by the month and year in which they were uploaded.
*Find images from Creative Commons.
*Add these images to each post: the Pixabay button can be seen next to the Add Media button on the create-post screen.
 
=== Content ===
=== Footer ===
=== Blog Posts ===
====Titles====
==== Author Info ====
== Usability Features ==
===RSS===
===Subscription Rules===
 
== User Accounts ==
==Adding plugins==
*http://askubuntu.com/questions/666858/vsftpd-service-will-not-start-for-14-04
==Upgrading the blog==

===Pharma Hack===
We were hacked on or before October 4th 2017. It looked like a variant of the Pharma Hack. See:
*https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
*https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
*http://www.digitaltap.tv/featured-content/fixing-the-wordpress-pharma-hack/

This was consistent with searching the following in Google:
 inurl:mcnair.bakerinstitute.org cheap viagra or cheap cialis
But from /var/lib/wordpress
 grep -r "wp_class_support"
returns no results! So the file system had to be inspected directly.

===Identified Malware===
Checking the files:
 cd /var/lib/wordpress
 ls -alt
produced several anomalous timestamps:
 drwxr-xr-x 6 www-data root   4096 Oct 18 14:23 wp-content
 -rwxr-xr-x 1 www-data root    418 Oct  4 06:16 index.php
 -rwxr-xr-x 1 www-data root   1627 Oct  4 06:16 wp-blog-header.php
wp-includes also has the following files dated Sep 20 (despite the directory itself having an older modification stamp); for now let's treat these as irrelevant:
 -rwxr-xr-x 1 www-data root    619 Sep 20 04:08 version.php
 -rwxr-xr-x 1 www-data root 144389 Sep 20 04:08 class-wp-customize-manager.php
 -rwxr-xr-x 1 www-data root  65677 Sep 20 04:08 script-loader.php
 -rwxr-xr-x 1 www-data root  95866 Sep 20 04:08 wp-db.php
 -rwxr-xr-x 1 www-data root  43847 Sep 20 04:08 embed.php
Check the exact timestamps with:
 stat index.php
 stat wp-blog-header.php
index.php contains:
*define('WP_USE_THEMES', true);
*require( dirname( __FILE__ ) . '/wp-blog-header.php' );
wp-blog-header.php contains:
*all sorts of dodgy-looking code, including redirects for images with:
**base64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
**base64 decoded: http://domforultradors.com/?
(The quickest way to confirm whether a core file has been tampered with is to diff it against the same file in /var/lib/wordpress_bak/.)

'''This confirmed a malware issue:'''
*https://malware.expert/malware/wordfence-security-plugin/

The .htaccess file in the wp-content/uploads directory contains:
 <FilesMatch "(?<!1388019941)\.php$">
 Order Allow,Deny
 Deny from all
The negative lookbehind means every .php file in uploads/ is denied except one whose name ends in 1388019941: the rule whitelists a single numerically named script.

Both wp-content/themes and wp-content/plugins have an Oct 18 date on them, but both have subdirectories with older access dates and seem clean. The directory 2017/10 has Oct 4th dates on it but is empty. This is consistent with a numerically named PHP file (the one the .htaccess rule allows) being executed from here and then deleted.

According to the malware report it should target two additional files. We don't have WordFence, so only one is relevant:
 locate wfScanEngine.php
 locate class-wp-upgrader.php
 /home/mcnair/Downloads/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress_bak/wp-admin/includes/class-wp-upgrader.php
 -rwxr-xr-x 1 www-data root  34995 Oct  4 06:16 class-wp-upgrader.php
This file does indeed show signs of infection!

===Upgrading Ubuntu's packages===
To start, upgrade Ubuntu's packages so that everything is fresh and new:
 apt-get update
 apt-get upgrade
(You may need to run a separate dpkg --configure -a first.) If you have to upgrade grub, the correct drives are sda and sdb. See the bottom of [[Category: InternalWeb_Server_Documentation#Configuring_RAID_1_on_Web_Server_.282.2F17.2F2016.29]].

===Finding the backdoor===
It really isn't clear how this thing got in, beyond being in the uploads directory at some point and having enough permissions to create the .htaccess file that it left behind. Most likely we had a vulnerable plugin. There are no anomalous user accounts, but we should delete and clean up anyway.

===The Plan===
*Fixed corrupted files by copying clean versions over them from /var/lib/wordpress_bak/ (after confirming the backup copies themselves are unmodified)
*Renamed the dodgy .htaccess file
*Turned on the FTP server
*Upgraded WordPress and its plugins. Note: DO NOT UPDATE THEMES!!!
*Turned off the FTP server
*Locked down directory permissions more tightly (see below)
*Removed disused user accounts (any contributions reassigned to Anne Dayton)
*Changed all users to the Author role, except Tay (Editor), leaving just Ed and Anne as Administrators
I also installed the delete-all-comments-easily plugin and easily deleted the enormous queue of junk comments.
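The three checks done by hand under "Identified Malware" (files touched after a trusted reference timestamp, base64 blobs that decode to a redirect URL, and a FilesMatch rule that denies every PHP file except one) can be scripted. The following is an added example, not a script from the original page or from any of the linked write-ups; it works on text so it runs offline, and the SAMPLE_* inputs are constructed to match the shapes shown above (the .htaccess sample includes the closing tag the excerpt omits).

```python
"""Added triage helpers for the signs of compromise listed above.
Works on text; SAMPLE_* inputs are constructed, not copied from the server."""
import base64
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed `ls -l` lines in the shape shown above.
SAMPLE_LISTING = """\
-rwxr-xr-x 1 www-data root    619 Sep 20 04:08 version.php
-rwxr-xr-x 1 www-data root    418 Oct  4 06:16 index.php
-rwxr-xr-x 1 www-data root   1627 Oct  4 06:16 wp-blog-header.php
-rwxr-xr-x 1 www-data root  34995 Oct  4 06:16 class-wp-upgrader.php
"""

# Constructed stand-in for an injected redirect (the blob is the one quoted above).
SAMPLE_PHP = """<?php
$u = base64_decode('aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw');
header("Location: $u");
"""

# Constructed .htaccess in the shape found in wp-content/uploads.
SAMPLE_HTACCESS = r"""<FilesMatch "(?<!1388019941)\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
"""


def parse_listing(text, year=2017):
    """Map file name -> mtime from `ls -l` output. ls prints no year for
    recent files, so the caller supplies it (2017 assumed here)."""
    mtimes = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0][0] not in "-d":
            continue
        month, day, clock, name = parts[5], parts[6], parts[7], parts[8]
        if ":" in clock:
            hour, minute = (int(x) for x in clock.split(":"))
            mtimes[name] = datetime(year, MONTHS[month], int(day), hour, minute)
        else:  # older entries: ls prints the year in place of the time
            mtimes[name] = datetime(int(clock), MONTHS[month], int(day))
    return mtimes


def modified_after(mtimes, reference):
    """Names with an mtime later than `reference`, a file whose timestamp you
    trust (here version.php from the last legitimate core update)."""
    cutoff = mtimes[reference]
    return sorted(name for name, t in mtimes.items() if t > cutoff)


B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_b64_blobs(text):
    """Find long base64 runs, restore the padding that droppers often strip,
    and return (blob, plaintext) pairs whose plaintext is printable ASCII."""
    found = []
    for blob in B64_RUN.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append((blob, raw.decode("ascii")))
    return found


FILESMATCH = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S)


def selective_php_denies(htaccess):
    """Patterns that deny PHP but carve out an exception with a lookaround:
    a 'deny all but mine' rule is a whitelist for someone's dropper."""
    return [pattern for pattern, body in FILESMATCH.findall(htaccess)
            if "deny from all" in body.lower()
            and ("(?<!" in pattern or "(?!" in pattern)]


def php_executable(pattern, filename):
    """Under `Deny from all`, a file is served only if it does NOT match the
    FilesMatch pattern; Python's re and PCRE agree on fixed-width lookbehind."""
    return re.search(pattern, filename) is None


def triage(listing, reference, php_text, htaccess):
    """Run all three checks and return one report dict."""
    return {
        "modified_after_reference": modified_after(parse_listing(listing), reference),
        "decoded_blobs": decode_b64_blobs(php_text),
        "selective_php_denies": selective_php_denies(htaccess),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, "version.php", SAMPLE_PHP, SAMPLE_HTACCESS)
    for key, value in report.items():
        print(key, value)
    for rule in report["selective_php_denies"]:
        for name in ("1388019941.php", "shell.php"):
            print(name, "executable" if php_executable(rule, name) else "denied")
```

On a live tree, feed parse_listing the output of ls -l --time-style=+%b\ %e\ %H:%M (or just parse the actual stat results) and point decode_b64_blobs at each file modified_after returns; base64 runs that decode to a URL or to more PHP are the ones to read by hand.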
===Changing permissions===
I used the shared server config found here: https://www.smashingmagazine.com/2014/05/proper-wordpress-filesystem-permissions-ownerships/

From the WordPress dir run:
 sudo find . -type f -exec chmod 644 {} +
 sudo find . -type d -exec chmod 755 {} +
 sudo chmod 600 wp-config.php
(The 600 on wp-config.php only works because the files are owned by www-data, the user PHP runs as; if ownership ever changes, the site will stop reading its config.) Image upload was tested and worked fine, and a new plugin was also installed fine.

===Installing WordFence===
I also installed the free version of WordFence. It wouldn't have stopped our last malware, most likely, but it should stop at least some of the future annoyances. I went with the basic config. The notifications are sent to mcnair@rice.edu.

===Still to do===
We should consider some extra hardening! See, for example, https://codex.wordpress.org/Hardening_WordPress

That we really can't update our theme is an ongoing issue...

[[Category: Internal Resources| McNair Admin]]
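The find/chmod commands under "Changing permissions" apply the policy but do not tell you afterwards whether anything deviates from it. The following is an added example (not a script from the original page) that audits a WordPress tree against that policy (files 644, directories 755, wp-config.php 600), flags world-writable entries first, and can apply the fix; the demo tree it builds in a temporary directory is constructed for the example, and the real root is whatever path you pass in.

```python
"""Added permission audit for the policy used above: files 644, directories
755, wp-config.php 600. The demo tree is constructed; pass a real root to audit."""
import os
import stat
import sys
import tempfile

FILE_MODE, DIR_MODE, CONFIG_MODE = 0o644, 0o755, 0o600
CONFIG_NAME = "wp-config.php"


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return CONFIG_MODE if os.path.basename(path) == CONFIG_NAME else FILE_MODE


def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) for every
    entry that deviates. Symlinks are skipped (lstat), so a link pointing
    outside the tree is never chmod'ed through."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return sorted(findings)


def world_writable(findings):
    """Subset of findings anyone on the box could write to: fix these first."""
    return [f for f in findings if f[1] & 0o002]


def apply_permissions(root):
    """Same effect as the find/chmod commands above; returns entries changed."""
    findings = audit_permissions(root)
    for rel, _actual, want in findings:
        os.chmod(os.path.join(root, rel), want)
    return len(findings)


def demo_tree():
    """Constructed tree with deliberately wrong modes, so the audit has
    something to report when run offline."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                      # world-writable upload dir
    for rel, mode in [("index.php", 0o755),       # executable bit nobody needs
                      ("wp-config.php", 0o644),   # secrets readable by others
                      ("wp-content/uploads/x.php", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else demo_tree()
    for rel, actual, want in audit_permissions(root):
        print(f"{rel}: {actual:o} -> {want:o}")
    if "--fix" in sys.argv:
        print("changed", apply_permissions(root))
```

Run it as root against /var/lib/wordpress (read-only by default, --fix to apply) after every plugin install or upgrade, since those are exactly the operations that recreate files with whatever umask the web server happens to have.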
