McNair Center Wordpress blog
== Requirements ==
Log in to: http://www.mcnaircenter.org/blog/wp-admin/
== Design ==

== Install FTP server ==
Log in and sudo su yourself, then:
 apt-get install vsftpd
Man page for the vsftpd.conf file: http://vsftpd.beasts.org/vsftpd_conf.html

Securing the FTP: https://help.ubuntu.com/lts/serverguide/ftp-server.html

== Configuration ==
Edit /etc/vsftpd.conf (note that the next restart will reflect changes in /etc/init):
 #add at the end of the file:
 listen_port=26
'''Generate keys for our website''' with the following command:
 openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Texas
 Locality Name (eg, city) []:Houston
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:McNair Center at Rice University's Baker Institute
 Organizational Unit Name (eg, section) []:
 Common Name (e.g. server FQDN or YOUR name) []:McNair Center
 Email Address []:admin@mcnaircenter.org
Edit /etc/vsftpd.conf again:
 #change the lines as follows:
 rsa_cert_file=/etc/vsftpd.pem
 rsa_private_key_file=/etc/vsftpd.pem
 write_enable=YES
 chroot_local_user=YES
 chroot_list_enable=YES
 chroot_list_file=/etc/vsftpd.chroot_list
 ssl_enable=YES
Edit /etc/vsftpd.chroot_list to contain a list of usernames (e.g., ravali).

Restart the server:
 service vsftpd restart
The FTP server should be accessible. Beware local packet shaping. Connect through mcnaircenter.org:26. Otherwise, check that the process is running and listening:
 ps aux
 netstat -lnt
Assuming all is good with the FTP server, we now need to update Wordpress.
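As an added example (not a script from this page or from the McNair Center), the following audit reads a vsftpd.conf like the one configured above and reports the settings that matter most for a server exposed on a public port. The two config files and the placeholder .pem files are constructed inside the script so it runs offline; the values it assumes when a key is absent (anonymous_enable=YES, ssl_enable=NO, chroot_local_user=NO, force_local_logins_ssl=YES, force_local_data_ssl=YES, rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem) are vsftpd's documented defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): audit a vsftpd.conf for the settings
# the Configuration section depends on. Defaults assumed when a key is absent
# are vsftpd's documented defaults: anonymous_enable=YES, ssl_enable=NO,
# chroot_local_user=NO, force_local_logins_ssl=YES, force_local_data_ssl=YES.
set -u
umask 022

# vsftpd_get KEY FILE DEFAULT: last value of KEY in FILE, or DEFAULT if unset.
# vsftpd.conf is one "key=value" per line; lines starting with '#' are comments.
vsftpd_get() {
  local v
  v=$(sed -n -e '/^[[:space:]]*#/d' -e "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1)
  printf '%s' "${v:-$3}"
}

# vsftpd_audit FILE: print one finding per line; prints nothing for a clean config.
vsftpd_audit() {
  local f=$1 cert key
  [ "$(vsftpd_get anonymous_enable "$f" YES)" = NO ] ||
    echo "anonymous_enable is not NO (vsftpd defaults to YES): anonymous logins allowed"
  [ "$(vsftpd_get ssl_enable "$f" NO)" = YES ] ||
    echo "ssl_enable is not YES: passwords and file data travel in clear text"
  [ "$(vsftpd_get chroot_local_user "$f" NO)" = YES ] ||
    echo "chroot_local_user is not YES: users can browse outside their home directory"
  [ "$(vsftpd_get force_local_logins_ssl "$f" YES)" = YES ] ||
    echo "force_local_logins_ssl=NO: clients may log in without TLS"
  [ "$(vsftpd_get force_local_data_ssl "$f" YES)" = YES ] ||
    echo "force_local_data_ssl=NO: transfers may run without TLS"
  # The page keeps cert and private key in one .pem, so that file must not be world-readable.
  cert=$(vsftpd_get rsa_cert_file "$f" /usr/share/ssl/certs/vsftpd.pem)
  key=$(vsftpd_get rsa_private_key_file "$f" "$cert")
  if [ -f "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
    echo "$key is world-readable but holds the private key: chmod 600 it"
  fi
}

# --- Constructed sample input (placeholders, not the real server's files) ---
TMP=$(mktemp -d)
printf 'placeholder, not a real key\n' > "$TMP/weak.pem"; chmod 644 "$TMP/weak.pem"
printf 'placeholder, not a real key\n' > "$TMP/good.pem"; chmod 600 "$TMP/good.pem"

# A config that only changed the port and key paths, as a first attempt might.
WEAK_CONF=$TMP/weak.conf
cat > "$WEAK_CONF" <<EOF
listen=YES
listen_port=26
local_enable=YES
write_enable=YES
rsa_cert_file=$TMP/weak.pem
rsa_private_key_file=$TMP/weak.pem
EOF

# The settings the Configuration section arrives at, on top of Ubuntu's shipped defaults.
GOOD_CONF=$TMP/good.conf
cat > "$GOOD_CONF" <<EOF
listen=YES
listen_port=26
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=YES
rsa_cert_file=$TMP/good.pem
rsa_private_key_file=$TMP/good.pem
EOF

echo "== weak.conf =="; vsftpd_audit "$WEAK_CONF"
echo "== good.conf =="; vsftpd_audit "$GOOD_CONF"
echo "listen_port in good.conf: $(vsftpd_get listen_port "$GOOD_CONF" 21)"
```

Run it against the real file with `vsftpd_audit /etc/vsftpd.conf` after sourcing the functions. Two caveats the audit cannot see: the 1024-bit RSA key generated above is below what current OpenSSL and clients accept, so rsa:2048 or larger is the usual floor today, and a self-signed certificate means clients must pin or accept it explicitly.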
=== Turning the FTP server on and off ===
To stop the FTP server loading at boot:
 service vsftpd stop
 mv /etc/init/vsftpd.conf /etc/init/vsftpd.conf.stop
To start the service, restore the conf file first:
 mv /etc/init/vsftpd.conf.stop /etc/init/vsftpd.conf
 service vsftpd start

== Update Wordpress ==
First make a copy of the wordpress folder and database:
 cp -R /var/lib/wordpress/ /var/lib/wordpress_bak
 mysqldump -u mcnair_wp -p wordpress > backup_12Aug2016.sql
(enter the password for the database, found in wp-config.php)

Change the permissions on everything in the wordpress folder and make www-data its owner:
 chown -R www-data /var/lib/wordpress
 chmod -R 755 /var/lib/wordpress
Browse to 128.42.44.180/blog/wp-admin and click update now. Enter:
*Hostname: 128.42.44.180:26
*FTP Username: ravali (or some other account)
*FTP Password
*Connection Type: FTPS (SSL)
Leave the Akismet plugin.

Go to Appearance, Themes -> Add New. Choose Accesspress Lite 2.46.7 and Activate. Install all of the recommended plugins that come with the theme.

Check the media library works by uploading a file (e.g., GreenRoundLogo.png).

Create a child theme:
 cd /var/lib/wordpress/wp-content/themes
 mkdir accesspress-lite-child
 vi accesspress-lite-child/style.css
Add in the template from the parent folder's style.css (just the top of the file). Update the theme name and text domain to accesspress-lite-child.
 vi accesspress-lite-child/functions.php
Add in the section that never changes:
 <?php
 function my_theme_enqueue_styles() {
     $parent_style = 'parent-style'; // This is 'twentyfifteen-style' for the Twenty Fifteen theme.
     wp_enqueue_style( $parent_style, get_template_directory_uri() . '/style.css' );
     wp_enqueue_style( 'child-style',
         get_stylesheet_directory_uri() . '/style.css',
         array( $parent_style ),
         wp_get_theme()->get('Version')
     );
 }
 add_action( 'wp_enqueue_scripts', 'my_theme_enqueue_styles' );
 ?>
Check the permissions on the new files:
 chown -R www-data /var/lib/wordpress
 chmod -R 755 /var/lib/wordpress
Activate the child theme! Check out what it looks like: www.mcnaircenter.org/blog

== Customize our theme ==
=== Middle Section ===
The middle area of the blog's home page has three sections:
==== The Twitter Feed ====
This widget will display the top 5 tweets of the McNair Center's twitter account.
*In the Appearance -> Widgets section, the theme has the middle section sidebar.
*Add the AccessPress-lite Twitter feed widget to the middle section sidebar.
*Log into dev.twitter.com with the McNair Center's creds.
*Paste the security keys, consumer keys, etc. identifying the McNair Center API into the form of the widget.
*Set/reset the number of blog posts that are required.
==== Categories ====
This is a built-in widget from wordpress that is being used in this section.
==== Custom Widgets ====
Add a custom (text/html) widget from the widgets to put in the 'Contact Us' and social media icons.
== Styling ==
=== Header ===
=== Sidebar ===
The styling involves LOTS of changes to various php and (some) css files. Generally, if you see a file with a .bak extension then changes have been made to it. The changes were too extensive to document.
=== Image Uploads ===
=== Content ===
=== Footer ===
=== Blog Posts ===
====Titles====
==== Author Info ====
== Usability Features ==
===RSS===
===Subscription Rules===
*Images uploaded, both attached to posts and unattached, are added to the media library.
*They are categorized in the backend per the month and the year in which they are uploaded.
*Plugins involved:
** Enhanced Media Library
*** This plugin allows us to
**** create new categories
**** assign images to categories
**** filter in the media library section by category
** Pixabay
*** This plugin allows us to
**** find images from Creative Commons
**** add these images for each post - the Pixabay button can be seen next to the Add Media button on the create post screen.

== User Accounts ==

== Adding plugins ==
#Check the ftp server is running: ps aux | grep ftp
#Restart the ftp server if not: service vsftpd start
#Go to http://mcnair.bakerinstitute.org/blog/wp-admin/plugin-install.php and choose the plugin

== Useful resources if there are errors ==
Wordpress:
*https://codex.wordpress.org/Upgrading_WordPress_Extended#Step_9:_Run_the_WordPress_upgrade_program
*https://wordpress.org/support/topic/wordpress-45-error-after-update
*https://help.webcontrolcenter.com/kb/a992/vsftpd-ftp-server.aspx
FTP Issues:
*https://help.ubuntu.com/lts/serverguide/ftp-server.html
*http://askubuntu.com/questions/666858/vsftpd-service-will-not-start-for-14-04

== Older notes (from the earlier version of this page) ==
=== Error Logs ===

=== Setup ===
Images:
#Wordpress currently looks for images in a completely different location than the one it is uploading to.
#It also has trouble generating the three standard sizes - thumbnails, etc.
Permissions:

=== Styling ===
==== Child themes ====
*Usage of child themes when creating a custom design with wordpress is recommended.
*Steps to create:
**Create a folder in /var/lib/wordpress/wp-content/themes with the title of your choice.
**Into the newly created folder, add the blog-header.php, style.css and functions.php files from the parent theme's folder to the child theme.
**If the child files are blank, then all the parent theme's corresponding code is preserved.
**Else, if any chunk of code is added to the child theme's file, that code overrides the corresponding code in the parent theme.
**The webkit modules that adjust the display for mobile interfaces are best not changed.
*Once the files are created, add to the child style.css the template section enclosed in '/* ' and '*/' from the parent's style.css file.
*Go to the Wordpress dashboard, login as admin, and add the theme to wordpress (the button should appear on the UI, along with the child theme) in the themes section.

==== Header ====
Header functions changed:
* The default header that comes with twentysixteen has the header set within the same margins that govern the body of the blog.
* We want our header to stretch across the UI like a banner.
* To do so,
** I removed the header from the div classes in the header file.
** I added some div classes around the header so that we could style

==== Sidebar ====
#Addition of text widgets
* We need some text + image based widgets added to the sidebar.
* These can be added with basic html and css (inline) as a text widget to the sidebar.
* Fonts changed to :
* border width reduced

==== Custom menus ====
Custom menus can be created and registered.
Steps:

==== Footer ====

==== Helpful Links ====

=== Installing FTPS Server on Web Servers ===
Objective: Install FTPS server on the web servers on port 26 - test server followed by the production server.

Steps Followed (notes from Aug 2nd):

'''Man page for the vsftpd.conf file''': http://vsftpd.beasts.org/vsftpd_conf.html

Securing the FTP: https://help.ubuntu.com/lts/serverguide/ftp-server.html

'''Customization:'''
'''Change the port:''' add the line to /etc/vsftpd.conf:
 listen_port=26
Restart with the command:
 sudo service vsftpd restart
Check the installation via a browser at the following address: http://128.42.44.22:26

'''Add users''': username: webadmin, password: (redacted)

'''Generate keys for our website''' with the following command:
 openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Add/update the following lines in /etc/vsftpd.conf:
 rsa_cert_file=/etc/vsftpd.pem
 rsa_private_key_file=/etc/vsftpd.pem

'''Adding Users'''

FTP: Files not accessible: add the following to wp-config.php:
 if ( is_admin() ) {
     // Closure in place of the deprecated create_function() used originally.
     add_filter( 'filesystem_method', function ( $method ) { return 'direct'; } );
     define( 'FS_CHMOD_DIR', 0751 );
 }

Back Up: Folders: copy created. Database:
 mysqldump -u mcnair_wp -p wordpress > backup_3Aug2016.sql

Helpful links:
*Update: https://codex.wordpress.org/Upgrading_WordPress_Extended#Step_9:_Run_the_WordPress_upgrade_program
*Error Resolution: https://wordpress.org/support/topic/wordpress-45-error-after-update
*In case of errors, try: https://help.webcontrolcenter.com/kb/a992/vsftpd-ftp-server.aspx
*FTP Issues: https://help.ubuntu.com/lts/serverguide/ftp-server.html
*FTP Issues: http://askubuntu.com/questions/666858/vsftpd-service-will-not-start-for-14-04

== Upgrading the blog ==
=== Pharma Hack ===
We were hacked on or before October 4th 2017. It looked like a variant of the Pharma Hack. See:
*https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
*https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
*http://www.digitaltap.tv/featured-content/fixing-the-wordpress-pharma-hack/

This was consistent with searching the following in Google:
 inurl:mcnair.bakerinstitute.org cheap viagra or cheap cialis

But from /var/lib/wordpress:
 grep -r "wp_class_support"
returns no results!

=== Identified Malware ===
Checking the files:
 cd /var/lib/wordpress
 ls -alt
produced several anomalous timestamps:
 drwxr-xr-x 6 www-data root   4096 Oct 18 14:23 wp-content
 -rwxr-xr-x 1 www-data root    418 Oct  4 06:16 index.php
 -rwxr-xr-x 1 www-data root   1627 Oct  4 06:16

In wp-includes we also have the following (despite the directory having an older mod stamp), but for now let's treat this as irrelevant:
 -rwxr-xr-x 1 www-data root    619 Sep 20 04:08 version.php
 -rwxr-xr-x 1 www-data root 144389 Sep 20 04:08 class-wp-customize-manager.php
 -rwxr-xr-x 1 www-data root  65677 Sep 20 04:08 script-loader.php
 -rwxr-xr-x 1 www-data root  95866 Sep 20 04:08 wp-db.php
 -rwxr-xr-x 1 www-data root  43847 Sep 20 04:08 embed.php

 stat index.php
 stat wp-blog-header.php

index.php contains:
*define('WP_USE_THEMES', true);
*require( dirname( __FILE__ ) . '/wp-blog-header.php' );

wp-blog-header.php contains:
*All sorts of dodgy looking code redirects for images with:
**base64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
**base64 decoded: http://domforultradors.com/?

'''Which confirmed a malware issue:'''
*https://malware.expert/malware/wordfence-security-plugin/

The .htaccess file in the wp-content/uploads directory contains:
 <FilesMatch "(?<!1388019941)\.php$">
 Order Allow,Deny
 Deny from all

*Both wp-content/themes and wp-content/plugins have an Oct 18 date on them. But both have subdirs with older access dates and seem clean. And the directory 2017/10 has Oct 4th dates on it but is empty. This is consistent with a numerically named php file being executed from here and then deleted.

According to the malware report it should target two additional files. We don't have WordFence, so only one is relevant:
 locate wfScanEngine.php
 locate class-wp-upgrader.php
 /home/mcnair/Downloads/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress/wp-admin/includes/class-wp-upgrader.php
 /var/lib/wordpress_bak/wp-admin/includes/class-wp-upgrader.php
 -rwxr-xr-x 1 www-data root 34995 Oct 4 06:16 class-wp-upgrader.php
This file does indeed show signs of infection!

=== Upgrading Ubuntu's packages ===
To start, upgrade Ubuntu's packages so that everything is fresh and new:
 apt-get update
 apt-get upgrade
(maybe need to do a separate dpkg --configure -a)

If you have to upgrade grub, the correct drives are sda and sdb. See the bottom of [[Web_Server_Documentation#Configuring_RAID_1_on_Web_Server_.282.2F17.2F2016.29]].

=== Finding the backdoor ===
It really isn't clear how this thing got in, beyond being in the uploads directory at some point and having enough permissions to create the .htaccess file that it left behind. Most likely we had a vulnerable plugin. There are no anomalous user accounts but we should delete and clean up anyway.

=== The Plan ===
*Fixed corrupted files by copying them over with clean versions from /var/lib/wordpress_bak
*Renamed dodgy .htaccess file
*Turned on the FTP Server
*Upgrade wordpress and its plugins. Note: DO NOT UPDATE THEMES!!!
*Turned off the FTP Server
*Locked down directory permissions more tightly (see below)
*Remove disused user accounts (any contributions set to Anne Dayton)
*Changed permissions of all users to author, except Tay to editor, and left just Ed and Anne as admin

I also installed the delete-all-comments-easily plugin and easily deleted the enormous queue of junk comments.

=== Changing permissions ===
I used the shared server config found here: https://www.smashingmagazine.com/2014/05/proper-wordpress-filesystem-permissions-ownerships/

From the wordpress dir run:
 sudo find . -type f -exec chmod 644 {} +
 sudo find . -type d -exec chmod 755 {} +
 sudo chmod 600 wp-config.php
Image upload was tested and worked fine, and a new plugin was also installed fine.

=== Installing WordFence ===
I also installed the free version of WordFence. It wouldn't have stopped our last malware, most likely, but it should stop at least some of the future annoyances. I went with the basic config. The notifications are sent to mcnair@rice.edu

=== Still to do ===
We should consider some extra hardening! See, for example, https://codex.wordpress.org/Hardening_WordPress

That we really can't update our theme is an ongoing issue.

[[Category:McNair Admin]]
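As an added example (not code from this page or from the McNair Center), the script below turns the manual checks of the Identified Malware and Changing permissions sections into four read-only functions: PHP files embedding a base64 blob that decodes to a URL, .htaccess files that allow exactly one .php file to execute via a negative lookbehind, files modified inside a date window, and drift from the 644/755/600 permission layout. It runs against a constructed sample tree built inside the script (hypothetical files that mimic the page's findings, including the decoded redirect host and the FilesMatch rule quoted above), never the live site; the timestamps and the 24-character minimum for a base64 candidate are assumptions chosen for the sample.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: a read-only scan of a WordPress tree for
# the indicators used during the Pharma Hack clean-up. The tree it scans is
# constructed below (placeholders mimicking the page's findings), not the real site.
set -u
umask 022

# 1. PHP files embedding a base64 blob that decodes to a URL (the redirect in wp-blog-header.php).
find_base64_urls() {  # find_base64_urls ROOT -> "relative/path decoded-url"
  grep -rEo --include='*.php' '[A-Za-z0-9+/]{24,}={0,2}' "$1" | while IFS=: read -r file blob; do
    pad=$(( (4 - ${#blob} % 4) % 4 ))                       # restore '=' padding the author stripped
    blob="$blob$(printf '%*s' "$pad" '' | tr ' ' '=')"
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\0')
    case "$decoded" in
      http://*|https://*) printf '%s %s\n' "${file#"$1"/}" "$decoded" ;;
    esac
  done
}

# 2. .htaccess rules that allow exactly one .php file to run (the negative-lookbehind trick).
find_htaccess_allowlists() {  # find_htaccess_allowlists ROOT
  find "$1" -name .htaccess -exec grep -lE 'FilesMatch.*\(\?<!' {} + | sed -e "s#^$1/##"
}

# 3. Files last modified inside a window, like the Oct 4 06:16 cluster in ls -alt.
find_modified_between() {  # find_modified_between ROOT CCYYMMDDhhmm CCYYMMDDhhmm
  local start end
  start=$(mktemp); end=$(mktemp)
  touch -t "$2" "$start"; touch -t "$3" "$end"
  find "$1" -type f -newer "$start" ! -newer "$end" | sed -e "s#^$1/##"
  rm -f "$start" "$end"
}

# 4. Drift from the 644 / 755 / 600 layout applied in Changing permissions.
audit_permissions() {  # audit_permissions ROOT
  find "$1" -mindepth 1 -type d ! -perm 755 | sed -e "s#^$1/##" -e 's#$# (dir not 755)#'
  find "$1" -type f ! -name wp-config.php ! -perm 644 | sed -e "s#^$1/##" -e 's#$# (file not 644)#'
  find "$1" -maxdepth 1 -name wp-config.php ! -perm 600 | sed -e "s#^$1/##" -e 's#$# (wp-config.php not 600)#'
}

# --- Constructed sample tree (hypothetical content) --------------------------
WP=$(mktemp -d)
mkdir -p "$WP/wp-content/uploads/2017/10" "$WP/wp-admin/includes" "$WP/wp-includes"
printf '<?php\ndefine("WP_USE_THEMES", true);\nrequire( dirname( __FILE__ ) . "/wp-blog-header.php" );\n' > "$WP/index.php"
# Constructed "infected" loader: the base64 redirect string quoted on the page.
printf '<?php\n$u = base64_decode("aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw");\n' > "$WP/wp-blog-header.php"
printf '<?php\n// clean placeholder\n' > "$WP/wp-admin/includes/class-wp-upgrader.php"
printf '<FilesMatch "(?<!1388019941)\\.php$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n' > "$WP/wp-content/uploads/.htaccess"
printf '<?php // constructed config placeholder\n' > "$WP/wp-config.php"
touch -t 201710040616 "$WP/index.php" "$WP/wp-blog-header.php"   # the anomalous cluster
chmod 755 "$WP/index.php" "$WP/wp-blog-header.php"                # executable, as in the listing
chmod 644 "$WP/wp-config.php"                                       # should be 600

echo "== base64 redirects ==";    find_base64_urls "$WP"
echo "== .htaccess allowlists =="; find_htaccess_allowlists "$WP"
echo "== modified Oct 2017 ==";   find_modified_between "$WP" 201710010000 201710310000
echo "== permission drift ==";    audit_permissions "$WP"
```

Point the functions at /var/lib/wordpress to run the same checks on a real tree; they only read, so they are safe to run before any clean-up and again afterwards to confirm the permission layout held. A base64 hit is only a lead: WordPress core and plugins also carry legitimate base64 strings, so decode and read the surrounding code before treating a file as infected.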
