LinuxQuestions.org
Old 07-15-2021, 08:56 PM   #16
buckbuchanan
LQ Newbie
 
Registered: Jul 2021
Posts: 6

Original Poster
Rep: Reputation: Disabled

Thanks for that info. Yeah I hadn't considered a zero day... And you are right that lack of knowledge on my part is probably the root cause.

I'll definitely lock down that file since it seems to be where they are targeting at the moment, and sounds like a few suggesting clamav so I'll give that a go as well.

Thanks again...
 
Old 07-16-2021, 08:57 AM   #17
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 1,486

Rep: Reputation: 1215
Quote:
Originally Posted by jefro
Is it possible that a theme or other proper use caused this?
I think a Wordpress theme is pretty much the same level as a plugin, so yes.

Anything that can be (incorrectly) coded such that user-supplied input is executed as PHP (or any other server-side language), could be the cause of this.


Inadvertently allowing code injection attacks is simple for an inexperienced developer to do - just follow the average badly written tutorial on any topic that demonstrates a concept without any consideration or mention of security.

(Preventing such attacks is also simple - remember you can't trust input, and as a minimum always use the appropriate encoding/escaping functions when outputting a variable, even when you think you know its source/contents.)


Quote:
I'll definitely lock down that file since it seems to be where they are targeting at the moment
If it's an automated attack (which is possible) that may be enough to get them to move on.
If it's a manual one, it won't make a difference (they'll pick another file).


Quote:
and sounds like a few suggesting clamav so i'll give that a go as well.
Well it won't hurt, but it also won't make a difference if they're getting in through Wordpress itself - which seems likely given the brief descriptions.

Although that is an assumption that hasn't been confirmed, and there's a bunch of answers we don't know...

Did you search the vulnerability databases? What third-party Wordpress plugins/themes/etc do you have installed?
Have you made sure you're on a supported/secure version of Apache, PHP, Wordpress, and any other software/scripts the server is running?

Have you changed all the Wordpress admin/user passwords to something unique and 12+ characters long?
(There's a plugin for changing the location of the wp-admin directory which can at least reduce automated attacks, useful if users insist on weak passwords.)

Have you looked at the Apache access logs and error logs for the past few days? If it's an automated attack there will be evidence in these logs. If you can identify the attacks as coming from a specific IP address/range you can ask your hosting provider about blocking them at a network level.


Wiping the server and starting fresh isn't bad advice for a compromised server, but doesn't solve the problem if the vulnerability is in the software (i.e. PHP/Wordpress/plugins/etc.)

 
Old 07-16-2021, 10:23 AM   #18
maw_walker
LQ Newbie
 
Registered: Jul 2021
Location: US
Distribution: FreeBSD, Kali
Posts: 28

Rep: Reputation: Disabled
Quote:
Originally Posted by buckbuchanan
I didn't notice any other changes. The user had inserted code to create a user in the wordpress db. It looks like they weren't successful and as far as I can see they didn't get any further than that.

But it is interesting they tried the exact same thing 2 nights in a row.
It is entirely possible the insertion was attempted via an injection, like through a form field using sql injection. There are too many attack vectors to list but if I were trying to add a user, sql injection is the easiest attack first, rather than trying to compromise the host. If the attacker actually modified a file on the web server, this means they were able to compromise the host itself, or at least the file(s) in the web space.

Do as others have suggested and look at logs, check permissions, services, etc. You will need to look at application logs, database logs and OS logs to get a better picture of what may have happened.
 
Old 07-16-2021, 01:58 PM   #19
captain_sensible
Member
 
Registered: Apr 2010
Posts: 336

Rep: Reputation: 125
The thing about Wordpress is that a default install has next to no security and admin login names are too easily divulged from a simple scan of some tools in the kit of Kali.

Wordpress when I installed it on localhost uses MariaDB and as you may know to connect to the database; in WP you have to set up a database and a user with password for database user; sounds secure?


So basically it's incredibly easy to get an Admin user name. Then it's just the case of running large password lists using the login name. If somebody has the time and decent bandwidth the scan can run day and night.

Now one way that would make life harder for a hacker is to use some sort of captcha. A default install of WP doesn't use one. If you want to check for "user Enumeration" weakness DM me with web site URL and I will come back and tell you if that's one problem.

One thing that you should be doing is have a clone of your web on localhost and test its vulnerability with for instance "ZAP"; you can also fire up some software from your PC and "attack" your web using URL of localhost.
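The automated login guessing that captain_sensible describes, and the author-enumeration probes that precede it, both leave a trace in the Apache access logs boughtonp suggests checking (#17). This added example is not code from anyone in the thread: it parses combined-format lines and reports source IPs with repeated POSTs to wp-login.php/xmlrpc.php or repeated enumeration requests. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Author-enumeration probes: /?author=N redirects to /author/<login>/, and the REST users route lists logins.
ENUM_RE = re.compile(r'[?&]author=\d+|^/wp-json/wp/v2/users')

def parse_line(line):
    """Fields of one access-log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(lines, login_threshold=5, enum_threshold=3):
    """Per-IP counts of login POSTs and enumeration probes; returns only IPs at or over threshold."""
    login_posts, enum_probes = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than crash mid-log
        script = rec["path"].split("?")[0]
        if rec["method"] == "POST" and script in ("/wp-login.php", "/xmlrpc.php"):
            login_posts[rec["ip"]] += 1
        if ENUM_RE.search(rec["path"]):
            enum_probes[rec["ip"]] += 1
    return {
        "brute_force": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
        "user_enum": {ip: n for ip, n in enum_probes.items() if n >= enum_threshold},
    }

# Constructed sample log (RFC 5737 documentation addresses), not lines from the poster's server.
SAMPLE_LOG = '''\
203.0.113.5 - - [15/Jul/2021:02:13:01 -0500] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:02 -0500] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:03 -0500] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:12 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.25"
203.0.113.5 - - [15/Jul/2021:02:13:14 -0500] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "python-requests/2.25"
198.51.100.7 - - [15/Jul/2021:09:02:44 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2021:09:02:45 -0500] "GET /wp-admin/ HTTP/1.1" 200 41022 "-" "Mozilla/5.0"
not an access-log line at all
'''.splitlines()
```

Run it against a real file with `scan_access_log(open("/var/log/apache2/access.log"))`; an IP it reports is what boughtonp suggests asking the hosting provider to block.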
 
Old 07-21-2021, 11:42 AM   #20
A-Okay
LQ Newbie
 
Registered: Mar 2021
Posts: 14

Rep: Reputation: Disabled
Check log files.

https://www.thegeekstuff.com/2011/08...var-log-files/
https://www.tecmint.com/watch-or-mon...-in-real-time/
https://www.cyberciti.biz/faq/linux-...zNAzijcnBszQci

Run AV Tools:
rkhunter --check-all
chkrootkit

Check if there're unusual processes running:
ps -A
ps -eF
watch ps auxw
watch ps aux
top
htop
pstree

Check if there are weird connections:
netstat -tunap
ss -ntp
ss
tcpdump
wireshark

Check if there are services running:
service --status-all
systemctl list-units
systemctl list-unit-files

Check command history:
cat /home/<user>/.bash_history
cat /root/.bash_history
history

Check for new users:
/etc/passwd
w
finger
who
lastlog

are some ideas I have.
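Of the checks in that list, "Check for new users" is the one a script that adds accounts is most likely to trip, and eyeballing /etc/passwd misses a changed shell or a second UID-0 entry. This added example, not code from the post, diffs the current /etc/passwd text against a baseline snapshot taken while the box was known-good; both texts here are constructed.

```python
# Constructed baseline (snapshot from a known-good state) and current /etc/passwd text; not the poster's server.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000:Admin:/home/admin:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000:Admin:/home/admin:/bin/bash
support:x:0:0::/root:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/sh
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

def parse_passwd(text):
    """Map login name -> fields from /etc/passwd-formatted text (7 colon-separated fields per line)."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

def audit_passwd(current_text, baseline_text):
    """Findings as (kind, login) tuples: new/removed accounts, extra UID-0 accounts, shells made interactive."""
    cur, base = parse_passwd(current_text), parse_passwd(baseline_text)
    findings = []
    for name, u in cur.items():
        if u["uid"] == 0 and name != "root":
            findings.append(("uid0", name))  # a second root-equivalent account
        if name not in base:
            findings.append(("new", name))
        elif base[name]["shell"] in NOLOGIN_SHELLS and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(("shell", name))  # e.g. www-data given a real login shell
    findings.extend(("removed", name) for name in base if name not in cur)
    return findings
```

On a live system pass `open("/etc/passwd").read()` and the saved baseline; the WordPress users table needs the same treatment from the database side, which this script does not cover.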
 
Old 07-21-2021, 03:59 PM   #21
buckbuchanan
LQ Newbie
 
Registered: Jul 2021
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for all the replies folks.

I decided to take the advice to spin up a new server. It felt a bit like looking for a needle in a haystack so I just made a new server and locked it down using some of the recommendations on this thread.

Thanks for all the useful information. It's all a learning process!
 
Old 07-22-2021, 10:21 AM   #22
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,240
Blog Entries: 4

Rep: Reputation: 3263
Also be sure that the user/group that's running the web server has no read/write access to anything ... except any directories where uploaded content is specifically intended to be stored.
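One way to audit the write-access half of that rule, as an added example rather than anything from the post: walk the document root and list every file or directory that a given web-server uid/gid could write, except the intended upload directory. The demo tree, the hypothetical uid/gid values and the allowed-path list are all constructed here.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gid):
    """Could an account with this uid/gid write to the inode? Decided from mode bits, because
    os.access() answers for *our* uid (always yes as root), not for the web-server account."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(docroot, web_uid, web_gid, allowed=("wp-content/uploads",)):
    """Paths under docroot the web-server account could write, minus the intended upload dirs."""
    offending = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(full)  # lstat: a symlink's own bits, never the target's
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, web_uid, web_gid):
                offending.append(rel)
    return sorted(offending)

def build_demo_tree():
    """Constructed docroot in a temp dir: a world-writable config, a group-writable theme file, one upload."""
    root = tempfile.mkdtemp()
    for d in ("wp-content/uploads", "wp-content/themes/x"):
        os.makedirs(os.path.join(root, d))
    files = (("index.php", 0o644), ("wp-config.php", 0o666),
             ("wp-content/themes/x/functions.php", 0o664), ("wp-content/uploads/photo.jpg", 0o666))
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)  # a writable directory lets the web user drop new files
    return root

# Hypothetical web account: a uid that owns nothing in the demo tree, but our own gid so group bits count.
HYPOTHETICAL_WEB_UID = os.getuid() + 1000
HYPOTHETICAL_WEB_GID = os.getgid()

if __name__ == "__main__":
    print(audit_docroot(build_demo_tree(), HYPOTHETICAL_WEB_UID, HYPOTHETICAL_WEB_GID))
```

On a real server call `audit_docroot("/var/www/html", 33, 33)` (www-data on Debian) and extend `allowed` with any cache or plugin directories the site legitimately writes to.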
 
All times are GMT -5.