

WordPress security woes and plan of attack - jerrac
http://michaelkimsal.com/blog/wordpress-security-woes-and-plan-of-attack/

======
technion
> All of them failed to notice that a .png file had “eval(‘foo’)” PHP code in
> it.

I have found CXS[0] extraordinarily successful at identifying this sort of
thing.

Before someone says it, I agree that "nuke it and restore from backup" is the
ideal solution. But since we're talking about hacked Wordpress servers, we're
probably already talking about "cleanup after the intrusion" on unmaintained
servers with limited management and backups.

[0] [http://configserver.com/cp/cxs.html](http://configserver.com/cp/cxs.html)

------
jerrac
I shared this because it touches on the subject of blocking outgoing ports. I
was hoping it had been shared already and there'd be some interesting comments
on the subject.

So, how would blocking outgoing traffic help secure a server? Wouldn't the
malware just scan for an open port?

~~~
mschuster91
You're opening a different can of worms by preventing the WP auto-updater from
working.

Also, chmod -w on Wordpress will kill its ability to upload files - well, how
do you plan on allowing users to upload media?

And how did a PNG file ever pass through the PHP interpreter? Sounds like a
veeeeery badly misconfigured Apache to me.

~~~
krapp
> And how did a PNG file ever pass through the PHP interpreter?

It is possible if you do something stupid like blindly including or requiring
the "image" file content, as part of serving the image through a PHP file.
Anything run through include() or require() is run through the parser if it
contains php tags. I vaguely remember it being an issue with user avatars in
one of the more popular PHP forums but I don't remember which.

It's one of those things where even though you _can_ do it that way in PHP, it
basically takes a comedy of errors (or just a malicious plugin writer) for it
to even occur.

~~~
mschuster91
> It is possible if you do something stupid like blindly including or
> requiring the "image" file content, as part of serving the image through a
> PHP file.

This is so stupid, it's actually awesome. fpassthru/readfile are your
friends...
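Putting krapp's include()/require() point and the readfile/fpassthru suggestion side by side, as an added example that is not code from the thread or from WordPress; `UPLOAD_DIR`, the function names and the query-parameter wiring are assumptions:

```php
<?php
// Added example, not from the thread. Two ways of serving an uploaded image,
// plus a cleanup-side scan. UPLOAD_DIR is an assumed path.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED    = ['image/png' => 1, 'image/jpeg' => 1, 'image/gif' => 1];

// The pattern krapp describes: include() hands the bytes to the PHP parser,
// so any "<?php ... ?>" embedded in the image is executed. Never do this.
function serve_image_vulnerable(string $name): void
{
    header('Content-Type: image/png');
    include UPLOAD_DIR . '/' . $name;   // parsed as PHP, not copied
}

// Hardened: resolve the path inside the upload dir, check the real MIME type
// from file content, then stream raw bytes with readfile() (fpassthru() on an
// open handle works the same way). Neither ever interprets the bytes, so PHP
// tags hidden in a PNG text chunk are served as inert image data.
function serve_image_safe(string $name): void
{
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . basename($name));
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        http_response_code(404);   // outside the upload dir or missing
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!isset(ALLOWED[$mime])) {
        http_response_code(403);   // not an image by content, whatever the name
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Cleanup-side check in the spirit of technion's comment: flag image files
// whose bytes contain a PHP open tag. Returns the offending paths.
function find_php_tags_in_images(string $dir): array
{
    $hits = [];
    foreach (glob($dir . '/*.{png,jpg,jpeg,gif}', GLOB_BRACE) as $file) {
        $data = file_get_contents($file);
        if ($data !== false && preg_match('/<\?(php|=)/i', $data) === 1) {
            $hits[] = $file;
        }
    }
    return $hits;
}
```

A caller would wire `serve_image_safe($_GET['f'] ?? '')` to the image route; `find_php_tags_in_images(UPLOAD_DIR)` is a cheap first pass before a fuller scanner such as CXS, not a replacement for it.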

