

Top WordPress sites vulnerable 6 weeks after caching plugin fixed - the_wanderer
http://hackertarget.com/running-wordpress-patch-your-plugins/

======
gesman
I just spent half a day cleaning a client's website from an intense attack targeting
an outdated timthumb vulnerability. The attacker discovered an inactive old theme
(canvas) within the website, scanned for thumb.php and planted an external malicious
PHP script inside the website. Then, through that planted malicious script, it
infected about 100 other PHP files, overwriting the header of each with
malicious code. This type of attack couldn't be cleaned up just by
reinstalling wordpress as the attacker could use _any_ of the newly infected files to
re-infect the whole site again. Luckily her website was hosted at
[http://hostrum.com](http://hostrum.com) where she had a detailed report of
all suspicious files that had suddenly appeared.

Lessons:

1\. Make sure your hosting company has realtime malware notification and protection. Very
few hosting companies do that.

2\. Do not keep uninstalled old themes or old plugins - they can be used as
backdoors into the website. Delete them if not used.

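The "detailed report of all suspicious files that suddenly appeared" that saved this clean-up is something you can build yourself with a file-integrity baseline. The following is an added example (Python, not code from the thread, from hostrum.com or from WordPress): it hashes every PHP file under a site root into a manifest, and a later run diffs against that manifest to report added, removed and modified files. The directory layout, file names and the "header rewritten" change in `demo()` are constructed for illustration; the manifest should be stored outside the web root, since a file the web server can overwrite is not a trustworthy baseline.

```python
"""Baseline-and-diff integrity check for a PHP tree (added example).

Records a SHA-256 manifest of every PHP file under a site root, then
compares a fresh scan against it to surface files that appeared, vanished
or changed, which is the signal a compromised header or a dropped script
produces."""
import hashlib
import json
import os
import sys
from pathlib import Path

# Only these are hashed; uploads such as images are noisy and not executable here.
HASHED_SUFFIXES = {".php", ".phtml"}
HASHED_NAMES = {".htaccess"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative POSIX path -> digest for every hashed file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in HASHED_SUFFIXES or name in HASHED_NAMES:
                manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report what changed between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it the way the
    post describes (one file's header rewritten, one new PHP file dropped)
    and return what the diff reports."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "canvas"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")
        (root / "readme.txt").write_text("not hashed: only PHP-ish files matter\n")
        baseline = build_manifest(root)
        # Constructed changes, not real payloads: a new file and a rewritten header.
        (theme / "dropped.php").write_text("<?php // constructed new file\n")
        target = root / "index.php"
        target.write_text("<?php /* constructed header change */ ?>\n" + target.read_text())
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    # usage: integrity.py baseline <site-root> <manifest.json>
    #        integrity.py check    <site-root> <manifest.json>
    mode, root, manifest_path = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        print(json.dumps(diff_manifest(load_manifest(manifest_path),
                                       build_manifest(root)), indent=1))
```

Run `baseline` right after a clean install or upgrade and `check` from cron; an empty report is the normal case, and anything under `added` or `modified` in wp-admin, wp-includes or an inactive theme is worth reading before it is trusted.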
~~~
druiid
Just as an FYI, those attacks are fully automated. There wasn't really some
guy on the other end doing this. Had a client have this same thing happen to
them and the request to re-infect kept coming in long after the initial issue
was resolved.

Another good thing to do which will disable 99% of these kinds of attacks, is
disable the following PHP functions:

disable_functions =
exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

There's very, very few scripts which actually need these, and if you run
across one that does... you probably shouldn't use it anyway.

------
patio11
Thanks HN, this was news I could use. (I didn't turn out to have anything
vulnerable, but certainly could have.)

~~~
jseliger
Same here, and I did have something vulnerable: Super Cache. I just updated.

You know what would be nice? Opt-in e-mail lists for each plug-in. If I hadn't
seen this article, I might not have updated for months. If I'd gotten an
e-mail that says, "SUPER CACHE COMPROMISED, UPDATE NOW," I sure would've.

------
druiid
I had an attached comment with this information but want to break it out as it
will likely be useful to people without lots of time dealing with the various
ways Wordpress can/will (mostly will) get attacked.

First: Double-check your folder and file permissions. A lot of plugins like
and love very open folder permissions so they can write stuff everywhere. Be
very careful with changing permission on core Wordpress stuff! If for instance
you give the web-server write permissions to the core, you're going to have a
bad time. This is made worse by the fact that many people are used to using
the wp-admin 'upgrade' functionality. In my view this is beyond awful. A lot
of WP exploits would be made much harder by just not allowing this and
manually upgrading the Wordpress core. It's very easy anyway.

Second: Disable the following PHP functions in php.ini on the server hosting
Wordpress

disable_functions =
exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

You can just add that line anywhere in the php.ini, restart apache (or php-fpm
if you're using that) and you've suddenly blocked 99% of the Wordpress and
greater PHP attacks against your server. Essentially you'll run across some
PHP scripts eventually that want one or more of those permissions. If they do,
run them on a server separate from Wordpress and also keep the application way
up to date (or you'll have a bad time).

Third: Install and keep this handy [http://wpscan.org/](http://wpscan.org/)

WPScan allows you to do a URL/folder based wordpress scan looking for
vulnerable files, wordpress versions and plugins. It is a very good tool to
keep handy if you host lots of Wordpress sites.

Oh, one more little thing. The timthumb vuln issue someone mentioned below...
keep this handy for newest version
[http://timthumb.googlecode.com](http://timthumb.googlecode.com)

Any questions?

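A way to verify the first two steps above (and the same disable_functions advice in the earlier reply) on a server, as an added example in Python that is not code from the thread or from WordPress: it parses a php.ini for the effective `disable_functions` directive and reports which of the listed functions are still enabled, and it walks wp-admin, wp-includes and the top-level PHP files looking for anything the web-server account could write to. Assumptions: the last `disable_functions` line in the file is the one PHP applies (a repeated directive overrides the earlier one), the web-server uid and gids are passed in by the caller, and the `WEAK_INI` / `HARDENED_INI` snippets are constructed to show the difference.

```python
"""Audit for two WordPress hardening steps (added example):
1. php.ini disable_functions covers the recommended list;
2. WordPress core is not writable by the web-server account."""
import re
import stat
import sys
from pathlib import Path

RECOMMENDED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open",
                        "popen", "curl_multi_exec", "parse_ini_file", "show_source"}
CORE_DIRS = ("wp-admin", "wp-includes")

# Constructed php.ini fragments: the default (nothing disabled) beside the hardened line.
WEAK_INI = "; php.ini (constructed)\nexpose_php = On\ndisable_functions =\n"
HARDENED_INI = ("; php.ini (constructed)\nexpose_php = Off\n"
                "disable_functions = exec,passthru,shell_exec,system,proc_open,"
                "popen,curl_multi_exec,parse_ini_file,show_source\n")


def parse_disable_functions(ini_text: str) -> set:
    """Functions named by the last disable_functions directive; ';' starts a comment."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:  # assumption: a later directive overrides an earlier one
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_disabled(ini_text: str) -> list:
    """Recommended functions that the given php.ini leaves enabled."""
    return sorted(RECOMMENDED_DISABLED - parse_disable_functions(ini_text))


def is_web_writable(mode: int, uid: int, gid: int, web_uid: int, web_gids: set) -> bool:
    """True if an account with web_uid / web_gids could write to an inode with
    these permission bits and ownership (world, matching group, or owner)."""
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and gid in web_gids:
        return True
    return bool(mode & stat.S_IWUSR) and uid == web_uid


def web_writable_core(root: Path, web_uid: int, web_gids: set) -> list:
    """Relative paths under the core directories (and top-level *.php) that the
    web-server account could modify; an empty list is the desired state."""
    candidates = list(root.glob("*.php"))
    for sub in CORE_DIRS:
        d = root / sub
        if d.is_dir():
            candidates.append(d)
            candidates.extend(d.rglob("*"))
    findings = []
    for p in candidates:
        st = p.lstat()
        if is_web_writable(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids):
            findings.append(p.relative_to(root).as_posix())
    return sorted(findings)


if __name__ == "__main__":
    # usage: audit.py /path/to/php.ini /path/to/wordpress <web-uid> <web-gid>
    ini, site, uid, gid = sys.argv[1], Path(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
    still_enabled = missing_disabled(Path(ini).read_text())
    print("still enabled:", ", ".join(still_enabled) or "none")
    for path in web_writable_core(site, uid, {gid}):
        print("web-writable core path:", path)
```

Note that `disable_functions` is read once at startup, so after editing php.ini the check only reflects reality after Apache or php-fpm has been restarted, and that writable findings in wp-content (uploads, cache directories) are expected and outside what this scan covers.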
~~~
jseliger
How do you know WP-Scan itself isn't a vulnerable extension?

~~~
druiid
Wait, what? WPScan is a standalone Ruby script. You run it against a Wordpress
site. There's nothing to install on the WP website in question. You can even
run it against public WP websites if you wanted to (although I imagine you
might get some sternly worded letters from some).

------
epoxyhockey
The specific vulnerability mentioned in this article is only exploited when a
comment containing dynamic snippets is posted. Most WP blogs use comment
moderation of some sort to prevent spam and that prevents this attack from
being widely exploited, in my opinion.

------
ParadisoShlee
Wordpress.. the reverse shell with a blogging engine.

------
iuguy
I wonder how he determined the top WP sites? Is that via Alexa, some other
ranking? It's not clear.

