• I work at a hosting company where one of our customer’s WordPress sites was hacked today. It was done by a “hacker” who discovered the WordPress database password due to an unfortunate user error. The way it happened was interesting and might affect others, so I thought I’d share it.

    (I want to emphasize that this is NOT a security problem in WordPress. It could happen with any PHP script.)

    The customer had, at some point, edited their “wp-config.php” file with a text editor that automatically created a backup copy with the name “wp-config.php~”, with a tilde at the end.

    The hacker then simply requested “http://domainname/wp-config.php~” and was able to view the source, because the server didn’t think it was a PHP file. It looks like hackers are actively running automated bots that look for that filename.

    Normally, getting the database password doesn’t do a hacker any good on our system, because we don’t allow remote MySQL connections by default. But in this case, the customer had intentionally enabled remote connections to the database for other reasons, ignoring the security warning.

    So then the hacker made a MySQL connection, modified the password of the admin user, and had full access.

    Several lessons are clear from this:

    1. WordPress users should make sure they don’t edit wp-config.php, or any other security sensitive .php file, with an editor that creates “~” backups. Hackers are actively searching for a file named “wp-config.php~”; make sure you don’t have one on your site.
    2. Hosting companies should prevent access to filenames ending in “.php~”. (We’ve done that; our blog post has a mod_security rule that others can use if interested.)
    3. Writers of text editors should not create file backups with names that change the file extension. Those extensions are sometimes used for access control.
    4. This is almost certainly solving the problem in the wrong place, but just to throw the idea out there: the default WordPress .htaccess rules could include a line to forbid requests for “.php~” files.

    Hope this information is useful to someone.
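The detection side of what the post describes, as an added example that is not part of tigertech's post or of WordPress: a small Python scan over Apache combined-format access log lines that flags requests naming a backup copy of a .php file and separates actual disclosures (200) from probes the server refused. The log lines, IPs and the list of backup-name suffixes are constructed for the example.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not real traffic): a bot sweep
# that finds an exposed wp-config.php~ (200), the same probe against a host
# that blocks it (403), and ordinary requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:08:15:02 +0000] "GET /wp-config.php~ HTTP/1.1" 200 3178 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:08:15:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 216 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2013:08:16:10 +0000] "GET /wp-config.php~ HTTP/1.1" 403 199 "-" "curl/7.29"
192.0.2.20 - - [10/Jan/2013:08:17:45 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2013:08:17:46 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Names that leave PHP source outside the PHP handler: editor tilde backups,
# emacs autosave (#name#) and the manual ".bak"/".backup" habit. Only the path
# is tested, never the query string, because Apache picks the handler by path.
BACKUP_RE = re.compile(
    r'(?:\.php~|\.php#|\.php\.(?:bak|backup|old|orig|save|swp|txt))$', re.I)

def backup_probes(log_text):
    """Return (ip, path, status) for each request naming a backup copy of a .php file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group('path').split('?', 1)[0]
        if BACKUP_RE.search(path):
            hits.append((m.group('ip'), path, int(m.group('status'))))
    return hits

def disclosures(hits):
    """Probes the server answered with 200: the source was served as plain text."""
    return [h for h in hits if h[2] == 200]

def probe_sources(hits):
    """How many backup-file probes each client sent; bots sweep several names."""
    return Counter(ip for ip, _path, _status in hits)

if __name__ == '__main__':
    print(disclosures(backup_probes(SAMPLE_LOG)))
```

A 200 in `disclosures()` is the case in the post: the config, including the database password, has already left the server, so rotate it rather than only blocking the name.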

Viewing 15 replies - 1 through 15 (of 17 total)
  • Moderator t-p

    (@t-p)

    Hi tigertech,

    Thanks for sharing. Good info.

    .htaccess rules could include a line to forbid requests for “.php~” files.

    How? What would be the snippet? I use my own .htaccess in the root folder of WP, and I would like to include it in my .htaccess. Thanks.

    Thread Starter tigertech

    (@tigertech)

    What would be the snippet?

    Oh, you could do something like this:

    RewriteEngine On
    RewriteRule \.php~$ - [forbidden,last]

    Moderator t-p

    (@t-p)

    Thanks a lot tigertech.

    RewriteEngine On
    RewriteRule \.php~$ - [forbidden,last]

    As I am not a programmer, dev, or designer, I just want to make sure if this is the complete snippet. If this is not complete, please write the entire snippet. Thanks.

    You should wrap that in a module check.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule \.php~$ - [F,L]
    </IfModule>

    And place it above the WordPress rules in the htaccess file, but of course it would make more sense to use an editor that doesn’t place backups with odd extensions onto the server.

    If this is a legitimate problem, the host should impose the restriction already.

    You could also expand the matching, just in case some sneaky fella finds a way to use something other than a tilde.

    RewriteRule \.php([^\?]+)$ - [F,L]

    Anything that is not a question mark after the extension; question marks are obviously expected for query strings.

    Thread Starter tigertech

    (@tigertech)

    That’s the entire thing that goes in the .htaccess file, just the two lines.

    The first line enables Apache’s “RewriteEngine” if it’s not already on. The second looks for filenames ending in “.php~”, and if it finds a match, makes Apache return a “403 forbidden” error immediately.

    I did test the rule before posting it, and it does work on our Apache 2.2 servers, at least. No guarantees beyond that!

    You should check the module is available first, not just assume it is..

    <IfModule mod_rewrite.c>
    # rule
    </IfModule>

    https://httpd.apache.org/docs/2.0/mod/core.html#ifmodule

    Moderator t-p

    (@t-p)

    Thanks t31os.

    I don’t have any file ending with tilde.
    I am just trying to educate myself to best protect the WP installation.

    How does the file with the .php~ get on the server in the first place? Did the person upload it separately from the normal .php file? So are there two different files on the server (one .php and one .php~) and is the tilde visible when looking through your files with an ftp client?

    ETA: Thanks so much for sharing the info!

    Thread Starter tigertech

    (@tigertech)

    How does the file with the .php~ get on the server in the first place?

    Several text editors, particularly Unix ones like emacs, automatically create a “backup” copy of any file you edit, giving the backup copy the same name with a tilde.

    For example, if you use “emacs wp-config.php” from a Unix shell connection to edit that file, a copy of the original will be saved as “wp-config.php~”.

    Or if you use such a text editor on your desktop computer, then upload the entire “wordpress” directory via FTP, a backup copy of the file could end up on the server that way.

    I suspect many people make the same mistake manually: it would be easy to think “Oh, I’ll just save a copy of that file as ‘wp-config.php.backup’ before I edit it.” Smart “hackers” could look for all sorts of possible filenames.
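An added example, not from tigertech or WordPress, of the "make sure you don't have one on your site" check from lesson 1, extended to the other names this reply anticipates: a Python audit that walks a document root for editor backups (emacs tilde and #autosave#, vim .swp) and manual copies, and also flags any non-.php file that still contains wp-config.php markers, since a copy named something unexpected escapes name matching. The suffix list, the marker strings and the throwaway sample webroot are all constructed for the example.

```python
import os
import re
import tempfile

# Names an editor or a hurried admin leaves beside a PHP file. The list is
# assembled for this example, not taken from WordPress or the hosting company.
BACKUP_NAME = re.compile(
    r'(?:\.php~|^#.*\.php#|^\..*\.php\.swp|\.php\.(?:bak|backup|old|orig|save|txt))$',
    re.I)
# Strings only wp-config.php should contain; a renamed copy still carries them.
SECRET_MARKERS = (b'DB_PASSWORD', b'DB_USER', b'AUTH_KEY')

def leaks_config(path):
    """True if the first 64 KiB of the file carries wp-config.php secrets."""
    try:
        with open(path, 'rb') as fh:
            head = fh.read(65536)
    except OSError:
        return False
    return any(marker in head for marker in SECRET_MARKERS)

def audit_webroot(root):
    """Sorted (relative_path, reason) for files the web server would hand out
    as plain text even though they are copies of PHP source."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower().endswith('.php'):
                continue  # the PHP handler runs these; the source is not served
            if BACKUP_NAME.search(name):
                findings.append((rel, 'backup copy of a PHP file'))
            elif leaks_config(full):
                findings.append((rel, 'non-PHP file containing wp-config secrets'))
    return sorted(findings)

def make_sample_site():
    """Constructed fixture: a throwaway webroot with the mistakes described above."""
    root = tempfile.mkdtemp(prefix='wproot-')
    cfg = "<?php\ndefine('DB_PASSWORD', 'placeholder-not-a-real-secret');\n"
    for name, body in [('wp-config.php', cfg), ('wp-config.php~', cfg),
                       ('wp-config.php.backup', cfg), ('notes/wpconfig-copy.txt', cfg),
                       ('index.php', '<?php echo 1;'), ('readme.html', '<h1>hi</h1>')]:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(body)
    return root
```

Run `audit_webroot('/path/to/htdocs')` against a real document root; `make_sample_site()` only builds the constructed fixture.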

    Moderator t-p

    (@t-p)

    Hi tigertech,

    Just a general question. I thought I'd ask you since you work at a hosting company.

    My experience dealing with hosting companies is that whenever you contact them about any problem, they invariably say that the problem might be at your end – your software, your computer, your internet connection, etc.

    Why is it? Why don't they tell the truth, look into the problem sincerely, and fix the problem – if they know the problem is at their end – instead of playing the game of sending you on a wild goose chase, particularly blaming the software and internet connection? It's even laughable at times.

    Is it because they don’t hire or keep competent techs (like tigertech!)?

    Here is an article that I thought interesting. I know it’s a little old, but it still seems relevant.

    http://www.beulbek.nl/2007/07/20/emacs-php-and-the-tilde/

    It appears to offer some insight on some of the httpd server settings (as well as an emacs setting) that are purported to be effective in preventing httpd.conf from allowing a web client to open and read backup files. That is, if your default server configuration doesn’t already prevent it, and you happen to have a backup file ending in a tilde ( ~ ) in your web accessible directory.

    If you decide to try the “Order allow, deny” approach in your own .htaccess file because your server doesn’t already prevent this, take note that the “file” containers used in the example contain spaces. They probably shouldn’t contain any spaces in order to work.

    Thread Starter tigertech

    (@tigertech)

    My experience dealing with hosting companies is that whenever you contact them about any problem, they invariably say that the problem might be at your end…

    Well, in their slight defense, I will say that most of the weird problems we hear about actually are on the customer’s end. When someone says “I followed all your instructions and Outlook still doesn’t work”, for example, 99.9% of the time they either made an accidental mistake in the setup, or they’ve got freaky firewall software, etc., on their computer. Or maybe Outlook just needs reinstalling. Or something else unrelated to us.

    However, the “not investigating it to be sure” attitude irks me, too. We investigate everything for three reasons:

    1. From a purely selfish perspective, I don’t want to have to waste time answering the same question again and again.
    2. If this is one of the rarer cases where it is on our end, then we need to know about it right away.
    3. Most importantly, people are paying to have their problems solved. You can get free hosting and e-mail from several sources: one reason you choose paid hosting instead is to have someone knowledgeable to turn to who can point you in the direction of solving the problem, even if it’s “not our fault” your e-mail doesn’t work.

    This all seems obvious, I’m sure. I don’t know why some (many?) companies don’t do it. Either they’re too big to train people consistently, or they’re too small to have the resources to do something right the first time, or they don’t invest enough in developing tools to help their support staff.

    I’m not trying to toot our own horn; I know of several (mostly medium sized) hosting companies that have real support and reliability, but quality still matters (perhaps because the owner is still involved in answering tickets and gets annoyed at having to clean up a mess in the event of problems). You can find good companies — honest!

    Moderator t-p

    (@t-p)

    Thanks tigertech. I really appreciate you taking time to respond.

    You can find good companies — honest!

    How can one know he/she has found the right one (BEFORE SIGNING UP!)?
    For example, are there certain questions one may ask the potential company? Are there certain important traits to look for?….

    I am just trying to educate myself.

    Thread Starter tigertech

    (@tigertech)

    How can one know he/she has found the right one (BEFORE SIGNING UP!)?

    I’d search Google and Twitter for any hosting company’s name. Ignore paid ads and referral links on the positive side, and crackpots on the negative side. What’s left? Nobody’s perfect, but they should have enough positive comments to indicate they’ve been around a while, and few enough negative comments that they don’t obviously suck.

    I just tried this on several hosting company names, and the result closely matches what I’d expect based on years of experience dealing with those other companies (both positive and negative).

    Are you from tigertech, the host? I can’t speak highly enough about how nice it is hosting with TigerTech.net!

  • The topic ‘Attack against wp-config.php~ (with a tilde)’ is closed to new replies.