Desperate security advice needed- diagnose exploit & lock down install

  • WP 4.6
    Can someone point me to a tutorial or other doc with tips/advice for locking down WP on a Unix server?

    /wp-admin/ folder can be accessed without a login – is that by design, or is the install missing something?

    Also /wp-content/uploads/somefolder/ can be accessed directly and publicly by calling such a URL; I was under the impression that mod_rewrite forced all URLs to go through WP, i.e. an image is accessed via a URL like /index.php?showimg=xxxx and WP would fetch it.

    The site was exploited because a public user could upload PHP files and then run them.

    Is the problem here folder permissions / missing security directives in .htaccess, etc.?
    Or a problem with either admin-ajax.php or the nm_personalizedproduct_upload_file plugin not verifying privileges? Or misconfigured privileges in WP or that plugin?

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. This includes log data. ]

    ```
    107.167.98.158 - - [09/Aug/2016:00:32:04 -0400] "GET /%22http:////mydomainremoved.com//wp-content//plugins//woocommerce-product-addon//images//file.png/%22 HTTP/1.1" 301 - "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:32:06 -0400] "GET /%22http:/mydomainremoved.com/wp-content/plugins/woocommerce-product-addon/images/file.png/%22 HTTP/1.1" 404 96093 "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:32:29 -0400] "GET /wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file HTTP/1.1" 200 505 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:32:31 -0400] "GET /favicon.ico HTTP/1.1" 200 - "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:32:31 -0400] "GET /%22http:////mydomainremoved.com//wp-content//plugins//woocommerce-product-addon//images//file.png/%22 HTTP/1.1" 301 - "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:32:33 -0400] "GET /%22http:/mydomainremoved.com/wp-content/plugins/woocommerce-product-addon/images/file.png/%22 HTTP/1.1" 404 96093 "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    69.195.81.223 - - [09/Aug/2016:00:33:04 -0400] "POST /wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file HTTP/1.1" 200 525 "-" "Mozilla/5.0 (Windows NT 6.1;"
    107.167.98.158 - - [09/Aug/2016:00:33:39 -0400] "GET /wp-content/uploads/product_files/swf.js.php? HTTP/1.1" 200 239 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:33:39 -0400] "GET /favicon.ico HTTP/1.1" 200 - "http://mydomainremoved.com/wp-content/uploads/product_files/swf.js.php?" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:33:53 -0400] "POST /wp-content/uploads/product_files/swf.js.php? HTTP/1.1" 200 19113 "http://mydomainremoved.com/wp-content/uploads/product_files/swf.js.php?" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:33:54 -0400] "GET /favicon.ico HTTP/1.1" 200 - "http://mydomainremoved.com/wp-content/uploads/product_files/swf.js.php?" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    107.167.98.158 - - [09/Aug/2016:00:34:05 -0400] "GET /favicon.ico HTTP/1.1" 200 - "http://mydomainremoved.com/wp-content/uploads/product_files/swf.js.php?dir=/home/myusername/public_html" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
    ```
    • This topic was modified 3 years, 2 months ago by James Huff.
    • This topic was modified 3 years, 2 months ago by Jan Dembowski.
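Added example, not code from the original post, from WordPress or from the plugin: a small Python triage script run over the access-log lines posted above (copied from the post, domain already anonymised there; the favicon and %22 lines are kept in as noise the rules must ignore). It reconstructs the chain the log actually shows: requests to an admin-ajax.php action whose name contains "upload", a successful POST to that action from a second IP, and then direct GET/POST requests for a .php file under /wp-content/uploads/ answered with 200, which means the web server executed the uploaded file. Rule names, the ten-minute correlation window and the extension list are this example's own choices. Two facts to read it against: admin-ajax.php is reachable without a login by design, and an action runs for anonymous visitors exactly when the plugin registers it on the wp_ajax_nopriv_{action} hook, so whether the handler checks a nonce and a capability is what decides "privileges", and the log cannot show that, only the plugin's code can. Separately, the 200 on /wp-content/uploads/product_files/swf.js.php shows that directory is allowed to execute PHP; with a deny rule for *.php in the uploads directory (an Apache FilesMatch block with Require all denied in a .htaccess there) those requests would return 403 and the "php-executed-from-uploads" rule would not fire.

```python
"""Triage of the Apache access-log excerpt from the post above.

Added example, not code from the original post, WordPress or the plugin.
It reconstructs the upload-then-execute chain the log shows: hits on an
admin-ajax.php action whose name contains "upload", a successful POST to
that action, then direct requests for a .php file under /wp-content/uploads/
that the server answered with 200 (i.e. it executed the uploaded file).
Rule names, the correlation window and the extension list are this
example's own choices, not anything the post or WordPress defines.
"""
import re
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions the PHP handler executes when the uploads directory allows it (example's list).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# admin-ajax.php?...action=<name containing "upload">
UPLOAD_ACTION = re.compile(r"admin-ajax\.php\?.*\baction=[^&]*upload", re.I)

# Lines copied from the post (domain already anonymised there). The 404 on the
# %22 URL and the favicon hit are kept as noise the rules must ignore.
SAMPLE_LOG = """\
107.167.98.158 - - [09/Aug/2016:00:32:06 -0400] "GET /%22http:/mydomainremoved.com/wp-content/plugins/woocommerce-product-addon/images/file.png/%22 HTTP/1.1" 404 96093 "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
107.167.98.158 - - [09/Aug/2016:00:32:29 -0400] "GET /wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file HTTP/1.1" 200 505 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
107.167.98.158 - - [09/Aug/2016:00:32:31 -0400] "GET /favicon.ico HTTP/1.1" 200 - "http://mydomainremoved.com/wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
69.195.81.223 - - [09/Aug/2016:00:33:04 -0400] "POST /wp-admin/admin-ajax.php?action=nm_personalizedproduct_upload_file HTTP/1.1" 200 525 "-" "Mozilla/5.0 (Windows NT 6.1;"
107.167.98.158 - - [09/Aug/2016:00:33:39 -0400] "GET /wp-content/uploads/product_files/swf.js.php? HTTP/1.1" 200 239 "-" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
107.167.98.158 - - [09/Aug/2016:00:33:53 -0400] "POST /wp-content/uploads/product_files/swf.js.php? HTTP/1.1" 200 19113 "http://mydomainremoved.com/wp-content/uploads/product_files/swf.js.php?" "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.14912/37.8773; U; en) Presto/2.12.423 Version/12.16"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["path"] = req["target"].split("?", 1)[0]  # strip the query string
    return req


def is_upload_action(req):
    """Request to admin-ajax.php whose action name suggests a file upload."""
    return "/wp-admin/admin-ajax.php" in req["path"] and bool(UPLOAD_ACTION.search(req["target"]))


def is_php_under_uploads(req):
    """Direct request for a PHP-executable file inside the uploads tree."""
    return req["path"].startswith("/wp-content/uploads/") and PHP_EXT.search(req["path"]) is not None


def finding(rule, req, linked=None):
    f = {"rule": rule, "ip": req["ip"], "when": req["ts"].isoformat(), "target": req["target"]}
    if linked is not None:
        f["linked_upload"] = {"ip": linked["ip"], "when": linked["ts"].isoformat()}
    return f


def triage(log_text, window=timedelta(minutes=10)):
    """Return a list of findings; 'upload-then-execute' links a 200 on a .php
    file under uploads to a successful upload POST seen within `window` before it."""
    requests = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings, successful_uploads = [], []
    for r in requests:
        if is_upload_action(r):
            if r["method"] == "POST" and r["status"] == 200:
                successful_uploads.append(r)
                findings.append(finding("upload-post-ok", r))
            else:
                findings.append(finding("upload-endpoint-probe", r))
        if is_php_under_uploads(r) and r["status"] == 200:
            findings.append(finding("php-executed-from-uploads", r))
            if r["path"].rsplit("/", 1)[-1].count(".") > 1:  # e.g. swf.js.php
                findings.append(finding("double-extension", r))
            for u in successful_uploads:
                if timedelta(0) <= r["ts"] - u["ts"] <= window:
                    findings.append(finding("upload-then-execute", r, linked=u))
                    break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run it as is against the embedded sample, or feed a real access log with `triage(open(path).read())`. The correlation deliberately ignores the client IP, because in this log the POST that placed the file came from a different address than the requests that later ran it; what ties them together is the order and timing of events, not the source. The "php-executed-from-uploads" hits are also the quickest way to verify a fix: after denying *.php under uploads, the same requests must return 403, and the rule goes quiet.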
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Desperate security advice needed- diagnose exploit & lock down install’ is closed to new replies.