[resolved] is this some new spam attack? (36 posts)

  1. moshu
    Posted 7 years ago #

    I did not delete anything from BEFORE - only whatever has been posted AFTER my warning.

  2. nothingHappens
    Posted 7 years ago #

    Ivovic: you don't know that I don't know, and you don't know that I haven't checked. In fact, while hunting down the problem this morning, I decided to systematically check the permissions on every file and folder in my WordPress install, and correct any that were more permissive than they needed to be (a small number, but there were some). Later after finding the issues in wp-config and the header and footer files in my theme, I decided to also check modified dates. Anything whose date was not either last night at the time I did the automatic upgrade, or February 25 when I first installed to this server (copied from a previous installation elsewhere) I viewed the contents of. Since I've read or at least skimmed much of this code before (trying to fix a problem, wanting to modify some behavior, or often just out of curiosity -- I've been using WordPress for about 5 years in all) I think I can usually identify anything out of sorts.

    Telling people to keep up on security updates is excellent advice, and I think my issue today is a good illustration of what can happen when you don't, but you could definitely stand to be nicer about it. People listen better that way.

    On the other hand, doing an upgrade was a terribly unwieldy process for most users, particularly those less technically inclined than we, before the automatic upgrade plugin was invented. I reiterate my kudos and gratitude to its creators.

    I think though, if you're technically savvy enough to deal with doing a database backup/restore and everything else involved in doing a complete wipe of the site (or an upgrade, back before the auto upgrade plugin), you're probably also savvy enough to poke around the code, use some things like grep and diff, and look at permissions and timestamps, so that you can fix the problem right where it is, rather than wiping out all the nifty customizations to the theme and everything else that you have most likely put a lot of work into. My opinion. Yours obviously differs, and I've heard it now, so you can stop beating me over the head with it any time you like :D

    Does an Apple II in 1985 count as having used a command line before it was cool? How about Ultrix in 1993? Not meant as an attack, just as defense :P

  3. whooami
    Posted 7 years ago #

    my my my..

    What does anyone think of the suggestion of setting the permissions of config.php to 640?

    The same reason it's not suggested for other files. Pointing out that it contains a password.. yes and?

    There are 2 scenarios:

    1. bring it up in a browser, what do you see? You better see a blank page, or you need to 1.) get a new host, or 2.) you need to stop trying to be an uber-leet Linux wannabe, and learn how to admin a server properly.

    2. Another user on the server attempts to read the file. On a properly configured box, that's not how things work. Just like you cannot read other users' files, they can't read yours. If that's not the case, you need to 1.) get a new host, or 2.) you need to stop trying to be an uber-leet Linux wannabe, and learn how to admin a server properly.


    The only real instance where a wp-config.php is going to be vulnerable is in the case of a complete failure of PHP, OR in the event of a server side glitch where PHP is (accidentally) disabled --> Apache 2.0 actually uses a php.conf that is included within httpd.conf, and it is possible to accidentally comment out that include, causing PHP not to be available. I've done that, by the way.

    If that's a concern there are a couple very simple 'fixes' -- 1.) a mod_access rule to disallow that file from being called directly, 2.) moving the most important bits, inside that file, out of web_root (something I have done, but have been even trickier with since I have my own server)

    Yeah, if I had lots of time on my hands ..

    You spent a lot of time here arguing for someone without a lot of time, but anyway...

    The timestamps thing is great for finding compromised files.

    keyweb.de is evil, if you have your own box, or control of your routing or iptables, nullroute them or drop the packets. You won't miss anything.

    Whoo is gonna be so disappointed...
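
    The procedure from post 2 (check every file's permissions, then inspect anything whose modified date matches neither the install nor the upgrade time) together with the timestamp remark above, turned into a runnable shell audit. This is an added example, not code from any poster in the thread; the directory tree, file names and timestamps it builds are constructed for the demo.

```sh
#!/bin/sh
# Added audit helper (not from the thread): list files in a WordPress tree that
# were modified after the last known-good change, and files that are world-writable.
# Paths and timestamps below are constructed for the demo.

# Build a small constructed tree standing in for a WordPress install.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/themes/demo"
  printf '<?php // config\n' > "$dir/wp-config.php"
  printf '<?php // core\n'   > "$dir/wp-login.php"
  printf '<?php // theme\n'  > "$dir/wp-content/themes/demo/header.php"
  chmod 644 "$dir/wp-config.php" "$dir/wp-login.php"
  # Known-good mtimes: the original install and the automatic upgrade
  touch -t 200902250000 "$dir/wp-config.php"
  touch -t 200904010200 "$dir/wp-login.php"
  # Simulated tampering: edited after the upgrade and left world-writable
  touch -t 200904150300 "$dir/wp-content/themes/demo/header.php"
  chmod 666 "$dir/wp-content/themes/demo/header.php"
  echo "$dir"
}

# Print regular files whose mtime is strictly later than the given
# [[CC]YY]MMDDhhmm timestamp (the time of the last legitimate upgrade).
# A reference file plus -newer keeps this within POSIX find.
find_modified_after() {
  tree=$1; stamp=$2
  ref=$(mktemp)
  touch -t "$stamp" "$ref"
  find "$tree" -type f -newer "$ref"
  rm -f "$ref"
}

# Print regular files that any account on the box can write to (mode has o+w).
find_world_writable() {
  find "$1" -type f -perm -002
}

# Stand-alone demo: build the tree, run both checks, print the hits.
demo() {
  d=$(make_sample_tree)
  echo "Modified after the 2009-04-01 02:00 upgrade:"
  find_modified_after "$d" 200904010200
  echo "World-writable files:"
  find_world_writable "$d"
  rm -rf "$d"
}
```

Run `demo` to see both checks flag only the tampered theme file; against a real install, pass the document root and the upgrade time you recorded.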



  4. nothingHappens
    Posted 7 years ago #

    re: chmod 640 wp-config.php : Well, that's why I asked for input on the subject :D Thanks.

  5. BillRodgers
    Posted 7 years ago #

    To the mod... Please do not delete the thread, but pruning the non technical posts would be helpful for those of us who are trying to remedy this attack.

    I am trying some other things and will post any findings.

    Best regards,


  6. t3ch33
    Posted 6 years ago #

    Wow, this was a very entertaining thread. :D

    Question for the mods: can this exploit also put other non-WordPress files at risk? I ask because I don't even know how the hack works. Thanks.
