own3mall
Forum Replies Created
-
Forum: Fixing WordPress
In reply to: WP_Term_Query->get_terms – SQL Error – Hacked?That’s not really all that helpful. I’ve done all of the above, and I still can’t figure out why the SQL queries are wrong. Without my fix, the site is completely broken, and I’ve cleaned out as much as I can, and WordFence finds no issues other than my modified file (which I modified myself to fix the SQL issues)…
Forum: Fixing WordPress
In reply to: WP_Term_Query->get_terms – SQL Error – Hacked?My change in the core code won’t break anything since it only replaces invalid SQL if it’s there (I’m a web developer myself, so I know what I changed is fine), but yeah, I’ve been trying your suggestions. WordFence didn’t find anything extraordinary except for some old plugins I’m not using that I’ve since deleted, and I found some malicious files these casino people uploaded. Attached here:
[redacted – please do not distribute hacks]
Wish I could figure out what code was exploited or used to get these files into the uploads folder…
Also, despite cleaning things up through WordFence, my SQL queries are still wrong:
SELECT DISTINCT t.*, tt.* FROM wpme_terms AS t LEFT JOIN wpme_termmeta ON ( t.term_id = wpme_termmeta.term_id AND wpme_termmeta.meta_key='order') INNER JOIN wpme_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('product_cat') AND ( ( wpme_termmeta.meta_key = 'order' OR wpme_termmeta.meta_key IS NULL ) ) AND t.term_id NOT IN() ORDER BY wpme_termmeta.meta_value+0 ASC, t.name ASCAND t.term_id NOT IN() is the problem causing SQL errors.
I downloaded the zip of WordPress 5.4.1, ran BeyondCompare against its class-wp-term-query.php vs my modified version (that I modified), and my change was the only difference. Thus, I don’t think the exploit touched any of the WordPress core files, but something happened to screw up the SQL queries.
- This reply was modified 6 years ago by own3mall.
- This reply was modified 6 years ago by Steven Stern (sterndata).
Forum: Plugins
In reply to: [WooCommerce] Modifying the Shop’s meta og:image Value?Thanks, I am not using that plugin, so it could be our theme (salient-child).
I’ve disabled all of the WooCommerce plugins I can, but unfortunately, I have yet to track down the issue.
According to WooCommerce’s status page, I only have three plugins which have not been tested with 4.0.1
WooCommerce SecureSubmit Gateway by SecureSubmit – 1.12.1 – Not tested with the active version of WooCommerce
WooCommerce PDF Invoices by Bas Elbers – 3.0.11 – Not tested with the active version of WooCommerce
Delivery Date & Time for WooCommerce by CodeRockz – 1.2.4 – Not tested with the active version of WooCommerce
Unless it’s one of these three plugins, I’m at a loss. It could always be another “tested” WooCommerce plugin, but I can’t disable things to find out because the currently enabled plugins are essential to business.
Forum: Fixing WordPress
In reply to: WordPress Installation Hacked and Being Used to Send SPAM EmailsI’m running a full scan now on the entire server using ClamAV, but I’m pretty sure the issue is just localized to this installation. I have already followed the guide for the most part, as WordFence does restore the files with the original once it detects changes.
The problem is, how are these changes being made in the first place? It keeps happening.
I opened a ticket here:
https://core.trac.wordpress.org/ticket/35532#ticket
Hopefully, I explained it OK. I think I did the best I could considering it is past midnight here for me.
Thanks for pointing me in the right direction and listening!
I’m not sure. I’ll have to think about it a bit more.
The pingbacks system is too open and easily abused, so should it have been included as a feature in the first place? I don’t see much use for it. I can see perhaps someone wanting this feature, but it just opens too many opportunities for abuse.
In my case though, I had pingbacks disabled in the control panel.
Under Discussion settings, there are two settings.
Attempt to notify any blogs linked to from the article
Allow link notifications from other blogs (pingbacks and trackbacks) on new articlesBoth of these are unchecked (disabled). Yet, when I was being attacked, even with these settings disabled, my server load was off the charts. Perhaps we could store these settings in a file so they are easily retrieved quickly? If these settings are disabled, we don’t process the request at all? Currently, it seems that with these settings unchecked, there’s still some kind of logic / database initialization going on which isn’t very efficient.
The Disable XML-RPC Pingbacks Plugin removes this logic entirely, but why doesn’t disabling the settings have the same effect? It doesn’t need to remove the function, it merely needs to not process the requests which is inefficient for the server.
With that being said, has anyone come up with an iptables rule to rate limit specifically pingback requests? If not, maybe this is what I’ll work on next.
Since the pingbacks system has no way to prevent abuse, maybe pingbacks should be disabled by default when WordPress is first installed?
Another possible solution would be to the write a file when a pingback request is received with the name of {IP_ADDRESS}.txt which contains a timestamp. {IP_ADDRESS} being the IP address from the client sending the request (PHP can grab this easily). When a pingback request is received, we check to see if the file exists, and if it does, we check to see if the current timestamp is greater than the old timestamp + 60 seconds. If it’s not, we discard this request because not enough time has passed. If it is, we process the post back and write the new timestamp to the file. If the file doesn’t exist, we create the file with the current timestamp and process the request. Then, WordPress could run a “cron” like function like it does for updating WordPress to delete these files to cleanup every once in a while. This will limit a source to one pingback request per minute, which seems more than fair. Thoughts on this potential solution? Seriously, file system operations are very fast and so are timestamp operations, so I could see this working. This would also prevent a single attacker or multiple attackers from having a noticeable impact on the server.
There’s gotta be someway to prevent the abuse from hammering the server.
EDIT: Also, would it be possible to unlock the old forum thread and merge the majority of the posts in this thread to it? I think it’s an ongoing issue that needs to be discussed or addressed. At the very least, post a link in that closed thread to here? And maybe this post needs to move? Just thinking out loud here.
It’s shown in the control panel somewhere for authenticated users to use for XML-RPC functions. That way, only the right people know what the hash is.
But that spoofed hash would only be valid for their installation of WordPress. The real WordPress installation they attack would be using a differently randomly generated HASH that was generated and saved during installation. Their request didn’t send the right hash for that install, so it’s dropped.
My idea is that the hash is known only to the server and a legit user. Bots will have no idea what the hash is, as it will be different for every WordPress installation. They’d have to spend a lot of time guessing, and they most likely would never succeed.
I will file an enhance request. Thank you for taking the time to understand what I’m trying to say. It’s not that WordPress should be invulnerable to attacks, it’s that WordPress should not allow attacks to consume a lot of resources on the server while processing the attacks.
Storing the hash in a file on the server may not be the best decision either, so maybe it could be stored in the database, but the function to look it up should be simple and quick. It does this before doing anything else. A single select statement on MySQL should be quite quick…
That, or it could be stored in a flat file, but make sure the file isn’t readable by the world (chmod it to 700 or something)
I don’t think it matters if it is spoofed. It has to match the unique hash for that particular install of WordPress. Have it be some kind of md5 hash, and the chances that an attacker will guess this hash would be slim to none. A legit user of the pingback functionality will be presented with their hash that needs to be sent with every pingback request. It would simply be a variable containing the correct hash. That way, attackers would probably never guess it correctly, and if the variable isn’t included in the request, the request isn’t processed either.
Just a thought.
Here’s an idea:
Perhaps an encryption key hash should be sent with every pingback POST request that is unique to every installation of WordPress. If the encryption key hash sent doesn’t match what is stored in a text file, the database and logic doesn’t even need to begin processing the request. This should not be very resource intensive since reading a file from the file system is much quicker and efficient than making calls to the database and performing logic on the request. This would render this attack useless, as it wouldn’t affect system resources.
Yes, bots are always trying to attack and exploit servers. I’m not questioning that. I didn’t say it was a DDOS. I said it’s a localized DOS.
My point is that the WordPress code responsible for handling pingback requests should not be putting a high load on my server due to bogus requests. It should be doing nothing if the requests are bogus instead of initializing the database and taking up additional resources every time the request is received to the point it slows my server to a crawl.
I don’t know of any other software that processes bogus requests AND slows the server to a crawl by using too many resources to filter these requests.
I’m not sure how many times I’m going to have to say this, but this issue is a WordPress issue. Sure, I can work around it by DISABLING the entire feature, but that doesn’t fix the problem. By default, WordPress is open to this attack. A bot or exploiter could DOS any installation of WordPress using this attack, and it wouldn’t be very complicated to do so.
I had a user install WordPress recently. Within a few days, his xml-rpc was being hit with the same pingback attack. No one knew about it except for me, the server admin. That is how quickly a new installation was under attack. Consider yourself lucky that your installations aren’t under attack yet. Or maybe they are, you just haven’t noticed it or care about server load. I can guarantee that once you are under attack and have noticed you’re under attack, your opinion will probably change.
A lot of people probably don’t even realize they have this problem, so I’m betting a lot more users actually have this problem more than you think. It takes a good server administrator to notice this problem. It’s not as obvious as you think.
Please explain to me how this is not a WordPress issue without reiterating there is a plugin to DISABLE not FIX this issue.
Just because WordPress has millions of installations doesn’t mean it doesn’t have security issues. Sure, you could say this isn’t a security issue, but it is, and it’s a tough one to spot when you’re being attacked. Your installation isn’t being attacked right now, but that doesn’t mean it won’t be in the future, and when it is, are you still going to suggest it isn’t a security issue? Typically, security involves mitigating problems before they even happen. Instead, WordPress wants to take the easy way out and just have the entire feature disabled.
There was no need to lock the original thread. I just wanted to use it as a record of how many times I’m having to tell users to install the disable xml-rpc pingback plugin to work around this issue. Others were commenting they had the same issue, so I’d prefer it if people could have a voice in a relevant topic.
The number of users affected by this problem are unknown. It took me a few months to discover how this attack was affecting my sever, and as such, it will probably take others a while too. I never asked for the feature to be removed. I asked that WordPress properly secure this feature against attacks.