• /got rid of a WP site the other day..

    From Ogg@21:4/106.21 to Avon on Monday, June 22, 2020 12:46:00
    Hello Avon!

    ** On Monday 22.06.20 - 18:39, Avon wrote to poindexter FORTRAN:

    Looking to save some money, and my web hosting contract is up, so
    I'm looking at backing up 10 years of IMAP mail and a wordpress site
    to prepare to move to a new provider. I deleted close to a 100
    megabytes

    I got rid of a wordpress site the other day, got sick of the attempted logins by bots etc... so went to a static HTML site - it's bliss now :)

    Don't rest TOO easy. I had an index.html infection (added code) on
    several plain html-based pages. (I changed the http to hxxp below).

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Monday Morning In July</title>
    <link rel="stylesheet" href="style.css" type="text/css">
    </head>
    <frameset cols="100%" rows="10%,*" border="0">
    <frame src="caption.html" scrolling="no" border="no" border="0">
    </frame>
    <frame src="imageset.html" border="0">
    </frame>
    </frameset>
    </html>
    <!-- ~ --><u style=display:none>
    <a href="hxxp://healthmens.org/item/cialis.html">buy cheap cialis</a>
    <a href="hxxp://bestcheappills.com/cheap-cialis.asp">cheap Cialis (Tadalafil)</a>
    <a href="hxxp://antidepresant.org/cialis_price">buy cialis online</a>

    [etc..]

    <!-- ~ --><!-- ~ --><u style=display:none>
    <a href="hxxp://healthmens.org/item/vpxl.html#descr">VPXL (Very Penis Extended Long)</a>
    <a href="hxxp://www.cooking-book.net/">?????????? ?????</a>
    <a href="hxxp://www.afghanan.net/afghanandotnetfiles/">VPXL</a>
    <a href="hxxp://agua-viva.com/rodas/">vpxl online</a>
    <!-- ~ -->

    Buggers.

    I find it frustrating that although file permissions are all set to 600 or 644 for the plain html files, the buggers can still make changes to them.


    --- OpenXP 5.0.44
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Adept@21:1/102 to Ogg on Monday, June 22, 2020 17:40:33
    I find it frustrating that although file permissions are all set to 600
    or 644 for the plain html files, the buggers can still make changes to them.

    Man, how?!? Plain text things (or whatever you want to count HTML as, without scripting) are so read only, and yet...

    Nasty vulnerability, whatever it is.

    --- Mystic BBS v1.12 A46 2020/03/02 (Windows/64)
    * Origin: Error 404 BBS ! (21:1/102)
  • From poindexter FORTRAN@21:4/122 to Ogg on Tuesday, June 23, 2020 07:45:00
    Ogg wrote to Avon <=-

    Don't rest TOO easy. I had an index.html infection (added code) on several plain html-based pages. (I changed the http to hxxp below).

    Weird - how, if you're not running scripts on the server?

    My wordpress site got hit about 6 years ago, every single php file
    was infected. Pain in the ass to clean up.

    Luckily, the php screwed up my formatting and made it clear something
    wasn't right, otherwise I wouldn't have known.



    ... Go outside. Shut the door.
    --- MultiMail/XT v0.52
    * Origin: realitycheckBBS.org -- information is power. (21:4/122)
  • From Ogg@21:4/106.21 to poindexter FORTRAN on Tuesday, June 23, 2020 21:36:00
    Hello poindexter!

    ** On Tuesday 23.06.20 - 07:45, poindexter FORTRAN wrote to Ogg:

    Ogg wrote to Avon <=-

    Don't rest TOO easy. I had an index.html infection (added code) on
    several plain html-based pages. (I changed the http to hxxp below).

    Weird - how, if you're not running scripts on the server?

    Yes. Pure html files are not immune either. :( So, we can't just blame
    WP or php.

    My guess is that some php vulnerability gets exploited and then it
    navigates the file system for other targets, whether the files are mine or another customer's on the same shared host/server.


    My wordpress site got hit about 6 years ago, every single php file
    was infected. Pain in the ass to clean up.

    Over the years, I've only encountered php files being affected too,
    primarily index.php, and some others in /wp-content/themes where functions.php and footer.php were injected with crap.

    Most of the time, the injected code can be removed easily enough.

    I still have some extra pre-loaded themes for a few of my sites that I
    don't use, and they still have the injections in the php files. The
    invasive code is not detected by the courteous scans of my host ISP
    because the code is plain-text html. :( I should just drop the extra themes by now, but I was using them as references for alternative designs even though they were not meant to be activated.


    Luckily, the php screwed up my formatting and made it clear something
    wasn't right, otherwise I wouldn't have known.

    I would get a very thinly disguised text at one of the corners of the
    screen with the nefarious links to direct when clicked. Or.. I would get
    a completely blank screen (which is probably a saving grace when using
    older WP themes or php server versions that don't support their new
    tricks).

    As you saw in my example, the "<u style=display:none>" element is nasty
    because the following links are *live* but remain hidden depending on
    where you click on the screen.

    The bottom line, WP is not solely to blame.

    I built and manage http://homeagainbacroft.ca - now over 10 years ago. I can't imagine NOT using WP for that. It's nothing fancy, but it's super
    easy to add photos, articles, expiring old notices, moving things around, etc. It's a volunteer effort - so QUICK and EASY is good for me.

    http://openxp.kolico.ca is a personal project as an online "searchable"
    user manual for my favorite offline reader / point program. The main emphasis is the "searchable"; WP makes that really easy.

    I built this one http://thetimetraveller.ca for a fellow who was anxious
    to get posting his stories. WP is a very good solution.


    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Ogg@21:4/106.21 to Adept on Tuesday, June 23, 2020 21:39:00
    Hello Adept!

    ** On Monday 22.06.20 - 17:40, Adept wrote to Ogg:

    I find it frustrating that although file permissions are all set to
    600 or 644 for the plain html files, the buggers can still make
    changes to them.

    Man, how?!? Plain text things (or whatever you want to count HTML as, without scripting) are so read only, and yet...

    Nasty vulnerability, whatever it is.

    I am guessing that it's a php exploit ELSEWHERE on the same/shared server that then explores the rest of the user accounts.




    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Avon@21:1/101 to Ogg on Wednesday, June 24, 2020 19:06:06
    On 22 Jun 2020 at 12:46p, Ogg pondered and said...

    Buggers.

    I find it frustrating that although file permissions are all set to 600
    or 644 for the plain html files, the buggers can still make changes to them.

    Crap! Thanks for the warning. I'll try and look into that, else I'll be flogging
    men's impotence products before I know it - E Gads!

    --- Mystic BBS v1.12 A46 2020/05/28 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Arelor@21:2/138 to Ogg on Wednesday, June 24, 2020 09:46:52
    Re: /got rid of a WP site the other day..
    By: Ogg to Avon on Mon Jun 22 2020 12:46 pm

    Buggers.

    I find it frustrating that although file permissions are all set to 600 or
    644 for the plain html files, the buggers can still make changes to them.

    Hahaha. Did you find the penetration point?

    --
    gopher://gopher.operationalsecurity.es
    --- SBBSecho 3.11-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (21:2/138)
  • From Ogg@21:4/106.21 to Arelor on Friday, June 26, 2020 19:54:00
    Hello Arelor!

    ** On Wednesday 24.06.20 - 09:46, Arelor wrote to Ogg:

    I find it frustrating that although file permissions are all set to
    600 or 644 for the plain html files, the buggers can still make changes
    to them.

    Hahaha. Did you find the penetration point?


    As I wrote to others, I wonder if it is accomplished from another user account that is shared on the same server service.



    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
  • From Spectre@21:3/101 to Ogg on Wednesday, June 24, 2020 14:47:00
    I find it frustrating that although file permissions are all set to
    600 or 644 for the plain html files, the buggers can still make
    changes to them.

    Man, how?!? Plain text things (or whatever you want to count HTML as,

    I am guessing that it's a php exploit ELSEWHERE on the same/shared server that then explores the rest of the user accounts.

    Would seem to imply you have accounts with more permissions than they need. I had a round of SQL injection the first time I set it up... but after that made the appropriate code use an SQL user that only had read permissions.

    Much the same theory with the old crontab injections I used to get. Although I knew they were going to be arriving via the old BBS account setup.....

    So in short, anyone that doesn't need access to /var/www or whatever your equivalent is, take the write permissions off them completely. I don't know if WP requires write access itself to just function... if you can just run it with no write permissions... and edit it with another account that does have write access...

    Thoughts, Spec


    *** THE READER V4.50 [freeware]
    --- SuperBBS v1.17-3 (Eval)
    * Origin: Scrawled in haste at The Lower Planes (21:3/101)
  • From Ogg@21:4/106.21 to Spectre on Sunday, June 28, 2020 14:36:00
    Hello Spectre!

    ** On Wednesday 24.06.20 - 14:47, Spectre wrote to Ogg:

    I am guessing that it's a php exploit ELSEWHERE on the same/shared
    server that then explores the rest of the user accounts.

    Would seem to imply you have accounts with more permissions than they
    need. I had a round of SQL injection the first time I set it up... but after that made the appropriate code use an SQL user that only had read permissions.

    I have seen people exploiting MySQL vulnerabilities to acquire information about directory structures, file names, and ultimately acquiring owner
    access to files. There is one fellow on YT showing how to do just that
    with a series of videos!

    I've worked with *nix based file systems in the past and thought that the Owner-Group-World arrangement provided very nice security. But
    apparently, other things like MySQL, can trip all that up and file access
    can still happen if set to read only.


    Much the same theory with the old crontab injections I used to get. Although I knew they were going to be arriving via the old BBS account setup.....

    I can imagine how frustrating that was.


    So in short, anyone that doesn't need access to /var/www or whatever your equivalent is, take the write permissions off them completely.

    I dunno. WP is so ubiquitous and its standard structure is clearly
    defined. Unless I move my WP installations to non-standard directory names
    and locations, there will be attacks/injections.

    Lately, it has been pretty quiet on the WP front. One thing the injectors can't override is the actual creation dates of their files or when they accomplished write access (the clue when an actual breach took place.)


    I don't know if WP requires write access itself to just function... if
    you can just run it with no write permissions... and edit it with
    another account that does have write access...

    I can't block off writes entirely. Some of the WP sites I manage need commenting "ON".

    But.. I find it annoying that a simple html "site" ended up breached with
    an injection in its index.html file!

    https://kolico.ca/fotos/sunrise/

    Only 13 lines in the original, a couple hundred bytes. But the infected
    file was nearly 2000 bytes with the hidden links.

    --- OpenXP 5.0.45
    * Origin: (} Pointy McPointFace (21:4/106.21)
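    A defender-side check for the two things Ogg describes in this thread: the links hidden under "<u style=display:none>" and appended after "</html>" in the first post, and, in the last post, the file size and modification time as the clue that a static page was tampered with. This is added example code, not anything from the original thread; the site hostname passed in and the sample page below are constructed placeholders, not the real infected file.

```python
import os
import re
from urllib.parse import urlparse

# A static page ends at </html>; the quoted infection was appended after it.
TRAILER_RE = re.compile(r"</html\s*>(.*)$", re.IGNORECASE | re.DOTALL)
# Inline-hidden containers such as the quoted <u style=display:none>.
HIDDEN_RE = re.compile(r"""<(\w+)[^>]*style\s*=\s*['"]?[^>]*display\s*:\s*none[^>]*>""", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)

def offsite_links(fragment, own_host):
    """hrefs in fragment whose host is not our own site (relative links are skipped)."""
    links = []
    for url in HREF_RE.findall(fragment):
        host = urlparse(url).hostname
        if host and host.lower() != own_host.lower():
            links.append(url)
    return links

def scan_html(text, own_host):
    """Return (finding, detail, links) tuples; an empty list means nothing suspicious."""
    findings = []
    trailer = TRAILER_RE.search(text)
    if trailer and trailer.group(1).strip():
        body = trailer.group(1).strip()
        findings.append(("trailer_after_html", len(body), offsite_links(body, own_host)))
    for hidden in HIDDEN_RE.finditer(text):
        tag = hidden.group(1)
        rest = text[hidden.end():]
        close = re.search(r"</%s\s*>" % re.escape(tag), rest, re.IGNORECASE)
        body = rest[:close.start()] if close else rest  # the quoted <u> was never closed
        links = offsite_links(body, own_host)
        if links:
            findings.append(("hidden_offsite_links", tag, links))
    return findings

def scan_file(path, own_host):
    """Also report size and mtime: a 13-line page grown to ~2000 bytes is the clue from the thread."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = scan_html(fh.read(), own_host)
    return {"path": path, "bytes": st.st_size, "mtime": st.st_mtime, "findings": findings}

# Constructed sample in the shape of the quoted infection (placeholder domains, not the real ones).
INFECTED = """<html><head><title>Monday Morning In July</title></head>
</html>
<!-- ~ --><u style=display:none>
<a href="http://pills.example/cheap.html">buy cheap pills</a>
<a href="http://other-spam.example/x.asp">more pills</a>
<!-- ~ -->"""
```

Run scan_file over every .html under the web root (passing your own hostname) and review anything with findings, a recent mtime, or a size well above what you uploaded.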