#wordpress 2020-10-24

2020-10-24 UTC
[tantek], [KevinMarks], [chrisbergr], nickodd, [fluffy], [chrisaldrich], [capjamesg] and jeremycherfas joined the channel
beko
GWG++ awesome, thank you :)
Loqi
GWG has 35 karma in this channel over the last year (144 in all channels)
nickodd and [snarfed] joined the channel
[snarfed]
evidently my web site got broken into. 😐 looks like they didn’t get too far, but still. anyone familiar with wordpress forensics and clean-up post-compromise?
GWG
[snarfed]: Not specifically, do you back up so you could roll back?
GWG
How bad is it?
[snarfed]
oh yeah i have full db backups, not worried about losing content
[snarfed]
they didn’t get far enough to change content anyway
[snarfed]
it’s more that i don’t know where the vulnerability was, so i can’t just put the site back up as it was until i find and fix the hole
GWG
[snarfed]: Likely a plugin
GWG
First step is always assessing your least updated ones
[snarfed]
afaik they were all up to date
GWG
[snarfed]: Would you feel comfortable sharing a list?
sknebel
guess question is if any got patched for vulns in the meantime?
GWG
Or if any got abandoned
[snarfed]
i have the full HTTP request logs from the IP that broke in. the first POST requests were to `wp-admin/admin-ajax.php`, so that’s not too helpful
GWG
If you want me to look at the log piece and the plugin list, I can try to see if anything comes up.
[snarfed]
thank you! will do
[snarfed]
updated logs.txt ^ just now with the event notifs from Sucuri that tipped me off
[snarfed]
site is safe for now, wordpress is entirely disabled, it’s serving only from static file cache. gotta run for now, but thank you for looking GWG! i’ll be back in a bit
GWG
The moment they seem to get admin access seems to coincide with the ajax call. So, something has a vulnerability there
GWG
The two places that could be would be something in a plugin, or something embedded in a theme
GWG
Themes could include libraries with compromising dependencies, but themes are more likely.
GWG
Disable Check Comment Flood is 8 years old. But not much has changed there
GWG
NoIndex NoFollow All Posts is 4 years old.
GWG
The OpenID plugin is 2 years old, but pfefferle commented in the support for it about 5 months ago that he still uses it
GWG
Press This is effectively abandoned
GWG
So nothing obvious
GWG
Ryu Theme hasn't been updated in over two years.
GWG
In all cases, no reports of anything
[chrisaldrich] and [chrisbergr] joined the channel; nickodd left the channel
[chrisbergr]
[snarfed] I'm sure your security plugin would have already triggered the alarm, but just to be on the safe side, search all your files for the occurrence 'api.telegram.org'. I have experienced problems with that on many WP installations in the last weeks.
[pfefferle] joined the channel
[pfefferle]
[snarfed] what wp Version?
[snarfed] joined the channel
[snarfed]
[chrisbergr] thanks! will do
[snarfed]
[pfefferle] 5.5.1 😐
[snarfed]
and thank you for the investigation GWG! definitely helpful
[snarfed]
updated https://snarfed.org/logs.txt to include a diff of wordpress files between mine and stock 5.5.1, at the bottom
[snarfed]
also, one key piece of perspective on compromises like this, from https://www.quantable.com/architecture/wordpress-hack-cleanup-guide/ :
[snarfed]
> I find it helpful to remind myself that the site I’m working on was probably hacked as a part of an automated process. Unless you’re running a really big site or are particularly unlucky, the hackers who messed up your site came across it as a result of scanning thousands and thousands of sites for a particular attack method.
[snarfed]
…ie, it’s almost never personal or targeted.
[snarfed]
> Also, while the malicious code is frequently very clever, it’s also frequently very sloppy, and rarely tailored to any particular site. So when you’re scratching your head asking yourself, “what were they thinking??” — remember that the answer is that they weren’t really thinking about your site at all in particular.
[chrisbergr]
Yes, I mean look at the access logs, how many times 'someone' tries to log in to the wp-admin... At first sight this seems like a pretty good guide, I'll bookmark this and see if I can get something out of it for myself, later.
GWG
That's why I always have trouble reading logs
astralbijection joined the channel