Wordpress Blog Site (Tool)
Log in to: http://www.mcnaircenter.org/blog/wp-admin/
Install FTP server
Log in and sudo su yourself, then:
apt-get install vsftpd
Man page for the vsftpd.conf file
http://vsftpd.beasts.org/vsftpd_conf.html
Securing the FTP:
https://help.ubuntu.com/lts/serverguide/ftp-server.html
Configuration
Edit /etc/vsftpd.conf (note next restart will reflect changes in /etc/init)
#add at tend of file: listen_port=26
Generate keys for our website with the following command:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) []:Houston Organization Name (eg, company) [Internet Widgits Pty Ltd]:McNair Center at Rice University's Baker Institute Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:McNair Center Email Address []:admin@mcnaircenter.org
Edit /etc/vsftpd.conf again
#change the lines as follows: rsa_cert_file=/etc/vsftpd.pem rsa_private_key_file=/etc/vsftpd.pem write_enable=YES chroot_local_user=YES chroot_list_enable=YES chroot_list_file=/etc/vsftpd.chroot_list ssl_enable=YES
Edit /etc/vsftpd.chroot_list to contain a list of usernames (e.g., ravali)
Restart the server
service vsftpd restart
The FTP server should be accessible. Beware local packet shaping. Connect through mcnaircenter.org:26. Otherise have a check that the process is running and listening:
ps -aux netstat -lnt
Assuming all is good with the FTP server, we now need to update Wordpress.
Turning the FTP server on and off
To stop the FTP server loading at boot:
service vsftpd stop mv /etc/init/vsftpd.conf /etc/init/vsftpd.conf.stop
To start the service, restore the conf file first:
mv /etc/init/vsftpd.conf.stop /etc/init/vsftpd.conf service vsftpd stop
Update Wordpress
First make a copy of the wordpress folder and dbase
cp -R /var/lib/wordpress/ /var/lib/wordpress_bak mysqldump -u mcnair_wp -p wordpress > backup_12Aug2016.sql (enter password for dbase found in wp-config.php)
Change the permissions on every in the wordpress folder and make www-data its owner:
chown -R www-data /var/lib/wordpress chmod -R 755 /var/lib/wordpress
Browse to 128.42.44.180/blog/wp-admin Click update now. Enter:
Hostname 128.42.44.180:26 FTP Username ravali (or some other account) FTP Password Connection Type FTPS (SSL)
Leave the Akismet plugin Go to appearance, themes -> add new
Choose Accesspress Lite 2.46.7 Activate
Install all of the recommended pluggins that come with the theme
Check the media library works by uploading a file (e.g., GreenRoundLogo.png)
Create a child theme
cd /var/lib/wordpress/wp-content/themes mkdir accesspress-lite-child vi accesspress-lite-child/style.css Add in the template from the parent folder's style.css (just the top of the file) Update the theme name and text domain to accesspress-lite-child. vi accesspress-lite-child/functions.php Add in the section that never changes <?php function my_theme_enqueue_styles() { $parent_style = 'parent-style'; // This is 'twentyfifteen-style' for the Twenty Fifteen theme. wp_enqueue_style( $parent_style, get_template_directory_uri() . '/style.css' ); wp_enqueue_style( 'child-style', get_stylesheet_directory_uri() . '/style.css', array( $parent_style ), wp_get_theme()->get('Version') ); } add_action( 'wp_enqueue_scripts', 'my_theme_enqueue_styles' ); ?>
Check the permissions on the new files:
chown -R www-data /var/lib/wordpress chmod -R 755 /var/lib/wordpress
Active the child theme! Check out what it looks like: www.mcnaircenter.org/blog
Customize our theme
Middle Section
The middle area of the blog's home page as three sections -
The Twitter Feed
This widget will display the top 5 tweets of the McNair Center's twitter account.
- In the Appearance -> Widgets section, the theme has the middle section sidebar.
- Add the AccessPress-lite Twitter feed widget to the middle section sidebar
- Log into dev.twitter.com with the McNair Center's creds.
- Paste the security keys, consumer keys, etc identifying the McNair Center API into the form of the widget.
- Set/reset the number of blog posts that are required
Categories
This is a built in widget from wordpress that is being used in this section.
Custom Widgets
Add a custom (text/html) widget from the widgets to put in the 'Contact Us' and social media icons.
Styling
The styling involves LOTS of changes to various php and (some) css files. Generally, if you see a file with a .bak extension then changes have been made to it. The changes were too extensive to document.
Image Uploads
- Images uploaded, both attached to posts and unattached, are added to the media library.
- They are categorized in the backend per the month and the year in which they are uploaded.
- Plugins involved:
- Enhanced Media Library
- This plugin allows us to
- create new categories
- assign images to categories
- filter in the media library section by category
- This plugin allows us to
- Enhanced Media Library
- Pixabay
- This plugin allows us to
- find images from Creative Commons
- add these images for each post - the Pixabay button can be seen next to the Add Media button on the create post screen.
- This plugin allows us to
- Pixabay
Adding pluggins
- Check the ftp server is running: ps -aux | grep ftp
- Restart the ftp server if not: service vsftpd start
- Go to http://mcnair.bakerinstitute.org/blog/wp-admin/plugin-install.php and choose the plug in
Useful resources if there are errors
Wordpress:
- https://codex.wordpress.org/Upgrading_WordPress_Extended#Step_9:_Run_the_WordPress_upgrade_program
- https://wordpress.org/support/topic/wordpress-45-error-after-update
- https://help.webcontrolcenter.com/kb/a992/vsftpd-ftp-server.aspx
FTP Issues:
Upgrading the blog
Pharma Hack
We were hacked on or before October 4th 2017 it looked like a variant of the Pharma Hack. See:
- https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
- https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
- http://www.digitaltap.tv/featured-content/fixing-the-wordpress-pharma-hack/
This was consistent with searching the following in google:
inurl:mcnair.bakerinstitute.org cheap viagra or cheap cialis
But from /var/lib/wordpress
grep -r "wp_class_support"
returns no results!
Checking the files:
cd /var/lib/wordpress ls -alt
produced several anomalous timestamps:
drwxr-xr-x 6 www-data root 4096 Oct 18 14:23 wp-content -rwxr-xr-x 1 www-data root 418 Oct 4 06:16 index.php -rwxr-xr-x 1 www-data root 1627 Oct 4 06:16 wp-blog-header.php
In wp-includes we also have (despite the directory having an older mod stamp)
-rwxr-xr-x 1 www-data root 619 Sep 20 04:08 version.php -rwxr-xr-x 1 www-data root 144389 Sep 20 04:08 class-wp-customize-manager.php -rwxr-xr-x 1 www-data root 65677 Sep 20 04:08 script-loader.php -rwxr-xr-x 1 www-data root 95866 Sep 20 04:08 wp-db.php -rwxr-xr-x 1 www-data root 43847 Sep 20 04:08 embed.php
stat index.php stat wp-blog-header.php
index.php contains:
- define('WP_USE_THEMES', true);
- require( dirname( __FILE__ ) . '/wp-blog-header.php' );
wp-blog-header.php contains:
- All sorts of dodgy looking code redirects for images with:
- base64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
- base64 decoded: http://domforultradors.com/?
Which confirmed a malware issue:
The .htaccess file in wp-content/uploads directory contains:
<FilesMatch "(?<!1388019941)\.php$"> Order Allow,Deny Deny from all
Both wp-content/themes and wp-content/plugins have an Oct 18 date on them. But both have subdirs with older access dates and seem clean. And the directory 2017/10 has Oct 4th dates on it but is empty. This is consistent with a numerically named php file being executed from here and then deleted.
According the malware report it should target two additional files. We don't have WordFence, so only one is relevant:
locate wfScanEngine.php locate class-wp-upgrader.php /home/mcnair/Downloads/wordpress/wp-admin/includes/class-wp-upgrader.php /var/lib/wordpress/wp-admin/includes/class-wp-upgrader.php /var/lib/wordpress_bak/wp-admin/includes/class-wp-upgrader.php -rwxr-xr-x 1 www-data root 34995 Oct 4 06:16 class-wp-upgrader.php
This file does indeed show sign of infection!
Upgrading Ubuntu's packages
To start upgrade ubuntu's packages so that everything is fresh and new.
apt-get updates (maybe need to do a separate dpkg --configure -a) apt-get upgrade
If you have to upgrade grub, the correct drives are sda and sdb. See the bottom of Web_Server_Documentation#Configuring_RAID_1_on_Web_Server_.282.2F17.2F2016.29.
Finding the backdoor
It really isn't clear how this thing got in, beyond being in the uploads directory at some point and having enough permissions to create a .htaccess file that it left behind. Most likely we had a vulnerable plugin. There are no anomalous user accounts but we should delete and clean up anyway.
The Plan
- Fix corrupted files
- Remove dodgy .htaccess file
- Turn on the FTP
- Upgrade wordpress and plugins
- Look down directory permissions more tightly
- Remove disused user accounts