Difference between revisions of "Wordpress Blog Site (Tool)"

From edegan.com

Latest revision as of 23:31, 18 October 2017

Log in to: http://www.mcnaircenter.org/blog/wp-admin/

Install FTP server

Log in and sudo su yourself, then:

apt-get install vsftpd

Man page for the vsftpd.conf file

http://vsftpd.beasts.org/vsftpd_conf.html

Securing the FTP:

https://help.ubuntu.com/lts/serverguide/ftp-server.html

Configuration

Edit /etc/vsftpd.conf (the changes take effect at the next restart; the service's init job is /etc/init/vsftpd.conf)

#add at the end of the file:
listen_port=26

Generate keys for our website with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Houston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:McNair Center at Rice University's Baker Institute
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:McNair Center
Email Address []:admin@mcnaircenter.org

Edit /etc/vsftpd.conf again

#change the lines as follows:
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=YES

Edit /etc/vsftpd.chroot_list to contain a list of usernames (e.g., ravali)

Restart the server

service vsftpd restart

The FTP server should now be accessible. Beware local packet shaping. Connect through mcnaircenter.org:26. Otherwise, check that the process is running and listening:

ps -aux
netstat -lnt
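As an added example (not code from the page), the following Python script checks a vsftpd.conf for the settings this procedure relies on. PAGE_CONF is constructed from the lines appended to /etc/vsftpd.conf above, and the DEFAULTS table holds vsftpd's built-in values for keys that are absent, taken from the vsftpd.conf man page. Because the page shows only the lines it appended, the script should be run against the complete file before acting on its findings; the shipped Ubuntu file may already set anonymous_enable=NO, for instance. It also spells out a semantic that is easy to misread: with chroot_local_user=YES, the users named in /etc/vsftpd.chroot_list are the ones exempted from the chroot, so the account listed there (ravali in the page's example) is not confined to its home directory.

```python
# Built-in vsftpd defaults for keys that are absent (from the vsftpd.conf man page).
DEFAULTS = {
    "anonymous_enable": "YES",
    "ssl_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chroot_list_file": "/etc/vsftpd.chroot_list",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "listen_port": "21",
}

# Constructed from the lines the page adds to /etc/vsftpd.conf (the shipped file is not shown).
PAGE_CONF = """\
listen_port=26
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=YES
"""


def parse_vsftpd_conf(text):
    """One key=value per line, '#' starts a comment, the last assignment of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def malformed_lines(text):
    """vsftpd treats whitespace around '=' ('key = value') as a config error; report such lines."""
    bad = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if key != key.rstrip() or value != value.lstrip():
                bad.append(line)
    return bad


def setting(conf, key):
    """Effective value of key, falling back to vsftpd's built-in default."""
    return conf.get(key, DEFAULTS.get(key, "")).upper()


def lint_vsftpd(conf):
    """Return (issues, notes): issues weaken the setup the page intends,
    notes flag semantics that are easy to misread."""
    issues, notes = [], []
    if setting(conf, "anonymous_enable") != "NO":
        issues.append("anonymous_enable is not NO (vsftpd's built-in default permits anonymous logins)")
    if setting(conf, "ssl_enable") != "YES":
        issues.append("ssl_enable is not YES: logins and file data would cross the network in clear text")
    else:
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if setting(conf, key) != "YES":
                issues.append(f"{key}=NO lets clients fall back to plain FTP despite ssl_enable=YES")
        for key in ("rsa_cert_file", "rsa_private_key_file"):
            if key not in conf:
                issues.append(f"ssl_enable=YES but {key} is not set")
    if setting(conf, "chroot_local_user") != "YES":
        issues.append("chroot_local_user is not YES: local users can browse the whole filesystem")
    elif setting(conf, "chroot_list_enable") == "YES":
        # Easy to misread: with chroot_local_user=YES the list names the users who are NOT jailed.
        list_file = conf.get("chroot_list_file", DEFAULTS["chroot_list_file"])
        notes.append(f"users listed in {list_file} are exempt from the chroot")
    if setting(conf, "listen_port") != "21":
        notes.append(f"listening on port {setting(conf, 'listen_port')}: firewall rules and clients must use it")
    return issues, notes


if __name__ == "__main__":
    found_issues, found_notes = lint_vsftpd(parse_vsftpd_conf(PAGE_CONF))
    for line in found_issues:
        print("ISSUE:", line)
    for line in found_notes:
        print("NOTE: ", line)
```

Run against the real file with `parse_vsftpd_conf(open("/etc/vsftpd.conf").read())`; `malformed_lines` catches the `key = value` spacing mistake that stops vsftpd from starting, which is the failure the askubuntu link in the resources section is about.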

Assuming all is good with the FTP server, we now need to update Wordpress.

Turning the FTP server on and off

To stop the FTP server loading at boot:

service vsftpd stop
mv /etc/init/vsftpd.conf /etc/init/vsftpd.conf.stop

To start the service, restore the conf file first:

mv /etc/init/vsftpd.conf.stop /etc/init/vsftpd.conf 
service vsftpd start

Update Wordpress

First make a copy of the wordpress folder and the database:

 cp -R /var/lib/wordpress/ /var/lib/wordpress_bak
 mysqldump -u mcnair_wp -p wordpress > backup_12Aug2016.sql
 (enter the database password found in wp-config.php)

Change the permissions on everything in the wordpress folder and make www-data its owner:

chown -R www-data /var/lib/wordpress
chmod -R 755 /var/lib/wordpress

Browse to 128.42.44.180/blog/wp-admin and click Update Now. Enter:

Hostname 128.42.44.180:26
FTP Username ravali (or some other account)
FTP Password 
Connection Type FTPS (SSL)

Leave the Akismet plugin in place. Go to Appearance -> Themes -> Add New.

Choose Accesspress Lite 2.46.7
Activate

Install all of the recommended plugins that come with the theme

Check the media library works by uploading a file (e.g., GreenRoundLogo.png)

Create a child theme

cd /var/lib/wordpress/wp-content/themes
mkdir accesspress-lite-child
vi accesspress-lite-child/style.css 
	Add in the template from the parent folder's style.css (just the top of the file)
	Update the theme name and text domain to accesspress-lite-child.
vi accesspress-lite-child/functions.php
	Add in the section that never changes
	
<?php
function my_theme_enqueue_styles() {

    $parent_style = 'parent-style'; // This is 'twentyfifteen-style' for the Twenty Fifteen theme.

    wp_enqueue_style( $parent_style, get_template_directory_uri() . '/style.css' );
    wp_enqueue_style( 'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( $parent_style ),
        wp_get_theme()->get('Version')
    );
}
add_action( 'wp_enqueue_scripts', 'my_theme_enqueue_styles' );
?>

Check the permissions on the new files:

chown -R www-data /var/lib/wordpress
chmod -R 755 /var/lib/wordpress

Activate the child theme! Check out what it looks like: www.mcnaircenter.org/blog

Customize our theme

Middle Section

The middle area of the blog's home page has three sections:

The Twitter Feed

This widget will display the top 5 tweets of the McNair Center's twitter account.

  • In Appearance -> Widgets, the theme provides a middle section sidebar.
  • Add the AccessPress-lite Twitter feed widget to the middle section sidebar.
  • Log into dev.twitter.com with the McNair Center's creds.
  • Paste the security keys, consumer keys, etc. identifying the McNair Center API into the widget's form.
  • Set/reset the number of blog posts that are required.

Categories

This section uses a built-in WordPress widget.


Custom Widgets

Add a custom (text/HTML) widget from the widgets list to hold the 'Contact Us' block and the social media icons.

Styling

The styling involves LOTS of changes to various php and (some) css files. Generally, if you see a file with a .bak extension then changes have been made to it. The changes were too extensive to document.

Image Uploads

  • Images uploaded, both attached to posts and unattached, are added to the media library.
  • They are categorized in the backend per the month and the year in which they are uploaded.
  • Plugins involved:
    • Enhanced Media Library
      • This plugin allows us to
        • create new categories
        • assign images to categories
        • filter in the media library section by category
    • Pixabay
      • This plugin allows us to
        • find images from Creative Commons
        • add these images for each post - the Pixabay button can be seen next to the Add Media button on the create post screen.

Adding plugins

  1. Check the ftp server is running: ps -aux | grep ftp
  2. Restart the ftp server if not: service vsftpd start
  3. Go to http://mcnair.bakerinstitute.org/blog/wp-admin/plugin-install.php and choose the plugin

Useful resources if there are errors

Wordpress:

FTP Issues:

  • https://help.ubuntu.com/lts/serverguide/ftp-server.html
  • http://askubuntu.com/questions/666858/vsftpd-service-will-not-start-for-14-04

Upgrading the blog

Pharma Hack

We were hacked on or before October 4th 2017; it looked like a variant of the Pharma Hack. See:

  • https://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
  • https://blog.sucuri.net/2016/09/cleaning-the-wp-page-pharma-hack-in-wordpress.html
  • http://www.digitaltap.tv/featured-content/fixing-the-wordpress-pharma-hack/

This was consistent with the results of the following Google search:

inurl:mcnair.bakerinstitute.org cheap viagra or cheap cialis

But running the following from /var/lib/wordpress:

grep -r "wp_class_support"

returns no results!

Identified Malware

Checking the files:

cd /var/lib/wordpress
ls -alt

produced several anomalous timestamps:

drwxr-xr-x  6 www-data root      4096 Oct 18 14:23 wp-content
-rwxr-xr-x  1 www-data root       418 Oct  4 06:16 index.php
-rwxr-xr-x  1 www-data root      1627 Oct  4 06:16 wp-blog-header.php

In wp-includes we also have the following files (despite the directory having an older modification stamp), but for now let's treat this as irrelevant.

-rwxr-xr-x  1 www-data root        619 Sep 20 04:08 version.php
-rwxr-xr-x  1 www-data root     144389 Sep 20 04:08 class-wp-customize-manager.php
-rwxr-xr-x  1 www-data root      65677 Sep 20 04:08 script-loader.php
-rwxr-xr-x  1 www-data root      95866 Sep 20 04:08 wp-db.php
-rwxr-xr-x  1 www-data root      43847 Sep 20 04:08 embed.php

stat index.php
stat wp-blog-header.php

index.php contains:

  • define('WP_USE_THEMES', true);
  • require( dirname( __FILE__ ) . '/wp-blog-header.php' );

wp-blog-header.php contains:

  • All sorts of dodgy looking code redirects for images with:
    • base64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
    • base64 decoded: http://domforultradors.com/?

Which confirmed a malware issue:

  • https://malware.expert/malware/wordfence-security-plugin/

The .htaccess file in wp-content/uploads directory contains:

<FilesMatch "(?<!1388019941)\.php$">
Order Allow,Deny
Deny from all

The negative lookbehind in that FilesMatch rule denies every .php file under uploads except one whose name ends in 1388019941, so the attacker's own file stays executable while any other PHP dropped in the directory is blocked. Both wp-content/themes and wp-content/plugins have an Oct 18 date on them. But both have subdirs with older access dates and seem clean. And the directory 2017/10 has Oct 4th dates on it but is empty. This is consistent with a numerically named php file being executed from here and then deleted.

According to the malware report it should target two additional files. We don't have WordFence, so only one is relevant:

locate wfScanEngine.php
locate class-wp-upgrader.php
/home/mcnair/Downloads/wordpress/wp-admin/includes/class-wp-upgrader.php
/var/lib/wordpress/wp-admin/includes/class-wp-upgrader.php
/var/lib/wordpress_bak/wp-admin/includes/class-wp-upgrader.php

-rwxr-xr-x 1 www-data root      34995 Oct  4 06:16 class-wp-upgrader.php

This file does indeed show signs of infection!
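The checks above (anomalous mtimes from ls -alt, comparison against the clean copy in /var/lib/wordpress_bak, the base64-encoded redirect URL, and the planted uploads/.htaccess) can be run in one pass over the whole tree. The following Python script is an added example, not code from the page: triage() walks a live install, flags PHP files modified on or after a cutoff, hashes each one against the same path in the clean copy, decodes base64 runs to expose hidden URLs, and reports any .htaccess that contains a FilesMatch rule over .php. The sample tree built by demo() is constructed to mirror the page's findings, and the cutoff of 3 October 2017 is an assumption based on the Oct 4 timestamps above.

```python
import base64
import hashlib
import os
import re
import shutil
import tempfile
from datetime import datetime

# A run of base64 alphabet long enough to hide a URL ('http://' encodes to 'aHR0cDov').
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decode_urls(data):
    """Return the URLs hidden inside base64 runs in data (bytes)."""
    urls = []
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        token += b"=" * (-len(token) % 4)  # the page's sample string was unpadded
        try:
            plain = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if plain.startswith((b"http://", b"https://")):
            urls.append(plain.decode("ascii", "replace"))
    return urls


def triage(live_dir, clean_dir, cutoff):
    """Compare a live install with a clean copy; cutoff is the earliest suspect mtime."""
    found = {"newer_than_cutoff": [], "differs_from_clean": [], "not_in_clean": [],
             "encoded_urls": {}, "htaccess_php_rules": []}
    for root, _dirs, names in os.walk(live_dir):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, live_dir)
            with open(path, "rb") as fh:
                data = fh.read()
            if name == ".htaccess":
                # The planted rule on the page: <FilesMatch "(?<!1388019941)\.php$"> ... Deny from all
                if b"FilesMatch" in data and b".php" in data:
                    found["htaccess_php_rules"].append(rel)
                continue
            if not name.endswith(".php"):
                continue
            if datetime.fromtimestamp(os.path.getmtime(path)) >= cutoff:
                found["newer_than_cutoff"].append(rel)
            clean = os.path.join(clean_dir, rel)
            if not os.path.exists(clean):
                found["not_in_clean"].append(rel)
            elif sha256_of(clean) != sha256_of(path):
                found["differs_from_clean"].append(rel)
            urls = decode_urls(data)
            if urls:
                found["encoded_urls"][rel] = urls
    for key in ("newer_than_cutoff", "differs_from_clean", "not_in_clean", "htaccess_php_rules"):
        found[key].sort()
    return found


def demo():
    """Constructed live/clean pair mirroring the page's findings; returns the triage output."""
    base = tempfile.mkdtemp(prefix="wp-triage-")
    live, clean = os.path.join(base, "wordpress"), os.path.join(base, "wordpress_bak")
    index = b"<?php\ndefine('WP_USE_THEMES', true);\nrequire( dirname( __FILE__ ) . '/wp-blog-header.php' );\n"
    header_clean = b"<?php\nrequire_once( dirname( __FILE__ ) . '/wp-load.php' );\n"
    # Constructed infected header: the redirect target is the base64 string quoted on the page.
    header_bad = b"<?php\nheader('Location: ' . base64_decode('aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw'));\n"
    upgrader_clean = b"<?php\n// constructed clean upgrader stub\n"
    upgrader_bad = b"<?php\n// constructed upgrader stub altered after the cutoff\n"
    htaccess = b'<FilesMatch "(?<!1388019941)\\.php$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n'
    files = {
        (clean, "index.php"): index, (live, "index.php"): index,
        (clean, "wp-blog-header.php"): header_clean, (live, "wp-blog-header.php"): header_bad,
        (clean, "wp-admin/includes/class-wp-upgrader.php"): upgrader_clean,
        (live, "wp-admin/includes/class-wp-upgrader.php"): upgrader_bad,
        (live, "wp-content/uploads/.htaccess"): htaccess,
        (live, "wp-content/uploads/2017/10/1388019941.php"): b"<?php // constructed dropped file\n",
    }
    old = datetime(2016, 8, 12).timestamp()  # the backup date on the page
    for (top, rel), data in files.items():
        path = os.path.join(top, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        if data in (index, header_clean, upgrader_clean):  # untouched files keep an old mtime
            os.utime(path, (old, old))
    try:
        return triage(live, clean, datetime(2017, 10, 3))
    finally:
        shutil.rmtree(base)
```

On the real box the call is `triage("/var/lib/wordpress", "/var/lib/wordpress_bak", datetime(2017, 10, 3))`. The hash comparison only works where the clean copy predates the compromise, which is why the backup date matters; a file that hashes equal to the backup can still be bad if the backup was taken after the intrusion.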

Upgrading Ubuntu's packages

To start, upgrade ubuntu's packages so that everything is fresh and new.

apt-get update
(you may need to run dpkg --configure -a separately)
apt-get upgrade

If you have to upgrade grub, the correct drives are sda and sdb. See the bottom of Web_Server_Documentation#Configuring_RAID_1_on_Web_Server_.282.2F17.2F2016.29.

Finding the backdoor

It really isn't clear how this thing got in, beyond being in the uploads directory at some point and having enough permissions to create a .htaccess file that it left behind. Most likely we had a vulnerable plugin. There are no anomalous user accounts but we should delete and clean up anyway.

The Plan

  • Fixed corrupted files by copying them over with clean versions from /var/lib/wordpress_bak/
  • Renamed the dodgy .htaccess file
  • Turned on the FTP Server
  • Upgraded wordpress and its plugins. Note: DO NOT UPDATE THEMES!!!
  • Turned off the FTP Server
  • Locked down directory permissions more tightly (see below)
  • Removed disused user accounts (any contributions set to Anne Dayton)
  • Changed permissions of all users to author, except Tay to editor, and left just Ed and Anne as admin

I also installed the delete-all-comments-easily plugin and easily deleted the enormous queue of junk comments.

Changing permissions

I used the shared server config found here: https://www.smashingmagazine.com/2014/05/proper-wordpress-filesystem-permissions-ownerships/

From the wordpress dir run:

sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php

Image upload was tested and worked fine, and a new plugin was also installed fine.
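Permissions drift back over time (a plugin update, a manual cp as root), so the three commands above are worth turning into a check that can be re-run. The following Python script is an added example, not the page's own code: permission_findings() walks the install and reports every file or directory whose mode differs from the 644/755 scheme, with wp-config.php expected at 600; world_writable() picks out the findings that matter most, since a directory 'other' can write to is where a compromised web-server process drops files, as the planted uploads/.htaccess on this page shows; and apply_scheme() is the same fix as the find/chmod commands. The sample install built by demo() is constructed. Ownership (the page's chown -R www-data) is not checked here.

```python
import os
import shutil
import stat
import tempfile

# The scheme applied on the page: files 644, directories 755, wp-config.php 600.
EXPECTED_FILE, EXPECTED_DIR, EXPECTED_CONFIG = 0o644, 0o755, 0o600


def expected_mode(rel, is_dir):
    """wp-config.php at the install root holds the database password, so it gets 600."""
    if is_dir:
        return EXPECTED_DIR
    return EXPECTED_CONFIG if rel == "wp-config.php" else EXPECTED_FILE


def walk_entries(wp_root):
    """Yield (relative path, absolute path, is_dir) for every entry below wp_root,
    skipping symlinks because their own mode bits are meaningless."""
    for root, dirs, files in os.walk(wp_root):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                yield os.path.relpath(path, wp_root), path, name in dirs


def permission_findings(wp_root):
    """Sorted (relative path, actual mode, expected mode) for entries that drift from the scheme."""
    findings = []
    for rel, path, is_dir in walk_entries(wp_root):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        want = expected_mode(rel, is_dir)
        if actual != want:
            findings.append((rel, actual, want))
    return sorted(findings)


def world_writable(findings):
    """The findings to fix first: anything 'other' can write to."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def apply_scheme(wp_root):
    """Equivalent of the page's two find/chmod commands plus chmod 600 wp-config.php."""
    for rel, path, is_dir in walk_entries(wp_root):
        os.chmod(path, expected_mode(rel, is_dir))


def demo():
    """Constructed install with typical drift; returns findings before and after apply_scheme()."""
    base = tempfile.mkdtemp(prefix="wp-perms-")
    layout = {  # relative path -> mode; a trailing '/' marks a directory
        "wp-config.php": 0o644,              # should be 600
        "index.php": 0o755,                  # should be 644
        "wp-includes/": 0o755,
        "wp-includes/version.php": 0o644,
        "wp-content/": 0o755,
        "wp-content/uploads/": 0o777,        # world-writable directory
        "wp-content/uploads/.htaccess": 0o666,
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "wb") as fh:
                fh.write(b"<?php // constructed\n")
        os.chmod(path, mode)
    try:
        before = permission_findings(base)
        apply_scheme(base)
        return before, permission_findings(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    drift, remaining = demo()
    for rel, actual, want in drift:
        print(f"{rel}: {oct(actual)} -> {oct(want)}")
    print("remaining after fix:", remaining)
```

On the server, `permission_findings("/var/lib/wordpress")` gives the list of entries the find commands would touch, which is a cheap thing to run from cron and alert on: a new world-writable directory under wp-content/uploads is exactly the condition this incident exploited.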

Installing WordFence

I also installed the free version of WordFence. It wouldn't have stopped our last malware, most likely, but it should stop at least some of the future annoyances. I went with the basic config. The notifications are sent to mcnair@rice.edu

Still to do

We should consider some extra hardening! See, for example, https://codex.wordpress.org/Hardening_WordPress

That we really can't update our theme is an ongoing issue...