
Thread: Brute Force Attacks On WordPress Underway

  1. #21 Harold Mansfield (root; joined Aug 2008; Las Vegas)

    Last year I got like 3 phone calls in the same month from people whose websites were getting redirected FROM the Google SERPs. You could see the site in the search results, but when you clicked the link, it took you to a Chinese knock-off pharmaceutical site (which they presented as a Canadian site. It was even on a .ca).

    It was the damndest thing. After about an hour with the first one, I decided to check the theme files since you never know where people get themes from.
    Finally found a small piece of JS code in the sidebar.php file. Just sitting there. Completely out of place. From a dirty, rotten, "die all you spammers and hackers" standpoint, it was pretty simple and pretty ingenious.

    I removed it and all was well again.

    I don't want to disparage the host because it probably wasn't their fault. But all 3 people were on the same host. None of them had a security plug-in installed, or their login screens redirected, and they all used the default username. And with that, the hackers installed the script. Probably from the administration editor. It's just that easy. For ANY website, if you don't take basic security precautions.

    Follow up. Recently the DOJ, Interpol and some other international agencies shut down about 100 of those pharm sites on the same day, and that one was on the list.

  2. #22 Brian Altenhofel (member; joined Sep 2012; Oklahoma)

    That's one of the reasons that I don't use shared hosts. Too many issues with privilege escalation or bypass that results in every site on that same server being compromised even if there wasn't a flaw in the site itself. It's also why all of my clients' sites are on separate cloud servers. If one does get compromised, whether directly or via a script on their site, the others aren't affected.

    That's also a reason that, in most jurisdictions, government agencies or entities receiving government funding are not allowed to use shared hosting.
    VMdoh - Drupal development, consulting, and support

  3. #23 MyITGuy (member; joined Apr 2011; Miami, FL)

    Quote Originally Posted by Brian Altenhofel View Post
    That's one of the reasons that I don't use shared hosts. Too many issues with privilege escalation or bypass that results in every site on that same server being compromised even if there wasn't a flaw in the site itself.
    As long as the host is security conscious, implements the correct features/functionality and monitors things...there shouldn't be an issue. Unfortunately, this is not the case with a lot of hosts....they try to maximize the number of clients they can have on a single server with the least amount of issues/support calls...which results in old/outdated software and lax security.

    And honestly, if I were in your position I would likely prefer a shared server, or semi-dedicated. If you have more than a dozen clients, then keeping everything up to date and secure is a full-time job in itself. I.E. How long did it take for you to patch your clients' servers against the recent CentOS zero-day exploit (assuming you're using CentOS or a Red Hat derivative)?

  4. #24 Brian Altenhofel (member; joined Sep 2012; Oklahoma)

    Quote Originally Posted by MyITGuy View Post
    And honestly, if I were in your position I would likely prefer a shared server, or semi-dedicated. If you have more than a dozen clients, then keeping everything up to date and secure is a full-time job in itself. I.E. How long did it take for you to patch your clients' servers against the recent CentOS zero-day exploit (assuming you're using CentOS or a Red Hat derivative)?
    Don't run CentOS/RedHat (except for Zenoss because *It just works*). I'm a Debian guy.

    But it doesn't take long at all. Anytime I push an update to my Puppet configs, Jenkins deploys ~15 cloud servers (bare minimum for my deployment - includes file server cluster, MySQL cluster, Elasticsearch cluster, Logstash, monitoring tools, message queues, web app-only servers, and Internet-facing servers), applies updated Puppet configs, and runs a series of tests both on how the servers perform and react to failure scenarios as well as with a Drupal site with several common modules, and then kills the servers. If everything passes, then I know I can push into production. Jenkins tells each server to do a git pull on the repo and then applies the new configuration (and performs a reboot if necessary due to a kernel upgrade) in the proper order. The thorough tests take a few hours to run - final application across my current deployment is ~10 minutes +/-.

    Jenkins even handles upgrading and testing Drupal modules and deploys those changes into production if they pass all tests. On the more complex sites I do, I have the client verify the cloned and updated version works before putting the change in production, but on the more simple sites I just let it go ahead and deploy on its own.

    Jenkins is the best investment I've made in my business. When I first started running it, I had several other freelancers tell me they couldn't justify spending $80+/mo for something like that. My first week running it, it freed me up for 4 more billable hours. I'd say it's somewhere in the neighborhood of 15-20 hours per week now.

    Because of automation tools like Jenkins and configuration management tools like Puppet, the industry standard sysadmin:server ratio has increased from 1:10 to 1:100 (or more depending on how homogeneous your deployment is).

    I believe in automating everything as much as possible, and Jenkins helps me do that. Applying a config update to 30+ servers is as simple as "git push".

    And of course, I believe in thorough testing - that's why I take the extra time upfront to write tests in most cases on custom dev work. Even if all tests technically pass, it's not a "pass" unless there was also 100% code coverage.
    Last edited by Brian Altenhofel; 07-13-2013 at 08:33 AM.

  5. #25 vangogh (joined Aug 2008; Boulder, Colorado)

    Not every attack enters through the host or site. One I've had to clear from a number of sites would infect your desktop or laptop and from there it would grab FTP credentials, assuming you used FTP to access a server at all. The attack would then install itself in the form of .js code all over WordPress on every site you stored login information for.

    It was a nasty thing. You could clear out most of it, but if you missed even one file it would be back in full in a few days. In addition to adding .js code it created new files that looked like they belonged, but didn't. I remember it would add an index.php file inside every images folder. The easiest way to clean it out was to save your theme and delete everything else. Then reinstall WordPress and any plugins. You'd have to clean out the theme or ideally have a clean backup of it, which wasn't usually the case. On the bright side the database stayed clean so once the files were replaced and you changed every username and password across the site and hosting account you were back in business.

    More common though is people not upgrading WordPress or plugins and something getting in through an old exploit. WordPress and/or the plugins had usually fixed the issue long before, but not everyone upgrades.
    Join me as I share my creative process and journey as a writer | StevenBradley.me
    Design, Development, Marketing, and SEO Tutorials | Steven Bradley's Notebook
    Get my book about Design Fundamentals

  6. #26 billbenson (member; joined Aug 2008)

    Does anyone know of a program or script that will alert you to new files or recently altered files on your site?

  7. #27 vangogh (joined Aug 2008; Boulder, Colorado)

    Automattic created VaultPress. It's a plugin that's part of a monthly service with 3 plans. The lite plan $5/month backs up your site daily and can restore it from a backup if something happens. On the other end, the premium plan scans your site daily and alerts you to security threats and suspicious code.

    There are probably scripts that do alert you to changes, but those might have issues of their own. For example if you or someone is legitimately working on the site you're going to get a lot of alerts. Similarly when you update WP or any plugins you'll probably be getting alerts too.

  8. #28 Harold Mansfield (root; joined Aug 2008; Las Vegas)

    There's also Better WP Security. It has a ton of security features, and you can also set it to alert you of any file changes or bad attempts to gain access.
    WordPress › Better WP Security WordPress Plugins

  9. #29 MyITGuy (member; joined Apr 2011; Miami, FL)

    Quote Originally Posted by billbenson View Post
    Does anyone know of a program or script that will alert you to new files or recently altered files on your site?
    You have some programming experience, so I'm sure you can create something similar to the following:

    Step 1 - Get a listing of files in your home directory and load them into an array
    Step 2 - Look through your array get the MD5 SUM of the file being evaluated
    Step 3 - Compare the MD5 SUM of the current file to the previous value if one is present (I.E. 2 Variables in an SQL Table, File Path/Name & MD5 Sum....or just a text file with .MD5 as the suffix that contains the value).
    Step 4 - If the MD5 Value is not present - Send an alert and store the new value
    Step 5 - If the MD5 Value has changed - send an alert and store the new value.

    I set up something similar to monitor a website that was getting hijacked and it worked pretty well. I did it from the client side though; the process above should be server based to catch everything.
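The five steps above, written out as a runnable server-side file integrity monitor. This is an added example and not MyITGuy's script: it assumes a web root directory and a JSON baseline file stored outside that web root (both hypothetical paths), and it uses SHA-256 instead of the MD5 named in the post, since MD5 collisions are cheap to produce. It also addresses vangogh's point in post #27 about alert noise during legitimate work: alerts are reported on every run, but the stored baseline is only replaced on the first run or when you explicitly accept the current state after reviewing the changes or finishing an update. The `demo()` function builds a small constructed site in a temporary directory so the whole flow runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# The post uses MD5; SHA-256 is used here instead (assumption, not from the thread).
HASH_ALGO = "sha256"
CHUNK = 64 * 1024


def hash_file(path: Path, algo: str = HASH_ALGO) -> str:
    """Step 2: hash one file in chunks so large uploads don't load into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, algo: str = HASH_ALGO) -> dict[str, str]:
    """Step 1: walk the web root and map relative path -> digest.
    Symlinks are skipped so a link pointing outside the root is not followed."""
    snapshot: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        snapshot[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return snapshot


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Steps 3-5: new files (no stored digest), changed files (digest differs),
    and, beyond the post, files that disappeared since the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "changed": sorted(k for k in current if k in baseline and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_baseline(path: Path, snapshot: dict[str, str]) -> None:
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def check_site(root: Path, baseline_path: Path, accept: bool = False) -> dict[str, list[str]]:
    """Run one check. The report is the alert; the baseline is replaced only on the
    very first run or when accept=True, so a reviewed change stops alerting and an
    unreviewed one keeps alerting on every run instead of being silently absorbed."""
    baseline = load_baseline(baseline_path)
    current = scan_tree(root)
    report = compare(baseline, current)
    if accept or not baseline:
        save_baseline(baseline_path, current)
    return report


def demo() -> list[dict[str, list[str]]]:
    """Constructed scenario: baseline a tiny site, then edit one file and drop a new
    PHP file into an uploads folder (the pattern described earlier in the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        site = tmpdir / "public_html"            # hypothetical web root
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG\r\n")
        baseline = tmpdir / "site-baseline.json"  # kept outside the web root

        reports = [check_site(site, baseline)]                 # first run: everything is new, baseline stored
        (site / "index.php").write_text("<?php require 'wp-blog-header.php'; /* edited */\n")
        (uploads / "index.php").write_text("<?php /* unexpected file */\n")
        reports.append(check_site(site, baseline))             # alerts; baseline untouched
        reports.append(check_site(site, baseline, accept=True))  # same alerts, then accepted
        reports.append(check_site(site, baseline))             # quiet again
        return reports


if __name__ == "__main__":
    for i, r in enumerate(demo()):
        print(f"run {i}: {r}")
```

Run it from cron against the real web root and mail the report when any list is non-empty; run it with `accept=True` right after you finish a WordPress or plugin update so the next scheduled check is quiet.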

  10. #30 billbenson (member; joined Aug 2008)

    @Steve - Are those only WordPress options? Remember, I have a lot of my own scripts as well as the WordPress scripts.

    @Jeff, how long does it take to run? It's a pretty big site.

    If the MD5 value is not set, I'm assuming that's a file that is a possible hack if I'm not working on the site.
