
wordpress websites compromised

Posted: Sun Feb 05, 2017 9:56 am
by imadsani
Hello,

Two wordpress properties I host were compromised yesterday and today; the attacker changed the title of the latest post to "hacked.." etc.

This is a vague question, but am I missing something from my ASL config that should've stopped them? We are running a slightly older version of wordpress but I read a message in the ASL panel that the latest zero day was already protected by ASL.

I ran wpscan on the site and the following core vulnerabilities showed up:

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[i] Fixed in: 4.7.2

I'm no security expert, but the last one seems to be the culprit. How can I configure ASL to stop these attacks?

Note: I have disabled REST API on both properties with a plugin.
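A helper for triaging that kind of wpscan report, added here as an example (it is not code from the thread or from the wpscan project): it parses the "[!] Title" / "Reference" / "[i] Fixed in" blocks quoted above into records and compares each "Fixed in" version with the installed WordPress version, so only the findings that still apply are listed. It assumes plain dotted numeric version strings like the ones in the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# wpscan findings as quoted in the first post of this thread (trimmed, not constructed).
WPSCAN_OUTPUT = """\
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[i] Fixed in: 4.7.2
"""

@dataclass
class Finding:
    title: str
    references: List[str] = field(default_factory=list)
    fixed_in: Optional[str] = None  # version string from the "[i] Fixed in:" line

def parse_wpscan(text: str) -> List[Finding]:
    """Group '[!] Title', 'Reference' and '[i] Fixed in' lines into Finding records."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[!] Title:"):
            findings.append(Finding(title=line[len("[!] Title:"):].strip()))
        elif line.startswith("Reference:") and findings:
            findings[-1].references.append(line[len("Reference:"):].strip())
        elif line.startswith("[i] Fixed in:") and findings:
            findings[-1].fixed_in = line[len("[i] Fixed in:"):].strip()
    return findings

def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))  # '4.7.1' -> (4, 7, 1); (4, 7) < (4, 7, 2)

def unpatched(findings: List[Finding], installed: str) -> List[Finding]:
    """Findings whose fix version is newer than the WordPress version actually installed."""
    current = version_tuple(installed)
    return [f for f in findings if f.fixed_in and version_tuple(f.fixed_in) > current]

def cve_ids(finding: Finding) -> List[str]:
    """CVE identifiers mentioned in a finding's reference URLs (may be empty)."""
    return sorted({m.group(0) for ref in finding.references for m in re.finditer(r"CVE-\d{4}-\d+", ref)})
```

Running `unpatched(parse_wpscan(WPSCAN_OUTPUT), "4.7.1")` returns all three findings; with "4.7.2" installed it returns none.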

Re: wordpress websites compromised

Posted: Thu Feb 09, 2017 11:07 am
by TheEniGMa
Got the same problem/question.

Got a Centos 7 / PLESK 12.5 server with ModSecurity and the add-on license for "Atomic Professional ModSecurity". Still, a lot of WordPress sites have been hacked, related to "https://blog.sucuri.net/2017/02/content ... t-api.html". I thought the "virtual patching" in ASL/ModSecurity would protect us from just this kind of attack?

Re: wordpress websites compromised

Posted: Fri Feb 10, 2017 9:38 am
by hostingg
I see a lot of these attacks stopped; maybe you have those rules turned off?

Re: wordpress websites compromised

Posted: Fri Feb 10, 2017 2:52 pm
by mikeshinn
I don't see any support cases opened for this. Would you mind opening a support case so we can have our team look into this for you?

Re: wordpress websites compromised

Posted: Fri Mar 10, 2017 6:15 pm
by jbmoore
RE: "We are running a slightly older version of wordpress.."

FWIW.. Aside from ASL.. this in and of itself is a major problem.. The reason the WP team does updates is because of discovered vulnerabilities.. Keeping up with the latest version (and all plugins and themes) is critical. Plugins/themes can be compromised and hacked regardless of how secure the operating system is.

Re: wordpress websites compromised

Posted: Sat Apr 15, 2017 8:43 am
by iv@rh
How did you ensure your ASL is working?
Simply installing it does not guarantee it will work.

To test it, try this terminal command from a non-ASL-whitelisted IP address:

wget http://websitetotest/foo.php?foo=httpwww.example.com

If you get 403 access denied - ASL works.

If you get 404 not found - ASL does not work.