Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: wordpress websites compromised
Posted: Sun Feb 05, 2017 9:56 am
Forum Regular

Joined: Mon Sep 16, 2013 10:10 am
Posts: 112
Location: Lahore
Hello,

Two WordPress properties I host were compromised yesterday and today; the attacker changed the title of the latest post to "hacked.." etc.

This is a vague question, but am I missing something from my ASL config that should've stopped them? We are running a slightly older version of WordPress, but I read a message in the ASL panel that the latest zero day was already protected by ASL.

I ran wpscan on the site and the following core vulnerabilities showed up:

Code:

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[i] Fixed in: 4.7.2


I'm no security expert, but the last one seems to be the culprit. How can I configure ASL to stop these attacks?

Note: I have disabled REST API on both properties with a plugin.


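An added example (not part of the original posts, and not wpscan or Atomicorp code): a small parser for the wpscan findings quoted in the first post that reports which of them apply to a given installed WordPress version. The installed versions in the loop are hypothetical, since the poster does not state theirs.

```python
import re

# Constructed sample: the three wpscan findings quoted in the first post,
# trimmed to the title, one reference and the "Fixed in" line.
WPSCAN_OUTPUT = """\
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
[i] Fixed in: 4.7.2
"""

TITLE_RE = re.compile(r"^\[!\] Title: WordPress ([\d.]+)-([\d.]+) - (.+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: ([\d.]+)$")

def ver(text):
    """'4.7' -> (4, 7, 0), so 4.7 and 4.7.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_findings(output):
    """Return one dict per finding: name, first/last affected version, fix."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        m = TITLE_RE.match(line)
        if m:
            findings.append({"name": m.group(3), "first": ver(m.group(1)),
                             "last": ver(m.group(2)), "fixed_in": None})
        elif findings and (f := FIXED_RE.match(line)):
            findings[-1]["fixed_in"] = f.group(1)
    return findings

def affecting(installed, findings):
    """Names of findings whose affected range contains the installed version."""
    v = ver(installed)
    return [f["name"] for f in findings if f["first"] <= v <= f["last"]]

if __name__ == "__main__":
    findings = parse_findings(WPSCAN_OUTPUT)
    for installed in ("4.2.0", "4.7.1", "4.7.2"):  # hypothetical installs
        print(installed, "->", affecting(installed, findings) or "none listed")
```

This covers only the core findings shown in the thread; plugin and theme findings that wpscan reports use other title formats and are not matched.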
 Post subject: Re: wordpress websites compromised
Posted: Thu Feb 09, 2017 11:07 am
Forum User

Joined: Wed Nov 23, 2005 8:49 am
Posts: 50
Got the same problem/question.

Got a CentOS 7 / Plesk 12.5 server with ModSecurity and the add-on license for "Atomic Professional ModSecurity". Still, a lot of WordPress sites have been hacked, related to "https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html". I thought the "virtual patching" in ASL/ModSecurity would protect us from just this kind of attack?


 Post subject: Re: wordpress websites compromised
Posted: Fri Feb 10, 2017 9:38 am
Forum User

Joined: Mon Mar 18, 2013 6:26 pm
Posts: 63
Location: Earth
I see a lot of these attacks stopped; maybe you have those rules turned off?

_________________
If everything was easy, then the world wouldn't need engineers.


 Post subject: Re: wordpress websites compromised
Posted: Fri Feb 10, 2017 2:52 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4082
Location: Chantilly, VA
I don't see any support cases opened for this. Would you mind opening a support case so we can have our team look into this for you?

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: wordpress websites compromised
Posted: Fri Mar 10, 2017 6:15 pm
Forum User

Joined: Thu Mar 09, 2017 7:26 pm
Posts: 30
Location: California
RE: "We are running a slightly older version of wordpress.."

FWIW.. Aside from ASL.. this in and of itself is a major problem.. The reason the WP team does updates is because of discovered vulnerabilities.. Keeping up with the latest version (and all plugins and themes) is critical. Plugins/themes can be compromised and hacked regardless of how secure the operating system is.


 Post subject: Re: wordpress websites compromised
Posted: Sat Apr 15, 2017 8:43 am
Forum User

Joined: Wed Jul 04, 2012 9:03 pm
Posts: 29
Location: Melbourne
How did you ensure your ASL is working?
Simply installing it does not guarantee it will work.

To test it, try this terminal command from a non-ASL-whitelisted IP address:

wget "http://websitetotest/foo.php?foo=httpwww.example.com"

If you get 403 access denied - ASL works.

If you get 404 not found - ASL does not work.

