wordpress websites compromised

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
imadsani
Forum Regular
Posts: 112
Joined: Mon Sep 16, 2013 10:10 am
Location: Lahore

wordpress websites compromised

Post by imadsani

Hello,

Two WordPress properties I host were compromised yesterday and today; the attacker changed the title of the latest post to "hacked.." etc.

This is a vague question, but am I missing something from my ASL config that should've stopped them? We are running a slightly older version of WordPress, but I read a message in the ASL panel that the latest zero-day was already protected by ASL.

I ran wpscan on the site and the following core vulnerabilities showed up:

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
    Reference: https://wpvulndb.com/vulnerabilities/8731
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.7.2

[!] Title: WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
    Reference: https://wpvulndb.com/vulnerabilities/8734
    Reference: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
[i] Fixed in: 4.7.2
I'm no security expert, but the last one seems to be the culprit. How can I configure ASL to stop these attacks?

Note: I have disabled REST API on both properties with a plugin.
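A way to check whether the third wpscan finding was actually exercised against a site is to look for write-method requests to the posts/pages REST endpoints in the web server access log. The script below is an added example, not code from the thread or from Atomicorp; the log lines are constructed samples in the Apache/nginx "combined" format, and it covers both the `/wp-json/` path and the `?rest_route=` query form WordPress accepts when pretty permalinks are off (a plugin that "disables the REST API" should refuse both, so any such request that still gets a 2xx after the plugin was installed deserves a look).

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines ("combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2017:10:12:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2017:10:12:03 +0000] "POST /wp-json/wp/v2/posts/17 HTTP/1.1" 200 2048 "-" "python-requests/2.12"
198.51.100.9 - - [03/Feb/2017:10:13:10 +0000] "POST /?rest_route=/wp/v2/posts/17 HTTP/1.1" 200 2048 "-" "curl/7.47"
192.0.2.44 - - [03/Feb/2017:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Feb/2017:10:15:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2017:10:16:40 +0000] "PUT /wp-json/wp/v2/pages/3 HTTP/1.1" 403 199 "-" "python-requests/2.12"
"""

# One combined-format line: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REST_PATH_RE = re.compile(r"^/wp-json/wp/v2/(posts|pages)(/|$)")
REST_ROUTE_RE = re.compile(r"^/wp/v2/(posts|pages)(/|$)")


def rest_content_route(target):
    """Return the REST route if the request targets the posts/pages endpoints,
    via either the /wp-json/ path or the ?rest_route= query form; else None."""
    parsed = urlparse(target)
    if REST_PATH_RE.match(parsed.path):
        return parsed.path
    route = parse_qs(parsed.query).get("rest_route", [None])[0]
    if route and REST_ROUTE_RE.match(route):
        return route
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rest_writes(log_text):
    """Return parsed entries for write-method requests to the posts/pages REST endpoints."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["method"] not in WRITE_METHODS:
            continue
        route = rest_content_route(entry["target"])
        if route:
            entry["route"] = route
            entry["status"] = int(entry["status"])
            hits.append(entry)
    return hits


def summarize(hits):
    """Count hits per (ip, accepted) where accepted means the server answered below 400."""
    counts = Counter()
    for h in hits:
        counts[(h["ip"], h["status"] < 400)] += 1
    return counts


if __name__ == "__main__":
    found = find_rest_writes(SAMPLE_LOG)
    for h in found:
        verdict = "ACCEPTED" if h["status"] < 400 else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["route"]} -> {h["status"]} {verdict} ({h["ua"]})')
    print(summarize(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; an ACCEPTED write from an address that never logged in through wp-login.php is the line to correlate with the post revision history.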
TheEniGMa
Forum User
Posts: 50
Joined: Wed Nov 23, 2005 8:49 am

Re: wordpress websites compromised

Post by TheEniGMa

Got the same problem/question.

Got a CentOS 7 / PLESK 12.5 server with ModSecurity and the add-on license for "Atomic Professional ModSecurity". Still, a lot of WordPress sites have been hacked, related to "https://blog.sucuri.net/2017/02/content ... t-api.html". I thought the "virtual patching" in ASL/ModSecurity would protect us from just this kind of attack?
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: wordpress websites compromised

Post by hostingg

I see a lot of these attacks stopped; maybe you have those rules turned off?
If everything was easy, then the world wouldn't need engineers.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: wordpress websites compromised

Post by mikeshinn

I don't see any support cases opened for this. Would you mind opening a support case so we can have our team look into this for you?
jbmoore
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Re: wordpress websites compromised

Post by jbmoore

RE: "We are running a slightly older version of wordpress.."

FWIW.. Aside from ASL.. this in and of itself is a major problem.. The reason the WP team does updates is because of discovered vulnerabilities.. Keeping up with the latest version (and all plugins and themes) is critical. Plugins/themes can be compromised and hacked regardless of how secure the operating system is.
iv@rh
Forum User
Posts: 29
Joined: Wed Jul 04, 2012 9:03 pm
Location: Melbourne

Re: wordpress websites compromised

Post by iv@rh

How did you ensure your ASL is working?
Simply installing it does not guarantee it will work.

To test it, try this terminal command from a non-ASL-whitelisted IP address:

wget http://websitetotest/foo.php?foo=httpwww.example.com

If you get 403 access denied - ASL works.

If you get 404 not found - ASL does not work.
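The same check as the wget line above, written as a small script so the verdict is recorded rather than read off by eye. This is an added example, not code from the post or from Atomicorp; `websitetotest` is a placeholder for a site you administer, and as the post says it has to be run from a machine whose address is not on the ASL whitelist. Any status other than 403 or 404 is reported as inconclusive rather than guessed at.

```python
import sys
import urllib.error
import urllib.request

# Placeholder host from the post; replace with a site you administer.
DEFAULT_SITE = "http://websitetotest"


def build_probe_url(site, path="/foo.php", param="foo", value="http://www.example.com"):
    """Build the request from the post: a nonexistent script with a parameter
    whose value looks like a remote URL, the shape the generic RFI rules inspect.
    The value is sent raw, exactly as wget would send it."""
    return f"{site.rstrip('/')}{path}?{param}={value}"


def classify(status):
    """Interpret the HTTP status the way the post does."""
    if status == 403:
        return "blocked: ASL/ModSecurity is active and inspecting requests"
    if status == 404:
        return "not blocked: the request reached the web server unfiltered"
    return f"inconclusive: got {status}; check the ModSecurity audit log before drawing a conclusion"


def probe(url, timeout=10):
    """Send the probe and return the HTTP status without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "asl-selftest"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SITE
    probe_url = build_probe_url(site)
    code = probe(probe_url)
    print(f"{probe_url} -> {code}: {classify(code)}")
```

Usage: `python3 asl_selftest.py http://example.org` from an outside address. A 403 only proves that some rule fired on this one request; it does not by itself show that the WordPress-specific rules discussed above are enabled, which is the question hostingg raised.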