[bitfolk] Security incident: Wordpress compromise

Author: Andy Smith
Date:  
To: users
Subject: [bitfolk] Security incident: Wordpress compromise

gpg: Signature made Sun Dec 30 20:10:46 2012 UTC
Hi,

On 15th December a customer asked for help in diagnosing high system
load and unusual Apache logs which contained login credentials for
MySQL.

Upon further investigation it appeared that around 30th November one
of the site's legitimate Wordpress admins had logged in from an
unexpected place (a Tor exit node) and had uploaded a PHP file which
appeared to enable full filesystem traversal, downloading of file
content, shell command execution as Apache user, etc.

This was also used to read the content of the Wordpress
configuration files thereby to gain access to the database as the
Wordpress user.

It appears that the Wordpress admin's own system was earlier
compromised and this opportunity was used to further compromise
sites they were known to have access to.

A copy of the hostile PHP upload can be found here:

    https://gist.github.com/4299683


It is difficult to strongly critique the customer's setup since the
compromise was as a result of a legitimate user account with admin
privileges being used to further attack the system.

It is easy to advise that web applications should run under limited
permissions, with little access to the filesystem or other database
content. Security measures such as SELinux could be used in order to
even limit what the root user can achieve, though no proven root
compromise was noted in this case. These recommendations are easy to
make though I suspect much harder for people to put into practice on
their own personal hosting setup.

Still, perhaps this example can spur us all to think about what the
consequences could be if privileged users of our systems get
themselves compromised.

The customer's VPS has since been fully reinstalled.

Cheers,
Andy

About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings

--
http://bitfolk.com/ -- No-nonsense VPS hosting
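Added example, not part of Andy's post or of BitFolk's tooling: detection logic for the two indicators the post describes, run over constructed Apache combined-format access-log lines (made-up IPs, paths and timestamps). It assumes the uploaded PHP file landed under wp-content/uploads/ (WordPress's media directory, which should never serve PHP) and uses a placeholder Tor exit set rather than a real exit list.

```python
import re
from collections import namedtuple

# Constructed sample log (not from the incident): a login from a "Tor exit",
# an upload, a request to the uploaded PHP, then a normal user's traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2012:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2012:02:15:40 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2012:02:16:02 +0000] "GET /wp-content/uploads/2012/11/cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Nov/2012:09:01:11 +0000] "GET /wp-content/uploads/2012/11/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
198.51.100.20 - - [30/Nov/2012:09:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Placeholder exit-node set (assumption); in practice load the Tor Project's
# published exit list and refresh it regularly.
TOR_EXITS = {"203.0.113.7"}

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

Finding = namedtuple("Finding", "ip ts rule path")


def check_line(line, tor_exits=TOR_EXITS):
    """Return the Findings for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than crash the scan
    ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
    findings = []
    # Rule 1: admin login submitted from a Tor exit node (the post's first sign)
    if method == "POST" and path.startswith("/wp-login.php") and ip in tor_exits:
        findings.append(Finding(ip, ts, "wp-login from Tor exit", path))
    # Rule 2: PHP successfully served from the uploads tree, which holds only media
    path_no_qs = path.split("?", 1)[0]
    if (path_no_qs.startswith("/wp-content/uploads/")
            and path_no_qs.lower().endswith(".php") and status == "200"):
        findings.append(Finding(ip, ts, "PHP served from uploads", path_no_qs))
    return findings


def scan(log_text, tor_exits=TOR_EXITS):
    """Scan every line of an access log; findings are returned in log order."""
    out = []
    for line in log_text.splitlines():
        out.extend(check_line(line, tor_exits))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.rule}: {f.path}")
```

Rule 2 can also be enforced rather than detected by denying PHP execution under the uploads directory in the web server configuration, which would have limited the uploaded file to a download rather than a shell.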