Re: [bitfolk] Security incident: Wordpress compromise

Author: Chris Bates-Keegan
Date:  
To: users
Subject: Re: [bitfolk] Security incident: Wordpress compromise
Hi All,

I run a number of WordPress sites and it's an unfortunate fact of life
that they are constantly being probed for some vulnerability or another. I
think this comes as quite a shock to some people; it did for me, contrary to
common sense.

Aside from the usual thousands upon thousands of probing login attempts, I
regularly see probes to detect very specific vulnerabilities from a variety
of themes and plugins (the most famous of which in recent times was the
TimThumb exploit). I should take the time to document them because I'm sure it
would be useful to some but usually don't have time for that kind of thing!

In the end I wrote a utility script to monitor wordpress installs for
executable code appearing in non-standard areas (as well as a bunch of
other things). I also added a simple login lockdown script - although I
favour two-step authentication it's not always acceptable to clients.

Chris...



On 3 January 2013 05:43, Andy Smith <andy@???> wrote:

> Hi Jeremy,
>
> On Wed, Jan 02, 2013 at 08:05:38PM -0800, Jeremy Kitchen wrote:
> > On Sun, Dec 30, 2012 at 08:10:46PM +0000, Andy Smith wrote:
> > > It appears that the Wordpress admin's own system was earlier
> > > compromised and this opportunity was used to further compromise
> > > sites they were known to have access to.
> >
> > any details about desktop system? (os, version, etc)
>
> I'm afraid not. It is often difficult to get information out of
> my own customers, let alone people associated with them. :(
>
> In case it wasn't clear this was a third party admin user's
> credentials that were used, not the admin of the VPS concerned.
>
> > did it feel like a targeted attack or was this just a blanket "windows
> > box got owned, oh look there's a wordpress site, and look there's admin
> > privs" type of thing?
>
> I have no information on this. My customer was quite rattled after
> this and concerned even before this happened about people targeting
> their site but back then I could find no compelling evidence that it
> wasn't just random scanning.
>
> Likewise now, even though it seems a chain has been followed from
> another compromise to attack this site, there is nothing to show me
> that it was targeted in any way as opposed to just being
> opportunistic. The balance of probability is always against targeted
> attacks and in favour of opportunistic compromise, of course.
>
> My customer needs to discuss this thoroughly with their user, which
> is what I have already advised them. It would be nice for me to know
> the outcome of that but it's really none of my business ultimately.
>
> Thanks for the other tips.
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>
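The kind of monitor Chris describes above (executable code turning up where a stock WordPress install should have none), as an added example in Python; it is not his script nor anything posted in this thread. The layout rules (which directories may legitimately hold PHP) and the webshell content signatures are assumptions about a stock install, and the site tree it scans is constructed inline so the example runs offline.

```python
"""Scan a WordPress tree for executable code in places a stock install never
puts it, plus a few content signatures common to dropped webshells.

Added example only, not the poster's own script. The layout rules and the
signatures below are assumptions about a stock install; tune them per site.
"""
import os
import re
import tempfile

# Directories that legitimately hold PHP in a stock install (assumption).
CODE_DIRS = ("wp-admin", "wp-includes", "wp-content/themes", "wp-content/plugins")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Content signatures typical of webshells/backdoors (assumed, not exhaustive).
SIGNATURES = (
    (re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(rb"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "preg_replace with /e modifier"),
    (re.compile(rb"\b(shell_exec|passthru|system|popen|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "shell exec of request parameter"),
)


def is_code_location(rel):
    """True if rel (forward-slash path relative to the site root) is under a code dir."""
    return any(rel.startswith(d + "/") for d in CODE_DIRS)


def scan(root):
    """Walk a WordPress install and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(256 * 1024)  # a webshell header fits comfortably

            top_level = "/" not in rel  # index.php, wp-config.php etc. are stock
            # Rule 1: a PHP file below the root but outside any code directory.
            if ext in PHP_EXTENSIONS and not top_level and not is_code_location(rel):
                findings.append((rel, "PHP file outside code directories"))
            # Rule 2: PHP hiding behind a non-PHP extension (e.g. an "image").
            if ext not in PHP_EXTENSIONS and b"<?php" in head and not is_code_location(rel):
                findings.append((rel, "PHP code in a non-PHP file"))
            # Rule 3: content signatures apply everywhere, themes and plugins included.
            for pattern, reason in SIGNATURES:
                if pattern.search(head):
                    findings.append((rel, reason))
    return sorted(findings)


def build_sample_site():
    """Create a constructed, throwaway WordPress-like tree and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    sample = {  # constructed sample files, some clean and some planted
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/functions.php": b"<?php function wp_ok() { return 1; }\n",
        "wp-content/themes/twentytwelve/functions.php": b"<?php add_action('init', 'setup');\n",
        "wp-content/plugins/akismet/akismet.php": b"<?php // legitimate plugin\n",
        "wp-content/plugins/seo-helper/helper.php":
            b"<?php preg_replace(\"/.*/e\", $_REQUEST['q'], '');\n",
        "wp-content/uploads/2013/01/photo.jpg": b"\xff\xd8\xff\xe0JFIF...",
        "wp-content/uploads/2013/01/cache.php": b"<?php eval(base64_decode($_POST['x']));\n",
        "wp-content/uploads/2013/01/thumb.jpg": b"<?php system($_GET['c']); ?>",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan(build_sample_site()):
        print(f"{reason:35} {rel}")
```

Run from cron against the real document root and diff the output against the previous run; a new line is the signal. The signatures are deliberately narrow so the alert stays quiet on a clean tree, but the location rules are the part that catches most drops, since attackers overwhelmingly write into wp-content/uploads or a world-writable cache directory rather than into theme code.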