Re: [bitfolk] Being hacked

Author: Ian
Date:  
To: users
Subject: Re: [bitfolk] Being hacked
Sindre Smistad said:

> Were all the login attempts over SSH or the WordPress software? Are you
> sure they did not gain access some other way, found the password and
> then logged in again over SSH?


SSH. I have - infamously :) - a fail2ban filter for wp-login. It's
possible that the attacker previously tried with other IP addresses
against WordPress, but if they had been successful, I would expect them
to have exploited that directly.

> This white paper that covers the malware you mentioned says that the
> main infection method is by phishing the administrator. See page 4. You
> should probably run a scan on your other devices as well.


I've looked at the various PCs etc here without finding anything. That
doesn't mean it's not there - a scanning service I used to look at the
payload being sent out reckoned that ClamAV didn't detect it as being nasty.

I notice the common form of infection is via MS Office document macros -
it's LibreOffice here, with untrusted macros disabled.. and no sources
trusted.


Rodrigo Campos said:

> Is the compromised ssh password the same as some WordPress user's? If
> that is the case, it might be done using this attack:
>
> https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/
>
> I've disabled the XML-RPC API completely using a plugin. WordPress
> has not released any version fixing this.


I had not disabled it - the WordPress Android program needs it - but I
do have a fail2ban on accessing it more than a handful of times. There
were only about 16 accesses to xmlrpc.php on the Wednesday (an otherwise
typical day) spread across about that many sites.

The attacks on WordPress are getting more sophisticated - I can see IP
addresses using xmlrpc to find out what usernames actually exist before
trying to hack them. At one point, the vast majority would just (usually
correctly) assume that there was one called 'admin'..

.. so I've just disabled it on a couple of servers, even if that does
annoy a couple of people.

> What was the server running? You may want to take Logjam attack into
> account (https://weakdh.org/sysadmin.html). I can't say it was that,
> but it *might* be a possibility.


Debian Wheezy. I'll have a look at that.

Ian
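The "ban after more than a handful of xmlrpc.php hits" policy Ian describes, written out as a small sliding-window checker over access-log lines. This is an added example, not code from the thread; the failregex, the findtime/maxretry values and the log lines are all constructed for illustration.

```python
"""Sliding-window counter for xmlrpc.php hits, mirroring a fail2ban jail.

Added example, not from the mailing-list thread. Assumes Apache/nginx
combined log format; SAMPLE_LOG below is constructed, not a real log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban-style failregex: <HOST> is fail2ban's placeholder for the client
# address. Only the request path matters, so the rest is kept loose.
FAILREGEX = (r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] '
             r'"(?:POST|GET) /xmlrpc\.php[^"]*" \d+')
FINDTIME = 600  # seconds; assumed jail setting
MAXRETRY = 5    # hits within FINDTIME before a ban; assumed jail setting

# Turn the fail2ban placeholder into a Python named group.
_PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def matches(line):
    """Return (host, timestamp) for an xmlrpc.php request line, else None."""
    m = _PATTERN.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), _TS_FMT)

def offenders(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry xmlrpc.php hits inside a findtime window.

    Lines are assumed to be in time order, as in a live log.
    """
    windows = defaultdict(deque)
    banned = []
    for line in lines:
        hit = matches(line)
        if hit is None:
            continue
        host, ts = hit
        q = windows[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget hits older than the window
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample: one address hammering xmlrpc.php, one legitimate
# mobile-app client, and one unrelated wp-login.php request.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2015:10:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.2 - - [14/Oct/2015:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "wp-android/4.6"',
    '198.51.100.2 - - [14/Oct/2015:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "wp-android/4.6"',
    '192.0.2.9 - - [14/Oct/2015:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "curl/7.38"',
]
```

The same failregex (with `<HOST>` left as-is) and the findtime/maxretry pair map directly onto a fail2ban filter.d file and jail entry.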