On Sun, Dec 30, 2012 at 08:10:46PM +0000, Andy Smith wrote:
> It appears that the Wordpress admin's own system was earlier
> compromised and this opportunity was used to further compromise
> sites they were known to have access to.
Any details about the desktop system? (OS, version, etc.)

Did it feel like a targeted attack, or was this just a blanket "Windows
box got owned, oh look there's a wordpress site, and look there's admin
privs" type of thing?
> It is difficult to strongly critique the customer's setup since the
> compromise was as a result of a legitimate user account with admin
> privileges being used to further attack the system.
A read-only docroot would go a long way toward resolving this sort of
issue, for sure.
At work we separate "UGC" (user generated content, even if "user" is
"admin of site") from site code. Site code is read-only, UGC dir is
noexec, nosuid, and content is only served from there as static (no php,
cgi, etc)
It's not a perfect strategy, for sure, but it works.
Better yet would be to not even host the UGC on the same web server; use
something like nginx, lighttpd, thttpd, etc. to serve it. They're better
at serving static content than apache anyway.
-Jeremy
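An audit script for the layout Jeremy describes above (read-only site code, UGC on a separate noexec,nosuid mount, nothing server-side under UGC). This is an added example, not code from the thread or from any of the posters; the directory paths, the `www-data` account name and the list of script extensions are assumptions, and the live mount lookup relies on util-linux `findmnt`. Note that `noexec` only blocks direct execution of uploaded files; whether mod_php or a CGI handler interprets a `.php` dropped into the UGC tree is decided by the web server configuration, which is why the script also flags script files found there.

```shell
#!/bin/sh
# Audit of a "read-only site code / noexec,nosuid UGC" docroot split.
# Added example, not from the original thread. Paths, the web-server
# account name and the script-extension list below are assumptions.
set -u

# Return 0 if a comma-separated mount option string carries both
# noexec and nosuid, else 1.
check_mount_opts() {
    opts=",$1,"
    case "$opts" in *,noexec,*) ;; *) return 1 ;; esac
    case "$opts" in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# Mount options of the filesystem holding a path (util-linux findmnt).
mount_opts_of() {
    findmnt -n -o OPTIONS --target "$1"
}

# Print any file under the UGC tree with a server-side script extension.
# noexec stops direct execution, but only the web server config stops
# mod_php/CGI from interpreting these, so their presence is flagged.
find_script_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \
        -o -name '*.cgi' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' \)
}

# Return 1 if anything under the site-code tree could be modified by the
# web-server account: owned by it, or group- or world-writable.
check_code_readonly() {
    dir=$1; webuser=$2
    bad=$(find "$dir" \( -user "$webuser" -o -perm -020 -o -perm -002 \) -print) \
        || { echo "find failed under $dir"; return 1; }
    [ -z "$bad" ] || { printf 'writable by %s:\n%s\n' "$webuser" "$bad"; return 1; }
}

# Run all three checks; the return value is the number of failed checks.
audit_layout() {
    code=$1; ugc=$2; webuser=${3:-www-data}
    fails=0
    opts=$(mount_opts_of "$ugc") || opts=""
    if check_mount_opts "$opts"; then
        echo "ok: $ugc mounted with noexec,nosuid ($opts)"
    else
        echo "FAIL: $ugc lacks noexec/nosuid (options: ${opts:-unknown})"
        fails=$((fails + 1))
    fi
    scripts=$(find_script_files "$ugc")
    if [ -n "$scripts" ]; then
        echo "FAIL: script files present in UGC tree:"; echo "$scripts"
        fails=$((fails + 1))
    else
        echo "ok: no script files under $ugc"
    fi
    if check_code_readonly "$code" "$webuser"; then
        echo "ok: $code not writable by $webuser"
    else
        echo "FAIL: $code is writable by $webuser"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh audit_layout.sh /srv/www/site/code /srv/www/site/ugc [www-data]
if [ $# -ge 2 ]; then
    audit_layout "$1" "$2" "${3:-www-data}"
fi
```

Run it against the code and UGC directories of a site; a non-zero exit status is the number of checks that failed. The same checks apply when the UGC tree is handed to a separate static server such as nginx or lighttpd: the mount flags and the absence of script files still matter there, and the site-code tree stays owned by a deploy account rather than the server's.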