Hi,
On 15th December a customer asked for help in diagnosing high system
load and unusual Apache logs which contained login credentials for
MySQL.
Upon further investigation it appeared that around 30th November one
of the site's legitimate WordPress admins had logged in from an
unexpected place (a Tor exit node) and had uploaded a PHP file which
appeared to enable full filesystem traversal, downloading of file
content, shell command execution as the Apache user, etc.
This was also used to read the content of the WordPress
configuration files and thereby gain access to the database as the
WordPress user.
It appears that the WordPress admin's own system was earlier
compromised and this opportunity was used to further compromise
sites they were known to have access to.
A copy of the hostile PHP upload can be found here:
https://gist.github.com/4299683
It is difficult to strongly critique the customer's setup since the
compromise was as a result of a legitimate user account with admin
privileges being used to further attack the system.
It is easy to advise that web applications should run under limited
permissions, with little access to the filesystem or other database
content. Security measures such as SELinux could be used in order to
even limit what the root user can achieve, though no proven root
compromise was noted in this case. These recommendations are easy to
make though I suspect much harder for people to put into practice on
their own personal hosting setup.
Still, perhaps this example can spur us all to think about what the
consequences could be if privileged users of our systems get
themselves compromised.
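As an added illustration (not part of the original posting, and not
the customer's or BitFolk's own tooling), the following Python script
shows how the three signals described above could have been picked out
of the Apache access log: a successful admin login from a Tor exit
node, a PHP file being served from the WordPress uploads directory,
and database credentials turning up in request URLs. Every log line,
IP address and timestamp in it is constructed, and the Tor exit-node
set is a stand-in for a list you would fetch and refresh separately.
The "302 on success, 200 on failure" rule for wp-login.php is a
heuristic of mine, not something the posting states.

```python
"""Added example, not from the original posting: scan Apache
combined-format access-log lines for an administrator login from a Tor
exit node, a PHP file served from wp-content/uploads, and credential
parameters appearing in URLs.  All sample data below is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a current Tor exit-node list (assumption: you
# maintain one from a published exit list and refresh it regularly).
TOR_EXIT_NODES = {"203.0.113.7"}

# Query-string keys that should never show up in a web server log.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "db_pass", "db_password"}

# Apache combined log format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: a normal admin login, a login from the Tor exit
# node, later requests to a PHP file under wp-content/uploads (one of them
# carrying database credentials in the query string), and a failed login.
SAMPLE_LOG = """\
198.51.100.20 - - [30/Nov/2012:09:58:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2012:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2012:10:05:02 +0000] "GET /wp-content/uploads/2012/11/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2012:08:12:45 +0000] "GET /wp-content/uploads/2012/11/upload.php?db_host=localhost&db_user=wpuser&db_pass=NotTheRealPassword HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Dec/2012:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2715 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_logins_from_tor(lines):
    """Logins that looked successful, from Tor exit nodes.  Heuristic: WordPress
    answers a good wp-login.php POST with a 302 to wp-admin and a bad one with 200."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec["method"] == "POST"
                and urlsplit(rec["path"]).path == "/wp-login.php"
                and rec["status"] == "302"
                and rec["ip"] in TOR_EXIT_NODES):
            hits.append((rec["ip"], rec["ts"]))
    return hits


def php_served_from_uploads(lines):
    """Requests for .php files under wp-content/uploads.  WordPress does not
    write PHP there itself, so each distinct (ip, path) pair deserves a look."""
    seen = []
    for rec in filter(None, map(parse_line, lines)):
        path = urlsplit(rec["path"]).path
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            pair = (rec["ip"], path)
            if pair not in seen:
                seen.append(pair)
    return seen


def credentials_in_urls(lines):
    """Requests whose query string carries a credential-looking parameter name."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        url = urlsplit(rec["path"])
        leaked = sorted(k for k in parse_qs(url.query) if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            hits.append((rec["ip"], url.path, leaked))
    return hits


if __name__ == "__main__":
    checks = [("admin login from Tor exit node", admin_logins_from_tor),
              ("PHP served from uploads", php_served_from_uploads),
              ("credentials in URL", credentials_in_urls)]
    for name, check in checks:
        for hit in check(SAMPLE_LOG):
            print(f"{name}: {hit}")
```

Run against a real log with the SAMPLE_LOG replaced by open(...).read().splitlines(). The middle check is also a pointer to a cheap hardening step: a web server rule that refuses to execute PHP under wp-content/uploads would have kept the uploaded file from running at all, regardless of who uploaded it.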
The customer's VPS has since been fully reinstalled.
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting