Hi All,
I run an number of wordpress sites and it's an unfortunate fact of life
that they are constantly being probed for some vulnerability or another. I
think this comes as quite a shock to some people, it did for me contrary to
common sense.
Aside from the usual thousands upon thousands of probing login attempts, I
regularly see probes to detect very specific vulnerabilities from a variety
of themes and plugins (the most famous of which in recent times was the tim
thumb exploit). I should take the time to document them because I'm sure it
would be useful to some but usually don't have time for that kind of thing!
In the end I wrote a utility script to monitor wordpress installs for
executable code appearing in non-standard areas (as well as a bunch of
other things). I also added a simple login lockdown script - although I
favour two-step authentication it's not always acceptable to clients.
Chris...
On 3 January 2013 05:43, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Jeremy,
On Wed, Jan 02, 2013 at 08:05:38PM -0800, Jeremy Kitchen wrote:
On Sun, Dec 30, 2012 at 08:10:46PM +0000, Andy
Smith wrote:
It appears that the Wordpress admin's own
system was earlier
compromised and this opportunity was used to further compromise
sites they were known to have access to.
any details about desktop system? (os, version, etc)
I'm afraid not. It is often difficult to get information out of
my own customers, let alone people associated with them. :(
In case it wasn't clear this was a third party admin user's
credentials that were used, not the admin of the VPS concerned.
did it feel like a targeted attack or was this
just a blanket "windows
box got owned, oh look there's a wordpress site, and look there's admin
privs" type of thing?
I have no information on this. My customer was quite rattled after
this and concerned even before this happened about people targeting
their site but back then I could find no compelling evidence that it
wasn't just random scanning.
Likewise now, even though it seems a chain has been followed from
another compromise to attack this site, there is nothing to show me
that it was targeted in any way as opposed to just being
opportunistic. The balance of probability is always against targeted
attacks and in favour of opportunistic compromise, of course
My customer needs to discuss this thoroughly with their user, which
is what I have already advised them. It would be nice for me to know
the outcome of that but it's really none of my business ultimately.
Thanks for the other tips.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAlDlGngACgkQIJm2TL8VSQsx7gCgnbElE2jNZWS5dj//7MsFd+Oq
40UAoI9Xd9A2OaD580VCHAqq3MPios6l
=r1XM
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users