Security Tips

User avatar
NoviceAmateurs
Posts: 568
Joined: Sun Jan 27, 2013 5:48 pm
Contact:

Security Tips

Postby NoviceAmateurs » Tue May 07, 2013 10:15 pm

- Free Image Hosting Services
- Free Daily Amateur Photo Sets & Mixes
- Amateur Slut Selfshots & Selfies
- Free Video Tube & Video Hosting
User avatar
Doc
Moderator and Beast Killer
Posts: 2978
Joined: Mon Jun 04, 2007 5:33 pm
Location: Reporting Posts Since Oct 23. 2007
Contact:

Re: Security Tips

Postby Doc » Tue May 07, 2013 10:36 pm

If I could like this I would.

Great post and thanks for sharing.


User avatar
cooper88
Moderator
Posts: 4055
Joined: Sat May 27, 2006 2:54 pm
Location: None of UR Business
Contact:

Re: Security Tips

Postby cooper88 » Wed May 08, 2013 11:15 am

Very good information. Thank you.

Stickied ;)
User avatar
oliver
Site Admin
Posts: 4417
Joined: Sat Sep 23, 2006 11:18 pm
Contact:

Re: Security Tips

Postby oliver » Sat May 18, 2013 10:35 pm

Guys, I think we should post our own advice here, too. I'll post mine in the present post, and update it whenever I find time ^^

It's copy-paste time, but all of this has been useful to me quite a few times, it's knowledge I've learned only after painful experiences :)

*

Backup.
Backup your files (usually, by FTP, simply).
Backup your databases (usually, with phpmyadmin; large databases may fail to get exported or imported; large databases may require the use, for export and import, of cpanel or, for wordpress, the cool wp-dbmanager plugin that creates files in /wp-content/backup-db that you'll grab by FTP with the files backup).
Make these backups frequent, at least once a month, and write the date in the folders.
Backup your files and database and keep a copy of it on your disk.
Also upload a copy of your backups to a cloud hosting service (hubic.com, 25 GB for free, hint, hint).


*

To search for a text string in your local files and folders, you can use notepad++
Open the prog, hit control-F, third tab to search in the files of a folder, and then you may type the strings you want to search, tick Subfolders, mention the folder where your backup was downloaded, and Find all.

*

From a visitor's point of view, the most useful tool I ever found to find if there wasn't shit trying to be injected through a webpage is... Adblock !
In firefox, I open a page, configure adblock to show its logo in the status bar, right-click the ABP logo, and ask to be shown the list of all blockable elements. If an unknown domain, script or URL is present on the page, even when the page source code won't show it, ABP will detect it !

*

You're searching for files created or uploaded by an attacker, who regularly comes back to claim once again control of your website ?
You don't understand why the attacker gains control even though you reuploaded everything from scratch and changed all the passwords ?

If you're under shared hosting, beware of the folders even below the site's files, usually called /public_html or /www ; for instance your /tmp (on the same level as /public_html, okay ?) is always user-writable, and attackers may store nasty files there on a permanent basis.

If you're not under shared hosting, you MUST also check the contents of the
/tmp
/dev/shm
/home/your_websites_username/tmp
folders.
You can delete whatever you find inside them, in the worst case you'll be losing some data for today's stats and a visitor with a logged in status will find himself logged out by surprise. Really whatever, these folders are flushed when the server reboots anyway, nothing valuable and legit is stored in there.

*

There's the occasional possibility that a file from your wordpress template may have a flaw allowing to edit other template files, with nasty shit of course.

I recommend totally disabling the editing of blog files from within the blog, in my opinion it's better to do it by FTP. You can link your FTP client, like filezilla for instance, with your text editor, like notepad++. You can also configure n++ to create backup files and even a whole history of every modification it's done in a hidden local folder, this way you can always revert back if you really screw everything up and control-Z isn't enough because you closed the text file before realizing you screwed up.

If you also agree on this, to totally disable editing files from within, you'll simply have to add this line to your blog's wp-config.php file :
define('DISALLOW_FILE_EDIT',true);

*

Wordpress themes.

A whole financial ecosystem.
Besides the legitimate players (professional developers of paying or free themes offering lots or a few of them, official themes repositories), there are TONS and TONS of falsely legit free theme repositories.
Their practices : they take themes offered for free, change their footer with commercial links (most of the time the footer gets base64 encrypted so that you may not remove the crap and keep the normal stuff), and then share it as if it's the original theme.
If you stumble upon a site doing that, forget that site, you can NOT trust its themes, who knows if it doesn't do worse than hiding commercial links in the footer ? If you like a theme, hopefully you'll be able to use that theme's credits file and name and google for the name of the actual theme developer and his website.

*

If you're under shared hosting and you have more than one site, be careful that one compromised site may be used to compromise the other sites too.

Look, under shared hosting, you only have ONE username, who has the same rights over ALL the files present on your hosting, even if these are the files of two different websites of yours.

If your data is stored in (your folder)/website1 and (your folder)/website2 , as soon as an attacker gains control of 1 website, he can access the other sites too.

And, 75% of the time, if your attacker adds backdoors to 1 site, he'll add backdoors to your other sites too.

*

Don't keep unused templates in wp-content/themes, what if some of them contain an exploitable file ?

What if you had no idea that theme was outdated and required an update that you never heard about ?

*

About templates, the #1 and HYPERWORST wordpress issue is the timthumb.php file, that used to be used by a fuckton of themes in the past, it's used to provide comfortable image management features.

It contained a flaw that allowed anyone to make your blog execute anything, create files, update them, etcetera, and even the timthumb fixed version still allows to execute remote code.

Basically, unless you DO make use of the timthumb functions inside your CURRENT theme, you can (really, you can) search for every "timthumb*" file on your server and delete them.

In filezilla, it's F3, search for files containing timthumb in their name, and delete all positive search results.

*

About timthumb php allowing to execute remote code even with the new updated version, if you're a perfectionist : it whitelists certain domains, but whitelistedwebsite.com.subfolder.nastyhacker.com will pass through the whitelisting, see the issue ?

If you're ready to manually update all the timthumb files to disallow any remote code, you can do it by shell with a
find / -name 'timthumb.php' -exec nano {} +

*

After you've been hacked, you cannot trust anything anymore. Attackers always leave behind "control towers", holes that allow them to come back and do whatever they want.

They may edit official files with additional bits of code, but they may also upload new files with apparently trustworthy names.

Sometimes they'll also cheat on the file extension, I once saw a suspicious .png file uploaded to one of my hacked website accounts, it was actually php code inside.
Also saw it as php.txt

*

How to know FOR FREAKING SURE if your site's files are legit ?

The solution is to COMPARE THE HACKED VERSION AGAINST AN OLDER BACKUP from a time when the site was still safe.
Or compare it against a clean copy grabbed from the distributor of your website's CMS.

I recommend that you grab a copy of the program called Beyond Compare, and use it to compare (with the Folder Compare wizard) your old backup or the clean state version with a FTP-downloaded version of your currently live site.

Sure you'd find updated wordpress/CMS files and the like, but you may also find new files, some of them not following the wordpress coding rules, some files containing code despite having a non-textual extension, or discover there's unplanned stuff left inside some other still legit wordpress files.

First : leech a portable version of the program from TPB (*cough*) (or buy it),
Second, open Beyond Compare,
Third, click Folder Compare in the upper left list of actions
Fourth, click the little referee icon, or do Session (upper-left, it's a text) > Session Settings > tab : Comparison, and then make sure that "compare contents" is ticked, followed by ticking "Binary comparison" and by "Override quick test results".
Fifth : you're shown two panels, in the left click to browse the old safe backup or the clean state version offered by the CMS distributor, and on the left, click to browse the place where your FTP download of the hacked version is located.

Of course you'll see tons of stuff that is not here, of course. Several files were added because of your activity.
Like the wordpress plugins you installed if you compare against a clean state copy. In that case, you can download these plugins from wordpress.org and add them manually, in the clean state, to wp-content/plugins, to make the comparison work easier and see if new edits or files were done within the plugins' folders.
Or like images that you added to your posts and that you're self-hosting.

Eventually, you'll see in red the files that were updated, and in blue the files that were added.
Double click these occurrences to see (the parts in red in the vertical bar on the left of each panel) if they contain apparently normal wordpress code (wordpress files usually always follow the same "grammar", they're quite easy to recognize) or stuff that is definitely fishy...
... Remove the new files that don't belong here... Remove the fishy code (or comment it, if you're not sure if it's not legit)... And copy these actions to your web hosting, updating the files with the code edits, removing the files that must be removed... See if the hacker manages to come back.

Important : think of yourself as a doctor in front of a sick patient. Here, you've cured the SYMPTOMS of his disease, the things that make him feel bad.
But you haven't yet cured the actual disease, solved the reason why your patient got sick. You. Must. Find. And. Fix. The. Security. Hole. Used. By. Your. Hacker !

*

Depending on your hosting account specs, it's possible that the hacker managed to run a "process" that will remain active in memory and allow hacking even after you cleaned the bad files.

If your hosting account allows it, reboot the machine hosting your website, or ask your host for a reboot of your website-related account, NOW you'll be sure no nasty stuff remains in RAM or temp folders.

*

Did you also hear that the admin of the wp-supercache plugin once found his account had been entered into, and a non-legit version of the plugin had very briefly been uploaded to the websites ? See, there are risks everywhere, sadly.

*

About false images being actually code, I've got a cool hint, a simple check to make sure they are all legit : FTP download your site to your local hard disk, bring the images into the same folder (search, copy, paste), and run a batch conversion (like acd-see's control-J, or xnview control-U) into any other image format. If the program hangs because of a broken or invalid image, you may want to open this image with a text editor like notepad++.

*

In case of security breach, usually, that ends up with :
- backup by FTP to your hard disk every file on your server (including the database, with wordpress it's simple, install the wp-dbmanager plugin, run a backup, it will be stored in the wp-content/backup-db folder, this way a FTP download of the whole site includes a database backup), label the folder as "most likely infected", and forget that folder. Later, when you have time, you'll search in that folder where the infection began.
- backup your database to another folder (phpmyadmin, cpanel, wp-dbmanager, however you care and can)
- backup the "personal" files on the server to another folder, such as images that you uploaded as part of your blog-posts in wp-content/uploads, home-made scripts, wp-config.php, etc.
- if your blog theme is customized, you may keep it but it would be more careful to use Beyond Compare to compare a FTP-download of this theme to your disk with a clean copy of this theme, to be 100% sure nothing bad was added
- in a text file, note to yourself the list of your wordpress plugins and their settings if you customized some of them, before you forget that info
- delete the entire site by FTP. Everything under public_html/ (and you may even cast a very suspicious look at what's below public_html)
- upload a clean copy of wordpress, fetched from wordpress.org
- import the database into the blog (using phpmyadmin or a neat plugin like wp-dbmanager, you'll have to upload your .sql database dump to the /wp-content/backup-db folder , and within the Restore sub-page of the plugin you can ask that precise sql file to be restored)
- from the wordpress admin, reinstall a fresh copy of the plugins

- if it fails somehow, you've made an initial "most likely hacked" backup, remember, so even if your clean reinstall fails, you can revert back to the suspicious current version, you cannot lose data for good ;)

*

Do you have SSH access ? (hint : if your host tells SFTP upload is possible, then yes, you have SSH ^^)

You know, meaning you can open a command shell to run linux commands on your server. It's VERY powerful and if it's possible with your account, any hacker would be fucking GLAD to use it.
If you have that, and if you're on shared, you cannot delete the history of the former actions run in the shell. I imagine it can be done on a dedi (deleting), but the one time I got an infection reaching shell status, the hacker left behind all his actions in clear for me to read them.

With "history", if your hacker managed to gain shell access and ran commands in the shell, you may see them. And then you can know what the hacker has done, heh.

To know that, log in SSH (for instance with putty, better alternatives would be mremoteNG or my beloved Putty Connexion Manager - but beware, the only working version of PuttyCM on win7 is the 0.7.1 Alpha build 223) and type "history" without the double quotes. If you see lines that you are certain you never typed, it's bad, but it's also precious info, it may tell you where the "control towers" left behind by your hacker are.
You may need to contact your web host to ask about SSH access, if you have it or not, and how to log in with it.

*

There's a BIG problem with wordpress plugins. Watch out.

This is something I noticed, wordpress will NOT tell you when one of your blog plugins is badly deprecated. I met times when I had plugins, on my blog, that were removed from wordpress.org because they contained a security flaw allowing injections, and yet, me, already using them, nobody bothered to tell me.
It's not hard to know :
- open your plugins page from the wordpress admin, for every blog you have.
- using this, go to the plugin's website and, if needed, to the wordpress.org page of that plugin
- if the plugin hasn't been updated in a whole year, this is already VERY fishy.
- If there isn't anymore a page for that plugin on wordpress.org even though you had a link that used to be working at a time, fucking deactivate the plugin and delete it at once, that means it was removed for security reasons !

*

If all the files are deleted from your server account and the hacker can still run shit or add files, then it means he has your login-passwords of some sort. It can be
- FTP
- MySQL (cf the "file" permission explained by NoviceAmateurs, above)
- shell (meaning : SSH commands, or SFTP - which is apparently like doing FTP, except that it is done transparently through SSH commands sent by your FTP client like filezilla, it's more secure)
- administrative with your web hosting panel (like cpanel or an equivalent)
- fully administrative with your web hosting company (your username as customer)
- the last option most people forget to suspect : with your email account ! Look, how old is your email account ? When you created it, did you care about having complex unguessable passwords ?
Did you check if your long-forgotten security question ("what's the family name of your mother ?", huhu) can't be guessed easily by someone ?
GUYS ! If your email account is compromised, EVERY SINGLE OTHER ACCOUNT CAN BE POTENTIALLY HACKED WITHOUT YOU KNOWING ANYTHING ABOUT IT ! When a website offers the "double identification" process, with an additional SMS confirmation, praise The Internet Porn God and accept that option.

If you can, prepare yourself, change ALL OF THESE DAMN PASSWORDS !
First the email.
Then the web hosting company.
Then the web hosting panel.
Then the shell.
Then MySQL.
Then FTP.

Quite possibly a few of these will share the same usernames and passwords, but if that's possible, try to have different credentials for each of those.

*

Do you have access to site logs, the error and "everything" log ?

If your attacker created a file that is NOT normally present, you can search that file's name in the logs, grab the current IP of the attacker, and try to see what other activity he's been doing.

I once had a lucky case of an attacker always using the same IP. I tracked his first activity as opening website.com/blog/wp-content/current-fucking-old-theme/timthumb.php aaaaand following it was the order to open a .txt file located in an outside page.

*

Phpbb advice.

Did you know admins and founders have the right, from their admin panel, to update local template files ? For instance to load and inject shit into the software and onto the visitors ? And that, with that user rank, it's possible to even update the user activity log in order to hide what you've done ? Yesh.

What if an admin/founder has had his email account compromised, which allows an attacker to log in as admin/founder in the forum management ?
In that case, the attacker will be able to update files with bad code.
And the attacker will be able to promote any other account with the same admin/founder rights.

Restoring backups and doing file comparisons allows you to fix the files, and you'll need to check server logs to see what IP edited the file(s) used to load bad stuff, and then what other pages were visited by the IP of the attacker.
But regarding the database, you must at all costs use to scan for other Founder/Admin accounts, to make sure no other user suddenly has unwanted rights.
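The folder comparison and the "false images that are actually code" check from the post above, as one script added here as an example (not oliver's code and not Beyond Compare): it hashes a clean copy against an FTP download of the live site, lists added and modified files, and flags files whose extension says image or text but whose bytes carry a PHP open tag. The two trees it builds are constructed samples.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# A file is PHP if it carries an open tag, whatever its extension says
PHP_MARKERS = (b"<?php", b"<?=")
# Extensions that should never contain PHP code (the .png / php.txt trick)
NON_CODE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".txt", ".css"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def rel(root, path):
    return str(path.relative_to(root)).replace(os.sep, "/")

def tree_hashes(root):
    """Map relative path -> content hash for every file under root."""
    root = Path(root)
    return {rel(root, p): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Binary comparison: files only in the live copy, and files whose bytes differ."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    added = sorted(set(live) - set(clean))
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    return added, modified

def suspicious_files(live_root):
    """Files with a non-code extension that nevertheless contain a PHP open tag."""
    root = Path(live_root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in NON_CODE_EXT:
            if any(m in p.read_bytes() for m in PHP_MARKERS):
                hits.append(rel(root, p))
    return sorted(hits)

def build_sample(base=None):
    """Constructed sample: a clean tree and a live tree with the changes the post describes."""
    base = Path(base or tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed",
    }
    for root in (clean, live):
        for name, data in files.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
    # live-only differences: an edited core file, a PHP "image", a PHP ".txt"
    (live / "index.php").write_bytes(files["index.php"] + b"// constructed extra line\n")
    (live / "wp-content/uploads/logo.png").write_bytes(b"<?php echo 'constructed'; ?>")
    (live / "wp-content/uploads/notes.php.txt").write_bytes(b"<?php echo 'constructed'; ?>")
    return clean, live

if __name__ == "__main__":
    clean, live = build_sample()
    added, modified = compare_trees(clean, live)
    print("added:", added)
    print("modified:", modified)
    print("non-code files holding PHP:", suspicious_files(live))
```

Point `compare_trees` at a clean wordpress.org download and at your FTP download instead of the sample, and add the plugins you use to the clean side first, as the post suggests, to cut the noise.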
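For the log-search step in the post above (find who requested a file that should not exist, then look at everything that IP did, back to its first contact), here is an added example that is not oliver's code; the log lines are constructed in Apache/nginx combined format with documentation-only IP addresses.

```python
import re

# Constructed sample access log: a normal visitor and one IP that first hits an
# old theme's timthumb.php and later talks to a "logo.png" that should not exist
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2013:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2013:10:02:15 +0000] "GET /blog/wp-content/themes/old-theme/timthumb.php?src=http://example.org/x.txt HTTP/1.1" 200 310 "-" "curl/7.29"
203.0.113.7 - - [12/May/2013:10:03:40 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2013:10:04:01 +0000] "POST /blog/wp-content/uploads/logo.png HTTP/1.1" 200 88 "-" "curl/7.29"
198.51.100.9 - - [12/May/2013:10:04:30 +0000] "GET /blog/wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.29"
"""

# ip, timestamp, method, path (query string included), status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def ips_requesting(entries, needle):
    """IPs that requested any path containing needle (e.g. the name of a planted file)."""
    return sorted({e["ip"] for e in entries if needle in e["path"]})

def activity_of(entries, ip):
    """Everything one IP did, in log order, so the entry point can be traced."""
    return [(e["time"], e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]

def first_contact(entries, ip):
    hits = activity_of(entries, ip)
    return hits[0] if hits else None

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in ips_requesting(entries, "logo.png"):
        print("IP that touched the planted file:", ip)
        print("first seen:", first_contact(entries, ip))
        for row in activity_of(entries, ip):
            print("  ", row)
```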
User avatar
oliver
Site Admin
Posts: 4417
Joined: Sat Sep 23, 2006 11:18 pm
Contact:

Re: Security Tips

Postby oliver » Thu Jun 27, 2013 4:55 pm

Thread updated with additional pieces of advice of mine, all learned after successful attacks :-/
User avatar
oliver
Site Admin
Posts: 4417
Joined: Sat Sep 23, 2006 11:18 pm
Contact:

Re: Security Tips

Postby oliver » Thu Jul 18, 2013 9:28 am

Since we're talking security here, I found that filezilla stores SFTP and FTP passwords as plain text, and doesn't even delete them when the program is uninstalled.

Do NOT allow the program to remember passwords if you use it as portable on an USB key ¬_¬
User avatar
GamObs
Posts: 20
Joined: Sun Jul 13, 2014 12:29 am

Re: Security Tips

Postby GamObs » Fri Jul 18, 2014 10:39 pm

Thanks for those tips

User avatar
oliver
Site Admin
Posts: 4417
Joined: Sat Sep 23, 2006 11:18 pm
Contact:

Re: Security Tips

Postby oliver » Tue Dec 16, 2014 9:41 am

Guys, you should check that you don't have revslider as included in a wordpress theme, as this thing has had an open exploit going on for a week now, loading tons of other shit in the whole hosting account. As it comes bundled with themes, it's not mentioned with the default wordpress updates mechanisms, it seems (see what I mean, it shows as a theme update, not as a plugin update, even though it's a plugin).

If you find results with a
find /home/ -name "*revslider_admin.php*"
Then... duh, chances are you're fucked, time to check everything. I'll let you google the terms SoakSoak, Revslider, wordpress?
User avatar
NoviceAmateurs
Posts: 568
Joined: Sun Jan 27, 2013 5:48 pm
Contact:

Re: Security Tips

Postby NoviceAmateurs » Wed Dec 17, 2014 3:44 am

Oliver, Wordpress exploits are discovered all the time, that's why I mentioned to check exploit-db.com in the first post. I try to run as few plugins as possible and try to stick to popular ones.

Exploits identified since December 2014:
Wordpress Plugin Symposium 14.10 - SQL Injection
-> Hacker can read your database. Depending on the logged-in MySQL user's credentials they can potentially read files from your server and even write files (shell code) to your server.
Wordpress Download Manager 2.7.4 - Remote Code Execution
-> They even show an example of how to add an administrator account to Wordpress using this exploit. Once you have a Wordpress admin account, you can easily upload your own malicious code.
Wordpress Plugin Symposium 14.11 - Shell Upload
-> You are fucked. Hacker can upload a shell, run whatever code he wants, download whatever he wants from your server, etc.
Wordpress Ajax Store Locator 1.2 - Local File Inclusion
-> The user can download any file on your server provided they know the path. This isn't hard considering common locations of httpd.conf files in order to find your document roots and script configuration file defaults.
minchia
Posts: 2
Joined: Thu Nov 23, 2017 10:10 pm

Re: Security Tips

Postby minchia » Thu Nov 23, 2017 11:20 pm

Thanks for your useful post, until yesterday I thought these security tips were made by paranoids, but after a hacked site :diediedie: I think this is the best to-do list that a webmaster should follow.

:jpn: :thumbsup:
W il porno
