[wp-hackers] WordPress security question
Mika A Epstein
ipstenu at ipstenu.org
Wed Jun 6 14:59:34 UTC 2012
I didn't say it was never allowed :) it was, once, allowed. All themes have been updated (or removed).
As Helen rightly pointed out, you do get theme update notifications. You don't for deleted ones, but I'm assuming (hoping?) the theme review folks did some sort of update? If not, yes, there are some folks with no-longer-approved themes out there, but this was pretty well posted and reported. Due dilligenece has been done. Can't make people change their oil, but the car can beep at you a lot :)
On Jun 6, 2012, at 9:08 AM, phillip.lord at newcastle.ac.uk (Phillip Lord) wrote:
>
> Unfortunately, this this is not quite true. It may be that it is not
> allowed now, but this doesn't mean that it was never allowed.
>
> What I never understood with Wordpress is why plugins have update
> notification, while themes do not. I was one of the many who get
> zero-day exploited through timthumb. The theme in question (suffusion)
> had removed timthumb quite a long time before but, of course, we got no
> update notifications, so we had not updated. More fool me, you might say.
> Well, yes, true. Also more fool many of the other thousands who got
> hacked.
>
> Combined with an largely undocumented schema change between WPMU-2 and
> WP-3 which made the restoration from backup a long, long process. I was
> thinking 2 or 3 hours (including VM set up), but it took 2 or 3 days.
>
> Phil
>
> Mika A Epstein <ipstenu at ipstenu.org> writes:
>
>> TimThumb is not a part of core, nor is it allowed in themes hosted on
>> the WP theme repo (as of the last time I looked).
>>
>>
>>
>> On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com> wrote:
>>
>>> I've seen plenty of hacks based on timthumb vulnerabilities.
>>> However, I don't think wordpress core uses timthumb. (I'm sure the group
>>> will correct me here, which I invite.)
>>>
>>> The user is left to fend on their own when using a free or commercial
>>> theme, to a lesser or greater extent depending on the theme vendor. Some
>>> themes do a great job of providing updates and alerting the user to theme
>>> and framework udpates (and thanks to WP3 we can see that in the usual
>>> updates area). The problem is that when you customize a theme, updates
>>> become more visible.
>>>
>>> One of the most disturbing bits of advice I heard recently is that if you
>>> use a custom theme, you shouldn't update wordpress. I'm sure what the
>>> speaker meant was to work with your vendor to make sure that WP and all
>>> plugins and themes stay up to date.
>>>
>>> mickey
>>>
>>>
>>>> Message: 1
>>>> Date: Mon, 4 Jun 2012 19:50:39 -0700
>>>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
>>>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
>>>> To: wp-hackers at lists.automattic.com
>>>> Message-ID:
>>>> <CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com
>>>>>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>> Howdy Dan,
>>>> Having cleaned up about a half-dozen sites in the past two months or so, I
>>>> have some suggestions for things to look for in terms of
>>>> backdoors/potential vulnerabilities.
>>>> Most hacks I've seen come from a vulnerable Timthumb hack, an old image
>>>> thumbnail script which allowed an attacker to upload malicious code to the
>>>> server, giving them full shell access (or at least as much as Apache/PHP/WP
>>>> has). You can read technical details about it here:
>>>>
>>>> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
>>>> You can use the Timthumb Vulnerability Scanner to quickly see if you have
>>>> any outdated versions of the script lying around:
>>>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/ . Even
>>>> an unused theme with the old version of the script is vulnerable.
>>>> Most hacks definitely add crazy base64_decode script to the header of
>>>> important files - often index.php of site root or theme root. This one
>>>> looks like it gets around base64_decode which makes it harder to detect. If
>>>> you can, ssh into the server and grep for 'lqxizr' to find if it's been
>>>> injected into any other files. Also, checking wp-config.php is a good idea,
>>>> because I've seen old backdoors left inside the file (usually separated
>>>> above and below the malicious script by several thousand blank lines).
>>>> Other hacks I've seen append every front-facing JavaScript with malicious
>>>> code right instead of going the PHP route. I'd recommend checking your
>>>> frontend scripts for anything strange, the time last updated in FTP may be
>>>> of some help.
>>>> Also, if you can, check the raw access logs for anything suspicious. One
>>>> time I thought my server was clear of shell-like scripts, but after another
>>>> hack that day the raw access logs showed that one actually just signed in
>>>> and used the WordPress editor to make the changes.
>>>> I hope this can be of assistance and best of luck,
>>>> Andrew Freeman
>>>>
>>>
>>> --
>>>
>>> Mickey Panayiotakis
>>> Managing Partner
>>> 800.270.5170 x512
>>> <http://www.infamia.com>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>>
>
> --
> Phillip Lord, Phone: +44 (0) 191 222 7827
> Lecturer in Bioinformatics, Email: phillip.lord at newcastle.ac.uk
> School of Computing Science, http://homepages.cs.ncl.ac.uk/phillip.lord
> Room 914 Claremont Tower, skype: russet_apples
> Newcastle University, msn: msn at russet.org.uk
> NE1 7RU twitter: phillord
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list