PHP log parsers to make it easier to find trouble in your access-log

Posted by ljmacphee on July 14, 2008 under php, security, tools

While doing research for the WordPress Security Suite ( Prevent Bot Registrations; Prevent bots, scrapers and other badness on your WordPress blog ) I needed some tools to pull the user agents, requests and IP addresses out of my log files and give me a list of the unique values of each.

So I wrote three PHP scripts to do just that.

Download the scripts, put your access-log in the same directory and run them from a command line, or just load those pages in a directory on your webserver and view them. ( Be sure to block them in robots.txt if you have them on a public webserver. )
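As an added example, not one of the three scripts from this post, here is a small PHP parser for Apache combined-format access-log lines that lists the unique IP addresses, request lines and user agents with a count for each; the command-line file argument and the sample log lines are assumptions. One check worth making before putting anything like this on a public webserver: robots.txt only asks well-behaved crawlers to stay away and restricts nothing, so keep such scripts outside the document root or behind an .htaccess deny or password rule.

```php
<?php
// Added example (not the scripts from the post): parse Apache "combined"
// access-log lines and list the unique IPs, request lines and user agents.
// Assumed usage from the command line: php parse_access_log.php access-log

// Combined Log Format:
// host ident authuser [date] "request" status bytes "referer" "user-agent"
const LOG_LINE_PATTERN =
    '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';

/**
 * Parse one log line. Returns null for lines that do not match, so a
 * malformed or truncated entry cannot poison the summary.
 */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_LINE_PATTERN, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[6],
        'agent'   => $m[7],
    ];
}

/**
 * Collect the unique values of one field ('ip', 'request' or 'agent')
 * together with how often each occurred, most frequent first.
 */
function unique_field(iterable $lines, string $field): array
{
    $counts = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        $value = $entry[$field];
        $counts[$value] = ($counts[$value] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample lines (not a real log); the second carries the kind of
// remote-include request the blacklist later on this page blocks.
$sample = [
    '192.0.2.10 - - [14/Jul/2008:10:01:02 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2008:10:01:09 -0400] "GET /index.php?template=http%3A%2F%2Fevil.example%2Fx.txt? HTTP/1.1" 404 318 "-" "lwp-trivial/1.41"',
    '192.0.2.10 - - [14/Jul/2008:10:02:30 -0400] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
];

if (PHP_SAPI === 'cli') {
    // Read the real file when one is given, otherwise use the sample above.
    $lines = isset($argv[1])
        ? (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
        : $sample;
    foreach (['ip', 'request', 'agent'] as $field) {
        echo "== unique {$field}s ==\n";
        foreach (unique_field($lines, $field) as $value => $n) {
            printf("%5d  %s\n", $n, $value);
        }
    }
}
```

Sorting by count puts the noisiest agents and addresses at the top, which is usually where the scrapers and scanners show up; the non-matching line in the sample is there to show that a corrupted entry is skipped rather than counted under a bogus value.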

Download log parsers

So you’ve been hacked, now what?

Posted by ljmacphee on July 7, 2008 under security, things you should know

1. Take your site offline.
You can do this with a temporary redirect in your .htaccess file ( the condition stops the holding page itself from being redirected ):

RewriteEngine On
RewriteCond $1 !site-down-message\.html$
RewriteRule ^(.*\.php)$ http://www.yourwebsite.com/site-down-message.html [R=302,L]

2. Download everything on your website to a safe computer at home. You will want to see what went wrong and it’ll serve as an emergency backup.

3. Check all your CMS ( content management software ) for new versions and load new, clean versions on to the site.

4. If you have a clean backup of your site upload it now, taking care not to overwrite the new CMS.

5. Check everything, then check it again. Make sure everything is clean and you’ve prevented future attacks by whatever method the attacker entered.

6. Check Google Webmaster Tools to see if you’ve been banished and check Stop Badware. Let them both know your site has been attacked, cleaned, and is back up again.

— Many of the newer attacks plant things in your MySQL database to reinfect your site once you’ve cleaned it, so be sure to wipe those out too.

— But since no one ever thinks “I’ll be hacked today, I think I’ll do a backup”, you might not have a clean backup. Contact your hosting company; they might have one if you don’t.

— If there are no clean backups you’ll have to do it by hand. This means you must find a corrupted file and see what the attacker added. Usually it will be in an iframe. If you have a Mac or Linux box you can go to the root directory of the website files and type

grep -R 'iframe badStuff' .

and get a list of every file that has the bad stuff in it. Replace badStuff with whatever string the attacker placed in your files. Do this also with the directory holding your MySQL backups. MySQL backups are text files and easily edited by hand.

If you have Windows you will need to download a copy of grep from WinGrep.

If you use

grep -Rn 'bad stuff' .

it will also give you the line number the bad stuff is found on each file.

Keep grepping for corrupted files and cleaning until you have a clean copy of your website.

Next check with all the content management systems you are using for updates. Very likely there has been an update to what ever software was hacked. Upload new, clean copies of the blogging, photo or other software. Then upload your cleaned files and restore your cleaned databases.

Download everything and check again to make sure you were not re-infected.

Now if you can run cron jobs on your webhost you will want to run the following command daily
find . -mtime -1 -type f -exec ls -lt {} +

And have it email you the results. This will send you a list of every file that has been changed in the last 24 hours. This way you can keep a close eye on your site until you are sure everything is locked down and secure.

And remember you can’t have too many backups.

Lastly, contact Google to let them know your site is clean again.

More information:
Know your enemy: web application threats

WordPress plugin ‘Tripwire’ 3rd of three part security plugin set

Posted by ljmacphee on June 16, 2008 under security, tools, wordpress

The final plugin of the three part TTC ( TimesToCome ) WordPress security set is ready. This one acts as a tripwire: if a file is changed by you or, more importantly, by someone other than you, you’ll know.

Simply install and activate the plugin. Once activated go to the plugin management page and tell it you want a list of all files changed in the last 0-99 days ( pick your day ) and it will bring up a list of altered files for you.

If your WordPress install is in the top directory of your website this will check all the directories on your website. If you are down one level ( http://yoursite.com/wordpress/ ) then you can change this line:

$directories_to_read[$dir_count] = "../"; // plugins run from wp-admin so bounce up a directory

to this:

$directories_to_read[$dir_count] = "../../"; // plugins run from wp-admin so bounce up a directory

And it will check all the directories not just your WordPress directories.
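The daily cron check in the earlier post ( find with -mtime -1 ) and this plugin both answer the same question: which files changed recently? As an added example, not the Tripwire plugin’s own code, here is a stand-alone PHP script that records a SHA-256 baseline of every file under the site root and on later runs reports added, changed and removed files, plus anything modified in the last N days. The command-line layout ( site root, baseline file, --baseline or --days N ) and the paths in the usage comment are assumptions.

```php
<?php
// Added example (not the Tripwire plugin's own code): file-integrity check
// meant to be run from cron. Assumed usage:
//   php tripwire.php /var/www/site /home/me/tripwire-baseline.json --baseline
//   php tripwire.php /var/www/site /home/me/tripwire-baseline.json --days 1

/** SHA-256 and mtime of every regular file under $root, keyed by relative path. */
function scan_files(string $root): array
{
    $root = rtrim($root, '/') ?: '/';
    $prefixLen = $root === '/' ? 1 : strlen($root) + 1;
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $hashes[substr($file->getPathname(), $prefixLen)] = [
            'sha256' => hash_file('sha256', $file->getPathname()),
            'mtime'  => $file->getMTime(),
        ];
    }
    ksort($hashes);
    return $hashes;
}

/** Files that are new, whose content changed, or that disappeared since the baseline. */
function compare_baseline(array $baseline, array $current): array
{
    $report = ['added' => [], 'changed' => [], 'removed' => []];
    foreach ($current as $path => $info) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif ($baseline[$path]['sha256'] !== $info['sha256']) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

/** Paths whose mtime falls within the last $days days (the question find -mtime -N answers). */
function recently_modified(array $current, int $days, int $now): array
{
    $cutoff = $now - $days * 86400;
    return array_keys(array_filter(
        $current,
        fn(array $info): bool => $info['mtime'] >= $cutoff
    ));
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    [$root, $baselineFile] = [$argv[1], $argv[2]];
    $mode = $argv[3] ?? '--days';
    $days = (int) ($argv[4] ?? 1);
    $current = scan_files($root);

    if ($mode === '--baseline') {
        file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
        echo 'Recorded ' . count($current) . " files in {$baselineFile}\n";
        exit(0);
    }

    // A missing or unreadable baseline is treated as empty, so every file shows up as "added".
    $baseline = json_decode((string) @file_get_contents($baselineFile), true) ?: [];
    foreach (compare_baseline($baseline, $current) as $kind => $paths) {
        foreach ($paths as $path) {
            echo "{$kind}: {$path}\n";
        }
    }
    foreach (recently_modified($current, $days, time()) as $path) {
        echo "modified in last {$days} day(s): {$path}\n";
    }
}
```

The comparison is done on the hashes rather than on timestamps: anyone with write access to the files can also reset a file’s modification time, so the “modified in the last N days” list is a convenience and the baseline comparison is the real check. Keep the baseline file outside the document root, and ideally on a different machine, otherwise whoever changed the files can update the baseline as well. Re-record the baseline right after you upgrade WordPress or a plugin, or every legitimate change will be reported as a tripwire hit.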

Download

Part 1: WP plugin to prevent bot registrations

Part 2: WP Security Plugin: block bots, scrapers, cross-script attacks and more

Part 3: Tripwire

Install them all for best results!

Requests I’m blocking

Posted by ljmacphee on June 10, 2008 under security

** 7/15/08 Turn off the security script while you do the update

Now your WP Security plugin only catches bad bots if you tell it who the bad bots are and what requests to block. This is my current list of bad requests. You can just copy and paste it into the request blacklist after your current list and hit the update button, and it will add them to your list.

8/29/08

$_GET
(java|vb)
.gif?
.jpg?
.txt?
.xml?
</script>
<SCRIPT>
?page_id=http%3A%2F%2F
admin-ajax.php?
admin-function.php?
ASCII
board.php?see=ftp
CAST
com_jd-wp
CONCAT
DECLARE
DELETE
formmail
includedir=
index.php?template=
INSERT
lwp-trivial
OPTIONS
passwd
PATH=
POST /xmlrpc.php
PROPFIND
register++++
SELECT
sidebar.php?
UNION
UPDATE
word-tube-button.php?
wp-config
wp-login.php?action=http%3A%2F%2F
wp-table-button.php?
wp-trackback.php?
x-aaaaaaaaa
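As an added example, not the WP Security plugin’s own matching code, here is a small PHP dry-run that applies a request blacklist like the one above to request lines taken from an access-log and reports which term each request would trip on. The request lines are constructed, and the matching is plain case-insensitive substring search, so the one term above written with regular-expression syntax, (java|vb), is left out of the subset here because the post does not say whether the plugin treats it as a pattern.

```php
<?php
// Added example (not the plugin's own code): dry-run a request blacklist
// against access-log request lines to see what each term would block.

/**
 * Return the first blacklist term found in $request, or null if none match.
 * Matching is a plain case-insensitive substring test, which is what a
 * copy-and-paste list of fragments like the one above relies on.
 */
function blocked_by(string $request, array $blacklist): ?string
{
    foreach ($blacklist as $term) {
        $term = trim($term);
        if ($term !== '' && stripos($request, $term) !== false) {
            return $term;
        }
    }
    return null;
}

/**
 * Map every request that would be blocked to the term responsible, so the
 * list can be checked for false positives before it is switched on.
 */
function dry_run(array $requests, array $blacklist): array
{
    $hits = [];
    foreach ($requests as $request) {
        $term = blocked_by($request, $blacklist);
        if ($term !== null) {
            $hits[$request] = $term;
        }
    }
    return $hits;
}

// A subset of the list above, one term per entry, in the same order.
$blacklist = [
    '.gif?',
    '.txt?',
    '</script>',
    '?page_id=http%3A%2F%2F',
    'board.php?see=ftp',
    'DECLARE',
    'index.php?template=',
    'lwp-trivial',
    'passwd',
    'PATH=',
    'UNION',
];

// Constructed request lines (not taken from a real log).
$requests = [
    'GET /index.php HTTP/1.1',
    'GET /index.php?template=http%3A%2F%2Fevil.example%2Fx.txt? HTTP/1.1',
    'GET /?p=12&id=1%20UNION%20SELECT%201 HTTP/1.1',
    'GET /images/logo.gif?v=2 HTTP/1.1',                    // legitimate, but ".gif?" trips it
    'GET /wp-login.php?redirect_to=http%3A%2F%2F HTTP/1.1', // dropped from the list on 7/16/08
];

if (PHP_SAPI === 'cli') {
    foreach (dry_run($requests, $blacklist) as $request => $term) {
        printf("BLOCK [%s]  %s\n", $term, $request);
    }
}
```

Run this over a day or two of real request lines before adding terms: short words such as OPTIONS, SELECT or CAST and extensions such as .gif? can appear in perfectly legitimate URLs, which is the same kind of false positive the 7/16/08 note below describes for wp-login.php?redirect_to= on WP 2.6. The report shows only the first term that matched, so a request that trips on .txt? may also contain index.php?template=; removing one term does not necessarily unblock it.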


Notes:

I’m also checking Emerging Threats Rules downloads, it is a great site to learn a bit more about security. Go to emerging web_sql and scroll down to the WordPress section.

8/28/08
<SCRIPT>
</script>

8/11/08
CAST
DECLARE

Grumpy old man emailed to tell me a MySQL injection attack had been tried on his site using these terms that had not been caught by the security tool. I’m adding them to my list today and suggest you do as well. See SQL injection attack using DECLARE or New SQL Injection Attack Infecting Machines for more details.

7/16/08
Removed wp-login.php?redirect_to=http%3A%2F%2F it keeps tripping on WP 2.6

7/9/08 All of these were part of several attempted but failed hacks recently
com_jd-wp
index.php?template=
board.php?see=ftp

7/6/08 I added ‘PATH=’ to the list

New additions 6/18/08 ( still testing these )
passwd

New addition 6/17/08
$_GET

New addition 6/15/08
register+++

New addition 6/13/08:
.gif?
.jpg?