Open thread to discuss site security.

There have been numerous security threats in the past month. David L. Hagen dropped a link to articles on WordPress vulnerabilities; Anthony emailed me and so on. I’m opening this thread to permit chatting about that issue without derailing the thread on uncertainties. I’ll be shifting comments here.

44 thoughts on “Open thread to discuss site security.”

  1. David–
    Thanks. I have lots of roadblocks protecting wp-login. But I am seeing quite a few attempts today. I need to think about the spoofed IPs issue.

  2. David L. Hagen, that first article annoys me. Its claim that >90,000 machines were involved in the attacks is bogus. 90,000+ IP addresses does not mean 90,000+ machines. Heck, the piece even quotes a source which says most IP addresses it saw were spoofed. There is no reason the writer(s) of the piece should have believed there were that many machines involved.

    I wonder whether the exaggeration happened due to incompetence or willful deception. I’m not sure which would be worse.

  3. Brandon–
    I was wondering about the spoofing.
    1) The article says spoofs. But I’m wondering if that’s accurate. I wonder if they don’t really mean using proxy IPs. The reason I wonder is I see this sort of stuff in my killed_log.txt with incomprehensible messages.

    : 44882 @: Thu, 11 Apr 2013 18:12:54 -0700 Running: 0.4.10a1
    Host: sol-fttb.151.122.118.46.sovam.net.ua
    IP: 46.118.122.151
    Score:
    Violation count:
    Why blocked: p0: Visit to login from [TH]. … X_Forward= [46.118.122.151,203.172.128.158 ] ….
    Query:
    Referer: http://rankexploits.com/wp-login.php
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Reconstructed URL: http:// rankexploits.com /wp-login.php

    The bold shows the stuff from the X_Forward headers. This IP wasn’t spoofed, but the person tried to access using a proxy.

    2) I do cookie checks on login. If someone doesn’t accept cookies, they can’t log in. If someone literally spoofs an IP, they can’t get return data, right? So they won’t set cookies… right? (I know that if you– a human– spent time looking at the cookies I set, you can disguise this. But what I mean is if they really spoof the IP, they aren’t at the IP where my server sends info. So they don’t see it… or am I missing something?)

    I’ve been seeing lots of forwarding involving server IPs.
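The killed_log record quoted above, and the proxy-versus-spoof distinction it raises, as an added example for this thread (not code from the original post, from ZBblock, or from any plugin). It assumes the record layout shown: an `IP:` line holding the TCP peer address and a `Why blocked:` line whose `X_Forward= [ ... ]` list holds the X-Forwarded-For chain. The sample records are constructed, and `TRUSTED_PROXIES` is a placeholder for whatever CDN or reverse-proxy ranges actually sit in front of the server. The security point it encodes: the X-Forwarded-For header is written by whoever connects, so unless the peer is a proxy you trust, the only address you actually know anything about is the peer itself.

```python
"""Sort proxied login hits from direct ones in ZBblock-style killed_log records.

Added example for this thread, not code from the original post or from ZBblock.
It assumes the record layout quoted above: an 'IP:' line with the TCP peer address
and a 'Why blocked:' line whose 'X_Forward= [ ... ]' list holds the X-Forwarded-For
chain. The sample records below are constructed; TRUSTED_PROXIES is a placeholder
for whatever CDN/reverse-proxy ranges really sit in front of your server.
"""
import ipaddress
import re

# Assumption: the only proxies whose X-Forwarded-For you believe. Anything else in
# that header was typed by the client and can say whatever the client likes.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample. Record 1 mirrors the one quoted above (a proxied hit), record 2
# is a direct hit with no header, record 3 came through a trusted proxy that appended
# itself to the chain, record 4 carries junk in the header.
SAMPLE_LOG = """\
: 44882 @: Thu, 11 Apr 2013 18:12:54 -0700 Running: 0.4.10a1
Host: sol-fttb.151.122.118.46.sovam.net.ua
IP: 46.118.122.151
Why blocked: p0: Visit to login from [TH]. X_Forward= [46.118.122.151,203.172.128.158 ]
Reconstructed URL: http://rankexploits.com/wp-login.php

: 44883 @: Thu, 11 Apr 2013 18:13:10 -0700 Running: 0.4.10a1
Host: 198.51.100.7
IP: 198.51.100.7
Why blocked: p0: Visit to login from [XX].
Reconstructed URL: http://rankexploits.com/wp-login.php

: 44884 @: Thu, 11 Apr 2013 18:14:02 -0700 Running: 0.4.10a1
Host: 203.0.113.9
IP: 203.0.113.9
Why blocked: p0: Visit to login from [XX]. X_Forward= [198.51.100.42, 203.0.113.9 ]
Reconstructed URL: http://rankexploits.com/wp-login.php

: 44885 @: Thu, 11 Apr 2013 18:15:40 -0700 Running: 0.4.10a1
Host: 198.51.100.77
IP: 198.51.100.77
Why blocked: p0: Visit to login from [XX]. X_Forward= [unknown, 198.51.100.77 ]
Reconstructed URL: http://rankexploits.com/wp-login.php
"""

RECORD_SPLIT = re.compile(r"\n\s*\n")
IP_LINE = re.compile(r"^IP:\s*(\S+)", re.MULTILINE)
XFF_LIST = re.compile(r"X_Forward=\s*\[([^\]]*)\]")


def parse_records(text):
    """Return [{'peer': str, 'chain': [str, ...]}, ...], one per blank-line separated record."""
    records = []
    for chunk in RECORD_SPLIT.split(text.strip()):
        m = IP_LINE.search(chunk)
        if not m:
            continue
        xff = XFF_LIST.search(chunk)
        chain = [h.strip() for h in xff.group(1).split(",") if h.strip()] if xff else []
        records.append({"peer": m.group(1), "chain": chain})
    return records


def classify(record):
    """'direct' (no header), 'proxied' (well-formed chain) or 'malformed' (junk in chain)."""
    if not record["chain"]:
        return "direct"
    try:
        for hop in record["chain"]:
            ipaddress.ip_address(hop)
    except ValueError:
        return "malformed"
    return "proxied"


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def address_to_act_on(record):
    """The IP a ban should target.

    If the TCP peer is not a trusted proxy, the header is attacker-controlled, so the
    peer itself is the only address you know anything about. If the peer is trusted,
    walk the chain from the right and take the first hop a trusted proxy did not add.
    """
    peer = ipaddress.ip_address(record["peer"])
    if not _trusted(peer):
        return str(peer)
    for hop in reversed(record["chain"]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # junk where a trusted proxy should have written an IP
        if not _trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOG):
        print(rec["peer"], classify(rec), "->", address_to_act_on(rec))
```

For the quoted record the peer (46.118.122.151) is not a trusted proxy, so the second address in the header is not acted on at all; it is only evidence that the client went through something, which is the "proxy, not spoof" reading given above.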

  4. lucia, I wasn’t going to touch on that issue since most people won’t care about the distinction (and I’ve been accused of semantic nit-picking enough this week), but since you brought it up…

    You’re pretty much right on everything. Using a proxy is different than spoofing IP addresses, it is impossible* to get return messages if you spoof your IP, and the article definitely didn’t mean spoofing. Spoofing IP addresses isn’t very common because it is difficult and carries a lot of limitations.

    *Technically, this isn’t true. It is possible to intercept return traffic. It just involves a level of sophistication to the attack that is too high to merit consideration.

  5. Lucia
    The Marcot uncertainty graph and your teaser graph are conceptually not broad enough, and do not include the asymmetry that would result from fully including: Systematic effects, Remaining error, and Incomplete definition.
    While they could be ignored to make the point you are focusing on, I suggest incorporating these additional features sometime to show the broader asymmetric factors involved in uncertainty.
    David

  6. Brandon–
    Thanks. In this case, the semantic nitpicking is welcome for reasons having to do with site security. I’m going to open a thread…

  7. Looks like my work IP got banned. Still can read through Google Reader, thankfully, at least until that goes away.

  8. nzgsw:
    Today? I had to go through and unban IPs who came from WUWT’s “porn” blog post. (I modified the referrer spam rules so as not to ban more and may have missed some.)

    In general: it’s useful to remember my email which is uhmmm

    lucia

    Let me think a minute… @

    And what would the domain name be….? rankexploits.com

    If you are a regular reader, it should be easy to read. Send me an email. It actually helps. Often– though not always– I’ll whitelist or come up with a solution. I sometimes need to ask a few questions to figure out the best way to resolve the issue– and if the problem is you are using an anonymizer, the solution is.. don’t use an anonymizer!

    If using Google reader works, that’s ok too though!

  9. All the sites I host have been inundated with probes to pick apart WordPress. For those domains I host that actually use WordPress I’ve written additional defenses, and I monitor the web logs in a way similar to what DenyHosts does for ssh/ftp/imap/pop. My response is to block the offending IP in the firewall for all services I support. Sometimes this involves blocking entire /16 networks because there are some places in the world that just play rough and I don’t care to deal with them.

    The past week has been the worst in terms of volume – a new notification was coming in several times/hour. Today has been quiet.

  10. My response is to block the offending IP in the firewall for all services I support

    I’m on shared hosting so I can’t have my own firewall. To get equivalent protection, I use Cloudflare and ban the IPs at cloudflare. It helps a lot.

    Using ZBblock, I can protect login with this:

    // ZBblock rule: any request for wp-login.php from a non-whitelisted visitor is banned on sight.
    if( inmatch($requesturi, "wp-login.php", "") && ($zbwhitelisted != 1) ){
        $ax += 1;
        $whyblockout = $whyblockout . " Visit to login by someone who is not whitelisted. Possible hack. INSTA-BAN. ";
    }

    After that, people who need to log in need to get whitelisted. This works like a charm for single user wordpress installations provided the single user is comfortable connecting to the files on the server to unban themselves if they get banned. For multiple users, you want to remove the INSTA-BAN and tell the other authors to contact the admin so they can be whitelisted. (or teach them to whitelist themselves.)

    It’s not useful for a multiple user installation with dozens or more registered users who need to load wp-login.php.

  11. dp
    I know they are going after more than login.

    Is there something about cookie setting they are doing? I want to know to see if I can create special rule for these things. If you know more than has been posted in the 3-4 big news blurbs, let me know!

  12. The exploit patterns are just like those that hammered sites some years ago (http://xforce.iss.net/xforce/xfdb/42027) so I suspect they’re just looking for cookie-based exploits. So even if you have current patched WP versions installed they’re still slamming the server looking for these older exploits. 8,000 hits in a few minutes is a lot of load, so I’ve automated the response to multiple 403/404 errors. Add to that the brute force botnets that are going on now and you have a lot of wasted bandwidth. For the wider audience, be sure to set the security keys in WP, of course. http://wordpress.org/support/topic/set-up-a-secret-key-in-wordpress-25

  13. dp-
    Thanks for the link.

    I have a flood plugin to log when an IP hits fast, but I don’t currently have something that just bans multiple 404s if they are slow enough. (403’s will get banned at cloudflare.) If it does, it gets banned– eventually at Cloudflare. Then it can’t hit for 7 days (or longer. Depending.)

    WordPress seems to now permit 8 keys– up from 4.

    define('AUTH_KEY', 'blahblahbla');
    define('SECURE_AUTH_KEY', 'blahblahbla');
    define('LOGGED_IN_KEY', 'blahblahbla');
    define('NONCE_KEY', 'blahblahbla');

    define('AUTH_SALT', 'blahblahbla');
    define('SECURE_AUTH_SALT', 'blahblahbla');
    define('LOGGED_IN_SALT', 'blahblahbla');
    define('NONCE_SALT', 'blahblahbla');

    One should, of course, replace blahblahbla with 8 different horrible long keys. Suggestions from http://api.wordpress.org/secret-key/1.1/ are good.
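The automated response to repeated 403/404s that dp describes in comment 12, and the slow-scanner gap lucia mentions in comment 13, as an added example for this thread (not code from the original comments, from DenyHosts, or from any WordPress plugin). It assumes Apache/nginx "combined" log lines; the lines below are constructed. `WHITELIST`, the threshold and the window are placeholders to tune. The point of the long window with a low count is that a scanner pacing itself at one probe every twenty minutes never trips a per-minute flood rule, but still accumulates enough errors over a couple of hours to stand out.

```python
"""Flag IPs that rack up 403/404 responses slowly, the pattern dp describes automating.

Added example for this thread, not code from the original comments, from DenyHosts,
or from any WordPress plugin. It assumes Apache/nginx 'combined' log lines (the
lines below are constructed), a whitelist of your own addresses, and a long window
with a low count so a scanner that paces itself under a flood plugin's threshold is
still caught. Threshold, window and WHITELIST are placeholders to tune.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: addresses that must never be banned (your own, your co-authors').
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: 203.0.113.10 probes for old plugin paths over 80 minutes, well
# under any per-minute flood rule; 198.51.100.7 is a normal visitor with one 404;
# 192.0.2.5 is a whitelisted author who mistyped a password four times.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2013:18:12:54 -0700] "GET /wp-login.php HTTP/1.1" 403 219
198.51.100.7 - - [11/Apr/2013:18:13:10 -0700] "GET /musings/2009/hide-the-decline-mug/ HTTP/1.1" 200 8123
198.51.100.7 - - [11/Apr/2013:18:13:11 -0700] "GET /favicon.ico HTTP/1.1" 404 169
192.0.2.5 - - [11/Apr/2013:18:20:00 -0700] "POST /wp-login.php HTTP/1.1" 403 219
192.0.2.5 - - [11/Apr/2013:18:21:00 -0700] "POST /wp-login.php HTTP/1.1" 403 219
192.0.2.5 - - [11/Apr/2013:18:22:00 -0700] "POST /wp-login.php HTTP/1.1" 403 219
192.0.2.5 - - [11/Apr/2013:18:23:00 -0700] "POST /wp-login.php HTTP/1.1" 403 219
203.0.113.10 - - [11/Apr/2013:18:40:01 -0700] "GET /wp-content/plugins/oldplugin/upload.php HTTP/1.1" 404 169
203.0.113.10 - - [11/Apr/2013:19:05:22 -0700] "GET /xmlrpc.php HTTP/1.1" 404 169
203.0.113.10 - - [11/Apr/2013:19:33:00 -0700] "GET /wp-admin/ HTTP/1.1" 403 219
"""


def parse_line(line):
    """Return (ip, datetime, status) or None for a line that is not combined format."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), int(m.group("status"))


def slow_offenders(lines, threshold=4, window_hours=2.0, whitelist=WHITELIST):
    """Map each offending IP to the time it reached `threshold` 403/404s within `window_hours`.

    Lines are expected in log order. Per-IP timestamps sit in a deque and are aged
    out as they fall outside the window, so memory is bounded by one window's worth.
    """
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status not in (403, 404) or ip in flagged:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None  # hostname lookups on, or garbage; treat as not whitelisted
        if addr is not None and any(addr in net for net in whitelist):
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ip] = ts
            del recent[ip]
    return flagged


if __name__ == "__main__":
    for ip, when in slow_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (reached threshold at {when:%Y-%m-%d %H:%M:%S %z})")
```

The ban itself (a firewall rule, or an API call to Cloudflare for a shared-hosting setup like the one described above) is deliberately left out; the output is just the list of addresses and when each crossed the line, which is what either mechanism needs. Whitelisting by network rather than single address matters here: an author on a dynamic address who fails a login four times looks exactly like the scanner otherwise.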

  14. lucia, that isn’t eight keys. Keys and salts are different things. Salting is just a way of making the use of a key stronger.

    Plus, WordPress always allowed you to set the salt values. It just had default values for if you didn’t set them.

  15. Brandon
    Re: ” It’s claim that >90,000 machines were involved in the attacks is bogus.”
    Take it up with US-CERT – Computer Emergency Readiness Team

    Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods. . . .The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. . . .
    US-CERT encourages users and administrators to ensure their installation includes the latest software versions available. More information to assist administrators in maintaining a secure content management system include:
    Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.
    Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system
    Refer to Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks
    Additional security practices and guidance are available in US-CERT’s Technical Information Paper TIP-12-298-01 on Website Security

  16. lucia:

    Ahhh.. Ok. But should one set one’s own salts? Seems like if we can we should.

    You might as well since you’re already there and it takes next to no additional time. Odds are good the change won’t actually matter, but there’s no downside.

    David L. Hagen:

    Re: ” It’s claim that >90,000 machines were involved in the attacks is bogus.”
    Take it up with US-CERT – Computer Emergency Readiness Team

    I’d be happy to. While I’m at it, I can tell them the things they post make it seem like the US-CERT is run by a guy with access to Google and an “Idiot’s Guide to Computer Security” handbook. And the word “idiot” in the title fits the guy perfectly.

    I don’t think I’ve seen anything from them that indicates any meaningful knowledge of computer security. Consider what you quoted:

    Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels

    All the US-CERT says here is there have been reports that “over 90,000 servers” have been used. So what if there have? That doesn’t mean those reports are right. The fact a Google search turns up claims doesn’t make those claims accurate.

    The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses

    What does this even mean? How does an IP address support something? If I use a proxy server, is its IP address supporting me? What about various network devices with IP addresses? Do we say the IP addresses of my ISP’s routers support any attacks I launch?

    I dare anyone to read what the US-CERT posted about the cyber attacks on South Korean networks last month and say the US-CERT is a good source. It isn’t. It doesn’t provide new or useful information about much of anything. You can learn more about anything with Google and just a little time.

  17. David/Brandon–
    I tend to agree with Brandon that the US-CERT reads as if they just read the pre-existing news articles. I do know many of the hits to my login files are with proxies. I know this because I’m watching the headers.

    As some may likely guess, I set a few rules to catch certain types of behaviors and I’m watching that now. My sense is that the “spoofing IPs” really means proxies are being used and my logs suggest proxies.

  18. That’s interesting. This article was the newest one when I came in… several minutes later, the “superbot login” article finally became visible as the newest article.

  19. Heh. Clicking on the superbot headline from within this site also tells me that I’m being a bad girl. I’m being quite the tart today.

  20. Heh…. Yes. I programmed to protect anything with login in the title. I’ll go see who I “got” and unban any who were persistent. (Note it’s now spelled l0gin in the title? That pretty permalink will be ok!

  21. David L. Hagen, which standard in that do you think I could challenge the US-CERT “with needing to meet”? There is no standard which requires publications be interesting, informative or even competent. Laziness and lack of knowledge are not prohibited.

    Besides, those guidelines aren’t even binding. They’re for intra-administrative concerns. I’d have practically no standing to demand the US-CERT meet them, even if there was a relevant standard.

    In the future, could you be more informative when offering sources? Mindlessly quoting/linking contributes next to nothing, and it places an unfair burden on other participants. It’s like “assigning homework.”

    I went into the “employee lounge” at work this morning to nuke a half-drunk cup of coffee and had to wait for some oatmeal-Warmer (word capitalized on purpose) to finish using the microwave. So I put my official coffee and tea-stained Original Blackboard Hide The Decline Global Warming Mug (thanks for making those Lucia)

    http://rankexploits.com/musings/2009/hide-the-decline-mug/

    on the counter and took a quick restroom break to use time wisely when at work.

    (We’ll call him) Mr. Oatmeal was examining the mug upon my return, and the following conversation ensued…

    Me: “So do you believe in Global Warming after looking at that mug?”

    Mr. Oatmeal(haughtily): “I’ve ALWAYS believed in Global Warming.”

    Me(bright and shiny): “Well, you shouldn’t because it’s a joke.”

    Mr. Oatmeal(face Warmed over with surprise): ” ”

    Me(dry sarcastic tone): “Let’s take a look at this…” and rotating the mug so the graphic and explanation are easier to see…

    Office Girl #1(dizzily): “What are you guys doing? What kind of oatmeal is that?”

    Mr. Oatmeal Conveniently slides into Cinnamon Oatmeal Stories…

    THE END 😉

  23. Brandon @ 112134

    DHS takes those guidelines seriously. If you make a complaint, and cite a violation of those guidelines, DHS will do something about it.

    I have experience writing technical documents for DHS, and those guidelines are not a joke or dismissed. That they are not legally binding means you can’t sue DHS over them and DHS employees cannot go to jail due to them, but there have been incidents of people being let go due to them (yes, you can get fired from government service… it’s just harder than in industry).

    In other words, you shouldn’t get uppity with people giving you good information just because you don’t understand that it’s good information.

  24. Spellbound,

    I have experience writing technical documents for DHS, and those guidelines are not a joke or dismissed.

    With respect to Brandon’s specific points: What part of the guideline would be violated if the document were written “by a guy with access to Google and an “Idiot’s Guide to Computer Security” handbook”?

    The document does look that way. Like Brandon, I believe “Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods. ” is true. Some people have reported 90,000 servers were used. But the named people at the server companies and Cloudflare say 90,000 IPs have been used. That’s not the same thing.

    I know I’ve seen over 100 hits from 1 IP trying to log in. It’s using known proxies. The proxies are not necessarily infected, the IPs associated with many of the proxies are from companies with a long history of selling proxy services. So, I’d suggest it’s possible that those who report 90,000 proxies are infected simply don’t know and have mistaken 90,000 IPs being used with an estimate of the number of servers infected.

  25. Spellbound, I didn’t say those guidelines are a joke. I said they are inapplicable to certain issues, like the current one. I also said David L. Hagen should do more than mindlessly post a link. As a rule, when one offers a source, he or she should point to the specific part of the reference that is relevant (this is often done by quoting it). That prevents people from having to read 10+ pages of text just to try to find something that might not even be there.

    Would I have more standing to file a complaint as a citizen than I thought? Perhaps. But that doesn’t mean I’m being “uppity” by pointing out Hagen’s reference is useless for this discussion as I have no grounds for a complaint.

    In other words, you shouldn’t get uppity with people saying information is bad just because you don’t understand it’s bad information.

  26. Just a test post to see if it will force a recache of the front page for me and replace the very out of date front page that I have been seeing for the last few days

  27. clivere–
    The cache plugin updated. I think it’s got some weird “features”. I thought it might just be me. I’ll go check settings to see if I can fix the feature.

  28. I unchecked “Reduce server load and decrease response time by using the cache available in site visitor’s web browser.
    Browser Cache: Enable
    Enable HTTP compression and add headers to reduce server load and decrease file load time.”

    It seemed to make our browser caches last forever.

  29. ok – thought it may not be the best of plans to force users to make posts in order to be able to see if new comments have been added

  30. clivere–
    No. Unfortunately, the plugin’s description of precisely what a function is going to do is often less informative than optimal.

  31. Yes I was being cached so I can now see 112164 which I was not able to read previously even though it was listed in the recent comments. In summary I am now able to see that new comments are being made but I am not able to actually read them if they are on a page I have previously visited!

  32. I agree with clivere that the cache doesn’t seem to be updating properly. And it seems to be losing my Name & Email a bunch lately.

    Lucia do you suppose there’s a way to add a “refresh” button to the main page?

  33. Carrick–
    I can add a button, but I don’t know what part of the WP scripts link it to clear the cache created by WT3 Cache. That’s a sufficiently long complicated program that I don’t want to spend 2 days trying to figure out precisely what button would “clear” the cache (plus, I don’t want bots clearing it. Plus, I don’t want *anything* accessing things in the plugin folders directly because it’s a security issue.)

    This new “feature” began with WT3 Cache updated. I’m fiddling with the settings, but if it doesn’t clear up, I need to get a different plugin. I do need to cache, but not the way this is working. (It is so bad it doesn’t refresh for me when I come out of wp-admin. I get the stale cache, and don’t get the extra features a logged in admin normally sees, which includes easy access to edit buttons even after the user edit/delete buttons vanish and so on.)

    If the new choices don’t fix things, I’ll go find a simpler cache plugin. As these things get developed they start having more and more and more and more features. The plugin authors don’t fully describe them. For example: They have a check for using content delivery from Cloudflare. It’s new. Ok… I could check it. Or not. But in terms of nuts and bolts, what does it do? If I had a clue, I could guess whether the problem is caused by or fixed by setting it one way or another. As it stands… we have to guess.

    I tried a few more settings. Let me know if you still have trouble with the cache.

  34. Okay… it was just a thought.

    Still planning on follow-ups on “adventures with dimples?”

  35. Carrick–
    Yes. But I got derailed because the sideblog on bots is picking up traffic. I’ve been reorganizing, writing things to cache, adjusting to try to ensure most of the traffic is human and so on. (It’s picking up on both. But humans won’t wait for slow loading, so I needed to cache.)

    I need to find some affiliate ads too. I bet there’s lots of money in selling scripts to hack pages. 🙂 (Actually, I bet there is. But of course, it would be odd to advertise that there.)

    Oddly… I visited “tortalk” a few times this week. And I’m at my “bot” blog. Guess what kind of ads google is serving me? You guessed it: Ads to help me find lawyers to represent me against charges arising from use of online p0rn!! I’m guessing that’s due to visiting tortalk.

  36. Agree with Carrick about Name and email address not showing.

    I am now getting a cached page whenever I view a page but can then get a current version of that page by hitting refresh. That is a bit better for me but not so good for people who are not aware there is an issue.
