View Full Version : Securing blogs from malware attacks? (a lot of blogs)



NinjaSteve
07-02-2010, 01:23 AM
I had an outdated version of WordPress compromised. Malware was injected into my index file, so this made me think...

Let's say you have 300 blogs. What's the best way to secure wordpress from malware attacks? Sure the simple answer would be "update to the latest version" but what if you're unable to do that? Is there just a simple step like accepting no comments, and htaccess password protecting the admin?

I did read this
http://codex.wordpress.org/Hardening_WordPress

NinjaSteve
07-02-2010, 01:45 AM
And what's the best way to update a ton of blogs besides SVN?

facialfreak
07-03-2010, 01:32 PM
Ya gotta love people who build hundreds of blogs without any forethought into managing them .... :ballpunch

facialfreak
07-03-2010, 01:40 PM
If all of your blogs are on the same dedicated server, it might be wise for you to spend a few bucks to have your server admin harden your server and firewall.

ed_banger
07-03-2010, 01:48 PM
Are you sure your blog was compromised due to an outdated wordpress and not malware on your own PC that sniffed your FTP passwords?

ed_banger
07-03-2010, 01:49 PM
Ya gotta love people who build hundreds of blogs without any forethought into managing them .... :ballpunch

You gotta love pompous web hosts with passive aggressive comments towards other webmasters .... :ballpunch

nurgle
07-03-2010, 03:22 PM
simple script does it in 1 min

Toby
07-03-2010, 04:05 PM
You gotta love pompous web hosts with passive aggressive comments towards other webmasters .... :ballpunch

Pompous or not, he makes a valid point.

Buncha
07-03-2010, 04:05 PM
And what's the best way to update a ton of blogs besides SVN?

Rongo wrote a good tutorial on how to upgrade multiple WP blogs on the same server. I haven't tried it yet. And I don't know if the instructions need to be updated for WP 3.0. But you should check it out.

http://bbs.mediumpimpin.com/showthread.php?t=90220&p=1304330#post1304330

Lipshtick Lady
07-03-2010, 09:31 PM
I am doing a clean up now, kind of a correction of earlier errors,
but I am moving most everything to wpmu using the domain mapping plugin, doing 25 blogs on each one.
Moving forward, things will be easier to manage (at least I think so).

facialfreak
07-04-2010, 03:08 AM
You gotta love pompous web hosts with passive aggressive comments towards other webmasters .... :ballpunch

Pompous how ed? http://fc03.deviantart.net/fs9/i/2006/015/2/9/_wtf__by_Nemical.gif

I am just stating the obvious ... you can throw up 20 wordpress blogs a day until the cows come home, but eventually all of these blogs are going to require some kind of maintenance.

My vocation has no bearing on my comment. Common sense is common sense.
I honestly don't know why you felt the need to bring that into the discussion?!?

First and foremost, I was before -- and still am now, a webmaster.

NinjaSteve
07-04-2010, 05:05 AM
Are you sure your blog was compromised due to an outdated wordpress and not malware on your own PC that sniffed your FTP passwords?
This is a valid point and I think this is probably the cause. At first I thought it was WordPress, but I realize only 2 domains were hit. I think it's due to malware on somebody's computer that I allowed to log in through FTP. I have my firewall up and running so hopefully a sniffed password won't be an issue in the future.

NinjaSteve
07-04-2010, 05:44 AM
Rongo wrote a good tutorial on how to upgrade multiple WP blogs on the same server. I haven't tried it yet. And I don't know if the instructions need to be updated for WP 3.0. But you should check it out.

http://bbs.mediumpimpin.com/showthread.php?t=90220&p=1304330#post1304330

Thanks! This is great. I was using SVN and updating through a script but after testing Rongo's script I'm going to use it instead.

MP
07-04-2010, 10:47 AM
This is a valid point and I think this is probably the cause. At first I thought it was WordPress, but I realize only 2 domains were hit. I think it's due to malware on somebody's computer that I allowed to log in through FTP. I have my firewall up and running so hopefully a sniffed password won't be an issue in the future.

We have our FTP locked down to only allow certain IPs to get in. We still have an issue here and there, but Mojo Host has done a great job of keeping 400 plus blogs running.

ed_banger
07-04-2010, 11:19 AM
Pompous how ed? http://fc03.deviantart.net/fs9/i/2006/015/2/9/_wtf__by_Nemical.gif

I am just stating the obvious ... you can throw up 20 wordpress blogs a day until the cows come home, but eventually all of these blogs are going to require some kind of maintenance.

My vocation has no bearing on my comment. Common sense is common sense.
I honestly don't know why you felt the need to bring that into the discussion?!?

First and foremost, I was before -- and still am now, a webmaster.

When your first comment was a snide remark about webmasters in general, questioning their wisdom and forethought... before offering helpful advice, it makes you look like an ass. Do you insult your customers before helping them?

facialfreak
07-04-2010, 11:27 AM
This is a valid point and I think this is probably the cause. At first I thought it was WordPress, but I realize only 2 domains were hit. I think it's due to malware on somebody's computer that I allowed to log in through FTP. I have my firewall up and running so hopefully a sniffed password won't be an issue in the future.

At the risk of sounding "pompous" .... I'd like to suggest that FTP password sniffing is a big problem right now, and you need to use a Secure FTP (SFTP) client such as WinSCP; even Flash FXP supports the SFTP protocol now, which logs you in over SSH.

I am particularly fond of Flash FXP, and have recommended it to many people, because not only does it use SFTP, it will password protect the passwords file on your PC if you set the option in the prefs, making it very hard for somebody to sniff out your password file.

facialfreak
07-04-2010, 11:43 AM
Do you insult your customers before helping them?

Well, it's obvious with 5500 blogs, I have hit a nerve with you ... I'm sorry ed.

But it is also obvious, you have never been my client (I don't have customers ... something I learned at a Jay Abraham workshop in Hawaii years ago, but I digress ...). I will give clients my personal BBM PIN if they want it, plus I have a very competent support staff available 24/7. I may not be ISPrime or National Net, but I have built a very decent business based on over-the-top client support.

One dream of mine, is to one day own a FULL SERVICE gas station ... one that is like circa 1955 ... where when you roll over the bell rope, 4 guys - in very sharp uniform - come out of the garage and one pumps gas, one checks tires, one checks fluids and belts under the hood, and one washes your windscreens ...

I think, in modern society, we have succumbed to automation and self service for so long, that providing full service such as this, could be very popular in the right location.

Anyways .. I again have digressed from the original topic ....

Have a great day !!! :wiggles:

Lipshtick Lady
07-04-2010, 08:46 PM
At the risk of sounding "pompous" .... I'd like to suggest that FTP password sniffing is a big problem right now, and you need to use a Secure FTP (SFTP) client such as WinSCP; even Flash FXP supports the SFTP protocol now, which logs you in over SSH.

I am particularly fond of Flash FXP, and have recommended it to many people, because not only does it use SFTP, it will password protect the passwords file on your PC if you set the option in the prefs, making it very hard for somebody to sniff out your password file.

At the risk of sounding stupid - I wish I had a clue as to what this meant?

Everyday I find I know less than I thought I did the day before...

Buncha
07-04-2010, 08:53 PM
At the risk of sounding stupid - I wish I had a clue as to what this meant?

Here's an article on how hackers get your FTP passwords and what you can do to prevent it.

http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

pf69.com
07-04-2010, 09:09 PM
This thread is a gold mine... bookmarked for further reading as I know more relevant info will be posted here...

ed_banger
07-04-2010, 09:18 PM
Basically, for the past couple of years, more and more website defacements and "hacks" have come from infected desktops. Here is how it happens:

You happen to visit a website that is hacked and is injecting malware into the page. Your browser executes the malware and your computer becomes infected. The malware/virus then scans your computer for common FTP programs (FileZilla, WS_FTP, and others). These FTP programs store their saved passwords in plain text files in the My Documents/Application Data folders, so the virus simply reads the saved password files and now knows the FTP username, password, and IP address of every FTP server you have saved.

The virus then connects to YOUR FTP server, with your username and your password, from your IP address. It scans all of the files on the FTP server looking for index.php files. It then modifies the index.php files and injects the javascript or iframe hack, and now your website is infecting other unsuspecting web surfers.

WordPress is a particular target because it is a favorite amongst webmasters, and bloggers tend to frequent other bloggers' websites.

Now, some viruses/malware are particularly sneaky. If you happen to have your FTP client set to encrypt the saved password file, that means the virus/malware cannot simply read the file and get the user/pass/IP info for your FTP. BUT, FTP is an unencrypted protocol, so it simply needs to install a network daemon on your computer and sniff all of your network traffic. It sees an FTP connection occurring, your IP/user/pass are sent in plain text over the network, and the virus/malware now has your info and can infect your site.

This is why you should encrypt your saved password files, AND use SFTP (FTP via SSH) or FTPS (FTP over SSL), so you aren't sending your user/pass in plain text; it is now encrypted.

And this is hoping that the virus/malware doesn't have a keylogger in it.


If your sites keep getting defaced/hacked, your own PC might be the culprit. Most WordPress security holes have been related to letting your subscribers or other non-admin users gain admin level access... or SQL injection where they actually compromise the database. If your index.php file had an iframe or javascript hacked into it, it was most likely not a WordPress security hole that allowed that.

Another thing is to not leave files or folders chmodded 777, because that means that the User (first digit), Group (second digit) and World (third digit) have level 7 permissions, 7 meaning Read, Write, AND Execute. So any files that are world-writable mean that anyone in the world can update/rewrite/upload files to those folders. It just makes it easier for bad people to do nasty things to your sites/servers. Whenever any script tells you that you need to chmod something 777, 99.9% of the time chmodding 775 will work just fine.
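As an added example (not code from the thread or from WordPress), here is a small bash audit that checks an install for the two conditions described in the post above: world-writable (777-style) paths, and index.php files carrying an injected iframe or remote script. The directory tree it builds, the hostnames in it and the WordPress layout are constructed for the demonstration; the script only reports and changes nothing.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: report-only audit of a WordPress tree.

# 1. World-writable files and directories under $1 (the "chmod 777" problem).
#    The thread's rule of thumb: 775 on directories is almost always enough.
find_world_writable() {
    find "$1" -perm -0002 \( -type d -o -type f \) -print 2>/dev/null | sort
}

# 2. index.php files containing an <iframe> or a <script> with a remote src,
#    the injection patterns described in the post. WordPress's own entry-point
#    index.php files contain no HTML at all, so any match there is suspect.
#    Theme templates are skipped because they legitimately contain HTML;
#    review those by hand rather than trusting a pattern match.
find_suspicious_index() {
    grep -rliE --include='index.php' --exclude-dir='themes' \
        "<iframe|<script[^>]+src=[\"']?https?://" "$1" 2>/dev/null | sort
}

# Build a constructed, deliberately flawed tree for demonstration; prints its path.
make_demo_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo" \
             "$root/wp-content/themes/demo"
    # clean entry point: PHP only, no markup
    printf '%s\n' '<?php require "./wp-blog-header.php";' > "$root/index.php"
    # constructed injected file; malware.example is a placeholder, not a real indicator
    printf '%s\n' '<?php /* plugin */ ?><iframe src="http://malware.example/x" width=0></iframe>' \
        > "$root/wp-content/plugins/demo/index.php"
    # theme template: HTML and scripts are expected here and must not be flagged
    printf '%s\n' '<html><script src="https://cdn.example/jquery.js"></script></html>' \
        > "$root/wp-content/themes/demo/index.php"
    chmod 777 "$root/wp-content/uploads"       # the 777 the post warns against
    chmod 755 "$root/wp-content/plugins/demo"
    printf '%s\n' "$root"
}

# Stand-alone run: build the demo tree, report both findings, clean up.
demo_root="$(make_demo_tree)"
echo "== world-writable paths (suggest chmod 775 dirs / 664 files) =="
find_world_writable "$demo_root"
echo "== index.php files with iframe/remote script, review by hand =="
find_suspicious_index "$demo_root"
rm -rf "$demo_root"
```

Point both functions at a real install root instead of the demo tree to audit it; a find with `-exec chmod` can be added once the report has been reviewed.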

grzepa
07-05-2010, 06:15 PM
My blogs are being constantly spammed with fake comments, and I'm getting an email every time such a fake comment appears....

pf69.com
07-05-2010, 06:55 PM
My blogs are being constantly spammed with fake comments, and I'm getting an email every time such a fake comment appears....

Why don't you disable the comments?

Buncha
07-05-2010, 07:09 PM
My blogs are being constantly spammed with fake comments, and I'm getting an email every time such a fake comment appears....

Use the Akismet plug-in. Kills 99% of spam comments.

http://akismet.com/
http://wordpress.org/extend/plugins/akismet/

ed_banger
07-05-2010, 09:13 PM
My blogs are being constantly spammed with fake comments, and I'm getting an email every time such a fake comment appears....

As others have said, disable comments or use akismet.


Spammers use comments because they carry good weight and linkjuice since they are deep links within a site. You can comment spam your own blogs with relevant contextual links for your other sites/blogs.

Lipshtick Lady
07-05-2010, 10:14 PM
This is super helpful... thanks to everyone who took time to explain.

A few more questions...
I use CoffeeCup FTP - which lets you save the server and password, which is encrypted.

But the "protocol" is set to http standard port 80; there are about 10 other "protocol" options... FTPS over SSL would seem strongest - is this needed?

One more question - I usually make an FTP user for each site and use that within WP admin to update plugins etc... I type in the pw each time. Is this a really bad habit?

On another note - I just opened my FTP app and am finding a few accounts listed that belong to others who gave me access at one point or another, and in clicking I find they didn't close the access. This would seem like a really good way to get messed up?

ed_banger
07-05-2010, 10:59 PM
This is super helpful... thanks to everyone who took time to explain.

A few more questions...
I use CoffeeCup FTP - which lets you save the server and password, which is encrypted.

But the "protocol" is set to http standard port 80; there are about 10 other "protocol" options... FTPS over SSL would seem strongest - is this needed?

FTPS over SSL is MUCH better than plain old http/ftp. I personally use SFTP which uses SSH for encryption.



One more question - I usually make an FTP user for each site and use that within WP admin to update plugins etc... I type in the pw each time. Is this a really bad habit?

When you do that, you're sending your password in plain text over HTTP to your WordPress admin. If you truly wanted to be secure, you would use SSL so you would access your wp-admin using https://. But in the grand scheme of things, that isn't really necessary, since you're using the HTTP protocol in the browser, and not the FTP protocol.

There are other viruses/malware that will sniff passwords that way... but more often those ones use keyloggers, so they just record every keystroke on your keyboard regardless of what sites/encryption you use. But rather than worrying about the ultimate worst case scenario that you can't prevent if you're infected, let's stick to worrying about issues we can protect against/prevent, even after you happen to get infected.



On another note - I just opened my FTP app and am finding a few accounts listed that belong to others who gave me access at one point or another, and in clicking I find they didn't close the access. This would seem like a really good way to get messed up?

I honestly would notify them and let them know you still have access, because if you have access, some other webmaster probably still has access to their accounts. I would go through your own accounts and make sure you disabled/deleted any temporary accounts you gave to other webmasters. These kinds of viruses are like STDs, and every time a webmaster connects to an FTP server is like having sex... it spreads the STD... Restrict access to your servers to trusted webmasters, use FTPS or SFTP to secure the connections, and make sure your saved password files are encrypted.

grzepa
07-06-2010, 08:14 PM
Well yes, I do use Akismet, and the comments don't show up on the site, but I'm still getting those emails...

nickutis
07-06-2010, 10:03 PM
For my blogs I use a modified httpd.conf (DirectAdmin) or .htaccess in the root (cPanel) to secure the main WordPress files and folders, which are then accessible only from my IP.