Using GeoIP.dat and Apache on cPanel / WHM to block 75,000+ attacks on wp-login.php in one day

Client denied by server configuration - protect wp-login.php

After yet another brute-force attack today on our servers hosting WordPress sites, I finally decided it was time to take some drastic action. There are a number of different approaches you can take; this is what I did to block literally over 75,000 attacks against wp-login.php today.

Step 1: Install the GeoIP database and Apache module

Step 2: Add this to /usr/local/apache/conf/includes/post_virtualhost_global.conf

# Whitelist countries allowed to access wp-login.php or wp-comments-post.php
<FilesMatch "(wp-login|wp-comments-post)\.php$">
    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE CN AllowCountry
    Order deny,allow
    Deny from all
    Allow from env=AllowCountry
    ErrorDocument 403 "Forbidden."
</FilesMatch>

(We have some clients in China who legitimately need to log in to WordPress, so we included them in the whitelist.) Adjust your whitelist / allowed country list appropriately.

Restart Apache (service httpd restart) and start watching the attacks get served “Forbidden.” messages instead of hitting WordPress and the database. Server load way down, yay! Sorry, rest of the world, you can’t have our wp-login.php anymore.
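As an added illustration (not part of the original post), here is a small shell script that reads an Apache combined-format access log and reports how many wp-login.php and wp-comments-post.php requests ended as 403 versus real login traffic, plus which source addresses hit those files hardest. This is the kind of check you would run to confirm the FilesMatch rule above is doing the work. The log lines embedded in the script are constructed sample data, not from the author’s server.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise login-endpoint traffic
# in an Apache combined-format access log: how many wp-login.php and
# wp-comments-post.php requests were answered 403 by the GeoIP FilesMatch
# rule, how many got through, and which source addresses were most active.
# The sample log below is constructed data.

# Number of requests to the login endpoints that got a given status code.
# Usage: count_login_hits LOGFILE STATUS
count_login_hits() {
    awk -v want="$2" '
        # combined log format: $7 is the request path, $9 the status code
        $7 ~ /\/(wp-login|wp-comments-post)\.php/ && $9 == want { n++ }
        END { print n + 0 }
    ' "$1"
}

# Busiest source addresses against the login endpoints, any status.
# Usage: top_login_sources LOGFILE [N]   (prints "COUNT IP", N lines)
top_login_sources() {
    awk '$7 ~ /\/(wp-login|wp-comments-post)\.php/ { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' "$1" |
        sort -rn | head -n "${2:-5}"
}

# Constructed sample log: one host hammering the login page and being
# blocked (403), one legitimate user fetching the form (200) and logging
# in (302), plus unrelated traffic that must not be counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Jul/2013:03:14:01 -0700] "POST /wp-login.php HTTP/1.1" 403 10 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2013:03:14:02 -0700] "POST /wp-login.php HTTP/1.1" 403 10 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2013:03:14:05 -0700] "POST /wp-login.php HTTP/1.1" 403 10 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2013:03:15:10 -0700] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2013:03:15:20 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2013:03:16:00 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 10 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2013:03:17:00 -0700] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF

echo "blocked by GeoIP rule (403): $(count_login_hits "$SAMPLE_LOG" 403)"
echo "login form served (200):     $(count_login_hits "$SAMPLE_LOG" 200)"
echo "logins redirected (302):     $(count_login_hits "$SAMPLE_LOG" 302)"
echo "top sources:"
top_login_sources "$SAMPLE_LOG" 3
```

On a cPanel box the per-domain logs live under /usr/local/apache/domlogs/, so a real run looks like `count_login_hits /usr/local/apache/domlogs/example.com 403`. A steadily rising 403 count with a flat 200/302 count is exactly the picture the post describes: the attackers are answered by Apache before PHP or MySQL ever see the request.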

Fix for Twitter Tools open_basedir error

If you’re like me you’ve been using the excellent Twitter Tools plugin for WordPress for a while now. Recently a client noticed that there was a sporadic error being shown that was similar to this:

Warning: require_once() [function.require-once]: open_basedir restriction in effect. File(twitteroauth.php) is not within the allowed path(s): (/home/fern:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/fern/public_html/wp-content/plugins/twitter-tools/twitter-tools.php on line 1516

Here is the fix I figured out: add the absolute path of the file into the plugin code and it should clear this up. Obviously this isn’t an ideal long-term solution. Hopefully Alex will incorporate this simple fix into the next version of the plugin. Note that this fix applies to Twitter Tools version 2.4.

In twitter-tools/twitter-tools.php change line 1516 to:
require_once(dirname(__FILE__) . '/twitteroauth.php');

And in twitter-tools/twitteroauth.php change line 10 to:
require_once(dirname(__FILE__) . '/OAuth.php');

How to disallow browsing of .svn directories on your server

If you deploy projects live out of Subversion repositories to public web servers, here’s a good tip for denying access to the .svn directories to keep people from snooping around your files.

Edit your global Apache config file (httpd.conf) or .htaccess file to include the following directive:

# Disallow any .svn directory browsing
<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>

This will tell Apache not to serve any directory called .svn.
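Two checks to go with that rule, as an added example rather than anything from the original post: list every .svn directory under a document root so you know what the rule has to cover, and probe the live site to confirm Apache really answers 403 for a file inside .svn. The checkout layout the script builds is constructed for the demonstration; the document root and site URL are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks to go with the
# Apache rule above: list every .svn directory under a document root so you
# know what the rule must cover, and probe the live site to confirm Apache
# really answers 403 for a file inside .svn. The checkout layout created
# below is constructed for the demonstration; DOCROOT and the site URL are
# placeholders you supply.

# Every .svn directory beneath DOCROOT, one per line.
# Usage: find_svn_dirs DOCROOT
find_svn_dirs() {
    find "$1" -type d -name .svn
}

# How many .svn directories sit beneath DOCROOT.
count_svn_dirs() {
    find_svn_dirs "$1" | wc -l | tr -d ' '
}

# Ask the web server for a file inside .svn and print only the HTTP status.
# 403 means the Directory rule is active; 200 means the checkout metadata is
# still being served. Usage: probe_svn_file https://example.com .svn/entries
probe_svn_file() {
    curl -s -o /dev/null -w '%{http_code}' "${1%/}/$2"
}

# Constructed checkout layout in a temporary directory: one .svn at the
# docroot and one inside a theme, plus an uploads directory with none.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/public_html/.svn" \
         "$DEMO_ROOT/public_html/wp-content/themes/mytheme/.svn" \
         "$DEMO_ROOT/public_html/wp-content/uploads"
: > "$DEMO_ROOT/public_html/.svn/entries"

echo "Subversion metadata directories under $DEMO_ROOT:"
find_svn_dirs "$DEMO_ROOT"
echo "total: $(count_svn_dirs "$DEMO_ROOT")"
# Against a real server you would run, for example:
#   probe_svn_file https://www.example.com .svn/entries
```

Two caveats worth knowing when you apply the rule. First, `<Directory>` sections, including the regex form used above, are honoured only in the main server configuration; Apache refuses them inside an .htaccess file, so put the block in httpd.conf (or a file it includes). Second, the pattern `\.svn` is unanchored and matches any directory whose path contains that text, so the find listing is a quick way to see exactly which directories it will cover. Subversion 1.7 and later keep a single .svn directory at the root of the checkout (with a wc.db database) rather than one per directory, so `probe_svn_file https://www.example.com .svn/wc.db` is the equivalent probe for newer checkouts.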

How to check if your DNS server is vulnerable to the recently discovered DNS exploit

In case you’ve missed the recent news about the major DNS exploit problem and haven’t checked whether your DNS server is vulnerable, this site has a checker that will test whether your DNS server appears to be patched.

Recently, a significant threat to DNS, the system that translates names you can remember (such as www.doxpara.com) to numbers the Internet can route (66.240.226.139) was discovered, that would allow malicious people to impersonate almost any website on the Internet. Software companies across the industry have quietly collaborated to simultaneously release fixes for all affected name servers. To find out if the DNS server you use is vulnerable, click below.

Check your DNS server here: DoxPara Research.

(via David Shea @ Mezzoblue, found on RSS2)

Why you should upgrade your WordPress installation to version 2.6 (just released) today

WordPress 2.6 is Available! Security Advisory to upgrade ASAP!

First, the good news: Matt & his brave crew of WordPress coders have just released version 2.6 of the Open Source award-winningly awesome content management system called WordPress (download it here). I’ve been using it since it was called b2, and love it. I recommend it for most of my clients, and they love the simplicity and ease of use. I also really like how easy it is to customize and extend, using the excellent theme and plugin system.

If you have a WordPress installation yourself, please upgrade it today. Why should you do it today? In short, not only does the latest version of WordPress have some awesome new features (like content change tracking, a new “Press this” browser bookmark, using Google’s Gears system to make it faster, and about 194 bug fixes), it also contains the latest SECURITY FIXES.

Why should you care about security fixes? Because older versions of WordPress are vulnerable to exploits. I know this for a fact, and have been working on cleaning out a number of older installations of WordPress that have been hacked. This isn’t a fun process, and if you stay up to date, you will have the best chance of not getting hacked yourself.

This isn’t a problem exclusive to WordPress, and they’ve done a really good job generally at fixing holes (the current release proactively fixes a number of potential issues), but it is an issue you should definitely look into.

On a Unix machine, one thing to look for is this pattern in any file: md5($_COOKIE

You can do a search through all your hosting accounts by running this command (run as root):
# grep -R 'md5($_COOKIE' /home/

That will tell you if you have any infected files (for this particular exploit). If you find any, you need to clean out those files. If you are running your sites out of version control (like using svn), this may be slightly easier.

Running svn st should tell you if any files have changed since the last time you checked them out. If you see unexpected files show up, you’ve been hacked.

To clean out your installation without using version control (done as root in this case):

  1. Copy your whole public_html directory to another location so you can do forensics on it and copy valid files back into your new installation:
    # cd /home/USERNAME/
    # mkdir public_html-hacked
    # mv public_html/* public_html-hacked/
  2. Download a clean copy of WordPress into your public_html:
    # cd /home/USERNAME/
    # wget http://wordpress.org/latest.zip
    # unzip latest.zip
    # cp -R wordpress/* public_html/
    # chown -R USERNAME:USERNAME public_html/*
  3. Create a new wp-config.php file. It’s probably a really good idea to first change your MySQL database password. To create your new config file:
    # cd public_html/
    # cp wp-config-sample.php wp-config.php
    # vi wp-config.php

    Enter the correct (new) values for your MySQL database name, username, password, and the (currently 3) authorization unique key values (go to http://api.wordpress.org/secret-key/1.1/ to automatically generate the 3 keys for you to copy/paste into your config file).
  4. Next, upgrade your WordPress database: http://example.com/wp-admin/upgrade.php. You’ll have to sign in with your admin username and password. Once this is done (should go without a hitch, hopefully), examine your user table to see if there are any entries there that shouldn’t be. Delete any users that you didn’t create. Also, it would be a good idea to update the password for each user in the system.
  5. Go through all of your Settings, looking for any suspicious changes. Specifically notice what the Uploads directory is set to (in Settings->Miscellaneous). It should probably be set to something like wp-content/uploads. If it says something like ../../../../../tmp/ change it back. Also go look there to see if there are any left-over files that need to be investigated and removed.
  6. Make a local copy backup of your database and then clean out entries that don’t belong there. Check your raw database (using something like PHPMyAdmin or command line mysql tools) and examine the wp_users table. Look for a user called WordPress. Delete it! If you found it, also check the wp_usermeta table and delete all entries associated with the bogus WordPress user ID. Next, check through your other MySQL tables to look for any suspicious entries (attached files, comments, posts, etc.) Delete anything that looks incorrect or wrong, but be sure not to delete your actual content.
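The grep check above and the uploads-directory check in step 5 are easy to script so you can run them across every account on a box. Here is an added example (not from the original post) that applies the post’s own indicator, the literal string md5($_COOKIE in a PHP file, to a WordPress document root, and adds two of the other checks the post walks through by hand: PHP files sitting in wp-content/uploads, and files a Subversion checkout reports as modified or unversioned. The docroot and files it builds are constructed for the demonstration, and the planted files only contain the indicator string, nothing that executes anything.

```shell
#!/bin/sh
# Added example, not from the original post. A small audit script that
# applies the post's own indicator (the literal string md5($_COOKIE in a PHP
# file) to a WordPress document root and adds two of the other checks the
# post walks through by hand: PHP files sitting in wp-content/uploads, and
# files a Subversion checkout reports as modified or unversioned. The docroot
# and files built below are constructed for the demonstration.

# PHP files beneath DOCROOT containing the indicator string. -F makes grep
# treat the pattern as a fixed string, so $ and ( are matched literally.
# Usage: find_cookie_backdoors DOCROOT
find_cookie_backdoors() {
    find "$1" -type f -name '*.php' -exec grep -lF 'md5($_COOKIE' {} + 2>/dev/null
    return 0
}

# PHP files in the uploads directory, which should hold media only.
# Usage: find_uploads_php DOCROOT
find_uploads_php() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
    return 0
}

# Modified (M) or unversioned (?) files, if DOCROOT is a Subversion checkout.
# Usage: svn_changes DOCROOT
svn_changes() {
    if [ -d "$1/.svn" ]; then
        (cd "$1" && svn st)
    else
        echo "not a Subversion checkout: $1" >&2
    fi
}

# Count the lines of whatever is piped in (0 for empty input).
count_lines() { wc -l | tr -d ' '; }

# Constructed docroot: one clean file that uses md5() but never touches
# $_COOKIE, two planted files carrying the indicator (one hidden in the
# uploads tree), and a real upload that must not be flagged.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/wp-includes" "$DEMO_ROOT/wp-content/uploads/2008/07"
printf '%s\n' '<?php echo md5("salt" . $password); ?>' \
    > "$DEMO_ROOT/wp-includes/demo-core.php"
printf '%s\n' '<?php /* constructed indicator only */ $k = md5($_COOKIE["id"]); ?>' \
    > "$DEMO_ROOT/wp-includes/class-cache.php"
printf '%s\n' '<?php /* constructed indicator only */ $k = md5($_COOKIE["id"]); ?>' \
    > "$DEMO_ROOT/wp-content/uploads/2008/07/image.php"
: > "$DEMO_ROOT/wp-content/uploads/2008/07/photo.jpg"

echo "PHP files containing md5(\$_COOKIE:"
find_cookie_backdoors "$DEMO_ROOT"
echo "PHP files under wp-content/uploads:"
find_uploads_php "$DEMO_ROOT"
svn_changes "$DEMO_ROOT"
```

On a shared host you would loop this over every account, for example `for d in /home/*/public_html; do find_cookie_backdoors "$d"; done`, and treat any hit as a file to move into the forensics copy rather than something to edit in place. The indicator only covers the particular exploit the post describes; a clean result here is not proof the install is clean, which is why the post still walks through the user table, settings and uploads directory by hand.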

As you can see, there are lots of things to check for if your installation of WordPress gets compromised. So, to save yourself a lot of pain and suffering, make sure you upgrade your WordPress installation(s) just as soon as you can.

More good info if you think your WordPress installation has been hacked:

Vote Republican and keep these awesomely INSANE TSA rules in place!

TSA: Republican Fear Machine

I am not making this shit up. This is not a post from The Onion. This is an actual, U.S. taxpayer-funded policy, implemented by the Republicans to “protect” us from… our fresh breath?

You can now bring toothpaste on board an airplane, in the United States, AS LONG AS YOU PUT IT IN A SMALL PLASTIC BAG before you go through the TSA screening checkpoint. If it is NOT in a baggie, then they will confiscate your toothpaste.

TSA MADNESS

Quoting from the TSA’s site:

Travelers may now carry through security checkpoints travel-size toiletries (3 ounces or less) that fit comfortably in ONE, QUART-SIZE, clear plastic, zip-top bag.

This is insanity. Vote Republican if you want more of your expensive cosmetics confiscated because it’s not in a FUCKING BAGGIE.

I asked the screener lady if she thought, personally, that this policy makes sense. She told me, “We get briefed daily by Washington. We know things, and there’s a good reason for this.” I’m sure they do get briefed daily. The TSA is part of the developing fascist police state that is America now.

TSA’s official page about their absurd baggie rule

What’s next? Proper papers to pass? Only certain, party-approved and loyal passengers allowed to fly or travel? We’re quickly getting there.

This is madness. Total madness.

Schneier on Security: What the Terrorists Want

I’d like everyone to take a deep breath and listen for a minute.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we’re doing exactly what the terrorists want.

Schneier on Security: What the Terrorists Want

(Via reddit).

Welcome to your future if you don’t think and do the right(TM) thing.

THIS IS SO FUCKED UP. Peaceful protesters sitting on the ground in circles getting systematically broken up by police in riot gear, basically pulling them up by sticking their fingers right under the jaw. Hard. FUCKED UP. Nice American-style justice. Keep the dissenters quiet.

Video of Police Brutality

Not sure which is the more disturbing part: the brutality (not uncommon, really, these days; it’s just usually kicking and hitting with clubs) or the guys taking pictures and video as these PEOPLE are being subjected to intense pain by our trusty HEROES, Abu Ghraib-style pain inflictors. Makes me sick. This is really, really not cool.

Some good comments and discussion over at the Santa Cruz Indymedia site covering this event.

One interesting comment by “Santa Cruz PD”:

Excellent police training film

22 Apr 2005

by Santa Cruz PD
Please note the incredible restraint of the officers under repeated antagonistic taunting of the surrounding protestors. While the use of the nerve pinch is not as effective as other non-lethal means of subject control, we commend the men and women of the police force for attempting to maintain order with a minimum of surrounding outbreaks in violence and disobedience.

Please note the complete allowance of video cameras that allow the public to properly document the incident. The cameras were not confiscated and filming was allowed to continue unless the camera operator interfered with the duties of the police officers.

We appreciate that our officers were able to go home to their families at the end of their watch.

Thank goodness they can go back to their families.

The final response to the above post:

Re: Excellent police training film

22 Apr 2005

by jim
In response to: Santa Cruz PD, who wrote
“…the use of the nerve pinch is not as effective as other non-lethal means of subject control…”

One with police/martial art training can see that the “nerve pinch” was not the only technique used. By “nerve pinch,” I believe you’re referring to the pressure point underneath the jawbone, which can cause immense pain, although it doesn’t leave lasting damage.

In both the video and the photographs, the police can also be clearly seen utilizing chokes (you can see this technique when the police are pressing about midway down the neck, on either side). Police are shown applying pressure to the carotid artery, effectively cutting off blood and oxygen flow to the brain. This results in unconsciousness within a few seconds.

I’m sure you are aware that this technique has caused several deaths when used by police officers in the past. I’m sure you also know that the potential of death has led to a ban on choking in some law enforcement jurisdictions.

Regardless of the legality of chokes as coercion techniques, using chokes at the protest was completely irresponsible and shows horrid judgement on the part of the law enforcement officers. The protestors were completely peaceful and nonviolent.

There should be an exceptionally good reason to use chokes, given their potential of death. I don’t believe 50 students in non-violent protest, endorsing justice, democracy, peace, and creativity constitutes an exceptional reason. Your police were concerned with demonstrating their skills in pain coercion in order to make your “Excellent police training film,” with complete disregard to the appropriateness/morality of their actions.

sincerely,
jim

SOURCES
http://www.fightingarts.com/content01/judo_choke.shtml
http://judoinfo.com/chokes5.htm

“Please note the incredible restraint of the officers under repeated antagonistic taunting of the surrounding protestors.”

Please note the incredible restraint of the PROTESTORS and THEIR FRIENDS. You were choking them. They yelled back. I think that’s understandable, unlike your actions.

(THE UC SHOULD BE CONCERNED WITH EXPANDING STUDENTS’ BRAINS, NOT CUTTING OFF THE BLOOD FLOW TO THEM)

US-CERT RSS Channels

Was working on getting the Securanix site back up after a server change and finally fixed the CERT RSS feed (they had changed their URL).

US-CERT RSS Channels

US-CERT Channels
US-CERT publishes a number of XML RSS 1.0 feeds containing headlines about recently published US-CERT documents. RSS, or RDF Site Summary, allows web publishers to access constantly updated information from other web sites. For example, US-CERT provides an RSS feed for its Cyber Security Tips channel that web publishers can access. By installing calls to the US-CERT RSS files into their web sites, web publishers can ensure that their sites include up-to-date computer security information that is available on the US-CERT site.