BLOG

Shellshock

One of the most commonly installed utilities on a Linux system, the Bourne Again Shell (Bash), was vulnerable to a serious remote code execution vulnerability, documented as CVE-2014-6271 and CVE-2014-7169. It allowed an attacker to execute code on a remote server, potentially compromising the entire server. Unlike the Heartbleed vulnerability, exploitation of this one does leave traces in the Apache logs.

Although this vulnerability is very widespread, it mainly affects web servers that have CGI scripts set up. It also affects bash scripts that use environment variables, network dispatcher scripts, and git hooks. If you have none of these, there is nothing to be concerned about, as the vulnerability does not affect you. If you have CGI scripts and would like to check whether the vulnerability has been exploited on your server, feel free to contact us to check your Apache logs. As soon as this vulnerability was disclosed we were already in the process of patching the servers, and currently all servers have the latest patch for the Shellshock vulnerability.

Check Apache logs:

grep '() { :;};' /var/log/httpd/name_of_access_log
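As an added example that is not part of the original post: a small Python script that parses Apache combined-format log lines and flags every request, Referer or User-Agent field carrying the "() {" function-definition prefix that Shellshock abused. It matches the prefix with flexible whitespace, so it also catches probes that the exact grep string above would miss; the log lines are constructed for the example, not taken from a real server.

```python
import re

# Constructed Apache combined-format log lines (not from any real server).
# Only the third and fourth lines carry a Shellshock-style function definition.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.30.0"
198.51.100.7 - - [25/Sep/2014:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probe"
198.51.100.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() {:;}; echo probe" "Wget/1.14"
"""

# Apache combined log format: the request line, Referer and User-Agent are the quoted fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash exports a function as an environment variable whose value starts with "() {";
# that prefix is what Shellshock relied on, so match it with flexible whitespace rather
# than the exact "() { :;};" string, which misses trivially reformatted probes.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return (client ip, field name, field value) for each header field with the marker."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append((entry["ip"], field, entry[field]))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock(SAMPLE_LOG):
        print(f"{ip}  {field:8s}  {value}")
```

Point it at a real access log by reading the file into `find_shellshock`; a hit only proves a probe arrived, so also check whether the targeted CGI script existed and what the server answered.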

Read More:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

XMLRPC

Recently we have noticed a large number of hits to the xmlrpc.php file within WordPress installations, which have been causing server loads to rise. This is due to WordPress functionality called pingbacks, which is being used to perform DDoS attacks on other websites using WordPress installations. The xmlrpc.php file allows API calls from other applications and also pingback requests. If you do not use this, I would recommend removing the file, as it decreases the possibility of vulnerabilities in your WordPress installation, or disabling the pingback functionality using the plugin linked below.

Not only will this prevent high loads on your server, but it will also prevent denial of service traffic originating from your website. Removing this file also greatly reduces the attack surface of a WordPress installation. I will provide links below explaining what pingbacks are, how to disable pingbacks with a plugin, and the vulnerability information for this type of attack. Although this vulnerability does not allow for compromise of your website, it allows others to use your site to perform a denial of service attack on others. Please feel free to contact us if you have any questions.


http://en.support.wordpress.com/comments/pingbacks/

https://wordpress.org/plugins/disable-xml-rpc-pingback/

http://www.cvedetails.com/cve/CVE-2014-5266/

WordPress Brute Force

WordPress is one of the largest content management systems around and is often the target of a plethora of attacks. Recently WordPress brute force attacks have become more and more common. These brute force attacks use a large number of automated attempts to guess your username and password. Although there is no single method to prevent these attacks, there are things you can do to protect your website.

- Be sure to have a strong password with at least eight characters in total, including upper and lower case characters, numbers, and special characters.
- Change the default WordPress admin username.
- Ensure your WordPress installation is up to date.
- Secure the WordPress dashboard.
- Set up a security plugin (iThemes Security).

These steps should help prevent brute force attacks and keep your site secure. Security and availability matter when you have a web presence, and taking these small steps will improve both. On Apache servers you can also secure your dashboard manually using your .htaccess file. Replace 127.0.0.1 with your IP address (fetchip.com) if you wish to restrict access to your dashboard by IP address. For the referrer method, which is non-intrusive and only prevents bots, just change the domain (example.com) to your own. Be sure to keep the backslash before the period.

Block access to dashboard by IP:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>

Block WordPress logins without referrer:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

iThemes Security Plugin:
https://wordpress.org/plugins/better-wp-security/

Harden WordPress:
http://codex.wordpress.org/Hardening_WordPress