
Wordpress Suspicious Sucuri Alerts

Discussion in 'Blogs & CMS usage' started by selcukv, Apr 19, 2019.

  1. selcukv

    selcukv New Member

    17
    5
    3
    Sep 21, 2018
    Ratings:
    +5
    Local Time:
    5:32 PM
    nginx/1.15.3
    mysql Ver 15.1 Distrib 10.1.36-MariaDB
    Hi there,

    I was in the middle of writing this post either to the WP forum or the Sucuri forum; later I decided to start here, since I use CMM. Maybe you guys have experienced the same or something similar.

    Yesterday morning when I woke up I saw these 3 emails:

    The subjects were the same: Sucuri Alert, www.mydomain.com, Post Update, 71.6.146.186

    Event: Post Update Website: http://www.mydomain.com IP Address: 71.6.146.186 Reverse IP: inspire.census.shodan.io Date/Time: 18/04/2019 07:08

    Message: Scheduled-action status has been changed; details: ID: 1829,Old status: new,New status: pending,Title: woocommerce_update_marketplace_suggestions

    -------------------------------------------

    Event: Post Update Website: http://www.mydomain.com IP Address: 71.6.146.186 Reverse IP: inspire.census.shodan.io Date/Time: 18/04/2019 07:08

    Message: Scheduled-action status has been changed; details: ID: 1827,Old status: new,New status: pending,Title: woocommerce_update_marketplace_suggestions


    -------------------------------------------

    Event: Post Update Website: http://www.mydomain.com IP Address: 71.6.146.186 Reverse IP: inspire.census.shodan.io Date/Time: 18/04/2019 07:08

    Message: Media file added; ID: 1826; name: woocommerce-placeholder; type: image/png

    -------------------------------------------

    When I try to view the posts through https://www.mydomain.com/wp-admin/post.php?post=1827&action=edit, I get the error message "Sorry, you are not allowed to edit posts in this post type." When I try to view the post through https://www.mydomain.com/?p=1827, I get a 404.

    On the other hand there's a new media file which is not added by me. I'm attaching it.

    How can I dig deeper for this? Should I worry?

    Thank you in advance.
     


  2. eva2000

    eva2000 Administrator Staff Member

    41,032
    9,163
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,062
    Local Time:
    12:32 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Please fill in any relevant information that applies to you:
    • CentOS Version: i.e. CentOS 6 32bit or 64bit / CentOS 7 64bit ?
    • Centmin Mod Version Installed: i.e. 123.08stable or 123.09beta01
    • Nginx Version Installed: i.e. 1.15.3
    • PHP Version Installed: i.e. 5.6.37, 7.0.31, 7.1.21, 7.2.9
    • MariaDB MySQL Version Installed: i.e. 10.0.x or 10.1.xx or 10.2.xx
    • When was last time updated Centmin Mod code base ? : i.e. run centmin.sh menu option 23 submenu option 2 or cmupdate command
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      cat /etc/centminmod/custom_config.inc
      

      Post output in CODE tags.

    1. how was wordpress installed ? manually or via centmin.sh menu option 22 https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/
    2. if installed via centmin.sh menu option 22, which caching method did you choose ? keycdn cache enabler, redis nginx level cache or wp super cache ?
    3. are you behind cloudflare and did you setup proper real ip pass through ? see below
    4. tried contacting woocommerce folks ?
    If you use a reverse proxy like Cloudflare, Sucuri, or Incapsula in front of Centmin Mod Nginx, you need to setup nginx realip to be passed onto Nginx. See Getting Started Guide step 5 and setting correct real ip via nginx module config at http://centminmod.com/nginx_configure_cloudflare.html.

    If using Centmin Mod 123.09beta01 and newer, there's an added tools/csfcf.sh script to aid in this. Details at:
     
  3. eva2000

    eva2000 Administrator Staff Member

    Also, what's the output of the command to grep-search the CSF Firewall for IP 71.6.146.186?
    Code (Text):
    csf -g 71.6.146.186

    Example output, as Centmin Mod 123.09beta01 on initial install already tries to block all known Shodan scanner IPs out of the box:
    Code (Text):
    csf -g 71.6.146.186
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination        
    No matches found for 71.6.146.186 in iptables
    
    
    IPSET: Set:chain_DENY Match:71.6.146.186 Setting: File:/etc/csf/csf.deny
    
    
    ip6tables:
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination        
    No matches found for 71.6.146.186 in ip6tables
    
    csf.deny: 71.6.146.186 # inspire.census.shodan.io - Sun Nov 11 15:34:05 2018
    

    For posting code or output from commands, to keep the formatting you might want to use CODE tags: How to use forum BBCODE code tags :)
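A small triage script, added here as an example (not code from the thread, Sucuri or Centmin Mod): it parses alert lines in the one-line format quoted earlier in the thread, pairs each with its Message line, reads a csf.deny excerpt in the format that `csf -g` echoes back, and labels each alert as coming from a trusted admin IP, a census scanner already denied, a scanner not yet denied, or an unknown source to review by hand. The sample alerts and deny entries are constructed; the addresses 203.0.113.7 and 198.51.100.4, the second alert, and the shodan.io reverse-DNS pattern are assumptions.

```python
import re

# Constructed sample in the one-line format of the Sucuri alert e-mails quoted
# in the thread; the second alert is invented to show a normal admin edit.
ALERTS = """\
Event: Post Update Website: http://www.mydomain.com IP Address: 71.6.146.186 Reverse IP: inspire.census.shodan.io Date/Time: 18/04/2019 07:08
Message: Scheduled-action status has been changed; details: ID: 1829,Old status: new,New status: pending,Title: woocommerce_update_marketplace_suggestions
Event: Post Update Website: http://www.mydomain.com IP Address: 203.0.113.7 Reverse IP: Date/Time: 18/04/2019 09:15
Message: Post updated; ID: 12; title: Hello world
"""
# Constructed csf.deny excerpt in the "csf.deny:" format that `csf -g` prints.
CSF_DENY = """\
71.6.146.186 # inspire.census.shodan.io - Sun Nov 11 15:34:05 2018
198.51.100.4 # manual block - Mon Apr 15 10:00:00 2019
"""
# Hypothetical reverse-DNS suffix pattern for Internet-wide census scanners.
SCANNER_RDNS = re.compile(r"\.shodan\.io$")
ALERT_RE = re.compile(
    r"Event: (?P<event>.+?) Website: (?P<site>\S+) IP Address: (?P<ip>\S+) "
    r"Reverse IP: (?P<rdns>\S*?) ?Date/Time: (?P<when>\S+ \S+)$"
)

def parse_alerts(text):
    """Pair each 'Event:' header with the 'Message:' line that follows it."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = m.groupdict()  # rdns is "" when reverse lookup was empty
            alerts.append(current)
        elif line.startswith("Message:") and current is not None:
            current["message"] = line[len("Message:"):].strip()
    return alerts

def parse_csf_deny(text):
    """Map each denied IP/CIDR to its comment (the text after '#')."""
    rows = (ln.partition("#") for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    return {ip.strip(): comment.strip() for ip, _, comment in rows}

def triage(alerts, denied, trusted_ips):
    """Label each alert: trusted admin IP, scanner already denied, scanner not denied, or review."""
    out = []
    for a in alerts:
        ip, scanner = a["ip"], bool(SCANNER_RDNS.search(a["rdns"]))
        if ip in trusted_ips:
            verdict = "trusted"
        elif scanner:
            verdict = "scanner-denied" if ip in denied else "scanner-not-denied"
        else:
            verdict = "review"
        out.append({"ip": ip, "rdns": a["rdns"], "verdict": verdict, "message": a.get("message", "")})
    return out
```

Feed it the real alert bodies and the `csf.deny:` lines from `csf -g` to see at a glance which alerts come from an address the firewall already denies and which still need a look.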
     
  4. selcukv

    selcukv New Member

    • CentOS Version: CentOS Linux 7.6.1810 64bit
    • Centmin Mod Version Installed: 123.09beta01.b094
    • Nginx Version Installed: 1.15.8
    • PHP Version Installed: 7.3.1
    • MariaDB MySQL Version Installed: 10.1.37-MariaDB
    • When was last time updated Centmin Mod code base ? : approx. 2 weeks ago
    • Persistent Config:
      NGXDYNAMIC_NGXPAGESPEED='y'
      NGINX_PAGESPEED='y'
      EMAIL='[email protected]'
      PUSHOVER_EMAIL='[email protected]'
      LETSENCRYPT_DETECT='y'
      NGINX_VHOSTSSL='y'
      SELFSIGNEDSSL_C='**'
      SELFSIGNEDSSL_ST='****'
      SELFSIGNEDSSL_L='********'
      MARCH_TARGETNATIVE='n'
    • Wordpress installed with Option 22, keycdn cache enabler, no cloudflare
    Normally real IP addresses pass through, I don't think there's any issue with that. I see my real IP as well as my username on Sucuri Alerts, when I make other changes such as post updates, setting changes, etc.

    I don't use any reverse proxy.

    Do you think that I should contact WooCommerce?
     
  5. selcukv

    selcukv New Member

    Code:
    [15:18][[email protected] ~]# csf -g 71.6.146.186
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 71.6.146.186 in iptables
    
    IPSET: No matches found for 71.6.146.186
    
    
    ip6tables:
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 71.6.146.186 in ip6tables
     
  6. eva2000

    eva2000 Administrator Staff Member

    yup

    Also, update: 123.09beta01 build 94 is pretty old, with build 131 being the latest, so update that first, then do the nginx 1.15.12 and PHP 7.3.4 updates too.

    Upgrading Centmin Mod Code to Latest Version

    Getting Started Guide step 19 also outlines how to keep Centmin Mod code updated or how to switch version branches, or you can run the cmupdate command that was recently added.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git-backed environment you can set up.

    For 123.08stable that means centmin.sh menu option 23 submenu option 2 (if you previously ran submenu option 1) first, then exit centmin.sh, re-enter /usr/local/src/centminmod and re-run centmin.sh menu.

    For 123.09beta01 and higher that means running SSH command = cmupdate and then re-enter /usr/local/src/centminmod and re-run centmin.sh menu.

    Example of using the 123.09beta01 cmupdate command to update Centmin Mod code on your server:
    Code (Text):
    cmupdate
    No local changes to save
    Updating 5f92047..9d06ee8
    Fast-forward
     stackscripts/stackscript.sh | 11 ++++++++---
     1 file changed, 8 insertions(+), 3 deletions(-)
    


    For full details read the following links:
    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code, outlined at Upgrade Centmin Mod. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell-based menu and all the automation you're accustomed to. You can easily update within a Centmin Mod version branch or switch version branches via centmin.sh menu option 23, outlined here.
    2. Upgrading software that Centmin Mod installed or manages. For this part, follow the outline at How to upgrade Centmin Mod software installed on your server.
    So essentially, you can upgrade from one version branch to another, i.e. 123.08stable to 123.09beta01 or higher, in place, but not everything is upgraded, as some things like the server's initial environment setup aren't changed, i.e. how swap and tmp setup and allocation are created etc. The main parts from part 2 above are what in-place upgrades do, i.e. Nginx and PHP-FPM compilation and config/settings parameters, and the MariaDB version from 5.5 to 10.0.x. If you want the full environment changed, including tmp and swap setup, to the 123.09beta01 etc. configuration, then you would need a fresh OS install and a fresh 123.09beta01 initial install. You can think of it like upgrading Windows 7 to Windows 8. An in-place upgrade will upgrade code but won't change your computer environment from when you installed Windows 7, i.e. disk configuration and partition sizes won't change from when you initially installed Windows 7. The only way to change that would be a fresh Windows 8 install.
     
  7. selcukv

    selcukv New Member

    Thank you so much eva, I'll do that.

    Also regarding CSF firewall, there was an advanced tweak including these IPs as far as I remember, maybe I should do that too?
     
  8. eva2000

    eva2000 Administrator Staff Member

    You must have a pretty old 123.09beta01 install, from before Shodan scanners were automatically blocked.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yes, if you run tools/csf-advancetweaks.sh it will add those Shodan scanners to the CSF Firewall block/deny list, along with additional CSF Firewall blocklist options.
     
  10. selcukv

    selcukv New Member

    Dear eva,

    Thank you so much for your help. I've updated Centmin Mod first then nginx and PHP.

    Now my nginx version is
    Code:
    nginx -v
    nginx version: nginx/1.15.12 (190419-161126-centos7-kvm)
    PHP version is
    Code:
    php -v
    PHP 7.3.4 (cli) (built: Apr 19 2019 17:07:15) ( NTS )
    Copyright (c) 1997-2018 The PHP Group
    Zend Engine v3.3.4, Copyright (c) 1998-2018 Zend Technologies
        with Zend OPcache v7.3.4, Copyright (c) 1999-2018, by Zend Technologies
    Centmin Mod version is
    Code:
    cat /etc/centminmod-release
    123.09beta01.b131
    After my update, I checked whether the suspicious IP was blocked, but it wasn't, so I had to run /tools/csf-advancetweaks.sh; now it is OK:

    Code:
    csf -g 71.6.146.186
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 71.6.146.186 in iptables
    
    
    IPSET: Set:chain_DENY Match:71.6.146.186 Setting: File:/etc/csf/csf.deny
    
    
    ip6tables:
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 71.6.146.186 in ip6tables
    
    csf.deny: 71.6.146.186 # inspire.census.shodan.io - Fri Apr 19 18:53:48 2019
    I'll be moving to WC forum now, thank you so much for your help again :)