Wordpress Exploit if you use Nano, VIM or VI linux text editors

Discussion in 'Blogs & CMS usage' started by eva2000, Aug 10, 2015.

  1. eva2000 (Administrator, Staff Member)
    Heads up folks, this would apply to not just Wordpress but any PHP app's config files being edited by VIM or VI linux text editors: 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org. Centmin Mod and its created command shortcuts are by default set to use the nano text editor (line 6 of centmin.sh). However, some folks prefer to use linux text editors like VIM or VI, and there is nothing stopping folks from editing using their preferred linux text editors.

    For instance, to edit the MySQL settings file in SSH via a linux text editor you can use either

    Code:
    nano /etc/my.cnf
    Code:
    vim /etc/my.cnf
    Code:
    vi /etc/my.cnf
    to edit the file. However, nano doesn't do auto backups by default but still does temp files.


    The exploit: 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org

    I think @Matt prefers VIM ?
    Last edited: Aug 10, 2015
  2. rdan (Well-Known Member)
    Will this config fix this problem?
    Add to block.conf

  3. eva2000 (Administrator, Staff Member)
    Using return 444 is better than deny.

    This doesn't cover the emacs editor though, for the pattern #wp-config.php# still gets through.
    Code:
    location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }
    You can add it to your vhost's block.conf file, but it's commented out by default so isn't active:
    Code:
    #include /usr/local/nginx/conf/block.conf;
    so you need to uncomment it by removing the hash in front, and restart nginx and php-fpm

    Code:
    include /usr/local/nginx/conf/block.conf;
    or create a separate block include file with just this change, i.e. create /usr/local/nginx/conf/blockeditor-backups.conf and put into it
    Code:
    location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }
    then in vhost add
    Code:
    include /usr/local/nginx/conf/blockeditor-backups.conf;
    restart nginx and php-fpm

    in your vhost file at end add new include file
    Code:
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/blockeditor-backups.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    edit: oh actually you could add it to the /usr/local/nginx/conf/drop.conf file, which is already included, heh. It already has some blocks in /usr/local/nginx/conf/drop.conf:
    Code:
            location = /robots.txt  { access_log off; log_not_found off; }
            location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
            location ~ /\.          { access_log off; log_not_found off; deny all; }
            location ~ ~$           { access_log off; log_not_found off; deny all; }
            location ~ /\.git { access_log off; log_not_found off; deny all; }
    so add to /usr/local/nginx/conf/drop.conf
    Code:
            location = /robots.txt  { access_log off; log_not_found off; }
            location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
            location ~ /\.          { access_log off; log_not_found off; deny all; }
            location ~ ~$           { access_log off; log_not_found off; deny all; }
            location ~ /\.git { access_log off; log_not_found off; deny all; }
            location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }
    
    going to update centmin mod's /usr/local/nginx/conf/drop.conf file with this too :)
  4. eva2000 (Administrator, Staff Member)
    Updated Centmin Mod with the fix: Install - Centmin Mod 1.2.3-eva2000.08 how to install & update

    Also you can do a check using the find command to see if any such files exist

    Code:
    cd /home/nginx/domains
    # parentheses so that -type f applies to every -o alternative, not only the first
    find . -type f \( -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]" \)
    It returns nothing if no such files exist, or lists the files if they exist, i.e.
    Code:
     find . -type f \( -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]" \)
    ./#wp-config.php#
    ./wp-config.php.save
    ./wp-config.php~
    ./wp-config.php.swo
    ./wp-config.php.swp
    Last edited: Aug 10, 2015
  5. eva2000 (Administrator, Staff Member)
    Also, for Apache or LiteSpeed web server folks, the listed Apache htaccess file match block at 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org is missing the one for *.save files, so instead of
    Code:
    <Files ~ "(^#.*#|~|\.sw[op])$">
    Order allow,deny
    Deny from all
    </Files>
    use
    Code:
    <Files ~ "(^#.*#|~|\.save|\.sw[op])$">
    Order allow,deny
    Deny from all
    </Files>
    if you are using Apache or LiteSpeed web server

    For whm/cpanel servers you can edit /usr/local/apache/conf/includes/pre_virtualhost_global.conf and add
    Code:
    <Files ~ "(^#.*#|~|\.save|\.sw[op])$">
    Order allow,deny
    Deny from all
    </Files>
    save the file and restart the Apache or LiteSpeed web server
  6. eva2000 (Administrator, Staff Member)
    FYI, updated centmin mod .08 stable again and added the .bak extension to the blocking location for the drop.conf file (update drop.conf to block .bak files too · centminmod/centminmod@0f2e9ec · GitHub), as some folks like to save backups using the .bak extension

    so the last 2 lines of /usr/local/nginx/conf/drop.conf would become the following, where 17234 is the anchor that centmin mod checks to see if /usr/local/nginx/conf/drop.conf is the newest file, so it's important to have the comment line added too
    Code:
        # for security see https://community.centminmod.com/posts/17234/
        location ~* \.(bak|php~|php#|php.save|php.swp|php.swo)$ { return 444; }
    For Apache or LiteSpeed the new file match would be
    Code:
    <Files ~ "(^#.*#|~|\.bak|\.save|\.sw[op])$">
    Order allow,deny
    Deny from all
    </Files>
    The find check would become
    Code:
    cd /home/nginx/domains
    find . -type f \( -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]" -o -name "*.bak" \)
    Last edited: Aug 10, 2015
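As an added example (not Centmin Mod's own code and not one of the thread's commands), here is a small POSIX shell script that ties the pieces of this thread together: it runs the find check over a web root, then tests each leftover filename against the final drop.conf nginx regex and the Apache <Files ~ ...> regex to show which rule would cover it. The function names, the --demo flag and the constructed sample file tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: audit a web root for the editor
# backup/swap files discussed in this thread, and check which basenames the
# final nginx (drop.conf) and Apache (<Files ~ ...>) rules would refuse.
# Assumes POSIX sh with find, grep and mktemp. These are filename checks
# against the thread's regexes, not live HTTP requests.

# List editor backup files under the given directory. Same patterns as the
# thread's find check plus .bak, parenthesised so that -type f applies to
# every -o alternative, not only the first one.
find_editor_backups() {
    find "$1" -type f \( -name '*.php[~#]' -o -name '*.save' \
        -o -name '*.sw[op]' -o -name '*.bak' \) 2>/dev/null | sort
}

# Exit 0 if the basename would hit the "return 444" location from the
# updated drop.conf (location ~* is case-insensitive, hence grep -i).
nginx_blocks() {
    printf '%s\n' "$1" | grep -Eiq '\.(bak|php~|php#|php.save|php.swp|php.swo)$'
}

# Exit 0 if the basename would hit the Apache/LiteSpeed <Files ~ "..."> rule
# from this thread (case-sensitive, as written there).
apache_blocks() {
    printf '%s\n' "$1" | grep -Eq '(^#.*#|~|\.bak|\.save|\.sw[op])$'
}

# Report each leftover file and whether each web server rule would cover it.
audit() {
    find_editor_backups "$1" | while IFS= read -r f; do
        b=$(basename "$f")
        n=no; a=no
        nginx_blocks "$b" && n=yes
        apache_blocks "$b" && a=yes
        printf '%s\tnginx=%s\tapache=%s\n' "$f" "$n" "$a"
    done
}

# Constructed sample tree (a vim swap file is a hidden dotfile, an emacs
# autosave is #name#); run with --demo to try it without a real web root.
demo() {
    d=$(mktemp -d)
    touch "$d/wp-config.php" "$d/wp-config.php~" "$d/#wp-config.php#" \
          "$d/wp-config.php.save" "$d/.wp-config.php.swp" "$d/wp-config.php.bak"
    audit "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

For a real check, call it as `sh audit.sh --demo` to see the sample output, or source it and run `audit /home/nginx/domains` against your own web root.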
  7. eva2000 (Administrator, Staff Member)
    FYI for nano: nano docs

    For VIM regarding the swap files: Vim documentation: recover

    So VIM now adds a hidden . dot file.