Wordpress Wordpress Exploit if you use Nano, VIM or VI linux text editors

Heads up folks this would apply to not just Wordpress but any php app's config files being edited by VIM or VI linux text editors 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org Centmin Mod and created command shortcuts by default is set to use nano text editor on line 6 of centmin.sh. However, some folks prefer to use linux text editors like VIM or VI and there is nothing stopping folks from editing using their preferred linux text editors.

For instance to edit MySQL settings file in SSH via linux text editor you can to either

Code:

nano /etc/my.cnf

Code:

vim /etc/my.cnf

Code:

vi /etc/my.cnf

to edit the file. However, nano doesn't do auto backups by default but still do temp files.

The exploit 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org

I think @Matt prefers VIM ?

 

using return 444 better than deny

this doesn't cover emacs editor though for pattern #wp-config.php# still gets through

Code:

location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }

you can add it to your vhost's block.conf file but it's commented out by default so isn't active

Code:

#include /usr/local/nginx/conf/block.conf;

so need to uncomment it removing hash in front and restart nginx and php-fpm

Code:

include /usr/local/nginx/conf/block.conf;

or create a separate block file includes with just this change i.e. create /usr/local/nginx/conf/blockeditor-backups.conf and put into it

Code:

location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }

then in vhost add

Code:

include /usr/local/nginx/conf/blockeditor-backups.conf;

restart nginx and php-fpm

in your vhost file at end add new include file

Code:

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/blockeditor-backups.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;

edit: oh actually you could add it to /usr/local/nginx/conf/drop.conf file that already is included heh it already has some blocks in /usr/local/nginx/conf/drop.conf

Code:

        location = /robots.txt  { access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
        location ~ /\.          { access_log off; log_not_found off; deny all; }
        location ~ ~$           { access_log off; log_not_found off; deny all; }
        location ~ /\.git { access_log off; log_not_found off; deny all; }

so add to /usr/local/nginx/conf/drop.conf

Code:

        location = /robots.txt  { access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
        location ~ /\.          { access_log off; log_not_found off; deny all; }
        location ~ ~$           { access_log off; log_not_found off; deny all; }
        location ~ /\.git { access_log off; log_not_found off; deny all; }
        location ~* \.(php~|php#|php.save|php.swp|php.swo)$ { return 444; }

going to update centmin mod's /usr/local/nginx/conf/drop.conf file with this too

 

updated Centmin Mod with fix Install - Centmin Mod 1.2.3-eva2000.08 how to install & update

Also you can do a check using find command to see if any of those such files exist

Code:

cd /home/nginx/domains
find . -type f -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]"  

returns empty if no such files exist or returns files if exists i.e.

Code:

 find . -type f -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]"                 
./#wp-config.php#
./wp-config.php.save
./wp-config.php~
./wp-config.php.swo
./wp-config.php.swp

 

Also, for Apache or Litespeed web server folks the listed apache htaccess file match block at 1% of CMS-Powered Sites Expose Their Database Passwords » Feross.org is missing the one for *.save files so instead of

Code:

<Files ~ "(^#.*#|~|\.sw[op])$">
Order allow,deny
Deny from all
</Files>

use

Code:

<Files ~ "(^#.*#|~|\.save|\.sw[op])$">
Order allow,deny
Deny from all
</Files>

if you are using Apache or LiteSpeed web server

For whm/cpanel servers you can edit /usr/local/apache/conf/includes/pre_virtualhost_global.conf and add

Code:

<Files ~ "(^#.*#|~|\.save|\.sw[op])$">
Order allow,deny
Deny from all
</Files>

save file and restart Apache or LiteSpeed web server

 

FYI, updated centmin mod .08 stable again and added .bak extensions to blocking location for drop.conf file update drop.conf to block .bak files too · centminmod/centminmod@0f2e9ec · GitHub as some folks like to save backups using .bak extension

so /usr/local/nginx/conf/drop.conf last 2 lines would become where 17234 is the anchor that centmin mod checks to see if /usr/local/nginx/conf/drop.conf is the newest file so it's important to have the comment line added too

Code:

    # for security see https://community.centminmod.com/posts/17234/
    location ~* \.(bak|php~|php#|php.save|php.swp|php.swo)$ { return 444; }

for apache or litespeed the new filematch would be

Code:

<Files ~ "(^#.*#|~|\.bak|\.save|\.sw[op])$">
Order allow,deny
Deny from all
</Files>

find check would become

Code:

cd /home/nginx/domains
find . -type f -name "*.php[~#]" -o -name "*.save" -o -name "*.sw[op]" -o -name "*.bak" 

 

FYI for nano nano docs

For VIM regarding the swap files Vim documentation: recover

so VIM now adds a hidden . dot file