Author Topic: Wordpress and Hackers (Read 16592 times)

wraith808 · « **on:** August 20, 2014, 02:44 PM »

So, since I started really securing my sites... I don't know what to do with the data.

Evil doers (presumably) are getting locked out quite frequently. I get the data on where and who they are. But... what do I do with that data? And is it even worth it? I've been hacked once, on one domain. And yes, it was annoying. But a quick restore, and I was back up and running.

Reporting all of these idiots seems like more trouble than that.

One example... and I'm not redacting anything, because I'm just pissed like that...

Spoiler

This is the full research report for 95.132.113.5, which is an IP address.

Whois Server
whois.ripe.net
Status
ALLOCATED
Contact Email

Registrant
UKRTELNET-ADSL
UKRAINE

Administrative Contact
Remiga Alexander
JSC UKRTELECOM
18, Shevchenko blvd, Ukraine, Kiev
Telephone: 380 44 2881072

Technical Contact
Remiga Alexander
JSC UKRTELECOM
18, Shevchenko blvd, Ukraine, Kiev
Telephone: 380 44 2881072

Why would anyone even *want* to try to hack my site that I barely update?

x16wda · « **Reply #1 on:** August 20, 2014, 06:46 PM »

Why would anyone even *want* to try to hack my site that I barely update?
-wraith808 (August 20, 2014, 02:44 PM)

To insert malware-installation code in the site, of course.

ewemoa · « **Reply #2 on:** August 20, 2014, 07:23 PM »

Perhaps there's portions of the following that might be applicable?

The Scrap Value of a Hacked PC, Revisited

x16wda · « **Reply #3 on:** August 20, 2014, 08:21 PM »

^ A much better, more complete answer than the tiny insignificant portion of it I noted.

wraith808 · « **Reply #4 on:** August 20, 2014, 09:53 PM »

... but both of you are concentrating on the throwaway comment rather than the question?

Renegade · « **Reply #5 on:** August 20, 2014, 10:01 PM »

I've noticed a couple spikes in attacks lately. Lots of brute force attacks - useless - I don't even know my passwords - they're just insanely long.

ewemoa · « **Reply #6 on:** August 20, 2014, 10:21 PM »

... but both of you are concentrating on the throwaway comment rather than the question?
-wraith808 (August 20, 2014, 09:53 PM)

Opinions similar to "not worth the trouble" are what I'm familiar with (though from experiences that are perhaps outdated) -- no good ideas regarding what the situation is like these days.

app103 · « **Reply #7 on:** August 21, 2014, 03:14 AM »

Have you considered the idea that they don't want to attack you? And that they don't have any idea that they are doing it? That they could be the victim of malware?

x16wda · « **Reply #8 on:** August 21, 2014, 05:29 AM »

You could try to pull the relevant "responsible" entities by IP and/or domain and send a report to the abuse address, but my experience is that nothing will happen. So it really depends on how valuable you rate your time and how annoyed you get.

And that they don't have any idea that they are doing it?
-app103 (August 21, 2014, 03:14 AM)

Entirely possible, either through an infection on the attacker's box or through trying out a new malware construction set and turning it loose.

wraith808 · « **Reply #9 on:** August 21, 2014, 06:09 AM »

Have you considered the idea that they don't want to attack you? And that they don't have any idea that they are doing it? That they could be the victim of malware?
-app103 (August 21, 2014, 03:14 AM)

It's possible. But since all of the attacks originate from the same general area (the Ukraine), but not the same IP... is that likely?

You could try to pull the relevant "responsible" entities by IP and/or domain and send a report to the abuse address, but my experience is that nothing will happen. So it really depends on how valuable you rate your time and how annoyed you get.

-x16wda (August 21, 2014, 05:29 AM)

This is what I figured the answer would be. I also feel like taking that route would be being 'part of the problem', i.e. no one reports... so what's the reporting system good for. I've just not reported anyone in a while... so didn't know if the abuse reports had gotten any better in resolution.

MilesAhead · « **Reply #10 on:** August 21, 2014, 04:56 PM »

I wonder if it's even legit. When I registered my domain I spent a couple of extra bucks to generate dummy whois info. Probably a waste of $2 but I thought I might get phone calls if my home info came up.

Looking up favessoft.com it shows it registered to
Julius Caesar, LLC

I wouldn't waste anymore of your time on it.

wraith808 · « **Reply #11 on:** August 21, 2014, 05:22 PM »

They actually got through enough to sort of screw things up. I fixed it easy enough... but I did some more securing and moved the root of the wp site... it's inconvenient, but it should secure it a bit more.

Stoic Joker · « **Reply #12 on:** August 21, 2014, 05:47 PM »

For something with that level of exposure, I'd rename the admin account to something that was meaningful only to me. Then to be a total ass I'd create a bogus (HoneyPot) account with the default admin name that triggered an event to log as much information about said visitor as a browser session allows.

...Maybe even add an automated redirector that sent anyone with more than 10 failed login attempts in a minute to the FBI's home page...

wraith808 · « **Reply #13 on:** August 21, 2014, 07:38 PM »

It's not just renamed, it's deleted. I always make my account first as an admin, then delete the admin account.

But that last part is inspired...

Tuxman · « **Reply #14 on:** August 22, 2014, 06:05 AM »

WordPress is known for its random security issues, but so are all larger web projects I know.

"Secure" your WP by renaming your wp-content folder and removing meta info from the log-in. I guess that already helps a lot.
And don't use too many plug-ins without having checked their code.

rgdot · « **Reply #15 on:** August 23, 2014, 01:13 PM »

What Tuxman said is true.
It is a target because of its wide use, already mentioned stuff for example there are tools that change wp-login to something else, limit login attempts, disallow php execution in some directories. All will help but it will never be 100%, of course.

app103 · « **Reply #16 on:** August 23, 2014, 06:02 PM »

...Maybe even add an automated redirector that sent anyone with more than 10 failed login attempts in a minute to the FBI's home page...
-Stoic Joker (August 21, 2014, 05:47 PM)

Are you kidding? I don't allow any more than 2 failed attempts in an hour before I block the IP.

By the way, anyone wanting their Wordpress site secured the right way and don't really have a clue how to do it, contact me to discuss it.

It will take me about 3-5 hours of work, total time. I'll give you more and charge you less than anyone else on the internet.

My website isn't quite finished (still needs FAQ & About page), but I have hung up my shingle for it, complete with testimonials from some familiar faces.

Stoic Joker · « **Reply #17 on:** August 23, 2014, 06:20 PM »

...Maybe even add an automated redirector that sent anyone with more than 10 failed login attempts in a minute to the FBI's home page...
-Stoic Joker (August 21, 2014, 05:47 PM)

Are you kidding? I don't allow any more than 2 failed attempts in an hour before I block the IP.
-app103 (August 23, 2014, 06:02 PM)

No - for an environment that is actually user friendly - I'm not. The average user that forgot their password will typically try between 3 and 5 passwords a minute. The typical automated attack will try between 2 and 5 times a second. So yes, erring on the side of caution so as not to risk piss of customers/clients/visitors ... I'd say 10 tries in a minute ensures their is indeed some funny business going on.

rgdot · « **Reply #18 on:** August 23, 2014, 06:23 PM »

Are you kidding? I don't allow any more than 2 failed attempts in an hour before I block the IP.

By the way, anyone wanting their Wordpress site secured the right way and don't really have a clue how to do it, contact me to discuss it.

It will take me about 3-5 hours of work, total time. I'll give you more and charge you less than anyone else on the internet.

My website isn't quite finished (still needs FAQ & About page), but I have hung up my shingle for it, complete with testimonials from some familiar faces.

-app103 (August 23, 2014, 06:02 PM)

Didn't know about this, very cool app

Spoiler

Expect tweets and stuff about it

app103 · « **Reply #19 on:** August 23, 2014, 09:47 PM »

Didn't know about this, very cool app
-rgdot (August 23, 2014, 06:23 PM)

Thank you.

It was a spinoff from an idea that mouser had, that didn't quite get off the ground, where I was going to team up with another DC member, to offer managed hosting of secured Wordpress sites. They would have handled all the server/hosting related stuff and I would have handled all the Wordpress setup and maintenance stuff, among other things.

Since it didn't pan out as expected, I decided to take my part of it and offer it to the public, without the hosting portion. I kind of put it all on the back burner shortly after setting up that site, when I landed a fantastic long term freelance job that takes up a large chunk of my free time. (so don't promote it too heavily, please)

rgdot · « **Reply #20 on:** August 24, 2014, 12:14 AM »

Understood

Renegade · « **Reply #21 on:** August 24, 2014, 11:21 AM »

And don't use too many plug-ins without having checked their code.
-Tuxman (August 22, 2014, 06:05 AM)

While this is 110% solid advice, it's really hard for most people to do this. Very few people, and even few programmers, are qualified to actually determine security vulnerabilities. It's not easy.

Could I do it? Yes. How long would it take me? FOREVER!

I understand enough to track down issues. But I'll never actually do it because it's simply far too time consuming.

There's the actual code itself, which is relatively simple to check for things like SQL injection, etc.

Then there's the checking of the actual PHP methods, and so on down the line. NIGHTMARE!!!

My rule of thumb here is to use only commonly used plug-ins with a record of security. I have to blindly trust them because checking is too expensive for me.

Tuxman · « **Reply #22 on:** August 24, 2014, 11:46 AM »

My rule of thumb here is to use only commonly used plug-ins with a record of security. I have to blindly trust them because checking is too expensive for me.
-Renegade (August 24, 2014, 11:21 AM)

I usually try to replace plug-ins by simple functions.php snippets around twice a year. Works well. I know it sounds a bit harsh, but if you don't understand PHP, you shouldn't install WordPress. Better use the wordpress.com hosting service.

Stoic Joker · « **Reply #23 on:** August 24, 2014, 12:00 PM »

My rule of thumb here is to use only commonly used plug-ins with a record of security. I have to blindly trust them because checking is too expensive for me.
-Renegade (August 24, 2014, 11:21 AM)

I usually try to replace plug-ins by simple functions.php snippets around twice a year. Works well. I know it sounds a bit harsh, but if you don't understand PHP, you shouldn't install WordPress. Better use the wordpress.com hosting service.
-Tuxman (August 24, 2014, 11:46 AM)

That's not going to auto-magically protect someone from installing a defectoid plugin, or guarantee security. It might get you updates a little faster...but until a need for said update is known, you're still going to be just as exposed as any other vanilla install.

Tuxman · « **Reply #24 on:** August 24, 2014, 12:02 PM »

Wordpress.com didn't let you install custom plug-ins last time I checked.