5 comments

[ 4.1 ms ] story [ 25.0 ms ] thread
I shared this because it touches on the subject of blocking outgoing ports. I was hoping it had been shared already and there'd be some interesting comments on the subject.

So, how would blocking outgoing traffic help secure a server? Wouldn't the malware just scan for an open port?

You're opening a different can of worms by preventing the WP auto-updater to work.

Also, chmod -w on Wordpress will kill its ability to upload files - well how do you plan on allowing users to upload media?

And how did a PNG file ever pass through the PHP interpreter? Sounds like a veeeeery badly misconfigured Apache to me.

>And how did a PNG file ever pass through the PHP interpreter?

It is possible if you do something stupid like blindly including or requiring the "image" file content, as part of serving the image through a PHP file. Anything run through include() or require() is run through the parser if it contains php tags. I vaguely remember it being an issue with user avatars in one of the more popular PHP forums but I don't remember which.

It's one of those things where even though you can do it that way in PHP, it basically takes a comedy of errors (or just a malicious plugin writer) for it to even occur.

> It is possible if you do something stupid like blindly including or requiring the "image" file content, as part of serving the image through a PHP file.

This is so stupid, it's actually awesome. fpassthru/readfile are your friends...

> All of them failed to notice that a .png file had “eval(‘foo’)” PHP code in it.

I have found CXS[0] extraordinarily successful at identifying this sort of thing.

Before someone says it, I agree that "nuke it and restore from backup" is the ideal solution. But since we're talking about hacked Wordpress servers, we're probably already talking about "cleanup after the intrusion" on unmaintained servers with limited management and backups.

[0] http://configserver.com/cp/cxs.html