Servers

Cleaning up the Wordpress Pharma Hack

Cotton Rohrscheib called me a few days back wanting help fixing an apparent defacement (of sorts) on his website. Normally when a site is defaced, the pictures, text and other content are modified to make some sort of statement (be it political or otherwise). This hack was different - it only modified page titles and/or meta tags in order to exploit a site's search engine ranking to advertise cheap pharmaceuticals. So, instead of seeing the page titles in the search results you get this instead:

Not exactly what you wanted to see huh? It's a pretty clever concept but I'm not sure just how effective it is in selling these meds. I guess their thought is that if they can get high ranking sites to "advertise" for them then their trusted readers will purchase these items. Pretty sorry if you ask me, but as long as someone is making a dollar off of it, stuff like this will just continue.

So - how do you get rid of it? Well, it ain't so easy. Let me state up front that I am no WordPress expert nor am I overly familiar with its internal workings, so it's possible I'm taking the long way around. We scoured the web reading a ton of sites (special props to Sucuri), all with bits and pieces of the answer. None seemed to have the entire solution, so we're going to try to present our findings here. The first time we "removed" it the cleanup wasn't complete, so checking periodically to see if it stays clean is pretty much mandatory. All of our servers run suPHP, but the hack was still able to run successfully. I'm also not exactly sure how they "got in," so to speak, but regardless of what others may say I believe it was a bug in WordPress that was exploited before we applied the patch for it. suPHP will not allow a file to be read/executed unless it has correct permissions, so WordPress itself (or one of its many plugins) had to be the culprit. The latest ModSecurity ruleset will also help prevent these sorts of attacks, but it is not a substitute for patching sites as soon as possible. Security is a continuous process, not a "set it and forget it" model.
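One way to do that periodic "is it still clean?" check, as an added example that is not part of the original post: parse the page source you fetch from your own site and flag a rewritten title or a meta tag carrying the kind of pharma spam described above. The spam term list and the sample page head are constructed for the example; the expected title is whatever your page should really say.

```python
# Added example (not from the original post): parse a page's <head> and flag
# a rewritten <title> or a <meta> tag carrying the kind of pharma spam the
# post describes. Input here is a constructed sample embedded inline.
from html.parser import HTMLParser

# Constructed term list; extend it with whatever shows up in your search results.
SPAM_TERMS = ("viagra", "cialis", "pharmacy", "cheap pills", "buy online")


class HeadCollector(HTMLParser):
    """Collect the <title> text and the name/content of each <meta> tag."""

    def __init__(self):
        super().__init__()
        self.title, self.meta, self._in_title = "", {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def find_injected(html, expected_title):
    """Return (field, value) pairs whose content does not look like yours."""
    p = HeadCollector()
    p.feed(html)
    findings = []
    if p.title.strip() != expected_title:
        findings.append(("title", p.title.strip()))
    for name, content in p.meta.items():
        if any(term in content.lower() for term in SPAM_TERMS):
            findings.append(("meta:" + name, content))
    return findings


# Constructed sample of a hacked page head: title and description rewritten.
SAMPLE = """<html><head><title>Buy Cheap Pills Online - My Blog</title>
<meta name="description" content="Cheap viagra and cialis from an online pharmacy">
<meta name="generator" content="WordPress"></head><body>Hi</body></html>"""
```

Run find_injected() against each page you care about on a schedule; an empty list means the head still matches what you expect.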

Ravencore and PHP 5.3

If you use Ravencore (it's a pretty simple little web control panel) you've probably figured out by now that it doesn't work under PHP 5.3. The reason is that the author wrote a custom function called "goto." PHP had no goto until 5.3, so his custom goto now conflicts with the built-in one and PHP tries to interpret his function as the language construct. So, one quick command line and you can fix this:

cd /usr/local/ravencore/httpdocs
find . -type f -exec sed -i "s/goto/openfile/g" '{}' \;

His function was basically "opening" these files, so I just renamed "goto" to "openfile." Now your nifty little control panel works like a charm and the customer who uses it is happy once more. btw - I prefer grep, awk, sed, and vi as my control panel...;)

Using suPHP with Plesk

I wrote a while back about how we use ModSecurity as part of our standard server configuration. It has done a wonderful job in the past few years keeping all sorts of nasties away from our systems, but another layer of defense is never a bad thing, right? We recently started using suPHP to add yet another level of security to our sites. suPHP is an Apache module "for executing PHP scripts with the permissions of their owners." It forces end users to run all PHP scripts with the proper (user-configurable) permissions and keeps a script from executing as any user other than the owner of the file. This has some very distinct security advantages, in that an end user can be configured to have less access than the standard apache (or nobody) user/group.

Below is a typical file you might find on any Linux-based webserver:

I miss Sun

Yeah, I said it. I miss Sun Microsystems. Sun was a company that had some way-cool stuff years ago. They also had probably the best commercially available UNIX on the market (note I said HAD) for quite a while (side note - I'm partially biased as I have certifications for Solaris 7 and 8, but I also think IBM's AIX is way cool). Then Linux happened. That threw a wrench in all of the UNIX vendors' plans. Sun, IBM, DEC (Digital Equipment Corp.), Compaq (who I still despise for killing DEC), SCO, etc....all weren't really prepared for what hit them. Linux (as well as the BSDs of the world) wasn't really any more feature-rich than the other UNIX OSes - in fact, it lacked many of the features that commercial versions had. Skip forward about 15 years and Linux is fully featured and can go toe-to-toe with any commercial UNIX OS on the market.

UNIX System Monitoring

When you maintain several servers each running several virtual machines and have anything else at all to do, it is impossible to keep your eyes on them 100% of the time. There are a handful of software packages out there that can do this for you, but most are either too bulky, too complicated, or lack the features that you want. Scott Pinkston referred me to one the other day called Monit, which is the first one of these programs that I actually liked. Most of the others just have too much. This one is short, and to the point. Monit installs very quickly, and runs in the background as a daemon. One very simple config file holds the configuration data for the services you want to monitor, and if you so choose, you can have a secure webpage display stats on your services. It can also be configured to email you (or call the beeper, etc...) if certain events occur, and best of all, is super lightweight.

VMWare ESXi 4.0 Migration, Part Deux

As I wrote about last time, Pleth's move from VMWare Server to VMWare ESXi has been very successful thus far, but in the process we've discovered a couple of "neat tricks" and have proven to ourselves that the technology choices we made a few years back were indeed the right ones.

When you copy a .vmdk (VMware disk image) over from a VMware Server machine, you have to convert it to ESXi format. This process makes the resulting disk image the whole size that you've allocated. This isn't necessarily a bad thing, but if you had it set to thin provisioning in VMware Server your disk usage just went up. WAY up.

VMWare ESXi 4.0 migration

As I posted last time, we decided to move over to ESXi and so far it's been pretty smooth. ThePlanet installed ESXi 3.5 on our servers, which I quickly upgraded to 4.0. When you install the vSphere Client there is an option to install the host update utility. Run it, point it to the zip file you've downloaded from VMware's website, and wait a bit. It works like a charm (put the machine into maintenance mode first!!). Since the servers had no clients running on them, I did it during the day (which let me sleep last night! lol!!) I've been copying over the VMs from our VMware Server machine with good ol' scp and using the vmkfstools command on the ESXi box to convert them into ESXi format. It takes about 30-40 min per server for the whole process, which isn't exactly quick, but we're moving low-traffic boxes in very off hours. I moved the server that this website runs on during lunch today....;o)

A Day In The Life Of.....

I'm teaching at UACCB this summer, and my Microeconomics class is taking their first test. There's not a lot of smiles in the room....(which means my work here is done...lol). Anyway, I spent the morning reading about tuning VMware ESXi, which was just released in version 4.0, and supports hardware that we can get in our private shelf at ThePlanet. We ordered 2 new servers this week, both dual-processor Quad Core Intel Xeon powered Dell PowerEdge models with 16 GB of RAM and a ton of disk space. This should make things a bit faster than our current configuration. We were going to migrate everything to VMware Server, but with the release of 4.0 and ThePlanet supporting ESXi in their datacenters, this move makes much more sense.

VMware, Apache, MySQL, and PHP Performance Tuning

I posted a few weeks back that Pleth had transitioned some of their equipment over to VMware Server, and for the most part it's been a very smooth process. But as of late we've run into some slowdowns, especially on the VPS with Plesk (which happens to host several of our websites). After doing a bunch of research and spending many a late hour digging through tons of mpstat and other sysutils data, I think I found the culprit(s).

VMware Server, unlike the ESX/ESXi products, is not a Type 1 hypervisor. This means that the underlying OS (in our case Red Hat Enterprise Linux) was tuned out of the box for a general all-purpose server. This configuration isn't always optimal for a Type 2 hypervisor. It works just fine as long as things are "normal," but as the new VMware Server got a larger load (in terms of I/O and CPU), performance went downhill.

Mod Security is good for you!

Since I'm back, I've got a few days' worth of log files to dig through. A couple of years ago an old legacy PHP script Pleth was running wasn't very secure, but was critical to the operations of a particular customer. It got hacked (well, they used it to upload a C99Shell) a couple of times before the vendor released an update. Scouring the internet for a solution, I learned of ModSecurity, an application firewall of sorts. It runs as a module in your Apache configuration and uses a set of user-configurable rules files to detect and prevent a number of attacks against a website. The rules list has a huge community backing, and people have written rules for about every vulnerability out there. Open source is good, no? Anyway, as I was digging through those files today it kinda shocked me to see just how much stuff mod_sec blocked. The internet is a dangerous place.....
