So this blog post slash tutorial is on how to detect if someone is messing with your blog.
This blog is a few years old now and has over 60,000 links just in the blog posts.
And then you toss in the stories and the jokes, yea, ok, supposed to be jokes and you have a lot of content.
So how can I tell if someone actually broke into the blog and changed anything?
Not so hard actually.
As with anything else you first need a baseline file. The earlier you create this the better off you’re going to be. Sure there are plugins that can audit your blog but when I was running those it was averaging four audit entries for every blog post. And even with that it didn’t post the date of the blog post so I couldn’t tell if it was from today, last week, or the very first post.
A better way to do this was needed.
And most of us are probably using phpMyAdmin to manage the MySql part of things so there has to be a way to leverage that.
And there is.
So the usual screen for phpMyAdmin without the missing sections looks like:
Don’t worry about the missing stuff. It’s not important for this.
So right above the name of the database is a box labeled SQL. This lets you run SQL commands right on the box. Click on it and a new window opens:
So right above the red underline is the SQL box and right beneath it is the box that opens. In that box type:
select ID, post_date, post_content, post_title, post_name, post_modified, guid from wp_posts order by post_date, post_title
If you’ve changed your table prefixes then change wp_posts to whatever_your_prefix_is_posts instead. And then press the Go button to run the query.
The screen then fills in with all of the data. As you can see on the screen at the top is my very first post and then all of the other posts are sorted beneath it.
Then scroll down to the bottom of the screen and click on “Export.”
This takes you to the normal export screen. From there just set the file options and download the file:
and save the file to your computer.
Now you need two files for this to work.
You need the previous file and the current file.
And if you thought I was going to just use “diff” to find the differences in the two files you would be either psychic or a Unix/Linux type admin.
So diff needs two files to work. And then it just tells you what the difference between the two files is.
diff old_file new_file > diff_file
will tell you what the difference between the two files is and it will save the output to a file called diff_file.
Then you just use a file editor such as gedit to view the file.
So one of the fields I have you export is the date field. So if any of the dates in the difference file are before the date of the old_file, then someone’s been messing with your blog and the diff output will tell you what field has changed so you can put it back the way it was.
Then you delete the old file and rename new_file to old_file.
And then the next time you do this you save the downloaded file as new_file and repeat the process.
Then you don’t need a plugin to tell if your posts have changed.
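The old-file/new-file comparison described above, as an added example that is not part of the original post: instead of eyeballing raw diff output it reads two phpMyAdmin CSV exports of that same SELECT, keys the rows by ID so sort order does not matter, and reports posts whose post_date is before the baseline export but whose fields changed anyway. The two exports and the baseline date are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from the post): two phpMyAdmin CSV exports of the
# SELECT on wp_posts, taken at different times.  Post 1 has had its content
# altered after the baseline; post 3 is a new, legitimate post.
OLD_EXPORT = """ID,post_date,post_content,post_title,post_name,post_modified,guid
1,2009-03-01 10:00:00,Hello world,First post,first-post,2009-03-01 10:00:00,http://blog.invalid/?p=1
2,2010-06-15 08:30:00,Some text,Second post,second-post,2010-06-15 08:30:00,http://blog.invalid/?p=2
"""
NEW_EXPORT = """ID,post_date,post_content,post_title,post_name,post_modified,guid
1,2009-03-01 10:00:00,Hello world <script>bad()</script>,First post,first-post,2012-09-07 03:12:44,http://blog.invalid/?p=1
2,2010-06-15 08:30:00,Some text,Second post,second-post,2010-06-15 08:30:00,http://blog.invalid/?p=2
3,2012-09-06 12:00:00,New article,Third post,third-post,2012-09-06 12:00:00,http://blog.invalid/?p=3
"""
FMT = "%Y-%m-%d %H:%M:%S"  # MySQL DATETIME as phpMyAdmin exports it


def load_export(text):
    """Parse a CSV export into {ID: row}; keying by ID makes row order irrelevant."""
    return {row["ID"]: row for row in csv.DictReader(io.StringIO(text))}


def compare_exports(old_text, new_text, baseline):
    """Compare two exports.  Returns (suspect, added, removed):
    suspect maps post ID -> [(field, old_value, new_value)] for posts whose
    post_date is before the baseline export yet whose fields differ (the
    post's rule of thumb for tampering); added/removed are lists of IDs."""
    old, new = load_export(old_text), load_export(new_text)
    baseline_dt = datetime.strptime(baseline, FMT)
    suspect, added = {}, []
    for pid, row in new.items():
        if pid not in old:
            added.append(pid)
            continue
        diffs = [(f, old[pid][f], row[f]) for f in row if old[pid][f] != row[f]]
        if diffs and datetime.strptime(row["post_date"], FMT) < baseline_dt:
            suspect[pid] = diffs
    removed = [pid for pid in old if pid not in new]
    return suspect, added, removed


if __name__ == "__main__":
    suspect, added, removed = compare_exports(OLD_EXPORT, NEW_EXPORT, "2012-09-01 00:00:00")
    for pid, diffs in suspect.items():
        for field, before, after in diffs:
            print(f"post {pid}: {field} changed from {before!r} to {after!r}")
    print("added:", added, "removed:", removed)
```

Your own edits to old posts show up here too, so anything flagged that you remember changing yourself can be ignored; everything else deserves a look.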
To check your plugins against the original repository use WordFence.
To check your plugins for malicious code use 6scan
To check for changed files use WordPress File Monitor Plus or Better WordPress Security.
Better WordPress Security also does a lot more.
Backup early and often
Patch early and often
OSE Firewall and Bulletproof try to add Application Firewalling for free.
Install and configure mod-security
The WordPress guide is at: https://codex.wordpress.org/Hardening_WordPress
Nothing that contains passwords should ever be in “Document root” or below, ever. wp-config.php can be placed “ANYWHERE” and a simple line can be added to aid in that endeavor.
You do not need a web browser to browse the web.
In fact as you will see some would prefer not to.
telnet is a utility that is used to connect from one machine to another. It can also be used to see if certain ports are open or not and then you can interact with that port.
telnet’s main use is to log on to another machine. The drawback is that the username/password is sent as clear text so anyone sniffing the wire can pick up the credentials and then use them to impersonate the user.
However, you can use telnet as a cheap browser. Consider the following:
telnet www.ilkda.com 80
Connected to ilkda.com.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 07 Sep 2012 19:09:37 GMT
Last-Modified: Wed, 18 Jul 2012 23:51:55 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
The first line says to connect to my domain using port 80, the port number for web servers.
GET / HTTP/1.1 means to get the document root page using HTTP version 1.1. Host: ilkda.com tells it from whom to fetch the page. Two <enter> keys and it does as it’s told to do. You can see that it then displays the HTML page as it was written.
You can use this as a guide:
This is old stuff. Really old stuff. So what you ask.
So the / in the GET line can be used to Get ANYTHING. Any page on your site. More specifically, any file on your site.
Right. So one of the things people do with WordPress is to add plug-ins. And some of those plugins have security holes. So an attacker needs to know if you have a plug-in installed and if so then he can use the security hole to hack your blog.
And an easy way to do that is to use telnet.
So how do they know the path to insert? The same way you do.
Anyone can build a WordPress site. It’s not difficult. Anyone can install buggy plug-ins. You can and the bad guy can. Then all he has to do is to see how it normally installs on his machine and then he knows how it installs on your machine.
More than likely it’s going to be the same. You can move the wp-content directory but it’s discouraged because it breaks a lot of plug-ins. Or so they say anyways.
So most people won’t and then his setup looks exactly like your setup.
In other words, your file and directory structure are exactly the same.
And then they can use telnet and HTTP Get to see if you have the buggy plug-in installed or not.
GET /wordpress/wp-content/plugins/press-this-reloaded/readme.txt HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 07 Sep 2012 19:25:48 GMT
Last-Modified: Fri, 31 Aug 2012 01:06:12 GMT
Content-Type: text/plain; charset=UTF-8
=== Press This Reloaded ===
And I have plugins installed that don’t allow HTTP GET to get through.
So if you were wondering how you got hacked after you blocked SQL Injections and so on this may be one method that they used against you.
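The probing described above leaves a recognisable trail in the web server's access log: one client fetching readme.txt under several plugin directories in quick succession, most of them 404s with the odd 200 for a plugin that really is installed. This added example (not from the post) parses constructed Apache combined-format log lines and reports such clients; the IPs, plugin names and paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the post).
# 203.0.113.9 walks a list of plugin readme.txt files; only one exists (200).
SAMPLE_LOG = """\
203.0.113.9 - - [07/Sep/2012:19:25:48 +0000] "GET /wordpress/wp-content/plugins/press-this-reloaded/readme.txt HTTP/1.1" 200 1840 "-" "-"
203.0.113.9 - - [07/Sep/2012:19:25:49 +0000] "GET /wordpress/wp-content/plugins/some-gallery/readme.txt HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [07/Sep/2012:19:25:50 +0000] "GET /wordpress/wp-content/plugins/some-forms/readme.txt HTTP/1.1" 404 209 "-" "-"
198.51.100.4 - - [07/Sep/2012:19:30:01 +0000] "GET /wordpress/2012/09/a-post/ HTTP/1.1" 200 5120 "http://blog.invalid/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# readme.txt under wp-content/plugins, wherever WordPress itself is installed
PROBE_RE = re.compile(r'/wp-content/plugins/(?P<plugin>[^/]+)/readme\.txt$', re.IGNORECASE)


def parse_line(line):
    """Return (ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    return (m["ip"], m["method"], m["path"], int(m["status"])) if m else None


def find_plugin_probes(log_text, threshold=2):
    """Group plugin readme.txt fetches by client IP.  Returns
    {ip: {"probed": [plugins], "confirmed": [plugins that returned 200]}}
    for clients that touched at least `threshold` distinct plugins."""
    seen = defaultdict(lambda: {"probed": [], "confirmed": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, method, path, status = parsed
        m = PROBE_RE.search(path.split("?", 1)[0])  # ignore any query string
        if method != "GET" or not m:
            continue
        plugin = m["plugin"]
        if plugin not in seen[ip]["probed"]:
            seen[ip]["probed"].append(plugin)
        if status == 200 and plugin not in seen[ip]["confirmed"]:
            seen[ip]["confirmed"].append(plugin)
    return {ip: v for ip, v in seen.items() if len(v["probed"]) >= threshold}


if __name__ == "__main__":
    for ip, hit in find_plugin_probes(SAMPLE_LOG).items():
        print(ip, "probed", hit["probed"], "found", hit["confirmed"])
```

The "confirmed" list is exactly what the prober learned about your install, which tells you which plugins to check for updates first.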
This happens even if you have “Open New Windows in a New Tab Instead.”
I’ve fought this battle before and forgot what I did to fix it.
As I mentioned in the last post to “Networking Tutorial” I’ve been having issues when connecting to web sites that use Akamai.
One site got so bad that I had to create a new profile to see if that fixed the issue.
And it did.
So I copied over my passwords and bookmarks and tested everything in the new profile. Everything works fine.
So I added in all of my Firefox extensions and went about the process of blogging.
Not so fast.
I use Press This Reloaded. A LOT!
And when I clicked on it in the new profile it opened a new window instead of opening it in a tab as I’ve become quite accustomed.
And to top it all off I couldn’t remember what I did to fix this.
So I did some web searches.
Everything I hit upon says, can’t be done, user needs to use the preferences in Firefox or whatever.
So the only thing left to do was to pull up the old prefs.js file from the old profile and look through it. And it’s a pretty big file.
So I found every line that had “Extension” in it and tossed them out.
Ah. A much smaller file to work with. Perhaps 150 lines.
The first line was:
And in the old profile it was set to 0 and in the new profile it was set to 2.
So I changed it to 0.
And tried Press This Reloaded again.
Ah, back to loading in a tab again!
If you want to look into it.
And so I got to thinking again about my issues with Akamai and was wondering if this new profile would have the same issues.
Actually what I discovered by accident is that the Oracle Self Support Forums also use Akamai.
How do I know?
Because once I hit them this afternoon my browsing came to a dead stop again.
So I pulled up netstat and took a peek and there was one connection to Akamai.
So then I pulled up snoop and watched the flood of DNS errors go by and watched the browser do nothing. I also saw a lot of lines trying to connect to Akamai.
So luckily this location that I’m at has two wifi BSSIDs.
So I switched to the other one.
Then I went back to browsing.
How do I feel about Akamai?
- Variable 'login && password' of the POST method triggered the filter 'wordpress login bruteforcing' for the content 'admin:admin123'.
A user with IP address 18.104.22.168 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username to try to sign in.
User IP: 22.214.171.124
User hostname: ns3.ehosting.biz
admin123 as a password. What kind of idiot does he think I am?