Ticket #718 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

REconomy site showing adverts randomly

Reported by: ed Owned by: chris
Priority: blocker Milestone: Maintenance
Component: Parrot server Keywords:
Cc: laura Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 5.35

Description

Load http://www.reconomy.org and the first time you get it, and at other times at random, you get spam.

URGENT check please - on REconomy and all WP sites...

Attachments

Capture.JPG (154.8 KB) - added by ed 3 years ago.
Screengrab of REconomy site p0rned

Change History

comment:1 Changed 3 years ago by ed

  • Summary changed from REconomy site showing advert on first to REconomy site showing adverts randomly

Changed 3 years ago by ed

Screengrab of REconomy site p0rned

comment:2 Changed 3 years ago by chris

  • Cc laura added

Yes, it's been owned. I have taken it offline but it can be accessed here for fixing it:

Once I have fixed the redirect.

This holding page is set to take all requests; it's set as the 404 page:

I'm not going to have time to rebuild it today, Laura...?

comment:3 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

comment:4 Changed 3 years ago by laura

Hi

I've had a look through the access log files, which probably don't make total sense to me, but at some times of day when new files were added to the site things like this appear in the logs (Kennethgets appears a lot in the logs, as well as node/add/forum and other tn.org type related things too, such as user/register Drupal stuff, even though it is the REconomy log):
31.204.152.238 - - [08/Apr/2014:07:33:52 +0100] "GET /resourcing-reconomy/ HTTP/1.0" 301 6159 "http://www.reconomy.org/resourcing-reconomy/#comment-88764++++++++Result:+chosen+nickname+%22Kennethgets%22;+ReCaptcha+decoded;+script+security+decoded;+registered;+logged+in;+success+-+posted+to+first+encountered+partition+%22/node/add/forum%22;" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36" 519 6805

Various items have been inserted into the sites/default folder on the site, e.g. a new 'content' folder which is full of crud in /wp-content (last updated at 20.16 on the 10th), and the 404.php file in the main REconomy theme files was overwritten on 2nd April at 15.40 with base-64 blurbs.

I'm going through all the plugin files currently and taking a dump to scan and diff locally. Spoke with Chris earlier on the phone; it would possibly be good to have a new WP install space set up, as he mentioned being able to set up a dev space, and I can then re-upload new versions of plugins, files etc. DB backups: I have some basic ones here (not tested yet; still taking a dump of the wp-content files at the mo, which will take a while!), from 25/3 and 8/4 using a basic backup plugin, but I would need to test these, as I usually dump from phpMyAdmin. Not sure what backups Chris has and what would need cleaning up.

Timewise I have a few hours available today that I can work around, but am out with other clients mid afternoon onwards til evening.

I'll email Chris as well to see if he can set up a clean install of WP on a dev space, and I can get things set up there.
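The two indicators Laura describes in this comment, the self-reporting spam-bot referrer string in the access log and the theme's 404.php rewritten with base64 blobs alongside a new 'content' folder, are exactly what a small triage script can pick out. The following is an added example, not code from the ticket, from the REconomy site or from any plugin: a Python script that (a) parses combined-format access log lines and flags requests whose Referer carries the progress text that forum-spam bots leak (the "Result: chosen nickname ... ReCaptcha decoded ... posted to first encountered partition" string quoted above is that text), plus POSTs to .php files under wp-content/uploads, and (b) diffs a dumped wp-content tree against a clean copy of the same WordPress and plugin versions, flagging new and modified files and searching the PHP among them for eval/base64_decode-style obfuscation, which is the "scan and diff locally" step Laura mentions. Apart from the log line quoted in the comment, the sample log lines, file contents and path layout are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Apache/nginx combined log format, as in the line pasted in the comment above;
# this server appends two extra numeric fields, which the regex does not anchor against.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that forum-spam bots leak into the Referer header when they report
# their own progress ("chosen nickname ... ReCaptcha decoded ... posted to ...").
SPAMBOT_MARKERS = (
    "Result:+chosen+nickname",
    "ReCaptcha+decoded",
    "posted+to+first+encountered+partition",
)

# Constructed sample: the first line is the one quoted in the ticket, the other two
# are made up (RFC 5737 test addresses) to exercise the remaining branches.
SAMPLE_LOG = [
    '31.204.152.238 - - [08/Apr/2014:07:33:52 +0100] "GET /resourcing-reconomy/ HTTP/1.0" 301 6159 '
    '"http://www.reconomy.org/resourcing-reconomy/#comment-88764++++++++Result:+chosen+nickname+'
    '%22Kennethgets%22;+ReCaptcha+decoded;+script+security+decoded;+registered;+logged+in;+success'
    '+-+posted+to+first+encountered+partition+%22/node/add/forum%22;" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36" 519 6805',
    '198.51.100.20 - - [08/Apr/2014:07:35:01 +0100] "GET /about/ HTTP/1.1" 200 8821 "-" "Mozilla/5.0" 0 0',
    '203.0.113.7 - - [10/Apr/2014:20:16:09 +0100] "POST /wp-content/uploads/2014/04/x.php HTTP/1.1" 200 412 "-" "Mozilla/5.0" 0 0',
]


def flag_log_lines(lines):
    """Return (ip, path, reason) for every request that looks like bot or webshell traffic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if any(marker in m.group("referer") for marker in SPAMBOT_MARKERS):
            hits.append((m.group("ip"), m.group("path"), "spambot-referer"))
        elif m.group("method") == "POST" and re.search(r"/wp-content/uploads/.*\.php(\?|$)", m.group("path")):
            # PHP executing from the uploads directory is a classic dropped-webshell tell.
            hits.append((m.group("ip"), m.group("path"), "php-under-uploads"))
    return hits


# Functions whose presence in a theme or plugin file warrants a manual look; the
# overwritten 404.php described in the comment fed base64 text to code like this.
OBFUSCATION_RE = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13|eval|assert)\s*\(", re.I)


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_tree(site_root, clean_root):
    """Diff a dumped wp-content tree against a clean copy of the same versions.

    Returns (relative path, reasons) for files that are new or modified; PHP files
    among them are additionally searched for the obfuscation functions above.
    """
    site_root, clean_root = Path(site_root), Path(clean_root)
    findings = []
    for p in sorted(site_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(site_root)
        ref = clean_root / rel
        if not ref.exists():
            reasons = ["new"]
        elif sha256_of(p) != sha256_of(ref):
            reasons = ["modified"]
        else:
            continue  # byte-identical to the clean copy
        if p.suffix.lower() in (".php", ".phtml", ".inc"):
            hit = OBFUSCATION_RE.search(p.read_bytes())
            if hit:
                reasons.append("obfuscation:" + hit.group(1).decode().lower())
        findings.append((rel.as_posix(), reasons))
    return findings


def demo_scan():
    """Build a constructed clean tree and a constructed compromised tree, then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "themes/reconomy").mkdir(parents=True)
            (root / "plugins/akismet").mkdir(parents=True)
            (root / "plugins/akismet/akismet.php").write_text("<?php // unchanged plugin file\n")
        (clean / "themes/reconomy/404.php").write_text("<?php get_header(); ?>\n<h1>Not found</h1>\n")
        # The theme's 404.php overwritten with an eval'd base64 payload (payload text is made up).
        (site / "themes/reconomy/404.php").write_text(
            "<?php eval(base64_decode('aGVhZGVyKCdMb2NhdGlvbjogaHR0cDovL2V4YW1wbGUuaW52YWxpZC8nKTs=')); ?>\n"
        )
        # A 'content' folder that does not exist in the clean install.
        (site / "content").mkdir()
        (site / "content/index.php").write_text("<?php echo 'crud'; ?>\n")
        return scan_tree(site, clean)
```

On a real case, feed flag_log_lines the whole access log and point scan_tree at the dumped wp-content and at a fresh download of the same WordPress, theme and plugin versions; a hash mismatch on its own is not proof of compromise (config files and caches legitimately differ), but an OBFUSCATION_RE hit in a theme or plugin file is worth reading by hand, and the timestamps of the flagged files can then be matched back to the log.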

comment:5 Changed 3 years ago by laura

One other note: a new plugin was added on 25/3, Groupdocs-assembly (from readme.txt: "Lets you create a document template, add fields and questions and send it out to people to fill in."). I will see if Fi or Shane added it somehow, as I know nothing about this plugin or where it came from (it doesn't appear to be on WP.org presently, but possibly was in the past; it can be downloaded from elsewhere).

comment:6 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.25 to 0.5

A new WordPress site has been set up here http://reconomy.parrot.webarch.net/ and Laura should have the SFTP and phpMyAdmin login for this.

When it's ready to be made live we will need to follow the steps here: https://codex.wordpress.org/Changing_The_Site_URL

Would now be a good time to set up HTTPS for the site?

comment:7 Changed 3 years ago by laura

Cheers Chris

I'm just starting to go through my copies of the db here from the backup plugin, and need to test fully (I presume you have a backup if needed too!), and then will start adding theme files and plugins and bits on the new space.

comment:8 Changed 3 years ago by laura

Just an update: I've uploaded updated wp-content and plugins, and attempted to import the database via phpMyAdmin, but whilst importing I get a blank part of the screen. It's a zipped SQL file, 15MB.
I have to go out for a while now, but will try again later; if still no joy I'll get in touch with Chris later.

I need to reimport the db, then do some jiggling with that (obv change site url and home in wp-options table), and run through some further final checks within WP itself.

Laura
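Changing siteurl and home in wp-options, as Laura plans here, is two plain-string updates, but other rows that embed the old URL (text widgets such as the manual HTML widgets on the home page, theme mods, some plugin settings) are PHP-serialized arrays in which every string carries a byte-length prefix. A plain search-and-replace on those leaves the prefix wrong, PHP's unserialize() then fails and WordPress silently drops the option. The following is an added example, not code from the ticket or from the codex page linked above, of a serialization-aware rewrite in Python; the hostnames are the ones on this ticket, but the widget_text row is constructed, and the functions work on option_value strings as read from the table (for example via phpMyAdmin), not on a raw SQL dump.

```python
import re

# Leading token of a PHP-serialized value: a:<n>:{...}, O:<n>:"...", s:<n>:"...", i:, b:, d:, N;
SERIALIZED_RE = re.compile(r"^(?:[aOs]:\d+:|[ibd]:|N;)")
STRING_TOKEN_RE = re.compile(r's:(\d+):"')


def replace_in_serialized(data, old, new):
    """Replace old with new inside every s:N:"..." token, recomputing N.

    N is a byte count (PHP strings are byte strings), so a value with non-ASCII
    characters must be measured after UTF-8 encoding. The scan is sequential and
    uses N to find the end of each string, so a value containing '";' is handled.
    """
    out, i = [], 0
    while i < len(data):
        m = STRING_TOKEN_RE.match(data, i)
        if not m:
            out.append(data[i])
            i += 1
            continue
        length, start = int(m.group(1)), m.end()
        value = data[start:].encode("utf-8")[:length].decode("utf-8")
        end = start + len(value)
        if data[end:end + 2] != '";':
            # Malformed token: copy it through untouched rather than guess.
            out.append(data[i:m.end()])
            i = m.end()
            continue
        value = value.replace(old, new)
        out.append('s:%d:"%s";' % (len(value.encode("utf-8")), value))
        i = end + 2
    return "".join(out)


def rewrite_option(option_value, old, new):
    """Rewrite one wp_options.option_value, serialized or not.

    'siteurl' and 'home' are plain strings; widget and theme-mod options are
    serialized arrays, where str.replace() alone leaves stale length prefixes.
    """
    if SERIALIZED_RE.match(option_value):
        return replace_in_serialized(option_value, old, new)
    return option_value.replace(old, new)


def rewrite_all(options, old, new):
    """Apply rewrite_option to a {option_name: option_value} mapping."""
    return {name: rewrite_option(value, old, new) for name, value in options.items()}


# Constructed examples: the two plain URL options and a text-widget array like
# the manual HTML widgets on the REconomy home page.
OLD_URL = "http://www.reconomy.org"
NEW_URL = "http://reconomy.parrot.webarch.net"
SAMPLE_OPTIONS = {
    "siteurl": "http://www.reconomy.org",
    "home": "http://www.reconomy.org",
    "widget_text": 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:40:"<a href="http://www.reconomy.org/">R</a>";}}',
}

if __name__ == "__main__":
    for name, value in rewrite_all(SAMPLE_OPTIONS, OLD_URL, NEW_URL).items():
        print(name, "=>", value)
```

The widget string grows from s:40 to s:51 because the new hostname is 11 bytes longer; a plain replace would have produced s:40 with a 51-byte value, which PHP rejects. Moving the site back to reconomy.org afterwards is the same call with OLD_URL and NEW_URL swapped.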

comment:9 Changed 3 years ago by chris

If you upload the MySQL file with SFTP to the ~/private/ folder then I can import it using the command line.

comment:10 follow-up: ↓ 11 Changed 3 years ago by laura

Done. It's zipped but I can unzip it if helpful. It's the backup from a couple of days ago and it seems okay on the local copy I tested here earlier.
Let me know when done and can tweak the wp-options.

Laura

comment:11 in reply to: ↑ 10 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.5 to 0.75

Replying to laura:

Let me know when done and can tweak the wp-options.

I have imported the database, if there are directories of files to copy let me know.

comment:12 Changed 3 years ago by laura

All done and seems all okay on the parrot.webarch site. Am around later / tomorrow to change urls back in wp-options table if /when ready to go to live mode.
Cheers
Laura

comment:13 Changed 3 years ago by chris

I'll do it now if that is OK.

comment:14 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.75 to 0.85

OK, that's done. I won't delete the old site just yet in case I have time to grep the logs to see what exactly happened.

comment:15 Changed 3 years ago by laura

Cheers Chris - I've updated the links in phpMyAdmin to reconomy.org and all seems okay,
and I will get in touch with Shane to re-update his WordPress account link for Jetpack.

Hope conference went well!

Laura

comment:16 Changed 3 years ago by ed

Good work all -

  1. So this is sorted? Please confirm? Looks good to me.
  2. We need to know what the cause of this problem was - Chris, do you think we will be able to find out? It doesn't have to happen urgently, but it's important knowledge and worth a couple of hours' investigation.

comment:17 Changed 3 years ago by laura

Hi Ed et al,

All seems okay on the REconomy website at present (had a rebuild on a new install of WP), be interested too to hear if Chris can suss how it happened.

comment:18 Changed 3 years ago by chris

I have spent an hour looking at the logs and haven't found anything that proves anything I'm afraid.

comment:19 Changed 3 years ago by ed

  • Status changed from new to closed
  • Resolution set to fixed

OK. No more log looking then! I'll tell Fi that she can sponsor more investigations from her own budget. For now we can close this ticket, so closing the ticket and saying thank you, Laura and Chris!

comment:20 Changed 3 years ago by ed

  • Status changed from closed to reopened
  • Resolution fixed deleted

Re-opening - LAURA - please add the time spent to this ticket ASAP so I can close it with your time allocated so you get paid :)

comment:21 follow-up: ↓ 23 Changed 3 years ago by laura

  • Add Hours to Ticket changed from 0.0 to 4.5
  • Total Hours changed from 0.85 to 5.35

Not sure if done correctly - added as 4.5 for 4 and a half hours.

comment:22 Changed 3 years ago by ed

  • Status changed from reopened to closed
  • Resolution set to fixed

Great - thanks Laura - now closing this ticket - this will come up as billable when I do the Ttech time tally at the beginning of May :)

comment:23 in reply to: ↑ 21 Changed 3 years ago by chris

Replying to laura:

Not sure if done correctly - added as 4.5 for 4 and a half hours.

Confusing isn't it... you have done it correctly, 0.25 is 15 mins.

comment:24 Changed 3 years ago by laura

Thanks Chris!

comment:25 Changed 3 years ago by sam

Hi all

Sorry, I meant to mention this at the time, but I use http://wordpress.org/plugins/wordfence/ on a few WordPress sites I look after.

It does regular scanning for malware/dodgy URLs etc., as well as nagging you to update plugins when they need it.

Not sure if you have something similar already installed but could be worth considering for Transition WP sites?

I have already installed it on the transitionculture.org archive site after we had the problem of it sending spam emails.

Thanks

Sam

comment:26 Changed 2 years ago by chris

tmpreaper has been updated to reflect the new username and the old sites are about to be deleted, see wiki:ParrotServer#tmpfiles and ticket:696.

comment:28 Changed 2 years ago by laura

  • Status changed from closed to reopened
  • Resolution fixed deleted

Hi Chris

Thanks for that. I've tweaked the table in wp-options to the webarch address for now. I've got all the other directories uploaded earlier.

Will log in and check through things. Looks like it was a backdoor attack somehow, and I will look further at this. They are using a different commenting system from the older version of the site (Jetpack's system), which means that people can leave comments via logging in via social networks. Not sure if anything to do with it or not. May well look into awstats too at some point to see any oddities; the access logs were interesting, and I may well put Perishable Press's 5G blacklist on too at some point. And will check some settings too to see if anything changed there, as Fi recently asked about letting anyone's comments be approved without any moderation/authentication (noooo!)

Images won't show on the home page as expected, as they are manual HTML widgets (linking to the reconomy url).

Laura

On 10/04/2014 16:45, Transition Technology Trac wrote:
> #718: REconomy site showing adverts randomly
> Comment:
>
>   Replying to [comment:10 laura]:
>   > Let me know when done and can tweak the wp-options.
>
>   I have imported the database, if there are directories of files to copy
>   let me know.
>


comment:29 Changed 2 years ago by chris

  • Status changed from reopened to closed
  • Resolution set to fixed

Closing this now as it's been sorted; I think it was reopened by the email that was delayed.
