hours, totalhours changed

chris — Thu, 07 Jan 2016 11:23:51 GMT

hours changed from 0.0 to 0.25
totalhours changed from 0.0 to 0.25

description changed

chris — Thu, 07 Jan 2016 11:31:36 GMT

description modified (diff)

hours, totalhours changed

chris — Fri, 08 Jan 2016 11:04:25 GMT

hours changed from 0.0 to 0.8
totalhours changed from 0.25 to 1.05

Installing Stop XML-RPC Attack on all WordPress sites on ParrotServer:

sudo -i
su - conference15 -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.

Then a page needs to be requested on the site, https://conference15.transitionnetwork.org/ to trigger the updating of the .htaccess file, after that has been done this has been appended to it:

# BEGIN WORDPRESS PLUGIN stop_xmlrpc_attack
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 10.0.0.0/8
allow from 64.34.206.0/24
allow from 66.135.48.128/25
allow from 66.155.38.0/24
allow from 69.174.248.128/25
allow from 76.74.248.128/25
allow from 76.74.254.0/25
allow from 76.74.255.0/25
allow from 127.0.0.0/8
allow from 172.16.0.0/12
allow from 192.0.64.0/18
allow from 192.168.0.0/16
allow from 198.181.116.0/22
allow from 207.198.101.0/25
allow from 207.198.112.0/23
allow from 209.15.21.0/24
allow from 216.151.209.64/26
allow from 216.151.210.0/25
</Files>
# END WORDPRESS PLUGIN stop_xmlrpc_attack

Adding the plugin to the other sites:

su - cop21 -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.
exit
su - reconomy -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
  PHP Fatal error:  Class 'WP_Widget' not found in /home/reconomy/sites/default/wp-content/plugins/akismet/class.akismet-widget.php on line 5
  Fatal error: Class 'WP_Widget' not found in /home/reconomy/sites/default/wp-content/plugins/akismet/class.akismet-widget.php on line 5

This is a error that lots of people have:

https://wordpress.org/support/topic/version-44-update-fatal-error-class-wp_widget-not-found

And the fix:

WP CLI - Needs to be upgraded to the latest release, otherwise it won’t work.

https://wordpress.org/support/topic/read-this-first-wordpress-44-master-list?replies=5#post-7753846

So:

which wp
/usr/local/bin/wp
ls -lah /usr/local/bin/ | grep wp
lrwxrwxrwx  1 root staff    20 Nov 20  2014 wp -> ../src/wp-cli/bin/wp
-rwxr-xr-x  1 root staff   286 Oct 24 13:03 wp-brute-force
-rwxr-xr-x  1 root staff   269 Oct 24 13:17 wp-xmlrpc-abuse
cd /usr/local/src/
wget https://raw.github.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod 755 wp-cli.phar
php wp-cli.phar --info --allow-root
  PHP binary:     /usr/bin/php5
  PHP version:    5.4.45-0+deb7u2
  php.ini used:   /etc/php5/cli/php.ini
  WP-CLI root dir:        phar://wp-cli.phar
  WP-CLI global config:
  WP-CLI project config:
  WP-CLI version: 0.22.0
rm -rf wp-cli
cd ../bin/
rm wp
ln -s ../src/wp-cli.phar wp

Try again:

su - reconomy -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
  Installing Stop XML-RPC Attack (1.0.3)
  Downloading install package from https://downloads.wordpress.org/plugin/stop-xmlrpc-attack.1.0.3.zip...
  Unpacking the package...
  Installing the plugin...
  Plugin installed successfully.
  Success: Translations updates are not needed for the 'English (US)' locale.
wp plugin activate stop-xmlrpc-attack
  Success: Plugin 'stop-xmlrpc-attack' activated.
exit
su - tc -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
  PHP Fatal error:  Call to a member function separator() on a non-object in /home/tc/sites/default/wp-content/plugins/contactforms/buttonsnap.php on line 433
  Fatal error: Call to a member function separator() on a non-object in /home/tc/sites/default/wp-content/plugins/contactforms/buttonsnap.php on line 433

The wp-content/plugins/contactforms directory appears to have a variety of code in it. Stop XML-RPC Attack was installed using the web interface, these pluging have updates available:

Akismet
BackWPup
Bad Behavior
jQuery Colorbox
Optimize Database after Deleting Revisions
Query Monitor
Simple Recent Comments
Spam Destroyer
Subscribe2
Subscribe To Comments
User Switching

I haven't updated these or updated WordPress itself for fear of breaking things -- Sam perhaps you might want to look at this, I think you did the last updates on the site?

su - ts -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
wp plugin activate stop-xmlrpc-attack
exit
su - ttt -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp plugin install stop-xmlrpc-attack
wp plugin activate stop-xmlrpc-attack
exit

The http://www.transitiontowntotnes.org/ and http://www.transitionstreets.org.uk/ sites were accesses and the .htaccess files were checked.

description changed

chris — Fri, 08 Jan 2016 11:08:05 GMT

description modified (diff)

Transition Technology: Ticket #894: Brute Force Attacks Against WordPress XMLRPC

hours, totalhours changed

description changed

hours, totalhours changed

description changed