Ticket #917 (new defect)

Opened 4 months ago

Last modified 4 months ago

Any misc files in Transition Culture web root?

Reported by: sam
Owned by: chris
Priority: minor
Milestone: Maintenance
Component: Parrot server
Keywords:
Cc:
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.1

Description

Hi Chris

Simon from Lumpy lemon has migrated Transition Culture.

We only have WP admin access & he was wondering:

"Just one small question: can you check in the webroot folder on your server and let me know if there are any non-WordPress files in there? e.g. Google verification files, that sort of thing. I don't think there should be, but best to check. If there are, can you send them over."

Thanks

Sam

Change History

comment:1 Changed 4 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

Here is a list of the files:

cd /home/tc/sites/default/
ls -lah
total 220K
drwxr-x---  5 tc tc 4.0K Jul 13 22:33 .
drwx------  3 tc tc 4.0K Dec  9  2013 ..
-rw-r--r--  1 tc tc  807 Jun 20 11:53 .htaccess
-rw-r--r--  1 tc tc   75 Dec  9  2013 .htaccess.bak
-rw-r-----  1 tc tc 1.4K Feb  5  2008 favicon.ico
-rw-r-----  1 tc tc   53 Oct 11  2012 google4ef510c6b847a9b0.html
-rw-r-----  1 tc tc  418 Sep 25  2013 index.php
-rw-r--r--  1 tc tc  20K Jul 13 22:31 license.txt
-rw-r-----  1 tc tc 1.7K Sep  3  2013 nginx.conf
-rw-r--r--  1 tc tc 7.2K Jun 21 18:35 readme.8e7c2d7e9f3ffd58f403928e7399990f.html
-rw-r--r--  1 tc tc 7.2K Jul 13 22:31 readme.html
-rw-r-----  1 tc tc    0 Dec  8  2012 robots.txt
-rw-r--r--  1 tc tc 5.0K Jul 13 22:31 wp-activate.php
drwxr-x---  9 tc tc 4.0K Jul 13 22:31 wp-admin
-rw-r--r--  1 tc tc  364 Jul 13 22:31 wp-blog-header.php
-rw-r--r--  1 tc tc 1.5K Jul 13 22:31 wp-comments-post.php
-rw-r--r--  1 tc tc 2.8K Jul 13 22:31 wp-config-sample.php
-rw-r-----  1 tc tc 1.6K Dec 10  2013 wp-config.php
drwxr-x--- 10 tc tc 4.0K Jul 13 23:57 wp-content
-rw-r--r--  1 tc tc 3.3K Jul 13 22:31 wp-cron.php
drwxr-x--- 16 tc tc  12K Jul 13 22:31 wp-includes
-rw-r-----  1 tc tc 2.4K Sep 25  2013 wp-links-opml.php
-rw-r--r--  1 tc tc 3.3K Jul 13 22:31 wp-load.php
-rw-r--r--  1 tc tc  34K Jul 13 22:31 wp-login.php
-rw-r--r--  1 tc tc 7.8K Jul 13 22:31 wp-mail.php
-rw-r--r--  1 tc tc  13K Jul 13 22:31 wp-settings.php
-rw-r--r--  1 tc tc  28K Jul 13 22:31 wp-signup.php
-rw-r--r--  1 tc tc 4.0K May 19  2015 wp-trackback.php
-rw-r--r--  1 tc tc 3.0K Jul 13 22:31 xmlrpc.php

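The listing above answers Simon's question by eye; the script below does the same check mechanically, so it can be rerun on the new host after the migration. It is an added example, not code from the ticket or from WordPress. WP_CORE_TOPLEVEL is an assumed list of the top-level files and directories a stock WordPress release ships, and the review patterns (backup copies, server config, Google verification files) are assumptions about what a migrator would want flagged; the sample directory is constructed from the names in the listing, with empty files.

```python
#!/usr/bin/env python3
"""Audit a WordPress web root for entries that are not stock WordPress files.

Added example, not code from the ticket. WP_CORE_TOPLEVEL is an assumed list
of the top-level entries a stock WordPress release ships; the sample web root
is constructed from the names in the ticket's `ls -lah` output (empty files).
"""
import os
import re
import tempfile

# Top-level files and directories shipped by a stock WordPress release (assumption).
WP_CORE_TOPLEVEL = {
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-admin",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-content", "wp-cron.php", "wp-includes", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Non-core names that are expected on any installed site.
SITE_SPECIFIC = {
    "wp-config.php": "site config, holds DB credentials and salts",
    ".htaccess": "site-specific rewrite and access rules",
}

# Patterns that deserve a second look before copying them to a new host (assumed).
REVIEW_PATTERNS = [
    (re.compile(r"(\.bak|\.orig|\.old|~)$"), "backup copy; check whether the web server serves it"),
    (re.compile(r"\.conf$"), "server configuration; should not live in a web root"),
    (re.compile(r"^google[0-9a-f]+\.html$"), "Google site verification file; carry over"),
]


def classify_webroot(path):
    """Return (non_core, notes).

    non_core: sorted names in `path` (dotfiles included, like `ls -a`) that are
              not stock WordPress top-level entries.
    notes:    name -> reason it needs attention, for the subset we recognise.
    """
    non_core, notes = [], {}
    for name in sorted(os.listdir(path)):
        if name in WP_CORE_TOPLEVEL:
            continue
        non_core.append(name)
        if name in SITE_SPECIFIC:
            notes[name] = SITE_SPECIFIC[name]
        for pattern, reason in REVIEW_PATTERNS:
            if pattern.search(name):
                notes[name] = reason
    return non_core, notes


def build_sample_webroot():
    """Create a temporary directory mirroring the names in the ticket's `ls`
    listing. Constructed sample: the files are empty; only the names matter."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    names = [
        ".htaccess", ".htaccess.bak", "favicon.ico",
        "google4ef510c6b847a9b0.html", "index.php", "license.txt", "nginx.conf",
        "readme.8e7c2d7e9f3ffd58f403928e7399990f.html", "readme.html",
        "robots.txt", "wp-activate.php", "wp-admin/", "wp-blog-header.php",
        "wp-comments-post.php", "wp-config-sample.php", "wp-config.php",
        "wp-content/", "wp-cron.php", "wp-includes/", "wp-links-opml.php",
        "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
        "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
    ]
    for name in names:
        full = os.path.join(root, name.rstrip("/"))
        if name.endswith("/"):
            os.mkdir(full)
        else:
            open(full, "w").close()
    return root


if __name__ == "__main__":
    import sys
    # Pass a real web root as argv[1]; with no argument the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    found, why = classify_webroot(target)
    for entry in found:
        print(f"{entry:50s} {why.get(entry, '')}")
```

Run against the listing above it reports eight non-core entries: .htaccess, .htaccess.bak, favicon.ico, google4ef510c6b847a9b0.html, nginx.conf, readme.8e7c2d7e9f3ffd58f403928e7399990f.html, robots.txt and wp-config.php. The script only compares names; it says nothing about contents, so entries such as the renamed readme copy and the zero-byte robots.txt still need to be opened and judged by hand. It also only looks at the top level: wp-content, where a migration usually carries the most non-core material (themes, plugins, uploads), needs its own pass.

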
comment:2 Changed 4 months ago by chris

These are the contents of the .htaccess file. Simon would be able to get all the other files via HTTP; of course, if he would like SSH access, that can also be sorted out.

Redirect /feed/ http://www.transitionnetwork.org/blogs/feed/rob-hopkins/ 

# This was being abused
<Files xmlrpc.php>
   Order deny,allow
   deny from all 
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# BEGIN WORDPRESS PLUGIN stop_xmlrpc_attack
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 10.0.0.0/8
allow from 64.34.206.0/24
allow from 76.74.248.128/25
allow from 76.74.255.0/25
allow from 127.0.0.0/8
allow from 172.16.0.0/12
allow from 192.0.64.0/18
allow from 192.168.0.0/16
allow from 198.181.116.0/22
allow from 207.198.101.0/25
</Files>
# END WORDPRESS PLUGIN stop_xmlrpc_attack
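The file carries two <Files xmlrpc.php> sections: the hand-written one that denies everyone, and the plugin's, which denies everyone except a list of address ranges. The script below works out which policy a given client actually gets. It is an added example, not code from the ticket or from the plugin; HTACCESS is the text posted above, and the evaluation assumes the Order/Allow/Deny semantics of Apache's mod_authz_host (2.2) and mod_access_compat (2.4), under which a later matching section replaces an earlier one rather than merging with it. Because both sections start from "deny from all", the outcome is the same whichever way the server combines them: the plugin's allow list is the effective policy.

```python
#!/usr/bin/env python3
"""Work out the effective access policy for xmlrpc.php from the posted .htaccess.

Added example, not code from the ticket. HTACCESS is the text chris posted.
Assumes mod_authz_host / mod_access_compat semantics for Order, Allow and Deny;
those modules do not merge the Allow/Deny lists of two matching <Files>
sections, the later section replaces the earlier one.
"""
import ipaddress
import re

HTACCESS = r"""
Redirect /feed/ http://www.transitionnetwork.org/blogs/feed/rob-hopkins/

# This was being abused
<Files xmlrpc.php>
   Order deny,allow
   deny from all
</Files>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN WORDPRESS PLUGIN stop_xmlrpc_attack
<Files "xmlrpc.php">
order deny,allow
deny from all
allow from 10.0.0.0/8
allow from 64.34.206.0/24
allow from 76.74.248.128/25
allow from 76.74.255.0/25
allow from 127.0.0.0/8
allow from 172.16.0.0/12
allow from 192.0.64.0/18
allow from 192.168.0.0/16
allow from 198.181.116.0/22
allow from 207.198.101.0/25
</Files>
# END WORDPRESS PLUGIN stop_xmlrpc_attack
"""

FILES_RE = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>(.*?)</Files>', re.S | re.I)


def files_sections(text, filename):
    """Return the directive lists of every <Files> section naming `filename`,
    in document order. Each directive is (lowercased name, argument list)."""
    sections = []
    for m in FILES_RE.finditer(text):
        if m.group(1) != filename:
            continue
        directives = []
        for line in m.group(2).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                parts = line.split()
                directives.append((parts[0].lower(), parts[1:]))
        sections.append(directives)
    return sections


def host_matches(spec, client):
    """Match an Allow/Deny host argument: 'all', a single address, or a CIDR block."""
    if spec.lower() == "all":
        return True
    return client in ipaddress.ip_network(spec, strict=False)


def decide(directives, client_ip):
    """Apply one section's Order/Allow/Deny directives to a client address.
    Returns True if the request is allowed."""
    client = ipaddress.ip_address(client_ip)
    order = "deny,allow"                        # Apache's default
    allowed = denied = False
    for name, args in directives:
        if name == "order":
            order = args[0].lower()
        elif name in ("allow", "deny") and args[:1] == ["from"]:
            hit = any(host_matches(spec, client) for spec in args[1:])
            if name == "allow":
                allowed |= hit
            else:
                denied |= hit
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; unmatched requests pass.
        return allowed or not denied
    # allow,deny: Allow first, Deny overrides; unmatched requests are refused.
    return allowed and not denied


def effective_decision(text, filename, client_ip):
    """Policy that actually applies: the last matching <Files> section wins."""
    sections = files_sections(text, filename)
    if not sections:
        return True                             # no section, no restriction
    return decide(sections[-1], client_ip)


if __name__ == "__main__":
    for ip in ("8.8.8.8", "192.0.64.5", "127.0.0.1", "10.1.2.3"):
        verdict = effective_decision(HTACCESS, "xmlrpc.php", ip)
        print(f"{ip:12s} {'allowed' if verdict else 'denied'}")
```

The first section on its own refuses every client; once the plugin's section is taken into account, a client inside any of its ranges is let through. Two things are worth checking on the server itself: that the web server evaluates the directives at all (this syntax needs mod_access_compat on Apache 2.4, and the Apache directives are irrelevant if the site is in fact served by nginx, which the nginx.conf in the listing makes at least possible), and that the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 do not include a reverse proxy or other hosts that should not be able to reach xmlrpc.php.
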