
Re: [LUG] website


Note that wordpress bots have for some time been lifting usernames via the xmlrpc api, as well as simply scraping the website to get usernames associated with each post (if displayed).

The point of that is so they have more than just the default admin username to target in a bruteforce attack, so it's never ok to set a simple password on a world-facing system. (But you know this now... :) )

Wordpress is good software, but that's why it's so widely used and hence, so widely targeted. The reason so many wordpress sites get hosed is through its popularity (combined with a lot of crappy plugins). Fortunately here it sounds like Simon has a good backup strategy and damage is limited.

On 3 November 2015 at 07:57, Paul Sutton <zleap@xxxxxxxxx> wrote:
Thank you for this, Simon.

The weak passwords may have been my fault; I set simple passwords so
that users could access the site and change them, partly so that anyone
involved with arranging meetings could then add the details, and maybe
write-ups.

I now see that it puts in a strong password for you.

I actually suggested to jay last night about putting it in to
maintenance mode in order that we could sort everything out properly, so
there is no harm in doing this for a week or two, get the site sorted
out as people are busy then bring it back on line when ready.

I did add a meet us page and included info on who meets where; if this
can be salvaged that would be great.

I also moved some of the tutorials around so the site looked less of a
mess in that respect as some of the sub menus were too long for a
screen, those now start nearer the top.

As for who gets accounts, I think we need to purge this and maybe limit
it to you, me, and a few others, and maybe give Neil W and Grant S
some sort of access so they can add meeting info.

Paul


On 03/11/15 03:20, Simon Waters wrote:
> I have concluded my initial analysis.
>
> Fairly confident I know the extent of the abuse, and have identified
> all the IP addresses used during the abuse. Does appear to originate
> with weak or compromised user password.
>
> Recreating the site will have to wait till the morning.
>
> There are a couple of parts I can't investigate easily as the files
> have been removed, or corrupted.
>
> I can restore to November 1st backup. Or we can rebuild the site from
> trusted code. I'd prefer the former, since it is safest, but either
> option will work.
>
> Paul?
>

--
http://www.zleap.net @zleap14
@zleap14 diaspora : zleap@xxxxxxxxxxxxxxxx
Documentation lead @ ToriOS http://www.torios.net zleap@xxxxxxxxxx

htto://torbaytechjam.org.uk

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
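The first message above describes the pattern that hit the site: bots harvest usernames through the xmlrpc endpoint, then brute-force the login form. The following is an added example, not code from the list or from WordPress, showing how a site admin can tally xmlrpc.php and failed wp-login.php POSTs per client IP in a standard combined-format web log to pick out the offending addresses; the log lines are constructed for the example and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, method, path, status):
    """Build a constructed sample log line (not from the real incident)."""
    return (f'{ip} - - [02/Nov/2015:22:14:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed traffic: one host hammering the XML-RPC endpoint, one host
# failing repeatedly at the login form, one ordinary visitor who logs in once.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 200) for _ in range(6)]
    + [_line("198.51.100.23", "POST", "/wp-login.php", 200) for _ in range(5)]
    + [_line("192.0.2.10", "GET", "/2015/11/meeting/", 200),
       _line("192.0.2.10", "POST", "/wp-login.php", 302)]
)


def tally(lines):
    """Per-IP counts of XML-RPC posts and failed login-form posts.

    WordPress answers a failed wp-login.php POST by re-rendering the form
    (HTTP 200); a successful login redirects (HTTP 302), so 200s are failures.
    """
    counts = defaultdict(lambda: {"xmlrpc_post": 0, "login_fail": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore query strings
        if method == "POST" and path.endswith("/xmlrpc.php"):
            counts[ip]["xmlrpc_post"] += 1
        elif method == "POST" and path.endswith("/wp-login.php") and status == 200:
            counts[ip]["login_fail"] += 1
    return dict(counts)


def suspicious_ips(lines, xmlrpc_threshold=5, login_threshold=5):
    """IPs at or above either threshold (assumed values), sorted for stable output."""
    return sorted(ip for ip, c in tally(lines).items()
                  if c["xmlrpc_post"] >= xmlrpc_threshold
                  or c["login_fail"] >= login_threshold)


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print(ip, tally(SAMPLE_LOG)[ip])
```

On a real server, feed it the access log with `suspicious_ips(open("/var/log/apache2/access.log"))`; the flagged addresses are the ones to block at the firewall and to cross-check against the user accounts whose passwords need resetting.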
