My personal Wordpress blog was hacked a few weeks ago. I hadn’t checked my simple AWS micro instance in a while, and fortunately, I happened to look at the site just a day after it was compromised. Wordpress makes it easy to stand up a pretty website if you don’t want to spend time crafting a front-end yourself, but security is a major question mark. If you keep it up to date and don’t load it with tons of third party content, it’s probably OK for a personal blog. However, I had several WP plugins and themes that were a few weeks behind the last update, as was WP Core. This is likely how the attacker was able to gain write-access to my one and only post on my blog and change the links to point at some sketchy-looking foreign domain websites to improve his SEO. Interestingly enough, the attacker also made some edits in the article, including grammatical fixes and clauses that were consistent with the content (environmental regulations).
Regardless, I updated everything, removed unnecessary plugins, added a plugin to record more detailed Wordpress history, secured my active accounts, and reverted the changes (except for one grammatical improvement - thank you attacker). Good Wordpress security and statistics plugins are difficult to come by, and they most likely increase the attack surface of the website, so I decided to opt for the tool I use and develop every day: Bro IDS. The visibility provided by Bro goes beyond threat detection and can be used as a more powerful version of netflow, showing what’s running on a system in significant detail.
Monitoring a single web server instance facing external http requests behind a pretty limiting firewall (inbound tcp/80 only, or tcp/22 from my static IP address only) is not our typical deployment for Bro here at Packetsled -- limited to basic web requests, and with no honeypot, I didn’t expect a whole lot of interesting attack vectors. However, there were some takeaways after letting Bro run for a few weeks, mostly regarding how my network operates and what kind of requests my site typically sees.
The blog uses basic unverified HTTP (I’m too lazy and cheap to set it up right), so I was unsure why I had at least one ssl log entry every hour:
#fields id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status 172.31.40.119 59718 220.127.116.11 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - F Fb0mOL2796DAoCkRa3 (empty) - - - - - 172.31.40.119 41499 18.104.22.168 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 - F - http/1.1 F Fr4ISl3di8C0feHNC4,F2sfO14ZkvhwHhaNb4,F10O3d278YkNUhURTf (empty) - - - - -
Ah of course -- after opening up the corresponding x509 certificate log, it’s clear that my device is reaching out to Wordpress about twice a day, looking for updates from “CN=*.wordpress.org,OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com.” More surprisingly though, my instance periodically was reaching out to an Amazon-based address every hour on my exposed network (as opposed to the back channels AWS uses to control instances):
pi@raspberrypi:~ $ whois 22.214.171.124 NetRange: 126.96.36.199 - 188.8.131.52 CIDR: 184.108.40.206/11 ... Organization: Amazon Technologies Inc. (AT-88-Z) x509.log #fields certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len 3 07 emailAddressemail@example.com,CN=stats.bitnami.com,O=BitRock Update Services,L=Seville,ST=Seville,C=ES emailAddressfirstname.lastname@example.org,CN=BitRock Update Services,O=BitRock Update Services,L=Seville,ST=Seville,C=ES 1284478570.000000 1599838570.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - F - 3 280392F6950C4C CN=*.wordpress.org,OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US 1417824798.000000 1513368681.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - *.wordpress.org,wordpress.org - - - F -
Again using Bro’s x509 log to extract more information about the certificate owner, this is Bitnami, whose VM and tech stack I used to set up my Wordpress instance.