multisites exist, but no network superadmin option - potential hack

Hi
So my team used a multi-site install for several days (while I was on vacation). When I came back, they said it had broken. OK, so now when I try to go back and look at things, I can pop into the root dashboard, but there is no network admin option. Two things are true: "multisite true" is definitely in the wp-config, and if I go to "network setup", just to make sure, I get "an existing wordpress network was detected", and I see my previous sites when I look in the appropriate _blogs table in the main DB.

I was also told that the wp-config.php had been wiped, initially, when my team was troubleshooting. The wp-config.php seems to be fine now. Where should I begin?

Additionally, I now have a ton of ...min.js files in the root dir. Is this a normal location for minified files? And when I open them in an editor I get stuff like `Error(18): Unknown parameter in Http request: 'Iota;', ''.
Error(18): Unknown parameter in Http request: '#8804;', true, 'less-than or equal to'],` That doesn't seem right.

Lost. Trying to find out what happened. Thanks for any help.

  • Timothy Bowers

    Hey there.

    Glad you have this sorted.

    The first thing I'd usually check is the wp-config and then htaccess to make sure they're set.

    Looks like this was the case here.

    So your team say it was working?

    Those files must have been reverted somehow, impossible for me to say how. If we were considering a user error, then: once I made some live changes in an editor, saved them and was good. I'd left the tab open though (Coda editor), and whilst looking at something else I saved and thus reverted my changes.

    Maybe an old copy reuploaded?

    Maybe take a look at your server's access logs to see who accessed the server.

    > Additionally, I now have a ton of ...min.js files in the root dir. Is this a normal location for minified files? And when I open them in an editor I get stuff like `Error(18): Unknown parameter in Http request: 'Iota;', ''.
    > Error(18): Unknown parameter in Http request: '#8804;', true, 'less-than or equal to'],` That doesn't seem right.

    You shouldn't have any minified JS files in the root. Did this only happen whilst you were away?

    And has it stopped now?

    I would make sure everything is up to date and locked down, correct file permissions and such.

    I don't know much about your team or how experienced they might be with this stuff, but unless you have any reason to believe it was a hack, then it does seem to coincide with you being away.

    Are you seeing any other issues?

    Let me know.

  • rocannon

    Thanks for your reply, Timothy.

    As soon as I got the site back up this morning, I received a new user with a weird username, so I deleted it and disabled all new registrations, so some thing/one seems to be watching/ready to get back in there/keep using their powers.

    I wonder about the minifies though. From the code I listed above, it doesn't seem to be a minified JS file -- more some other kind of code, merely named to mimic a min.js?

    I am deleting all of these, but keeping copies for examination.
    I will go and change permissions appropriately as well.

    Thanks again, and looking forward to any response re the content of the min.js's.
    Oh, also, when I look at my 404 error logs in the Better WP Security dashboard, I notice one particular day I received 212, which is tons for my site. It was on the ../trackback directory, from many different hosts. I'm not sure how to analyze this, but I'm guessing this is evidence of an attack; whether or not a successful one, I have no idea, but the date does coincide with the breakdown.
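The 404 spike described above (one day, one trackback path, many different hosts) is the kind of pattern that is easier to see in the raw access log than in a plugin dashboard. The following is an added example, not code from the thread or from the Better WP Security plugin: it parses Apache/nginx combined-format log lines, counts 404s per day together with the distinct client hosts and most-requested path, and flags days above a baseline threshold. The log lines are constructed sample data, and the threshold of 3 is only a value chosen for the sample; on a real site it would come from the 404 counts of known quiet days.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the Apache/nginx "combined" log layout:
# host ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic): a quiet day, then a day with a
# burst of 404s against a trackback URL from several different client hosts,
# plus one unparseable line to show that junk is skipped rather than fatal.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:09:12:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:09:12:02 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:11:40:10 +0000] "GET /old-page HTTP/1.1" 404 300 "-" "Mozilla/5.0"
198.51.100.21 - - [11/Mar/2013:02:01:00 +0000] "POST /blog/hello-world/trackback/ HTTP/1.1" 404 310 "-" "TrackBack/1.02"
198.51.100.22 - - [11/Mar/2013:02:01:03 +0000] "POST /blog/hello-world/trackback/ HTTP/1.1" 404 310 "-" "TrackBack/1.02"
198.51.100.23 - - [11/Mar/2013:02:01:07 +0000] "POST /blog/hello-world/trackback/ HTTP/1.1" 404 310 "-" "TrackBack/1.02"
198.51.100.24 - - [11/Mar/2013:02:01:09 +0000] "POST /blog/hello-world/trackback/ HTTP/1.1" 404 310 "-" "TrackBack/1.02"
198.51.100.25 - - [11/Mar/2013:02:01:12 +0000] "POST /blog/hello-world/trackback/?x=1 HTTP/1.1" 404 310 "-" "TrackBack/1.02"
198.51.100.25 - - [11/Mar/2013:02:02:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return host, day (YYYY-MM-DD), path (query string stripped) and status
    for one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return {
        "host": m.group("host"),
        "day": day,
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def summarize_404s(lines):
    """Per day: number of 404s, the distinct client hosts that produced them,
    and a Counter of the requested paths."""
    per_day = defaultdict(lambda: {"count": 0, "hosts": set(), "paths": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        d = per_day[rec["day"]]
        d["count"] += 1
        d["hosts"].add(rec["host"])
        d["paths"][rec["path"]] += 1
    return dict(per_day)


def flag_days(per_day, threshold):
    """Days whose 404 count is at or above the baseline threshold, as
    (day, count, most-requested path, distinct hosts) tuples sorted by day."""
    flagged = []
    for day in sorted(per_day):
        d = per_day[day]
        if d["count"] >= threshold:
            top_path, _ = d["paths"].most_common(1)[0]
            flagged.append((day, d["count"], top_path, len(d["hosts"])))
    return flagged


if __name__ == "__main__":
    summary = summarize_404s(SAMPLE_LOG.splitlines())
    for day, count, path, hosts in flag_days(summary, threshold=3):
        print(f"{day}: {count} x 404, top path {path}, from {hosts} distinct hosts")
```

A high count on a single path from many hosts points at automated scanning rather than a broken link; the same summary on the 200/302 responses of that day shows whether any of those hosts got further than a 404.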

  • Timothy Bowers

    Those files shouldn't be there.

    What's in them?

    Usually I personally use php.php to add a function like phpinfo(); to let me know what the setup of PHP is. But still it shouldn't be there by default.

    If you've got rogue files, then ya remove them all. Upload a fresh batch.

    The question would be how?

    Review all accounts too, those that have higher permissions.

    Check the plugins and themes you have, are they up to date. Any that haven't been updated in a long time? Check for security reports of them too.

    Take a look here:

    https://premium.wpmudev.org/blog/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

    These are some of the reasons you should be careful of free stuff on the net.

    As mentioned before, permissions. They are important, so make sure files are non-writable unless absolutely 100% required.

    Take care.

  • rocannon

    I'm pretty sure now that it's a TimThumb hack. At least that's one thing that was a problem. The timthumb scripts seem to get uploaded in places like this: wp-content/uploads/avatars/21/cache/timthumb_int_bc40fe04cf46ee6f3552bb0f298c860c.timthumb.txt.

    I'm guessing that it was either the Simple Local avatars plugin or the Add Local avatar plugin. This site is pretty much finished for now, so I will just start from scratch, but I'd really like to know the best steps for hardening my sites. I have read several articles about it, but I feel like there are varying opinions about the effectiveness of plugins such as the WP Better Security plugin, which I have been using for all of my sites. Do you have an opinion as to the best howto guide for this, besides just going to the WP.org docs (which I've done, and will do again)?

    Also, when you say "correct file permissions", I am assuming you are talking about the following:
    "0644 for all the top level files
    0755 for the three directories: wp-admin; wp-content; wp-includes
    etcetc
    exceptions: wp-content/uploads 0777"
    (from http://wordpress.org/support/topic/proper-wp-file-permissions-recovering-from-hack?replies=4)

    Are there others you would recommend, and do you agree with the above recommendation?

    thanks again

  • Timothy Bowers

    You shouldn't really have to use 777 in most environments. 755 is usually enough.

    644 - Files
    755 - Folders

    You only need the hosting account owner to be able to write. I use those permissions on my own servers.

    Depending on the setup you could lock up the wp-admin. Add this to your htaccess, but change the IP to your own so that you can still access it.

    # Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat)
    order deny,allow
    deny from all
    allow from 192.168.0.1
    allow from 192.168.0.2

    That way only you and your staff (anyone on those restricted IPs) can access the admin area to upload, and use the editors (the theme and plugin editor in the network area) that can be used to add any code to your site.

    I've seen loads of people recommend loads of other plugins, I don't personally use those, but you can. Some have options to help prevent brute force attacks.

    Some say remove the "admin" username and don't use usernames when publishing, use an editor account instead. But the most important I think is a nice strong password, a mixture of numbers, letters and even special chars. The longer the better, it adds more combinations, makes guessing and brute force almost impossible (but not impossible).

    Be careful about what themes, plugins and code you add. Free stuff often lacks support and quick fixes when something goes wrong (not always the case, but common).

    Less code is better, less to go wrong.

    Consider something like suhosin or similar to harden PHP:

    http://www.hardened-php.net/suhosin/configuration.html

    As for Timthumb, it depends on the version. I know that any that are included in our code are custom versions that remove the security issues, especially those from a year or two ago (maybe longer now, I forget).
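The two posts above (rocannon's question about the 644/755 scheme and the timthumb cache files under wp-content/uploads, and Timothy's answer that files should be 644, folders 755 and nothing 777) can be turned into a repeatable check. The following is an added example, not code from the thread or from any WordPress plugin: it walks an install, reports entries that are world-writable or off the 644/755 scheme, .min.js files dropped in the site root (the original symptom), and PHP or timthumb files under the uploads directory, then applies the 644/755 scheme so that a second audit shows only the rogue files a chmod cannot fix. The sample tree it builds is constructed to reproduce the thread's symptoms; the hash in the timthumb file name is a placeholder, and the file names under uploads are made up. It generalizes the thread's two specific findings to a whole-tree scan.

```python
import os
import stat
import tempfile

# The 644/755 scheme recommended in the thread.
FILE_MODE = 0o644
DIR_MODE = 0o755
UPLOADS = os.path.join("wp-content", "uploads")
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Walk a WordPress install and return sorted (finding, relative_path) pairs:
    world-writable entries, entries off the 644/755 scheme, .min.js files in the
    site root, and PHP or timthumb files under wp-content/uploads (which should
    only ever hold media). Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.join(rel_dir, name)
            mode = _mode(full)
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            elif mode != DIR_MODE:
                findings.append(("dir-mode-%o" % mode, rel))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.join(rel_dir, name)
            mode = _mode(full)
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            elif mode != FILE_MODE:
                findings.append(("file-mode-%o" % mode, rel))
            if rel_dir == "" and name.endswith(".min.js"):
                findings.append(("minjs-in-root", rel))
            if rel.startswith(UPLOADS + os.sep):
                lower = name.lower()
                if lower.endswith(SCRIPT_SUFFIXES) or "timthumb" in lower:
                    findings.append(("script-or-timthumb-in-uploads", rel))
    return sorted(findings)


def normalize_modes(root):
    """Apply 644 to files and 755 to directories below root (symlinks skipped).
    Whatever audit_tree still reports afterwards is content, not permissions,
    and has to be removed and replaced from a clean copy."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, DIR_MODE)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, FILE_MODE)


def build_sample_tree():
    """Constructed WordPress-like tree (not a real site) with the symptoms from
    the thread: a .min.js in the root, a 777 uploads directory, a timthumb cache
    file and a PHP file under uploads, and a world-writable wp-config.php.
    PLACEHOLDER stands in for the hash seen in the real cache file name."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "index.php": FILE_MODE,
        "wp-config.php": 0o666,
        "jquery.min.js": FILE_MODE,
        "wp-admin/index.php": FILE_MODE,
        "wp-content/uploads/avatars/21/cache/timthumb_int_PLACEHOLDER.timthumb.txt": FILE_MODE,
        "wp-content/uploads/2013/03/image.php": FILE_MODE,
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("/* constructed sample */\n")
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), DIR_MODE)
    os.chmod(os.path.join(root, UPLOADS), 0o777)  # the deliberate bad setting
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for kind, rel in audit_tree(root):
        print(f"{kind:32} {rel}")
    normalize_modes(root)
    print("after normalize_modes:", audit_tree(root))
```

Run it against the document root of the site rather than the sample tree to get the real list; the first pass separates permission drift (fixed by normalize_modes) from planted files (fixed only by deleting them and restoring from a clean copy, as Timothy advises above). Directories that a plugin genuinely needs to write to still only need to be writable by the account the web server runs as, never by everyone.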
