From: Charles Sprickman
To: Paul Stead
Cc: SA Mailing list
Date: Fri, 19 Oct 2018 15:36:30 -0400
Subject: Re: URI_WPADMIN fp

> On Oct 19, 2018, at 10:15 AM, Paul Stead wrote:
>
> Can't comment on the score - hacked Wordpress sites often have bits hosted in
>
> * wp-admin

Yes.

> * wp-content

Yes and no.

Everything that a user uploads for their site lives under wp-content, so any rule triggering on that part of the URL would be a mistake. The tree looks like this:

/wp-content/themes/ - this is where website themes (think templates) live. You will see css and js from this directory or subdirectories, also in some cases images (icons and the like).

/wp-content/plugins/ - this is where WP plugins (gobs of code that add some specific functionality to the site) live. Similar to themes, you'll generally see css and js there, and possibly some images.

/wp-content/uploads/ - this is where all images/media that the webmaster uploads lives. This is where you want to be strict with any URL matching rules. You should NOT see any files ending in .js nor .css - that's a strong sign that the installation is compromised.

You should NOT see any files ending in .php in ANY of the above directory trees. Themes and plugins contain .php files, but they are NOT directly executed from outside; they are simply included by other WP core code. So when you see a .php file in those directories in a URL, something is very wrong. And you're likely looking at a compromised account, which is likely somehow involved in spamming or phishing.

A good webhost applies a few very simple rules that block about 99% of the WP exploits:

- PHP not even parsed under the uploads directory ENTIRELY, even for includes. Since this directory is ALWAYS writable by the web user, it's where most exploits want to put their payloads. You break nothing but exploits by disallowing php execution there. Similarly, you block no good email by nuking any URL that ends in .php and lives under that directory.

- PHP not executed anywhere under /wp-content other than by includes.

- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated users. You should never see any URL other than that from that directory.

- Only wp-content is writable by the web user (pretty rare, but doable, and very common with "boutique" hosting).

You will have a surprisingly secure WP install with just those few simple steps above.

That's my WP quicky for anyone writing WP rules. If such a person is on the list and wants to discuss, I'm super happy to do so!

Charles

> Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails
>
>
> Paul
>
> On 19/10/2018, 14:38, "Alex" wrote:
>
> Hi,
>
> Should we be adding 3 points for just this, or is there never a reason
> users should be using /wp-admin in their URLs?
>
> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user
> be in a position to create a public link that involves their WP admin
> directory in the first place?
>
>
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
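Charles's three URL heuristics (script files under uploads, .php anywhere under wp-content, anything in /wp-admin/ other than admin-ajax.php) written out as a small checker; this is an added example, not code from the thread or from SpamAssassin, and the rule names and sample URIs are constructed for illustration. The patterns match only the path part of a URI, so the end anchors would need to allow a trailing query string if carried over into SpamAssassin `uri` rules, which match the whole URI.

```python
import re
from urllib.parse import urlsplit

# Hypothetical rule names (not SpamAssassin's own). Each regex is applied to
# the URI path only, so "$" means "end of path", not "end of whole URI".
WP_URI_RULES = {
    # uploads/ should hold only media; a .js or .css there is a red flag
    "WP_UPLOADS_SCRIPT": re.compile(r"/wp-content/uploads/.*\.(?:js|css)$", re.I),
    # .php under wp-content is never requested directly by a healthy site
    "WP_CONTENT_PHP": re.compile(r"/wp-content/.*\.php$", re.I),
    # /wp-admin/ exposes only admin-ajax.php to unauthenticated visitors
    "WP_ADMIN_NONAJAX": re.compile(r"/wp-admin/(?!admin-ajax\.php$)", re.I),
}


def wp_uri_hits(uri):
    """Return the sorted list of rule names whose pattern matches the URI path."""
    path = urlsplit(uri).path
    return sorted(name for name, rx in WP_URI_RULES.items() if rx.search(path))


def scan_uris(uris):
    """Map each URI to its rule hits; empty list means nothing suspicious."""
    return {uri: wp_uri_hits(uri) for uri in uris}


# Constructed sample URIs, not taken from real mail.
SAMPLE_URIS = [
    "https://example.com/wp-content/themes/mytheme/style.css",   # normal
    "https://example.com/wp-content/uploads/2018/10/photo.jpg",  # normal
    "https://example.com/wp-content/uploads/2018/10/loader.js",  # script in uploads
    "https://example.com/wp-content/plugins/foo/view.php",       # .php under wp-content
    "https://example.com/wp-admin/admin-ajax.php?action=ping",   # the one allowed admin URL
    "https://example.com/wp-admin/images/",                      # the hit from the thread
]

if __name__ == "__main__":
    for uri, hits in scan_uris(SAMPLE_URIS).items():
        print(f"{uri}: {', '.join(hits) or 'clean'}")
```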