WordPress GDPR Plugin Exploit – All You Need To Know

As of November 9, 2018, the WP GDPR Compliance plugin has been exploited by hackers. This plugin aids e-commerce site owners in compliance with European privacy standards. Since the very nature of GDPR is to protect the personal data and privacy of EU citizens, it should be tended to as soon as possible to avoid a costly cleanup. WP GDPR Compliance is also known for working in conjunction with many forms including Contact Form 7, Gravity Forms, and WordPress Comments.

The main characteristic of this hack is the addition of new users, users with admin privileges. These administrative users have full access to your WordPress site. With Admin users a hacker can alter your site without your knowledge, including making rouge pages or selling your visitor’s information.

This article shows WP GDPR users how to:

 

If you are familiar with how to log in to your WordPress backend you can easily see if you are using this plugin.

Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.

Step 2: Login with your WordPress username and password and navigate to Plugins and click on Installed Plugins on the left-hand side of your screen.

Step 3: Scroll down through any installed plugins to see if WP GDPR Compliance is within your list.  On this screen, you’ll be able to see the version of the plugin to the right of the plugin name. Any version less than 1.4.3 is vulnerable and should be updated.

Indentify if you are vulnerable to WP GDPR by locating the plugins menu in WordPress.

Note:
Documented evidence shows an inactive GDPR plugin is not vulnerable to the exploit.

 

Although this is a severe exploit, it is easy to patch and protect yourself by performing a simple update.

Step 1: Follow the steps above in the section “How to Identify if you use the WP GDPR plugin” to login and locate your Plugins menu.

Step 2: Afterwards, find WP GDPR Compliance, if you are running an outdated version you’ll see a message letting you know you can update. Selecting the “update now” link will automatically upgrade to the newest version.

Update the WP GDPR plugin to avoid a hacked WordPress site.

 

There is a couple of routes for identifying this hack, listed below, but you can also use the Wordfence Security Scanner or our read our blog article on the subject of exploitation.

Indicators of Compromise include the following characteristics:

  • Creation of new users with Admin privileges
  • A database user in the wp-users table named t2trollherten and t3trollherten
  • URL’s inserted into the code have seen as pornmam.com
  • Installation of the 2MB Autocode plugin, executed by WP-Cron via WooCommerce’s woocommerce_plugin_background_installer
  • The wp_options table within your database has an entry starting with 2mb_autocode or default_role  is set to anything other than “subscriber”
  • Recent edits to the wp-super-cache/wp-cache.php file
  • Creation of a backdoor file, /wp-content/uploads/…/wp-upd.php
  • Incoming IPs from:
    • 109.234.39.250
    • 109.234.37.214
    • 195.123.213.91
    • 46.39.65.176

 

If you deduced your site is compromised from previously mentioned characteristics, then you’ll want to remedy it immediately since other sites on the same server can be affected.

  • Liquid Web customer can purchase a Malware Clean Up package
  • Manually remove the code from the infected files
  • Restore from a backup dated before November 8, 2018

 

Protecting against CVE-2018-14634 (Mutagen Astronomy)

There is a new exploit, rated as 7.8 severity level,  that affects major Linux distributions of RedHat Enterprise Linux, Debian 8 and CentOS named Mutagen Astronomy. Mutagen Astronomy exploits an integer overflow vulnerability in the Linux kernel and supplies root access (admin privileges) to unauthorized users on the intended server. This exploit affects Linux kernel version dating back from July 2007 to July 2017.  Living in the kernel, the memory table can be manipulated to overflow using the create_tables_elf() function. After overwhelming the server, the hacker can then overtake the server with its malicious intents.

As mentioned this vulnerability is present in RedHat, Debian 8 (Debian 9 are not vulnerable), and CentOS 6 and 7 but its limited to affecting only 64-bit versions. The 32-bit versions do not have the address space to overwhelm the server and thus no patch is needed.  Along with 64-bit versions, the exploit is limited to Linux kernel versions 2.6.x, 3.10.x, and 4.14.x. (Read our article How To Check the Kernel Version to see which version you are running)  Proof of concept reported on August 31, 2018, and remediation from a one-year-old patch was backported to most LTS (long-term support) kernels, CentOS and Debian 8 remain vulnerable. Luckily, patches CentOS 6 /7 and RHEL 7 are below but the world waits for RHEL 6 and Debian 8 remedy.  Check back here for updates as they become available.

 

CentOS 6 and 7 Patch for Mutagen Astronomy

Step 1: Utilizing SystemTap.

Use SystemTap to extract, filter and summarize data to diagnosis performance or functional problems.

yum install systemtap systemtap-runtime

Step 2: Create a File

Using your preferred text editor create a file name mutagenastronomypatch.stp and copy and paste the following info:

// CVE-2018-14634
//
// Theory of operations: adjust the thread's # rlimit-in-effect around
// calls to the vulnerable get_arg_page() function so as to encompass
// the newly required _STK_LIM / 4 * 3 maximum.
// Complication: the rlimit is stored in a current-> structure that
// is shared across the threads of the process. They may concurrently
// invoke this operation.
function clamp_stack_rlim_cur:long ()
%{
struct rlimit *rlim = current->signal->rlim;
unsigned long rlim_cur = READ_ONCE(rlim[RLIMIT_STACK].rlim_cur);
unsigned long limit = _STK_LIM / 4 * 3;
limit *= 4; // multiply it back up, to the scale used by rlim_cur
if (rlim_cur > limit) {
WRITE_ONCE(rlim[RLIMIT_STACK].rlim_cur, limit);
STAP_RETURN(limit);
} else
STAP_RETURN(0);
%}
probe kernel.function("copy_strings").call
{
l = clamp_stack_rlim_cur()
if (l)
printf("lowered process %s(%d) STACK rlim_cur to %p\n",
execname(), pid(), l)
}
probe begin {
printf("CVE-2018-14634 mitigation loaded\n")
}
probe end {
printf("CVE-2018-14634 mitigation unloaded\n")
}
Step 3: Run the Script

Lastly, execute the newly created script:

stap -g mutagenastronomypatch.stp

RHEL 7 Patch for Mutagen Astronomy

Step 1: Log in to your CentOS server

ssh root@ip

Step 2: Yum Updates to the Kernel

yum update kernel

 

 

Liquid Web Sales and Tax FAQ

Someone doing taxes

Install Multiple PHP Versions on Ubuntu 16.04

As a default, Ubuntu 16.04 LTS servers assign the PHP 7.0 version. Though PHP 5.6 is coming to the end of life in December of 2018, some applications may not be compatible with PHP 7.0. For this tutorial, we instruct on how to switch between PHP 7.0 and PHP 5.6 for Apache and the overall default PHP version for Ubuntu.

Step 1: Update Apt-Get

As always, we update and upgrade our package manager before beginning an installation. If you are currently running PHP 7.X, after updating apt-get, continue to step 2 to downgrade to PHP 5.6.

apt-get update && apt-get upgrade

Step 2: Install PHP 5.6
Install the PHP5.6 repository with these two commands.

apt-get install -y software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install -y php5.6

Step 3: Switch PHP 7.0 to PHP 5.6
Switch from PHP 7.0 to PHP 5.6 while restarting Apache to recognize the change:

a2dismod php7.0 ; a2enmod php5.6 ; service apache2 restart

Note
Optionally you can switch back to PHP 7.0 with the following command: a2dismod php5.6 ; a2enmod php7.0 ; service apache2 restart

Verify that PHP 5.6 is running on Apache by putting up a PHP info page. To do so, use the code below in a file named as infopage.php and upload it to the /var/www/html directory.

<? phpinfo(); ?>

By visiting http://xxx.xxx.xxx.xxx/infopage.php (replacing the x’s with your server’s IP address), you’ll see a PHP info banner similar to this one, confirming the PHP Version for Apache:

Example of PHP Info page

Continue onto the section PHP Version for Ubuntu to edit the PHP binary from the command line.

Step 4: Edit PHP Binary

Maintenance of symbolic links or the /etc/alternatives path through the update-alternatives command.

update-alternatives --config php

Output:
There are 2 choices for the alternative php (providing /usr/bin/php).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/php7.0 70 auto mode
1 /usr/bin/php5.6 56 manual mode
2 /usr/bin/php7.0 70 manual mode
Press to keep the current choice[*], or type selection number:

Select php5.6 version to be set as default, in this case, its the number one option.

You can now verify that PHP 5.6 is the default by running:
php -v

Output:
PHP 5.6.37-1+ubuntu16.04.1+deb.sury.org+1 (cli)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

Install Nginx on Ubuntu 16.04

Nginx is an open source Linux web server that accelerates content while utilizing low resources. Known for its performance and stability Nginx has many other uses such as load balancing, reverse proxy, mail proxy and HTTP cache. With all these qualities it makes a definite competitor for Apache. To install Nginx follow our straightforward tutorial.

Pre-Flight Check

  • Logged into an as root and are working on an Ubuntu 16.04 LTS server powered by Liquid Web! If using a different user with admin privileges use sudo before each command.

Step 1: Update Apt-Get

As always, we update and upgrade our package manager.

apt-get update && apt-get upgrade

Step 2: Install Nginx

One simple command to install Nginx is all that is needed:

apt-get -y install nginx

Step 3: Verify Nginx Installation

When correctly installed Nginx’s default file will appear in /var/www/html as index.nginx-debian.html . If you see the Apache default page rename index.html file. Much like Apache, by default, the port for Nginx is port 80, which means that if you already have your A record set for your server’s hostname you can visit the IP to verify the installation of Nginx. Run the following command to get the IP of your server if you don’t have it at hand.

ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

Take the IP given by the previous command and visit via HTTP. (http://xxx.xxx.xxx.xxx) You will be greeted with a similar screen, verifying the installation of Nginx!

Nginx Default Page

Note
Nginx, by default, does not execute PHP scripts and must be configured to do so.

If you already have Apache established to port 80, you may find the Apache default page when visiting your host IP, but you can change this port to make way for Nginx to take over port 80. Change Apache’s port by visiting the Apache port configuration file:

vim /etc/apache2/ports.conf

Change “Listen 80” to any other open port number, for our example we will use port 8090.

Listen 8090

Restart Apache for the changes to be recognized:

service apache2 restart

All things Apache can now be seen using your IP in the replacement of the x’s. For example http://xxx.xxx.xxx.xxx:8090

Migration to Managed WooCommerce

Liquid Web is here to support your migration needs into our Managed WooCommerce Hosting platform. Whether you are migrating from an external or internal source, our in-house team of migration experts transforms the data migration process into a simple task. To ensure the smoothest and best possible data transfer, we have a quick overview and a few points for your consideration.

 

Our first step includes taking a copy of your live site (known as the origin site) and migrating it over to our Managed WooCommerce Hosting platform. Rest assured, when performing the migration, the only changes made to the site will be to assist in the movement. Within this timeframe, it is advised to avoid making changes or updates to the site as it will extend the migration timeline and could result in data loss. Changes and updates are included but not limited to themes, designs, contents, products, blog posts or WordPress versions. The initial sync process should result in no downtime for your live site.

Once the initial sync is complete, our Migration Specialists perform a series of basic tests to the site. During this time, our team will send information on ways to test out your new site to ensure that all aspects have carried over correctly and are in working order. Before going live, it is essential to take the time to thoroughly review your site and if at any point you do find a discrepancy our specialist is there to assist.

The third and most exciting step is the push to go live. We will coordinate the best date and time for the final sync of your site. This last sync will ensure the latest data on orders, products, and customers transfers to your new server. Upon completion of the final sync, you will be asked to update the staging domain’s name and DNS record. With a little DNS propagation time, you will begin to see the new site populate!

With the updating of DNS and the site name, you are now entirely done with the migration process. In subsequent steps, we will create a ticket with our Product Team to connect your store to our partnered applications, Glew and Jilt. Credentials to these valued applications will be sent out in an email, after which, our product team can suggest performance optimization methods to get the most out of your eCommerce store.

 

Knowing the details behind the migration process aligns us with our next step in creating a migration request from your Liquid Web control panel! Once completed, our Migration Specialists will be in touch to schedule the migration and answer any questions you may have.

 

Install Xfce Desktop Environment on Ubuntu 16.04

Since 1996, XFCE Desktop gives users the ability to have a graphical user interface (GUI) environment, visually turning your Linux server into an environment more like your desktop computer. With its no-frills look, XFCE does not weigh heavy on the server’s hardware and is faster than GNOME and KDE to boot. Once completed with this small tutorial, you’ll be able to share and connect to the XFCE GUI by continuing to the next tutorial on How To Install VNC.

Pre-flight

  • These instructions are intended for installing Xfce Desktop Environment on an Ubuntu 16.04 LTS server.
  • Logged in as a root user, but for non-root users precede all commands with the word sudo.

Step 1: Update apt-get
With best practices in mind, we will update before proceeding to install XFCE 4

apt-get update

Step 2: Install XFCE4 Desktop Environment
With one command we can install Xfce itself and some useful utilities that come with Xfce:
apt-get install -y xfce4 xfce4-goodies

Step 1:
Run each of these commands so that apt-get can utilize them during the purge of Xfce.
apt-get -f install
apt-get clean
apt-get autoclean
apt-get update

Step 2:
Purge Xfce from your Ubuntu server:
apt-get purge xfce4

As mentioned in our opening paragraph the next step is to configure VNC (virtual network computing) Installing VNC is necessary to open the recently installed Xfce interface. It’s optional but advisable to set up an SSH tunnel that connects to VNC for a secure connection.  Check out our Knowledge Base on the subject of VNC to find your choice of articles.

 

Install Memcached on Ubuntu 16.04

Memcached works to enhance performance by keeping a copy of commonly used script elements within the server’s memory in a form that is more easily read by the server thus reducing time. A bonus feature of this object cacher is its ability to decrease the number of connections to your database. In this tutorial, we instruct how to install Memcached, but it’s important to note that when using Memcache in an application, the application must be specially coded or configured to store and retrieve data this cached data.

Learn more about caching from our dedicated article or visit our series for database optimization.

Pre-flight

  • We are logged in as root on an Ubuntu 16.04 VPS powered by Liquid Web!
  • Installed and running Apache and PHP 7.

Installation of Memcached

Step 1:
Following best practices, we will do a quick package update by using the following command:
apt-get update
Step 2:
Install the Memcached daemon using
apt-get install memcached -y
Step 3:
Install the Memcache module for PHP fuctionality:
apt-get install php-memcached -y

Verify installation of Memcached

Use the php -m flag to show compiled modules while sorting through specifically looking for memcached.

php -m | grep memcached
memcached

Optional Configurations

At some point, you may find that you need to change the default settings of Memcached. These include adjusting the port number, memory for your cache, and the listening IP address.
vim /etc/memcached.conf

Adjust these configurations by keeping the same flags (-m, -p, -u, -l), adjusting the letter or number after the flag and save the file by typing :wq .
# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 64
 
# Default connection port is 11211
-p 11211
 
# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u memcache
 
# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

 

Restart your Memcached service to recognize the changes to this file:
systemctl restart memcached

How to Remove (Delete) a User on Ubuntu 16.04

User management includes removing users who no longer need access, removing their username and any associate root privileges are necessary for securing your server. Deleting a user’s access to your Linux server is a typical operation which can easily be performed using a few commands.  

Pre-flight Check

  • We are logged in as root on an Ubuntu 16.04 VPS powered by Liquid Web!

Step 1: Remove the User

Insert the username you want to delete by placing it after the userdel command. In our example, I’ll be deleting our user, Tom.

userdel tom

Simultaneous you can delete the user and the files owned by this user with the -r flag.  Be careful these files are not needed to run any application within your server.

userdel -r tom

If the above code produces the message below, don’t be alarmed, it is not an error, but rather /home/tom existed but /var/mail/tom did not.

userdel: tom mail spool (/var/mail/tom) not found

 

Step 2: Remove Root Privileges

By removing Tom’s username from our Linux system we are halfway complete, but we still need to remove their root privileges.

visudo

Navigate to the following section:

## Allow root to run any commands anywhere
root ALL=(ALL:ALL) ALL
tom ALL=(ALL:ALL) ALL

Or:

## User privilege specification
root ALL=(ALL:ALL) ALL
tom ALL=(ALL:ALL) ALL

With either result, remove access for your user by deleting the corresponding entry:

tom ALL=(ALL:ALL) ALL

Save and exit this file by typing :wq and press the enter key.

To add a user, see our frequently used article, How to Add a User and Grant Root Privileges on Ubuntu 16.04. Are you using a different Ubuntu version? We’ve got you covered, check out our Knowledge Base to find your version.

Create a Robots.txt File

A web robot’s primary job is to scan websites and pages for information; they work tirelessly to collect data on behalf of search engines and other applications. For some, there is good reason to keep pages away from search engines.  Whether you want to fine-tune access to your site or want to work on a development site without showing up Google results, once implemented the robots.txt file lets web crawlers know which parts they can collect information.

Create a Robots.txt File

As being one of the first aspects analyzed by crawlers, the robots.txt file can be implemented on a page(s) or an entire site to discourage search engines from showing details about your site. Through this article, we will be providing insight into how to use the robots.txt file as well as syntax needed to keep these bots at bay.

User-agent: *
Disallow: /

 

Let’s break down the code below “user-agent” pertains to the web crawlers and the * sign means all web crawlers. Consequently, the first line grabs attention by saying “Listen up all web crawlers!” We move onto our second line which lets the web crawler know its direction. The forward slash (/) stops the bots from searching all the pages on your site. You can also discourage information collected for one specific page, in this case, it is a map of our building layout. Since the design of our building does not need to searchable, with the command below, I can tell all bots to leave out the index of the buildinglayout.png photo, while keeping it viewable to any guest that want to view.

User-agent: *
Disallow: /buildinglayout.png

 

Contrary, if you would like for all search engines to collect information on all the pages in your site you can leave the Disallow section blank.

User-agent: *
Disallow:

 

There are many types of web crawlers (aka user-agents) that can be specified. Below is a chart of the most popular web crawlers followed by as their associations. Furthermore, you can also instruct these bots to index a certain page by using Allow, as shown in the example below. You can implement these web crawlers within your robots.txt file like so:

User-agent:Googlebot
Allow: /parkinglotmap.png
Disallow: /buildinglayout.png

User-agent and their Association
Mostly, sites don’t automatically come with a robots.txt file (and isn’t required) so you can create one using a text editor and upload the file to your root directory or any other directory.  Luckily, if you use the popular CMS, WordPress and its helpful SEO plugin Yoast, you’ll see a section within the admin window to create a robots.txt file.

Robots.txt File In WordPress

Yoeast SEO Tool Section

 

After logging into your WordPress backend (yourdomain.com/wp-login.php) locate the SEO section and select Tools. After clicking on the file editor link, you see a page that looks similar to the code used in the first of our article.

Wordpress Robots.txt File

 

Our example keeps web bots from WordPress login page, including wp-includes directory while still allowing users and bots to see other pages of our site. Take note of the necessary ending slashes after the directory (but not needed when disallowing pages). After editing select the “save changes to robots.txt” button to activate the robots.txt file.