wordpress defaced with anonymousfox

Discussion in 'ISPConfig 3 Priority Support' started by tr909192, Jun 29, 2021.

  1. tr909192

    tr909192 Member HowtoForge Supporter


    we have seen a couple of wordpress hacked by the infamous anonymousfox defacer:


    On one of them for some reason was be able to grab the passwd file of the server, i suppose uploading and using a custom php.ini file with openbasedir disable.
    Also the configuration was already did in order to avoid the ability for the user to upload a custom php.ini file (user_ini.filename = set at empty in php.ini). Any other clue on stuff that i can verify?
    We are in deb 10.6 and php 7.4(fast-cgi) environment

  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Upgrade to latest Debian GNU/Linux 10.x, my system is at 10.10 now. Most of the updates for Debian Stable release are security fixes or fixes for serious bugs.
    On Debian 10 ISPConfig is supposed to support PHP 7.3. Are you really on 7.4? The websites can run 7.4, that is OK but the system PHP must remain the Debian 10 default.
  3. tr909192

    tr909192 Member HowtoForge Supporter

    Yes, php 7.4 is installed on the server as additional php. And the vhost hacked run on that php.
    The system php is 7.3 as deb 10 default.

    Upgrade to the latest deb is fine, but sounds a little bit generic. Due that stuff seems to be really a php related stuff.

  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. tr909192

    tr909192 Member HowtoForge Supporter

    switching from fcgi to fpm is a generic improvement, or there is specific security threat on fcgi (also if used with openbasedir as perfect server configure it)? because fcgi is used very often.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    php-fpm is the successor of php-FastCGI. Using FastCGI is generally fine and not a security issue, but it makes no sense to favor this older technology. New servers and new sites on older systems should use php-fpm today and even older sites should be switched over step by step. And you can't use the chrooting feature in FastCGI mode.
  7. tr909192

    tr909192 Member HowtoForge Supporter

    ok i'll give a try on that way.
    the only things not clear is about the opcache problem for fpm. I can set opcache.validate_root = 1 in opcache.ini in order to configure globally for any host with fpm on that server?

  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's probably ok. You should check it with phpinfo() in a website where you enabled chroot for php-fpm though. if it does not work, then try enabling it in php.ini instead.
    tr909192 and ahrasis like this.

Share This Page