Is it possible to get db and user info by forcing some error messages etc ?
John Myrstad
10% in zone. Google safety reports on a network zone (whatever that is), and that is a much larger unit than a single server (thousands of sites ~ dozens of servers).
The link I am missing here is how the hacker went from another hacked site to hacking mine the first time. If it was hard (like running brute force against the server for a long time), that is one story.
But if there are issues that allow easily bypassing the WP login using another site on the same server, I think that is a considerable security risk and should be hardened.
Actually it will work like that even if there is no cPanel at all. I think that's the way the MySQL server works: it is configured to accept connections from the local server, but it doesn't distinguish between sites on it. All it cares about is a correct login/password.

In cPanel, for instance, if I know the database and user/pass for another account's database, I do not have to be logged in to that account to access their database.
Some people have tried to get them to acknowledge this as a bug.
I don't think this is possible. Login information is only sent on the initial connection, and MySQL error messages are quite non-descriptive, as I experienced. :) You must somehow get the saved login details; in the case of WP that is wp-config.php. Or brute force.
MySQL supports locking down database user access to specific IPs or FQDNs; however, I believe that most systems default to using % as the host parameter for the database. This means that the default allows for any host to authenticate as that user. This isn't necessarily a problem, but it becomes a problem when you consider that most software packages such as the database management tools that cPanel offers don't seem to offer a way to modify the host parameter at all. That's where the security issue comes into play.
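As an added example (not code from anyone in this thread), the following SQL shows the point made in the two posts above: how to find accounts whose host is the wildcard `%`, what the weak and the tightened grant look like side by side, and how to verify the result. The user name wp_site1 and database wp_site1_db are hypothetical placeholders; the password string must be replaced.

```sql
-- Added example, not from the thread. Names wp_site1 / wp_site1_db are placeholders.
-- Requires MySQL 5.7+ / MariaDB 10.1+ for DROP USER IF EXISTS.

-- 1. Audit: list accounts whose host contains the wildcard '%', i.e. accounts
--    that may authenticate from anywhere (the default many panel tools leave).
--    '\%' in a LIKE pattern matches a literal percent sign.
SELECT user, host
FROM mysql.user
WHERE host LIKE '%\%%';

-- 2. Weak form: the user is accepted from any host, so a password leaked from
--    wp-config.php is usable from any machine that can reach the MySQL port.
CREATE USER 'wp_site1'@'%' IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT ALL PRIVILEGES ON wp_site1_db.* TO 'wp_site1'@'%';

-- 3. Tightened form: same privileges, scoped to one database, but the account
--    only exists for connections arriving via localhost, which is where a
--    WordPress install on the same box connects from.
DROP USER IF EXISTS 'wp_site1'@'%';
CREATE USER 'wp_site1'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT ALL PRIVILEGES ON wp_site1_db.* TO 'wp_site1'@'localhost';
FLUSH PRIVILEGES;

-- 4. Verify: the account should now appear only with host 'localhost',
--    and the grant should cover only wp_site1_db.
SELECT user, host FROM mysql.user WHERE user = 'wp_site1';
SHOW GRANTS FOR 'wp_site1'@'localhost';
```

One caveat worth keeping in mind: restricting the host to localhost closes off remote use of a leaked password, but it does not separate neighbouring sites on the same server from each other, because all of them connect from localhost too. As the earlier post says, MySQL only checks user and password; protection between tenants comes from each site having its own database user, scoped to its own database, and from wp-config.php not being readable by other accounts on the box.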
As far as I can tell, MySQL on my server is configured for localhost (or maybe the server IP explicitly) connections, with the option of adding allowed remote hosts in cPanel.
By the way, as hardening goes, I implemented some tweaks: locked down everything admin-related to my home IP, installed plugins for a more secure and brute-force-proof login, and installed plugins that log events and monitor files for changes.
Even if it won't save me next time... with this many tripwires it will help to reduce my reaction time. Getting hacked is bad enough; letting the hacker feel at home is even worse. :)