Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/10/19 13:37:36 UTC

URI_WPADMIN fp

Hi,

Should we be adding 3 points for just this, or is there never a reason
users should be using /wp-admin in their URLs?

Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
======> got hit: "/wp-admin/images/"

The rule description says possible phishing, but how would an end-user
be in a position to create a public link that involves their WP admin
directory in the first place?

Re: URI_WPADMIN fp

Posted by John Hardin <jh...@impsec.org>.
On Fri, 19 Oct 2018, Bill Cole wrote:

> On 19 Oct 2018, at 9:37, Alex wrote:
>
>> Hi,
>> 
>> Should we be adding 3 points for just this, or is there never a reason
>> users should be using /wp-admin in their URLs?
>
> The score is coming out of RuleQA, so the score is derived empirically, not 
> by a logical process based in arbitrary axioms.
>
> That doesn't mean it's the one true score for everyone, just that it's a 
> useful score in the context of the spam and ham corpora submitted to RuleQA. 
> If it causes actual FPs (i.e. ham that is identified as spam, NOT ham 
> identified as ham that happens to hit a strong spam rule but scores below the 
> threshold) then it is probably a good idea to limit its score in RuleQA or to 
> examine the FPs to find ways to narrow the rule. I see that John has the 
> basic rigging in place to allow for narrowing via meta conditions, so 
> presumably he anticipated the possibility.

Yup.

It's only hitting 80 spams and one ham in the current masscheck corpora. 
If it *is* causing FPs, please report it here as such and I'll reduce the 
score limit. It was hitting more when it was first created.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   One death is a tragedy; thirty is a media sensation;
   a million is a statistic.              -- Joseph Stalin, modernized
-----------------------------------------------------------------------
  568 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URI_WPADMIN fp

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 19 Oct 2018, at 9:37, Alex wrote:

> Hi,
>
> Should we be adding 3 points for just this, or is there never a reason
> users should be using /wp-admin in their URLs?

The score is coming out of RuleQA, so the score is derived empirically, 
not by a logical process based in arbitrary axioms.

That doesn't mean it's the one true score for everyone, just that it's a 
useful score in the context of the spam and ham corpora submitted to 
RuleQA. If it causes actual FPs (i.e. ham that is identified as spam, 
NOT ham identified as ham that happens to hit a strong spam rule but 
scores below the threshold) then it is probably a good idea to limit its 
score in RuleQA or to examine the FPs to find ways to narrow the rule. I 
see that John has the basic rigging in place to allow for narrowing via 
meta conditions, so presumably he anticipated the possibility.

> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
> ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user
> be in a position to create a public link that involves their WP admin
> directory in the first place?

Think more carefully about that question. As written it seems much more 
naive than you can actually be.

2 hints:

1. WordPress is probably the most frequently compromised server software 
in the history of the web, excluding Microsoft products.
2. If a website isn't built on WordPress (as most are not) there is 
nothing in any way special about a 'wp-admin' token in a functioning 
URL. I'd offer to demonstrate that with my own website, but I'm not in a 
mood to disable the trap that converts every request for a 
WordPress-like URL into a firewall rule and DNSBL entry...

Re: URI_WPADMIN fp

Posted by Paul Stead <pa...@zeninternet.co.uk>.
Great info - I think the other WP rules I co-wrote in the rules base conform to this convention - I'll double check

Paul

On 19/10/2018, 20:36, "Charles Sprickman" <sp...@bway.net> wrote:


    > On Oct 19, 2018, at 10:15 AM, Paul Stead <pa...@zeninternet.co.uk> wrote:
    >
    > Can't comment on the score - hacked WordPress sites often have bits hosted in
    >
    > * wp-admin

    Yes.

    > * wp-content

    Yes and no.

    Everything that a user uploads for their site lives under wp-content, so any rule triggering on that part of the URL would be a mistake.

    The tree looks like this:

    /wp-content/themes/ - this is where website themes (think templates) live. You will see css and js from this directory or subdirectories, also in some cases images (icons and the like)
    /wp-content/plugins/ - this is where WP plugins (gobs of code that add some specific functionality to the site) live. Similar to themes, you’ll generally see css and js there, and possibly some images
    /wp-content/uploads/ - this is where all images/media that the webmaster uploads live. This is where you want to be strict with any URL matching rules.  You should NOT see any files ending in .js nor .css - that’s a strong sign that the installation is compromised.

    You should NOT see any files ending in .php in ANY of the above directory trees.  Themes and plugins contain .php files, but they are NOT directly executed from outside, they are simply included by other WP core code.  So when you see a .php file in those directories in a URL, something is very wrong.  And you’re likely looking at a compromised account, which is likely somehow involved in spamming or phishing.

    A good webhost applies a few very simple rules that block about 99% of the WP exploits:

    - PHP not even parsed under the uploads directory ENTIRELY, even for includes.  Since this directory is ALWAYS writable by the web user, it’s where most exploits want to put their payloads. You break nothing but exploits by disallowing php execution there. Similarly, you block no good email by nuking any URL that ends in .php and lives under that directory.
    - PHP not executed anywhere under /wp-content other than by includes
    - /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated users. You should never see any URL other than that from that directory.
    - Only wp-content is writable by the web user (pretty rare, but doable, and very common with “boutique” hosting)

    You will have a surprisingly secure WP install with just those few simple steps above.

    That’s my WP quicky for anyone writing WP rules.  If such a person is on the list and wants to discuss, I’m super happy to do so!

    Charles

    > Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails
    >
    >
    > Paul
    >
    > On 19/10/2018, 14:38, "Alex" <my...@gmail.com> wrote:
    >
    >    Hi,
    >
    >    Should we be adding 3 points for just this, or is there never a reason
    >    users should be using /wp-admin in their URLs?
    >
    >    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
    >    ======> got hit: "/wp-admin/images/"
    >
    >    The rule description says possible phishing, but how would an end-user
    >    be in a position to create a public link that involves their WP admin
    >    directory in the first place?
    >
    >
    > --
    > Paul Stead
    > Senior Engineer (Tools & Technology)
    > Zen Internet



--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet

Re: URI_WPADMIN fp

Posted by Charles Sprickman <sp...@bway.net>.
> On Oct 19, 2018, at 10:15 AM, Paul Stead <pa...@zeninternet.co.uk> wrote:
> 
> Can't comment on the score - hacked WordPress sites often have bits hosted in
> 
> * wp-admin

Yes.

> * wp-content

Yes and no.

Everything that a user uploads for their site lives under wp-content, so any rule triggering on that part of the URL would be a mistake.

The tree looks like this:

/wp-content/themes/ - this is where website themes (think templates) live. You will see css and js from this directory or subdirectories, also in some cases images (icons and the like)
/wp-content/plugins/ - this is where WP plugins (gobs of code that add some specific functionality to the site) live. Similar to themes, you’ll generally see css and js there, and possibly some images
/wp-content/uploads/ - this is where all images/media that the webmaster uploads live. This is where you want to be strict with any URL matching rules.  You should NOT see any files ending in .js nor .css - that’s a strong sign that the installation is compromised.

You should NOT see any files ending in .php in ANY of the above directory trees.  Themes and plugins contain .php files, but they are NOT directly executed from outside, they are simply included by other WP core code.  So when you see a .php file in those directories in a URL, something is very wrong.  And you’re likely looking at a compromised account, which is likely somehow involved in spamming or phishing.

A good webhost applies a few very simple rules that block about 99% of the WP exploits:

- PHP not even parsed under the uploads directory ENTIRELY, even for includes.  Since this directory is ALWAYS writable by the web user, it’s where most exploits want to put their payloads. You break nothing but exploits by disallowing php execution there. Similarly, you block no good email by nuking any URL that ends in .php and lives under that directory.
- PHP not executed anywhere under /wp-content other than by includes
- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated users. You should never see any URL other than that from that directory.
- Only wp-content is writable by the web user (pretty rare, but doable, and very common with “boutique” hosting)

You will have a surprisingly secure WP install with just those few simple steps above.

That’s my WP quicky for anyone writing WP rules.  If such a person is on the list and wants to discuss, I’m super happy to do so!

Charles

> Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails
> 
> 
> Paul
> 
> On 19/10/2018, 14:38, "Alex" <my...@gmail.com> wrote:
> 
>    Hi,
> 
>    Should we be adding 3 points for just this, or is there never a reason
>    users should be using /wp-admin in their URLs?
> 
>    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
>    ======> got hit: "/wp-admin/images/"
> 
>    The rule description says possible phishing, but how would an end-user
>    be in a position to create a public link that involves their WP admin
>    directory in the first place?
> 
> 
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
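The directory-tree rules and the hosting rules in Charles's message above, turned into a URI classifier. This is an added example, not code from the thread or from SpamAssassin; the function names and the sample URLs are constructed here, and the regexes could be carried over into SpamAssassin `uri` rules as they stand.

```python
import re
from urllib.parse import urlparse

# Patterns derived from the message above (constructed here, not from the SA rules base):
#  - a .php file anywhere under /wp-content/ is only ever included, never linked
#  - /wp-content/uploads/ holds media only, so .js or .css there is a red flag
#  - under /wp-admin/ only admin-ajax.php is reachable without authentication
WP_CONTENT_PHP = re.compile(r"^/wp-content/.*\.php$", re.I)
UPLOADS_CODE = re.compile(r"^/wp-content/uploads/.*\.(?:js|css)$", re.I)
WP_ADMIN = re.compile(r"^/wp-admin(?:/|$)", re.I)
WP_ADMIN_AJAX = re.compile(r"^/wp-admin/admin-ajax\.php$", re.I)


def classify_wp_uri(url):
    """Return the reason tags a URL trips; an empty list means nothing suspicious."""
    path = urlparse(url).path          # query string and fragment are dropped here
    reasons = []
    if WP_CONTENT_PHP.match(path):
        reasons.append("php_under_wp_content")
    if UPLOADS_CODE.match(path):
        reasons.append("script_or_style_in_uploads")
    if WP_ADMIN.match(path) and not WP_ADMIN_AJAX.match(path):
        reasons.append("wp_admin_non_ajax")
    return reasons


def summarize(urls):
    """Count how many of the given URLs hit each reason, for tuning a rule's scope."""
    counts = {}
    for url in urls:
        for reason in classify_wp_uri(url):
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample links; the first one is the hit from Alex's debug log.
SAMPLE_URLS = [
    "http://example.invalid/wp-admin/images/",
    "http://example.invalid/wp-admin/admin-ajax.php?action=heartbeat",
    "http://example.invalid/wp-content/uploads/2018/10/logo.png",
    "http://example.invalid/wp-content/uploads/cache/x.js",
    "http://example.invalid/wp-content/plugins/foo/x.php",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, classify_wp_uri(url))
    print(summarize(SAMPLE_URLS))
```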


Re: URI_WPADMIN fp

Posted by Paul Stead <pa...@zeninternet.co.uk>.
Can't comment on the score - hacked WordPress sites often have bits hosted in

 * wp-admin
 * wp-content

Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails


Paul

On 19/10/2018, 14:38, "Alex" <my...@gmail.com> wrote:

    Hi,

    Should we be adding 3 points for just this, or is there never a reason
    users should be using /wp-admin in their URLs?

    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
    ======> got hit: "/wp-admin/images/"

    The rule description says possible phishing, but how would an end-user
    be in a position to create a public link that involves their WP admin
    directory in the first place?


--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet

Re: URI_WPADMIN fp

Posted by John Hardin <jh...@impsec.org>.
On Fri, 19 Oct 2018, Alex wrote:

> Should we be adding 3 points for just this, or is there never a reason
> users should be using /wp-admin in their URLs?
>
> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
> ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user
> be in a position to create a public link that involves their WP admin
> directory in the first place?

It's generally a sign of a hacked server.

However, 3 points may be extreme given it's hitting only 0.0280% of spam.
