Category: PHP

Exploring the goal of common WordPress and PHP attack paths.

After checking the access logs for any suspicious activity on the server, I noticed some common paths that seemed to come up a lot.
Checking about them through Gemini AI and online searches provided the following information:

Here’s a breakdown of the listed paths and why some are likely attacks:

Likely Attacks:

  • /wp-content/uploads/wp-casper.php: This file is not a standard WordPress file and likely a malicious script for uploading malware or exploiting vulnerabilities.
  • /wp-content/uploads/uploads.php: Uploading functionality is typically handled by WordPress core, not a separate script in the uploads folder. This suggests a potential attempt to bypass security measures.
  • /wp-content/uploads/wso112233.php: This filename format (wsoXXXX) is commonly associated with webshell tools used for gaining unauthorized access.
  • /wp-content/uploads/2023/wp-signup.php: While a legitimate signup script could exist in this location for some plugins, it’s uncommon. The presence of a year in the path makes it more suspicious.
  • /wp-includes/css/wp-config.php: This is a highly critical configuration file storing database credentials. Accessing it via a HTTP request is a clear attack attempt.

Suspicious but require further investigation:

  • /vendor/phpunit: PHPUnit is a legitimate testing framework used by developers. However, if you are not actively running tests or expecting PHPUnit usage, unknown access to this folder could be suspicious.
  • /vendor/bin/test.php: Similar to the above, this could be a legitimate testing script but requires verification of its purpose.
  • /wp-content/uploads/2022/themes.php”: Themes are usually stored in the /wp-content/themes folder. Having a themes.php script in the uploads folder is suspicious, especially with a year in the path.
  • /wp-content/uploads/2020/09/themes.php: Similar to the above, the presence of a themes.php script in the uploads folder with a date path is suspicious.

After searching online further, I found a long list of paths that shows common paths that are attacked:

https://www.luszcz.de/widwsisw/i/i0004en.php

WordPress paths and .env paths come up a lot!

Also, the reasoning for searching for phpunit, might be answered by the following article: https://thephp.cc/articles/phpunit-a-security-risk

It seems there has been a file included in it that can be exploited.
As usual, it is best to be careful to not include development code in production and also not expose dependency areas such as vendor publicly.

Easy to miss issue with built-in PHP server – No Apache, no .htaccess.

I had an issue where I could not get the .htaccess of a PHP project I had to work.
I couldn’t understand why simple .htaccess code was not working.
After some wasted time, the obvious came to light, I was testing the project through scripts that started the built-in PHP server. Does the PHP server handle .htaccess files? A quick Bard AI request reveals the issue,

Does the in built PHP server handle .htaccess files?

No, the built-in PHP server does not handle .htaccess files. .htaccess files are specific to the Apache web server, and the built-in PHP server is not an Apache web server.

If you need to use .htaccess files, you will need to use a real web server, such as Apache or Nginx.

There are a few workarounds for using .htaccess files with the built-in PHP server. One workaround is to create a PHP script that parses the .htaccess file and handles all routing. Another workaround is to use a real web server to serve the .htaccess file, and then use the built-in PHP server to serve the rest of your website.

However, it is generally not recommended to use the built-in PHP server in production. It is intended for development and testing purposes only.

There you go. The built-in PHP server is not an Apache web server. “use a real web server, such as Apache or Nginx.” : )

How to parse the datetime format used on lines in phperror.log?

The following was returned using Bard AI. It provided a good response, so I am sharing below:

Prompt used: “For the $format argument used in DateTime::createFromFormat of PHP, what format should I use to parse “10-Sep-2023 00:13:12 UTC”?”.

The following format can be used to parse the string 10-Sep-2023 00:13:12 UTC using the DateTime::createFromFormat function in PHP:

$format = 'd-M-Y H:i:s T';

This format specifies the following:

  • d: The day of the month, as a two-digit number.
  • M: The month, as a three-letter abbreviation.
  • Y: The year, as a four-digit number.
  • H: The hour, as a two-digit number in 24-hour format.
  • i: The minute, as a two-digit number.
  • s: The second, as a two-digit number.
  • T: The time zone, as a single-letter abbreviation.

In this case, the time zone is UTC, which is the Coordinated Universal Time.

To parse the string 10-Sep-2023 00:13:12 UTC, we can use the following code:

PHP
$dateTime = DateTime::createFromFormat($format, '10-Sep-2023 00:13:12 UTC');
Use code with caution. Learn more

content_copy

This will create a DateTime object representing the specified date and time in UTC.

We can then use the DateTime object to get the individual components of the date and time, or to perform other operations, such as formatting the date and time in a different format.