App not responding
-
Getting this error in the logs:
Jun 08 11:52:20 [Mon Jun 08 10:52:20.106441 2020] [access_compat:error] [pid 69] [client 172.18.0.1:58994] AH01797: client denied by server configuration: /app/data/public/wp-includes/version.php
version.php is a core WP file so not sure what the issue is?
I have another WordPress (Unmanaged) app that is still running fine.
-
@girish said in App not responding:
Could that be the case here?
No, there are no security plugins installed.
Also, it's a strangely intermittent issue. Right now the app is responding (well, I can get to https://uniteddiversity.org no problem, it still says not responding in my Cloudron dashboard). However, I get a 403 when trying to access https://uniteddiversity.org/wp-admin/
Thankfully it's not actually a production site, was just using it as a staging site (and I think I just copied this app over to https://uniteddiversity.coop which has been running fine ever since).
FYI, these redirect rules are the only thing in .htaccess at present:
<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine on
    RewriteRule ^.*/(\d+)/$ customero/index\.php?id=$1&%{QUERY_STRING} [L]
    RewriteRule ^.*-(\d+)/$ customero/index\.php?cat=$1&%{QUERY_STRING} [L]
    RewriteBase /
</IfModule>
-
I also see this in my logs:
Jun 20 08:44:28 box:scheduler runTask: skipped task wpcron because app uniteddiversity.org has state installed / running
-
@jdaviescoates The unmanaged WP app will try to access https://uniteddiversity.org/wp-includes/version.php for health checks and indeed it returns a 403. I am not sure why, because the default installation does return 200. I have to go back to my original question - Do you have any plugins installed? (I know you said no, but can you double check?) And indeed wp-admin also, as you said, returns 403. We need to figure out why.
(The cronjob tasks of WP are skipped because the health check is failing. The error message needs to be improved).
-
@girish said in App not responding:
Do you have any plugins installed? (I know you said no, but can you double check?)
You asked about security plugins before, which I don't have.
I do have other plugins installed... I need to check but I think I'm using exactly the same plugins at https://uniteddiversity.coop without issue...
-
@jdaviescoates said in App not responding:
I do have other plugins installed... I need to check but I think I'm using exactly the same plugins at https://uniteddiversity.coop without issue...
I am wondering why there is no issue. At least, https://uniteddiversity.org/wp-includes/version.php returns a 404 here. What about for you? Since it returns 404, I expect the Cloudron dashboard to show "Not responding". Is that not the case?
-
@girish said in App not responding:
I am wondering why there is no issue. At least, https://uniteddiversity.org/wp-includes/version.php returns a 404 here. What about for you? Since it returns 404, I expect the Cloudron dashboard to show "Not responding". Is that not the case?
Note that I'm talking about very similar but different domains here - one is .org the other .coop
https://uniteddiversity.org - is indeed shown as not responding in the Cloudron dashboard. But if you go to https://uniteddiversity.org it appears to actually be running. But yes, I get 403 forbidden for https://uniteddiversity.org/wp-includes/version.php and https://uniteddiversity.org/wp-admin/
https://uniteddiversity.coop - is exactly the same (I think I literally used the .org as a staging site whilst importing over from my shared hosting) but is running totally fine.
However, I just checked and it does look like there are differences in the plugins that are installed, so I guess that might be it...
Here were the plugins in .org
And here are the ones that were in .coop
The one that jumps out as not belonging there is WPCoreSys (I definitely didn't install anything like that and it's not in the other one, so not Cloudron installed either) and a quick search would seem to suggest that is malware - I wonder if I never changed the default admin password and that let them in... (if so, perhaps as a small additional security measure default passwords should be something more random and harder to crack than changeme?)
Anyway, I deleted that plugin (and the others that aren't also in .coop) and the problem persists, so I think I'll just delete the app (the only reason I hadn't already done so was to debug what was happening). Thankfully this wasn't ever a production app.
Annoyingly I also deleted all the plugins without first noting their dates etc. So before I do completely delete it all I wonder if there is anything in the logs that will show when this malicious plugin was installed/ or confirm that I never changed the default password?
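
Added example (not part of the original post, and not Cloudron's own tooling): the plugin comparison described above can be scripted so that unexpected plugin names and their newest file modification times are recorded before anything is deleted. The two plugin directory paths are arguments you supply, `stat -c` assumes GNU coreutils, and the tree built by `make_sample` is constructed sample data.

```shell
#!/bin/sh
# Compare a known-good wp-content/plugins directory against a suspect one.

# List top-level entries (plugin folders and single-file plugins), sorted bytewise.
list_plugins() {
    ( cd "$1" && ls -1A ) | LC_ALL=C sort
}

# Print entries present in the suspect install but absent from the baseline.
unexpected_plugins() {
    baseline=$1 suspect=$2
    tmp_a=$(mktemp) tmp_b=$(mktemp)
    list_plugins "$baseline" > "$tmp_a"
    list_plugins "$suspect" > "$tmp_b"
    LC_ALL=C comm -13 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# For each unexpected entry, print "name<TAB>newest file mtime" (GNU stat assumed).
# Modification times can be forged, so treat them as a hint, not proof.
report_unexpected() {
    unexpected_plugins "$1" "$2" | while IFS= read -r name; do
        newest=$(find "$2/$name" -type f -exec stat -c '%Y %y' {} + 2>/dev/null \
                 | sort -n | tail -n 1 | cut -d' ' -f2-3)
        printf '%s\t%s\n' "$name" "${newest:-unknown}"
    done
}

# Constructed sample: two throwaway plugin trees standing in for the two installs.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/good/akismet" "$root/good/jetpack" \
             "$root/bad/akismet" "$root/bad/jetpack" "$root/bad/unknown-plugin"
    echo '<?php' > "$root/bad/unknown-plugin/loader.php"
    printf '%s\n' "$root"
}

# Usage: sh compare-plugins.sh /path/to/good/plugins /path/to/suspect/plugins
if [ "$#" -eq 2 ]; then
    report_unexpected "$1" "$2"
fi
```

Save the output somewhere outside the app before removing any plugin directories, since the directory listing is the only record of what was there.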
-
Just a small piece of advice: I use this (free) plug-in on all my WordPress sites and even on two of them the premium version (but not really really really needed to have perfect defense):
-
@jdaviescoates said in App not responding:
perhaps as a small additional security measure default passwords should be something more random and harder to crack than changeme?
Yeah, I agree with this. I think it would be best if we can generate a password at install time and somehow give it to the user instead of the current approach of hardcoding passwords like changeme. It's happened a few times that people forget to change the password immediately.
I have created https://git.cloudron.io/cloudron/box/-/issues/708
-
@jdaviescoates FWIW, I also recently found a mysterious plugin in my WP installation, but no logins or anything. I determined it must have snuck in on a theme I installed for testing, even though it was from the built-in theme picker. So I deleted all the extra themes, the plugins (Sorry, I forget what they were called, there were two).
-
@scooke WPcoresys is malware:
https://sarn.phamornsuwana.com/2017/01/10/wpcoresys-dolly-hack/
https://sarn.phamornsuwana.com/2017/08/23/wpcoresys-dolly-hack-revisited/
https://www.slideshare.net/SucuriSecurity/sucuri-webinar-how-to-clean-hacked-wordpress-sites
@jdaviescoates I think it isn’t sufficient to only delete the plugin. Sucuri site check mentioned that the SSL certificate is wrong and look at what Brave browser says: