Alert: WordPress core file modified: core wp-admin/includes/upgrade.php

I ported my existing website and blog over to WordPress the other day. Concerned about security, I downloaded and installed the plugin Wordfence. Wordfence offers a host of security features such as a Web Application Firewall (WAF), real-time defense feed, country blocking (Blacklisting), and protection from brute force attacks.

I run Wordfence for several days and receive my first alert that my WordPress “core wp-admin/includes/upgrade.php” file has been modified and differs from the original file distributed with this version of WordPress, Severity: Critical. At this point Wordfence gives you a number of options. You can view the file, restore the original version of the file, or see how the file has changed. I select see how the file has changed.

After closer inspection, I do see that the file has changed. But why? I did not make the change. I research the issue and find that “@wp_mail($email, __('New WordPress Site'), $message);” is an email notification that WordPress sends by default when you first create your website. The change is made when you use a one an

I find that the file was modified by GoDaddy’s Managed WordPress hosting service automated WordPress installer during installation. It seems the change is safe so I select “Ignore until the file changes” (See above).

The point here is that file integrity monitoring is a key component in security and meeting compliance requirements. For example, PCI DSS Version 3.2 references file integrity monitoring in sections 10.5.5 and 11.5. PCI DSS states that you should install file integrity monitoring software in order to meet compliance (“Payment Card,” 2016):

Requirement 10.5.5

PCI DSS Requirement: 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)

Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

Testing Procedure: 10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.

Guidance: File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.

Requirement 11.5

PCI DSS Requirement: 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Testing Procedure: 11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored:

  • System executables
  • Application executables
  • Configuration and parameter files
  • Centrally stored, historical or archived, log and audit files
  • Additional critical files determined by entity (for example, through risk assessment or other means)

11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.

Guidance: Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

In fact, file integrity monitoring is mentioned across all security standards and best practices. For instance, see the NIST 800-53 (Rev 4) SYSTEM AND INFORMATION INTEGRITY Control Family, controls SI-1, SI-2, SI-3, SI-4, SI-5, SI-6, and SI-7 (“NIST Special,” n.d.):

  • SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
  • SI-2 FLAW REMEDIATION
  • SI-3 MALICIOUS CODE PROTECTION
  • SI-4 INFORMATION SYSTEM MONITORING
  • SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
  • SI-6 SECURITY FUNCTION VERIFICATION
  • SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

In particular SI-7(1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY states:

Control Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. (“NIST Special,” n.d.)

Supplemental Guidance

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. (“NIST Special,” n.d.)

File integrity monitoring also appears in the NIST Cybersecurity Framework under the Protect Function (PR), Category Data Security (PR.DS), Subcategory PR.DS-6, which states: “PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.” It can be further mapped to ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3 (“Framework,” 2014).

File Integrity Monitoring (FIM) Solutions

At the time of this post, Tripwire is the enterprise industry leader in file integrity monitoring & change management (FIM). According to Tripwire, “The term file integrity monitoring was first used back in 2001 when VISA was working on a security specification that would eventually become the PCI standard. FIM is technology that monitors and detects changes in files that may indicate a cyber attack. Unfortunately, for many organizations, FIM mostly means noise: too many changes, no context around these changes, and very little insight into whether a change actually poses a risk. FIM is a critical security control, but it must provide sufficient insight and actionable intelligence. “True FIM” is more than change detection. It helps you determine whether those changes are good or bad.” (“File Integrity,” n.d.)

A true FIM process consists of the following steps:

1. Set policy: Start by defining your policy, identifying which files on which devices need to be monitored.

2. Baseline files: Then ensure the files you assess are in a known good state. This may involve evaluating version, creation and modification dates, or any other file attribute.

3. Monitor & Reconcile Changes: You may see hundreds of file changes on a normal day on a single system. Knowing a good change from a bad one is essential.

4. Alert: When unauthorized changes are detected, focus on the highest priority alerts and take corrective action before more damage is done.

5. Report: FIM is required for PCI compliance and most other standards. Clear reports with the ability to drill-down are important both for operational processes and audit compliance. (“File Integrity,” n.d.)
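
The policy, baseline, compare and alert steps above can be sketched as follows, with a reviewer's decision to ignore a benign change modeled as accepting one exact hash, so that any further change to the same file alerts again. This is an added example, not Wordfence or Tripwire code; `POLICY`, `snapshot`, `compare`, `demo` and the stand-in file contents are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Step 1, policy: patterns to monitor (fnmatch's * also crosses "/"). Assumed values.
POLICY = ["wp-admin/*.php", "wp-includes/*.php"]

def snapshot(root, policy=POLICY):
    """Step 2, baseline: {relative path: SHA-256} for files the policy covers."""
    hashes = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and any(fnmatch.fnmatch(rel, pat) for pat in policy):
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare(baseline, current, accepted):
    """Steps 3-4: list changes, additions and deletions, minus accepted hashes."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            findings.append(("deleted", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif current[path] != baseline[path] and accepted.get(path) != current[path]:
            findings.append(("modified", path))
    return findings

def demo():
    """Run the cycle on a constructed tree (stand-in files, not WordPress source)."""
    target = "wp-admin/includes/upgrade.php"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def write(rel, text):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        write(target, "<?php // as distributed\n")
        write("wp-includes/version.php", "<?php // as distributed\n")
        baseline = snapshot(root)
        write(target, "<?php // changed by an installer\n")
        write("wp-includes/extra.php", "<?php // not in baseline\n")
        (root / "wp-includes/version.php").unlink()
        first = compare(baseline, snapshot(root), {})
        accepted = {target: snapshot(root)[target]}  # reviewer accepts this exact hash
        second = compare(baseline, snapshot(root), accepted)
        write(target, "<?php // changed again\n")
        third = compare(baseline, snapshot(root), accepted)
    return first, second, third
```

Calling `demo()` returns the findings before the change is accepted, after it is accepted, and after the accepted file changes a second time.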

Tripwire offers on-prem or cloud-based managed services FIM solutions (See https://www.tripwire.com/solutions/.) Wordfence is not Tripwire by any means but does provide a basic FIM solution for WordPress.

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations ISSA, OWASP, CSA, among others.

Resources

File integrity monitoring & change management.  (n.d.).  Retrieved October 18, 2017 from https://www.tripwire.com/solutions/file-integrity-and-change-monitoring/

Framework for improving critical infrastructure cybersecurity.  (2014, February, 12), p. 23.  Retrieved October 18, 2017 from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

Payment Card Industry (PCI) Data Security Standard requirements and security assessment procedures version 3.2.  (2016, April), 92-93.  Retrieved October 18, 2017 from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1508420545758

NIST Special Publication 800-53 (Rev. 4) Security Controls and Assessment Procedures for Federal Information Systems and Organizations System And Information Integrity Control Family.  (n.d.).  Retrieved October 18, 2017 from https://nvd.nist.gov/800-53/Rev4/family/System%20and%20Information%20Integrity
