Yes! Many users have reported constant errors and the horrible horrible WordPress White Screen of Death.
Some background about La Prensa
- La Prensa is one of the biggest newspapers in Nicaragua.
- It runs on WordPress. Before moving to WordPress it ran on a custom CMS.
- It runs on AWS, on EC2 instances with RDS databases.
- It uses AWS CloudFront as its cache/CDN layer.
Below we break down each of these points.
La Prensa’s core: WordPress
Yes, as you can see on BuiltWith.com the site itself runs on WordPress. We do not know which version, as it is hidden for security purposes (note that hiding the version string only removes an easy tell; it does not stop fingerprinting through other files and is no substitute for keeping the install patched). What I do know about it is that it is running on WordPress Multisite.
We do know it also uses Contact Form 7 and a flipbook plugin for image galleries.
A good thing that I noticed is that they have XML-RPC disabled. If you have been reading my blog, in previous articles I have stated that disabling this feature is an important security fix to avoid brute-force attacks.
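The check behind that observation, as an added example (not code from the original post): a read-only `system.listMethods` call to `/xmlrpc.php` tells you which of three states the endpoint is in. A live endpoint answers with a method list that includes `system.multicall`, the method that lets an attacker pack hundreds of `wp.getUsersBlogs` login attempts into one HTTP request, which is why disabling XML-RPC matters for brute force. WordPress with the `xmlrpc_enabled` filter returning false answers HTTP 200 with an XML fault carrying "XML-RPC services are disabled on this site.", and a web-server block shows up as a 403/404/405. The status codes treated as "blocked" and the fixed `/xmlrpc.php` path are assumptions; the fault message is WordPress's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify a WordPress site's
# XML-RPC endpoint from the response to a harmless system.listMethods call.
# Assumptions (labelled): the site uses the standard /xmlrpc.php path and the
# web server returns 403/404/405/410 when the file is blocked outright.

# classify_xmlrpc <http-status> <body>
# Works on text so it can be run against saved responses (and tested offline).
classify_xmlrpc() {
    status="$1"
    body="$2"
    case "$status" in
        403|404|405|410)
            echo "blocked-by-webserver"; return 0 ;;
    esac
    # WordPress with add_filter('xmlrpc_enabled', '__return_false') replies
    # HTTP 200 with faultCode 405 and this exact faultString.
    if printf '%s' "$body" | grep -q 'XML-RPC services are disabled'; then
        echo "disabled-by-wordpress"; return 0
    fi
    # A live endpoint returns a methodResponse listing methods; the presence
    # of system.multicall is what brute-force scripts abuse.
    if printf '%s' "$body" | grep -q '<methodResponse>' && \
       printf '%s' "$body" | grep -q 'system.multicall'; then
        echo "enabled"; return 0
    fi
    echo "unknown"
}

# probe_xmlrpc <site-url>  (live: POSTs system.listMethods, no credentials sent)
probe_xmlrpc() {
    url="$1"
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' \
        -H 'Content-Type: text/xml' \
        --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' \
        "$url/xmlrpc.php")
    body=$(cat "$tmp")
    rm -f "$tmp"
    classify_xmlrpc "$status" "$body"
}
```

Run it as `probe_xmlrpc https://example.com` against a site you are allowed to test; anything other than `enabled` means the brute-force amplification path is closed, though a `blocked-by-webserver` result should be double-checked for case variants of the path if the block is a literal string match.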
La Prensa runs on Amazon Web Services (AWS)
Yes, let’s see the facts:
Name Servers – Amazon Route 53
Run this command on your terminal:
dig laprensa.com.ni ns
and you will get this (or something similar):
laprensa.com.ni. 160353 IN NS ns-1491.awsdns-58.org.
laprensa.com.ni. 160353 IN NS ns-1654.awsdns-14.co.uk.
laprensa.com.ni. 160353 IN NS ns-229.awsdns-28.com.
laprensa.com.ni. 160353 IN NS ns-831.awsdns-39.net.
Those nameservers are AWS Route 53 nameservers. See more about AWS Route 53.
www A records
The next step is to determine where www.laprensa.com.ni points, so go back to your terminal and run this command:
dig www.laprensa.com.ni
And you will get a similar output to the one below:
www.laprensa.com.ni. 60 IN A 54.149.215.96
www.laprensa.com.ni. 60 IN A 50.112.175.81
To find out who that IP belongs to, run the following command:
whois 54.149.215.96
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 54.149.215.96"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=54.149.215.96?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 54.144.0.0 - 54.159.255.255
CIDR: 54.144.0.0/12
NetName: AMAZON
NetHandle: NET-54-144-0-0-1
Parent: NET54 (NET-54-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2014-10-23
Updated: 2014-11-13
Ref: https://whois.arin.net/rest/net/NET-54-144-0-0-1
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2014-10-20
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: https://whois.arin.net/rest/org/AT-88-Z
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: amzn-noc-contact@amazon.com
OrgTechRef: https://whois.arin.net/rest/poc/ANO24-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-2187
OrgNOCEmail: amzn-noc-contact@amazon.com
OrgNOCRef: https://whois.arin.net/rest/poc/AANO1-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: abuse@amazonaws.com
OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
As you can see from all these facts, La Prensa Nicaragua is indeed on AWS. Keep in mind what whois proves and what it does not: the address range belongs to Amazon's allocation, so the site is hosted on AWS, but the record alone does not say whether an EC2 instance, a load balancer or another AWS service answers on those two addresses.
La Prensa is cached by AWS CloudFront
After doing a quick review of the site's source I found that it was using CloudFront through the following CNAMEs:
- laprensa11.doap.us
- laprensa12.doap.us
- laprensa13.doap.us
- laprensa14.doap.us
- laprensa15.doap.us
- laprensa16.doap.us
- laprensa17.doap.us
- laprensa18.doap.us
- laprensa19.doap.us
They are all CNAMEs for d130eh1tuk2jcl.cloudfront.net.
But even with CloudFront enabled we (and I mean Nicaraguans) have seen the site go down several times lately. There is something fishy right there.
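The three DNS and whois steps above (Route 53 nameservers, the www A records and their owner, and the CloudFront CNAMEs) as one repeatable script. This is an added example, not code from the original post. The `classify_*` functions work on text so they can be run against saved output; `recon_host` runs `dig` and `whois` live and feeds them the results. Assumptions, labelled in the comments: Route 53 delegations use names of the form `ns-N.awsdns-NN.{com,net,org,co.uk}`, a CloudFront distribution appears as a CNAME target ending in `.cloudfront.net`, and ARIN whois for Amazon space carries an `OrgName: Amazon ...` line as in the record shown above. The sample values in the test are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the dig/whois recon steps as
# repeatable checks. Assumptions (labelled): Route 53 nameserver naming,
# CloudFront CNAME suffix, and "OrgName: Amazon ..." in ARIN whois output.

# classify_ns <nameserver-hostname>  ->  route53 | other
classify_ns() {
    name="${1%.}"    # dig prints a trailing dot
    if printf '%s\n' "$name" | grep -Eqi '^ns-[0-9]+\.awsdns-[0-9]+\.(com|net|org|co\.uk)$'; then
        echo route53
    else
        echo other
    fi
}

# classify_cname_chain "<output of dig +short name>"  ->  cloudfront | not-cloudfront
# dig +short prints the CNAME target(s) followed by the final A records,
# so any line ending in .cloudfront.net means the name is fronted by CloudFront.
classify_cname_chain() {
    if printf '%s\n' "$1" | grep -Eqi '\.cloudfront\.net\.?$'; then
        echo cloudfront
    else
        echo not-cloudfront
    fi
}

# classify_whois_org "<raw whois output>"  ->  aws | other:<OrgName> | unknown
classify_whois_org() {
    org=$(printf '%s\n' "$1" | awk -F': *' '/^OrgName:/ { print $2; exit }')
    case "$org" in
        Amazon*) echo aws ;;
        "")      echo unknown ;;
        *)       echo "other:$org" ;;
    esac
}

# recon_host <apex-zone> <hostname>   (live; needs dig and whois)
# e.g. recon_host laprensa.com.ni www.laprensa.com.ni
recon_host() {
    apex="$1"; host="$2"
    for ns in $(dig +short "$apex" NS); do
        echo "ns    $ns $(classify_ns "$ns")"
    done
    echo "cname $host $(classify_cname_chain "$(dig +short "$host")")"
    # keep only IPv4 answers; dig +short also echoes CNAME targets
    for ip in $(dig +short "$host" A | grep -E '^[0-9.]+$'); do
        echo "ip    $ip $(classify_whois_org "$(whois "$ip")")"
    done
}
```

Because `classify_whois_org` keys on the ARIN `OrgName:` line, it will report `unknown` for ranges served by other RIRs (RIPE and APNIC use `org-name`/`descr` instead); extend the awk pattern if you point it at non-ARIN space.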
Suggestions
- Since this is a site with a lot of traffic (which probably means around 2 million hits a month), wp-login.php should either be renamed/moved or a security plugin should be installed to limit login attempts. I tried to log in more than 10 times without getting even a warning. This obviously leaves the door open for someone to write a script that sends a lot of HTTP POSTs to this file to try to authenticate. Some options are:
– Limit Login Attempts by Johanee
– BulletProof Security by AITpro
– Wordfence Security by Wordfence
- Improve the UI/UX. Clearly on this El Nuevo Diario is a huge winner by far.
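What an unthrottled login page looks like from the server side, as an added example that is not part of the original post: the scripted burst of POSTs described above is trivial to spot in the access log, and this is the detection counterpart of the rate-limiting plugins suggested. The function assumes the combined log format that nginx and Apache write by default (client IP in field 1, method in field 6, path in field 7); the log lines in `sample_log` are constructed, not real La Prensa traffic.

```shell
#!/bin/sh
# Added example (not from the original post): find clients hammering
# wp-login.php in a combined-format access log. Assumption (labelled):
# combined log format, i.e. '<ip> - - [date] "METHOD /path HTTP/x" ...'.

# login_bursts [limit]  (reads the log on stdin; limit defaults to 10)
# Prints "<count> <ip>" for every client with more than <limit> POSTs to
# wp-login.php, busiest first.
login_bursts() {
    limit="${1:-10}"
    awk -v limit="$limit" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] > limit) printf "%d %s\n", hits[ip], ip
        }' | sort -rn
}

# Constructed sample log: 12 POSTs from one client (a scripted attempt),
# 3 from a second (a human who mistyped a password), plus unrelated GETs.
sample_log() {
    i=0
    while [ $i -lt 12 ]; do
        echo '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.7"'
        i=$((i+1))
    done
    i=0
    while [ $i -lt 3 ]; do
        echo '198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
        i=$((i+1))
    done
    echo '192.0.2.9 - - [10/Oct/2015:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"'
    echo '192.0.2.9 - - [10/Oct/2015:13:57:13 +0000] "GET /2015/10/some-story/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"'
}
```

On a real box run it as `login_bursts 10 < /var/log/nginx/access.log`. The threshold is per log file rather than per time window, which is fine for a first look; a plugin such as the ones listed above enforces the same idea per IP over a sliding window and locks the client out instead of just reporting it.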
What do you guys think I missed?
[…] Yesterday’s incident with La Prensa Nicaragua reminded me that I wanted to write about this 6 months ago. So I took some time and wrote this up. I really hope this helps someone. […]