Diagnosed azcomputerguru.com 521 errors: Cox's BGP route to specific Cloudflare origin-pull prefixes (162.158.0.0/16, 172.64.0.0/13, 173.245.48.0/20, 141.101.64.0/18) is broken from 72.194.62.0/29. Confirmed by TCP probe matrix from pfSense WAN, traceroute latency comparison, and state-table showing 0 inbound CF connections while direct-internet traffic still reached origin.

Deployed Cloudflare Tunnel 'acg-origin' on Jupiter Unraid as a Docker container. Routes 4 proxied hostnames (azcomputerguru.com, analytics., community., radio.) through the tunnel with HTTPS backend to IX 172.16.3.10:443 with per-ingress SNI matching. All 4 hostnames return 200 OK through CF edge after the cutover.

Repo hygiene:
- Merged clients/ix-server/ into clients/internal-infrastructure/ (IX is internal infra, not a paying-client account). Git detected the session-log files as renames so history is preserved. Updated 4 stale path references in 2 files.
- Moved cox-bgp ticket draft out of projects/dataforth-dos/ (wrong project) to clients/internal-infrastructure/vendor-tickets/.
- Relocated tunnel-setup helper scripts from projects/dataforth-dos/datasheet-pipeline/implementation/ to clients/internal-infrastructure/scripts/cloudflared-tunnel-setup/. Deleted superseded/abandoned login attempts. Sanitized hardcoded Jupiter/pfSense SSH passwords to pull from SOPS vault at runtime; Cloudflare token reads from env var (tokens still in 1Password, vault entry is metadata-only).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

IX Server Security Scan - Smart Slider 3 Pro
Date: April 11, 2026
Scan Purpose
Security audit of all WordPress installations on IX server following the Smart Slider 3 Pro supply chain attack (April 7-9, 2026).
Executive Summary
[SUCCESS] NO COMPROMISED PLUGINS FOUND
- Total WordPress sites scanned: 87
- Smart Slider 3 PRO installations: 0 (GOOD - this was the compromised version)
- Smart Slider 3 FREE installations: 3 (SAFE - free version was not affected)
Risk Level: LOW - No exposure to the April 7-9 supply chain attack
Background: Smart Slider 3 Pro Attack
The Vulnerability
- Attack Window: April 7-9, 2026
- Target: Smart Slider 3 Pro WordPress plugin
- Attack Type: Supply chain attack via compromised update system
- Impact: Sites that updated during the 6-hour window received a "fully weaponized remote access toolkit"
- Scope: Potentially thousands of sites worldwide
Attack Details
- Threat actors hijacked the plugin's UPDATE mechanism
- Users thought they were getting security patches
- Instead, they received a remote access backdoor
- Detected approximately 6 hours after deployment
- WordPress powers ~43% of all websites globally
Scan Results
Scan Methodology
- Server: IX (172.16.3.10)
- Method: Filesystem scan of all cPanel accounts
- Command: find /home/*/public_html -name "wp-config.php"
- Script: /root/scan_smart_slider.sh
- Scan completed: April 11, 2026 05:09 AM MST
WordPress Sites Inventory
Total sites found: 87
This confirms IX server hosts a significant number of WordPress installations (previously documented as "40+" in credentials.md).
Smart Slider Installations Found
1. ComputerGuruMe - Moran Client Site
- User: computergurume
- Path: /home/computergurume/public_html/clients/moran
- Version: Smart Slider 3 (Free) 3.5.1.27
- Status: SAFE (free version not affected by attack)
2. Photonic Apps
- User: photonicapps
- Path: /home/photonicapps/public_html
- Version: Smart Slider 3 (Free) 3.5.1.28
- Status: SAFE (free version not affected by attack)
3. Thrive
- User: thrive
- Path: /home/thrive/public_html
- Version: Smart Slider 3 (Free) 3.5.1.28
- Status: SAFE (free version not affected by attack)
Risk Assessment
Current Risk: LOW
Rationale:
- No Smart Slider 3 PRO installations found
  - The PRO version was the target of the supply chain attack
  - Free version uses different update mechanism
  - Free version was NOT compromised
- Free version installations are outdated but safe
  - Versions 3.5.1.27 and 3.5.1.28 are older
  - Should be updated for general security/features
  - But NOT urgent security risk from this specific attack
- No exposure during attack window
  - Since no PRO version installed, no sites could have received the backdoor
  - No sites at risk from this specific compromise
Recommendations
Immediate Actions (Optional - Low Priority)
- Update Smart Slider 3 Free on the 3 affected sites:
  - computergurume/moran
  - photonicapps
  - thrive
- Latest version: Check WordPress plugin repository
- Priority: LOW (general best practice, not urgent security issue)
Monitoring Actions
- Subscribe to WordPress security bulletins
  - Monitor for similar supply chain attacks
  - Watch for plugin compromise announcements
- Implement plugin update policy
  - Consider staging environment for plugin updates
  - Wait 24-48 hours after updates released before applying to production
  - This delay would have avoided the 6-hour attack window
- Regular security scans
  - Schedule quarterly plugin audits
  - Check for outdated/abandoned plugins
  - Remove unused plugins
Best Practices Going Forward
- Minimize plugin footprint
  - Only install necessary plugins
  - Remove/disable unused plugins
  - Fewer plugins = smaller attack surface
- Plugin vetting process
  - Check plugin update frequency
  - Verify developer reputation
  - Review number of active installations
  - Check support forum activity
- Backup strategy
  - Ensure all 87 WordPress sites have current backups
  - Test restore procedures
  - Keep backups isolated from production
Technical Details
Scan Script
Location: /root/scan_smart_slider.sh on IX server
What it does:
- Scans all cPanel user accounts (/home/*)
- Looks for WordPress installations (wp-config.php)
- Checks for Smart Slider plugin directories
- Extracts version numbers
- Generates summary report
Results saved to: /tmp/smart_slider_scan_1775909346.txt on IX server
Scan Output
Total WordPress sites: 87
Smart Slider 3 Pro: 0
Smart Slider 3 Free: 3
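
The five steps listed under "What it does", as an added POSIX shell example; this is not the /root/scan_smart_slider.sh script itself, which the report does not reproduce. The plugin directory names (smart-slider-3, nextend-smart-slider3-pro), the function names, and reading the version from the plugin's "Version:" header are assumptions.

```shell
#!/bin/sh
# Added example; not the report's own scan script.
# Assumed plugin directory names (not stated in the report):
FREE_DIR="smart-slider-3"
PRO_DIR="nextend-smart-slider3-pro"

# Print the "Version:" header from a plugin directory's top-level PHP files.
plugin_version() {
    ver=$(grep -hi '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null | head -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s' "${ver:-unknown}"
}

# Walk ROOT/*/public_html (one directory per cPanel account) and emit
# tab-separated records: "WP <site>" for each wp-config.php found, plus
# "PRO|FREE <site> <version>" for each Smart Slider copy in that site.
# Paths containing newlines are not supported.
list_findings() {
    find "$1"/*/public_html -type f -name wp-config.php 2>/dev/null | sort |
    while IFS= read -r cfg; do
        site=$(dirname "$cfg")
        printf 'WP\t%s\n' "$site"
        for kind in PRO FREE; do
            [ "$kind" = PRO ] && dir=$PRO_DIR || dir=$FREE_DIR
            plug="$site/wp-content/plugins/$dir"
            [ -d "$plug" ] || continue
            printf '%s\t%s\t%s\n' "$kind" "$site" "$(plugin_version "$plug")"
        done
    done
}

# Count records of one kind (WP, PRO or FREE) in the findings text.
count_kind() {
    printf '%s\n' "$2" | grep -c "^${1}[[:space:]]" || true
}

# Print the three summary lines in the same form as the report's scan output.
scan_summary() {
    f=$(list_findings "${1:-/home}")
    printf 'Total WordPress sites: %s\n' "$(count_kind WP "$f")"
    printf 'Smart Slider 3 Pro: %s\n' "$(count_kind PRO "$f")"
    printf 'Smart Slider 3 Free: %s\n' "$(count_kind FREE "$f")"
}

# Run as: sh scan.sh /home
if [ "$#" -gt 0 ]; then scan_summary "$1"; fi
```

The count is by wp-config.php files found, as in the report's find command, so backup or staging copies under public_html are counted as sites too.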
Client Notifications
Sites Requiring Notification (Low Priority)
1. Moran (computergurume client site)
- Has Smart Slider 3 Free 3.5.1.27
- No security risk from April attack
- Optional: Recommend update to latest version
- Contact: Check client records for Moran contact
2. Photonic Apps
- Has Smart Slider 3 Free 3.5.1.28
- No security risk from April attack
- Optional: Recommend update to latest version
3. Thrive
- Has Smart Slider 3 Free 3.5.1.28
- No security risk from April attack
- Optional: Recommend update to latest version
Notification Priority: LOW
Urgency: Not urgent - no active threat
Tone: Informational, proactive maintenance recommendation
Conclusion
[OK] IX Server is NOT affected by the Smart Slider 3 Pro supply chain attack (April 7-9, 2026).
Key Findings:
- Zero installations of the compromised PRO version
- Three installations of the FREE version (safe)
- 87 total WordPress sites inventoried
- No immediate action required
Recommended Actions:
- Optional: Update 3 Smart Slider FREE installations to latest version
- Implement plugin update policy with staging/delay
- Continue monitoring WordPress security advisories
Overall Security Posture: GOOD
Threat Status: CLEAR
Files Created
- Scan script: /root/scan_smart_slider.sh (IX server)
- Results file: /tmp/smart_slider_scan_1775909346.txt (IX server)
- This report: clients/internal-infrastructure/session-logs/2026-04-11-smart-slider-security-scan.md
References
Attack Information
- Smart Slider 3 Pro supply chain attack: April 7-9, 2026
- Detection window: Approximately 6 hours
- Attack vector: Compromised plugin update system
- Payload: Fully weaponized remote access toolkit
Sources
- WordPress plugin ecosystem statistics
- Radio show research (April 11, 2026 show prep)
- IX server credentials: credentials.md
- Server access: op://Infrastructure/IX Server/password
Scan performed by: Claude (AZ Computer Guru)
Date: April 11, 2026
Next recommended scan: July 11, 2026 (quarterly)