Hacked - What do you do now?

A step by step that allows you to think through the process during and after a Hack takes a hold of your website.

Published in: Technology
Transcript of "Hacked - What do you do now?"

Hacked
What do you do now?
• Sucuri
  @sucuri_security
  @sucurisupport
  @sucurilabs
  http://blog.sucuri.net
  http://labs.sucuri.net
• Tony Perez
  @perezbox
@perezbox | @sucuri_security
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc.)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Implications of a Hack
• Emotionally Daunting
• Brand Reputation (i.e., Blacklisting)
• Direct / Indirect Impacts to your Clients
• Technically Exhausting
• Resource Overload
• Economic Impacts To Your Business
Most Common Hacks
• Malicious Redirects (i.e., abuse your traffic)
• Backdoors (i.e., Bypass Access Controls)
• Phishing (i.e., Spear Phishing Campaigns)
• Search Engine Poisoning (i.e., Pharma, etc.)
TIPS & TRICKS
Clearing Up the Mess
Tools of the Trade
• Terminal
• FileZilla
• Coda (Some IDE)
• Scanners
Filezilla
Terminal
• Example 1: Dump the content of a site
  $ curl --location -D - site.com
• Example 2: Dump the content of a site, faking the Googlebot user agent
  $ curl --location -D - -A "Googlebot" site.com
• Example 3: Dump the content of a site, using Facebook's referrer
  $ curl --location -D - --referer "http://facebook.com" site.com
Command Cheat Sheet: http://files.fosswire.com/2007/08/fwunixref.pdf
Curl Example
Terminal, cntd…
• Grep
  $ grep --include "*.php" -r example.com ./
• Diff
  $ diff -qr /path/dir1 /path/dir2
• Find
  $ find ./ -name "*.php"
  $ find / -type f -mtime -7     (files modified in the last 7 days)
  $ find / -mmin -10             (files modified in the last 10 minutes)
• SED – Removing <iframe src=http://example.com></iframe>
  # sed -i".backup" 's#<iframe src=http://example.com></iframe>##' index.php
• Combining Commands – Remove an iframe from all PHP files
  $ find ./ -name "*.php" -print0 | xargs -0 sed -i".backup" 's#<iframe src=http://example.com></iframe>##'
Online Scanners
• Unmask Parasites – http://unmaskparasites.com
• SiteCheck – http://sitecheck.sucuri.net
INFECTIONS
What do they look like?
Malicious Redirect
Malicious Redirects
• Easy / Medium to Detect
  – Be mindful of conditionals
• Looking for Integrity Issues
  – Has something been modified?
• Common location[s]:
  – .htaccess
  – index.php
  – footer.php
  – header.php
• Biggest Issue
  – Redirectors are becoming highly complex
  – Employing heavy conditional elements
Phishing
Phishing, cntd…
• Difficult to Detect Remotely
• Looking for Integrity Issues
  – Is something somewhere it doesn’t belong?
• Common location[s]:
  – wp-includes
  – Theme Directories
• Biggest Issue
  – It can be anywhere
  – Fully contained
Backdoors
Backdoors, cntd…
• Can’t detect remotely, only locally
• Looking for Integrity Issues
  – Is something somewhere it doesn’t belong?
• Common location[s]:
  – wp-includes
  – Root Directory
• Biggest Issue
  – Allows attacker to bypass your access controls
  – Provides full control of the environment
• Common terms:
  – is_bot
  – eval
  – base64_decode
  – fopen
  – fclose
  – readfile
  – edoced_46esab (base64_decode reversed)
  – exec
  – system
  – shell_exec
  – gzuncompress
  – popen
  – FilesMan
  $ grep -RPl --include="*.php" "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
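As an added example (not the deck's own commands), the shell helpers below turn the find, grep and sed one-liners from the Terminal and Backdoors slides into functions run over a constructed sample site; the directory names, file contents and the example.com iframe are made up, and the indicator regex avoids two problems in the slide's grep (the `--include=*.{php}` glob does not brace-expand, and an empty alternative or an unescaped `(` in the pattern matches everything or fails to compile).

```shell
#!/bin/sh
# Constructed sample tree: one clean theme file and two files carrying the
# indicators the slide lists (the eval/base64_decode pair, the reversed name).
make_sample_site() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-includes" "$dir/wp-content/themes/t"
  printf '<?php\necho "hello";\n' > "$dir/wp-content/themes/t/footer.php"
  # Injected iframe plus eval(base64_decode(...)) whose payload is just "foo".
  printf '<?php\n@eval(base64_decode("Zm9v"));\n<iframe src=http://example.com></iframe>\n' \
    > "$dir/wp-includes/class-wp-x.php"
  # Reversed function name: hides from a naive search for base64_decode.
  printf '<?php\n$f = "edoced_46esab";\n' > "$dir/wp-includes/ms-x.php"
  echo "$dir"
}

# PHP files modified in the last N days (the slide's `find / -type f -mtime -7`).
recent_php_files() { # $1 = web root, $2 = days
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Files containing a listed function name followed by "(", or the reversed
# base64_decode; a word boundary is emulated so "execute(" is not flagged.
suspect_php_files() { # $1 = web root
  grep -RlE --include='*.php' \
    '((^|[^A-Za-z0-9_])(system|exec|passthru|shell_exec|popen|base64_decode|gzuncompress|eval)[[:space:]]*\(|edoced_46esab)' \
    "$1" | sort
}

# The slide's find | xargs sed one-liner; every touched file keeps a .backup copy.
strip_iframe() { # $1 = web root, $2 = iframe src to remove
  find "$1" -type f -name '*.php' -print0 |
    xargs -0 sed -i.backup "s#<iframe src=$2></iframe>##"
}

# Number of PHP files still carrying the iframe; 0 once the cleanup worked.
iframe_count() { # $1 = web root, $2 = iframe src
  grep -Rl --include='*.php' -F "<iframe src=$2></iframe>" "$1" | wc -l | tr -d ' '
}
```

Run the triage functions before any cleanup and keep their output with the .backup files; they are the evidence for the "what happened / when" forensics questions later in the deck.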
Example of Complexity
Search Engine Poisoning
Search Engine Poisoning, cntd…
• Targets Search Engines (i.e., Google, Bing, Yahoo)
• Looking for Integrity Issues
  – Have your posts / pages been modified?
• Common location[s]:
  – index.php (root, theme, plugins, etc.)
  – header.php
  – footer.php
  – Embedded in Database (Posts / Pages)
• Biggest Issue
  – Continues to evolve
  – Highly conditional
  – Not within visible range – often offscreen
Indicators of a Hack
Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
Forensics
• What happened?
• When did it happen?
• Will it happen again?
POST-HACK
Let’s Talk Posture
Improve your Posture
Posture / Risk
You were just hacked, Posture is imperative right now!!
Good Posture
• Protection
• Auditing
• Detection
• Sustainment
Protection
Website Firewalls - Stop attackers and protect your website from getting hacked:
• Denial of Service Attacks
• Brute Force Attacks
• Software Vulnerability Exploitation
• Malware Injections
• Direct Backdoor Access
• Abusing Access Controls (i.e., wp-admin)
Auditing
• Understand what is going on at all times
  – Who is logging in?
  – Who is trying to log in?
  – What files are changing?
  – Has a post been created?
  – Has a page been created?
  – Are there any integrity issues?
Detection
• Continuous Monitoring
  – Remote and Server Scans
  – Heuristic Analysis
  – Signature Analysis
  – Change Detection
  – DNS Reporting
  – WHOIS Monitoring
  – SSL Cert Monitoring
Sustainment
• Updates
• Backups
• Dev / Design Team
• Security Team
Reset Secret Keys / Salts
People don’t think about this, but it’s a necessity to clear any open states – it forces everyone off their session.
Source: https://api.wordpress.org/secret-key/1.1/salt/
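An added example, not from the deck: rotating the eight wp-config.php keys and salts offline from the OS random source instead of pasting the api.wordpress.org output, which invalidates every existing WordPress auth cookie. The sample wp-config.php is constructed, and the standard `define('AUTH_KEY', '...');` layout is assumed.

```shell
#!/bin/sh
# The eight constants WordPress hashes its auth cookies with.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Constructed wp-config.php with the stock placeholder values.
make_sample_config() {
  f=$(mktemp)
  {
    echo "<?php"
    for k in $WP_KEYS; do echo "define('$k', 'put your unique phrase here');"; done
    echo "\$table_prefix = 'wp_';"
  } > "$f"
  echo "$f"
}

# 64 printable characters from /dev/urandom. The set leaves out ' \ & and #
# so the value drops into a quoted PHP string and a sed replacement unchanged.
new_salt() {
  head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@%^*()_+=-' | head -c 64
}

# Back up the config, then rewrite each define() line with a fresh value.
rotate_wp_salts() { # $1 = path to wp-config.php
  cp "$1" "$1.backup"
  for k in $WP_KEYS; do
    s=$(new_salt)
    sed -i.tmp "s#^define( *'$k', *'[^']*' *);#define('$k', '$s');#" "$1"
    rm -f "$1.tmp"
  done
}

# Current value of one key, so the rotation can be verified afterwards.
salt_value() { # $1 = config path, $2 = key name
  sed -n "s#^define( *'$2', *'\([^']*\)' *);.*#\1#p" "$1"
}
```

Rotate the keys only after the backdoor cleanup, otherwise the attacker simply logs in again through the backdoor and gets a fresh session.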
Force Password Resets
Many people will reset their password, few will actually reset everyone’s post-hack.
Sucuri Plugin
Clean Your House
• Least Privileged
  – Reduce Unnecessary Privileges – everyone does not have to be an admin
• Remove unused software
  – CMS Applications
  – Extensions (Themes, Plugins, etc.)
Basic Hardening
• Disable PHP Execution
  – /wp-includes
  – /wp-content
    ▪ /themes
    ▪ /plugins
    ▪ /uploads << minimum
  <Files *.php>
  Deny from all
  </Files>
Connection Integrity – Public Wi-Fi
• https://www.getcloak.com/ | @getcloak
Good Reading Material
• Dealing with Malware
  http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
• Leveraging Google Webmaster Tools
  http://www.unmaskparasites.com/malware-warning-guide/
• Google Webmaster Tools (Hacked)
  http://www.google.com/webmasters/hacked/
• Understanding Google’s Blacklists
  http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
• Clearing Your Website with Free Scanner
  http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
• WordPress Tips & Tricks
  http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
• Prepared against a Hack?
  http://www.smashingmagazine.com/2014/05/30/are-you-prepared-against-a-hack/
PADS = Sucuri
• Complete Website Security with Sucuri
• WPSessions Attendees Only
  – 30% off any plan for life
  – Contact Tony: tony@sucuri.net
  – Reference: WPSESS2014
  – Include: Email used in WPSessions Account
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net