Hacked - What do you do now?

A step-by-step guide that helps you think through the process during and after a hack takes hold of your website.


  1. Hacked: What do you do now?
  2. Sucuri
     • @sucuri_security, @sucurisupport, @sucurilabs
     • http://blog.sucuri.net
     • http://labs.sucuri.net
     • Tony Perez, @perezbox
     @perezbox | @sucuri_security
  3. • Website Security Company
     • Global Operations
     • Platform Agnostic (i.e., WordPress, Joomla, etc.)
     • Scan 2M Unique Domains a Month
     • Block 4M web attacks a Month
     • Remediate 400 to 500 websites a day
     • Signature / Heuristic Based
     • 24/7 operations
  4. Implications of a Hack
     • Emotionally Daunting
     • Brand Reputation (i.e., Blacklisting)
     • Direct / Indirect Impacts to your Clients
     • Technically Exhausting
     • Resource Overload
     • Economic Impacts To Your Business
  5. Most Common Hacks
     • Malicious Redirects (i.e., abuse your traffic)
     • Backdoors (i.e., Bypass Access Controls)
     • Phishing (i.e., Spear Phishing Campaigns)
     • Search Engine Poisoning (i.e., Pharma, etc.)
  6. TIPS & TRICKS: Clearing Up the Mess
  7. Tools of the Trade
     • Terminal
     • FileZilla
     • Coda (Some IDE)
     • Scanners
  8. FileZilla
  9. Terminal
     • Example 1: Dump the content of a site
         $ curl --location -D - site.com
     • Example 2: Dump the content of a site, faking the Googlebot user agent
         $ curl --location -D - -A "Googlebot" site.com
     • Example 3: Dump the content of a site, using Facebook's referrer
         $ curl --location -D - --referer "http://facebook.com" site.com
     Command Cheat Sheet: http://files.fosswire.com/2007/08/fwunixref.pdf
  10. Curl Example
  11. Terminal, cont'd
     • Grep
         $ grep --include "*.php" -r example.com ./
     • Diff
         $ diff -qr /path/dir1 /path/dir2
     • Find
         $ find ./ -name "*.php"
         $ find / -type f -mtime -7      (files modified in the last 7 days)
         $ find / -mmin -10              (modified in the last 10 minutes)
     • sed: removing <iframe src=http://example.com></iframe> from one file
         # sed -i".backup" 's#<iframe src=http://example.com></iframe>##' index.php
     • Combining Commands: remove an iframe from all PHP files
         $ find ./ -name "*.php" -print0 | xargs -0 sed -i".backup" 's#<iframe src=http://example.com></iframe>##'
  12. Online Scanners
     • Unmask Parasites: http://unmaskparasites.com
     • SiteCheck: http://sitecheck.sucuri.net
  13. INFECTIONS: What do they look like?
  14. Malicious Redirect
  15. Malicious Redirects
     • Easy / Medium to Detect
        – Be mindful of conditionals
     • Looking for Integrity Issues
        – Has something been modified?
     • Common location[s]:
        – .htaccess
        – index.php
        – footer.php
        – header.php
     • Biggest Issue
        – Redirectors are becoming highly complex
        – Employing heavy conditional elements
  16. Phishing
  17. Phishing, cont'd
     • Difficult to Detect Remotely
     • Looking for Integrity Issues
        – Is something somewhere it doesn't belong?
     • Common location[s]:
        – wp-includes
        – Theme Directories
     • Biggest Issue
        – It can be anywhere
        – Fully contained
  18. Backdoors
  19. Backdoors, cont'd
     • Can't detect remotely, only locally
     • Looking for Integrity Issues
        – Is something somewhere it doesn't belong?
     • Common location[s]:
        – wp-includes
        – Root Directory
     • Biggest Issue
        – Allows attacker to bypass your access controls
        – Provides full control of the environment
     • Common terms:
        – is_bot
        – eval
        – base64_decode
        – fopen
        – fclose
        – readfile
        – edoced_46esab (base64_decode spelled backwards)
        – exec
        – system
        – shell_exec
        – gzuncompress
        – popen
        – FilesMan
         $ grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
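As an added example (not from the slides), the script below turns the "common terms" list and the grep one-liner above into a local triage scan that prints every suspicious line with its file and line number; it also constructs a small throwaway sample tree so the scan can be exercised offline. The function names and sample files are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a triage scan for the "common terms"
# above. Prints file:line:content for every PHP file that calls a function
# backdoors abuse, or that contains a known obfuscation marker, so each hit
# can be reviewed by hand. fopen/readfile etc. are also used legitimately,
# so compare hits against a clean copy of the same CMS version (diff -qr).

# Function names from the slide, joined into one alternation.
SUSPICIOUS_CALLS='eval|base64_decode|exec|system|shell_exec|passthru|popen|gzuncompress|readfile|fopen|fclose|is_bot'
# Strings that rarely appear in legitimate code: base64_decode spelled
# backwards (reassembled with strrev at runtime) and the FilesMan marker.
OBFUSCATION_MARKERS='edoced_46esab|FilesMan'

# A call must be a whole word followed by optional whitespace and "(".
PATTERN="(^|[^[:alnum:]_])(${SUSPICIOUS_CALLS})[[:space:]]*\(|${OBFUSCATION_MARKERS}"

scan_backdoor_candidates() {
    # $1: directory to scan, e.g. /var/www. Exit status 0 when hits exist, 1 when none.
    grep -rnE --include='*.php' -e "$PATTERN" "$1"
}

count_flagged_files() {
    # Number of distinct PHP files with at least one hit (for a summary line).
    scan_backdoor_candidates "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

make_sample_tree() {
    # Constructed fixture: one clean file, two that should be flagged, and a
    # non-PHP file that must be ignored. Prints the directory path.
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes"
    printf '%s\n' '<?php echo "hello";' > "$dir/index.php"
    printf '%s\n' '<?php eval(base64_decode($code));' > "$dir/wp-includes/class-wp-x.php"
    printf '%s\n' '<?php $f = strrev("edoced_46esab"); $f($code);' > "$dir/wp-includes/wp-x.php"
    printf '%s\n' 'the word eval( in a text file is not code' > "$dir/readme.txt"
    echo "$dir"
}

# When run directly with a path, scan that tree; without one, only define the functions.
if [ -n "${1:-}" ]; then
    scan_backdoor_candidates "$1"
fi
```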
  20. Example of Complexity
  21. Search Engine Poisoning
  22. Search Engine Poisoning, cont'd
     • Targets Search Engines (i.e., Google, Bing, Yahoo)
     • Looking for Integrity Issues
        – Have your posts / pages been modified?
     • Common location[s]:
        – index.php (root, theme, plugins, etc.)
        – header.php
        – footer.php
        – Embedded in Database (Posts / Pages)
     • Biggest Issue
        – Continues to evolve
        – Highly conditional
        – Not within visible range; often offscreen
  23. Indicators of a Hack
     Search Engines have gotten pretty good at detecting issues: Google blacklists over 10 thousand websites a day.
  24. Forensics
     • What happened?
     • When did it happen?
     • Will it happen again?
  25. POST-HACK: Let's Talk Posture
  26. Improve your Posture (Posture vs. Risk)
     You were just hacked; posture is imperative right now!
  27. Good Posture
     • Protection
     • Auditing
     • Detection
     • Sustainment
  28. Protection
     Website Firewalls stop attackers and protect your website from getting hacked:
     • Denial of Service Attacks
     • Brute Force Attacks
     • Software Vulnerability Exploitation
     • Malware Injections
     • Direct Backdoor Access
     • Abusing Access Controls (i.e., wp-admin)
  29. Auditing
     • Understand what is going on at all times
        – Who is logging in?
        – Who is trying to log in?
        – What files are changing?
        – Has a post been created?
        – Has a page been created?
        – Are there any integrity issues?
  30. Detection
     • Continuous Monitoring
        – Remote and Server Scans
        – Heuristic Analysis
        – Signature Analysis
        – Change Detection
        – DNS Reporting
        – WHOIS Monitoring
        – SSL Cert Monitoring
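An added example, not from the slides, of the change detection that the Auditing ("What files are changing?") and Detection slides call for: a baseline of file hashes taken right after a clean install, and a check that reports new, modified and missing files. It assumes GNU coreutils (sha256sum, sort -z) and a baseline stored outside the web root; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal file-integrity baseline.
# make_baseline records a SHA-256 for every file under the web root;
# check_baseline re-hashes the tree and reports NEW, MODIFIED and MISSING files.
# Typical use, from a shell outside the web root:
#   make_baseline /var/www/html /root/site.sha256    # right after a clean install
#   check_baseline /var/www/html /root/site.sha256   # from cron; alert on any output

make_baseline() {
    # $1: web root to hash   $2: baseline file to write.
    # Keep the baseline (and a copy of it) outside the web root: anyone who
    # can write to the site could otherwise rewrite the baseline as well.
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

check_baseline() {
    # $1: web root   $2: baseline written earlier.
    # Prints one line per change and nothing when the tree matches.
    # Limitation: paths containing whitespace are not handled by the awk split.
    current=$(mktemp)
    make_baseline "$1" "$current"
    # sha256sum lines look like "<hash>  ./path": $1 is the hash, $2 the path.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
         !($2 in base)      { print "NEW " $2; seen[$2] = 1; next }
         base[$2] != $1     { print "MODIFIED " $2 }
                            { seen[$2] = 1 }
         END { for (p in base) if (!(p in seen)) print "MISSING " p }' \
        "$2" "$current"
    rm -f "$current"
}
```

Directories that churn by design (caches, uploads) generate noise; prune them from the find in make_baseline or review them with a separate, shorter-lived baseline.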
  31. Sustainment
     • Updates
     • Backups
     • Dev / Design Team
     • Security Team
  32. Reset Secret Keys / Salts
     People don't think about this, but it's a necessity to clear any open states: it forces everyone off their session.
     Source: https://api.wordpress.org/secret-key/1.1/salt/
  33. Force Password Resets
     Many people will reset their password; few will actually reset everyone's post-hack.
  34. Sucuri Plugin
  35. Clean Your House
     • Least Privilege
        – Reduce Unnecessary Privileges: everyone does not have to be an admin
     • Remove unused software
        – CMS Applications
        – Extensions (Themes, Plugins, etc.)
  36. Basic Hardening
     • Disable PHP Execution in:
        – /wp-includes
        – /wp-content
           ▪ /themes
           ▪ /plugins
           ▪ /uploads  << minimum
     .htaccess rule used for this:
         <Files *.php>
         Deny from all
         </Files>
  37. Connection Integrity (Public Wi-Fi)
     • https://www.getcloak.com/ | @getcloak
  38. Good Reading Material
     • Dealing with Malware: http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
     • Leveraging Google Webmaster Tools: http://www.unmaskparasites.com/malware-warning-guide/
     • Google Webmaster Tools (Hacked): http://www.google.com/webmasters/hacked/
     • Understanding Google's Blacklists: http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
     • Clearing Your Website with Free Scanner: http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
     • WordPress Tips & Tricks: http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
     • Prepared against a Hack? http://www.smashingmagazine.com/2014/05/30/are-you-prepared-against-a-hack/
  39. PADS = Sucuri
     • Complete Website Security with Sucuri
     • WPSessions Attendees Only
        – 30% off any plan for life
        – Contact Tony: tony@sucuri.net
        – Reference: WPSESS2014
        – Include: Email used in WPSessions Account
  40. Sucuri, Inc.
     Tony Perez
     http://sucuri.net
     http://blog.sucuri.net
     @perezbox | @sucuri_security
