Hacked - What do you do now?
A step-by-step guide that helps you think through the process during and after a hack takes hold of your website.


Transcript

  • 1. Hacked: What do you do now?
  • 2. Sucuri: @sucuri_security, @sucurisupport, @sucurilabs, http://blog.sucuri.net, http://labs.sucuri.net. Tony Perez: @perezbox. @perezbox | @sucuri_security
  • 3. Sucuri
    • Website Security Company
    • Global Operations
    • Platform Agnostic (i.e., WordPress, Joomla, etc.)
    • Scan 2M Unique Domains a Month
    • Block 4M web attacks a Month
    • Remediate 400-500 websites a day
    • Signature / Heuristic Based
    • 24/7 operations
  • 4. Implications of a Hack
    • Emotionally Daunting
    • Brand Reputation (i.e., Blacklisting)
    • Direct / Indirect Impacts to your Clients
    • Technically Exhausting
    • Resource Overload
    • Economic Impacts To Your Business
  • 5. Most Common Hacks
    • Malicious Redirects (i.e., abuse your traffic)
    • Backdoors (i.e., Bypass Access Controls)
    • Phishing (i.e., Spear Phishing Campaigns)
    • Search Engine Poisoning (i.e., Pharma, etc.)
  • 6. TIPS & TRICKS: Clearing Up the Mess
  • 7. Tools of the Trade
    • Terminal
    • FileZilla
    • Coda (or some other IDE)
    • Scanners
  • 8. FileZilla
  • 9. Terminal
    • Example 1: Dump the content of a site
      $ curl --location -D - site.com
    • Example 2: Dump the content of a site, faking the Googlebot user agent
      $ curl --location -D - -A "Googlebot" site.com
    • Example 3: Dump the content of a site, using Facebook's referrer
      $ curl --location -D - --referer "http://facebook.com" site.com
    Command Cheat Sheet: http://files.fosswire.com/2007/08/fwunixref.pdf
  • 10. Curl Example
  • 11. Terminal, cont'd
    • Grep
      $ grep --include "*.php" -r example.com ./
    • Diff
      $ diff -qr /path/dir1 /path/dir2
    • Find
      $ find ./ -name "*.php"
      $ find / -type f -mtime -7     (files modified within the last 7 days)
      $ find / -mmin -10             (modified within the last 10 minutes)
    • SED: removing <iframe src=http://example.com></iframe>
      # sed -i".backup" 's#<iframe src=http://example.com></iframe>##' index.php
    • Combining Commands: remove an iframe from all PHP files
      $ find ./ -name "*.php" -print0 | xargs -0 sed -i".backup" 's#<iframe src=http://example.com></iframe>##'
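Added example, not from the slides: the find + sed iframe removal from slide 11, rehearsed on a constructed throwaway site tree so the outcome (files cleaned, clean files untouched, backups kept) can be checked before the same pipeline is run on a live site. It assumes GNU find, grep and sed (the --include and -i.backup forms); all paths, file contents and the example.com iframe string are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original slides. Rehearses the slide's
# find | xargs sed cleanup on a constructed site tree and checks the outcome.
set -eu

# Build a throwaway tree: two PHP files carrying the injected iframe and
# one clean file that must survive untouched (all constructed sample data).
make_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/demo"
  printf '<?php echo "home"; ?>\n<iframe src=http://example.com></iframe>\n' \
    > "$site/index.php"
  printf '<?php echo "footer"; ?><iframe src=http://example.com></iframe>\n' \
    > "$site/wp-content/themes/demo/footer.php"
  printf '<?php echo "clean"; ?>\n' > "$site/wp-content/themes/demo/header.php"
  echo "$site"
}

# How many PHP files still carry the injected iframe (the slide's grep -r idea).
count_infected() {
  grep -rl --include='*.php' '<iframe src=http://example.com></iframe>' "$1" \
    | wc -l | tr -d ' '
}

# The slide's combined command: strip the iframe from every PHP file and
# keep a .backup copy of each so the change can be diffed or reverted.
clean_iframes() {
  find "$1" -name '*.php' -print0 \
    | xargs -0 sed -i'.backup' 's#<iframe src=http://example.com></iframe>##'
}

# PHP files modified in the last N minutes (the slide's find -mmin), used to
# confirm exactly which files the cleanup just rewrote.
recently_modified() {
  find "$1" -type f -name '*.php' -mmin -"$2" | wc -l | tr -d ' '
}

# Stand-alone run: build, clean, report.
site=$(make_site)
echo "infected before: $(count_infected "$site")"
clean_iframes "$site"
echo "infected after:  $(count_infected "$site")"
echo "php files touched in the last 5 minutes: $(recently_modified "$site" 5)"
```

Diff each file against its .backup copy before deleting the backups, so you know the substitution removed only the injected string.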
  • 12. Online Scanners
    • Unmask Parasites: http://unmaskparasites.com
    • SiteCheck: http://sitecheck.sucuri.net
  • 13. INFECTIONS: What do they look like?
  • 14. Malicious Redirect
  • 15. Malicious Redirects
    • Easy / Medium to Detect
      – Be mindful of conditionals
    • Looking for Integrity Issues
      – Has something been modified?
    • Common location[s]:
      – .htaccess
      – index.php
      – footer.php
      – header.php
    • Biggest Issue
      – Redirectors are becoming highly complex
      – Employing heavy conditional elements
  • 16. Phishing
  • 17. Phishing, cont'd
    • Difficult to Detect Remotely
    • Looking for Integrity Issues
      – Is something somewhere it doesn't belong?
    • Common location[s]:
      – wp-includes
      – Theme Directories
    • Biggest Issue
      – It can be anywhere
      – Fully contained
  • 18. Backdoors
  • 19. Backdoors, cont'd
    • Can't detect remotely, only locally
    • Looking for Integrity Issues
      – Is something somewhere it doesn't belong?
    • Common location[s]:
      – wp-includes
      – Root Directory
    • Biggest Issue
      – Allows attacker to bypass your access controls
      – Provides full control of the environment
    • Common terms:
      – is_bot
      – eval
      – base64_decode
      – fopen
      – fclose
      – readfile
      – edoced_46esab (base64_decode spelled backwards)
      – exec
      – system
      – shell_exec
      – gzuncompress
      – popen
      – FilesMan
      $ grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
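Added example, not from the slides: the backdoor-term grep from slide 19, tightened with a word-boundary guard so a legitimate identifier that merely contains one of the words is not flagged, run over a constructed tree. It assumes GNU grep (-E with --include); the file names and contents are constructed sample data and the indicator text is never executed.

```shell
#!/bin/sh
# Added example, not part of the original slides. Runs the slide's
# backdoor-term grep, tightened with a boundary guard, over a constructed tree.
set -eu

# Indicator functions from the slide. The slide's pattern as written ends in
# "eval|) *(", an empty alternative plus an unescaped "(", so it matches every
# parenthesis; this version closes the group, escapes "(" and requires that
# the word not be preceded by an identifier character (so my_system( is no hit).
INDICATOR_RE='(^|[^A-Za-z0-9_])(system|exec|passthru|shell_exec|base64_decode|eval|gzuncompress|popen|readfile)[[:space:]]*\('

# Constructed sample tree: one file with the eval-over-decoded-input shape the
# slide describes (text only, never executed), one legitimate plugin file whose
# function name contains an indicator word, one non-PHP file --include must skip.
make_samples() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-includes" "$dir/wp-content/plugins/demo"
  printf '<?php eval(base64_decode($code)); ?>\n' > "$dir/wp-includes/cache-helper.php"
  printf '<?php function my_system($a) { return $a; } my_system(1); ?>\n' \
    > "$dir/wp-content/plugins/demo/demo.php"
  printf 'eval(base64_decode("x"))\n' > "$dir/wp-includes/notes.txt"
  echo "$dir"
}

# Lists site-relative paths of PHP files with a real hit, sorted.
# Every hit still needs a human look: these functions have legitimate uses.
scan_backdoor_terms() {
  grep -rlE --include='*.php' "$INDICATOR_RE" "$1" | sed "s#^$1/##" | sort
}

# Same scan, but with file:line:text so the hit can be triaged in place.
show_hits() {
  grep -rnE --include='*.php' "$INDICATOR_RE" "$1" | sed "s#^$1/##" | sort
}

# Stand-alone run on the constructed tree.
d=$(make_samples)
echo "files with indicator calls:"
scan_backdoor_terms "$d"
echo "matching lines:"
show_hits "$d"
```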
  • 20. Example of Complexity
  • 21. Search Engine Poisoning
  • 22. Search Engine Poisoning, cont'd
    • Targets Search Engines (i.e., Google, Bing, Yahoo)
    • Looking for Integrity Issues
      – Have your posts / pages been modified?
    • Common location[s]:
      – index.php (root, theme, plugins, etc.)
      – header.php
      – footer.php
      – Embedded in Database (Posts / Pages)
    • Biggest Issue
      – Continues to evolve
      – Highly conditional
      – Not within visible range; often offscreen
  • 23. Indicators of a Hack: Search engines have gotten pretty good at detecting issues. Google blacklists over 10 thousand websites a day.
  • 24. Forensics
    • What happened?
    • When did it happen?
    • Will it happen again?
  • 25. POST-HACK: Let's Talk Posture
  • 26. Improve your Posture (Posture vs. Risk): You were just hacked; posture is imperative right now!
  • 27. Good Posture: Protection, Auditing, Detection, Sustainment
  • 28. Protection: Website Firewalls stop attackers and protect your website from getting hacked via:
    • Denial of Service Attacks
    • Brute Force Attacks
    • Software Vulnerability Exploitation
    • Malware Injections
    • Direct Backdoor Access
    • Abusing Access Controls (i.e., wp-admin)
  • 29. Auditing: Understand what is going on at all times
    – Who is logging in?
    – Who is trying to log in?
    – What files are changing?
    – Has a post been created?
    – Has a page been created?
    – Are there any integrity issues?
  • 30. Detection: Continuous Monitoring
    – Remote and Server Scans
    – Heuristic Analysis
    – Signature Analysis
    – Change Detection
    – DNS Reporting
    – WHOIS Monitoring
    – SSL Cert Monitoring
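Added example, not from the slides: a minimal file-integrity baseline and change check, the "what files are changing?" and "Change Detection" items from slides 29 and 30 done with standard tools. It assumes coreutils sha256sum and GNU find/sort; the site tree and the tampering it detects are constructed sample data, not real site content.

```shell
#!/bin/sh
# Added example, not part of the original slides. A minimal file-integrity
# baseline that answers the slide's "what files are changing?" question.
set -eu

# Record the sha256 of every PHP file under the site root (site-relative paths).
baseline() {                      # baseline <site_root> <baseline_file>
  ( cd "$1" && find . -type f -name '*.php' -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# Compare the live tree with a saved baseline and print one verdict per
# differing path: ADDED, MODIFIED or REMOVED. Output is sorted and empty when
# nothing changed, so it can run from cron and be alerted on.
check_integrity() {               # check_integrity <site_root> <baseline_file>
  cur=$(mktemp)
  baseline "$1" "$cur"
  awk 'NR == FNR { old[$2] = $1; next }
       { seen[$2] = 1; if (!($2 in old)) print "ADDED " $2; else if (old[$2] != $1) print "MODIFIED " $2 }
       END { for (p in old) if (!(p in seen)) print "REMOVED " p }' "$2" "$cur" | sort
  rm -f "$cur"
}

# Constructed sample site for the stand-alone run (not real site data).
make_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-includes" "$site/wp-content/themes/demo"
  printf '<?php echo "home"; ?>\n' > "$site/index.php"
  printf '<?php echo "header"; ?>\n' > "$site/wp-content/themes/demo/header.php"
  printf '<?php /* core */ ?>\n' > "$site/wp-includes/functions.php"
  echo "$site"
}

# Simulate what an intrusion leaves behind: a modified file, a new file in a
# core directory, and a deleted file.
tamper() {
  printf '<iframe src=http://example.com></iframe>\n' >> "$1/index.php"
  printf '<?php /* dropped file */ ?>\n' > "$1/wp-includes/cache-helper.php"
  rm "$1/wp-content/themes/demo/header.php"
}

site=$(make_site); base=$(mktemp)
baseline "$site" "$base"          # taken right after a clean install or cleanup
tamper "$site"
check_integrity "$site" "$base"
```

Store the baseline file off the web server; a baseline the attacker can rewrite detects nothing.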
  • 31. Sustainment
    • Updates
    • Backups
    • Dev / Design Team
    • Security Team
  • 32. Reset Secret Keys / Salts: People don't think about this, but it's a necessity to clear any open states; it forces everyone off their session. Source: https://api.wordpress.org/secret-key/1.1/salt/
  • 33. Force Password Resets: Many people will reset their password; few will actually reset everyone's post-hack.
  • 34. Sucuri Plugin
  • 35. Clean Your House
    • Least Privilege
      – Reduce Unnecessary Privileges; everyone does not have to be an admin
    • Remove unused software
      – CMS Applications
      – Extensions (Themes, Plugins, etc.)
  • 36. Basic Hardening: Disable PHP Execution in
    • /wp-includes
    • /wp-content
      – /themes
      – /plugins
      – /uploads  << minimum
    Apache rule (.htaccess) for those directories:
      <Files *.php>
      Deny from all
      </Files>
  • 37. Connection Integrity on Public Wi-Fi: https://www.getcloak.com/ | @getcloak
  • 38. Good Reading Material
    • Dealing with Malware: http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
    • Leveraging Google Webmaster Tools: http://www.unmaskparasites.com/malware-warning-guide/
    • Google Webmaster Tools (Hacked): http://www.google.com/webmasters/hacked/
    • Understanding Google's Blacklists: http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
    • Clearing Your Website with Free Scanner: http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
    • WordPress Tips & Tricks: http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
    • Prepared against a Hack? http://www.smashingmagazine.com/2014/05/30/are-you-prepared-against-a-hack/
  • 39. PADS = Sucuri
    • Complete Website Security with Sucuri
    • WPSessions Attendees Only
      – 30% off any plan for life
      – Contact Tony: tony@sucuri.net
      – Reference: WPSESS2014
      – Include: Email used in WPSessions Account
  • 40. Sucuri, Inc. Tony Perez http://sucuri.net http://blog.sucuri.net @perezbox | @sucuri_security