The most 3 typical questions that people ask to me when they realize that I work in the cybersecurity world are: – How to know if I’ve been hacked – What to do when this (s**t) happens – How I can avoid it. By displaying a little “horror gallery” with some examples gathered during the years I’ve been working at Sucuri, I will show how a hacked site looks like, helping hopefully to train a little bit your eyes to know where to look at, and some tips to help to detect anomalies ASAP. Once something bad is detected, there is a recommended checklist of countermeasures to fight against them and avoid future re-infections. Presentation made for the WordCamp Tokyo 2019 event.

1. I’VE BEEN HACKED!
SO, NOW WHAT!!
By Néstor Angulo de Ugarte
WordCamp Tokyo 2019 #WCTOKYO

2. 2
こんにちわ!

3. WHO I AM
• Computer Science Engineer &
Technology consultant
• Photographer & Early
Adopter
• Truly curious guy
• 2015: SUCURI
Incident Response & Easy SSL
• 2019: GoDaddy Spain
Head of IT @ GoDaddy Spain
#WCTokyo 19 Néstor Angulo (@pharar) 3

4. ABOUT
• Sucuri: Anaconda
(No Securi / Security)
• Website security
• Fully remote (people from > 25 countries
around the world)
• 2008: Foundation
• 2017: Got part of the
GoDaddy family
• Free interesting scanners:
• Sitecheck (sitecheck.sucuri.net)
• Performance (performance.sucuri.net)
4

5. 5
LET’S CONNECT THE DOTS

6. INDEX
1. Concepts / Disclaimer
2. Aaaargh!!
NOOOOOOOOO!
AKA Horror gallery
3. So, now, what???
AKA reactive measures
4. Never ever again!!
AKA proactive measures
6

7. INDEX
1. Concepts / Disclaimer
2. Aaaargh!!
NOOOOOOOOO!
AKA Horror gallery
3. So, now, what???
AKA reactive measures
4. Never ever again!!
AKA proactive measures
7

8. CONCEPTS & DISCLAIMER
Some things to be aware first

9. DISCLAIMER
9
Any sensitive information has been protected/encrypted to preserve privacy.
Any similiarity with real persons or real situations is a coincidence.
I’m responsible of what I say, not what you interpret.
Always ask to an expert.

10. #WCTokyo 19 Néstor Angulo (@pharar) 10

11. #WCTokyo 19 Néstor Angulo (@pharar) 11
ハッキングされた企業と、
ハッキングされたことをま
だ知らない企業の2種類があ
ります。

12. HACKER VS CYBERTERRORIST
12
Hacker:
• Curious person who loves to go
beyond limits or convetionalisms.
Cyberterrorist / Cracker:
• Computer Hacker, whom
intentions are always aligned to enrich
himself in a zero-sum game situation.
• The bad guy / the bad hacker

13. BAD HACKER VS SECURITY ANALYST
13
THE BAD HACKER:
CYBERCRIMINAL
THE GOOD HACKER:
CRIME SCENE INVESTIGATOR
(CSI) / POLICE

14. WEB SECURITY
• Cybersecurity:
Security in the digital world
• Web Security:
Field of Cybersecurity
• Covers what happens through
port 80 / 443
14

15. FACTS
15
Site hacking
almost never
is client-oriented
(98% of cases)
Almost always
happens due to a
deficient monitoring
/ maintenance
Security never is
(nor will be)
100% effective
A SSL certificate
is not
an antihacking shield
Patches & security
updates
appear almost always
after hacking exploits
Errare Humanum
Est
(Human being fails)

16. WORDPRESS TYPICAL OBJECTIVES
16
USERS INFO DATABASE WEBSITE CONTENT INFRAESTRUCTURE BOT NET REPUTATION

17. HOW TO HACK A WORDPRESS
Exploit /
vulnerability
Injection
Final code Backdoor
Spam /
defacement
BotNode Final code
17

18. INDEX
1. Concepts / Disclaimer
2. Aaaargh!!
NOOOOOOOOO!
AKA horror gallery
3. So, now, what???
AKA reactive measures
4. Never ever again!!
AKA proactive measures
18

19. AAAARGH!!
NOOOOO!
A.K.A.
The Horror Gallery

20. DEFACEMENTS
20

21. DEFACEMENTS
21

22. 22

23. 23

24. 24

25. 25

26. 26

27. DEFACEMENTS
27
Partial / full replacement of website
frontend.
Very obvious
Easy detection:
Users (hear them!)
Scanners
Objective:
Awareness / social or political revindication

28. PHISHING
28

29. PHISHING
29
Login / checkout environment imitation
Sutile
Detection:
Scanners
Blacklists
Objective:
Steal credentials / sensitive information

30. 30

31. 31

32. 32

33. 33

34. 34

35. BLACK SEO / SPAM
35

36. 36

37. 37

38. 38

39. 39

40. BLACK HAT SEO
/ SPAM
40
Spam/unwanted content in
your site
Detection:
Scanners (Easy)
Users (hear them!)
Search Engine warnings
Objective:
Affect your SEO

41. REDIRECTIONS
41

42. REDIRECTIONS
42
Open unwanted affiliate links to
suspicious websites
Detection:
Scanners (NOT Easy)
Users (hear them!)
Search Engine warnings
Objective:
Affect your SEO or the affiliate
ones

43. 43

44. 44

45. 45

46. 46

47. CC / LOGIN STEALERS
47

48. 48

49. CC/LOGIN
STEALER
49
Sensitive information leak
Detection: File integrity
scanner
In EUROPE:
Must report to
Police
GDPR Compliance

50. DDOS ATTACKS / BOT NETS
50

51. Situación normal
51

52. 52

53. 53

54. BOTNETS,
CRYPTOMINERS,
DDOS
54
Affecting to your infraestructure
Detection:
Usually difficult
Strange use of resources
File Integrity Scanner
WAF recommended
Objective:
Your server’s resources or user’s
ones.
To make your site a zombie node

55. INDEX
1. Concepts / Disclaimer
2. Aaaargh!!
NOOOOOOOOO!
AKA horror gallery
3. So, now, what???
AKA reactive measures
4. Never ever again!!
AKA proactive measures
55

56. SO, NOW
WHAT!??
A.K.A.
reactive measures

57. HIERARCHY AND AGENTS
You
• Owner / Admins
• Developer &
Designer
• Users/clients
Hosting
Provider
• Agent / C3
• Support &
Backups
Security
Expert
• Security
department
• External
services
57

58. ACTIONS YOU CAN DO
YOURSELVES
58

59. SCAN
YOUR SITE
• Let’s try to figure out what
happened
• Free scanners:
• sitecheck.sucuri.net
• Blacklisting
• virustotal.com (blacklist)
59

60. 60

61. CRC: CHECK, REMOVE AND CHANGE
61
Check and Remove
• Unneeded admin users
• Plugins and themes which are
strictly not in use
• Outdated backups
• DEV/TEST sites in your production
server
Change Passwords
• Connections (cPanel, FTP, SSH, …)
• Database (remember to update
your wp-config.php)
• Dashboard (wp-admin)
• Hosting provider

62. 62

63. RESTORE A BACKUP
• Last option
• You can loose
information
• We not always know
when the infection
begun
63

64. RESTORE A BACKUP
Do you THINK you
have backups?
64

65. INDEX
1. Concepts / Disclaimer
2. Aaaargh!!
NOOOOOOOOO!
AKA horror gallery
3. So, now, what???
AKA reactive measures
4. Never ever again!!
AKA proactive measures
65

66. NEVER
EVER
AGAIN!!
A.K.A.
proactive measures

67. SECURITY IN LAYERS
You ( the weakest layer )
Your device ( Antivirus )
Your connection ( SSL )
Your website ( WAF )
Your credentials ( Strong Passwords / 2FA )
Your site security ( monitor / updates )
Your server security ( monitor / updates )
Your database ( monitor )
Maintenance tasks
67

68. MINIMUM
PRIVILEGE
PRINCIPLE
68
“To Caesar, what is
Caesar’s”.
Admin stuff with
admin account.The
rest, with a limited
account
The more
admins,
the more
risk
All user’s
passwords
MUST be
unique and
strong
(better with 2FA
when possible)
Applied to all
layers
(wp-admin, [S]FTP,
cPanel, dashboard,
db, …)

69. BACKUPS
• Have a backups strategy
• NEVER store the backups in your
production server
• A clean and FUNCTIONAL
backup will be your best friend a
bad day
69

70. BACKUPS
• Have a backups strategy
• NEVER store the backups in your
production server
• A clean and
backup will be your best friend a
bad day
70

71. UPDATES
• PLUGINS
• THEMES
• CORE
• PHP
• APACHE / NGINX
• SERVER
• CPANEL / PLESK
• …
71
UPDATE
...
ALWAYS!

72. REMEMBER TO INVEST IN
72
HOSTING SECURITY

73. HOSTING
FIRST LAYER OF
YOUR SITE’S DEFENSE
BALANCE BETWEEN
PRICE AND FEATURES
THEY ARE IN CHARGE OF THE
SERVER’S SERVICES, DATABASE
AND MAINTENANCE
73

74. SHARED HOSTING VS DEDICATED
#WCTokyo 19 Néstor Angulo (@pharar) 74

75. WAF
YOUR GUARD
DOG
75
Filters all your web traffic
Protects against XSS, DDoS, …
Patchs virtually well known software vulnerabilities
If it includes CDN, your site will improve its speed and
performance
Forensic analisys tool
Allows manual blocking

76. WAF
YOUR GUARD
DOG
76
Filters all your web traffic
Protects against XSS, DDoS, …
Patchs virtually well known software vulnerabilities
If it includes CDN, your site will improve its speed and
performance
Forensic analisys tool
Allows manual blocking

77. 77

78. #WCTokyo 19 Néstor Angulo (@pharar) 78

79. ご質問は？
ありがとうございました！
@pharar #WCTOKYO