
I've been hacked! So, now, what!?

The three most typical questions people ask me when they realize I work in cybersecurity are:

– How do I know if I’ve been hacked?
– What do I do when this (s**t) happens?
– How can I avoid it?

Using a little “horror gallery” of examples gathered during the years I’ve been working at Sucuri, I show what a hacked site looks like, hopefully training your eyes a little on where to look, along with some tips for detecting anomalies as early as possible. Once something bad is detected, there is a recommended checklist of countermeasures to fight the infection and avoid future re-infections.
Presentation given at the WordCamp Tokyo 2019 event.


  1. I’VE BEEN HACKED! SO, NOW WHAT!! By Néstor Angulo de Ugarte, WordCamp Tokyo 2019 #WCTOKYO
  2. Hello!
  3. WHO I AM • Computer Science Engineer & Technology consultant • Photographer & Early Adopter • Truly curious guy • 2015: SUCURI Incident Response & Easy SSL • 2019: Head of IT @ GoDaddy Spain #WCTokyo 19 Néstor Angulo (@pharar)
  4. ABOUT • Sucuri: Anaconda (not “Securi” / “Security”) • Website security • Fully remote (people from > 25 countries around the world) • 2008: Foundation • 2017: Became part of the GoDaddy family • Free interesting scanners: • Sitecheck (sitecheck.sucuri.net) • Performance (performance.sucuri.net)
  5. LET’S CONNECT THE DOTS
  6. INDEX 1. Concepts / Disclaimer 2. Aaaargh!! NOOOOOOOOO! AKA Horror gallery 3. So, now, what??? AKA reactive measures 4. Never ever again!! AKA proactive measures
  8. CONCEPTS & DISCLAIMER: Some things to be aware of first
  9. DISCLAIMER: Any sensitive information has been protected/encrypted to preserve privacy. Any similarity with real persons or real situations is a coincidence. I’m responsible for what I say, not for what you interpret. Always ask an expert.
  11. There are two kinds of companies: those that have been hacked, and those that don’t yet know they have been hacked.
  12. HACKER VS CYBERTERRORIST • Hacker: Curious person who loves to go beyond limits or conventionalisms. • Cyberterrorist / Cracker: Computer hacker whose intentions are always aligned with enriching himself in a zero-sum game situation. The bad guy / the bad hacker.
  13. BAD HACKER VS SECURITY ANALYST • The bad hacker: cybercriminal • The good hacker: crime scene investigator (CSI) / police
  14. WEB SECURITY • Cybersecurity: security in the digital world • Web security: a field of cybersecurity • Covers what happens through ports 80 / 443
  15. FACTS • Site hacking is almost never client-oriented (98% of cases) • It almost always happens due to deficient monitoring / maintenance • Security is never (nor will it be) 100% effective • An SSL certificate is not an anti-hacking shield • Patches & security updates almost always appear after the exploits • Errare Humanum Est (human beings fail)
  16. WORDPRESS TYPICAL OBJECTIVES • Users’ info • Database • Website content • Infrastructure • Botnet • Reputation
  17. HOW TO HACK A WORDPRESS (attack chain): Exploit / vulnerability → Injection → Final code (Backdoor, Spam / defacement, BotNode)
  19. AAAARGH!! NOOOOO! A.K.A. The Horror Gallery
  20. DEFACEMENTS (screenshot slides 20 to 26 omitted)
  27. DEFACEMENTS • Partial / full replacement of the website frontend • Very obvious • Easy detection: Users (hear them!), Scanners • Objective: Awareness / social or political protest
  28. PHISHING (screenshot slide omitted)
  29. PHISHING • Login / checkout environment imitation • Subtle • Detection: Scanners, Blacklists • Objective: Steal credentials / sensitive information
  35. BLACK SEO / SPAM (screenshot slides 35 to 39 omitted)
  40. BLACK HAT SEO / SPAM • Spam / unwanted content on your site • Detection: Scanners (easy), Users (hear them!), Search engine warnings • Objective: Affect your SEO
  41. REDIRECTIONS (screenshot slide omitted)
  42. REDIRECTIONS • Open unwanted affiliate links to suspicious websites • Detection: Scanners (NOT easy), Users (hear them!), Search engine warnings • Objective: Affect your SEO or the affiliates’ SEO
  47. CC / LOGIN STEALERS (screenshot slides 47 and 48 omitted)
  49. CC / LOGIN STEALER • Sensitive information leak • Detection: File integrity scanner • In EUROPE: must be reported to the police (GDPR compliance)
  50. DDOS ATTACKS / BOT NETS (screenshot slides 50 to 53 omitted; slide 51 shows the “Normal situation”)
  54. BOTNETS, CRYPTOMINERS, DDOS • Affecting your infrastructure • Detection: Usually difficult; Strange use of resources; File integrity scanner; WAF recommended • Objective: Your server’s resources or your users’ ones; to make your site a zombie node
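Both the stealer slide (49) and the botnet slide (54) name a file integrity scanner as the detection method without showing one. The script below is an added example, not code from the talk or from Sucuri's products: a baseline-and-verify check in POSIX shell that assumes a Linux host with coreutils (find, sort, xargs, sha256sum, awk), file paths without whitespace, and a manifest kept outside the web root.

```shell
# Minimal file-integrity check for a site tree (added example; assumes Linux
# coreutils). Keep the manifest OUTSIDE the web root (or offsite, like your
# backups): if it lives next to the site, whoever injected code can also
# regenerate a "clean" manifest that matches the injected files.

# Print "sha256  ./relative/path" for every regular file, sorted by path.
fim_snapshot() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# Take the baseline right after a clean install/restore or a verified update.
fim_baseline() {
  fim_snapshot "$1" > "$2"
}

# Compare the tree against the manifest. Prints one line per change
# (ADDED / REMOVED / MODIFIED); returns 1 if anything changed, 0 if clean.
# A plain "sha256sum -c" would miss ADDED files, which is exactly how a
# dropped backdoor or stealer usually shows up, so the diff is done in awk.
fim_verify() {
  dir=$1; manifest=$2
  now=$(mktemp) || return 2
  fim_snapshot "$dir" > "$now"
  changes=$(awk '
    NR == FNR { base[$2] = $1; next }          # first input: the manifest
    {
      if (!($2 in base))        print "ADDED    " $2
      else if (base[$2] != $1)  print "MODIFIED " $2
      delete base[$2]
    }
    END { for (p in base) print "REMOVED  " p }
  ' "$manifest" "$now")
  rm -f "$now"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# Usage (e.g. from cron, mailing yourself any output):
#   fim_baseline /var/www/html /root/site.manifest   # once, on a clean tree
#   fim_verify   /var/www/html /root/site.manifest   # periodically
```

Expect noise from caches and uploads on a real site; exclude those paths in fim_snapshot and review them separately rather than silencing the whole check.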
  56. SO, NOW WHAT!?? A.K.A. reactive measures
  57. HIERARCHY AND AGENTS • You: Owner / Admins; Developer & Designer; Users / clients • Hosting provider: Agent / C3; Support & Backups • Security expert: Security department; External services
  58. ACTIONS YOU CAN TAKE YOURSELF
  59. SCAN YOUR SITE • Let’s try to figure out what happened • Free scanners: sitecheck.sucuri.net • Blacklisting: virustotal.com (blacklist)
  61. CRC: CHECK, REMOVE AND CHANGE • Check and remove: Unneeded admin users; Plugins and themes that are not strictly in use; Outdated backups; DEV/TEST sites on your production server • Change passwords: Connections (cPanel, FTP, SSH, …); Database (remember to update your wp-config.php); Dashboard (wp-admin); Hosting provider
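The "Change passwords: Database (remember to update your wp-config.php)" step of the CRC checklist is the one people get half right, rotating the MySQL credential but leaving the old value in the config or vice versa. The functions below are an added example, not code from the talk: they generate a strong password, rewrite the DB_PASSWORD define atomically, and emit the matching ALTER USER statement for the admin to run on the database side. They assume Linux coreutils plus /dev/urandom, a standard wp-config.php with single-quoted defines, and that the MySQL grant host is passed in (default localhost) since DB_HOST in the config is the host as the web server sees it, not as MySQL does.

```shell
# Rotate the WordPress DB password on the config side (added example, not from
# the talk). Assumes Linux coreutils and /dev/urandom. The DB-side change is
# printed as SQL for the admin to run; nothing here connects to MySQL.

# 32 random bytes as base64: only [A-Za-z0-9+/=], so the value is safe inside
# the single-quoted PHP string in wp-config.php and needs no escaping.
wp_new_password() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Rewrite the DB_PASSWORD define. $1 = path to wp-config.php, $2 = new password.
# Writes a temp file and renames it, so a crash cannot leave a half-written
# config; returns 1 (file untouched) if no DB_PASSWORD define was found.
wp_config_set_db_password() {
  cfg=$1; pass=$2
  tmp=$(mktemp) || return 2
  awk -v pass="$pass" '
    /^[[:space:]]*define[[:space:]]*\([[:space:]]*['\''"]DB_PASSWORD['\''"]/ {
      print "define( '\''DB_PASSWORD'\'', '\''" pass "'\'' );"; found = 1; next
    }
    { print }
    END { exit found ? 0 : 1 }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp" && mv "$tmp" "$cfg"   # config must never be world-readable
}

# Print the ALTER USER statement (MySQL 5.7+/MariaDB syntax) that gives the DB
# account the same secret. $1 = wp-config.php, $2 = password, $3 = grant host
# as MySQL sees the web server (default localhost; check SHOW GRANTS).
wp_db_alter_sql() {
  cfg=$1; pass=$2; grant_host=${3:-localhost}
  user=$(awk -F"'" '/define[[:space:]]*\([[:space:]]*'\''DB_USER'\''/ { print $4; exit }' "$cfg")
  printf "ALTER USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$grant_host" "$pass"
}

# Usage:
#   new=$(wp_new_password)
#   wp_config_set_db_password /var/www/html/wp-config.php "$new"
#   wp_db_alter_sql /var/www/html/wp-config.php "$new"   # run the output in MySQL
```

Rotate the DB side and the config in the same maintenance window; the site is down between the two steps, so do the ALTER USER immediately after the config rewrite.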
  63. RESTORE A BACKUP • Last option • You can lose information • We do not always know when the infection began
  64. RESTORE A BACKUP: Do you THINK you have backups?
  66. NEVER EVER AGAIN!! A.K.A. proactive measures
  67. SECURITY IN LAYERS • You (the weakest layer) • Your device (antivirus) • Your connection (SSL) • Your website (WAF) • Your credentials (strong passwords / 2FA) • Your site security (monitor / updates) • Your server security (monitor / updates) • Your database (monitor) • Maintenance tasks
  68. MINIMUM PRIVILEGE PRINCIPLE • “To Caesar, what is Caesar’s”: admin stuff with an admin account, the rest with a limited account • The more admins, the more risk • All users’ passwords MUST be unique and strong (better with 2FA when possible) • Applied to all layers (wp-admin, [S]FTP, cPanel, dashboard, db, …)
  69. BACKUPS • Have a backup strategy • NEVER store the backups on your production server • A clean and FUNCTIONAL backup will be your best friend on a bad day
  71. UPDATES … ALWAYS! • PLUGINS • THEMES • CORE • PHP • APACHE / NGINX • SERVER • CPANEL / PLESK • …
  72. REMEMBER TO INVEST IN HOSTING AND SECURITY
  73. HOSTING • First layer of your site’s defense • Balance between price and features • They are in charge of the server’s services, database and maintenance
  74. SHARED HOSTING VS DEDICATED
  75. WAF: YOUR GUARD DOG • Filters all your web traffic • Protects against XSS, DDoS, … • Virtually patches well-known software vulnerabilities • If it includes a CDN, your site will improve its speed and performance • Forensic analysis tool • Allows manual blocking
  79. Questions? Thank you! @pharar #WCTOKYO
