WordPress Security - Dealing With Today's Hacks

1. WordPress Security: Dealing with Today's Hacks
2. SUCURI@WORDCAMP# WHOIS PEREZBOX
   ID: Tony Perez | WHO: The Hulk | Username: Perezbox | Process: Sucuri | Services: InfoSec, Harley's, MMA, Guns | GeoIP: Menifee, California
   @sucuri_security @perezbox #wclv 10/13/2012
4. Why listen to me? You don't have to, but…
   I am not a designer or developer; my passion is Information Security, specifically Web Security.
   Not an expert, passionate enthusiast.
   I don't like people, I like packets, signatures and terminal.
   Seriously though, our company:
   - Remediates 200 to 300 infected websites a day, 24/7/365
   - Performs 2 million+ malware website scans a month
   - Supports all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
5. Thoughts To Kick Things Off
   Information Security is about risk reduction.
   If you're looking for the "silver bullet", this is the wrong talk for you.
   To think that you will never be infected or that you are immune to hacks is like saying you will never be sick. If someone tells you the opposite you should slap them and have them pay you for wasting your time.
   Prevention is ideal, detection is key… bats were created for ________ people…
6. Know Your Enemy
   - They have more time and resources
   - They are intelligent
   - The majority of attacks are automated
   - Goal is to impact as many people as possible
   - Mindset: own one, own them all…
   - It's not personal, it's business…
7. Ok, so what's the problem? TODAY'S ISSUES:
   - The Ecosystem / Environment
   - Access Control
   - Software Vulnerabilities
   - Administration
   - Credential Management
   - Extensibility
8. Today's Focus
   - Ecosystem / Environment
   - Access Control
   - Dealing with Hacks
9. The Ecosystem / Environment
   - Apache: malicious module injects iFrames
     http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
   - phpMyAdmin: mirror hacked
     http://sourceforge.net/blog/phpmyadmin-back-door/
   - PHP-CGI: remote code execution
     http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
   - Plesk: vulnerable to SQLi attacks
     http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
10. Uh, what about WordPress?
11. Logical Architecture
   Linux Operating System
     Apache (+ modules) | MySQL | PHP (+ modules, PHP-CGI)
       WordPress
   Also on the box: cPanel, Plesk, phpMyAdmin
12. The Ecosystem / Environment: What can you do?
   Not much… it is completely outside of your control if you're using a shared or managed host.
   But you can reduce risk:
   - Use a Dedicated / VPS environment. Recognize the responsibility that this entails; if what I mentioned previously doesn't make sense, skip to the next step.
   - Go with a Managed Host. It doesn't mean you'll be safer, but it does mean you'll have resources to lean on.
13. Access is Key
   On the server:
   - Kill accounts that are not in use
   - FTP is the devil: slap yourself and switch to SFTP
   - Filter shell / SFTP by IP and keys; keys at a minimum
   - Disable password authentication on the server
   WordPress admin:
   - Multi-factor authentication on wp-admin: Apache "Basic Access Authentication" in front of it
   - Two-factor authentication on wp-login.php: Duo Two-Factor Authentication plugin
   Employ least privilege:
   - Users with the "administrator" role are not needed for everyday tasks
   - Learn to use Editor, Author, Contributor, Subscriber
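The server-side items on slide 13 (keys only, no password logins, access filtered by user and IP, SFTP instead of FTP) come down to a handful of sshd_config directives. The script below is an added example, not part of the talk: it audits a config the way sshd resolves it (first occurrence of a directive wins, Match blocks are separate) and runs against two constructed sample configs, a default-style one and a hardened one. The account names, the /srv/www chroot and the 203.0.113.0/24 office range are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the talk). Audits an sshd_config for the slide-13 controls:
# keys only, no password auth, root locked out, logins limited by user (and IP).
# The two sample configs below are constructed; names and the IP range are assumptions.
set -u

# Effective value of a directive: sshd takes the FIRST occurrence in the global
# section, so strip comments and stop reading at the first Match block.
sshd_get() {  # sshd_get <config-file> <Directive> -> lowercase value or empty
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -v k="$2" 'tolower($1)=="match"{exit} tolower($1)==tolower(k){print tolower($2); exit}'
}

# One finding per line; prints nothing for a config that meets the bar.
audit_sshd_config() {
  cfg="$1"
  [ "$(sshd_get "$cfg" PasswordAuthentication)" = "no" ] ||
    echo "PasswordAuthentication is not 'no'"
  [ "$(sshd_get "$cfg" PubkeyAuthentication)" != "no" ] ||
    echo "PubkeyAuthentication is disabled"
  case "$(sshd_get "$cfg" PermitRootLogin)" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin is not restricted" ;;
  esac
  # With UsePAM, keyboard-interactive is a second password path unless turned off.
  { [ "$(sshd_get "$cfg" ChallengeResponseAuthentication)" = "no" ] ||
    [ "$(sshd_get "$cfg" KbdInteractiveAuthentication)" = "no" ]; } ||
    echo "ChallengeResponse/KbdInteractive authentication not disabled"
  [ -n "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ] ||
    echo "No AllowUsers/AllowGroups restriction"
  return 0
}
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

WEAK=$(mktemp); HARD=$(mktemp); trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# constructed sample: the defaults many hosting images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
cat >"$HARD" <<'EOF'
# constructed sample: keys only, root out, logins only from the office range,
# and the SFTP-only account chrooted to the web root with no shell or forwarding
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers wpadmin@203.0.113.0/24 wpsftp@203.0.113.0/24
Match User wpsftp
    ChrootDirectory /srv/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF

echo "== weak config:";     audit_sshd_config "$WEAK"
echo "== hardened config:"; audit_sshd_config "$HARD"
```

Run it against `/etc/ssh/sshd_config` on a VPS and every line it prints is an item from slide 13 still undone; the `Match User` block is how the "switch to SFTP" advice is enforced for a deploy account that should never get a shell.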
14. Gah!?!?!?!?!?!?!
15. WordPress Loving Infections
   - Defacements
   - Backdoors
   - Pharma Hack
   - Injections (iFrames specifically)
   - Malicious Redirects
   - Phishing
16. Before We Dive In
   Linux / Unix tools: curl, find, grep, diff
17. Command Usage: Hunting TimThumb
   Find every copy and the version it reports:
     grep -Eir --include='*thumb.php' 'define.*VERSION' .
   Then replace each outdated copy with the current upstream file:
     curl -A "Windows" -o /path-to-file/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
   (The URL is the one on the slide; Google Code has since shut down, so fetch from the project's current home.)
18. Command Usage: Identify Change
   Detect recent changes:
     find . -type f -ctime -1        # inode change within the last 24 hours
     find . -type f -mtime -1        # content modified within the last 24 hours
     find . -type f -mtime -2        # within the last 48 hours
   -mtime is what an attacker can reset with touch; -ctime is the inode change time, which cannot be rewound without root, so search on both.
   Detect differences against a known-good copy:
     diff -qr /path/dir1 /path/dir2
19. Defacements
   Hacktivism at its finest… you now support a cause!?!?!
20. Defacements: Hacktivism 101
   Annoying as S*&T
   Places to look: index.html, index.php (root directory, wp-content, theme directory)
   grep is your friend:
     grep -ri 'sniper399' .
21. Backdoors
   It's ok to cry a little…
22. Backdoors
   Common terms: is_bot, eval, base64_decode, fopen, fclose, readfile, edoced_46esab (base64_decode spelt backwards, fed to strrev), exec, system, shell_exec, gzuncompress, popen, FilesMan
     grep -RPl --include='*.php' '(system|exec|passthru|shell_exec|base64_decode|eval)\s*\(' /var/www
   Expect false positives: plugins legitimately call base64_decode and exec, so review each hit rather than deleting it.
23. Pharma Hack
   Erectile Dysfunction pills are leading ads.. Who knew..
24. Pharma Hack
   - Multi-million $ business
   - Rarely distributes malware; impression-based affiliate marketing
   - Targets Google's Search Engine Result Pages (SERP)
   - Odds of malware distribution are actually low
   Tricks: embedded within core files; look for ".tmp" directories
25. Pharma Hack, cntd..
   The spam is cloaked: it is served to search-engine crawlers and hidden from normal visitors, so fetch your own site the way Google does and compare it with a normal fetch:
     curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
   Or use Google Webmaster Tools: Fetch as Googlebot.
   Check your theme's index.php for things like this:
     <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-…
26. Pharma Hack, cntd..
27. Injections
   It only hurts for a minute…
28. Injections
   Invisible iFrames, executing in your visitor's browser; contributing to drive-by downloads, pharma, XSS, CSRF.
   Places to check, the files that generate content: JS files, header.php, index.php, functions.php, footer.php
29. Injections, cntd…
   PHP iFrame injection => count##.php; check all index.php and theme JS files. Example below:
30. Injections, cntd…
   Pharma link injections => drive-by downloads
31. Malicious Redirects
   WTF?!?! Why don't I understand what it says?
32. Malicious Redirects
   Redirects your user to a domain distributing malware; fundamentally different from an iframe injection, which executes in your browser.
   8 out of 10 times, check your .htaccess files, all of them:
     find /var/www -name .htaccess -type f | wc -l
   Check for backdoors also; a redirect is often a sign of a bigger issue.
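Counting the .htaccess files is the first step of slide 32; reading all of them is the second, and the rewrite that hurts is usually conditional, firing only for visitors arriving from a search engine or on a phone so the site owner never sees it. The script below is an added example, not from the talk: it builds a constructed tree with the stock WordPress .htaccess and a poisoned one buried in wp-includes, counts them as the slide does, and flags the conditional-redirect pattern. The redirect target malware-example.invalid is a placeholder, not a real domain.

```shell
#!/usr/bin/env bash
# Added example (not from the talk). Slide 32 says: when visitors get redirected,
# check every .htaccess. This builds a constructed tree with a stock WordPress
# .htaccess and a poisoned one buried in wp-includes, counts them as the slide does,
# and flags the conditional-redirect pattern attackers use so the owner never sees it.
# The redirect target malware-example.invalid is a placeholder, not a real domain.
set -u

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/wp-content/uploads" "$WORK/wp-includes"

cat > "$WORK/.htaccess" <<'EOF'
# constructed: the stock WordPress permalink block, which is benign
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF

cat > "$WORK/wp-includes/.htaccess" <<'EOF'
# constructed: injected redirect, fired only for search-engine or mobile traffic
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^.*$ http://malware-example.invalid/in.cgi?3 [R=302,L]
EOF

# Every .htaccess under the web root, and the count the slide asks for.
list_htaccess()  { find "$1" -name .htaccess -type f | sort; }
count_htaccess() { list_htaccess "$1" | wc -l | tr -d ' '; }

# Flag the three things a redirect hack needs: a rewrite to an absolute off-site URL,
# a condition on referer or user agent (cloaking), or an ErrorDocument sent off-site.
# Prints "path: reason" per match; legitimate www-canonicalization rules will also
# trip the first check, so treat the output as a review list, not a verdict.
flag_htaccess() {
  f="$1"
  grep -Eiq 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f" &&
    echo "$f: RewriteRule to an absolute URL"
  grep -Eiq 'RewriteCond[[:space:]]+%.HTTP_(REFERER|USER_AGENT)' "$f" &&
    echo "$f: rule conditioned on referer/user-agent"
  grep -Eiq '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' "$f" &&
    echo "$f: ErrorDocument pointing off-site"
  return 0
}
scan_htaccess() { list_htaccess "$1" | while IFS= read -r f; do flag_htaccess "$f"; done; }

echo "== $(count_htaccess "$WORK") .htaccess file(s) found"
scan_htaccess "$WORK"
```

Point `scan_htaccess` at the real web root and it lists only the files worth opening; the stock WordPress block is not flagged, the injected one is flagged twice. As the slide says, a redirect rule that was not written by you usually means a backdoor wrote it, so the grep from slide 22 belongs in the same session.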
33. Phishing
   Biggest growing problem, exceptionally difficult to detect…
34. Phishing
   Growing at a faster pace than traditional web malware.
   No impact to your readers, but tied to SPAM bots sending out emails like this:
35. Phishing, cntd…
36. Demonstration: Bringing the Point Home
37. Demo Objective
   Use good tools for bad things: wpscan
   - Enumerate the users
   - Brute force the user accounts' passwords
   - Insert an arbitrary backdoor shell for remote execution
   - Deface the website
   - Insert another shell backdoor that provides an interface
   I have 5 minutes. Ready?
38. Keeping it Real
   Remember the risk discussion?
39. Guard Access
   Revisit Slide 12: access, access, access. It always comes down to access.
   We have to change the way we treat and think about access. All access: server and application.
   We are making the same mistakes with access that servers and desktops were making in the 90's.
   Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?
40. Password Dilemma
   15-character password: 3 months to crack
   Long / Complex / Unique is the key to passwords.
   Prefer a password manager. You don't? Ok.. passphrases work too: iLuvWCLVegas:2012:HrtAttckGrll
   Come up with a process that works and stick to it:
   - One scheme: remember 8 characters, write down 8 characters, save 20 characters
   - Second scheme: remember 20 characters, prefix them with the site name, end the sequence with some date
41. Kill PHP Execution
   Directories: wp-includes, wp-content, uploads (at a minimum). Drop this in an .htaccess in each:
     <Files *.php>
     Deny from all
     </Files>
   On Apache 2.4 the equivalent directive is "Require all denied". Uploads is the safe minimum: blocking all of wp-includes and wp-content breaks plugins and core scripts that are requested directly (wp-includes/js/tinymce/wp-tinymce.php, for example), so test the site after adding the rule.
42. Disable Theme / Plugin Editor
   I'd take it a step further and remove the ability to install, but that's just me.
   Modify wp-config.php with:
   Disable the plugin / theme editor:
     define('DISALLOW_FILE_EDIT', true);
   - OR -
   Disable plugin / theme update and installation (this also disables the editor and blocks updates from the dashboard, so you must apply them another way):
     define('DISALLOW_FILE_MODS', true);
43. Update
   Oldest version found in production: 1.5
   Leading cause of cross-site contamination issues.
   Perhaps the simplest of tasks, yet we still find this:
44. Plugins That Help
   Clients: Sucuri Security Premium, Duo Two-Factor Authentication, Theme-Check, BackupBuddy, Akismet
   Non-Clients: Duo Two-Factor Authentication, Limit Login Attempts, Theme-Check, BackupBuddy, Akismet
45. Need a Hand?
   Support Forums:
   - Hacked: http://wordpress.org/tags/hacked
   - Malware: http://wordpress.org/tags/malware
   - BadwareBusters: https://badwarebusters.org
   Online Resources:
   - Sucuri Blog: http://blog.sucuri.net
   - SiteCheck Scanner: http://sitecheck.sucuri.net
   - Unmask Parasites: http://unmaskparasites.com
   - Perishable Press: http://perishablepress.com/category/web-design/security/
   - Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
46. Sucuri | Tony Perez
   http://sucuri.net | http://blog.sucuri.net
   Twitter: @sucuri_security, @perezbox and @tonyonsecurity
