Wordpress Security
Mehmet Ince
~Istanbul PHP Meetup #011~
Who Am I
Ince, Mehmet Dursun
Senior Penetration Tester, @ PRODAFT /
INVICTUS
Ordinarily;
● Hack the app.
● Make it secure.
● Hack it again.
Blogger
https://www.mehmetince.net
This talk is all about
SECURITY
Security engineers say security is
● COMPLICATED
● HARD
● PAINFUL
● ENDLESS
● ...
Devs say security is
● XSS, HUH?! IT’S NOTHING
● MY CODE IS FLAWLESS
● YOU ARE USELESS.
● FCUK YOU Pentester.
● BEST PROGRAMMING LANGUAGE IS BLABLA...
The truth is
● Neither “the most secure programming language is PHP” nor “PHP is the most vulnerable language” is TRUE..!
● The truth is, programming languages are innocent. The problem is YOU..!
Getting started with “Wordpress security” basics.
Run applications with least privileges
● Do NOT run your application with root privileges. E.g. the HHVM and MySQL processes should be started by different users (e.g. via supervisord).
● CHMOD 777 is not a solution for HTTP 403 errors; it will cause bigger problems.
● CHOWN apache:apache -R www/ is not a “correct” solution for HTTP 403 either. It will cause a MUCH bigger problem.
Database security
● It is wise to keep each application’s data in a separate database, each managed by a different user.
● Disable remote access; use SSH tunneling.
● Disable LOAD_FILE() etc.
● Remove anonymous users.
● If you have an external database server, enable MySQL SSL.
● https://www.mehmetince.net/mysql-veri-tabani-guvenligi-checklist/
Be a “Lone Wolf”
● It’s 2015…!
○ Stop using “Shared Hosting”.
○ Stop using cPanel.
○ Stop using WHMCS.
● A basic SSD Linux server costs just $5/month. E.g. DigitalOcean, Vultr, ...
DDoS
● L3 DDoS.
● L7 DDoS.
● Varnish ?!
● Memcache ?!
Wp-admin ~ Wp-config
● 2-step authentication: https://wordpress.org/plugins/authy-two-factor-authentication/
● Captcha: https://wordpress.org/plugins/no-captcha-recaptcha/
● BasicAuth might also break some WP functionality, such as the AJAX handler at wp-admin/admin-ajax.php
● define( 'DISALLOW_FILE_EDIT', true );
● define( 'FS_METHOD', 'direct' );
Brute-force XMLRPC
● /xmlrpc.php
● Hundreds of thousands of username & password pairs can be brute-forced within ONE HTTP request through the system.multicall method of XML-RPC.
● Disable access to xmlrpc.php. If you need to use it, disable system.multicall, system.listMethods and system.getCapabilities.
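The multicall amplification described above can be caught in front of WordPress. The following Python is an added example (not from the talk): it parses an XML-RPC POST body with the standard library, counts how many credential-bearing calls a single system.multicall carries, and rejects the three methods the slide names; the method sets, the function names and the sample bodies are my own constructions.

```python
import xmlrpc.client

# Methods the talk recommends disabling when xmlrpc.php must stay reachable.
BLOCKED_METHODS = {"system.multicall", "system.listMethods", "system.getCapabilities"}
# Calls that take a username/password pair and therefore serve as login oracles.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getUsers", "metaWeblog.getUsersBlogs"}


def inspect_xmlrpc_body(body: bytes) -> dict:
    """Parse an XML-RPC request and decide whether to let it reach xmlrpc.php.

    Returns {"allow": bool, "method": str|None, "auth_attempts": int, "reason": str}.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML: reject rather than guess
        return {"allow": False, "method": None, "auth_attempts": 0, "reason": f"unparseable: {exc}"}
    attempts = 1 if method in AUTH_METHODS else 0
    if method == "system.multicall" and params and isinstance(params[0], list):
        # Each element is a struct {"methodName": ..., "params": [...]}; count the login oracles.
        attempts = sum(1 for c in params[0] if isinstance(c, dict) and c.get("methodName") in AUTH_METHODS)
    if method in BLOCKED_METHODS:
        return {"allow": False, "method": method, "auth_attempts": attempts,
                "reason": f"{method} is disabled ({attempts} credential checks in one request)"}
    return {"allow": True, "method": method, "auth_attempts": attempts, "reason": "ok"}


def sample_multicall(n: int) -> bytes:
    """Constructed fixture: one system.multicall wrapping n wp.getUsersBlogs calls."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": ["admin", f"pw{i}"]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def sample_single() -> bytes:
    """Constructed fixture: an ordinary single login call, which the filter lets through."""
    return xmlrpc.client.dumps(("admin", "correct-horse"), methodname="wp.getUsersBlogs").encode()
```

Inside WordPress itself the same three methods can be removed through the xmlrpc_methods filter; the point of the external check is that the multicall never reaches PHP at all.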
HTTPS
HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS HTTPS
WAF
● A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. By customizing the rules to your application, many attacks can be identified and blocked.
Wordpress 4.2.3 SQL Injection
Commit = 70128fe7605cb963a46815cf91b0a5934f70eff5 | Date = 4 August 2015
23.02.2014 WP < 4.1 Stored XSS (Critical) vulnerability found by a researcher.
31.03.2014 Issue acknowledged by the Wordpress Team.
07.04.2014 Initial patch received from the WP team.
...
FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
21.04.2015 Finally, the WP team released the patch.
WTF
● The exploit does NOT require a logged-in user. Anyone may trigger the vulnerability..! On the other hand, Stored XSS means that anyone who visits the infected article is going to be HACKED!
but the Wordpress Team patched the issue after 14 months!
DEMO
Themes
“Nothing Is Free In This World.”
If you are using a free theme, I’m sorry but YOU GOT PWNED.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● Identified by Foxit-Security in May 2014.
● A researcher from Foxit-Security found the following HTTP request generated by their customer’s server.
[08/May/2014:12:44:10 +0100] "POST http://worldcute.biz/ HTTP/1.1"
… an unexpected journey has begun.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● There is no User-Agent.
● There is no Referer.
● HTTP POST request to a .biz domain.
● And the POST data contains encrypted information..!
● Upon further inspection, they found that the only action that occurred before the HTTP POST request was the installation of a plug-in onto a Joomla instance by the administrator of the website.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● The latest installed plug-in was JSecure.
● The ZIP file of JSecure contained the following.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● All files seem normal, other than jsecure.php. It was updated on March 26..!
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● The jsecure.php code was innocent as well, except for the last line.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
mince@rootlab admin $ file images/social.png
images/social.png: PHP script, ASCII text, with very long lines
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
Obfuscated PHP codes.
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
CMS Detection
CryptoPHP ~ Most Sophisticated CMS Backdoor Case
● One backdoor to rule them all (Wordpress, Drupal, Joomla)
● Public key encryption for communication with Command & Control servers.
● Ability to update itself.
● Method hook
● ...
Details: https://www.mehmetince.net/cryptophp-backdoor-analizi-ve-tespiti/
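The file images/social.png output earlier is the tell: an "image" that is really a PHP script. As an added example (not the author's tooling), the Python below walks a plugin directory, flags image-extension files that contain a PHP open tag, and also flags PHP files that include or require a file with an image extension, which is how I assume the suspicious last line of jsecure.php pulled social.png in; the fixture it builds is constructed and harmless, and the function names are mine.

```python
import os
import re
import tempfile

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# A genuine image never contains a PHP open tag.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Generalisation of the jsecure.php pattern (assumed): PHP source pulling in an "image" file.
INCLUDE_IMAGE = re.compile(
    rb"\b(include|require)(_once)?\s*\(?\s*['\"][^'\"]+\.(png|jpe?g|gif|ico)['\"]", re.IGNORECASE)


def scan_tree(root: str) -> dict:
    """Return {"php_in_images": [...], "includes_image": [...]} with paths relative to root."""
    hits = {"php_in_images": [], "includes_image": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXTS and PHP_OPEN_TAG.search(data):
                hits["php_in_images"].append(rel)
            elif ext == ".php" and INCLUDE_IMAGE.search(data):
                hits["includes_image"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_plugin() -> str:
    """Constructed fixture mirroring the layout from the talk: a plugin dir with an images/ folder.
    social.png here is a harmless PHP stub standing in for the obfuscated payload."""
    root = tempfile.mkdtemp(prefix="jsecure_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # real PNG signature, benign
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in, does nothing */ echo 'x'; ?>")
    with open(os.path.join(root, "jsecure.php"), "wb") as fh:
        fh.write(b"<?php\n// legitimate-looking plugin code ...\n"
                 b"include('images/social.png');\n")
    return root
```

Run scan_tree() against wp-content/plugins and wp-content/themes; a non-empty result on either list is worth a manual look, and the file(1) check from the slide confirms the first kind in seconds.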
Thank you
@mdisec
https://www.mehmetince.net
