Why My Website Sells Viagra


Upload: dre-armeda

Post on 29-Jan-2015


Category:

Technology



DESCRIPTION

WordPress End-User Security - WordCamp Atlanta - Dre Armeda, CISSP

TRANSCRIPT

Page 1: Why My Website Sells Viagra

DRE ARMEDA, CISSP

@DREMEDA

CO-FOUNDER AT SUCURI SECURITY
ORGANIZER, WORDCAMP SAN DIEGO
12 YEAR NAVY VETERAN
1ST WORDPRESS THEME IN 2005
LOVES TACOS
DIEHARD CHARGERS FAN
RIDES A HARLEY

SUCURI.NET
DRE.IM


THE WEB IS GROWING


Over 2 Billion internet users today. 480% growth in the last 11 years. (Internet World Stats)

300 million websites were added to the internet in 2011 (Pingdom)

100,000+ domains gained weekly (Global Domain Registry)


INNOVATION & CREATIVITY


IT'S NOT ALL PEACHY


WHAT IS MALWARE?

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

SEO spam, JavaScript and iframe attacks, and malicious redirects are a few examples of web-based malware.


ATTACKERS LOVE YOU


Monitor your web browsing and internet usage

Forced advertising

Redirect affiliate marketing revenue


HOW BAD IS IT?


Over 2 million new malware strings monthly (McAfee)

Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports)

Google Safe Browsing issues over 3 million malware warnings a day. (Google)


ENCODED JAVASCRIPT

JavaScript that is obfuscated (hidden) so that you can't tell what it is. It is injected into files/pages on the site and used to serve malware.

Impact: Website pages may be used to serve malicious downloads to visitors. Those downloads may be used to infect desktop computers and/or steal FTP credentials.

Typical Entry Point: Outdated, known vulnerable software; exploited desktop computers; exploited FTP credentials.

ENCODED JAVASCRIPT

/wp-admin/js/cat.js – CLEAN (screenshot)

/wp-admin/js/cat.js – INFECTED (screenshot)

/wp-admin/js/cat.js – INFECTION DECODED – Somewhat (screenshot)

ENCODED JAVASCRIPT

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes), or the attack stems from an exploited desktop that steals FTP information.

2. Backdoor file inserted into the environment. This gives the attacker remote access into your world.

3. Payload inserted into various JavaScript files and/or encoded and hidden in theme and plugin files.

4. You've just enabled your visitors to load fake anti-virus and other cool downloads from your site.
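As an added illustration of the clean-versus-infected cat.js comparison on the slides (example code written for this transcript, not from the talk or from Sucuri), the Python below scores a JavaScript file on indicators of an injected, encoded payload, scanning both the raw text and a one-layer decode of its %XX and \xNN escapes. The two sample snippets, the indicator list, the weights and the threshold are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed samples standing in for the clean and infected /wp-admin/js/cat.js on the slides.
CLEAN_JS = """
jQuery(document).ready(function($) {
    $('#cat-add-toggle').on('click', function() { $('#cat-add').toggle(); });
});
"""
# The "infection": a hex-escaped string array plus eval/unescape/document.write wrappers.
INFECTED_JS = CLEAN_JS + """
var _0x1a=["\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65\\x20\\x73\\x72\\x63\\x3d"];
eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28"+_0x1a[0]+"%29"));
document.write(unescape('%3Ciframe%20width%3D1%20height%3D1'));
"""

# Indicator regexes and weights are this example's own heuristics, not a published signature set.
INDICATORS = {
    "eval_call": (re.compile(r"\beval\s*\("), 3),
    "unescape_call": (re.compile(r"\bunescape\s*\("), 2),
    "fromCharCode": (re.compile(r"String\.fromCharCode"), 2),
    "document_write": (re.compile(r"document\.write\s*\("), 1),
    "hex_escape_run": (re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"), 3),
    "url_escape_run": (re.compile(r"(%[0-9a-fA-F]{2}){8,}"), 3),
    "hidden_iframe": (re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?[01]\b", re.I), 3),
}

def decode_one_layer(js):
    """Undo one layer of %XX and \\xNN escaping so payloads hidden in string literals become
    visible (the 'decoded - somewhat' view on the slides)."""
    js = unquote(js)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)

def scan_js(js, threshold=5):
    """Score the raw text and its one-layer decode; return (score, sorted hit names, suspicious)."""
    hits = {}
    for layer in (js, decode_one_layer(js)):
        for name, (pattern, weight) in INDICATORS.items():
            if pattern.search(layer):
                hits[name] = weight
    score = sum(hits.values())
    return score, sorted(hits), score >= threshold

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_JS), ("infected", INFECTED_JS)):
        print(label, scan_js(sample))
```

Run it over every .js file under wp-admin, wp-includes, themes and plugins and compare the flagged files against a fresh copy of the same version; a legitimate minified library can score on one indicator, but eval plus long escape runs plus a 1x1 iframe is the pattern the slides describe.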

CONDITIONAL REDIRECTS

An attack that causes a website to redirect to a malicious website based on referrer, web browser or operating system.

Impact: When traffic is coming from a specific referrer (i.e. Google, Bing), the site is redirected to a malicious website.

Typical Entry Point: Outdated, known vulnerable software.

CONDITIONAL REDIRECTS

Infected .htaccess file: (screenshot)

Result of conditional redirect: (screenshot)

CONDITIONAL REDIRECTS

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).

2. Backdoor file inserted into the environment. This gives the attacker remote access into your world.

3. .htaccess entries are created to load the redirect. Encoded redirect code can also be added to index files.

4. You're now redirecting to some cool malware awesomeness.
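As an added example for the infected .htaccess step (written for this transcript, not taken from the talk), the Python below walks a .htaccess file and flags every RewriteRule that sends visitors to an external host and is gated on client-supplied variables such as the referrer or user agent. The sample .htaccess, the host malicious.example and the set of variables treated as client-controlled are constructed for the example.

```python
import re

# Constructed .htaccess modelled on the slide: the stock WordPress block followed by
# injected rules that fire only for search-engine referrers and point off-site.
SAMPLE_HTACCESS = """
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://malicious.example/in.php?ref=$1 [R,L]
"""

# Variables the visitor controls; a redirect gated on these is the conditional-redirect pattern.
CLIENT_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR", "HTTP_ACCEPT_LANGUAGE"}

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_conditional_redirects(htaccess, own_hosts=()):
    """Return [(gating_conditions, target_url)] for every RewriteRule whose target is an
    absolute URL on a host not in own_hosts and whose preceding RewriteConds test a
    client-controlled variable."""
    findings, pending = [], []
    for line in htaccess.splitlines():
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        host = re.match(r"https?://([^/?#]+)", target, re.I)
        external = bool(host) and host.group(1).lower() not in own_hosts
        gated = [c for c in pending if c[0] in CLIENT_VARS]
        if external and gated:
            findings.append((gated, target))
        pending = []   # RewriteConds apply only to the RewriteRule that follows them
    return findings

if __name__ == "__main__":
    for conds, target in find_conditional_redirects(SAMPLE_HTACCESS, own_hosts={"example.com"}):
        print("redirect to", target, "gated on", conds)
```

Because the redirect only fires for matching referrers, the site owner browsing directly never sees it; checking the .htaccess text (and any .htaccess in subdirectories) is the reliable way to find it.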

PHARMA HACK

Pharma Hack is a type of SEO poisoning. Attackers manipulate search engine results so that their links appear higher than legitimate results.

Impact: Website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites on search engine result pages.

Typical Entry Point: Outdated, known vulnerable software.

PHARMA HACK

Results of scanning rendered source: (screenshot)

Google search engine results: (screenshot)

PHARMA HACK

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).

2. Backdoor file inserted into the environment. This gives the attacker remote access into your world.

3. Control file is inserted into core application or plugin files. This file acts as a connection from the backdoor to the database.

4. Payload is dropped into the database and Viva Viagra!

QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra
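As an added example for the "scanning rendered source" step (written for this transcript, not from the talk or from Sucuri's scanner), the Python below parses a page's rendered HTML and reports pharma terms found in the title, the meta description and the text of links pointing off the site. The term list, the sample page and the hosts mytacoblog.example and pharmacy.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PHARMA_TERMS = re.compile(r"\b(viagra|cialis|levitra|pharmacy|pills)\b", re.I)  # constructed, short

# Constructed rendered source: the title, meta description and a hidden div carry the payload.
INFECTED_HTML = """<html><head>
<title>Buy Viagra Online - Cheap Pills | My Taco Blog</title>
<meta name="description" content="Order viagra without prescription, best pharmacy prices">
</head><body>
<h1>WordCamp Atlanta recap</h1>
<p>Great weekend. <a href="https://wordcamp.org/">WordCamp</a></p>
<div style="display:none"><a href="http://pharmacy.example/buy">cheap cialis pills</a></div>
</body></html>"""

class PharmaScanner(HTMLParser):
    # Collects pharma terms seen in <title>, the meta description, and off-site link text.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._tag = None
        self._href = ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._tag = tag
        if tag == "meta" and (a.get("name") or "").lower() == "description":
            if PHARMA_TERMS.search(a.get("content") or ""):
                self.findings.append(("meta-description", a["content"]))
        elif tag == "a":
            self._href = a.get("href") or ""
    def handle_data(self, data):
        text = data.strip()
        if not text or not PHARMA_TERMS.search(text):
            return
        if self._tag == "title":
            self.findings.append(("title", text))
        elif self._tag == "a":
            host = urlparse(self._href).netloc.lower()
            if host and host != self.site_host:   # pharma anchor text pointing off the site
                self.findings.append(("offsite-link", self._href))
    def handle_endtag(self, tag):
        self._tag = None

def scan_rendered_source(html, site_host):
    # Returns [(where, value)] for one rendered page; an empty list means nothing matched.
    scanner = PharmaScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Pharma payloads are frequently served only to search-engine crawlers, so the source you see in a normal browser can be clean while Google's copy is not; that is why the slide's site:{yourdomain.com} viagra check complements a source scan.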

PHARMA HACK

Pharma Hack Resources:

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html

http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

http://wpdude.com/refreshing-google-index-after-pharma-hack


WHAT IS SECURITY?

PROTECTING THINGS OF VALUE FROM HARM’S WAY.

HOW & WHY

AM I SECURE?

The percentage of risk can never be 0!

The name of the game is minimizing risk.


LOCAL MACHINE

Ensure your local machine stays updated

Use an Anti-Virus solution & enable auto-updates

Mac – Sophos Anti-Virus for Mac Home Edition

Windows – AVG Anti-Virus Free

Don’t store server credentials on your local machine


CONNECT TO YOUR SITE

Consider using sFTP or SSH instead of FTP.

If you’re stuck with FTP:

Deny anonymous login

Limit connections

Practice least privilege

Don’t store server credentials on your local machine


PASSWORDS

Change them often

Don't write them down, or share them

Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.

Don’t use the same password across all your accounts

Use a password manager

KeePass Password Safe

LastPass

1Password


WHO HOSTS YOU?

CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!

DO YOUR RESEARCH!

What software are they running? How often do they update?

How are server and support credentials stored, and who has access? Are they one and the same?

What is their malware remediation process?

How many of their sites have been infected?

http://www.google.com/safebrowsing/diagnostic?site=google.com


GARAGE CLEANING

IF YOU’RE NOT USING IT, REMOVE IT!

UPDATE UPDATE UPDATE UPDATE UPDATE

Only load what's needed to get your job done.

Check your file and directory permissions.

Remove user accounts! – Practice least privilege.

Have you changed your password lately?

UPDATE UPDATE UPDATE UPDATE UPDATE


BACKUP YOUR WEBSITE

NO BACKUPS = BOOOOO!

BackupBuddy - http://pluginbuddy.com/backupbuddy/

VaultPress – http://vaultpress.com


MALWARE SCAN

IS YOUR SITE INFECTED?

Unmask Parasites – http://unmaskparasites.com

Sucuri SiteCheck – http://sitecheck.sucuri.net


MALWARE CLEAN UP

IS YOUR SITE INFECTED?

VaultPress – http://vaultpress.com

Sucuri Security – http://sucuri.net


WORDPRESS PLUGINS

WordPress Exploit Scanner

BulletProof Security

Login Lockdown

Sucuri SiteCheck Malware Scanner
