Columbus WordCamp 2015


  1. CLEAN UP! WHAT TO DO AFTER A WORDPRESS HACK. Jason Packer @jhpacker
  2. YOU'VE BEEN HACKED, NOW WHAT? Stay calm - Codex FAQ
  3. HOW TO CLEAN UP YOUR SITE. 1. Hire someone. 2. Nuke it & re-install. Get help from your host? 3. DIY forensic cleanup.
  4. HOW TO HACK A WORDPRESS SITE! flickr: brianklug CC BY-NC 2.0
  5. 1. Find Target: automated scans across many sites. 2. Assess Vulnerabilities: find what the site runs and how to compromise it. 3. Run Exploit Script: get access via the vulnerability, drop a backdoor. 4. Do Stuff: they want to preserve access and hide their tracks.
  6. AUTOMATED TARGET ACQUISITION. Build a target list via Google (inurl:wp-content/themes/VulnerableTheme), via code search tools (like Nerdy Data), via software usage trackers (like BuiltWith).
  7. ASSESS & COMPROMISE. Does my exploit script work? Scripts can be automated, clever, sloppy, broken, nonsensical. WPScan output
  8. COMPREHENSIVE CLEAN-UP. It can be a lot of work to be comprehensive, but miss either the hole used to get in or what they left behind and they'll be back.
  9. #1 - SHUT DOWN ACCESS. .htaccess block for everyone but your IP. define('DISABLE_WP_CRON', true); Were ftp/ssh/mysql users compromised? Check your backups, make a fresh backup.
  10. #2 - FIND THE COMPROMISED FILES. Look for new files (find command, version control). Verify installed files (core, plugins & themes). Scan every file with a scanner like Wordfence.
  11. WORDFENCE SCAN. $ find . -mtime -7 -name '*.php*' | xargs grep -iP "(exec|system|eval|gzinflate|md5|rot13|base64_decode)\s*\(" Sure beats manual grepping
  12. #3 - WHEN & HOW. We've found the files; when & how did they get dropped? Three types: injection scripts, backdoors, do-stuff scripts. What do the files do? Whatever it is, it's nothing good. Vulnerability by Type stats. Was it plugins again? Yup, probably.
  13. WHAT'S IN A BACKDOOR? FilesMan, a PHP cPanel for Hacking
  14. ACCESS LOGS! grep for the malicious file's timestamp: $ grep 28/May/2015:15:31 access_log -> [28/May/2015:15:31:04 +0000] POST /wp-content/uploads/1_upload.php Then grep for that IP and find their whole session.
  15. What does that code do?? eval(gzinflate(base64_decode( ... WTF. Run it in a safe place: a virtual environment. OBFUSCATION IS A DIRTY WORD
  16. FOUND 'EM! (OR NOT). Track the IP back to the initial break-in? Otherwise search for the most likely candidate. Could be something outside of WP altogether: phpMyAdmin, phpBB, Magento, system level.
  17. #4 - REMOVE COMPROMISED FILES. Delete the files, move them off of your server. If something is missed, reinfection is possible.
  18. #5 - RESTORE CLEAN FILES. Don't just restore from backup, re-install! If it was touched (theme, plugins, core) it should be re-installed. Sucuri Scanner can do bulk re-install.
  19. #6 - SCAN & CLEAN DATABASE. Content-oriented hacks might hit files AND database, or even just the database. Clean up your content (Wordfence + manual again).
  20. #7 - RESET KEYS & PASSWORDS. Salts/keys (in wp-config.php). Users: do it for them (Sucuri Scanner). Other exposures?
  21. #8 - HARDEN YOUR SITE. Update, update, update. Security plugin (iThemes Security). Brute force login protection. Strong passwords. No admin user. No PHP under the uploads dir. File permissions.
  22. FILE PERMISSIONS + PHP EXECUTION. If wp-content/uploads is the only place writable by the webserver user and it doesn't allow PHP to be run, then there's no place for malicious code to run.
  23. #9 - RE-LAUNCH. Remove your .htaccess block. Notify host and/or Google. Queue up pat-on-the-back.
  24. #10 - MONITOR. Keep a close eye on any site changes. Especially file changes! Also user logins, access/error logs.
  25. THANKS, WE'RE DONE! Best scanning tools: Wordfence. Best post-hack tools: Sucuri Scanner. Best hardening tools: iThemes Security.
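As an added example that is not part of the talk, the following Python puts slides 11 and 14 together: it scans file contents for the same suspicious-call pattern as the slide's grep, then pulls every access-log request made by any IP that hit one of the flagged files (the "find their whole session" step). The file contents, log lines and the 203.0.113.7 / 198.51.100.4 addresses are constructed here; the log format assumed is Apache/nginx combined.

```python
import re
from collections import defaultdict

# Calls backdoors and droppers use constantly but normal plugin/theme code rarely
# makes inline (the talk's grep list; md5 is noisy in real code but kept to match it).
SUSPICIOUS_CALL = re.compile(
    r"(exec|system|eval|gzinflate|md5|rot13|base64_decode)\s*\(", re.I)

# Apache/nginx combined log format; only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_suspicious(files):
    """files maps relative path -> contents; returns PHP paths containing a suspicious call."""
    return sorted(p for p, body in files.items()
                  if p.endswith(".php") and SUSPICIOUS_CALL.search(body))

def parse_log(lines):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LOG_LINE.match, lines) if m]

def attacker_sessions(entries, suspicious_paths):
    """IPs that requested a flagged file, mapped to every request they made."""
    web_paths = {"/" + p for p in suspicious_paths}
    hits = {e["ip"] for e in entries if e["path"].split("?")[0] in web_paths}
    sessions = defaultdict(list)
    for e in entries:
        if e["ip"] in hits:
            sessions[e["ip"]].append(f'{e["ts"]} {e["method"]} {e["path"]} {e["status"]}')
    return dict(sessions)

# Constructed sample data (not from the talk): one dropped backdoor, one benign
# plugin file, and four log lines using RFC 5737 documentation addresses.
SAMPLE_FILES = {
    "wp-content/uploads/1_upload.php":
        "<?php eval(gzinflate(base64_decode('H4sIAAAAAAAA...'))); ?>",
    "wp-content/plugins/hello.php":
        "<?php function hello_dolly() { echo 'Hello, Dolly'; } ?>",
}
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2015:15:30:58 +0000] "GET /wp-content/themes/VulnerableTheme/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/May/2015:15:31:00 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2015:15:31:04 +0000] "POST /wp-content/uploads/1_upload.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/May/2015:15:31:09 +0000] "POST /wp-content/uploads/1_upload.php?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in attacker_sessions(parse_log(SAMPLE_LOG), find_suspicious(SAMPLE_FILES)).items():
        print(ip, *reqs, sep="\n  ")
```

The earliest request in the flagged IP's session is where to start looking for the actual entry point, which on this constructed data is a theme fingerprinting request rather than the backdoor itself.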