WordPress Security - Dealing With Today's Hacks

WordPress Security
Dealing with Today‟s Hacks

SUCURI@WORDCAMP# WHOIS
PEREZBOX

ID: Tony Perez
WHO: The Hulk
Username: Perezbox
Process: Sucuri
Services: InfoSec,
Harley‟s, MMA, Guns
GeoIP: Menifee,
California

@sucuri_security @perezbox #wclv 10/13/2012

Why listen to me? You don‟t have to,
but…
I am not a designer or developer, my passion is Information
Security, specifically Web Security
Not an expert, passionate enthusiast
I don‟t like people, I like packets, signatures and terminal.
Seriously though, our company:
Remediate 200 – 300 infected websites a day,
24/7/365
Perform 2 million + malware website scans a month
Support all CMS platforms and customapplications (e.g.,
WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET,
etc… )


Thoughts To Kick Things
Off
Information Security is about risk reduction.
If you‟re looking for the “silver bullet” this is the wrong
talk for you.
To think that you will never be infected or that you are
immune to hacks is like saying you will never be sick.
If someone tells you the opposite you should slap them
and have them pay you for wasting your time.

Prevention is ideal, detection is key… bats were
created for ________ people…


Know Your Enemy
They have more time and
resources

They are intelligent

Majority of attacks are
automated

Goal is to impact as many
people as possible

Mindset – Own one, own them
all…

It‟s not personal, it‟s
business… @sucuri_security @perezbox #wclv 10/13/2012

Ok, so what‟s the problem?
TODAY‟s ISSUES:
The Ecosystem /
Environment
Access Control
Software Vulnerabilities
Administration
Credential Management
Extensibility


Today‟s Focus
Ecosystem / Environment

Access Control

Dealing with Hacks


The EcoSystem / Environment
Apache
Malicious module injects iFrames
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-
module-injects-iframes/

phpMyAdmin
Mirror Hacked
http://sourceforge.net/blog/phpmyadmin-back-door/

PHP-CGI
Remote Code Execution
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-
wild.html

Plesk
Vulnerable to SQLi attacks
http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-
malware.html

Uh, what about
WordPress?


Logical Architecture

Linux Operating System
Apache MySQL PHP

WordPress CPANEL Plesk phpMyAdmin PHP-CGI Modules Modules


The EcoSystem / Environment
What can you do?
Not much… completely outside of your control if you‟re
using a shared or managed host

But, you can reduce risk...
Use a Dedicated / VPS Environment
But recognize the responsibility that this entails, if you
what I mentioned previously doesn‟t make sense, skip
to next step
Go with a Managed Host
Doesn‟t mean you‟ll be safer, but it does mean you‟ll
have resources to lean on

Access is Key
On the Server:
Kill accounts that are not in use
FTP is the devil – slap yourself and switch to SFTP
Filter Shell / SFTP by IP & Keys, Keys at a minimum
Disable Authentication via Passwords on server

WordPress Admin:
Multi-Factor Authentication on wp-admin
Apache “Basic Access Authentication”
Two-Factor Authentication on wp-login.php
Duo Two-Factor Authentication Plugin

Employ least privileged:
Users with the “administrator” are not needed for every day
tasks
Learn to use Editor, Author, Contributor, Subscriber

Gah!?!?!?!?!?!?!


WordPress Loving
Infections
Defacements

Backdoors

Pharma Hack

Injections
iFrame Specifically

Malicious Redirects

Phishing


Before We Dive In
LINUX / UNIX:
CURL
FIND
GREP
DIFF


Command Usage – Hunting TimThumb

# grep -Eir --include "*thumb.php" 'define.*VERSION' .

- Then –
# curl -D - -A "Windows"
http://timthumb.googlecode.com/svn/trunk/timthumb.php>/path-to-
file/timthumb.php


Command Usage – Identify Change

Detect Recent Changes

find -type f -ctime -0 | more - OR - find ./ -mtime -1

-ctime = -0 (past 24 hours) | -1 (last 24 hours)

-mtime = -1 (1 day) | -2 (2 days)

Detect Differences

diff –qr /path/dir1 /path/dir2


Defacements
Hacktivism at its finest… you now support a cause!?!?!


Defacements
Hacktivism 101
Annoying as S*&T

Places to look:
Index.html
Index.php
Root Directory
Wp-Content
Theme Directory

GREP is your friend:
grep –ri „sniper399‟ .


Backdoors
It‟s ok to cry a little… 


Backdoors
Common terms:
Is_bot
Eval
Base64_decode
Fopen
Fclose
readfile
Edoced_46esad
Exec
System
Shell_exec
Gzuncompress
popen
FilesMan

grep -RPl --include=*.{php} "(system|exec|passthru|shell_exec|base64_decode|eval|) *(" /var/www

Pharma Hack
Erectile Dysfunction pills are leading ads.. Who knew.. 


Pharma Hack
Multi-million $ Business
Rarely Distribute Malware
Impression based Affiliate Marketing
Google‟s Search Engine Result
Pages (SERP)
Odds of malware distribution are
actually low
Tricks:
Embedded within core files
Look for “.tmp” directories = >


Pharma Hack, cntd..
Try using CURL to emulate Google and
Windows:
Curl –L –A
“Googlebot/2.1(+http://www.google.com/bot.html)”
http://someinfectedwebsite.com
Google Webmaster Tools
Fetch as Google Bot

Check your Theme Index.php file for things like
this:
<?php
$wp__theme_icon=@create_function(”,@file_get
_contents(‘/public_html/wp-content/themes/my-
really-good-

Pharma Hack, cntd..


Injections
It only hurts for a minute…


Injections
Invisible iFrame‟s - Executing on your browser
Contributing to Drive-by-Downloads, Pharma, XSS,
CSRF
Places to check – Pages that generate content:
JS files, Header.php, Index.php, Function.php,
Footer.php


Injections, cntd…
PHP iFrame Injection
=>
Count##.php
Check all Index.php /
Theme JS files
Example below:


Injections, cntd…
Pharma Link Injections
=>

Drive-By-Downloads


Malicious Redirects
WTF?!?! Why don‟t I understand what it says?


Malicious Redirects
Redirects your user to a domain distributing malware,
fundamentally different than an ifram injection that
executes in your browser
8 out of 10 times, check your .htaccess file – all of them
# find /var/www –name .htaccess –type f | wc –l

Check for backdoors also – often a sign of a bigger issue


Phishing
Biggest growing problem, exceptionally difficult to detect…


Phishing
Growing at a faster pace than traditional web-
malware

No impact to readers, but tied to SPAM bots
sending out emails like this:


Phishing, cntd…


Demonstration
Bringing the Point Home


Demo Objective
Use good tools for bad things – wpscan
Enumerate the users
Brute Force the User accounts password
Insert an arbitrary Backdoor Shell for Remote
Execution
Deface the Website
Insert another Shell Backdoor that provides an
interface

I have 5 minutes – Ready?

Keeping it Real
Remember the risk discussion?


Guard Access
Revisit Slide 12 – access, access, access
It always comes down to access

We have to change the way we treat and think about access.
All access – Server / Application

We are going through the same mistakes servers and
desktops were making in the 90‟s with access.

Know where you are surfing the web, do you really need to
log in as an admin at the coffee shop?


Password Dilemma
15 character pass
3 months to crack

Long / Complex / Unique
Key to Passwords

Prefer Password Manager
You don‟t? ok..
Passphrases work too
iLuvWCLVegas:2012:HrtAttckGrll

Come up with a process that works, stick to it:
One scheme:
Remember 8 characters
Write Down 8 characters
Save 20 characters
Second scheme:
Remember 20 characters
Prefix characters with site name
End sequence with some date


Kill PHP Execution
Kill PHP Execution
Directories:
WP-INCLUDES
WP-CONTENT
UPLOADS – At a minimum

<Files *.php>
Deny from all
</Files>


Disable Theme / Plugin Editor
I‟d take it a step further and remove the ability to
install, but that‟s just me.
Modify WP-CONFIG.PHP With:
Disable the Plugin / Theme Editor
Define(„DISALLOW_FILE_EDIT‟,true);

- OR -

Disable the Plugin / Theme Update and Installation
Define(„DISALLOW_FILE_MODS‟,true);


Update
Oldest version found in production – 1.5
Leading cause of cross-site contamination issues
Perhaps the simplest of tasks, yet we still find this:


Plugins That Help
Clients Non-Clients

Sucuri Security Duo Two-Factor
Premium Authentication

Duo Two-Factor Limit Login Attempts
Authentication
Theme-Check
Theme-Check
BackupBuddy
BackupBuddy
Akismet
Akismet


Need a Hand?
Support Forums Online Resources

Hacked – Sucuri Blog: http://blog.sucuri.net
http://wordpress.org/tags/ha
cked SiteCheck Scanner:
http://sitecheck.sucuri.net

Unmask Parasites:
http://unmaskparasites.com
Malware –
http://wordpress.org/tags/ma Perishable Press:
lware http://perishablepress.com/category/
web-design/security/

Secunia Security Advisories:
http://secunia.com/community/advis
BadwareBusters – ories/search/?search=wordpress
https://badwarebusters.org


Sucuri
Tony Perez
http://sucuri.net |
http://blog.sucuri.net

Twitter:

@sucuri_security

@perezbox and @tonyonsecurity


WordPress Security - Dealing With Today's Hacks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to WordPress Security - Dealing With Today's Hacks

Similar to WordPress Security - Dealing With Today's Hacks (20)

More from Tony Perez

More from Tony Perez (19)

WordPress Security - Dealing With Today's Hacks