Michigan DGS 2015 Presentation - You'Ve Been Hacked Now What - Michael Ashton
Hacked - What do you do now?
Transcript of Hacked - What do you do now?
Hacked
What do you do now?
• Sucuri
– @sucuri_security
– @sucurisupport
– @sucurilabs
– http://blog.sucuri.net
– http://labs.sucuri.net
• Tony Perez – @perezbox
@perezbox | @sucuri_security
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc..)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Implications of a Hack
• Emotionally Daunting
• Brand Reputation (i.e., Blacklisting)
• Direct / Indirect Impacts to your Clients
• Technically Exhausting
• Resource Overload
• Economic Impacts To Your Business
Most Common Hacks
• Malicious Redirects (i.e., abuse your traffic)
• Backdoors (i.e., Bypass Access Controls)
• Phishing (i.e., Spear Phishing Campaigns)
• Search Engine Poisoning (i.e., Pharma, etc…)
TIPS & TRICKS
Clearing Up the Mess
Tools of the Trade
• Terminal
• FileZilla
• Coda (Some IDE)
• Scanners
Filezilla
Terminal
• Example 1: Dump the content of a site
$ curl --location -D - site.com
• Example 2: Dump the content of a site, faking Googlebot user agent
$ curl --location -D - -A "Googlebot" site.com
• Example 3: Dump the content of a site, using Facebook's referrer
$ curl --location -D - --referer "http://facebook.com" site.com
Command Cheat Sheet: http://files.fosswire.com/2007/08/fwunixref.pdf
Curl Example
Terminal, cntd…
• Grep
$ grep --include "*.php" -r example.com ./
• Diff
$ diff -qr /path/dir1 /path/dir2
• Find
$ find ./ -name "*.php"
$ find / -type f -mtime -7 (modified in the last 7 days)
$ find / -mmin -10 (modified in the last 10 minutes)
• SED
– Removing <iframe src=http://example.com></iframe>
# sed -i".backup" 's#<iframe src=http://example.com></iframe>##' index.php
• Combining Commands
– Remove an iframe from all PHP files
$ find ./ -name "*.php" -print0 | xargs -0 sed -i".backup" 's#<iframe src=http://example.com></iframe>##'
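Worked example (added here; this is not code from the original deck or from Sucuri): the find/xargs/sed one-liner above, turned into a script that first lists the infected PHP files as a dry run, then strips the iframe while keeping a .backup of every file it touches, then counts what is left. The injected tag is matched by the domain it points at rather than by the exact literal, so variants with quotes, width/height or a path survive. The domain evil.example and the file layout used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Remove an injected <iframe> that points at a given domain from every PHP
# file under a web root, keeping a .backup copy of each file that is changed.
# Requires grep with -r/--include (GNU or BSD) and sed -i with a suffix.
# Usage: clean_iframe /var/www/site evil.example

# Escape a literal string so it is safe inside a sed basic regular expression
# that uses '#' as its delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's|[][\.*^$#/]|\\&|g'
}

# Dry run: list the PHP files under $1 that mention the domain $2 at all.
list_infected() {
    grep -rlF --include='*.php' -- "$2" "$1"
}

# Strip <iframe ...domain...></iframe> (any attributes, quoted or not) from
# each infected file, back the original up as FILE.backup, and print the
# path of every file that was rewritten.
clean_iframe() {
    dir=$1
    dom=$(sed_escape "$2")
    list_infected "$dir" "$2" | while IFS= read -r f; do
        sed -i.backup "s#<iframe[^>]*${dom}[^>]*>[[:space:]]*</iframe>##g" "$f"
        printf '%s\n' "$f"
    done
}

# After cleaning: how many PHP files still reference the domain. Expect 0.
# A non-zero count means the injection uses a form the regex did not cover
# (a script tag, an obfuscated string), so read those files by hand instead
# of widening the pattern blindly.
count_remaining() {
    list_infected "$1" "$2" | wc -l | tr -d ' '
}
```

Run list_infected first and read a couple of the hits: if the domain also appears in a legitimate context (a comment, a post), the sed pattern will leave that alone, but you want to know before you rewrite hundreds of files. Keep the .backup copies until the site has been re-scanned.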
Online Scanners
Unmask Parasites – http://unmaskparasites.com
SiteCheck – http://sitecheck.sucuri.net
INFECTIONS
What do they look like?
Malicious Redirect
Malicious Redirects
• Easy / Medium to Detect
– Be mindful of conditionals
• Looking for Integrity Issues
– Has something been modified?
• Common location[s]:
– .htaccess
– index.php
– footer.php
– header.php
• Biggest Issue
– Redirectors are becoming highly complex
– Employing heavy conditional elements (user agent, referrer, cookie, IP)
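Worked example (added here; not from the original deck or from Sucuri) for the curl examples in the Terminal section and the conditional redirects just described: fetch the same URL as a normal browser, as Googlebot and Bingbot, and as a visitor arriving from Google or Facebook, then compare where each one ends up and what body it receives. A redirect that only fires for crawlers or search-referred visitors shows up as more than one distinct outcome. The visitor profiles, the hostnames site.example and pharma.example, and the function names are constructed for this example.

```shell
#!/bin/sh
# Fetch one URL as several kinds of visitor and compare what each one gets.
# A conditional redirect only fires for some visitors (search-engine crawlers,
# or people arriving from a search result), so a single curl from your own
# machine usually shows a clean page. Requires curl and sha256sum
# (GNU coreutils; on macOS substitute "shasum -a 256").

# fetch_variant URL USER_AGENT REFERER OUTFILE
# Follows redirects, writes the final body to OUTFILE and prints
# "<final-url> <http-status>" on stdout. An empty REFERER sends no header.
fetch_variant() {
    if [ -n "$3" ]; then
        curl -sS -L -A "$2" -e "$3" -o "$4" -w '%{url_effective} %{http_code}' "$1"
    else
        curl -sS -L -A "$2"         -o "$4" -w '%{url_effective} %{http_code}' "$1"
    fi
}

# Short fingerprint of a response body, enough to tell two pages apart.
body_hash() {
    sha256sum "$1" | cut -c1-16
}

# probe_site URL
# Prints one line per visitor profile: "<label> <final-url> <status> <hash>".
# The profile list is constructed for this example; add the crawler UAs and
# referrers you care about.
probe_site() {
    url=$1
    tmp=$(mktemp -d)
    while IFS='|' read -r label ua ref; do
        out="$tmp/$label.html"
        result=$(fetch_variant "$url" "$ua" "$ref" "$out")
        printf '%s %s %s\n' "$label" "$result" "$(body_hash "$out")"
    done <<'EOF'
browser|Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0|
googlebot|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)|
bingbot|Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)|
from-google|Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0|https://www.google.com/
from-facebook|Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0|http://facebook.com
EOF
    rm -rf "$tmp"
}

# count_outcomes URL
# Number of distinct (final-url, body-hash) pairs across the profiles.
# 1 means every visitor saw the same thing; more than 1 means the site serves
# different content or redirects depending on who is asking.
count_outcomes() {
    probe_site "$1" | awk '{ print $2, $4 }' | sort -u | wc -l | tr -d ' '
}
```

Two caveats a practitioner should keep in mind: redirectors also key on cookies and source IP, so a clean result from this script is not proof of a clean site, and the probes leave entries in the access log that look like crawler traffic, so run them from an address you recognise when you read the log later.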
Phishing
Phishing, cntd…
• Difficult to Detect Remotely
• Looking for Integrity Issues
– Is something somewhere it doesn’t belong?
• Common location[s]:
– wp-includes
– Theme Directories
• Biggest Issue
– It can be anywhere
– Fully contained
Backdoors
Backdoors, cntd…
• Can’t detect remotely, only locally
• Looking for Integrity Issues
– Is something somewhere it doesn’t belong?
• Common location[s]:
– wp-includes
– Root Directory
• Biggest Issue
– Allows attacker to bypass your access controls
– Provides full control of the environment
• Common terms:
– is_bot
– eval
– base64_decode
– fopen
– fclose
– readfile
– edoced_46esab (base64_decode reversed, used with strrev)
– exec
– system
– shell_exec
– gzuncompress
– popen
– FilesMan
grep -RPl --include='*.php' "\b(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
– Quote the include glob so the shell does not expand it, and keep the alternation free of an empty branch (a trailing | would match every line containing a parenthesis)
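Worked example (added here; not from the original deck or from Sucuri) that takes the grep above one step further: instead of a yes/no list of files, score every PHP file by how many lines call the functions in the list or carry the marker strings, and rank them so the most suspicious files are read first. The scoring weights, the extra obfuscation helpers (gzinflate, str_rot13, assert, create_function) and the sample files in the comments are assumptions for this example; fopen/fclose from the deck's list are left out because they appear in nearly all clean code.

```shell
#!/bin/sh
# Triage PHP files by the number of lines that call functions backdoors rely
# on, or that carry strings seen in common web shells. Legitimate code uses
# some of these too (a CMS core calls base64_decode), so treat the output as
# a ranked reading list and compare hits against a clean copy of the same
# CMS/plugin version. Requires grep -E and find.

# Function names from the deck's list plus a few obfuscation helpers.
# "(^|[^[:alnum:]_])" is a portable word boundary, so my_eval( does not
# count and shell_exec( is counted once.
CALLS='eval|assert|create_function|base64_decode|gzuncompress|gzinflate|str_rot13|exec|shell_exec|system|passthru|popen|proc_open|readfile'

# Bare strings: the reversed spelling of base64_decode used with strrev(),
# the FilesMan marker from the WSO shell family, and the is_bot check that
# redirect droppers use to hide from crawlers.
MARKERS='edoced_46esab|FilesMan|is_bot'

# score_file FILE -> number of lines matching either pattern
# (grep -c prints 0 and exits 1 when nothing matches, hence the "|| true").
score_file() {
    calls=$(grep -cE "(^|[^[:alnum:]_])($CALLS)[[:space:]]*\(" "$1" || true)
    marks=$(grep -ciE "$MARKERS" "$1" || true)
    echo $(( ${calls:-0} + ${marks:-0} ))
}

# scan_dir DIR -> "<score> <path>" for every PHP file with a score above 0,
# highest score first. Dot-files such as .cache.php are included on purpose:
# uploads directories are a favourite hiding place.
scan_dir() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        s=$(score_file "$f")
        if [ "$s" -gt 0 ]; then
            printf '%s %s\n' "$s" "$f"
        fi
    done | sort -rn
}

# top_hit DIR -> path of the single highest-scoring file
top_hit() {
    scan_dir "$1" | head -n 1 | cut -d' ' -f2-
}
```

The ranking is a starting point, not a verdict. A short file in wp-content/uploads that scores 3 deserves attention before a 4,000-line core file that scores 3, so read the path and the file size together with the score, and diff anything from core or a known plugin against the vendor's copy.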
Example of Complexity
Search Engine Poisoning
Search Engine Poisoning, cntd…
• Targets Search Engines (i.e., Google, Bing, Yahoo)
• Looking for Integrity Issues
– Have your posts / pages been modified?
• Common location[s]:
– index.php (root, theme, plugins, etc..)
– header.php
– footer.php
– Embedded in Database (Posts / Pages)
• Biggest Issue
– Continues to evolve
– Highly conditional
– Not within visible range – often offscreen
Indicators of a Hack
Search engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
Forensics
• What happened?
• When did it happen?
• Will it happen again?
POST-HACK
Let’s Talk Posture
Improve your Posture
(Diagram: Posture vs. Risk)
You were just hacked, Posture is imperative right now!!
Good Posture
• Protection
• Auditing
• Detection
• Sustainment
Protection
Website Firewalls - Stop attackers and protect your website from getting hacked:
• Denial of Service Attacks
• Brute Force Attacks
• Software Vulnerability Exploitation
• Malware Injections
• Direct Backdoor Access
• Abusing Access Controls (i.e., wp-admin)
Auditing
• Understand what is going on at all times
– Who is logging in?
– Who is trying to log in?
– What files are changing?
– Has a post been created?
– Has a page been created?
– Are there any integrity issues?
Detection
• Continuous Monitoring
– Remote and Server Scans
– Heuristic Analysis
– Signature Analysis
– Change Detection
– DNS Reporting
– WHOIS Monitoring
– SSL Cert Monitoring
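Worked example (added here; not from the original deck or from Sucuri) for the change detection item above and the "Looking for Integrity Issues" question that every infection slide asks: hash every file in the web root once while the site is known-clean, then diff the live tree against that baseline to list files that were added, modified or removed. This is the local equivalent of the diff -qr against a clean copy shown in the Terminal section, without needing the clean copy on disk. The directory layout and file names used in the comments are assumptions for this example.

```shell
#!/bin/sh
# File-integrity baseline for a web root: hash every file once when the site
# is known-clean, then diff the live tree against that baseline to list files
# that were added, modified or removed. Requires find, sha256sum (GNU
# coreutils; on macOS use "shasum -a 256", same output format), awk and sort.

TAB=$(printf '\t')

# make_baseline DIR OUTFILE
# Writes "<sha256><TAB><relative path>" per file, sorted by path. Paths are
# relative to DIR so the baseline can be compared across hosts or restores.
# Store OUTFILE outside the web root, or the attacker can edit it too.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) \
      | awk '{ h = $1; sub(/^[0-9a-f]+  /, ""); print h "\t" $0 }' \
      | sort -t "$TAB" -k2 > "$2"
}

# check_integrity DIR BASELINE
# Prints "ADDED<TAB>path", "MODIFIED<TAB>path" or "REMOVED<TAB>path" for each
# difference between the current tree and the baseline; prints nothing when
# the tree is unchanged. Compared by path so renamed files show as one
# REMOVED plus one ADDED.
check_integrity() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))        print "ADDED\t" $2
            else if (old[$2] != $1)  print "MODIFIED\t" $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED\t" p }
    ' "$2" "$cur" | sort
    rm -f "$cur"
}
```

Run make_baseline right after a clean install or a verified clean-up, re-run check_integrity from cron, and rebuild the baseline only after you have reviewed the differences (a core update will legitimately touch hundreds of files; a single new .php in wp-content/uploads will not).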
Sustainment
• Updates
• Backups
• Dev / Design Team
• Security Team
Reset Secret Keys / Salts
People don’t think about this, but it’s a necessity to clear any open states – WordPress signs its login cookies with these keys, so changing them forces everyone off their session.
Source: https://api.wordpress.org/secret-key/1.1/salt/
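Worked example (added here; not from the original deck or from Sucuri): rotate the eight WordPress keys and salts in wp-config.php from the shell. The deck points at the api.wordpress.org generator; this version draws the values from /dev/urandom instead so it works on a box with no outbound access, and it keeps a backup of the config. The character set is chosen so the values need no escaping inside the PHP single-quoted string or the sed replacement. The wp-config.php layout in the comments is the stock one; the function names are assumptions for this example.

```shell
#!/bin/sh
# Regenerate the eight WordPress secret keys/salts in wp-config.php. Every
# existing auth cookie is signed with these, so rotating them logs every
# user (and every stolen cookie) out. Requires tr, head, sed -i and
# /dev/urandom.

KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 random characters from a set that is safe inside a PHP single-quoted
# string and inside a sed replacement (no quote, backslash, $, & or #).
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!%^*()_=+,.:;?~-' < /dev/urandom | head -c 64
}

# rotate_salts WP_CONFIG
# Backs the file up as WP_CONFIG.backup, then rewrites each
#   define('KEY', '...');   or   define( 'KEY', '...' );
# line with a fresh value. Lines for other constants are untouched.
rotate_salts() {
    cfg=$1
    cp "$cfg" "$cfg.backup"
    for k in $KEYS; do
        s=$(random_salt)
        sed -i.tmp "s#^define( *'$k', *'[^']*' *);#define('$k', '$s');#" "$cfg"
        rm -f "$cfg.tmp"
    done
}

# salt_value WP_CONFIG KEY -> the current value of one constant
salt_value() {
    sed -n "s#^define( *'$2', *'\([^']*\)' *);.*#\1#p" "$1"
}

# count_default WP_CONFIG -> how many keys still hold the install-time
# placeholder. Anything above 0 means the site never had real salts at all.
count_default() {
    grep -c 'put your unique phrase here' "$1" || true
}
```

After rotating, log in once yourself to confirm the file still parses (a PHP syntax error here takes the whole site down), then force the password resets described on the next slide; new salts invalidate sessions, they do not invalidate a password the attacker already knows.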
Force Password Resets
Many people will reset their password, few will actually reset everyone’s post-hack.
Sucuri Plugin
Clean Your House
• Least Privilege
– Reduce unnecessary privileges – everyone does not have to be an admin
• Remove unused software
– CMS Applications
– Extensions (Themes, Plugins, etc..)
Basic Hardening
Disable PHP Execution
• /wp-includes
• /wp-content
▪ /themes
▪ /plugins
▪ /uploads << minimum
<Files *.php>
Deny from all
</Files>
– "Deny from all" is Apache 2.2 syntax (honoured on 2.4 only through mod_access_compat); on Apache 2.4 use "Require all denied" instead
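Worked example (added here; not from the original deck or from Sucuri): a script that drops the "no PHP served from here" rule into the directories listed above. It emits both the Apache 2.2 and 2.4 directives under IfModule so the same file works on either, matches .phtml and .php5 style names as well as .php, skips directories that do not exist, appends to an existing .htaccess rather than overwriting it, and is safe to re-run. The marker comment and the function names are assumptions for this example.

```shell
#!/bin/sh
# Install a "do not serve PHP from here" .htaccess into the directories the
# deck lists. Apache 2.2 understands Order/Deny, 2.4 wants Require; both are
# wrapped in IfModule so the server picks the right one. FilesMatch is used
# instead of <Files *.php> so .phtml / .php5 style names are covered too.
# Requires a web server that honours .htaccess (AllowOverride set).

MARK='# deny-php-exec'
HTACCESS=$(cat <<'EOF'
# deny-php-exec
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
)

# deny_php_in WP_ROOT [DIR...]
# With no DIR arguments, uses the deck's list (uploads first: that is the
# minimum). Skips missing directories, appends to an existing .htaccess,
# leaves files that already carry the marker alone, and prints each file it
# wrote.
deny_php_in() {
    root=$1; shift
    [ $# -gt 0 ] || set -- wp-content/uploads wp-includes wp-content/themes wp-content/plugins
    for d in "$@"; do
        f="$root/$d/.htaccess"
        if [ ! -d "$root/$d" ]; then
            printf 'skip (no such directory): %s\n' "$root/$d" >&2
            continue
        fi
        if [ -f "$f" ] && grep -qF -- "$MARK" "$f"; then
            continue
        fi
        printf '%s\n' "$HTACCESS" >> "$f"
        printf '%s\n' "$f"
    done
}

# count_protected WP_ROOT -> number of .htaccess files carrying the marker
count_protected() {
    find "$1" -name .htaccess -exec grep -lF -- "$MARK" {} + | wc -l | tr -d ' '
}
```

Apply it to uploads first and test the site, then extend to themes and plugins: a few plugins ship PHP endpoints that browsers request directly, and those break the moment this rule lands in wp-content/plugins. Check with a request for a known PHP file in the protected directory and expect a 403, not a 200.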
Connection Integrity – Public Wi-Fi
• https://www.getcloak.com/ | @getcloak
Good Reading Material
Dealing with Malware http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
Leveraging Google Webmaster Tools http://www.unmaskparasites.com/malware-warning-guide/
Google Webmaster Tools (Hacked) http://www.google.com/webmasters/hacked/
Understanding Google’s Blacklists http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
Clearing Your Website with Free Scanner http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
WordPress Tips & Tricks http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Prepared against a Hack? http://www.smashingmagazine.com/2014/05/30/are-you-prepared-against-a-hack/
PADS (Protection, Auditing, Detection, Sustainment) = Sucuri
• Complete Website Security with Sucuri
• WPSessions Attendees Only
– 30% off any plan for life
– Contact Tony: [email protected]
– Reference: WPSESS2014
– Include: Email used in WPSessions Account
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net