4. Why listen to me? You don't have to, but…
I am not a designer or developer; my passion is Information Security, specifically Web Security
Not an expert, passionate enthusiast
I don't like people, I like packets, signatures and terminal.
Seriously though, our company:
Remediate 200 – 300 infected websites a day, 24/7/365
Perform 2 million + malware website scans a month
Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
@sucuri_security @perezbox #wclv 10/13/2012
5. Thoughts To Kick Things Off
Information Security is about risk reduction.
If you're looking for the "silver bullet" this is the wrong talk for you.
To think that you will never be infected or that you are immune to hacks is like saying you will never be sick.
If someone tells you the opposite you should slap them and have them pay you for wasting your time.
Prevention is ideal, detection is key… bats were created for ________ people…
6. Know Your Enemy
They have more time and resources
They are intelligent
Majority of attacks are automated
Goal is to impact as many people as possible
Mindset – Own one, own them all…
It's not personal, it's business…
7. Ok, so what's the problem?
TODAY'S ISSUES:
The Ecosystem / Environment
Access Control
Software Vulnerabilities
Administration
Credential Management
Extensibility
8. Today's Focus
Ecosystem / Environment
Access Control
Dealing with Hacks
11. Logical Architecture
Linux Operating System
  Apache | MySQL | PHP
  WordPress | cPanel | Plesk | phpMyAdmin | PHP-CGI | Modules
12. The EcoSystem / Environment
What can you do?
Not much… completely outside of your control if you're using a shared or managed host
But, you can reduce risk...
Use a Dedicated / VPS Environment
But recognize the responsibility this entails; if what I mentioned previously doesn't make sense, skip to the next step
Go with a Managed Host
Doesn't mean you'll be safer, but it does mean you'll have resources to lean on
13. Access is Key
On the Server:
Kill accounts that are not in use
FTP is the devil – slap yourself and switch to SFTP
Filter Shell / SFTP by IP & Keys, Keys at a minimum
Disable Authentication via Passwords on server
WordPress Admin:
Multi-Factor Authentication on wp-admin
Apache "Basic Access Authentication"
Two-Factor Authentication on wp-login.php
Duo Two-Factor Authentication Plugin
Employ least privilege:
Users with the "administrator" role are not needed for everyday tasks
Learn to use Editor, Author, Contributor, Subscriber
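The server-side bullets above (keys instead of passwords, shell/SFTP filtered by source address) can be checked rather than assumed. The script below is an added example, not part of the slides or of Sucuri's tooling: it reads an sshd_config, reports which of those settings are not in the hardened state, and treats an AllowUsers entry without a `user@host` source as a finding. It assumes a single config file with no Include directives; the two sample configs it writes to temp files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: audit an sshd_config for the access controls the slide
# calls for (password logins off, keys only, AllowUsers restricted by source address).
# Assumes a single config file with no Include directives; the sample configs are constructed.
set -eu

# Print the effective value of a directive, lowercased. sshd honours the first occurrence,
# and commented-out lines ('#PasswordAuthentication yes') never match because $1 starts with '#'.
sshd_value() {  # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Return 0 when the file enforces key-only logins and scopes every AllowUsers entry to a
# source address (user@host). Prints one line per finding and returns 1 otherwise.
# A missing directive counts as a finding: sshd's built-in default is not the hardened value.
check_sshd_access() {
    cfg="$1"; rc=0
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication is not explicitly 'no'"; rc=1; }
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ]        || { echo "PermitRootLogin is not explicitly 'no'"; rc=1; }
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" = "yes" ]  || { echo "PubkeyAuthentication is not explicitly 'yes'"; rc=1; }
    if ! grep -qiE '^[[:space:]]*AllowUsers[[:space:]]' "$cfg"; then
        echo "no AllowUsers line: every account on the box may attempt a login"; rc=1
    elif awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i !~ /@/) bad++ } END { exit (bad ? 0 : 1) }' "$cfg"; then
        echo "AllowUsers has an entry without a source-address restriction"; rc=1
    fi
    return $rc
}

# Constructed sample configs written to temp files; each function prints the path.
make_hardened_sample() {
    f=$(mktemp); cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.10 webadmin@198.51.100.*
Subsystem sftp internal-sftp
EOF
    printf '%s\n' "$f"
}

make_default_sample() {
    f=$(mktemp); cat > "$f" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
AllowUsers deploy
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    printf '%s\n' "$f"
}

# Demonstration when run directly: the hardened sample passes, the default-style one reports four findings
for sample in "$(make_hardened_sample)" "$(make_default_sample)"; do
    if check_sshd_access "$sample"; then echo "$sample: OK"; else echo "$sample: needs work"; fi
    rm -f "$sample"
done
```

Run it against the real file with `check_sshd_access /etc/ssh/sshd_config` after sourcing the functions; on hosts that use `Include /etc/ssh/sshd_config.d/*.conf`, pass the file that actually carries the directives.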
24. Pharma Hack
Multi-million $ Business
Rarely Distribute Malware
Impression based Affiliate Marketing
Google's Search Engine Result Pages (SERP)
Odds of malware distribution are actually low
Tricks:
Embedded within core files
Look for ".tmp" directories
25. Pharma Hack, cont'd
Try using CURL to emulate Google and Windows:
curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
Google Webmaster Tools
Fetch as Google Bot
Check your Theme index.php file for things like this:
<?php
$wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-
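The loader line above has a shape that is easy to grep for: code built at runtime (create_function, eval) from a blob read off disk or decoded. The script below is an added example, not from the slides: it walks a WordPress tree for PHP files with that pattern on a single line and lists the ".tmp" directories the previous slide points at. The webroot it scans, including the infected-looking index.php and the stash directory, is constructed in a temp directory for the demo; the path inside the sample is a placeholder.

```shell
#!/bin/sh
# Added example, not from the slides: triage a WordPress tree for the loader pattern shown above
# (create_function fed by file_get_contents of a stashed file) and for the ".tmp" directories
# the slide says to look for. The webroot and file contents below are constructed for the demo.
set -eu

# Lines that build code at runtime from a read-in or decoded blob. Matching on one line keeps the
# check cheap; it is a triage filter to read by hand, not proof of compromise.
LOADER_RE='(create_function|eval|assert)[[:space:]]*\(.*(file_get_contents|base64_decode|gzinflate|str_rot13)'

# Print "path:line:text" for every hit under the given root. /dev/null forces grep to prefix
# the file name even when a batch holds a single file (portable alternative to -H).
scan_php_loaders() {
    find "$1" -type f -name '*.php' -exec grep -nE "$LOADER_RE" /dev/null {} + || true
}

# Directories named .tmp (or .tmp-something) are not part of a stock WordPress install.
find_tmp_dirs() {
    find "$1" -type d -name '.tmp*'
}

# Build a throw-away webroot with one clean theme file, one infected index.php and a .tmp stash.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/my-theme/.tmp"
    cat > "$root/wp-content/themes/my-theme/functions.php" <<'EOF'
<?php
add_theme_support('post-thumbnails');
EOF
    # constructed: same shape as the slide's snippet, with a placeholder path and no real payload
    cat > "$root/wp-content/themes/my-theme/index.php" <<'EOF'
<?php
$wp__theme_icon=@create_function('',@file_get_contents('/path/to/webroot/wp-content/themes/my-theme/.tmp/icon.dat'));
get_header();
EOF
    printf '%s\n' "$root"
}

ROOT=$(make_sample_webroot)
echo "== suspicious loader lines =="; scan_php_loaders "$ROOT"
echo "== .tmp directories =="; find_tmp_dirs "$ROOT"
rm -rf "$ROOT"
```

Against a real site, run `scan_php_loaders /path/to/webroot` and read every hit: plugins occasionally use these functions legitimately, so the output is a reading list, not a verdict. Pair it with the curl comparison above, since the pharma payload only renders for the search engine's user agent.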
32. Malicious Redirects
Redirects your user to a domain distributing malware, fundamentally different than an iframe injection that executes in your browser
8 out of 10 times, check your .htaccess file – all of them
# find /var/www -name .htaccess -type f | wc -l
Check for backdoors also – often a sign of a bigger issue
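Counting the .htaccess files, as the slide does, tells you how many there are to read; the next step is knowing which ones deserve a close look. The script below is an added example, not from the slides: it wraps the slide's find | wc -l and then flags any .htaccess that pairs a RewriteCond on the referer or user agent with a RewriteRule to an absolute URL, the combination a redirect uses to stay invisible to the site owner while hitting search-engine visitors. The webroot, the stock WordPress rules, the basic-auth file on wp-admin and the malicious file in uploads are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: count every .htaccess file under a web root (the slide's
# find | wc -l) and flag the ones that redirect conditionally on referer or user agent.
# The web root and its three .htaccess files are constructed here.
set -eu

count_htaccess() {
    find "$1" -name .htaccess -type f | wc -l | tr -d ' '
}

# Print the path of each .htaccess that pairs a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT
# with a RewriteRule to an absolute URL. Stock WordPress rules test REQUEST_FILENAME only.
scan_htaccess_redirects() {
    find "$1" -name .htaccess -type f | while IFS= read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' "$f" \
           && grep -qiE 'RewriteRule[[:space:]].*[[:space:]]https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    # Stock WordPress permalink rules: benign
    cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
    # Basic-auth guard on wp-admin (slide 13): benign, no rewrite at all
    cat > "$root/wp-admin/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user
EOF
    # Constructed malicious file: only visitors arriving from a search engine are sent away
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule .* http://redirect.invalid/go [R=302,L]
EOF
    printf '%s\n' "$root"
}

ROOT=$(make_sample_webroot)
echo ".htaccess files: $(count_htaccess "$ROOT")"
echo "conditional redirects:"; scan_htaccess_redirects "$ROOT"
rm -rf "$ROOT"
```

A hit is a file to open, not a conviction: a legitimate geo or mobile redirect can look the same, and a redirect that checks the cookie or the query string instead will slip past this pattern, so the count still matters and every file with a RewriteRule is worth a read.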
34. Phishing
Growing at a faster pace than traditional web-malware
No impact to readers, but tied to SPAM bots sending out emails like this:
37. Demo Objective
Use good tools for bad things – wpscan
Enumerate the users
Brute Force the User accounts password
Insert an arbitrary Backdoor Shell for Remote Execution
Deface the Website
Insert another Shell Backdoor that provides an interface
I have 5 minutes – Ready?
39. Guard Access
Revisit Slide 12 – access, access, access
It always comes down to access
We have to change the way we treat and think about access.
All access – Server / Application
We are going through the same mistakes servers and desktops were making in the 90's with access.
Know where you are surfing the web, do you really need to log in as an admin at the coffee shop?
40. Password Dilemma
15 character pass
3 months to crack
Long / Complex / Unique
Key to Passwords
Prefer Password Manager
You don't? OK…
Passphrases work too
iLuvWCLVegas:2012:HrtAttckGrll
Come up with a process that works, stick to it:
One scheme:
Remember 8 characters
Write Down 8 characters
Save 20 characters
Second scheme:
Remember 20 characters
Prefix characters with site name
End sequence with some date
41. Kill PHP Execution
Directories:
WP-INCLUDES
WP-CONTENT
UPLOADS – At a minimum
<Files *.php>
Deny from all
</Files>
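The three-line block on the slide is the Apache 2.2 form and matches only files ending in .php. The version below is an added example, not from the slides: the same deny, extended to the other extensions a PHP handler is commonly mapped to and written so it works on Apache 2.2 and 2.4 (2.4 replaced Order/Deny with Require). Which extensions a given server actually executes depends on its handler configuration, which is an assumption here; confirm with your host. Uploads never needs PHP execution, so this is safe to drop in there. In wp-includes and wp-content some files are requested directly by WordPress and by plugins, which is why the slide says uploads at a minimum, so test the site after applying it higher up. AllowOverride must permit .htaccess in the directory or the file is ignored.

```apacheconf
# wp-content/uploads/.htaccess
# Added example, not from the slides: deny direct requests for PHP scripts in a directory that
# should only ever serve media. Extension list is an assumption; match it to your handler config.
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2, the syntax used on the slide
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Check it took effect by requesting a harmless test file you placed in uploads (for example an empty test.php) and confirming a 403 rather than a 200; then remove the test file.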
42. Disable Theme / Plugin Editor
I'd take it a step further and remove the ability to install, but that's just me.
Modify WP-CONFIG.PHP With:
Disable the Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
- OR -
Disable the Plugin / Theme Update and Installation
define('DISALLOW_FILE_MODS', true);
43. Update
Oldest version found in production – 1.5
Leading cause of cross-site contamination issues
Perhaps the simplest of tasks, yet we still find this:
44. Plugins That Help
Clients                            Non-Clients
Sucuri Security Premium            Duo Two-Factor Authentication
Duo Two-Factor Authentication      Limit Login Attempts
Theme-Check                        Theme-Check
BackupBuddy                        BackupBuddy
Akismet                            Akismet