How to investigate and recover from a security breach in WordPress
0 likes2,049 views
This document summarizes Otto Kekäläinen's talk about investigating and recovering from a WordPress security breach at his company Seravo. On November 9th, 2018 four WordPress sites hosted by Seravo were compromised due to a vulnerability in the WP GDPR Compliance plugin. Seravo's security team launched an investigation that uncovered malicious user accounts, identified the vulnerable plugin as the entry point, and cleaned up the sites. The experience highlighted the importance of having an incident response plan even when security best practices are followed.
![The entry
109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "GET / HTTP/1.1" 200 19027 "-" 0.301
109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.220
109.234.37.214 - - [08/Nov/2018:15:36:03 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.258
109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" 0.648
109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 1463
"https://<redacted>/wp-login.php?action=register" 0.129
109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.163
109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.167
$ host 109.234.37.214
214.37.234.109.in-addr.arpa domain name pointer host-109-234-37-214.hosted-by-vdsina.ru.
User agent was:
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"](https://image.slidesharecdn.com/wordcampnordic2019howtoinvestigateandrecoverfromasecuritybreach1-190308133255/85/How-to-investigate-and-recover-from-a-security-breach-in-WordPress-21-320.jpg)
How to investigate and recover from a security breach in WordPress
- 1. How to Investigate and Recover from a Security Breach Real-life Experiences with WordPress Otto Kekäläinen @ottokekalainen WordCamp Nordic March 8, 2019
- 2. ● A CEO who codes at Seravo.com ● Written WP themes and plugins, contributed to WordPress Core, MySQL, MariaDB, Debian, Ubuntu, Linux kernel, AppArmor… ● Linux and open source advocate Otto Kekäläinen
- 3. I’ve spoken many times about what WordPress site owners should focus on to keep their site secure... wordpress.tv/?s=otto+kekäläinen
- 4. ...but not today. This talk is different.
- 5. This talk is about Friday, November 9th 2018.
- 6. Premium hosting and upkeep for WordPress HTTP/2 TESTED UPDATES 24/7 UPKEEP
- 7. Upkeep: If a site goes down, we bring it up again. Covers security incidents.
- 8. 2018-11-09 11:37:48 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:26 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:42 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:42:37 <redacted>.seravo.com ALERT ! ! ! Just one ordinary Friday (not even 13th!)
- 9. Weird siteurl – on all 4 sites! Mistake by site admin? – No way Targeted attack on one and same company? – Plausible, but weird modus of operandi Security breach? – Definitely! $ wp option get siteurl http://erealitatea.net
- 10. High alert – 4 sites down for investigation 1. First responder notifies security officer on-call 2. Process list saved and further PHP execution frozen 3. Customer notified about on-going security incident 4. Response escalation: 3 investigators working in parallel
- 11. 11:55
- 12. Security breach investigation questions ● What is happening? Is it stopped? ● What happened before? When did this start? ● Is there malicious code somewhere? Backdoors planted? ● What files or database contents has changed? Which changes are malicious? ● Who did what? What IP addresses and other identifiers are linked to what actions?
- 13. Security breach investigation questions ● How did they get in? ● What level of access did they gain? ● What data could have leaked? ● What was their motive? ● What damage was caused?
- 14. Investigation and recovery steps 1. Make a new backup 2. Compare backups wp-backup-list-changes diff -ur wordpress backup/wordpress 3. Check last WP and SSH logins Store current state Reveal file and database changes Detect unauthorized use based on anomalies in timestamps or IP geolocation
- 15. Investigation and recovery steps 4. wp core verify-checksums wp plugin verify-checksums --all wp package install seravo/wp-checksum wp checksum all --details Compare WordPress core, plugin and theme files to their original versions as downloaded from wp.org
- 16. Modified plugin code found ..but was a false alert, modification most likely a mistake by real plugin author who released two plugin variants published with same version number. $ wp checksum diff plugin entry-views inc/widget-entry-views.php Executing diff /tmp/1541763665-4CBDYu.tmp wordpress/htdocs/wp-content/plugins/entry-views/inc/widget-entry-views.php 49c49 < $this->WP_Widget( --- > parent::__construct(
- 17. 13:31
- 18. Investigation and recovery steps 5. wp user list 6. wp db query 'SELECT post_modified, id, post_title, post_name, post_type FROM wp_posts ORDER BY id DESC LIMIT 50;' View recent new users View recent new contents
- 19. Two suspected attacker user accounts Variants of trollherten and different .ru email addresses found on multiple of the investigated sites. $ wp user list +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | trollherten@mail.com | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | t3trollherten@bk.ru | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+
- 20. Bingo! usernames, timestamps, IP addresses, email +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | trollherten@mail.com | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | t3trollherten@bk.ru | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+ These can be given to grep /data/log for log data mining
- 21. The entry 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "GET / HTTP/1.1" 200 19027 "-" 0.301 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.220 109.234.37.214 - - [08/Nov/2018:15:36:03 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.258 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" 0.648 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 1463 "https://<redacted>/wp-login.php?action=register" 0.129 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.163 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.167 $ host 109.234.37.214 214.37.234.109.in-addr.arpa domain name pointer host-109-234-37-214.hosted-by-vdsina.ru. User agent was: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
- 22. POST /wp-admin/admin-ajax.php ● Seravo does not log POST requests for good reasons ● So what was the payload that granted magic powers to the attacker? ● Luckily we have other PHP and database logs...
- 23. Anomalies in database use ● Weird empty WordPress options value updates ● Unusual requests to database table wpgdprc_access_requests ● What plugin does that belong to? $ grep -rF wpgdprc_access_requests wp-gdpr-compliance/ wp-gdpr-compliance/Includes/AccessRequest.php: return $wpdb->base_prefix . 'wpgdprc_access_requests'; wp-gdpr-compliance/uninstall.php: $wpdb->query("DROP TABLE IF EXISTS `{$wpdb->base_prefix}wpgdprc_access_requests`");
- 24. 14:03
- 25. Hmm.. Recent wp-gdpr-compliance plugin code changes smell like SQL injection fixes
- 26. Point of entry known ● The plugin WP GDPR Compliance Plugin most likely route ● Fix: remove it from all 4 sites $ wp plugin deactivate --uninstall wp-gdpr-compliance
- 27. 14:35
- 28. More information started coming in ● When the US woke up (in European afternoon) and published blogs the Sucuri RSS feed we subscribe showed interesting stuff: blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-wit h-wp-gdpr-compliance-plugin-vulnerability.html ● Then more and more other reports were found: a. www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in- wp-gdpr-compliance-plugin-exploited-in-the-wild/ b. vitalisec.blogspot.com/2018/11/wp-gdpr-plugin-attack.html c. wpvulndb.com/vulnerabilities/9144
- 29. Vulnerability details ● A SQL injection flaw in WP GDPR Compliance allowed a remote attacker to set arbitrary WP option values a. First allow anybody to register with users_can_register=1 b. Then set default_role=”administrator” for all new users c. Register an account, log in and do whatever an admin can do ● Reported to wpvulndb.com by Adrian Mörchen / moewe.io ● Fixed in WP GDPR Compliance version 1.4.3
- 30. Fix issue globally for all our customers commit 2ffb891415628ead16263e1fa09d78dac9e5dcdd Author: Ville Korhonen Date: Fri Nov 9 14:51:18 2018 +0200 Add WP GDPR Compliance plugin to urgent updates WP GDPR Compliance < 1.4.3 has critical SQL injection flaw which allows simple privilege escalation. <https://plugins.trac.wordpress.org/changeset/1970313> Added to Seravo’s update systems as an urgent update
- 31. 14:51
- 32. Investigation and recovery steps 7. Based on findings, clean up the site a. Recover clean version from backups b. Remove malicious code and content manually 8. As a precaution, reset all WordPress user sessions and passwords wp-reset-all-passwords In this case option A was not possible, but luckily option B was quite easy as backups showed only one potential malware file was injected.
- 33. Investigation and recovery steps 9. As extra precaution, scan the site for malware one more time when it is otherwise deemed to be clean Using Seravo’s custom made WordPress/PHP malware scanner
- 34. 2018-11-09 15:26:22 <redacted>.seravo.com RESOLVED 2018-11-09 15:17:49 <redacted>.seravo.com RESOLVED 2018-11-09 15:29:03 <redacted>.seravo.com RESOLVED 2018-11-09 15:20:24 <redacted>.seravo.com RESOLVED All sites clean and finally back online
- 35. Investigation and recovery steps 10. Elevated monitoring and follow-up for site once it has been re-opened, just in case there was more attack avenues not discovered during the investigation. During the investigation Seravo sent 8 status update e-mails to the site owner and the customer mobilized their own team to support the effort and they also sent us valuable additional information. A few additional emails from Seravo to the customer followed over the weekend and next week to confirm all necessary measures had been completed.
- 36. Notification e-mail from new registration of ‘trollherten’ users ● Later we found out the site owner did get an email notification from WordPress about the new user named “trollherten” but since the e-mail was vague and did not contain any alarming information, the person who read the e-mail ignored it.
- 37. Luckily this was not a targeted attack ● Most likely the attacker just wanted to own the site and use it to redirect traffic, spam, mount more attacks against other sites etc. ● The site itself or the data it had was not the target and most likely not used.
- 38. Be prepared: no security is perfect ● No plugin author makes perfect code. ● All plugins on the site were updated a week earlier, the vulnerability was used close to zero-day. ● Unreasonable for site admin to read deeply all notification e-mails. ● Fact: sometimes even good security isn’t enough. One also needs to have a security incident response plan. ● We do. Do you?