WordPress Security

Dealing with Today’s Hacks
If you don’t ask, you don’t get!

      •     Dre Armeda, CISSP
      •     CEO, Co-Founder at Sucuri Inc.
      •     @dremeda
      •     Dre.im

      I'm a Harley enthusiast, and a Chargers
      fan. I wear many hats, and love tacos. I'm
      infatuated with WordPress, web design,
      and web security. I work at Sucuri
      Security. I hope to help make the web a
      safer place!




1/19/2013                            Dre Armeda - @dremeda   #wcphx
Why listen to me? You don’t have to, but…

• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
     – Managed security awareness for Sempra Energy
     – Deployed security suite for 1-800-Flowers.
     – Cleaned Martha Stewart web properties of malware
• Not an expert, passionate enthusiast.
• Seriously though – Quick Sucuri stats:
     – Remediate 200 – 300 infected websites a day,
            • 24/7/365
     – Perform 2 million + malware website scans a month
     – Support all CMS platforms and custom applications (e.g., WordPress,
       Joomla, osCommerce, vBulletin, Drupal, .NET, etc… )

               My goal in life is to make the web a safer place!


Thoughts To Kick Things Off
• Information Security is about risk reduction.
     – If you’re looking for the “silver bullet” this is the
       wrong talk for you.
• To think that you will never be infected is like
  saying you will never be sick.
     – Someone tells you different – Percussion calibration
       time
• Prevention is ideal, but not realistic.
     – Risk will never be 0%
     – Detection is key.


Know Your Enemy
•    They have time & resources
•    They are intelligent
•    Attacks are automated
•    Goal is to impact quantity
•    Own one, own them all…
•    It’s not personal




Ok, so what’s the problem?
TODAY’S ISSUES:
• The Ecosystem /
  Environment
• Access Control
• Software Vulnerabilities
• Administration
• Credential Management
• Extensibility


Today’s Focus

• Ecosystem / Environment
• Access Control
• Dealing with Hacks




Logical Architecture

    Linux Operating System
      Apache | MySQL | PHP
      WordPress | CPANEL | Plesk | phpMyAdmin | PHP-CGI | Modules | Modules




The EcoSystem / Environment
• Apache
     – Malicious module injects iFrames
     – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
• phpMyAdmin
     – Mirror Hacked
     – http://sourceforge.net/blog/phpmyadmin-back-door/
• PHP-CGI
     – Remote Code Execution
     – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
• Plesk
     – Vulnerable to SQLi attacks
     – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html


The EcoSystem / Environment
      • What can you do?
            – Not much… completely outside of your control if
              you’re using a shared or managed host

      • But, you can reduce risk...
            – Use a Dedicated / VPS Environment
               • But recognize the responsibility that this entails; if
                 what I mentioned previously doesn’t make sense, skip to
                 the next step
            – Go with a Managed Host
               • Doesn’t mean you’ll be safer, but it does mean you’ll have
                 resources to lean on



Access is Key
• We have to change the way we treat and think
  about access. All access – Server / Application

• We are going through the same mistakes servers
  and desktops were making in the 90’s with
  access.

• Know where you are surfing the web, do you
  really need to log in as an admin at the coffee
  shop?

Before We Dive In




WordPress Loving Infections
•   Defacements
•   Backdoors
•   Pharma Hack
•   Injections
      – iFrame Specifically
• Malicious Redirects
• Phishing

Hacktivism at its finest… you now support a cause!?!?!

DEFACEMENTS
Defacements
• Hacktivism 101
      – Annoying as S*&T
• Places to look:
      – Index.html
      – Index.php
            • Root Directory
            • Wp-Content
            • Theme Directory
• GREP is your friend:
      – grep -ri 'sniper399' .


It’s ok to cry a little…

BACKDOORS
Backdoors
• Common terms:
    –   Is_bot
    –   Eval
    –   Base64_decode
    –   Fopen
    –   Fclose
    –   readfile
    –   Edoced_46esab
    –   Exec
    –   System
    –   Shell_exec
    –   Gzuncompress
    –   popen
    –   FilesMan




Erectile Dysfunction pills are leading ads.. Who knew..

PHARMA HACK
Pharma Hack
• Multi-million $ Business
• Rarely Distribute Malware
• Impression based Affiliate
  Marketing
• Google’s Search Engine Result
  Pages (SERP)
• Odds of malware distribution are
  actually low
• Tricks:
     – Embedded within core files
     – Look for “.tmp” directories = >


Pharma Hack, cntd..
• Try using CURL to emulate Google and Windows:
      curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
      – Google Webmaster Tools
            • Fetch as Google Bot
• Check your Theme Index.php file for things like
  this:
      – <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
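Added example, not part of the original deck: a POSIX shell triage script that applies the Backdoors term list and the theme-loader pattern above (code pulled out of an image file) to a WordPress tree. The function names, the image-extension list and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the deck. Run it against a copy of the docroot.

# Terms from the Backdoors slide, plus create_function from the theme loader.
# edoced_46esab is base64_decode reversed, which malware passes to strrev().
TERMS='is_bot|eval|base64_decode|edoced_46esab|fopen|fclose|readfile|exec|system|shell_exec|gzuncompress|popen|filesman|create_function'
IMG='jpe?g|png|gif|ico'   # assumed list of image extensions

# rank_php ROOT [MIN]: "<n> <file>" for .php files with >= MIN distinct terms.
# WordPress core uses fopen and readfile itself, so rank by distinct terms
# instead of alerting on any single hit.
rank_php() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        n=$(grep -oiwE "$TERMS" "$f" | tr 'A-Z' 'a-z' | sort -u | wc -l | tr -d ' ')
        if [ "$n" -ge "${2:-3}" ]; then printf '%s %s\n' "$n" "$f"; fi
    done | sort -rn
}

# image_loaders ROOT: PHP lines that build or include code from an image file.
image_loaders() {
    find "$1" -type f -name '*.php' -exec \
        grep -HniE "(create_function|eval|include|require)[^;]*\.($IMG)['\"]" {} + || :
}

# code_in_images ROOT: image files that contain a call to one of the terms.
# The loader passes the file body to create_function, so the payload needs no
# "<?php" tag; look for the calls instead. -a reads binary data as text.
code_in_images() {
    find "$1" -type f | grep -iE "\.($IMG)\$" | while IFS= read -r f; do
        if grep -qaiE "($TERMS)[[:space:]]*\(" "$f"; then printf '%s\n' "$f"; fi
    done
}

# tmp_dirs ROOT: the ".tmp" directories the Pharma Hack slide mentions.
tmp_dirs() { find "$1" -type d -name '*.tmp'; }

# make_sample DIR: constructed files (not real malware) for an offline run.
make_sample() {
    t="$1/wp-content/themes/my-really-good-theme"
    mkdir -p "$t/images" "$1/wp-includes/.tmp"
    printf '%s\n' '<?php get_header(); the_content(); get_footer();' > "$t/page.php"
    printf '%s\n' "<?php \$wp__theme_icon=@create_function('',@file_get_contents('$t/images/s.jpg'));\$wp__theme_icon(); ?>" > "$t/index.php"
    printf '%s\n' 'if(is_bot()){eval(gzuncompress(base64_decode("...")));}' > "$t/images/s.jpg"
    printf 'GIF89a\001\002\003' > "$t/images/logo.gif"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample "$d"
    rank_php "$d" 1; image_loaders "$d"; code_in_images "$d"; tmp_dirs "$d"
    rm -rf "$d"
elif [ -n "${1:-}" ]; then
    rank_php "$1"; image_loaders "$1"; code_in_images "$1"; tmp_dirs "$1"
fi
```

Hits from `rank_php` are a review queue, not a verdict: plugins legitimately use several of these functions, so compare flagged files against a clean copy of the same version.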
Pharma Hack, cntd..




It only hurts for a minute…

INJECTIONS
Injections
• Invisible iFrame’s - Executing on your browser
• Contributing to Drive-by-Downloads, Pharma, XSS, CSRF
• Places to check – Pages that generate content:
     – JS files, Header.php, Index.php, Function.php, Footer.php




Injections, cntd…
      • PHP iFrame Injection =>
            – Count##.php
            – Check all Index.php /
              Theme JS files
            – Example below:




Injections, cntd…

      • Pharma Link
        Injections =>
      • Drive-By-
        Downloads




WTF?!?! Why don’t I understand what it says?

MALICIOUS REDIRECTS
Malicious Redirects
      • Redirects your user to a domain distributing malware,
        fundamentally different than an iframe injection that
        executes in your browser
      • 8 out of 10 times, check your .htaccess file – all of them
            – # find /var/www -name .htaccess -type f | wc -l
      • Check for backdoors also – often a sign of a bigger issue
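Added example, not part of the original deck: the `find` above only counts the files, so this POSIX shell script goes one step further and lists, for every `.htaccess` under a root, the redirect rules that point off-site and the conditions that make a redirect fire only for some visitors. Function names, `example.com` as the site's own host and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the deck. ROOT and OWN_HOST are yours to supply.

# list_htaccess ROOT: every .htaccess under ROOT, not only the docroot one.
list_htaccess() { find "$1" -type f -name .htaccess | sort; }

# external_redirects ROOT OWN_HOST: "file:line:rule" for redirect directives
# that send visitors to an absolute URL on a host other than OWN_HOST.
external_redirects() {
    own=$(printf '%s' "$2" | sed 's/\./\\./g')
    list_htaccess "$1" | while IFS= read -r f; do
        grep -HniE '^[[:space:]]*(RewriteRule|Redirect[a-z]*|ErrorDocument)[[:space:]].*https?://' "$f" |
            grep -viE "https?://([a-z0-9-]+\.)*$own([/: ]|\$)" || :
    done
}

# visitor_conditions ROOT: RewriteCond lines keyed on referer or user agent.
# They make a redirect fire only for search-engine traffic, so the owner who
# types the URL directly never sees it. Hotlink protection uses the same
# directive, so treat hits as a review list.
visitor_conditions() {
    list_htaccess "$1" | while IFS= read -r f; do
        grep -HniE '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' "$f" || :
    done
}

# make_sample DIR: constructed files for an offline run. The docroot file is
# a normal WordPress block plus a same-site redirect; the uploads file holds
# a constructed conditional redirect to a reserved .invalid host.
make_sample() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]
# END WordPress
EOF
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/in.php [R=302,L]
EOF
}

if [ -n "${2:-}" ]; then
    list_htaccess "$1"; external_redirects "$1" "$2"; visitor_conditions "$1"
fi
```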




Biggest growing problem, exceptionally difficult to detect…

PHISHING
Phishing
• Growing at a faster pace than traditional web-
  malware
• No impact to readers, but tied to SPAM bots
  sending out emails like this:




Phishing, cntd…




Bringing the Point Home

DEMONSTRATION
Demo Objective
•   Use good tools for bad things – wpscan
•   Enumerate the users
•   Enumerate Passwords
•   Own target WordPress site
•   Deface the Website

                 I have 5 minutes – Ready?




Remember the risk discussion?

KEEPING IT REAL
Update
      • Oldest version found in production – 1.5
      • Leading cause of cross-site contamination issues
      • Perhaps the simplest of tasks, yet we still find this:




Access is Key
• On the Server:
       – Kill accounts that are not in use
       – FTP is the devil – slap yourself and switch to SFTP
       – Disable password auth & use key pairs
• WordPress Admin:
       – Multi-Factor Authentication on wp-admin
       – Two-Factor Authentication on wp-login.php
• Employ least privilege:
       – Only use admin accounts for admin tasks
       – Learn to use Editor, Author, Contributor, Subscriber

Password Dilemma
      • 15 character pass
            – 3 months to crack
      • Long / Complex / Unique
            – Key to Passwords
      • Prefer Password Manager
            – You don’t? ok..
            – Passphrases work too
                • iLuvWCLpHX:2013:S@nT@N b@By
      • Come up with a process & stick to it:
            – One scheme:
                • Remember 8 characters
                • Write Down 8 characters
                • Save 20 characters
            – Second scheme:
                • Remember 20 characters
                • Prefix characters with site name
                • End sequence with some date


Kill PHP Execution
• Kill PHP Execution
      – Directories:
            • WP-INCLUDES
            • WP-CONTENT
            • UPLOADS – At a minimum


                  <Files *.php>
                  Deny from all
                  </Files>
Disable Theme / Plugin Editor
I’d take it a step further and remove the ability to install, but
that’s just me.

Modify WP-CONFIG.PHP With:

• Disable the Plugin / Theme Editor
      – define('DISALLOW_FILE_EDIT', true);

                 - OR -

• Disable the Plugin / Theme Update and Installation
      – define('DISALLOW_FILE_MODS', true);
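Added example, not part of the original deck: a POSIX shell audit that checks whether the controls from the Kill PHP Execution slide and this slide are actually in place on a WordPress root. Function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the deck. Function names and sample files are
# assumptions; pass the WordPress root as the first argument.

# php_blocked DIR: succeeds if DIR/.htaccess denies requests for PHP files.
# "Deny from all" is the Apache 2.2 spelling used on the slide; Apache 2.4
# spells it "Require all denied", so both are accepted. Commented-out rules
# are dropped first so they do not count as protection.
php_blocked() {
    [ -f "$1/.htaccess" ] || return 1
    sed 's/^[[:space:]]*#.*//' "$1/.htaccess" | tr '\n' ' ' |
        grep -qiE '<Files(Match)?[[:space:]]+[^>]*php[^>]*>[^<]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)'
}

# config_flag FILE NAME: succeeds if FILE has an active define(NAME, true).
config_flag() {
    grep -vE '^[[:space:]]*(//|#)' "$1" |
        grep -qiE "define[[:space:]]*\([[:space:]]*['\"]${2}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# audit ROOT: one line per control; exit status is the number missing.
audit() {
    missing=0
    for sub in wp-includes wp-content wp-content/uploads; do
        if php_blocked "$1/$sub"; then echo "ok       php blocked in $sub"
        else echo "MISSING  php blocked in $sub"; missing=$((missing + 1)); fi
    done
    if config_flag "$1/wp-config.php" DISALLOW_FILE_MODS; then
        echo "ok       DISALLOW_FILE_MODS"
    elif config_flag "$1/wp-config.php" DISALLOW_FILE_EDIT; then
        echo "ok       DISALLOW_FILE_EDIT (install and update still allowed)"
    else
        echo "MISSING  DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS"; missing=$((missing + 1))
    fi
    return "$missing"
}

# make_sample DIR: constructed tree with one control missing (the rule in
# wp-content is commented out).
make_sample() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
    printf '%s\n' '<Files *.php>' 'Deny from all' '</Files>' > "$1/wp-includes/.htaccess"
    printf '%s\n' '# <Files *.php>' '# Deny from all' '# </Files>' > "$1/wp-content/.htaccess"
    printf '%s\n' '<FilesMatch "\.php$">' 'Require all denied' '</FilesMatch>' > "$1/wp-content/uploads/.htaccess"
    printf '%s\n' '<?php' "// define('DISALLOW_FILE_MODS', true);" "define( 'DISALLOW_FILE_EDIT', true );" > "$1/wp-config.php"
}

if [ -n "${1:-}" ]; then audit "$1"; fi
```

The check only reads configuration; confirm the result by requesting a PHP file under `uploads` on your own site and expecting a 403.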


Plugins That Help
Sucuri Clients                         Non-Clients
• Sucuri Security Plugin               • Limit Login Attempts
• Theme-Check                          • Theme-Check
• BackupBuddy                          • BackupBuddy
• Akismet                              • Akismet




Need a Hand?
Support Forums
  • Hacked – http://wordpress.org/tags/hacked
  • Malware – http://wordpress.org/tags/malware
  • BadwareBusters – https://badwarebusters.org

Online Resources
  • Sucuri Blog: http://blog.sucuri.net
  • SiteCheck Scanner: http://sitecheck.sucuri.net
  • Unmask Parasites: http://unmaskparasites.com
  • Perishable Press: http://perishablepress.com/category/web-design/security/
  • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress


Dre Armeda, CISSP
Dre.im
@dremeda

Sucuri Inc.
http://sucuri.net
http://blog.sucuri.net
@sucuri_security


            Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.




WordPress Security - WordCamp phoenix 2013
