CLEAN UP! WHAT TO DO AFTER A WORDPRESS HACK
Jason Packer, [email protected], @jhpacker

Columbus WordCamp 2015


YOU’VE BEEN HACKED, NOW WHAT?

“Stay calm” - WordPress.org Codex FAQ

HOW TO CLEAN UP YOUR SITE

1. Hire someone. (sucuri.com, unhack.us, wpsecuritylock.com)

2. Nuke it & re-install. Can your host help?

3. DIY forensic cleanup.

HOW TO HACK A WORDPRESS SITE!

Photo: flickr, brianklug, CC BY-NC 2.0

1. Find Target: automated scans across many sites.

2. Assess Vulnerabilities: find out what the site runs and how to compromise it.

3. Run Exploit Script: get access via the vulnerability, drop a backdoor.

4. “Do Stuff”: they want to preserve access and hide their tracks.

AUTOMATED TARGET ACQUISITION

Build a target list…

via Google: inurl:wp-content/themes/VulnerableTheme

via Code search tools (like Nerdy Data)

via Software usage trackers (like BuiltWith)

ASSESS & COMPROMISE

• Does my exploit script work?

• Scripts can be automated, clever, sloppy, broken, non-sensical.

WPScan output

COMPREHENSIVE CLEAN-UP

It can be a lot of work to be comprehensive, but miss either the hole they used to get in or what they left behind and they’ll be back.

#1 - SHUT DOWN ACCESS

• .htaccess block for everyone but your own IP while you work.

• define('DISABLE_WP_CRON', true); so scheduled tasks can’t re-run attacker code.

• Were the ftp/ssh/mysql users compromised too?

• Check your backups, make a fresh backup.

#2 - FIND THE COMPROMISED FILES

• Look for new or recently changed files (find command, version control diff).

• Verify installed files (core, plugins & themes) against known-good copies.

• Scan every file with a scanner like Wordfence.

WORDFENCE SCAN

$ find . -type f -mtime -7 -name '*.php*' -print0 | xargs -0 grep -iP "(exec|system|eval|gzinflate|md5|rot13|base64_decode)\s*\("

Sure beats manual grepping…
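A recently-modified search only works while the attacker has not back-dated their files, and grepping for eval() finds the obvious droppers but not a quietly patched theme file. The script below is an added example, not part of the talk: it takes a SHA-256 baseline of the WordPress tree right after a clean install and later reports modified, missing and new files, then runs the same kind of keyword triage over the PHP. It needs GNU coreutils (sha256sum, sort -z, touch -d); the tree it snapshots and "infects" is constructed inline for the demo.

```shell
#!/bin/sh
# Added example (not from the talk): a checksum baseline taken right after a clean
# install, compared against the live tree later. "find -mtime" alone is not enough,
# because anyone who can write a file can also back-date it with touch. Requires GNU
# coreutils (sha256sum, sort -z). The sample tree below is constructed for the demo.

# Record a SHA-256 for every file under ROOT. Run this after each clean (re)install.
snapshot_tree() {           # snapshot_tree ROOT > manifest.sha256
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum)
}

# Compare ROOT with MANIFEST. One line per finding:
#   MODIFIED path   content differs from the baseline (injected code)
#   MISSING  path   in the baseline, gone now
#   NEW      path   never in the baseline (droppers and backdoors land here)
diff_against_manifest() {   # diff_against_manifest ROOT MANIFEST
    root=$1 manifest=$2
    # With --quiet, sha256sum -c prints only failures: "path: FAILED" or
    # "path: FAILED open or read"; its stderr chatter is not needed here.
    (cd "$root" && sha256sum -c --quiet "$manifest" 2>/dev/null) | awk -F': ' '
        $2 == "FAILED"       { print "MODIFIED " $1 }
        $2 ~ /^FAILED open/  { print "MISSING " $1 }'
    # Anything on disk that the manifest never mentioned.
    (cd "$root" && find . -type f | sort) | awk -v m="$manifest" '
        BEGIN { while ((getline l < m) > 0) { sub(/^[^ ]+  /, "", l); seen[l] = 1 } }
        !($0 in seen) { print "NEW " $0 }'
}

# Cheap triage of PHP under ROOT: files that decode or execute strings deserve a read.
# Same idea as the grep on the slide; expect false positives in legitimate plugins.
suspicious_php() {          # suspicious_php ROOT
    (cd "$1" && find . -type f -name '*.php*' -print0 \
        | xargs -0 grep -liE '(eval|assert|system|exec|passthru|shell_exec|gzinflate|str_rot13|base64_decode)[[:space:]]*\(' 2>/dev/null)
}

# --- constructed demo: clean install, snapshot, then a simulated compromise ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads/2015/05" "$demo_root/wp-content/themes/demo"
printf '<?php echo "hello"; ?>\n'  > "$demo_root/index.php"
printf '<?php get_header(); ?>\n'  > "$demo_root/wp-content/themes/demo/header.php"
printf 'GIF89a\n'                  > "$demo_root/wp-content/uploads/2015/05/photo.gif"
manifest=$(mktemp)
snapshot_tree "$demo_root" > "$manifest"

# Attacker drops a loader in uploads, splices a backdoor into a theme file and
# back-dates it to hide from mtime searches, and deletes an upload along the way.
printf '<?php eval(gzinflate(base64_decode($_POST["x"]))); ?>\n' > "$demo_root/wp-content/uploads/1_upload.php"
printf '<?php @eval($_REQUEST["c"]); get_header(); ?>\n'         > "$demo_root/wp-content/themes/demo/header.php"
touch -d '30 days ago' "$demo_root/wp-content/themes/demo/header.php"
rm "$demo_root/wp-content/uploads/2015/05/photo.gif"

echo "== manifest diff =="
diff_against_manifest "$demo_root" "$manifest"
echo "== PHP worth reading =="
suspicious_php "$demo_root"
echo "== what find -mtime -7 alone sees (misses the back-dated theme file) =="
(cd "$demo_root" && find . -type f -name '*.php*' -mtime -7)
```

Keep the manifest off the server (an attacker with write access to the tree can edit it too), and regenerate it after every legitimate update, otherwise every update shows up as a compromise.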

#3 - WHEN & HOW

• We’ve found the files, when & how did they get dropped?

• Three types: injection scripts, backdoors, “do stuff” scripts

• What do the files do? Whatever it is, it’s nothing good.

[Chart: Vulnerability by Type, stats from wpvulndb.com]

Was it plugins again? Yup, probably…

WHAT’S IN A BACKDOOR?

FilesMan, a PHP cPanel for Hacking

ACCESS LOGS!

grep for the malicious file’s timestamp: $ grep 28/May/2015:15:31 access_log

172.16.0.59 - - [28/May/2015:15:31:04 +0000] "POST /wp-content/uploads/1_upload.php

then grep for that IP to reconstruct their whole session.
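The two greps above, turned into a repeatable pivot. This is an added example and not part of the talk; the access log it reads is constructed inline (combined log format, same date and dropper path as the slide), and the IPs in it are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the talk): pivot from the timestamp of a dropped file to the
# attacker's whole session. The log below is constructed for the demo; point the
# functions at your real access_log instead. Assumes the Apache/nginx combined format.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [28/May/2015:15:29:51 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.0.59 - - [28/May/2015:15:30:12 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 311 "-" "python-requests/2.7.0"
172.16.0.59 - - [28/May/2015:15:30:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 56 "-" "python-requests/2.7.0"
172.16.0.59 - - [28/May/2015:15:31:04 +0000] "POST /wp-content/uploads/1_upload.php HTTP/1.1" 200 1432 "-" "python-requests/2.7.0"
203.0.113.20 - - [28/May/2015:15:31:04 +0000] "GET /feed/ HTTP/1.1" 200 9901 "-" "FeedFetcher"
172.16.0.59 - - [28/May/2015:15:31:09 +0000] "GET /wp-content/uploads/1_upload.php HTTP/1.1" 200 89 "-" "python-requests/2.7.0"
EOF

# Step 1: which clients hit that path in the minute the file appeared?
ips_at_timestamp() {        # ips_at_timestamp LOG 'DD/Mon/YYYY:HH:MM' URL_PATH
    grep -F "[$2" "$1" | grep -F -- "$3" | awk '{ print $1 }' | sort -u
}

# Step 2: that client's full session, in log order. Exact match on the first field,
# because a plain "grep 172.16.0.5" would also match 172.16.0.59 and friends.
session_for_ip() {          # session_for_ip LOG IP
    awk -v ip="$2" '$1 == ip' "$1"
}

# Step 3: the earliest request in the session is the best lead on the entry point.
entry_point_for_ip() {      # entry_point_for_ip LOG IP
    session_for_ip "$1" "$2" | head -n 1 | awk -F'"' '{ print $2 }'
}

suspect=$(ips_at_timestamp "$SAMPLE_LOG" '28/May/2015:15:31' '/wp-content/uploads/1_upload.php')
echo "client that touched the dropper: $suspect"
echo "probable entry point: $(entry_point_for_ip "$SAMPLE_LOG" "$suspect")"
session_for_ip "$SAMPLE_LOG" "$suspect"
```

Rotated logs matter here: the break-in is often days before the first sign of trouble, so run the same functions over access_log.1, access_log.2.gz (via zcat) and so on, and remember that a POST to the dropper from a second IP means the backdoor was shared or sold.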

What does that code do??

eval(gzinflate(base64_decode('WTF…

Run it somewhere safe: unphp.net, ddecode.com, or a throwaway virtual machine.

OBFUSCATION IS A DIRTY WORD

FOUND ‘EM! (OR NOT…)

• Track IP back to initial break-in?

• Otherwise search for the most likely candidate (wpvulndb.com, exploit-db.com, cvedetails.com)

• Could be something outside of WP altogether: phpMyAdmin, phpBB, Magento, system level…

#4 - REMOVE COMPROMISED FILES

• Delete the files from the server, but keep copies elsewhere for analysis.

• If something is missed, reinfection is possible.

#5 - RESTORE CLEAN FILES

• Don’t just restore from backup, re-install!

• If it was touched (theme, plugins, core) it should be re-installed.

• Sucuri Scanner can do a bulk reinstall of core, plugins and themes.

#6 SCAN & CLEAN DATABASE

• Content-oriented hacks might hit files AND the database, or even just the database (spam links, injected scripts in posts, rogue admin users).

• Clean up your content (Wordfence + manual review again).

#7 RESET KEYS & PASSWORDS

• Salts/keys (in wp-config.php)

• Users: reset passwords for all of them (Sucuri Scanner can force this)

• Other exposures? The ftp/ssh/mysql credentials from step 1 count too.
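New salts and keys invalidate every logged-in session and every “remember me” cookie, including the attacker’s, which is the point of rotating them after a clean-up. The script below is an added example, not part of the talk: it generates the eight values from /dev/urandom instead of fetching them from the api.wordpress.org secret-key service, and splices them into wp-config.php in place of the old define() lines. It assumes a POSIX shell with awk and a GNU or BSD head -c; the wp-config.php fragment it rewrites is constructed inline with the placeholder values shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the talk): rotate the eight keys and salts in wp-config.php
# without a network round-trip to api.wordpress.org. Assumes /dev/urandom and awk.
# Rotating them logs every user out, which is exactly what you want after a compromise.

SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 printable characters from the kernel CSPRNG. The set deliberately omits quote,
# backslash and dollar so the value drops straight into a single-quoted PHP literal.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_=+<>?,.:;|~' < /dev/urandom | head -c 64
}

# Emit fresh define() lines for all eight constants.
new_salt_defines() {
    for name in $SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_salt)"
    done
}

# Rewrite CONFIG on stdout: every existing salt define() is dropped and the fresh block
# is spliced in where the first one stood, so the rest of the file is untouched.
rotate_salts() {            # rotate_salts wp-config.php > wp-config.php.new
    fresh=$(mktemp)
    new_salt_defines > "$fresh"
    awk -v fresh="$fresh" '
        /^define\( *['\''"](AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)['\''"]/ {
            if (!spliced) { while ((getline line < fresh) > 0) print line; spliced = 1 }
            next
        }
        { print }' "$1"
    rm -f "$fresh"
}

# Constructed sample wp-config.php fragment, with the placeholders from wp-config-sample.php.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF

rotate_salts "$SAMPLE_CONFIG"
```

Write the output to a new file, diff it against the original, then move it into place; never edit wp-config.php in place on a live site, since a half-written file takes the whole site down.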

#8 HARDEN YOUR SITE

• Update, update, update

• Security Plugin (iThemes Security)

• Brute force login protection

• Strong passwords

• No admin user

• No PHP under uploads dir

• File permissions

FILE PERMISSIONS + PHP EXECUTION

• If wp-content/uploads is the only place the web server user can write, and PHP is never executed from there, then dropped code has nowhere to run.
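One way to put that slide into practice, as an added example that is not part of the talk: an .htaccess that refuses to serve PHP from the uploads tree, plus a permission audit and reset for the rest of the install. It assumes Apache 2.4 (Require syntax) with AllowOverride permitting the directive in wp-content/uploads; on nginx the equivalent is a location block in the server config that denies .php under /uploads/. The directory tree it audits is constructed inline.

```shell
#!/bin/sh
# Added example (not from the talk): deny PHP execution under wp-content/uploads and
# audit which directories the web server could write to. Assumes Apache 2.4 and that
# AllowOverride lets .htaccess set access control for the uploads directory.

# Write an .htaccess that refuses to serve any PHP-like file from this tree.
# Matches .php, .php5, .phtml and .phar so renamed droppers are covered too.
deny_php_in() {             # deny_php_in DIR
    cat > "$1/.htaccess" <<'EOF'
# Uploads are data, never code: refuse every PHP-like extension here.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Directories under ROOT that are world-writable: each one is a place a compromised
# process can stage files.
world_writable_dirs() {     # world_writable_dirs ROOT
    find "$1" -type d -perm -o+w | sort
}

# Anything off the common baseline (directories 755, files 644).
nonstandard_modes() {       # nonstandard_modes ROOT
    find "$1" -type f ! -perm 644 -o -type d ! -perm 755 | sort
}

# Reset the baseline. Tighten wp-config.php further afterwards (600 or 640) and make
# sure the deploy user, not the web server user, owns everything outside uploads.
fix_modes() {               # fix_modes ROOT
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# --- constructed demo tree (not a real site) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads" "$demo_root/wp-content/plugins/demo"
chmod 755 "$demo_root" "$demo_root/wp-content" "$demo_root/wp-content/uploads" \
          "$demo_root/wp-content/plugins" "$demo_root/wp-content/plugins/demo"
printf '<?php\n' > "$demo_root/wp-content/plugins/demo/demo.php"
chmod 644 "$demo_root/wp-content/plugins/demo/demo.php"
chmod 777 "$demo_root/wp-content/plugins/demo"   # the sloppy "make it work" permission that lets a plugin be overwritten
deny_php_in "$demo_root/wp-content/uploads"
chmod 644 "$demo_root/wp-content/uploads/.htaccess"

echo "== world-writable directories =="
world_writable_dirs "$demo_root"
echo "== off-baseline modes =="
nonstandard_modes "$demo_root"
```

Run the two audit functions before and after fix_modes; on a real install, expect a few deliberate exceptions (cache directories, wp-config.php) and document them rather than silently widening the baseline.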

#9 RE-LAUNCH

• Remove your .htaccess block

• Notify host and/or Google

• Queue up pat-on-the-back

#10 MONITOR

• Keep a close eye on any site changes.

• Especially file changes!

• Also user logins, access/error logs.

THANKS, WE’RE DONE!

Best scanning tools: Wordfence

Best post-hack tools: Sucuri Scanner

Best hardening tools: iThemes Security