10. Malicious Redirects
• Easy / Medium to Detect
– Be mindful of conditionals
• Looking for Integrity Issues
– Has something been modified?
• Common location[s]:
– .htaccess
– Index.php
– Footer.php
– Header.php
• Biggest Issue
– Redirectors are becoming highly complex
– Employing heavy conditional elements
@perezbox | @sucuri_security
17. Search Engine Poisoning, cont'd.
• Targets Search Engines (i.e., Google, Bing, Yahoo)
• Looking for Integrity Issues
– Have your posts / pages been modified?
• Common location[s]:
– Index.php (root, theme, plugins, etc.)
– Header.php
– Footer.php
– Embedded in Database (Posts / Pages)
• Biggest Issue
– Continues to evolve
– Highly conditional
– Not within visible range – often offscreen
18. Indicators of a Hack
Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.
20. Phase of an Attack
6/9/2014
Tony Perez | @perezbox |
@sucuri_security
Use for malware?
Part of a zombie network?
Data breach?
What kind of website do you have?
23. There’s a Tool for that
• Malware as a Service (MaaS)
– Yes, pay someone to hack for you
• Different tools to break in and generate payloads
– Brute force and vulnerability exploits
Malware Payloads
30. Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
31. Access – P@ssw0rd
• Passwords
Complex – Long – Unique
34. Auditing Questions
6/9/2014
Tony Perez | @perezbox |
@sucuri_security | #JoomlaDayAtlanta
• Understand what is going on at all times
– Who is logging in?
– Who is trying to log in?
– What files are changing?
– Has a post been created?
– Has a page been created?
– Are there any integrity issues?
35. Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
46. Simple Steps to Reduce Risk
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – MAC too
5. Permissions – D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
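The integrity questions from the Malicious Redirects, Search Engine Poisoning and Auditing slides (“has something been modified?”, “what files are changing?”) and the D 755 / F 644 rule above, worked as one check. This is an added example, not code from the deck or from Sucuri's tools; the site tree that demo() builds is constructed, and the watched file names are the ones the slides list.

```python
import hashlib, os, shutil, stat, tempfile

# Files the deck lists as common injection locations; D 755 / F 644 is the slide's permission rule.
WATCHED = {".htaccess", "index.php", "header.php", "footer.php"}
DIR_MODE, FILE_MODE = 0o755, 0o644

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(root):
    # Hash every watched file under root: the trusted state later runs are compared against.
    return {os.path.relpath(os.path.join(d, f), root): sha256_of(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f in WATCHED}

def check_integrity(root, baseline):
    # Answers "has something been modified?": changed, new and missing watched files.
    current = build_baseline(root)
    return {"modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
            "added": sorted(p for p in current if p not in baseline),
            "removed": sorted(p for p in baseline if p not in current)}

def check_permissions(root):
    # Paths carrying bits beyond D 755 / F 644, e.g. a group/world-writable index.php.
    loose = []
    for dirpath, dirs, files in os.walk(root):
        for name, want in [(d, DIR_MODE) for d in dirs] + [(f, FILE_MODE) for f in files]:
            mode = stat.S_IMODE(os.lstat(os.path.join(dirpath, name)).st_mode)
            if mode & ~want:
                loose.append((os.path.relpath(os.path.join(dirpath, name), root), oct(mode)))
    return sorted(loose)

def demo():
    # Constructed tree, not a real install: baseline it, then change it the way an injection would.
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "theme"))
        os.chmod(os.path.join(root, "theme"), DIR_MODE)
        for rel in ("index.php", ".htaccess", "theme/footer.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // clean\n")
            os.chmod(os.path.join(root, rel), FILE_MODE)
        baseline = build_baseline(root)
        with open(os.path.join(root, "theme", "footer.php"), "a") as fh:
            fh.write("// appended after the baseline\n")
        os.chmod(os.path.join(root, "index.php"), 0o666)
        return check_integrity(root, baseline), check_permissions(root)
    finally:
        shutil.rmtree(root)
```

In practice the baseline is taken right after a clean install or update and stored off the web server, so a compromised site cannot rewrite it along with the files.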
47. Notable Resources
Name – URL
Sucuri Blog – http://blog.sucuri.net
Sucuri TV – http://sucuri.tv
Malware Scanner – http://sitecheck.sucuri.net
Malware Scanner – http://unmaskparasites.com
Badware Busters – https://badwarebusters.org
Google Forums – http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools – http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories – http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB – http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ – http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress
48. Dealing with a Hack
Dealing with Malware – http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html
Leveraging Google Webmaster Tools – http://www.unmaskparasites.com/malware-warning-guide/
Google Webmaster Tools (Hacked) – http://www.google.com/webmasters/hacked/
Understanding Google’s Blacklists – http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html
Clearing Your Website with Free Scanner – http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html
WordPress Tips & Tricks – http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html