Post on 15-Apr-2017
Identifying a Compromised WordPress Site
@chrisburgess #wpmelb
Prevention is the holy grail, however it’s not the topic of this
talk.
You can’t always prevent, so you must detect.
Even if we’re doing everything possible to harden and maintain our
installations, we should still care about security to monitor our high
value sites.
Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable. Now, go do something useful about it. -- Bruce Schneier
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
The following examples are often the first signs of a
successful attack.
Ahrefs and Google Search Console
Real example of anchor text from Ahrefs
Real example of a malicious plugin.
This shouldn’t be the first sign of a compromised site. There
are usually plenty of early warning signs.
But first…
Links to the Quora Article
• https://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take
• https://ma.tt/2015/04/a-bank-website-on-wordpress/
• https://wptavern.com/banking-on-wordpress-matt-mullenweg-weighs-in-on-security-concerns
https://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take/answer/Karol-Krol?srid=uD68
Let’s ask another question. Is Linux secure? Is Django secure? Is iOS
secure? Is MySQL secure? Is Drupal secure? Is Node.JS secure? Is <insert browser> secure? Is
Android secure? Is Rails secure? Is Windows Server secure? Is Shopify
secure? You get the idea…
This can get subjective, since some have a much better track record than others, and
some are designed with security as a priority.
So… banks aside, what would constitute a high value target?
High traffic sites, anything with Personally Identifiable
Information (PII), software vendors, service providers?
Credit card numbers aren’t the only form of sensitive
information.
It’s really easy to say “something isn’t secure”.
It’s much harder to actually build something that is secure (knowing that there’s no such
thing as absolute security).
The best answer is that if security is important, you need
“people” working on it.
The Internet is a hostile environment. We need to have a healthy respect for this fact.
The current dilemma…
Hosting Providers
Plugins
Systems and Services
Users
Good Developers
Good Support, Ops and SysAdmins
A high value business needs good people, from all of these disciplines, working together.
http://www.sentrillion.com/images/img_defense-in-depth.jpg
Real example of a malicious file
You can’t rely only on tools, they won’t always detect a
compromise.
Most WordPress security tools work by using signatures.
For context, Kaspersky AV for Windows currently has around
500,000 signatures.
Scanning your site with online tools works only if your site has active malware, is defaced or blacklisted.
If a site has been compromised, it cannot be trusted.
example.com/index.php
example.com/otherapp/
example.com/*
Isolation
Look out for a shared web root, addon domains in cPanel, or other web apps in
subfolders.
We’re going to assume a fresh WordPress install, or restoration from a clean backup is needed
Places/things to check…
• Content/files (htaccess, index.php, sitemap.xml, anything custom)
• Running processes
• Running scripts, open files (look at full paths in processes)
• Memory
• Cron jobs
• Database
• Date and timestamps
• Suspicious plugins
• Suspicious directories/files
• Sitemaps/SERPs
• WordPress Admin Users
• Other users in GSC/WMT
• Code audit
Checking Content
• grep
• Screaming Frog (useful for finding JS)
• Sucuri SiteCheck
• UnmaskParasites.com
• Safe Browsing Site Status (Google)
Once the server has been compromised, it cannot be
trusted.
Tools for Detection
• System Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Malware Scanners
• Logging
System Monitoring
• Resources (Bandwidth/CPU/RAM/IO)
• Logins
• Processes
Integrity Monitoring
• git
• wp-cli
• Any diff tools
• Plugins
• Tripwire (and similar)
wp-cli’s Verify Checksums
$ wp core verify-checksums
Success: WordPress install verifies against checksums.
Thanks to @davemac for this tip!
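The "places to check" list, the grep check and the integrity-monitoring slide applied to a web root, as an added example that is not from the talk: wp-cli's verify-checksums covers core files only, so this script looks at the uploads and plugin directories, at timestamps, and for common obfuscation idioms. The function names, the indicator strings and the sample site tree are my own constructions.

```shell
#!/bin/sh
# Added example (not from the talk): a small triage pass over a WordPress web root
# covering three items from the "places to check" list: PHP files sitting in
# wp-content/uploads, files with recent timestamps, and PHP files that carry the
# obfuscation idioms typically found in injected code. Findings are printed as
# "TAG<TAB>path" lines; the count is returned separately so it can feed monitoring.
# Run it against a copy of the site: a compromised host cannot be trusted.

# Prefix every line on stdin with a finding tag.
tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

# scan_wp_root <webroot> [days]   (days defaults to 7)
scan_wp_root() {
    root=$1; days=${2:-7}
    {
        # 1. Uploads should hold media, never executable PHP.
        find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null |
            tag PHP_IN_UPLOADS
        # 2. Anything modified in the last N days; compare against your own change history.
        find "$root" -type f -mtime "-$days" | tag RECENT_CHANGE
        # 3. Indicator strings common in obfuscated injections (a starting point, not a signature set).
        find "$root" -type f -name '*.php' -exec grep -lE 'base64_decode|eval\(|gzinflate|str_rot13' {} + |
            tag OBFUSCATION
    } | sort -u
}

# Number of findings, for alert thresholds or exit codes.
count_findings() { scan_wp_root "$1" "${2:-7}" | wc -l | tr -d ' '; }

# Constructed sample tree (not a real site) so the scan can be exercised offline.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-content/uploads/2017/04" "$sample/wp-content/plugins"
    printf '<?php // constructed stand-in for the core entry point\n' > "$sample/index.php"
    printf 'not really a jpeg\n' > "$sample/wp-content/uploads/2017/04/image.jpg"
    # Constructed sample of the eval/base64 idiom; the payload decodes to "constructed".
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$sample/wp-content/uploads/2017/04/dropped.php"
    printf '<?php // constructed plugin file, edited just now\n' > "$sample/wp-content/plugins/hello.php"
    # Backdate everything except the plugin file, so only it counts as a recent change.
    find "$sample" -type f ! -name hello.php -exec touch -t 201701010000 {} +
    printf '%s\n' "$sample"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_tree); scan_wp_root "$demo" 7; rm -rf "$demo"
fi
```

On the constructed tree the scan reports three findings: the PHP file in uploads (twice, once per check that catches it) and the freshly edited plugin file; the backdated image is not reported.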
Firewalls
• Network Firewalls
• Web Application Firewalls
• Security Services
IDS/IPS
• Typically at the host level
• OSSEC
Malware Detection
• Security Plugins
• Commercial AV
• Public Site Scanning
• Google Search Console
• ConfigServer eXploit Scanner (for WHM/cPanel)
• Maldet/ClamAV
Logging
• /var/log (access, error, php)
• Centralised Logging or Log Shipping (Papertrail, Loggly, Splunk, Logstash etc.)
• Audit trails (Stream/WP Audit Trail etc.)
WPScan WordPress Scanner
WPSecurityBloggers.com
Use a security plugin (or manually harden)
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/
Final Words…
Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
Prevention and Response
Hardening/Prevention:
• https://codex.wordpress.org/Hardening_WordPress
Post-hack/Response:
• https://sucuri.net/website-security/what-to-do-after-a-website-hack/
• WordPress.org – wordpress.org/about/security – wordpress.org/news/category/security
• Verizon DBIR http://www.verizonenterprise.com/verizon-insights-lab/dbir/
• Sucuri https://sucuri.net/
• WP White Security https://www.wpwhitesecurity.com/
• OWASP http://owasp.org/
wpmelb.org/slack
Thanks and stay safe!
@chrisburgess #wpmelb