The moment my site got hacked

Marko Heijnen, CODEKITCHEN. WordCamp Switzerland, Zurich 2015

Upload: marko-heijnen

Posted on 23-Jan-2018


Page 1

Marko Heijnen, CODEKITCHEN

The moment my site got hacked. WordCamp Switzerland, Zurich 2015

Page 2

Page 3

0. The Story

Page 4

I have set things up

Page 5

Hardening WordPress

• Difficult password

• VPN access to home is required to log in as super admin

• Files can’t be changed by PHP

• define('DISALLOW_FILE_MODS', true);

• Renamed wp-content folder

Page 6

Other positive effects

• A lot of functionality is custom written

• PHP-FPM with OPcache requires a restart for changes to take effect

• WordPress Network install

Page 7

And then it all comes down to keeping things up-to-date

Page 8

Normally I keep everything up-to-date

Page 9

But one plugin slipped my attention

Page 10

It all started with an internal e-mail at my job

Page 11

I start checking to see if I can reproduce it

Page 12

😱😱😱

Page 13

1. Shock & Denial

Page 14

Page 15

Page 16

Checking the log files showed how they managed it

Page 17

Checking the log files showed the failed

Page 18

• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

• 202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
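The three log lines above already contain the pattern a defender should alert on: a POST that returns 200 with an "upload" hint in the query string, followed from the same IP by a GET for a PHP file under the content directory. The detector below is an added example, not code from the talk; it parses the slide's own log lines (user-agent strings shortened) and the 60-second window and the `=upload` / content-directory heuristics are assumptions for this illustration.

```python
import re
from datetime import datetime, timedelta

# The three access-log lines from slide 18 (user agents shortened); in practice read the server log.
LOG_LINES = [
    '202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0" "-"',
    '202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0" "-"',
    '202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0" "-"',
]

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

# Heuristics (assumed for this example): an "upload" hint in a POST query string,
# and a GET of a .php file under the (possibly renamed) content directory.
UPLOAD_HINT = re.compile(r"[?&]\w*=upload\b", re.I)
PHP_IN_CONTENT = re.compile(r"^/(?:wp-)?content/.*\.php", re.I)

def find_upload_then_execute(lines, window=timedelta(seconds=60)):
    """Return one alert per (successful upload POST, later PHP GET) pair from the same IP."""
    events = [e for e in map(parse, lines) if e]   # assumes chronological order
    alerts = []
    for i, post in enumerate(events):
        if (post["method"] != "POST" or post["status"] != 200
                or not UPLOAD_HINT.search(post["path"])):
            continue
        for follow in events[i + 1:]:
            if follow["ip"] != post["ip"] or follow["ts"] - post["ts"] > window:
                continue
            if follow["method"] == "GET" and PHP_IN_CONTENT.match(follow["path"]):
                alerts.append({"ip": post["ip"], "upload": post["path"],
                               "php": follow["path"], "status": follow["status"]})
    return alerts

if __name__ == "__main__":
    for a in find_upload_then_execute(LOG_LINES):
        print(a)
```

The two alerts it raises carry the 301 and the 404 of the follow-up GETs, so the report also shows whether the fetched file was actually reachable.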

Page 19

2. Anger

Page 20

Having that stupid rewrite

Page 21

Why didn’t I update my plugins?

Page 22

Why didn’t I have any protection for this in place?

Page 23

3. Working Through

Page 24

Start fixing things

Page 25

Start fixing things

• Update all plugins

• Check the upload directory for more PHP files and delete them all

• Don’t allow PHP to ever be executed inside uploads

• Check that everything else is still untouched

Page 26

I was lucky that I had git, but what about you?

Page 27

Checksum checker

• Compares the hashes of your files against the hashes of the originals

• Not for WordPress core but for your plugins and themes

• wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
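What the checksum check on this slide and the "check the upload directory for PHP files" step on slide 25 boil down to, as an added example (not the talk's tool or the wpcentral.io code): hash every file of a plugin, compare with a reference manifest, and report modified, missing and unexpected files, then list anything executable under uploads. The manifest format (relative path to digest) and the MD5 algorithm are assumptions; the sample tree is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="md5"):
    """Hex digest of a file; the algorithm must match whatever the reference manifest uses."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(base_dir, manifest, algo="md5"):
    """Compare every file under base_dir with manifest {relative path: digest}."""
    base = Path(base_dir)
    found = {p.relative_to(base).as_posix(): hash_file(p, algo)
             for p in base.rglob("*") if p.is_file()}
    return {
        "modified": sorted(f for f in found if f in manifest and found[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in found),
        "unexpected": sorted(f for f in found if f not in manifest),
    }

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def php_files_under(directory):
    """Uploads should never contain executable PHP; list anything that looks like it."""
    base = Path(directory)
    return sorted(p.relative_to(base).as_posix() for p in base.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)

def demo():
    """Constructed sample: one tampered plugin file, one dropped-in file, one PHP file in uploads."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / "tabify-edit-screen"
    (plugin / "inc").mkdir(parents=True)
    (plugin / "tabify-edit-screen.php").write_bytes(b"<?php // original plugin file\n")
    (plugin / "readme.txt").write_bytes(b"original readme\n")
    # Reference manifest as a checksums API would supply it (format assumed here).
    manifest = {f: hash_file(plugin / f) for f in ("tabify-edit-screen.php", "readme.txt")}
    (plugin / "readme.txt").write_bytes(b"tampered readme\n")                   # modified
    (plugin / "inc" / "extra.php").write_bytes(b"<?php // not in manifest\n")   # unexpected
    uploads = root / "wp-content" / "uploads"
    (uploads / "2015").mkdir(parents=True)
    (uploads / "2015" / "image.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "2015" / "file.php").write_bytes(b"<?php // should not be here\n")
    return {"plugin": verify_tree(plugin, manifest), "uploads": php_files_under(uploads)}

if __name__ == "__main__":
    print(demo())
```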

Page 28

How to prevent things like this from happening again?

Page 29

Application firewall

• Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection

• Sucuri or CloudFlare as a service

• NinjaFirewall as a plugin

• Currently I’m using ModSecurity

• Now looking at the rule sets from owasp.org

Page 30

How to detect if it happens

Page 31

Built a custom tool

Page 32

List of all sites

Page 33

General overview of a site

Pages 34-36

Security checks for the site

Page 37

List of all servers

Page 38

4. Acceptance & Hope

Page 39

Things I learned from this

Page 40

Things I learned

• Don’t expect plugin developers to announce publicly that they have or had security issues

• Read the log files more often

• Work proactively on securing my site

• Check out the latest and greatest tools for securing and checking your sites

Page 41

Last but not least: Some questions for you

Page 42

Some questions for you

• What does your host do to protect you?

• What do you do yourself?

• How well is your wp-login.php protected?

• Did you harden your site?

• How secure are your backups?

• Do you know what people are trying to do to your site?

Page 43

Marko Heijnen

• Founder of CodeKitchen

• Lead developer of GlotPress

• Core contributor for WordPress

• Organizer for WordCamp Belgrade

Page 44

Marko [email protected]

@markoheijnen

Page 45

Thank you for listening

@markoheijnen markoheijnen.com

codekitchen.eu