
The moment my site got hacked

1,756 views

Published on

You always think it will never happen to you, but when it does, it’s all hands on deck. My personal site was almost hacked and since then I have actively looked at what I could improve. During this talk I will talk about what I had before and show all the improvements I have made since then. It will be a mix of using the existing tools and my own creation for managing my sites.

Published in: Technology


  1. Marko Heijnen (CODEKITCHEN): The moment my site got hacked. WordCamp Switzerland, Zurich 2015
  2. 0. The Story
  3. I have set things up
  4. Hardening WordPress
     • Strong password
     • VPN access to home is required to log in as super admin
     • Files can’t be changed by PHP
     • define('DISALLOW_FILE_MODS', true);
     • Renamed wp-content folder
  5. Other positive effects
     • A lot of functionality is custom written
     • PHP-FPM with OPcache requires a restart for changes to take effect
     • WordPress Network install
  6. And then it’s all about keeping things up-to-date
  7. Normally I keep everything up-to-date
  8. But one plugin slipped my attention
  9. It all started with an internal e-mail at my job
  10. I started checking to see if I could reproduce it
  11. 😱😱😱
  12. 1. Shock & Denial
  13. Checking the log files showed how they managed it
  14. Checking the log files showed the failed
  15. Log entries:
     • 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
     • 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
     • 202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
  16. 2. Anger
  17. Having that stupid rewrite
  18. Why didn’t I update my plugins?
  19. Why didn’t I have any protection for this in place?
  20. 3. Working Through
  21. Start fixing things
  22. Start fixing things
     • Update all plugins
     • Check the upload directory for more PHP files and delete them all
     • Don’t allow PHP to ever be executed inside uploads
     • See if everything is still untouched
  23. I was lucky I have git, but what about you?
  24. Checksum checker
     • Checks the hashes of your files against the hashes of the originals
     • Not for WordPress core but for your plugins and themes
     • wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
  25. How to prevent things like this happening again?
  26. Application firewall
     • Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection
     • Sucuri or CloudFlare as a service
     • NinjaFirewall as a plugin
     • Currently I’m using ModSecurity
     • Now looking at the rule sets of owasp.org
  27. How to detect if it happens
  28. Built a custom tool
  29. List of all sites
  30. General overview of a site
  31. Security checks for the site
  32. Security checks for the site
  33. Security checks for the site
  34. List of all servers
  35. 4. Acceptance & Hope
  36. Things I learned from this
  37. Things I learned
     • Don’t expect plugin developers to announce publicly that they have or had security issues
     • Read the log files more often
     • Work proactively on securing my site
     • Check out the latest and greatest tools for securing and checking your sites
  38. Last but not least: Some questions for you
  39. Some questions for you
     • What does your host do to protect you?
     • What do you do yourself?
     • How well is your wp-login.php protected?
     • Did you harden your site?
     • How secure are your backups?
     • Do you know what people are trying to do to your site?
  40. Marko Heijnen
     • Founder of CodeKitchen
     • Lead developer of GlotPress
     • Core contributor for WordPress
     • Organizer for WordCamp Belgrade
  41. Marko Heijnen, info@markoheijnen.com, @markoheijnen
  42. Thank you for listening. @markoheijnen, markoheijnen.com, codekitchen.eu
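Slide 15 shows the raw access-log lines and slide 27 asks how to detect this happening. The following added example (not part of the talk and not the author's custom tool) parses Apache combined-format lines and reports an upload-style POST followed, from the same client IP, by a request for a .php file directly in the content folder or under uploads. The sample input is the slide's three entries with the User-Agent shortened; the five-minute correlation window and the "upload" query keyword are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; the extra trailing "-" field in the talk's lines is ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A .php file requested directly in the content folder or anywhere under uploads/ is
# unexpected on WordPress; "content" covers the talk's renamed wp-content folder.
PHP_IN_CONTENT = re.compile(r"^/(?:wp-content|content)/(?:uploads/\S*|[^/?]+)\.php(?:\?|$)")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    # Label one request, or return None for an ordinary one.
    _, _, query = rec["path"].partition("?")
    if rec["method"] == "POST" and "upload" in query.lower():   # assumed keyword
        return "upload-style POST"
    if PHP_IN_CONTENT.match(rec["path"]):
        return "PHP under content dir"
    return None

def find_incidents(lines, window=timedelta(minutes=5)):   # window is an assumption
    """Upload POST then a PHP hit from the same IP within window -> (ip, post_path, php_paths, statuses)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        label = classify(rec)
        if label:
            by_ip[rec["ip"]].append((rec["ts"], label, rec["path"], rec["status"]))
    incidents = []
    for ip, events in by_ip.items():
        for ts, label, path, _ in events:
            if label != "upload-style POST":
                continue
            hits = [e for e in events if e[1] != label and ts <= e[0] <= ts + window]
            if hits:
                incidents.append((ip, path, [h[2] for h in hits], [h[3] for h in hits]))
    return incidents

# Sample input: the three lines from slide 15, with the User-Agent shortened.
SAMPLE_LOG = [
    '202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
    '202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
    '202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
]
```

Running `find_incidents(SAMPLE_LOG)` yields one incident for 202.69.240.177 whose follow-up PHP requests ended in 301 and 404, which is exactly the redirect-then-miss pattern the renamed content folder produced on the slide.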
