1 of 21

My site got hacked! Now what do I do?

2 of 21

Hello

Peter Nikolow

You can find me at:

twitter.com/peternikolow

facebook.com/peter.nikolow

linkedin.com/in/peternikolow

plus.google.com/+peternikolow

3 of 21

4 of 21

WordPress

What can get infected?

5 of 21

WordPress Architecture

  • Diagram components: WebServer, PHP, WordPress, Plugins, Themes, Static files, MySQL, DB

6 of 21

7 of 21

1.

Archives

Plan B in case something happens

8 of 21

Archives

  • WordPress plugin
  • Web hosting panel
  • SVN/GIT/HG
  • Scheduled - daily, weekly, monthly
  • Updates

9 of 21

2.

I Got Hacked

Don’t Panic!

10 of 21

I Got Hacked - how

  • vulnerable themes
  • vulnerable plugins
  • WordPress exploit - rare
  • other sites in same hosting
  • infected themes/plugins
  • Password stealers - WP, FTP
  • Weak or bruteforce passwords - WP, FTP

11 of 21

I Got Hacked - why

  • DDoS attacks
  • SEO - links, content
  • Email sending
  • Drive-by-download malware
  • Get user WordPress data
  • Attack other WordPress sites
  • Phishing - PayPal
  • Ransomware

12 of 21

3.

Cleaning

Don’t Panic!

13 of 21

Cleaning - plan A

  • Restore from backups
  • Update to latest versions - WP, themes, plugins
  • Change passwords - WP, FTP, MySQL, Hosting
  • Change WordPress keys
  • Read security bulletins - theme, plugins

14 of 21

Cleaning - plan B

  • Download all files locally
  • Create WordPress folder structure
  • Download latest versions of WordPress, themes, plugins to that folder
  • Copy all files from wp-content/uploads w/o PHP
  • Delete server files
  • Upload everything to server

15 of 21

Cleaning - plan C

  • Download all files locally
  • Find hacked content
    • base64_decode
    • eval()
    • curl_init
    • wp_create_user
    • include other PHPs
  • Tools - grep, egrep, WinMerge, FileMerge, KDiff, NotePad++, Coda
  • Upload only clean files
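As an added example (not from the slides), a small Python scanner that applies the plan C indicators above and the plan B rule that wp-content/uploads must contain no PHP; the mini site tree, file names and contents it scans are constructed for the demo.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Indicators from the "plan C" slide, as regexes. Obfuscated backdoors
# usually chain base64_decode into eval, phone home with curl, or add
# an admin user with wp_create_user.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "curl_init": re.compile(r"\bcurl_init\s*\("),
    "wp_create_user": re.compile(r"\bwp_create_user\s*\("),
    "include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]"),
}

def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators found in one PHP file."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to root) to its findings."""
    findings = {}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        hits = scan_file(path)
        # Plan B rule: uploads hold media only, so any PHP there is a finding.
        if rel.startswith("wp-content/uploads/"):
            hits.insert(0, "php-in-uploads")
        if hits:
            findings[rel] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Scan a constructed mini site tree (not a real install)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads/2024").mkdir(parents=True)
        (root / "wp-content/themes/demo").mkdir(parents=True)
        # Constructed sample showing the decode-then-eval pattern.
        (root / "wp-content/uploads/2024/image.php").write_text(
            "<?php eval(base64_decode('Zm9v')); ?>")
        # Clean theme file that uses none of the indicators.
        (root / "wp-content/themes/demo/functions.php").write_text(
            "<?php add_action('init', 'demo_init'); ?>")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run it against a local copy of the site with `scan_tree(Path("/path/to/copy"))`; the hits are review candidates, not proof of compromise, so diff each flagged file against the pristine release before deleting it.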

16 of 21

Cleaning - plan C

  • Watch the web server log files for suspicious PHP calls

17 of 21

4.

Hardening

Don’t Panic!

18 of 21

Hardening

  • Secure wp-login.php with username/password
  • Secure xmlrpc.php with username/password
  • Perishable 6G firewall
  • Apache ModSecurity WAF
  • Sucuri, Wordfence, iThemes Security, BulletProof Security
  • Inspect web log files for suspicious PHP access

19 of 21

Hardening

  • Tightening wp-login.php - Limit Login Attempts, reCaptchaSecurity
  • Cleanup unused themes/plugins
  • Watch out for themes/plugins that can no longer be upgraded
  • Watch out for vulnerable techniques - TimThumb, AJAX

20 of 21

Gifts

  • Redirect 410 /folder

    RewriteEngine On
    RewriteBase /
    RewriteRule ^folder/ - [G]

  • Redirect 404 /folder

    RewriteEngine On
    RewriteBase /
    RewriteRule ^folder/ - [L,R=404]

21 of 21

Thank you!

Questions?

You can find me at:

@peternikolow

peter@mobiliodevelopment.com