My year on the front line - cleaning infected sites

Hello again, and welcome back to the second half of the second part of three of the Security, Identity and Privacy mini conf. Right now we have Stephen Rees-Carter here with us. He's been a PHP developer for many long years and still loves working with PHP each day. He joined the security industry back in 2012; he was actually poached at a Christmas party, apparently. He has spent some time cleaning infected WordPress websites. He's working at Wordfence now, and in this talk he wants to share stories from the more memorable sites that he's cleaned, with names changed, I'm informed, including revealing his all-time favourite WordPress malware. So without any further ado, please, a big warm welcome for Stephen.

Thanks. Thank you. So back in 2017 I started working part-time as a security analyst at Wordfence. Last year I moved into the development team as a senior developer full-time, but for the next half hour or so I'll take you through some stories of some of the things that I saw and learned. My laptop just went to sleep. Okay, wake up. Okay. So I'm going to tell you some of the stories and some of the things that I learned while working as a security analyst.

So the first thing to cover, I guess, is what is Wordfence, because the last time I did this talk it was at a WordPress conference, but I'm assuming all of you know WordPress or know what Wordfence is. So it's the most popular WordPress security plugin. We do an endpoint firewall and a malware scanner and, most importantly, we do incident response and we clean infected WordPress sites. So the security analysts, which is the job I was doing, clean the sites that have been infected; people submit their site for us to clean for them.

And so the question is: why site cleaning? Why was I spending my spare time cleaning infected websites? And it all comes down to curiosity. So I don't know how many people work in the security industry, but I'm assuming quite a few, given that this is a security mini conf, but there's a lot of security that's fun; there's lots of
fun things to do, things that pull you in, and site cleaning is no different. In, I think it was 2015, at the PHP Australia conference, I watched Ben Dechrai's 'Writing Viruses for Fun, Not Profit'. I think, yeah, he's on Thursday, right? Yeah, he's doing that on Thursday; it's great, go see it. And so I saw that talk and it really sparked my love of not just the basic stuff but malware and viruses and web application security and that sort of thing, because I hadn't really considered it before. And from that point onwards I wanted to see more malware, more infections, that sort of thing. It was something that I was curious about. And so when I was looking for a part-time job and I came across the job at Wordfence, I thought this sounds like so much fun: looking at real malware, looking at things in the wild, why not? What else could I do? It really pulled me in.

So I applied for the job. But applying for this job wasn't like a normal job application. It wasn't simply just sending a CV, answering some questions, doing an interview and then you get the job or not. There was a second part, and that was cleaning an infected site. So they sent me SSH credentials, an IP address, username and password, gave me a week and told me to clean the site. I should say at this point, however, that up until then I had never actually used WordPress for anything apart from simply installing it via the wizard, and as for any WordPress development, all I'd done was hack together a basic thing. So I really had no idea what I was doing, and the only malware I'd ever seen was the stuff that Ben wrote during his talk.

So the first thing I did was a step that probably everyone would do: I googled it. 'How to clean up a hacked WordPress site'. There is heaps and heaps of stuff out there. A lot of the security vendors, including Wordfence ourselves, have user guides and things for cleaning up sites, lots of information there, and there's plenty
of independent researchers and analysts that also clean up sites and have information online as well. So I spent a couple of hours looking through that, trying to wrap my head around what I could do, all the things there that I could learn and try and take in that I could do for cleaning a site.

Once I'd gathered as much information as I possibly could, I logged into the server and I backed up absolutely everything. I did this for two reasons. The first one was that if I accidentally deleted a file that wasn't infected and it broke the site, I didn't want to have to go back to Wordfence and go, sorry, I kind of broke the test site, can you fix it so I can keep cleaning it? That's just an instant fail; I would have been out. The other reason is back to curiosity, in that if I didn't pass, if I missed something big, I wanted to know what it was. I wanted to go back in and look at the code again and see what the malware was that I didn't find the first time around, because again I was curious; I wanted to see what was going on there. So I backed up all the files, I backed up the databases, and once I was happy with that I started looking for anything strange and unusual.

So if you're cleaning a known application like WordPress, you'll generally find things should be where they're supposed to be, and so you can look at a directory listing, for example. This is the WordPress default directory listing, and you can look in here and you can try and see if there's anything strange or unusual that shouldn't be there. So can anyone notice anything in there? Just shout out. Yep, everyone's getting it: wp-hello. So wp-hello.php sitting in there. If you haven't found it yet, it's unusual for three reasons. First of all, if you know WordPress you'll know that wp-hello is not a core file; it should not be there, and the fact that it's got wp- in front of it says it's trying to hide as a WordPress core file, so immediately that's a red flag. Secondly, the date. Now, every other file and
directory was modified on the 30th of May; this one was the 25th of September. Why was that changed on a different day? Now, it could be an update of some form that's only changed that file, but again it's suspicious and it needs to be looked at. Oops, I forgot to move that out of the way. And finally the file size: that 26 at the start says it's only 26 bytes. Everything else in here is hundreds, thousands or even tens of thousands of bytes big; that's only 26. And from memory that file was a PHP open tag, eval, and then a GET parameter, so it was a remote code execution, nice and simple.

And so I spent a bit of time looking through WordPress, looking for all the different bits that shouldn't be there, that were a bit unusual and odd, and removed a bunch of stuff. Once I'd done that I thought, what the hell, I'm going to install Wordfence. So I installed Wordfence, the company I was applying to for the job; I installed it on the thing and ran through the high sensitivity scanner, and it found a bunch of things to delete, things to clean up and revert, and I went through it until it said the site was clean.

And the next thing was to work on the database. So when you're cleaning databases you're generally looking for injections in the post and page content, because that's the biggest payoff. So they're trying to get SEO spam links in the pages, or they're trying to get code to run in the browser, say crypto mining. And so for example, if you look at this you can see you've got the page content, so it's a blurb about an emergency services chief from Springfield, and there are two different spam links in there, and what they're trying to do is get the search engine rankings for that link up high for when you're searching for 'cheap pharmacy' or 'generic pharmacy online'. And they're using different tricks: the top one's throwing the link off to the top, as far left as it can, and the second one's just display: none. So they're trying to hide it so that the user, when they're visiting the site
and actually whoever is at the site, they don't see the links, but the search engine should see it. And finding this sort of thing is quite easy when you know the keywords to look for. So you've got viagra, porn, Cialis, weight-loss, casino, et cetera; it goes on. There's a huge list of terms that you generally only find on a website when you're looking for SEO spam links. The exception, however, is pharmacy sites, because all that sort of stuff shows up on them as a function of the site, and it's hell, it is really hell, to clean a pharmacy site when it's got SEO injection, because you don't know what's supposed to be there and what isn't supposed to be there. Yeah, bad memories of those ones. They take hours. Manually cleaning an SQL dump and then uploading it is not fun, especially when you miss a quote somewhere.

Anyway, so these are the basic steps that I followed to clean the site, and I submitted it and waited and waited and waited, and eventually heard back: I got the job. And I managed to get a hundred percent on the test, which I was quite amazed at, given I'd never done it before. I mean, clearly my steps work, probably the first one more than anything else. So I got the job.

All right, this bit, so I glossed over it in there a bit, but how did I get admin access into WordPress? Does anyone know much about getting into WordPress admin accounts? Any ideas? You know all the answers. I changed the password; that is the method I used. So WordPress passwords: by default WordPress saves it as a salted hash, and the top three up there, it's the same password hashed three times, and so salting means it's different each generation. I can explain that more later if anyone wants to know about salting. But the bottom one is an MD5 hash; it's the same password hashed three times, and it's come out exactly the same. And so what I did was I set up my own password MD5 hash, threw that into the database, logged straight into the admin account and I was in. Gave me what I needed. Does anyone have a clue what that bottom password is? Just a
guess; it should be fairly easy. It's easier than that, come on. Have I not heard it? Someone over there said 'password'. Yes, 'password'. That's an easy one.

Okay, so the first thing that I had to deal with when I started working as an analyst was this vulnerability: an unauthenticated page and post content modification via the REST API. And what this allowed you to do was send an API request to any WordPress site running these versions and you could modify the page and post content without any authentication whatsoever. It was quietly fixed in WordPress 4.7.0, no, 4.7.2, on the 26th, close enough, it's on the slide anyway, the 26th of January, and then six days later they disclosed it. So they waited for automatic updates to propagate out across the WordPress network, for it to update the sites; they didn't want to wait too long in case someone else discovered what was going on. The thing about this vulnerability was it was absolutely trivial to automate. As I just mentioned, it's an API request, so all you have to do is hit every WordPress site you can find with an API request and see if it happens. And plenty of WordPress sites have automatic updates disabled or broken, and the sites that have them disabled or broken generally often don't actually check for updates every day, which is bad. So if you run WordPress, enable automatic updates, please. There's usually very little reason to not allow automatic updates, and there are ways around most of the reasons for not, and if you really can't have automatic updates then just check every day or every hour, because this stuff is bad. Luckily it was trivial to clean, because those attacking it were doing the same thing on every site they found, and so we had a couple of scripts running around internally; we could just upload the script to the server, run it, and it would go through the database and clean it out, those SEO spam links from the start, that sort of thing,
which are trivial to find using a regex in a global find and replace. So easy enough to deal with, but we saw a heap of stuff from that one.

And on the subject of accessing the database, it can actually be quite trivial. So shared hosting providers: if they get permissions wrong, you can read all the files in everyone else's accounts. If you read someone else's wp-config file, you have access to their database. Once you've got access to that database it's basically game over; you can do whatever you want with it. There's a couple of hosts that have had permissions set up wrong, configuration problems, that we've worked with, about five or six now, and they've all been really responsive. So the good news is shared hosts are generally very responsive when there's a problem; sometimes they just don't know about it. And as part of our site cleaning process we actually check for this on sites, and we work with the hosting providers and chat to them directly to help fix the problem.

So one thing, when I was cleaning a site, I found this lot, and it's a bit hard to see on that screen. What we've got here is basically the patient zero for that permissions problem. They've infected this WordPress account and they've gone through all the other accounts they could find on the server and symlinked the config files in all those other accounts into a single directory, which they then enabled directory indexes on. And so then the control server, all it has to do is hit this one page, go through all the different config files listed there, harvest the database credentials, then go through all the different databases on the hosting account, or across the hosting fleet when you've got network file shares set up and permissions wrong in there, and then you can infect the entire hosting provider and change whatever databases you want. So that was an interesting one; a lot of cleans came through that.

So I mentioned at the start, backups are so important, and I think backups are essential,
especially when you're cleaning sites. So I was cleaning a site one day and the FTP was really slow and kept disconnecting. The main control panel was a custom job and it was kind of slow and painful, and the web file manager, it was terrible, and the customer had 80 gig of photos on their site. So I tried moving them, and then copied the site files over to our cleaning server and left the photos on the account, and then tried to move everything back again at the end, and somehow managed to delete about 15 gig of their files, their pictures. That wasn't fun. So in that situation what I should have done was made sure I had a backup of everything. It was going to take hours and hours, but when you're cleaning a site, doing that sort of thing, you've got to take the time. The customer would much rather, in hindsight, know that you're taking an extra five or ten hours cleaning their site than have you do it quickly but then lose half their stuff.

So on the subject of things being essential, we have access logs, and a lot of hosting providers either don't provide them, or they have access logs and they're rubbish, and that makes it a problem, because if you don't have access logs you don't know what happened. And so my suggestion is, if your hosting provider doesn't have access logs, then find a hosting provider that does, because if they don't have them, then if you get infected or something happens you've got nothing.

So we're looking at some access logs now. What we've got here is a fake theme upload. So I was cleaning this site, I found that db.php fake theme in the files, flagged as a malicious file when I was cleaning, and so I looked in the logs and found this. So you can see at the top that the attacker has logged in to the admin panel, so they somehow had the credentials, by whatever method they used. Once they were logged in it's trivial: they just went to the theme install, they uploaded their new theme, the theme's in there, they've got their backdoor,
they're happy, they've got what they need. It happens on plugins all the time too. So again they've logged in at the top, then they've uploaded the new plugin, they've activated it, and then at the bottom they're testing it. And it's worth pointing out the plugin name, Akismet, here. You're probably not familiar with that unless you're a WordPress person, but Akismet is a default plugin that comes installed on WordPress and it does spam comment filtering, and you often see fake plugins called Akismet, and all sorts of variants on the Akismet name. I think one site I was cleaning had five different copies of Akismet. And they'll often use those well-known plugins, usually Akismet, to hide the fake plugin, because a user doesn't know any better. They're going to look at their plugin list, see Akismet and go, well, that's fine, keep moving. They'll even see Akismet, Akismet, Akismet and go, meh, who cares, keep going. Oh really, it's Akismet, wow. Plugin, fake plugin.

And what they've done here, once they've activated their plugin, they're checking that it's going to work, and they keep going. So then they ask their fake plugin here: download code from this page and save it as that, with the update; then they request that. And what they've got here is a way to bypass firewalls and scanners. Their fake plugin is very minimal; all it's doing is providing a method to download code from another site and save it as a file, and then the payload that they're getting from that other site is the one that actually has the malware, that does all the work. But they don't need to get all of that through. So there's a whole big lot of stuff that it's going to be doing, but they don't need to get that through the scanners, because to download that one they're making an external request out from the account, and the firewall or the scanner isn't checking that; it's checking for incoming requests from users hitting your site, which they've bypassed, because all they're doing, all their code
does, is grab something from over there and save it, which is a lot simpler than all of the other malware functions they need to do. I mean, you can see from the log at the bottom that this malware author likes to update their stuff multiple times a day, and they kept doing it multiple times a day for a couple of weeks, which means this malware gets updated a lot more than a normal WordPress plugin, which is kind of entertaining.

And this one, it's a bit of a different one. So what they've done here is that the attacker has found a fresh WordPress that hasn't been set up yet, and they've worked through the setup on their own, probably using their own external database somewhere; they don't really care about the database, they're after the files. So they set up WordPress, they create their own admin account, they log in to their admin account and they upload their own malware, and now they're into the fresh version of WordPress, they have their files on the server. What they can do is delete the config file, clean it all up again, and when the user that uploaded this copy of WordPress finally gets around to installing WordPress, it's too late, it's already infected, but they don't know it because they're going to come back to the fresh install screen. And so any time you're doing a web application install of some sort, be ready: don't upload the files, then go off and talk to support for an hour to try and get database credentials or any of that sort of nonsense, and then go back to your site and install it; at that point it could already be infected. If you check the timestamps here, what we've got is 14:54 up to 14:58, so there's, what, four or five minutes in there it took them to do all that, and they could automate it a lot faster if they wanted to as well. So it's quite trivial, if you find a fresh version of WordPress, to infect it and then clean it up so it doesn't look like you were there.

Oh yeah, so we move on to my favourite malware. So it started
off as a normal site clean. We'd installed and set up Wordfence, sorry, not even that, the site already had it, so we set up Wordfence and enabled the high sensitivity scanner, which looks for anything unusual, more than the normal scans, and then: no results found. Which happens, but it usually means that there's something new or something unusual in there, and that's one of the reasons we clean sites: to find new malware so we can harvest it. So I copied all the site files over to our cleaning server, which runs all the things that Wordfence does but also has a whole bunch of advanced heuristics as well, extra things that we don't put into the plugin, and it found three changed files. Now, these aren't files that are zero-day something; these are files that Wordfence should have told us about, because these are files that it knows are there, it knows what they are, it knows what they should look like, and they're different. And the question is why did Wordfence miss these changes? Why didn't it find them, and why did our cleaning server spot it?

So I looked at the wfScanEngine file and discovered this. So at the very top we have, it's telling, and so the wfScanEngine file is a Wordfence file; it powers our scanner, which is the bit that should be finding files. And at the very top they're telling Wordfence: ignore these files, there's nothing to do with them, you don't want to know about them any more. And then it says, for the class-wp-upgrader file, generate a fresh hash of the current version that you have, shove that in as the known file, and then use that to scan. So what they're telling Wordfence is this file hasn't changed, and the other two, just forget they even exist. And so Wordfence didn't see any problems, didn't report anything, everything came back clean, because it was hiding from itself.

So what were they hiding? So this is in the wp-blog-header file, which again, if you know WordPress, you probably don't, um, is the file that gets called
basically first after you go through index.php, and so when the request comes in this file basically handles things first. And so what they're doing here, if you pass through the conditions at the top, which basically strip out requests for images and other such things, is it grabs the full request and it sends it off to their server, and then at their server they generate the page, they send it back to the site, and the site renders it and finishes, or if there's a redirect it does the redirect and finishes. So the site is now a proxy. Their site is doing all the work, it's rendering the pages; this customer site isn't doing anything, it's just rendering what it's told to render. And when I found this one, what they were doing with it was cleverly updating the site menu to inject SEO spam links, but in such a way that they were really hard to spot, because it was done very well, and something that would be quite tricky to do on the site itself. And when I was looking through the code, I couldn't find anywhere in the code the terms and strings that were used in their links, because it wasn't there; it was on the server that they're running, and all this is doing is proxying the data and serving the page through. This is quite sophisticated, and the infrastructure they would need to have set up is quite impressive too, if you think about it: all the sites they infect are proxies now for their server, so that server is needing to handle requests from every single site they've infected, so they have a pretty decent setup running to handle all of this. But it gives them full control over everything that the user accesses and the site can see, and they can redirect them wherever they want. So it's quite clever, and it still has minimum impact on the actual site itself.

And so the files there: one, as you saw, was hiding from Wordfence, and the third file was the class-wp-upgrader file, which is the file that handles updates in WordPress. So at the top there it was
looking for any WordPress updates, and if you're trying to update WordPress it was stripping the two files that they had changed out of the update, so they wouldn't get updated, which would persist their changes in those files. The second bit is looking for any updates or installations of Wordfence, and it's looking for the wfScanEngine file and injecting their changes into that. So unlike simply ignoring the file, apparently we change Wordfence more than core WordPress gets changed, so they're re-infecting it based on a line that they knew was in that file, and this was how they made sure that all through updates and things it still remained infected. And it's worth pointing out that a lot of malware does get damaged and wiped out during updates, if it happens to be in the files that are getting updated at the time, so it's a legitimate concern they had for why they did this, and it shows, as I said, a high level of sophistication. It's pretty nifty what they were doing, and it continues to evolve. So as part of our job, as I said before, we collect malware we haven't seen before, we write signatures for it, and when we came across this one we updated Wordfence to detect it using signatures, and also changed the way that we handle unknown files and made our changes so that we could properly detect the malware on the site. But they're running Wordfence, and probably Premium Wordfence, on their test site, so they updated their malware to bypass our new blocks and made changes, which of course we found, and, yeah, it just keeps going. So the current status, when I wrote this slide, the last time I checked, was that we're winning: the last time we found it in the wild we detected it. That may change tomorrow, and I don't know if the guy doing this is still doing it or not; I don't know if it's becoming too expensive for them, given we keep blocking them. But anyway, we'll see how that goes.

Yeah, we do hash the files. So
what we do, yeah, sorry, the question was do we use MD5 sums or something like that. And what we do for all the WordPress core files and all of the plugins and themes, everything in the WordPress repositories, is we grab a copy of all the files and we hash them using a couple of different hash methods, and we have a database of every single version that's been there and all the different hashes for that. And so when the scanner runs, it reports to our server and says I'm running this configuration, these version numbers, these plugins, and the server sends all the hashes through to the plugin. The plugin then runs through the hashes that it generates of the files it has against the hashes from our server, and it tells you what the mismatches are, and that's how we figure out the changed files. So that's what should have picked up those three changed files to start with.

So sometimes you find code that looks like this. So can anyone tell me what's going on in here? I saw your hand go up. Anyone else? Because I have a feeling you know WordPress. Yep, nice, I like you. So I did this at a WordPress conference and they were trying to analyse the code for what it did, but they missed the obvious. The colour is quite good, it has to be said, but to make it a bit clearer, we've stripped out all of the comments. That's the code they've got that's actually running, and we've just condensed it down a bit more. So what they're doing here is they're trying to hide basic function names that they use in their malware within comments and obfuscation, to make it harder to detect with a very basic string search. So base64_decode: it's pretty basic, it decodes base64 strings, and that gets used a lot for payloads and things, pumping it through URLs or sending it to the site; it's a way to try and bypass firewalls and scanners and such. And assert, which if you know PHP is basically the same as eval; it does everything eval does, and for some reason malware authors seem to think we
don't know about assert. They use it instead of eval, which is stupid, because we know about both, so why bother? Anyway, so yeah, that's what they're trying to do, is hide them through there. But when you don't have code formatting, it's a lot harder to see; if you see that, unless you know what you're looking for, you're not going to spot the bits. But if you go here, it's immediately obvious, because you've got code formatting.

And sometimes malware is just weird or funny. So this one we find a lot, and every time we find it there is a different block of Harry Potter in it. The malware itself doesn't change, the structure is the same, and it's trivial to find, the scanners pick it up instantly, but the block of Harry Potter is always different. Collectively we've probably got at least one or two of the books in our database; we'll probably get a copyright infringement notice from Pottermore soon.

Okay, so now the epic tale of the persistent attacker that almost stumped us completely. So it started off as usual: a customer site was infected, we cleaned the site, they didn't have access logs enabled, so we enabled access logs, as we do, and we sent the report, and I think we told them to change the password. The customer was happy, they changed the password. A week later they were reinfected. Now, this is fine, because this does happen sometimes, and we actually have a 90 day guarantee, so if your site's reinfected within 90 days after cleaning we will re-clean it for you. So we cleaned the site again. And we also keep a copy of the originally infected files for about 30 days after a clean so that we can compare any reinfection. So we checked the original copy we had against the new malware that we found, and we confirmed that it was indeed a reinfection; it wasn't simply files that we'd missed the first time for whatever reason. So we checked the access logs, because, you remember, we enabled those, and we could see the new malware being accessed on the site, but it wasn't being
created. So there wasn't anything obvious in there as to how that was being created. We looked in the database, looked for anything strange or unusual, MD5 hashed passwords, that sort of thing: no injections. So it looked like the database was safe and they weren't getting in through that. We checked the plugins, because plugins can set up crons and automated things and there could be something in there that may be creating the malware: nothing in there. And we checked cPanel, because cPanel is really good in its logging: it has access logs, which are great, it also has FTP logging, and it logs the logins to cPanel itself, so you can see who logs into your cPanel. And we checked that, and all we could see was our IP address and the customer's IP, and there was no FTP activity at all since we'd last touched the site. So we didn't really know what was going on at that point.

So, as I said, we cleaned the site and we decided to watch it closely and see what would happen. It was reinfected within minutes, which was odd. We weren't sure what was going on, but we had a hunch that the problem wasn't the site, that it was something to do with the server, maybe the server's been compromised or something. So we deleted everything from public_html. We told the customer, obviously, what's going on; they were happy, because their site was infected quite badly, so they let us do what we needed to do. We watched it, and a file was created pretty quickly in that folder. So we confirmed that they were getting in via something other than the site itself, and we changed all the passwords at this point as well, so they weren't logging into FTP or anything, which we have logs for, as I also mentioned. So we deleted that malware again and watched it very, very closely this time, and managed to spot something for a second there, and suddenly we realised this host supports SSH. Now, some hosting providers don't tell you they do SSH, but they actually do, and they hide their
port numbers on some of them skewer help page somewhere in the middle of nowhere that it's really hard to find and so when eventually figured out the port number and logged in we found a whole bunch of assistant connections from the attacker over tor and so persisting a whole bunch of connections so that didn't matter how many times we changed the passwords deleted a public key did anything else like that they could reconnect because they had multiple connections running in so the solution for that one was to jump through all the different required hoops to talk to the hosting provider and convince them that yes we are working with the customer and got them to kick everyone out of the server virus on ssh well we changed Parsons and things and managed to get them out and the site's been clean ever since that one felt good when we finally got that done okay so coincidences are unlikely when you're dealing with security and especially in site cleaning so we have a select channel that we we talked about what we're working on when we're cleaning sites and the different things that we can see and so one day in October so I should point out that this story I wasn't involved in directly but it's a good story so I added it in here so in October one of the site analysts said in the channel this seems to be a script to brute force remote sites from the infected one and posted a snippet of the malware that they found on the site and you know we get that all the time so just an interesting curiosity but we kind of move done a little while later a month later we had this one come in so if I'm not wrong this malware sample is a wordpress brute force ax it takes a few word lists hosted on the same server and poked and some post args and attempts to log in via XML RPC so again we have this as an iteration of what we saw the first time because I posted the code as well and we could see it was similar and so suddenly you're looking at something bigger than just a one source sort of 
thing and then I was checking chatting to Mikey who is a threat analyst that did the report he said that it happened to be discussed in channel like 15 minutes after Brad let me know about some interesting user agents we saw in the logs that day so Mikey Mikey and Brad were investigating something in a log some user agents in the logs when that second message came through in the cycling channel and it all joined together because what they were singing the logs were a whole bunch of failed logins for a bunch of user agents that didn't make sense so I've down here you know got the box the user agency commonly see for the WordPress mobile apps now the things about mobile apps is you install it you log into it then you use it and then you come back in your user and you use it you don't log in again and so it is very unusual to see failed logins from mobile apps because users aren't constantly typing in their passwords screwing it up and then figure out the right password and type in in there using their thing and so they were seeing a whole bunch of failed logins not not an insane amount to raise alarm bells but a lot across our network which was quite unusual and couple that with finding malware that was brute-forcing WordPress sites they realize this is part of the big picture and it was all connected and so we analyzed the the malware sample here and you can see at the top that where I'm it's grabbing word list so it's getting the word list from the control server and it's getting the domains that it needs to brute force and it's building a brute force request so a bunch of different API requests to send to WordPress to try and see if we can get out the password and interestingly enough it's using the WordPress API rather than login page because people rename the login page and thinks that stops brute-force attempts which is rubbish because you just use the API it's simpler and quicker and faster so anyway so that yes so that neared the Maui and started joining the 
dots there we go okay so and figured out what was going on here is that they were compromising a wordpress account installing their brute force script using that to brute force all the other accounts they they could find till they got valid credentials then installing their bread file script on those accounts and continuing to go so Mikey was investigating and managed to get an IP address and visited it and found a login screen but because he's a bit crazy he was looking at the raw request and realized that yes it's redirecting to the login screen but it's also has the full content of the page at the bottom as well so the forgotten to die or it's a login pages masquerade or something but the point is he wrote a little script ripped out the redirect I had full access to their control server and from that we're able to figure out exactly what was going on to publish the details on our blog they're linked up there if you're interested well after we published it the botnet went silent so either we stopping how to detect it why they changed some things or they gave up and we got dosed for a couple of weeks oh we're still online so you know it wasn't too bad but it was entertaining and clearly we pissed them off so that was fun okay and so I just like to leave with something fun so I'm Becky malware so when you're unpacking malware you generally get to it come on here we go I can load thank you and you'll find anything kind of saying hey Biff a 64 so you're going to code it and this is more encoding under it so it's when you're wrapped in another layer and you unwrap it again and again and by this point you're kind of getting a bit annoyed having to go through all these different layers until eventually as you keep going you get to something so utterly insignificant it's completely pointless thank you checking is this microphone working yes I've got a couple minutes for questions anyway Eddie blue shirt just walked past him hi thanks for the awesome talk have you ever 
seen the targeted to talk on some company not in the site cleaning so much because generally we're reacting to sites that have been attacked but as in some of those logged cases there were no evidence of how they got the users password so it's possible that the user the same in was targeted to harvest their credentials and then they were use to log into the account but because we're mainly cleaning sites on demand we don't see that side of things as much thank you wonderful talk does law enforcement ever you know get involved like if you see coming from one IP and it's recurring and stuff like that yes so for the the site cleaning where the customer sign up through the site for example we don't generally deal with law enforcement unless the customer wants to get them involved but we also work with with a number of clients who've had big hacks and big companies and things where we will work with law enforcement new things of that so I get it depends on hands on the situation as you know as to what we do and in what the customer wants to do but we've definitely worked Florida possible before in order to provide the information that we've gathered from an investigations yeah and that's part of the innocent response that we do what's your recommendation you get customers sources run things like trip wire at the host level that's re your recommendation also get customers to run things like trip wire as well just pick up on change the files yes the question was what's the recommendation for anything like trip wire and um yeah definitely if you've got the facilities to run that and manage it then go for it one of the things about wordfence and I don't want to see your sales pitch but just want to say that as we look for change files and things and so even if you can't go down the head the trip wire route or whatever their security plugins can look for changed files and things and be modified and so you can use other tools like that have a wordpress plugins to help look 
for things but definitely run run tools that can identify changes cuz you know to start when I showed the Adobe hello for example the farm modification was an important factor in there and so looking for change files is very important yeah that answer the question layered security defense yeah so layering lots of different yeah exactly so just for the for the recording yes so layering security things like you fail to ban and using scanners and files and a lots of different things to try and pick up as many as possible rather than just relying on a single solution thank you for an excellent talk I do ever work with national certs and other organizations that try and help people get help for compromised sites and in particular really good security communities around like sands and other people who are constantly seeing threat actors and constantly seeing organized campaigns and across the world and interactions and knock-on effects and all that kind of thing the question is do we work with our new large security organizations like sans and government and national search independent organizations national search um I'm not sure if we do too much of that that's kind of outside of my area at the moment I mean I was I clean again it was just kind of reacting to the sites who are given to set to work Ruth but we're definitely open to working with any security bodies and things that want to work with us and if there ways that we can we work with them then we'll look into it definitely and yeah we published the research on our blog so that you know to encourage other other vendors to use the information that we can provide so yeah we were definitely open to it I just don't know if we do much of it at the moment without the typical financial motivations you see from where it occurs like search engine optimization was one but did you see any other ways the attackers benefit from making the attacks um are there heaps of if the ways that a curse can benefit from making attacks 
wanna yeah SEO search engine optimization sorry yes iam objection he's a big one when you're modifying the database and so you accidentally and that all you've got like crypto mining and so often they'll throw a script tags in and run crypto miners so they can make money you know cryptocurrencies through that and so they'll inject you know so when a visitor accesses the infected website it's gonna be running a crypto minor which is then you're getting them cryptic Oien and you also you say your phishing phishing pages so you'll get sites where the sub directory is set up to look like say a Google login page and then they can redirect the user to that which acting log in the Google credentials and a couple of times I've found text files that have got a list of Google credentials and had to delete those ones nice and safely cause a whole bunch of you know cran shells that sort of thing and so that's that's quite common as well the botnet at the end if you can you know compromise enough sites build a button and a wordpress things you can control and get it to do whatever you want not just brief us over size but you could get it to you know to started dos for example or do things like that you know ultimately if you can can you can compromise the WordPress account you can do with it anything else you've got access to signing a city on the Internet and yeah it's in PHP it's got limitations but you can still do quite a lot from that and if you've got enough sites you know it gives you a lot of scale to play with ok I have a question which is what proportion of compromises do you see that are coming in through WordPress versus coming in through the operating system so you had an anecdote of people having persistent SSH connections in yeah and I got the impression that that was the odd one out that's not nearly as common as compromises through WordPress one way or another through plugins or anything yeah sorry for that for the SSH connection there what they would have 
needed to do is get the cPanel password because that would have allowed them I seem like that's all they could have got and yeah an SSH key on there as well I think would be half way to get it in so the cPanel password means I would have had to compromise the users security somehow maybe they used a dodgy password I don't know if they used an SSH key managed to inject that through the web application if if the cPanel can permissions let them do it then that would have been a compromised through WordPress and I mean WordPress core itself it has very little in the way of compromised vector unless you talk about one of the vulnerabilities which as I mentioned the start there was that one off the API but often you'll find compromise has happened through in to vulnerable plugins and themes things that have been updated and so we're still seeing things like Tim thumb and Rev slider and a few others that are vulnerabilities that existed years and years ago and they're still around because people have an update of their science and so the biggest cause of wordpress sites being infected is they haven't updated their site and they're still running an old or something and dodgy passwords I don't I don't know which is more which is high dodgy passwords I haven't updated the side it's kind of yeah the interesting to actually study the statistics of that sort of thing I don't know if we really collect it yeah we probably should it's a good question thank you very much Steven I have to say that whenever I hear anything to do with hacking and vulnerabilities and how bad people think I get really excited those fantastic tool thank you thank you [Applause]
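The detection signal the talk describes for the XML-RPC brute-force botnet is failed logins arriving with the user agents of the WordPress mobile apps, which normally log in once and then reuse a stored credential. The following is an added example, not code from the talk or from Wordfence, that runs that check over a few constructed login-audit lines; the line format, the user-agent prefixes and every IP and username in it are assumptions made for the example.

```python
"""Spot failed WordPress logins that arrive with mobile-app user agents.

Added example (not from the talk or Wordfence). The official apps log in once
and then reuse a stored credential, so a stream of failed logins carrying their
user agent is worth alerting on. The audit-line format and user-agent strings
below are constructed assumptions, not a real product's format.
"""
import re
from collections import defaultdict

# Assumption: the mobile apps identify themselves with these user-agent prefixes.
MOBILE_APP_UA_PREFIXES = ("wp-android", "wp-iphone")

# Constructed audit-line format: timestamp ip "user-agent" endpoint result username
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<endpoint>\S+) '
    r'(?P<result>OK|FAIL) (?P<user>\S+)$'
)

# Constructed sample: one browser login and one app login that succeed, a single
# browser typo, and a burst of XML-RPC failures from two sources claiming to be the app.
SAMPLE_LOG = """\
2018-11-04T10:00:01Z 198.51.100.7 "Mozilla/5.0 (X11; Linux x86_64)" wp-login.php OK editor
2018-11-04T10:00:04Z 198.51.100.9 "wp-iphone/11.0 (iOS 12.0)" xmlrpc.php OK editor
2018-11-04T10:00:05Z 203.0.113.5 "wp-android/10.3 (Android 8.0)" xmlrpc.php FAIL admin
2018-11-04T10:00:06Z 203.0.113.5 "wp-android/10.3 (Android 8.0)" xmlrpc.php FAIL admin
2018-11-04T10:00:07Z 203.0.113.5 "wp-android/10.3 (Android 8.0)" xmlrpc.php FAIL administrator
2018-11-04T10:00:08Z 203.0.113.5 "wp-android/10.3 (Android 8.0)" xmlrpc.php FAIL wpadmin
2018-11-04T10:00:09Z 203.0.113.77 "wp-iphone/11.0 (iOS 12.0)" xmlrpc.php FAIL admin
2018-11-04T10:00:10Z 203.0.113.77 "wp-iphone/11.0 (iOS 12.0)" xmlrpc.php FAIL admin
2018-11-04T10:00:11Z 198.51.100.7 "Mozilla/5.0 (X11; Linux x86_64)" wp-login.php FAIL editor
"""


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_mobile_app(ua):
    """True when the user agent claims to be one of the WordPress mobile apps."""
    return ua.lower().startswith(MOBILE_APP_UA_PREFIXES)


def failed_app_logins(log_text):
    """Group FAIL entries that carry an app user agent by source IP.

    Returns {ip: {"count": n, "users": sorted usernames tried, "agents": sorted UAs}}.
    """
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "agents": set()})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["result"] != "FAIL" or not is_mobile_app(entry["ua"]):
            continue
        bucket = per_ip[entry["ip"]]
        bucket["count"] += 1
        bucket["users"].add(entry["user"])
        bucket["agents"].add(entry["ua"])
    return {
        ip: {"count": b["count"], "users": sorted(b["users"]), "agents": sorted(b["agents"])}
        for ip, b in per_ip.items()
    }


def alerts(log_text, threshold=2):
    """Return (ip, summary) pairs whose app-UA failures reach the threshold, worst first.

    Any failure from an app user agent is unusual; the threshold only suppresses
    a single mistyped password on a freshly installed app.
    """
    summary = failed_app_logins(log_text)
    flagged = [(ip, info) for ip, info in summary.items() if info["count"] >= threshold]
    flagged.sort(key=lambda item: (-item[1]["count"], item[0]))
    return flagged


if __name__ == "__main__":
    for ip, info in alerts(SAMPLE_LOG):
        print(f"{ip}: {info['count']} failed app logins, users tried {info['users']}")
```

The browser typo from 198.51.100.7 is deliberately not flagged: the point of the check is the user agent, not failed logins in general, and a real deployment would feed it whatever login-failure record the site already keeps (the web server's access log alone does not show whether an XML-RPC call succeeded).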
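The Q&A recommendation is to run something Tripwire-like that reports changed files, which is also how the reinfection in the SSH story was confirmed (comparing the new files against the kept copy of the original infection). Here is an added example, not code from the talk, from Wordfence or from Tripwire, of the minimal version of that idea: hash every file under a document root into a manifest kept outside the web root, then diff a fresh manifest against it. The directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
"""Tripwire-style change detection for a WordPress document root.

Added example (not from the talk, Wordfence or Tripwire): hash every file under
a directory once, store the manifest outside the web root, and later diff a
fresh manifest against it to list added, modified and removed files. The
sample tree in demo() is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path relative to root (with '/' separators) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(baseline, current):
    """Return {'added': [...], 'modified': [...], 'removed': [...]} with sorted paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest, path):
    """Persist the manifest as JSON; keep this file outside the web root."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, content):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed walk-through: baseline a tiny site, then simulate a reinfection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/themes/demo/functions.php", "<?php // theme\n")
        manifest_path = os.path.join(tmp, "baseline.json")  # outside public_html
        save_manifest(build_manifest(root), manifest_path)

        # Simulate the kinds of change the talk describes: a dropped file,
        # a modified theme file, and a file that disappeared.
        _write(root, "wp-content/uploads/cache.php", "<?php /* dropped file */\n")
        _write(root, "wp-content/themes/demo/functions.php", "<?php // theme\n/* appended */\n")
        os.remove(os.path.join(root, "wp-config.php"))

        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it on a real site by calling build_manifest on the document root right after a clean, saving the result somewhere the web server cannot write, and diffing on a schedule; a new PHP file under wp-content/uploads, as in the demo, is exactly the kind of report that would have shortened the hunt in the SSH story.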
Info
Channel: linux.conf.au
Views: 4,343
Rating: 4.8441558 out of 5
Keywords: lca, lca2019, #linux.conf.au#linux#foss#opensource, StephenRees-Carter
Id: dzuQYV-diZg
Length: 41min 28sec (2488 seconds)
Published: Tue Jan 22 2019