Sucuri Webinar Q&A HOW TO CLEAN A HACKED MAGENTO WEBSITE. with Cesar Anjos

Transcription

1 Sucuri Webinar Q&A HOW TO CLEAN A HACKED MAGENTO WEBSITE with Cesar Anjos 1

2 Question #1: What security plugins do you recommend for Magento? Answer: Most important is a two-factor authentication plugin, most magento attacks have a starting point on the backend so if that area is fully locked down this simple step will go a long way to keep the website secure. On sites with big stagg it may be also useful to get admin actions log plugin. A good external firewall should have all that s necessary. Question #2: If we check our Magento version, it says security patch 8788 does not exist. How can we check if our website is secure? Answer: Best way is to rely on magereport.com as they will analyze your site for any missing patch or vulnerable areas that the attackers exploit. Question #3: Where are the most common places to find malware in Magento? Answer: As most magento sites are used to steal private information from your clients a quick look at the footer, header, and miscellaneous HTML area through the backend areas such as blocks and design configuration should that alone be a big step on finding the malware. It can also be spread through javascript files that belong to magento s Core as well as some of the files that handle the checkout process directly. Question #4: If I cannot patch my Magento website in time, how does the firewall help? Answer: The firewall has virtual-patching that automatically protects your site against all the vulnerabilities that a patch would fix, so even if you don t apply the patches your site will already be protected. Here s an overview as well as more info:

3 Question #5: Is changing the checkout name a reasonable prophylactic measure? If attackers are looking for checkout or firecheckout, would naming the page something else like /makeyourpurchase/ make it so the malware might not work? Answer: It may work, but only to a very limited degree. It s just very easy for the attackers to find out what you changed it to so the attackers can just adjust the malware. Question #6: Does PCI offer any guidance for incidents? Answer: There s several good information that can be obtained from pcisecuritystandards.org, such as Sucuri also has a few great articles worth checking out on PCI subject: Question #7: How often is Magento targeted by hackers? Is there a report about it? Answer: Magento is not a big target when compared with Wordpress for example but that may be mainly due to the fact that wordpress holds a larger percentage of websites using that CMS. Although Magento is a much more attractive target for attacks due to the fact that large volumes of valuable data make it through Magento websites everyday. Hacked Website Trend Report 2016-Q3: 3

4 Question #8: Some problems come from badly coded themes or extensions. Can you give some suggestions on checking for code that would allow vulnerabilities? Answer: Unfortunately this matter can be very subjective, some kinds of codes can be easily recognized as vulnerable even by a developer, but in most cases you need an actual vulnerability analysis on the code which is very expensive and not worth it. It s usually better to go straight to having a firewall that protects from any vulnerabilities that may be present. Question #9: How can Sucuri WAF help to prevent malware? Answer: See point 4. Question #10: Cesar, Willem de Groot recently wrote about a relatively new type of self-healing malware out in the wild that appears to be infecting the cms functionality of the database (skirting around the core_config_data table stuff that used to be more common) using triggers to re-install itself even if you manage to remove the infected javascript code...are you guys seeing this as well? Answer: We haven t seen any case of this actually, this may be because it can be considered the same as a backdoor but it s much more complex for the attackers to implement it on the website and the results are not reliable for the attacker. Question #11: If I use the Sucuri firewall does that affect an interface I have with another service that whitelists IPs? Answer: It shouldn t, you just have to ensure that you whitelist the firewall s IP so that the firewall doesn t get blocked. Question #12: Isn t it quite easy for a hacker to fake the file timestamp? Answer: Yes it is, that s why the timestamp alone is not enough for a proper investigation, timestamp does help in some cases as the attackers sometimes fix the timestamp on the file to be the same on the other files but the one on the folder above shows the modification. 4

5 Question #13: Hi, maybe a stupid question, but how come the Sucuri scan recognizes my Magento website as a WordPress website? Answer: Oh really? Maybe you have some WordPress files there, feel free to reach out to us so we can check. Question #14: Is there something similar for WordPress? For site protection/server protection? Answer: Best here is the firewall as well, see point 4 for further info. Question #15: What s the best way to find when the attack happened? Answer: Most effective way is data correlation between behaviour that is happening, the reports received, blacklists and information that comes from the logs. Although checking the logs can require some technical knowledge. Question #16: Most local, state and federal jurisdictions (as well as credit card processing gateway providers) have very strict regulations about how hardware & software systems and supporting network infrastructure are preserved for the criminal and civil investigations that are required by law and your contracts with merchant gateway and clearing providers. Do you have any recommendations on how to specifically use the tools or processes you discussed here so that you don t accidentally wind up committing a felony by destroying evidence by cleaning up a site? Answer: Usually the authorities will only require the files of the site, databases and all the logs from the server, but in some cases usually very severe ones they may require that absolutely nothing is touched, in such cases if you want to cooperate but still want the site online its best if you check with your services provider about making a complete cloning of your server onto another one, so you can bring the other one back online and lock down the first one. Alternatively you can also just point your domain to a different server and restore some backup you may have of your website there to get it working or just put a maintenance page there, this will keep all evidences intact while prevent the attacker from going back into it and tampering with the evidences. For further info on this just check EVIDENCE PRESERVATION on org/documents/pci_ssc_pfi_guidance.pdf 5