The festival of WordPress
January 22, 2021

This is an archive of the January 2021 event

How to… Know if I’ve Been Hacked

The most 3 typical questions that people ask me when they realize that I work in the cybersecurity world are:

  • How to know if I’ve been hacked
  • What to do when this (s**t) happens
  • How I can avoid it

By displaying a little horror gallery with some examples gathered during the years I’ve been working at Sucuri and GoDaddy Web Security, I will show what a hacked site looks like, helping, hopefully, to train a little bit your eyes to know where to look, and some tips to help detect anomalies ASAP.

Once something bad is detected, there is a recommended checklist of countermeasures to fight against them and avoid future re-infections.

Time: 6:00am UTC
Region: Asia
Stage: GoDaddy Pro Stage


hello hello to everyone thank you very

much for

attending to this session

this is gonna be

a security session not very technical i


and it’s it’s title is how to know

if i’ve been hacked i’m nestor angulo a

security analyst from godaddy

i’ve been working as a security analyst

in the last

six years and pretty much everything i’m

gonna tell you

in this presentation is based in my own


i wanna i would like to to use the

occasion to thanks

a lot the organization

team of this event they are doing a

pretty pretty

beautiful work not only with the event

but also with their

initiatives they are taking so thank you

very much and thank you very much to all

of you

again so let’s get into

uh well um normally i start my

sessions with this slide you know it’s

one of my favorite quotes that reflects

very well how we feel in this this

security war you know so there are two

types of company those

uh who has have been hacked and those

who don’t yet know

they have been hacked so this is uh

uh a quote uh applied to john chambers

the ceo of

cisco also i use this

image in pretty a lot of my sessions

because i really know what you are


when you are using internet nowadays

because there are something like a cyber

strat don’t click hit there

don’t open that email don’t open that

email attachment be careful with the

malware with the virus with the run

somewhere so

this talk is intended to help you guys

um and i want to to share with you some


uh and i hope the they will be useful

for you

to understand this uh war and

the things that that should be done in

order to reduce

the probability of being hacked or to

suffer any

issue related with it with security

so i decided this session

in a sort of way of

questions and answers so the main

question you may

have in your mind is what hack means

and in the website environment

it means that your site has been

attacked that attack

could be successfully so

everything of these bad things could

happen to you that the bridge reputation


run somewhere etc

or it could fail and this is the vast

majority of the

the situation of failing not a failing

attack is the vast majority of the


we normally face in in

day by day so it’s uh maybe

a website suffer thousands of attacks

every day but only one is needed to

to to suffer or to make you a lot of

or suffer a lot of pain like this

but keep in mind that the hacking

attempt are

always uh happening it’s something like


every every second every single second


in probably the

the whole internet right so who is

uh who who’s who are the guys who hacks

maybe if you think about hackers you

have this image of this tv show in your

mind if

you have seen it uh you have a pretty

clear image of what a hacker a computer


leaf looks like and if you don’t

just take a look mr robot is a very nice

tv show about

about this about this war of security


and how it will eat it or what

it involves

but it’s important for to me to uh

to clear the fly to clarify this um

different it’s not the same hacker than

a cyber terrorist a hacker

is a curious person who loves to go

beyond limits and conventionalism

so a curious guy

an assemblatory is a computer hacker a

alliance to enrich himself

to do bad things right

keep in mind that if you are sleepy

and you want to study a little bit more

or to work a little bit more and you

take a coffee you are hacking yourself

so the process of hacking is is

something so close to humanity to human


and so older like the human being is

so in order to this uh to different

um the computer hackers

intentions we normally classify in hot

colors right they are

black hat grey hat and white hat

hackers the black hat hacker is a

bad guy and the white hat hacker is the

security animal the ethical

hacker the good one right and the great

heart hacker is that one that normally

is a good guy but it’s using illegal


uh well but how would this happen how a

hacking process

happened he always start with a

vulnerability this

is the key the code has to be

abnormality then there is

somebody who creates a software piece

to elaborate that gravity it’s called


and using the exploit you can insert or


any piece of code that could be the

final code or in the worst

scenario a backdoor

using the back door you can gain regain

access to the website

even if the the owner uh start to

protect it

after the the injection so

the worst scenario is to have a hide and


somewhere in your site and using it

we can or hackers can span

the face it add to a board net or

inject any other kind of code

but what they what these guys

will want from our site because it’s a

typical question hey i have a

kitten food store why they want to

to to to hack my say my site

so in wordpress this is the most common

objectives the users list

because you know it’s a list of emails

usernames and so on on more sensible

information sensitive information sorry

there is a database with information as

well with

with data you are storing there there is

content if you are selling you know

uh presets for

lightroom for photographers or something

like that if you

i gain access to your site and you have

those presets there i can

get them for free i can use your

infrastructures yes

keep in mind that a website

is just a collection of files that runs

in a

pc in out there in an internet in the

data center so there is a cpu there are


there there is a

bandwidth for communications

and so on so the infrastructure is also

something valuable for these guys

and also i might want to add this uh

a website or a server to a botnet and


it and roll like a uh enroll in my army


use it later for for something like a

ddos attack or something like that

but also the reputation of your of your

website or your business represented by

the website is

is a valuable available coin

for these guys let me share with you

some facts that is

that are very important to give a little

bit of

context and


about security right so it’s important


uh understand that this site hacking

almost never is client oriented so i


if you’ve been hacked normally it’s not


who you are or the content you have in

your website normally they are just

automatic algorithms out there scanning


and the websites and

infecting injecting or adding to botnets

the website they find

no matter no matter the content they


this normal normally happens so because


uh deficiency monitoring and maintenance

maintenance is important

this is a very common error just to

think that

you have a website you put there out

there in internet and that’s all

all the customers just gonna start

coming to my business

and i don’t need to to take a look of to


site continuously so maintenance is very


this one is blow my mind

in when some people come to me and say

hey why i’ve been hacked

if i have a social certificate i use the


protocol in the url so i’m protecting

and to explain this i i usually use this


uh to make it to to help you to

understand that ssl certificate is not

it’s not an anti-hacking shield so

uh keep in mind that the ssl certificate

will ensure that the channel between you

and the web server uh

is secure so if you communicate with the

server or server with you

all the information uh running in this


gonna be secure and nobody can hear that


i will if somebody just reads something

that is

being communicating in this channel

is not going to be understable so that’s

the ssl certificate and the https

uh protocol uh mission right

to make this channel communication


so if instead of that user

is communicating with a with a server is

a hacker so the hacker will be hacking

your website

securely so it’s

is the way i i used to to explain this

so this is important

but it’s not an anti-hacking shield okay

so i hope you

understood this

this part uh keep in mind also that the

security updates and parts

are normally appear after

the somewhere um

abundantly is being exploited so if you

see that there is an

update it’s because there are computer

hackers out there

exploiting it so run

and this this one is also one of my


human being fails so no matter how proud

you are about your code

no matter if you uh

think that the code is perfect and is

fully protected

it will be hacked maybe in the future

sooner or later but

it’ll be it’ll be hack we are human we

fail so

keep this in mind and it explains

why i say that security never is and nor

will be

ever 100 effective so

how to detect a hacking attempt this is

more or less the core of the

of the talk uh this is very difficult to

explain how to detect

because you know hackers you used to


more creative ways of hacking

servers and websites every day

so my very two first

recommendation is stay vigilant always

monitor your site

review it very often and hear your users

set and appropriates all the channels

you might you might want to establish


you your users because they gonna be

your best hears

and eyes out there to to check if your

site is doing something wrong so

hear your users facilitate channels to

communicate with them

and to let them communicate with you

in an early stage detection normally i

just put the hosting because you know

they are

supporting our website so they have

access to

uh their resources they monitor them so


they can share with you some warnings

and also

if you have plugins or services in your

website for monitoring

it will help a lot we can’t

have services like sukuri monitors you

can install ser

appliance or security clients inside

your website like warframes all in one

security items

etc and if you have a firewall also it’s

very useful

because every firewall has a

monitor uh

dashboard so you can see in real time

and also a log of

about which ips has

have have hit your site

the country they were this ip comes and

so on

and face-to-band is applying also that


or protect your login

against multiple


attempts so

if someone just failed more than three

times or five times you could you can

set it up uh it get banned for a certain

time so you can be protected

from brute force attack but also you

heard you will get a monitor of who is

and how many attempts

are trying to get inside of your website

dashboard the detection

is of course if there is time between

between the hack and your detection it


or it could might happen that some

vendors out there can add your website

to a blog list

like search engines like google yandex

and bin

any uh some of the antivirus

vendors have some blog lists and some

other specialized companies like mx

toolbox for

phishing or for spam spreading

bi by via email

and so on and also if you

one day decide to scan your site

these are my favorites i check

from sukuri it’s very nice it will

show you how the site looks like a

front outside virustotal on

uh match your website to the most

to the least of the most common uh

security vendors out there blog list

security vendors out there so

you will see in a in a page if your site

has been

blocked in any of them and bp scan is a

plugin you can install

your server so it will

scan your site from inside

so let’s that’s more or less how to


it’s a little debug very but you know

those are

tips and tools to help you and i would

like to

to show you some examples uh

of the of how hack side looks like keep

in mind that there are a lot of kind of


so i just uh took somebody

some examples to you to let you see

the most typical and visual is the face

man family if you

if you take this slide as uh

as my website and in the morning you

find like this for

probably someone has access to the


and changing it because it’s funny or

something like that

okay so the defacement is like that it’s

just changing

uh the visual the front end of the

uh displaying of your website

um in a hack attempt right

for example uh the photographer gallery


always use in my sessions this is a part

of the website i

just wanted to to focus in this part

to to protect the

uh the identity of this

page so maybe this photographer has this


who had this gallery and then he

went to sleep in the night and in the


he awake with a lot of messages in the

in his

social network saying hey you’ve been

hacking when

he load his website

finds this so this is a

a defacement this is another example you

more political claim or social claiming

and this is a turkish one

i like it i like it a lot so

at the end the face means a partial full

replacement of the website the front end

is very obvious normally is easy to


and probably your users will detect

will detect it faster but the scanners

also detect it very easily at the end is


the goals is used to be

awareness or social political claim

fishing we are a little bit

tired of hitting about hiding uh him

hearing about phishing about the email

fishing and so on

and then at the end it’s a long check

out environment imitation

it’s very subtle and

this you will detect it because of the


or because your site appears in some

block list

and the goal is to steal credentials

sensitive information

this is an example dropbox

fake login webpage is not very actual


you will surprise uh

you see how many people just get cheated

with this uh so maybe you and your

website you have a login

button that when you click you go to the


the common login form

and a hacker inject into

your website that they’ve instead of

that and the login button goes to

this fake dropbox login page so maybe

your users could understand that you

have changed it

and now you you do the

the logging process through dropbox and

then they put the credentials here but

if we let me

do this a little bit bigger if you

go to them to the code you will see that


there are some indications some

clues to detect that this is a fake one

as you can see this uh it says dropbox

business so it’s

pale spelt right and the form

uh just send a mail and password to an


file which looks like this

and you can you can see here that there

is an email

address here and takes the email and the


and sent to this guy an email with those


those variables the email and the

password we’re saying something like

dropbox login from the ip of the website

the hack website

in the country uh whatever i would say


this guy is receiving every time someone

uh gets it with a with this

fake login page

receiving the credentials in his email

black ceo is spam for example imagine

that you have a

inc design inc in the contact

form uh when you click in the contact


you get this one this is a normal uh

contact form but in the header you can

see free shipping by viagra now you can


the impact in the ceo of this guy

and also in the reputation of this


this is another example of professional

janitorial services which is

which has in the here in the header some

some fake text about a dark

android market and as a result of this

if the

search engines scroll down like the


when they are being they have been

hacked with these

black spam ceo infections is

is in the wrestled gonna be like this

you’re gonna be

you’re gonna get your website

in the blog list and every

every user that wants to enter in your

website will

get first a web page like this

or attack in the in the

search results like this this

is this site might be hack or

even maybe a lot of spam

crawled from your side and display

in the search result page so

you can’t imagine the impact

be any spam or unwanted content in your


the detection is easy for scanners

sometimes for users it’s not that easy


those we the those examples we have seen

are very

very obvious but sometimes it’s hidden

in the code

so it’s not that obvious to for us

for for regular users uh to see these

things but it’s in the code and for

search engines warnings and the scanners

yes it is

very easy to detect effects to your ceo

maybe it’s inside of a link building

a campaign or whatever

redirection reaction is something that

happens a lot

recently at the end it consists

in a situation where unwanted affiliate

links is open to suspicious website


any any intention and those suspicious


are totally uh different and

not wanted the detections is

not that easy it’s a little bit tricky

but the users will detect it most easily

and certain giants as well will affect

your ceo and affiliate also the

affiliate ceo

will be in a campaign of link building

as well and so on this is an example


i phoned in the wordpress url

settings instead of the

website we roll it’s a new different

url hello from something like


so it will cause that when you get into


into the website just putting the url in


browser you will start loading the

website and then

immediately you will be redirected to a


uh different one born one or drag one or

you know

span one or maybe a

page like this that offers you a price

don’t click ever and this kind of

pop-ups they are all fi

fakes or maybe ask for your permissions


uh access the information from your

browser or

or or send you a notification

ddos attacks and botnets these attacks

are not very easy to be detected by


maybe you can feel that your site is


loading very slow so this one of the

symptoms if you take this like a normal

traffic in the world

uh this happened

in 2016. it was

the infamous attack

first first iot ddos

attack so the internet of things at the

end it was uh

it was um caused because a lot of

cameras uh cctv you know for civilians

around the world uh were infected with a

third day

and and

and they start to load a website

suddenly so the service get down

and as a result of that i think i

don’t remember if whatsapp

netflix and some other twitter some


services just get down because that’s a

specific service got a

denial of service attacked

so effects to instructure

is difficult to

to detect normally you detect that

because of the strange use of resources

you have a peak of bandwidth or

something like that and you can use a

file integrity scanner

in order to see if something has been


and a professional tip here is to have a


in place i mean a firewall for web


so if you still doesn’t

if you still don’t understand what a

ddos attack is

is looks like this if you demand

with the net or the website is the

website server and the codes are

hits from users so you can manage some

of them

but it’s at the moment they overflowed

it’s self-explanatory right so

what can i do if this happens so the

items involved is something that happens

first is you and yours and your side

your clients

so keep calm analyze

scan your site inform yourself your guys

about this then

inform megaware the hosting provider

about this

the eighty percent of the security

issues can be fixed

uh directly through the support

from hosting provider and if this is not


or you don’t have backups or you don’t

want to restore a backup because you

want to

lose information you can just check out

a security expert

external or internal and to avoid it

normally i share with you some measures

but i want to

uh separate them in reactive and


reactive measures are those when bad

things have

already happened so you have to mitigate

the pain you have to mitigate

the uh

the lose right and proactive ones are

before anything but happens so

it’s a risk mitigation you want to lower

the possibilities of being

a hack

the reactive ones are scan your site

when something happens

scan your site check everything files

admin users

plugins and so on remove them if you


recognize them update and that is

interesting because

you overwrite the code so if the code is

infected you will override with a fresh

from from the trusting

repository so this is a good measure as


or restore a backup you don’t mind to

lose information from

when you took the snapshot to this


and the practice one is to reduce the

surface of the attack

so you reduce the admins appliance and

the themes to those

strictly needed to to make your site

run do backups have a good

strategy of backups update regularly

invest in hosting and security instagram

install a web application firewall

because this is gonna rise

dramatically your security level

as a takeaway i would like to repeat

remember to invest in

a good hosting because a good hosting is

the first layer

of protection they are monitoring your

resources they are conducting

scanning scanners very often

and if you have a good one it is

half of the way uh

dawn and also invest in security you do

in the real

in the real life use higher

uh alarms or

a good lock for your house so do the

same in the digital world

so that’s all guys i always say

everybody needs a hacker so we need


to make uh our future as a human

as human being to to run

and to discover new things and that’s

for me the spirit of a hacker

thank you very much this is the end for

now thanks

again for the organization thanks again

to all of you

and i hope that you found this lecture

useful for you have a very nice 2021

and stay safe thank you

Share this session

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on email