5/26/2013

Some security ideas on dealing with a hacked website -- pharma hacks, WSO backdoor

Just some random notes on dealing with a hacked LAMP site ....

Some of this requires Telnet access to the Linux shell.
  1. DON'T INSTALL WORDPRESS.
  2. IF YOU HAVE TO INSTALL WORDPRESS, READ ALL THE SECURITY DOCUMENTATION YOU CAN FIND. Start with "Hardening WordPress."
  3. Avoid using default installation settings -- Change passwords immediately, don't use an "admin" account name, change the database prefix names, change the name of the login file.
  4. Use as few third-party plug-ins as possible.
  5. Update your software regularly.
  6. Learn all about "pharma hacks."
  7. Learn all about "WSO backdoor" and look at example code.
  8. Learn more.
  9. Delete all your test files, test installations.
  10. Delete any unused templates and plug-ins.
  11. Understand that hackers will make many, many files that mimic the names and dates of your existing files.
  12. Understand that it is possible, and easy, to alter the timestamp of a file.
  13. Understand that hackers will alter your existing html, php and other files -- often by inserting <iframe> tags and JavaScript code that is obscured with weird character sets, weird spacing and concatenation, and base64 encoding.
  14. Consider using a reputable service to monitor your site for known hacks and changes to your files. (Truth is, I haven't done this yet, but am looking for one.)

Ways to find infected files

Search for files that have been recently changed or accessed

The modify date is used in FTP programs like Filezilla, but that can be misleading.
If you find an infected file, run a stat command on it to get more information about when your hackers are coming around. Note the difference here between Modify date and actual Change/creation date and Access date:
stat myFolder/myFolder.php  
Access: 2013-05-14 07:13:18.000000000 -0400
Modify: 2013-02-21 15:19:00.000000000 -0500
Change: 2013-05-14 07:13:18.000000000 -0400
Then you may want to use "find" to locate files that are of similar time periods.
It may be of use to set up a shell script and cron job that check for changed files once a day, and have the results saved for you to check for oddities.
find . -ctime -1

Search all www directories for uncommon words.

Not every file will be an infected file, but doing this will help to point you in the right direction.
ex. 
cd /var/www/ 
grep -rl "auth_pass" *

Words to look for

  • auth_pass 
  • wsoLogin
  • eval 
  • gzinflate 
  • base64

Search all www directories for weird files that don't belong.

There may be lots of cleverly disguised files on your server that don't belong there. They may have names similar to the files you do want. Unfortunately, they may be buried in your phpMyAdmin or other complicated, third-party file trees.

You will likely have to go through all of your directories if you want to be truly thorough.

Downloading some of these files to your PC hard drive ought to set off your virus software. SAFELY examine any hacked files that you do find using:
cat theFileName | more
Look for references in the code that point to other hacker files.

Some filenames to look for:
ex.
find ./ -name '*.url'
  • *.url
  • *.time
  • .d (one-letter filenames)
  • .f
  • .l
  • .s
  • ip.txt
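The daily change check, the grep for uncommon words, and the filename search from the sections above, combined into one script that writes a dated report. This is an added example, not code from the original post; the web root and report paths are assumptions, and the cron line is only a suggestion.

```shell
#!/bin/sh
# Added example: daily scan of a LAMP web root for recently changed files,
# backdoor/obfuscation tokens, and odd filenames. Assumes POSIX sh with
# GNU find/grep; paths such as /var/www and /var/log/webscan.log are hypothetical.

# Files whose inode change time (ctime) is within the last N days (default 1).
# ctime is updated by the kernel and cannot be set with `touch -d`, so a
# backdated modify time does not hide a file from this check.
recently_changed() {
    find "$1" -type f -ctime "-${2:-1}" | sort
}

# Files containing the tokens the post lists (auth_pass, wsoLogin, eval, gzinflate, base64).
suspicious_content() {
    grep -rlE 'auth_pass|wsoLogin|eval\(|gzinflate|base64_decode' "$1" 2>/dev/null | sort
}

# Filenames the post says usually do not belong on a site: *.url, *.time,
# ip.txt and one-letter dotfiles such as .d .f .l .s (patterns are quoted so
# the shell does not expand them before find sees them).
suspicious_names() {
    find "$1" -type f \( -name '*.url' -o -name '*.time' -o -name 'ip.txt' \
        -o -name '.?' \) | sort
}

# Append one dated report section to the log; suitable for a cron entry such as
#   0 3 * * * /usr/local/bin/webscan.sh /var/www /var/log/webscan.log
daily_report() {
    root="$1"; out="$2"
    {
        echo "== scan of $root at $(date) =="
        echo "-- changed (ctime) in last day --"; recently_changed "$root" 1
        echo "-- suspicious content --";         suspicious_content "$root"
        echo "-- suspicious names --";           suspicious_names "$root"
    } >> "$out"
}

# Run directly with <webroot> <reportfile>; sourcing the file just defines the functions.
if [ "$#" -eq 2 ]; then
    daily_report "$1" "$2"
fi
```

Review the report diff from day to day rather than the whole file; a file that appears under "changed" with an old Modify date is exactly the timestamp trick the post warns about.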

Reinstall third-party packages from fresh downloads

If you can wipe out software packages without any loss of important data or multimedia files, it may be advantageous to wipe out the complicated subdirectories and download a fresh copy.

For example, phpMyAdmin is a favorite program for most MySQL users.
Hackers know this, right?
So, they like to dump extra files in the middle of all of the folders and files.
And guess what ... you'll likely never notice them.
So, go to phpMyAdmin.net and download the latest version, and then wipe out the directory where it is installed on your server, and then upload the new files.
Remember to edit the config.inc.php file in this case to include a "Blowfish" secret.

In other software cases, you may be in jeopardy of losing lots of important data, image files, etc.
So, be careful when you do this.
