Today when I checked the site of one of my clients I noticed that it had been hacked: a big note was on the index page. I changed the index page and changed the password to access the cPanel (server), and everything looks fine now, but I started wondering what if they left some malicious scripts or some code on the server that I'm not seeing.
What are the steps I should follow to make sure there is no malware on the server and to ensure my files don't contain malicious code?
Any good books on web security for future reference?
Hmm, good question. I would probably use Dreamweaver to compare the local and remote files. That would possibly indicate if there was anything on the server that I didn’t expect to be there. [Replace Dreamweaver with whatever program you use to design and/or upload.]
First, I suggest checking all of the file and folder permissions. It’s generally recommended that folders be set to nothing higher than 755 and files nothing higher than 644. We frequently see permissions modified after a website infection.
Second, check all .php files for the following strings:
touch
chmod
passthru
system
base64
eval
rot13
gzinflate
You can’t just assume files with the above strings are bad, but those files should be investigated more thoroughly.
Keep in mind that looking only at files with a recent datetime stamp is not very secure. Many of the backdoors we’re seeing on infected websites have the ability to change/modify the datetime stamp of any file on the website. We’ve also been seeing backdoors that have valid comments in them. For instance, on one osCommerce based site, the backdoor had the exact same osCommerce comments/header as other valid files.
As a good measure, assume that all passwords stored on the site have been stolen. Change all passwords: MySQL, cPanel, FTP - everything.
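The three checks in the reply above (permission thresholds, suspect strings in .php files, and the warning that modification times can be forged) as a runnable triage script. This is an added example for the thread, not code posted by any participant; the web root it scans is a constructed fixture built in a temporary directory, the file names and the `PLACEHOLDER` payload are made up, and the ctime comparison is an extra check that relies on Linux/Unix semantics (an unprivileged `touch`/`utime()` can set mtime but the kernel sets ctime to the current time).

```python
"""Post-compromise triage of a PHP web root (added example, constructed fixture)."""
import os
import re
import stat
import tempfile
import time

# Strings the reply lists. These are substring matches ("filesystem" contains
# "system"), so a hit is a lead to read by hand, not a verdict.
SUSPECT_STRINGS = ["touch", "chmod", "passthru", "system",
                   "base64", "eval", "rot13", "gzinflate"]
SUSPECT_RE = re.compile("|".join(map(re.escape, SUSPECT_STRINGS)))

# Thresholds from the reply: directories no higher than 755, files no higher than 644.
MAX_DIR_MODE = 0o755
MAX_FILE_MODE = 0o644


def too_permissive(mode, limit):
    """True if the mode grants any permission bit the limit does not (777 vs 755)."""
    return (stat.S_IMODE(mode) & ~limit) != 0


def find_loose_permissions(root):
    """Relative paths of directories above 755 and files above 644."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if too_permissive(os.lstat(dirpath).st_mode, MAX_DIR_MODE):
            hits.append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if too_permissive(os.lstat(path).st_mode, MAX_FILE_MODE):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def scan_php_strings(root):
    """Map each .php file that contains a suspect string to the strings found."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                found = sorted(set(SUSPECT_RE.findall(fh.read())))
            if found:
                findings[os.path.relpath(path, root)] = found
    return findings


def find_backdated_mtimes(root, slack=86400):
    """Files whose mtime is older than their ctime by more than `slack` seconds.

    A backdoor can reset a file's modification time, but on Linux/Unix the
    inode change time is stamped by the kernel on that same call, so an old
    mtime sitting next to a fresh ctime is worth a closer look.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime > slack:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def triage(root):
    """Run all three checks and return one report dict."""
    return {
        "loose_permissions": find_loose_permissions(root),
        "suspect_php": scan_php_strings(root),
        "backdated_mtime": find_backdated_mtimes(root),
    }


def build_fixture():
    """Constructed web root: clean index, obfuscated include with a copied header, loose file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    inc = os.path.join(root, "includes")
    os.mkdir(inc)
    files = {
        "index.php": '<?php\necho "Welcome";\n',
        # Legitimate-looking header comment over an obfuscated call, as the
        # reply describes. Constructed sample; the payload is a placeholder.
        "includes/config.php": "<?php\n/* osCommerce configuration (constructed) */\n"
                               "$data = 'PLACEHOLDER';\n"
                               "eval(gzinflate(base64_decode($data)));\n",
        "upload.php": "<?php\nphpinfo();\n",
        "style.css": "body { color: black; }\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "upload.php"), 0o777)   # file above 644
    os.chmod(inc, 0o777)                                # directory above 755
    # Forge a three-year-old mtime on config.php; its ctime still reads "now".
    old = time.time() - 3 * 365 * 86400
    os.utime(os.path.join(root, "includes/config.php"), (old, old))
    return root


if __name__ == "__main__":
    for check, result in triage(build_fixture()).items():
        print(check, result)
```

Point `triage()` at the real document root instead of the fixture to use it on a server; anything it reports still has to be read by hand, and comparing the listing against a known-good local copy, as suggested earlier in the thread, remains the stronger check.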
Also there is a lot of info in the thread mentioned in my signature (~;
Bear in mind, though, that it takes time and expertise to secure everything properly, and you have to repeat the whole process (Protection->Detection->Action) on a regular basis.