What to do after your site has been hacked

Hi,

Today, when I checked the site of one of my clients, I noticed that it was hacked: a big note was on the index page. I changed the index page and changed the password to access the cPanel (server), and everything looks fine now, but I started wondering: what if they left some malicious scripts or some code on the server that I’m not seeing?

What are the steps I should follow to make sure there is no malware on the server and to ensure that my files don’t contain malicious code?

Any good books on web security for future reference?

Any suggestions?

As always, thanks a lot!

I’ve summarized here:

Hmm, good question. I would probably use Dreamweaver to compare the local and remote files. That would possibly indicate if there was anything on the server that I didn’t expect to be there. [Replace Dreamweaver with whatever program you use to design and/or upload.]

I found this helpful!

Thanks

First, I suggest checking all of the file and folder permissions. It’s generally recommended that folders be set to nothing higher than 755 and files to nothing higher than 644. We frequently see permissions modified after a website infection.

Second, check all .php files for the following strings:

touch
chmod
passthru
system
base64
eval
rot13
gzinflate

You can’t just assume files with the above strings are bad, but those files should be investigated more thoroughly.

Keep in mind that looking only at files with a recent datetime stamp is not very secure. Many of the backdoors we’re seeing on infected websites have the ability to change/modify the datetime stamp of any file on the website. We’ve also been seeing backdoors that have valid comments in them. For instance, on one osCommerce based site, the backdoor had the exact same osCommerce comments/header as other valid files.

As a good measure, assume that all passwords stored on the site have been stolen. Change all passwords: MySQL, cPanel, FTP - everything.
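The checks in the reply above (permissions, the suspicious-string list, not trusting file timestamps, rotating every stored credential) and the "compare local and remote files" idea from the earlier reply can all be scripted. The following is an added example written for this page, not code posted in the thread or shipped with any product. It assumes only POSIX sh plus find, grep, awk, sort, diff and mktemp, builds a constructed sample docroot (a clean site, one back-dated backdoor under images/, a world-writable uploads/ directory) so it runs offline, and the SWEEP_ROOT variable is an assumption of the example, not anything from the thread. It also goes one step beyond the post on timestamps: the post is right that mtime can be faked, but ctime cannot be set from userland, so files whose ctime is recent while their mtime claims to be old are the back-dated ones.

```shell
#!/bin/sh
# Added example, not code from the thread: a post-compromise triage sweep that
# implements the checks from the reply above (permissions, suspicious strings,
# untrustworthy timestamps, credential inventory) plus the local-vs-server
# compare from the earlier reply. It builds a constructed sample docroot so it
# runs offline; set SWEEP_ROOT=/path/to/docroot (an assumed variable name) to
# run the same checks on a real site. Needs only POSIX sh, find, grep, awk,
# sort, diff and mktemp.

# The strings from the post, as plain substrings, so expect noise ("system"
# also matches "file system"). This is a triage list, not a verdict.
SUSPICIOUS_RE='touch|chmod|passthru|system|base64|eval|rot13|gzinflate'

# Check 0: the "compare local and remote" idea, done with diff. Anything only
# on the server, or differing from the last clean upload, needs a look.
diff_against_known_good() {
    diff -rq "$1" "$2" | sort
}

# Check 1: anything writable by group or other, i.e. looser than 644 / 755.
# -perm -020 (group write bit set) and -perm -002 (other write) are POSIX.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Check 2: rank .php files by how many lines hit the string list, noisiest
# first. /dev/null is passed so grep always prints "file:count".
rank_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -cE "$SUSPICIOUS_RE" /dev/null {} + \
        | grep -v ':0$' \
        | awk '{n=$0; sub(/.*:/, "", n); f=$0; sub(/:[0-9]+$/, "", f); print n, f}' \
        | sort -rn
}

# Check 3: mtime can be set to anything with touch, but ctime cannot be set
# from userland: every write, chmod or touch bumps it to "now". A file whose
# status changed within the last $2 days but whose mtime claims to be older
# than that has been back-dated. -ctime/-mtime are POSIX.
find_backdated() {
    find "$1" -type f -ctime "-$2" ! -mtime "-$2" | sort
}

# Check 4: inventory where credentials live so every one of them gets
# rotated. Finding them is scriptable; changing MySQL/cPanel/FTP is not.
list_credential_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.ini' -o -name '.htpasswd' \) \
        -exec grep -liE 'passw(or)?d|db_pass' /dev/null {} + | sort
}

# Constructed sample docroot: a clean site plus one back-dated backdoor in
# images/ and a world-writable uploads/ directory.
build_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/includes" "$root/images" "$root/uploads"
    printf '<?php\n// clean front controller\nrequire "includes/config.php";\n' > "$root/index.php"
    printf '<?php\n$db_password = "changeme";\n' > "$root/includes/config.php"
    printf '<?php\n// talks to the file system cache\n' > "$root/includes/lib.php"
    printf '<?php\n$p = base64_decode($_POST["c"]);\neval(gzinflate($p));\n' > "$root/images/x.php"
    touch -t 200901010000 "$root/images/x.php"   # fake "old" mtime; ctime stays now
    chmod 755 "$root/includes" "$root/images"
    chmod 777 "$root/uploads"
    chmod 644 "$root/index.php" "$root/includes/config.php" "$root/includes/lib.php" "$root/images/x.php"
    echo "$root"
}

# Constructed "last clean upload": the same tree without the backdoor.
build_known_good() {
    good=$(mktemp -d)
    cp -R "$1/." "$good/"
    rm -f "$good/images/x.php"
    echo "$good"
}

# Stand-alone run: sweep SWEEP_ROOT if set, otherwise the constructed tree.
ROOT="${SWEEP_ROOT:-$(build_sample_root)}"
echo "== writable by group or other (want nothing here)"; find_loose_perms "$ROOT"
echo "== .php files by suspicious-string hits"; rank_suspicious_php "$ROOT"
echo "== ctime within 1 day but mtime older (back-dated)"; find_backdated "$ROOT" 1
echo "== files holding credentials to rotate"; list_credential_files "$ROOT"
if [ -z "$SWEEP_ROOT" ]; then
    echo "== only on the server vs last clean upload"
    diff_against_known_good "$(build_known_good "$ROOT")" "$ROOT"
fi
```

On the constructed tree the string ranking puts images/x.php first with two hits and includes/lib.php second with one: that second hit is the "file system" comment, which is exactly the noise the post warns you to expect, so read the ranked files rather than deleting on sight. The back-dated check only catches what the attacker touched after your reference window; widen the day count to cover the whole period the site could have been compromised.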

Thanks a lot for the good information. I wish I could learn more about this type of thing.

I just ordered a book called Apache Security, will this help to learn about web security?

http://www.amazon.com/Apache-Security-Ivan-Ristic/dp/0596007248/ref=sr_1_1?s=gateway&ie=UTF8&qid=1285773193&sr=8-1

Thanks a lot

Wow! great info, thanks a lot.

Thanks a lot!

Also, there is a lot of info in the thread that is mentioned in my signature (~;
Bear in mind, though, that it takes time and expertise to be able to secure everything properly, and you have to reiterate the whole process, Protection->Detection->Action, on a regular basis.

Wow! Those are the books I was looking for, thanks a lot.

Any questions you have, just ask! There are many good responders in this forum.

I have said this so many times… I LOVE THIS FORUM, I honestly don’t know what I would do without it.

It’s a good book and full of great information. However, unless you’re on a dedicated server, much of it won’t apply to you.

Some other good books are: Hardening Apache, Preventing Web Attacks with Apache, Pro PHP Security, ModSecurity 2.5 and Essential PHP Security.

Obviously the PHP books are more toward programmers, but the information is still relevant for anyone with a website - I think.


Thanks a lot!