Cleaning up a hacked website
Posted on 2015-01-15
I've been assigned to clean up a website that's been hacked somehow.
If I understand it correctly, the website runs ASP code (suspect it's not ASP.NET but not sure how to check) connecting to several Access databases. It also has a section of the site using the PHP CodeIgniter framework. It's suspected that the attacker initially gained access through a weak FTP password.
After an initial clean up and a change of the FTP password, more malicious activity was detected. I suppose it's possible the avenue for this attack may have been different to the initial one.
I've found 9 ASP files that are clearly malicious. However, I'm not particularly familiar with the code on the site and am very aware that I'm unlikely to find them all, so I'm trying to get hold of a backup prior to the initial hack, for comparison purposes. If available, I will try to restore the programming files to what was there prior to the hack.
Are there any tools I can use that might detect malicious files with reasonable accuracy? Are there any neat tricks I can use to at least detect malicious behaviour? Is there anything else that would be useful to know or try?