Author Topic: [INFO] My website has been hacked, what do I do?  (Read 40746 times)

0 Members and 1 Guest are viewing this topic.

July 12, 2009, 08:15:44 pm
Read 40746 times

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
My website has been hacked, what do I do?

Unfortunately, websites being compromised are all too common. The most common methods we're seeing are;

1. Via stolen FTP credentials
2. Via SQL injection
3. Via stolen/brute forced, administration areas (e.g. domain.com/admin)

1. Via stolen FTP credentials

The recent Gumblar/martuz infection, occured because FTP credentials were obtained for the sites that the infections were placed on. This usually occured either via Brute force, or because the machines that the owners of the websites used, were also compromised.

2. Via SQL injection

Much has already been written about SQL injection, so I'll keep this simple - SQL injection works because sites do not properly sanitize GET or POST data. For example;

domain.com/page.php?id=33+select+fldpass,fldusers+from+tblusers+where+fldid='1'

Sanitizing user input, whether from querystrings, or post data, would have helped mitigate this. The most obvious method of sanitization, is to remove ANYTHING that is not expected, from the data, prior to posting it. For example (and note, this is only a quick example, nothing more);

Code: [Select]
function sanitizeme($sdata){
  // Check for hex encoding or Base64
  if(strpos($return, '0x')==true || strpos($return, '==')==true){die('Hex or base64 found ....');}
  // Remove apostrophe's and the =
  $return = str_replace("'", '', $data);
  $return = str_replace("=", '', $data);
  // If we can use mysql_real_escape_string, USE IT!
  if(function_exists('mysql_real_escape_string')==true){
$return = mysql_real_escape_string($return);
  }
  return $return;
}

The above function is only an example and should NOT be used. You can find information on how to protect against SQL injection at;

http://www.owasp.org/index.php/SQL_injection
http://us2.php.net/manual/en/security.database.sql-injection.php
http://www.webmaster-talk.com/php-forum/47578-tip-protect-yourself-against-sql-injection.html

3. Via stolen/brute forced, administration areas (e.g. domain.com/admin)

Stolen account information usually occurs in the same manner as stolen FTP credentials - keyloggers on the machine usually used to connect to the site. This can also occur however, via phishing attacks. Brute forcing is a different ball game however, and involves continually attempting to login until the correct combination of user/pass is found (evidently there's more to it than this, but I'm trying to keep it simple).

So what can I do to prevent these?

Prevention is always better than a cure after the fact, and though there are no 100% effective methods of prevention, there are a few things you can do. First and foremost, if your server support sFTP (Secure FTP), USE IT, this helps protect against sniffers/keyloggers by encrypting the login information. Second, be VERY careful about where you surf to online, and what you download/open (and this is especially the case for those of you randomly opening attachments in e-mails, or using HTML e-mail instead of plain text).

The vast majority of infections occur because of an infection arriving in e-mail and you're opening it (NEVER a good idea), or via other compromised websites or via "fake" websites (i.e. those offering videos, that actually lead to infections). Disabling ActiveX and scripting, for ALL websites is always a good idea. If there are websites you require these for, put them into the Trusted Zone.

As far as SQL injection, first and foremost, check, check again, then check again. Your sites codes are very important, and if you're processing data without checking it, this will lead to your sites being compromised. Sanitize user input, NEVER send query data directly to the SQL string you're using to query the database. Again, there are many resources out there that will help you lock down your site.

How can I clean my site if it's been compromised?

If your site has already been compromised, the first things you need to do are;

1. TAKE THE SITE OFFLINE!
2. Change ALL passwords (FTP, HTTP and any others you have) (see #4)
3. Check the files on your FTP, for any files that should not be there (shells are commonly uploaded by the attacker, to allow them to get back in, even after the FTP etc passwords have been changed)
4. Most importantly, CHECK THE MACHINE YOU NORMALLY USE TO CONNECT TO THE WEBSITE. Compromised machines were the major cause of the Gumblar infection being successful, as this is how the FTP credentials were obtained. You MUST ensure you check the machine is clean.

a-Squared
www.emsisoft.com

Malwarebytes AntiMalware
www.malwarebytes.org

NOD32
www.eset.com

Kaspersky
www.kaspersky.com

Avira AntiVir
www.free-av.com

Avast
www.avast.com

If you need help doing this, please ASK;

http://temerc.com/forums/viewtopic.php?f=12&t=18

Passwords should be changed from a second machine, and NOT from the machine you normally use to connect to the sites FTP etc account.

If you aren't regularly backing up your sites files, you are making the job of restoring it, virtually impossible without taking forever to manual check everything. You should ALWAYS backup your files either weekly, or in the case of those of you manually updating the sites (i.e. not using a database or whatnot), EVERY time you make a change to the site. Backups should NEVER be stored on the same machine you use to connect to it, but should be placed in a passworded zip, on either a flash drive, second machine, or CD/DVD.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 28, 2009, 07:20:25 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
The AWPG have written a paper on what to do if your website is compromised.

http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 11, 2010, 11:15:37 pm
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net