Hacked Sites
Revision as of 08:32, January 12, 2021
Scanning
1. If symlink protection isn't compiled in, check for cross-account symlinks.
find /home*/*/public_html -type l -exec ls -l {} \; > /root/symlinks &
2. Start scans in a screen.
3. Check for ModSec.
grep -i modsec /var/log/apache2/error_log | tail
If there are no recent errors, check to see if the rules RPM is installed. If it is installed, check these on cPanel servers:
cat /etc/apache2/conf.d/modsec/modsec2.cpanel.conf
If it's empty, go to WHM > Security Center > ModSecurity Configuration, change a radio button, change it back to its original position, then save to re-populate the file. If it's properly populated, check the whitelists:
cat /etc/apache2/conf.d/modsec2/whitelist.conf
find /usr/local/apache/conf/userdata -type f -name "*.conf"
4. Check the PHP version and handler for the site in WHM > MultiPHP Manager.
5. Check back on the scans.
Symlinks
Since /root/symlinks was already generated by the command above, you can check it for the potentially hacked account with:
grep HACKEDACCOUNT /root/symlinks
Weed out the symlinks to files that don't exist:
for i in $(grep HACKEDACCOUNT /root/symlinks | rev | cut -d ' ' -f1 | rev); do ls -1 "$i" 2>/dev/null; done
This will list what is in the last column and suppress the error output for ls, so you only get the files that actually exist in that account.
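The same filtering as a reusable function, written as an added example for this page rather than a command from the wiki. It reads the `ls -l` listing the Scanning step wrote to /root/symlinks, keeps only links whose targets still exist, and additionally labels each surviving link as pointing inside the account or into another account's home, which is the case the symlink check is really hunting for. It assumes the listing contains absolute link paths (which the page's find invocation produces) and that GNU `readlink -f` is available, as it is on cPanel hosts.

```shell
#!/bin/bash
# Added example, not from the wiki page. Parses an `ls -l` symlink listing
# such as /root/symlinks, drops dangling links, and tags each live link by
# where its resolved target lives. Read-only: it never touches the links.
#
# Usage: live_symlinks ACCOUNT [LISTING]      (LISTING defaults to /root/symlinks)
# Output: one line per live link:  TAG<TAB>LINK<TAB>RESOLVED_TARGET
#   TAG is "local" (target under a /ACCOUNT/ directory), "CROSS-ACCOUNT"
#   (target under some other home directory) or "outside-home".
live_symlinks() {
    account=$1
    listing=${2:-/root/symlinks}
    grep -F -- "$account" "$listing" | while IFS= read -r line; do
        # Only `ls -l` lines for symlinks: mode starts with 'l' and has " -> ".
        case $line in
            l*' -> '*) ;;
            *) continue ;;
        esac
        # Assumption: link paths are absolute, so the first " /" in the line
        # starts the path. This avoids counting fields, which breaks on
        # single-digit days ("Jan  5") in ls output.
        rest=/${line#* /}
        link=${rest%% -> *}
        # readlink -f (GNU) resolves relative targets and any ".." hops so the
        # tag below reflects where the target really is.
        abs=$(readlink -f -- "$link") || continue
        [ -n "$abs" ] && [ -e "$abs" ] || continue   # dangling link: skip
        case $abs in
            */"$account"/*) tag=local ;;
            */home*/*/*)    tag=CROSS-ACCOUNT ;;
            *)              tag=outside-home ;;
        esac
        printf '%s\t%s\t%s\n' "$tag" "$link" "$abs"
    done
}
```

Lines tagged CROSS-ACCOUNT are the ones to look at first: a symlink from one account's docroot into another account's files is the classic way a compromised site reads a neighbour's wp-config.php on a shared server.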
Manual bad code search
If the scanners don't find anything but you have a known-bad code snippet or URL, you can search for it with:
find /home/*/public_html -type f -exec grep -H "horriblehackersite.ru" {} \;
or:
grep -R <badcodesnippet> /home/$user/public_html/* | grep php > /root/badphp
Get a list of files from the results:
cat /root/badphp | cut -d':' -f1 | sort -u > /root/badphp_${user}_filelist
Stat them:
for file in $(cat /root/badphp_${user}_filelist); do stat "$file" >> badphp_$user.stats; done
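The search, file list and stat steps rolled into one function, as an added example and not a command from the wiki. It differs from the one-liners above in three ways a practitioner wants when the results feed an incident timeline: `grep -rl` lists matching files directly (no splitting on ':' or spaces), the list is de-duplicated so each file is stat'ed once, and the stat output is one compact line per file sorted by modification time, so the oldest hit sits at the top as the likely first drop. The function name, the output file names and the `.php`/`.phtml`/`.inc` extension filter are this example's own choices; the filter replaces the page's looser `| grep php`.

```shell
#!/bin/bash
# Added example, not from the wiki page. Finds PHP files under DOCROOT that
# contain the literal string PATTERN, records them, and writes a time-sorted
# stat summary.
#
# Usage: badphp_report PATTERN DOCROOT OUTPREFIX
#   writes OUTPREFIX.files  (one matching path per line, de-duplicated)
#          OUTPREFIX.stats  ("mtime  owner  mode  path", oldest first)
#   prints the number of matching files
badphp_report() {
    pattern=$1
    docroot=$2
    out=$3
    # -r recurse, -l names only, -I skip binaries, -F literal match (so dots
    # in URLs are not regex wildcards). --include restricts to PHP-type files.
    grep -rlIF --include='*.php' --include='*.phtml' --include='*.inc' \
        -- "$pattern" "$docroot" | sort -u > "$out.files"
    : > "$out.stats"
    while IFS= read -r f; do
        # %y mtime, %U owner, %a octal mode, %n path (GNU stat format)
        stat -c '%y  %U  %a  %n' -- "$f" >> "$out.stats"
    done < "$out.files"
    # Oldest modification first: the earliest line is the best lead on when
    # the compromise started.
    sort -o "$out.stats" "$out.stats"
    wc -l < "$out.files" | tr -d ' '
}
```

Compare the mtimes in the `.stats` file against the access logs for the same window; a cluster of files all modified within a few seconds usually marks the upload that introduced them.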
Hacked DB?
Check the most recently changed tables:
ls -lahtr /var/lib/mysql/database_name/ | tail
If it's bad, it should be restored from a known-clean backup, or the site's dev needs to look at it. Sometimes though, you can get away with this:
- Dump the site DBs
- Grep the .sql dumps for the malicious URLs/code. Don't change anything.
- Remove the bad content in MySQL or phpMyAdmin.
- Update the MySQL login info, since the user and password were compromised.
Also, in phpMyAdmin, you can search all tables in the site database for the known-bad string, wildcards before and after:
%sillyhackername%
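The "grep the .sql dumps, don't change anything" step as an added example (not from the wiki): a read-only function that scans a mysqldump file for a literal string and reports how many occurrences sit in each table, so you know which tables to open in phpMyAdmin before touching anything. It relies on the `INSERT INTO \`table\`` and `-- Table structure for table` lines mysqldump emits, and it counts occurrences rather than lines because extended inserts pack many rows onto one line. Producing the dump itself (mysqldump) is outside the example; the function name and the constructed dump in the test are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page. Reports per-table occurrence counts
# of a literal string in a mysqldump .sql file. Never modifies the dump or
# the database.
#
# Usage: db_dump_hits PATTERN DUMPFILE
# Output: "table<TAB>count" lines, sorted by table name; nothing if no hits.
db_dump_hits() {
    pattern=$1
    dump=$2
    awk -v pat="$pattern" '
        BEGIN { table = "(header)" }
        # mysqldump marks each table in two places; track whichever came last.
        /^-- Table structure for table / { t = $NF; gsub(/`/, "", t); table = t }
        /^INSERT INTO `/               { t = $3;  gsub(/`/, "", t); table = t }
        {
            # Count every occurrence on the line (extended inserts hold many
            # rows per line), using index() so the pattern is literal, not regex.
            s = $0
            while ((i = index(s, pat)) > 0) {
                hits[table]++
                s = substr(s, i + length(pat))
            }
        }
        END { for (t in hits) printf "%s\t%d\n", t, hits[t] }
    ' "$dump" | sort
}
```

Run it against each site's dump in turn; tables with hits are the ones to clean, and a hit under "(header)" means the string appears in the dump preamble rather than in any table's data.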