Hacked Sites

From My Wiki

Scanning

1. If Apache's symlink protection isn't compiled in (on cPanel, EasyApache's Symlink Race Condition Protection), check for cross-account symlinks: links in one account's public_html that point into another account's files. Background it, since it walks every account:

find /home*/*/public_html -type l -exec ls -l {} \; > /root/symlinks &

2. Start scans in a screen.

3. Check for ModSec.

grep -i modsec /var/log/apache2/error_log | tail

If there are no recent errors, check whether the rules RPM is installed. If it is, check this on cPanel servers:

cat /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

If it's empty, go to WHM > Security Center > ModSecurity Configuration, change a radio button, change it back to its original position, then save again to re-populate the file. If it's properly populated, check the whitelists, since a rule disabled there is the usual reason ModSec let a request through:

cat /etc/apache2/conf.d/modsec2/whitelist.conf
find /usr/local/apache/conf/userdata -type f -name "*.conf"

4. Check the PHP version and handler for the site in WHM > MultiPHP Manager.

5. Check back on the scans.

Symlinks

Since you scanned with the command above, list every symlink that lives in or points into the suspect account:

grep HACKEDACCOUNT /root/symlinks

Weed out the symlinks whose targets don't exist:

grep HACKEDACCOUNT /root/symlinks | awk -F' -> ' '{print $2}' | while read -r target; do ls -1d "$target" 2>/dev/null; done

This takes the target (everything after the " -> " in the ls -l output) and suppresses ls's error output, so only targets that actually exist are printed. Splitting on " -> " rather than on the last space keeps targets with spaces in the name intact. A dangling link is still worth noting: it shows what the attacker was reaching for.
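The same symlink triage as an added bash example (not from the original page): it reads a constructed sample of `find ... -exec ls -l` output, splits each line on the literal " -> ", resolves relative targets against the directory holding the link, reports only links whose target lies outside the link's own account, and flags whether the target still exists. The account names, paths and dates in SAMPLE_SYMLINKS are made up, and the `account_of` / `cross_account_symlinks` helpers and the `/home*/<account>/` layout they assume are mine, not cPanel tooling.

```shell
#!/usr/bin/env bash
# Constructed sample of `find /home*/*/public_html -type l -exec ls -l {} \;`
# output. Accounts, paths and dates are made up for this example.
SAMPLE_SYMLINKS='lrwxrwxrwx 1 attacker attacker 39 Nov  3 11:57 /home/attacker/public_html/wp.txt -> /home/victim/public_html/wp-config.php
lrwxrwxrwx 1 attacker attacker 11 Nov  3 11:58 /home/attacker/public_html/passwd -> /etc/passwd
lrwxrwxrwx 1 victim victim 27 Oct  1 09:00 /home/victim/public_html/img -> /home/victim/public_html/images
lrwxrwxrwx 1 attacker attacker 42 Nov  3 11:59 /home/attacker/public_html/cfg.txt -> /home/victim/public_html/missing/config.php
lrwxrwxrwx 1 attacker attacker 35 Nov  3 12:00 /home/attacker/public_html/rel -> ../../victim/public_html/.htpasswd'

# account_of PATH: print the account that owns PATH under /home*/<account>/,
# or nothing for paths outside any home directory (e.g. /etc/passwd).
account_of() {
  case "$1" in
    /home*/*/*) local rest="${1#/home*/}"; printf '%s\n' "${rest%%/*}" ;;
    *) printf '\n' ;;
  esac
}

# cross_account_symlinks: read `ls -l` lines on stdin and print
#   LINK -> TARGET [exists|missing]
# for each symlink whose target is outside the link's own account.
cross_account_symlinks() {
  local perms nlinks owner group size mon day ts rest link target src dst state
  # `ls -l` has eight fixed columns before the name; `read` collapses the
  # alignment spaces in "Nov  3" and keeps everything after column eight in $rest.
  while read -r perms nlinks owner group size mon day ts rest; do
    case "$rest" in *' -> '*) ;; *) continue ;; esac
    # Split on the literal " -> " so link and target paths may contain spaces.
    target="${rest##* -> }"
    link="${rest% -> *}"
    # A relative target is relative to the directory holding the link;
    # realpath -m normalises the ".." hops without requiring the file to exist.
    case "$target" in
      /*) ;;
      *) target=$(realpath -m "$(dirname "$link")/$target") ;;
    esac
    src=$(account_of "$link")
    dst=$(account_of "$target")
    [ "$dst" = "$src" ] && continue   # link stays inside its own account: normal
    if [ -e "$target" ]; then state=exists; else state=missing; fi
    printf '%s -> %s [%s]\n' "$link" "$target" "$state"
  done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SYMLINKS" | cross_account_symlinks
```

On a real server, feed it the scan output instead: `cross_account_symlinks < /root/symlinks`. Anything pointing at another account's wp-config.php, configuration.php or /etc/passwd is the attacker's read primitive and the target account is the one to treat as exposed.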

Manual bad code search

If the scanners don't find anything but you have a bad code snippet or URL, you can search for it with:

find /home/*/public_html -type f -exec grep -H "horriblehackersite.ru" {} \;

or, with $user set to the account and $badcodesnippet set to the string (quote it so the shell doesn't expand or glob it):

grep -R "$badcodesnippet" /home/$user/public_html/ | grep php > /root/badphp

Get a de-duplicated list of files from the results:

cut -d':' -f1 /root/badphp | sort -u > /root/badphp_${user}_filelist

Note the braces: $user_filelist would be read as a variable named user_filelist (unset, so empty), not as $user followed by _filelist.

Stat them:

while read -r file; do stat "$file"; done < /root/badphp_${user}_filelist >> /root/badphp_${user}.stats

Hacked DB?

Check which table files changed most recently (InnoDB only touches its .ibd files when it flushes pages, so those times are approximate rather than per-query):

ls -lahtr /var/lib/mysql/database_name/ | tail

If it's bad, it should be restored from a known-clean backup, or the site's dev needs to look at it. Sometimes though, you can get away with this:

  1. Dump the site DBs
  2. Grep the .sql dumps for the malicious URLs/code. Don't change anything.
  3. Remove the bad content in MySQL or phpMyAdmin.
  4. Change the database user's password and update the site's config, since the user and password must be treated as compromised.

Also, in phpMyAdmin, you can search all tables in the site database for the known-bad string, wildcards before and after:

%sillyhackername%

Maldet + clamscan separately (old)

Update them both, and make sure quarantine is off (quarantine_hits=0) and ClamAV integration is on (scan_clamscan=1) in /usr/local/maldetect/conf.maldet, so the scan reports instead of moving files:

maldet -d   # update maldet itself
maldet -u   # update the signature set
# Let maldet use cPanel's bundled ClamAV: put clamscan/freshclam in the PATH
# and point /var/lib/clamav at the cPanel signature databases.
if [ -e /usr/local/cpanel/3rdparty/bin/clamscan ]
then
  ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
  ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
  if [ ! -d /var/lib/clamav ]
  then mkdir /var/lib/clamav
  fi
  ln -s /usr/local/cpanel/3rdparty/share/clamav/main.cld /var/lib/clamav/main.cld
  ln -s /usr/local/cpanel/3rdparty/share/clamav/daily.cld /var/lib/clamav/daily.cld
  ln -s /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /var/lib/clamav/bytecode.cld
else
  echo -e "\n\e[31mClamAV does not appear to be installed through cPanel.\nThe ClamAV definitions will not be used.\e[39m\n"
fi
# Confirm quarantine_hits=0 and scan_clamscan=1 (comment lines filtered out):
grep 'clam\|quar' /usr/local/maldetect/conf.maldet | grep -v '#'

If it's all good, do your maldet:

maldet -a /home/oldjoomlasite/public_html/

If you really want to do a clamscan too, you can use this - but if maldet integration with clamscan is on, it's not needed:

clamscan -ir /home/oldjoomlasite/public_html > /root/clamscan.log.`date +%F.%H.%M` &

Parse the reports:

grep home /usr/local/maldetect/sess/session.151103-1157.3554 | grep -v "PATH:" | awk '{print $3}'

Multiple maldets? Tweak the cut:

grep 'home' /usr/local/maldetect/sess/sample_maldet_report1  /usr/local/maldetect/sess/sample_maldet_report2 | grep -v "PATH:" | cut -d':' -f3 | cut -d ' ' -f2

Put both Clam and Maldet results together:

grep home clamscan.log | cut -d':' -f1 >> all_results.log
grep home /usr/local/maldetect/sess/sample_maldet_report | grep -v "PATH:" | cut -d':' -f2 | cut -d ' ' -f2 >> all_results.log
sort -u all_results.log > all_results.txt
cat all_results.txt

Stat it:

for file in $(cat /root/all_results.txt); do stat $file >> /root/all_results.stats; done

Too many results? Sort by date. Use the Change (ctime) line rather than Modify: attackers routinely backdate mtime with touch, but ctime is set by the kernel on every inode change and can't be set from userland, so it still shows when the file was really written:

grep Change all_results.stats | sort
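The parse-merge-stat steps above (and the "Stat them" step of the manual bad code search section) as one added bash example, not from the original page and not maldet's or ClamAV's own tooling. It writes a constructed maldet session file and a constructed `clamscan -i` log to a temp directory (paths and signature names are made up, in the shape the page's greps expect), merges the hits from both, stats whatever still exists sorted by ctime, and then backdates a scratch file's mtime to show that ctime still gives the real write time. The helper names are my assumptions.

```shell
#!/usr/bin/env bash
# Constructed samples in the shape of a maldet session file and a `clamscan -i`
# log. Paths and signature names are made up for this example.
WORK=$(mktemp -d)
MALDET_SESSION="$WORK/session.example"
CLAM_LOG="$WORK/clamscan.log"

cat >"$MALDET_SESSION" <<'EOF'
PATH: /home/oldjoomlasite/public_html/
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : /home/oldjoomlasite/public_html/images/stories/shell.php
{HEX}php.base64.inject.300 : /home/oldjoomlasite/public_html/tmp/cache.php
{HEX}php.nested.base64.512 : /home/oldjoomlasite/public_html/modules/mod_x/a b.php
EOF

cat >"$CLAM_LOG" <<'EOF'
/home/oldjoomlasite/public_html/tmp/cache.php: Php.Malware.Example-1 FOUND
/home/oldjoomlasite/public_html/wp-content/uploads/2015/11/x.php: Php.Malware.Example-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
EOF

# maldet_hits FILE...: one hit path per line. Splitting on the literal " : "
# separator (instead of counting space-separated fields) keeps paths with spaces intact.
maldet_hits() {
  grep -h ' : /' "$@" | grep -v '^PATH:' | awk -F' : ' '{ print $2 }'
}

# clamscan_hits FILE...: the path part of every "<path>: <signature> FOUND" line.
clamscan_hits() {
  awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }' "$@"
}

# merge_hits: union of both scanners' hits, de-duplicated.
merge_hits() {
  { maldet_hits "$MALDET_SESSION"; clamscan_hits "$CLAM_LOG"; } | sort -u
}

# stat_by_ctime: read paths on stdin, skip ones that no longer exist, print
# "<ctime>  <mtime>  <path>" sorted by ctime. ctime is the column to trust:
# `touch -d` can backdate mtime, but ctime is set by the kernel on every inode
# change and cannot be set from userland without changing the system clock.
stat_by_ctime() {
  while IFS= read -r f; do
    [ -e "$f" ] && stat -c '%z  %y  %n' -- "$f"
  done | sort
}

# mtime_before_ctime FILE: true when mtime is older than ctime, the tell-tale of
# a file whose modification time was forged after it was last written.
mtime_before_ctime() {
  [ "$(stat -c %Y -- "$1")" -lt "$(stat -c %Z -- "$1")" ]
}

# Stand-alone run: merged hit list, then a scratch file with a backdated mtime
# to show that its ctime still gives away when it was really written.
merge_hits
printf 'scratch file\n' >"$WORK/backdated.php"
touch -d '2012-01-01 00:00:00' "$WORK/backdated.php"
printf '%s\n' "$WORK/backdated.php" | stat_by_ctime
```

On a real server, point MALDET_SESSION and CLAM_LOG at the session file under /usr/local/maldetect/sess/ and the clamscan log, and pipe `merge_hits | stat_by_ctime` to a file. Files whose ctime clusters around the same minute are one upload batch, and `mtime_before_ctime` on a "legitimately old" file tells you the date was forged.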

Imunify

ImunifyAV is free. Imunify360 has a free trial but requires a license.

ImunifyAV

Control panel install docs:

Interworx: https://appendix.interworx.com/7.9/nodeworx/plugins/install-use-immunify-plugin-interworx.html

Plesk: https://docs.imunifyav.com/imunifyav_for_plesk/

cPanel: https://docs.cpanel.net/knowledge-base/third-party/how-to-install-imunifyav/

Usage:

imunify-antivirus malware malicious list --limit -1 | awk '{print $8,$(NF-1)}' 

https://docs.imunifyav.com/imunifyav/

https://docs.imunifyav.com/cli/

Imunify360

imunify360-agent malware on-demand list
imunify360-agent malware on-demand --by-scan-id $IDWITHMANYRANDOMCHARS

External Scanning Sites

https://sitecheck.sucuri.net

https://transparencyreport.google.com/safe-browsing/search?hl=en

Log Diving

FTP

ls -lah /var/log/messages*
grep "$username" /var/log/messages* | grep uploaded

If compressed:

zgrep "$username" /var/log/messages*.gz | grep uploaded

SFTP/SSH

ls -lah /var/log/secure*
grep "$username" /var/log/secure | grep Accept

If compressed:

zgrep "$username" /var/log/secure*.gz | grep Accept

cPanel

The greps at the end weed out false positives: you're looking for 2xx responses (the request went through), not 401/403 (the panel rejected it).

grep "$username" /usr/local/cpanel/logs/access_log | grep -i 'upload\|fileman\|phpmyadmin' | grep -v " 401 " | grep -v " 403 "
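The three log checks above as an added bash example that is not from the original page: it runs the same kind of filters over constructed sample lines (documentation-range IPs, made-up hostnames, session ids and dates, in the shape of pure-ftpd /var/log/messages, sshd /var/log/secure and cPanel access_log entries), keeps only successful cPanel requests by testing the status field for 2xx instead of excluding 401 and 403, and then counts the source IPs behind all hits so you can pivot from "what happened" to "who did it". The function names and the exact log line formats are my assumptions.

```shell
#!/usr/bin/env bash
# Constructed log lines. Hostnames, IPs, session ids and dates are made up.
USERNAME=oldjoomlasite
MESSAGES='Nov  3 11:40:02 web1 pure-ftpd: (oldjoomlasite@203.0.113.7) [NOTICE] /home/oldjoomlasite//public_html/shell.php uploaded  (1234 bytes, 48.2KB/sec)
Nov  3 11:41:30 web1 pure-ftpd: (otheruser@198.51.100.9) [NOTICE] /home/otheruser//public_html/index.html uploaded  (200 bytes, 5.1KB/sec)'
SECURE='Nov  3 11:42:10 web1 sshd[21345]: Accepted password for oldjoomlasite from 203.0.113.7 port 51522 ssh2
Nov  3 11:42:40 web1 sshd[21360]: Failed password for oldjoomlasite from 198.51.100.9 port 51530 ssh2'
ACCESS_LOG='203.0.113.7 - oldjoomlasite [11/03/2015:11:45:01 -0000] "POST /cpsess0000000000/frontend/paper_lantern/filemanager/upload-ajax.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - oldjoomlasite [11/03/2015:11:44:50 -0000] "POST /cpsess0000000000/frontend/paper_lantern/filemanager/upload-ajax.html HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - oldjoomlasite [11/03/2015:11:46:12 -0000] "GET /cpsess0000000000/3rdparty/phpMyAdmin/index.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.9 - oldjoomlasite [11/03/2015:11:47:03 -0000] "GET /cpsess0000000000/frontend/paper_lantern/filemanager/index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.7 - oldjoomlasite [11/03/2015:11:48:00 -0000] "GET /cpsess0000000000/frontend/paper_lantern/index.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'

# ftp_uploads USER: pure-ftpd upload notices for USER (stdin = /var/log/messages lines).
ftp_uploads() { grep -F -- "$1" | grep -F uploaded; }

# ssh_logins USER: successful sshd authentications for USER (stdin = /var/log/secure lines).
ssh_logins() { grep -F -- "$1" | grep -F 'Accepted '; }

# cpanel_hits USER: file manager / upload / phpMyAdmin requests by USER that
# actually succeeded. The status code is the 3-digit field right after the
# quoted request, so test that field for 2xx rather than grepping out " 401 "
# and " 403 " (which lets 404/500 through and can also match a byte count).
cpanel_hits() {
  awk -v u="$1" '
    index($0, u) &&
    tolower($0) ~ /upload|fileman|phpmyadmin/ &&
    match($0, /" [0-9][0-9][0-9] /) &&
    substr($0, RSTART + 2, 1) == "2"
  '
}

# source_ips: count IPv4 addresses across whatever hit lines are piped in,
# most frequent first. Each sample line carries one address; on real logs
# with several addresses per line, narrow to the client field first.
source_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# all_hits: the three checks for USERNAME over the constructed samples.
all_hits() {
  printf '%s\n' "$MESSAGES"   | ftp_uploads "$USERNAME"
  printf '%s\n' "$SECURE"     | ssh_logins  "$USERNAME"
  printf '%s\n' "$ACCESS_LOG" | cpanel_hits "$USERNAME"
}

# Stand-alone run: the hits, then the IPs behind them.
all_hits
all_hits | source_ips
```

On a real server replace the sample variables with the log files (`cpanel_hits "$username" < /usr/local/cpanel/logs/access_log`, `zcat` for the rotated copies). An IP that shows up in an FTP upload, an SSH login and a cPanel file manager hit for the same account within minutes is the one to block and to search for across every other account on the box.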