Even a company as famous and strong in security as Google, they have been hacked. So one fine day when your competitors hire an IT guy to visit your Web site, are you sure the security system will keep you from harm? Let’s learn the signs of a hacked website and how to handle it effectively and with the least damage.
I. Signs Website is hacked
The home page or subpage has changed its interface (Deface).
There are banana lines that every hacker writes like “Hack by…”, “You have been hacked” and some old-fashioned satirical sentences…
Website source code is inserted with strange scipt code.
When accessing, the browser warns.
Website automatically publishes unauthorized content and news.
Web server appeared strange files, shells, files with encrypted content.
Website automatically sends requests to strange websites often.
When accessing the website through Google search results, there is a warning.
Access to the website is redirected to malicious and advertising websites.
Website was posted on hacker forums, websites that statistics websites hacked by hackers.
II. Methods to handle when the website is hacked
1. Temporary fix
Initially, the administrator should isolate / backup the website state for investigation. Notice “Upgrading/Maintenance” at the homepage so as not to affect the image of the business or agency.
Check and delete strange accounts on the system, change passwords for FTP, SSH, phpmyadmin, database, website admin accounts…
2. Review and handle
To check for modified files on the website can be done by comparing with the backup, use the following command: # diff -qr . Or command: # md5sum. Based on the above information, the administrator will easily see which files are modified or newly created and perform some more checks on these files (diff and md5sum commands are performed on Linux operating systems). .
In case you don’t have a complete backup, you can use the following commands to find files modified by hackers:
- Command to find and sort files by modified time: $ find /var/www/html -type f -printf ‘%TY-%Tm-%Td %TT %p ; ‘ | sort -r
- Command to find modified files within 60 minutes: $ find /var/www/html -type f -mmin -60
- Command to find files modified in the last 7 days: $find /var/www/html -type f -mtime -7
- Command to find modified files within 60 minutes and display file attributes for investigation: $ find /var/www/html -type f -mmin -60 | xargs ls –al
Once the changed files have been identified in the source code, it is necessary to double-check these files using editors to search for dangerous functions commonly used in web shells (Some functions common to php source code: preg_replace, passthru, stripslashes, shell_exec, exec, base64_decode, eval, system, proc_open, gzuncompress, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source).
In addition, you can use some additional tools such as Web Shell Detector to scan more complex shell formats (using name encoding, source code encoding …)
- Check database : Hacker can store backdoor in database, you need to open database and search tables for spam keywords or php functions. Note that you remember to backup the database before doing so.
- Site Analysis : Once the shell file has been examined, conduct an investigation by the shell name in the web logs file to determine the exact shell uploaded via the web vulnerability, and its behavior. Search for malicious code, components of malicious code in the system (if any).
3. Analysis and treatment of hazardous ingredients
After analyzing the scene and obtaining malicious file samples (if any). Conduct behavioral analysis of malicious code to localize and monitor connections to the server. Then remove the malicious code from the infected server by removing the process, deleting the shell file, removing the startup key.
Analyze the behavior of malicious files:
- Can read the shell’s source code to analyze the behavior, for general-purpose webshells can access the webshell’s interface to see the shell’s functions.
- Decompile malicious code to analyze behavior, in addition, you can use tools to monitor file writing or external access.
4. Identify and patch website vulnerabilities:
This is a step that requires the performer to have good professional knowledge and experience to be able to find and fix the vulnerabilities.
First, you need to check in the access log or error log to find all the information related to the hacked website: like the hacked website detects the password, there are some invalid logins from strange IPs, some files Strangely uploaded by FTP. Based on the above information, it is possible to determine whether the website is attacked by revealing passwords or hackers by exploiting other security holes on the website.
Through the strange access logs, find out how to exploit the hacker’s vulnerability. As usual, to upload a file to the website, you must use the POST method, from which you can rely on this information to shorten the search scope to determine exactly how to exploit.
The administrator should check the source code in use, whether there are any security holes, whether the modules and plugins installed on the website are safe.
To determine which module the hacker used to upload malicious files to the server, it is necessary to analyze the log file and find out which module the shell file was uploaded through, which can be investigated by shell name or content. of the uploaded shell file. Read the source to find the code that causes the error and find a way to fix it.
Manually review or use some vulnerability scanning tools such as Acunetix, Burp Suite, etc. to review all the website’s modules to make sure the website has no other vulnerabilities allowing hackers to attack again. again.
After identifying the vulnerabilities, coordinate with relevant departments to patch vulnerabilities, update new versions for source code (for websites using open source such as WordPress, Joomla…) modules, plugins.
5. Investigate the source of the attack
After analyzing the shell and malicious code (if any), find out detailed information about the control server, the address to download the malicious code. Then send a request for help with the investigation to the authorities. Send warnings to other relevant agencies and units to raise vigilance.
6. Get the website back up and running
After completing the review and processing steps, it is necessary to quickly bring the website back to operation to avoid interrupting the operation of the agency or organization for too long.
During the operation and exploitation process, it is necessary to regularly monitor, backup data, and check the security of the website to avoid unfortunate incidents.
Conclusion
No matter how good we are, we are already human, there are always likes and haters. No matter how secure a website is, it must have holes, if a hacker is talented and committed to hacking your website, he will do it. Hopefully, through this article, you can calm down and thoroughly solve the security holes present on your website and have the right solution when attacked by hackers.
