Re: hi, need help

[pinowudi <pinowudi () gmail com>]

Backend doesn't much matter.  If it's the turks, they likely did a
manual hand-jam on the SQL backend through a discovered parameter.  They
like CFM, ASP, PHP, CGI... doesnot much matter.  I would document, take
a copy of your server's web logs, script pages, and sql backend, and
provide to your law enforcement representatives.  Most internet-enabled
countries now have teams for this sort of thing.

As for recovery, injecting attackers like to add tables to your database
and weave them into your pagecode headers/footers/redirects in the
production sql tables.  Either a) know your application so well you can
spot evil code and tables and remove them (with help from your logs) or
b) restore from that backup you took last week.  You did take one, no?

If neither of these is the case and you're stuck, try this hail mary
pass...  You will likely find the compromise event in your web logs
after a google.tr search referencing your backend technology, e.g.
google.tr/q=someterm&inurl=.cfm.  After that will be a series of
attempts to determine how vulnerable you are with some 300 or 500 return
codes.  Then look for an inject pumping a variable with a CAST & EXEC
statement and a large block of hex-encoded text.  If you decode it, it
will end up being SQL commands to add code/tables to your SQL server.
that will be where you look in the database to remove the bad code.  Not
a certain fix, but might save your production if you haven't backed up
recently.  Also, do a thorough search as there may be multiple injects
over time and several places in the DB to cleanse.  Not the recommended
fix, but sometimes you gotta.

BTW, if you find you are hosting evil binaries, please throw them at AV
vendors.  For example, scan it at virustotal.com to submit to many of
the known AV vendors.  Help the rest of us out and stick it to those
that put you in this position!

Tim Clewlow wrote:
> We still don't know what kind of website this is. Is it a CMS, ie
> joomla or plone or something else, are their any known
> vulnerabilities for this, if there are then it should be patched
> (upgraded to fixed version) immediately and then restore from
> backups. Also, do you have a forum on your site? There have been
> vulnerabilities found in many of those. What other add-ons are there
> in your website? Do any of those have known vulnerabilities? Have
> you made any custom additions involving CGI to your site? Are you
> certain this is secure?
>
> Next you need to find out what, if any, other damage was done. Did
> the attacker compromise the web server (probably apache), or, look
> further down to see if the operating system has been compromised.
> This will involve running your file integrity checking system to
> make sure nothing has been altered in the system.
>
> If you don't have a file integrity checking system, then make sure
> your backups are good, nuke the affected system and reinstall
> everything, including a file integrity checking system, eg tripwire.
> Set the integrity checker up to a known good state, then plug in the
> network cable and resurrect the site. And make sure you do regular
> backups.
>
> Congratulations, you are now in a much better position to work out
> what to do if anything like this ever happens again.
>
> Cheers, Tim.
>
> PS - it never hurts to read lots and lots about system security, you
> will learn a ton of stuff about the system in general as well.
>
> > Guys,
> > Hold on ... Seems like from Dhiraj's chat he don't know much about
> > security. Everyone is suggesting vuln. assessment, log file analysis
> > and other techniques which might be new for this guy. Since this guy
> > don't know much about these things so shouldn't he be simply upgrade
> > all the software web server etc .. and carry forward to restore from
> > the backup? I do encourage him to read about security related stuff
> > but that's another go. IMHO provider might not be able to do
> > anything
> > as this sounds like script kiddie attack where they simply change
> > the
> > index page and get a screen shot for their *achievement*.
> >
> > Dhiraj, since you have asked for method to get your original website
> > back, the best way would be to restore from the backups or take a
> > look
> > into your directory structure of website. Most of the times, if you
> > are lucky enough, the hacker simply renames the index (.html, php,
> > jsp, asp) file to something else and upload some relative images.
> > Puts
> > on the new index file and moves on. I don't know what platform your
> > web server was or which OS you were using, but I would go for a full
> > OS reload after such incident because you never know what the hacker
> > did, don't forget to update for software regularly. It may save you
> > to
> > some extent from these sort of things. Also, get a paid security
> > professional if you want an analysis of this incident.
> >
> > Regards,
> > Muhammad
> >
> >
> > On Thu, Nov 13, 2008 at 6:44 PM, Adam Pal <pal_adam () gmx net> wrote:
> > > Hi Mahajan
> > >
> > > 1) take all evidence you can access yourself
> > > 2) contact the provider
> > > 3) ask the provider for saving logfiles related to the incident
> > > 4) ask the provider for a backup (if you dont have a backup
> > > yourself) of your original page
> > > 5) ask the provider to escalate the issue to its security dept.
> > > 6) take legal steps having logs as piece of evidence
> > >
> > >
> > > additional you can inspect the logfiles to determine how the
> > > security breach occured and get way to fix it, otherwise you will
> > > face the same issue again and again.
> > > From this point of view, the information you give is pretty poor
> > > because:
> > > - you dont tell how it is hosted
> > > - you dont tell where it is hosted
> > > - you dont mention what type of service, version etc...
> > > - you dont mention the URL
> > > - you dont mention the timeline
> > > - ...
> > >
> > >
> > > good luck!
> > > Adam Pal
> > >
> > > -------- Original-Nachricht --------
> > > > Datum: Thu, 13 Nov 2008 14:20:48 +0530
> > > > Von: "Dhiraj Mahajan" <dhirajsmahajan () gmail com>
> > > > An: security-basics () securityfocus com
> > > > Betreff: hi, need help
> > > > some hacker has hacked my website. (displaying hacked by turkish
> > > > hacker), now wht shld i do to retrieve my
> > > > original website. so please guide me how to get rid of tht