1.1.1 Analysis of the intrusion
At 1 o'clock in the morning I received a call for help from a friend: his website had been hacked, and visiting the home page automatically redirected visitors to a XXX site. It was time to sleep, but a national meeting was in session and anything happening at that point in time is sensitive, so there was no choice but to get straight to work.
1. Viewing the home page code
Viewing the source code of the home page (index.html/index.php) revealed three pieces of encoded code, shown in Figure 1, inserted in the title and in meta attributes. The other code files were checked and nothing abnormal was found.
Figure 1 Suspicious code in the home page
2. Unicode encoding conversion
The code inserted into the home page is Unicode-encoded. It was copied into an online Unicode decoder (http://tool.chinaz.com/tools/unicode.aspx) with "Unicode to ASCII" selected, as shown in Figure 2. The decoded content is gambling promotion ("spinach" in Chinese slang), in other words black-chain (black-hat SEO link) advertising: the site had been implanted with black links.
Figure 2 Analysis of the links inserted into the site
3. Server status
When the company discovered the problem, the previous ops staff had already left. The site is hosted on a standalone server, and only a website administrator account was currently known, so the server itself could not be accessed directly. Under these circumstances, the following work was carried out quickly:
(1) Log in to the front end and the back end (admin panel) with the known administrator account. The front end could be logged into, but the back end could not, which suggests that files had been modified or deleted; the intrusion could therefore not be examined through the back end.
(2) Scan the target website for vulnerabilities.
(3) Check other websites on the same IP. Looking up other websites on the server's IP address showed 4 other sites on the server; on inquiry, none of the four had been set up by the company. It was suspected that the hacker had set up sites on the server for SEO black-chain services.
4. Website vulnerability analysis
(1) Confirming the website system
The robots.txt file, checked manually, confirmed that the site runs Qibo CMS V7. This system has a great many vulnerabilities; one look and the heart sinks.
(2) Directory listing vulnerability discovered
Manual checks and scanning showed that the server configuration does not disable directory browsing, so every directory on the server can be listed, as shown in Figure 3. Through upload_files a large number of 447-byte PHP files could be seen. The first impression was that these were trojan ("hanging horse") files, black-chain generator files or backdoor files. Comparing against the size of a one-line backdoor: the one-liner <?php @eval($_POST['cmd']);?> is about 30 bytes, far from 447 bytes, so a plain one-line backdoor was ruled out, although an encrypted one-line backdoor remains possible.
Figure 3 Directory listing vulnerability
(3) Local file download vulnerability discovered
From knowledge of the Qibo CMS V7 vulnerabilities, a file download vulnerability was found. The vulnerable URL has the form http://www.*******.org.cn/do/job.php?job=download&url=<Base64-encoded file path>. When encoding the file path, the final letter p must be changed to "<"; for example, to read data/config.php, data/uc_config.php and data/mysql_config.php, the corresponding un-encoded paths are data/config.ph<, data/uc_config.ph< and data/mysql_config.ph<. The URLs used were:
http://www.****.org.cn/do/job.php?job=download&url=ZGF0YS9jb25maWcucGg8
http://www.****.org.cn/do/job.php?job=download&url=ZGF0YS91Y19jb25maWcucGg8
http://www.****.org.cn/do/job.php?job=download&url=ZGF0YS9teXNxbF9jb25maWcucGg8
Accessing these URLs in the browser downloads the files; opening them locally to view the code, as shown in Figure 4, reveals that the database configuration uses the root account.
Figure 4 Obtaining the contents of sensitive site files
The upload_files/kongzhipin.php file was read the same way; its contents, shown in Figure 5, are typical SEO techniques.
Figure 5 Source file of the website's SEO black-chain code
(4) Obtaining the local physical path
By accessing the search.php file in the Cache/hack directory, the real physical path of the site was obtained, as shown in Figure 6. With the MySQL root account and password plus the real path, obtaining a webshell is very close.
Figure 6 Obtaining the real physical path
(5) File upload and IIS parsing vulnerability
As shown in Figure 7, directories named 1.asp and 1.php can be created in the upload directory via ckfinder.html; if the server has a parsing vulnerability, a webshell can be obtained directly.
Figure 7 File parsing and upload vulnerability
(6) Database import vulnerability
As shown in Figure 8, the directory listing vulnerability revealed a database backup file in the database backup directory. With the database username and password obtained earlier through the file download vulnerability, entering them here allows the old data to overwrite the new data. Be very careful in actual testing: once this vulnerability is tested the database will be devastated, because a database import generally drops first and then inserts, so after doing this the likelihood of successfully recovering the data is very low. Site administrators are advised to back up the database and code files regularly!
Figure 8 Database import vulnerability
1.1.2 First round of server security handling
1. Back up the current site code and database
The most important thing is backup: back up the database and the code files to a local machine. Note that it is the current database and source code that must be backed up. If you intend to report the case, it is best to restore the site and data on a backup server and leave the compromised server's data intact, which makes attack analysis and forensics easier. The backed-up source code and database can be used for analysis, and to track and locate the hacker.
2. Use WebShellKill to find backdoor files
(1) Scanning and killing backdoors
Personally I think WebShellKill is a good tool; it can automatically detect many known backdoor files and some virus files. The latest version is 2.0.9, available at http://www.d99net.net/down/WebShellKill_V2.0.9.zip. After downloading, select the directory to scan and start the scan. As shown in Figure 9, hundreds of black-chain and backdoor files were found on the site. One look was a shock; the intruders were really ruthless! Review and delete these suspicious files.
Figure 9 Scanning for backdoor files
(2) Large webshells ("big horse") on the website
As shown in Figure 10, a large number of webshells were found on the server, and these webshells can operate on files, databases and so on.
Figure 10 Large webshell on the website
3. Not the blackest, only blacker
Checking the size of the site: an ordinary site unexpectedly exceeded 20G, which is clearly abnormal. As shown in Figure 11, in Data_cache the hacker had generated up to 218,552 pages for SEO, totaling 15.3G.
Figure 11 Cache files created by the hacker, up to 15G in size
4. Delete the accounts and backdoor files added on the server
(1) Through Computer Management - "Local Users and Groups" - "Users", view all users on the computer. After confirmation with the friend, the users in the red boxes were all accounts added by the hacker, as shown in Figure 12, a total of 7 accounts; delete them.
Figure 12 Accounts added by the hacker
(2) Check the Administrators group and the profile folders of the corresponding users
As shown in Figure 13, use commands to view the Administrators group and the user accounts, and inspect the current users' profile folders. Their profiles contained some hacker attack tools; these files were packed and compressed, and then the users and their profile folders were deleted.
Figure 13 Viewing the Administrators group and the hacker accounts' profile folders
5. Clean up server backdoor files
Cleaning up server backdoor files relies on personal experience and skill. On one hand, antivirus software such as 360 can be installed to scan automatically; as shown in Figure 14, the system disk contained a pile of viruses. The antivirus scan can clean up the first batch, but for a compromised server the recommendation is to rebuild the system!
Figure 14 Virus removal using antivirus software
If there is really no other way, clean up the viruses manually. Use tools such as Autoruns and Process Explorer to check startup items, services, processes and so on; for items without a valid signature, the following methods can be used:
(1) Submit suspicious files directly to the antivirus vendors' websites for engine scanning. Samples can be uploaded directly to Kaspersky and 360 (https://virusdesk.kaspersky.com/, http://sampleup.sd.360.cn/); for more submission addresses see http://www.stormcn.cn/post/782.html.
(2) Search the file name on Baidu and other search engines to see whether there is any relevant information online.
(3) Back up the suspicious program, then delete it.
(4) Stubborn viruses need their processes force-terminated with tools such as IceSword and process managers, and then deleted.
(5) View the current network connections and the programs behind them through CurrPorts (http://www.nirsoft.net/utils/cports.zip).
(6) If you really do not trust the system, run a packet capture program on the server and inspect the outbound connections.
(7) Remember to clear the Shift (sticky keys) backdoor, the Magnifier backdoor and similar tricks that can be used to launch a backdoor from the Remote Desktop logon screen; it is recommended that the Shift, Magnifier and similar programs be cleaned up or disabled directly.
6. Change all accounts and passwords
At this point the first round of site cleanup was complete. Change the accounts and passwords used by all the websites: all passwords, including Remote Desktop, FTP, SSH, back-end administration and database account passwords. Because of the hack, the attacker may have downloaded the database and obtained all the related passwords, so everything must be changed.
7. Restore the site to normal operation
Restore the site to normal operation, and at the same time enable the firewall, opening externally only port 80 and the remote management port.
1.1.3 Second round of server security handling
1. Black chains appear on the server again
Two days later the server had problems again: black chains were found on the site once more, and searching the site's domain name on Baidu and visiting the result led to a XXX site.
2. Manually clean up the backdoor files
(1) Use the WebShellKill tool again to check the site.
(2) Manually inspect all PHP files on the site. Search for all PHP files on the site and sort them by file size; files larger than 20K need to be inspected. As shown in Figure 15, this locates the directory holding the large files, and a look shows that they are mostly webshells. As shown in Figure 16, opening them confirms that they are webshells, but they are encrypted, so WebShellKill cannot detect them; the files' hash values were submitted directly to the WebShellKill tool.
Figure 15 Locating the large files
Figure 16 Viewing the contents of a file
(3) Manually killing cunning backdoors
Inspecting the site's files, those containing encrypted characters or garbled text are mostly webshells, as shown in Figure 17. A file upload page was also found; this kind of tool is difficult for a scanner to detect.
Figure 17 Additional encrypted webshells
(4) Locate backdoor files by analyzing the log files. Search the log files for PHP files and verify them one by one; this can be done with the Nihuo (逆火) log analysis software, introduced below.
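The manual hunt in steps (2) and (3) above, written as a triage script, is an added example and not part of the original write-up. It walks a site directory, flags PHP files that are larger than 20K, look "garbled" (a high share of non-printable bytes, as encrypted webshells do), or contain constructs typical of obfuscated shells, and records each file's size, modification time and SHA-256 so that same-timestamp files can be grouped and hashes submitted to scanners. The size limit, the 30% garbled threshold and the pattern list are assumptions for illustration.

```python
import os
import re
import hashlib
from datetime import datetime

SIZE_LIMIT = 20 * 1024        # "files larger than 20K need to be inspected"
# Constructs typical of obfuscated PHP webshells; a hit means "review by hand",
# not "malicious": legitimate CMS code also uses some of these.
SUSPICIOUS = {
    "eval": rb"\beval\s*\(",
    "base64_decode": rb"\bbase64_decode\s*\(",
    "gzinflate": rb"\bgzinflate\s*\(",
    "assert": rb"\bassert\s*\(",
    "request_var": rb"\$_(?:POST|GET|REQUEST)\s*\[",
}

def garbled_ratio(data):
    """Share of bytes outside printable ASCII/whitespace; encrypted webshells
    show up as 'garbled' text, as noted in the write-up."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
    return bad / len(data)

def triage_file(path, data, mtime):
    """Indicators for one PHP file; the mtime lets same-timestamp files be grouped."""
    return {
        "path": path,
        "size": len(data),
        "mtime": datetime.fromtimestamp(mtime).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(data).hexdigest(),   # for submitting to scanners
        "large": len(data) > SIZE_LIMIT,
        "garbled": garbled_ratio(data) > 0.30,        # assumed threshold
        "hits": [n for n, pat in SUSPICIOUS.items() if re.search(pat, data, re.I)],
    }

def triage_tree(root):
    """Walk root and return the PHP files that need a manual look, largest first."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    data = fh.read()
                info = triage_file(full, data, os.path.getmtime(full))
                if info["large"] or info["garbled"] or info["hits"]:
                    flagged.append(info)
    return sorted(flagged, key=lambda i: i["size"], reverse=True)
```

Run it against the backed-up copy of the site, not the live server, and treat the output as a review queue rather than a verdict.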
3. Find the source code file of the home page black chain
For the home page black-chain source code file, searching Baidu and elsewhere turned up no useful advice. On analysis, its code must be loaded from somewhere, so the source of each JS file was inspected, and finally a file named node.js loaded by the editor component was found; its content, shown in Figure 18, is obviously the implementation. Delete it!
Figure 18 Obtaining the black-chain source code file
After the second round of handling, the site resumed normal operation; at the same time the discovered vulnerabilities, as well as some obvious program vulnerabilities, were repaired.
1.1.4 Log analysis and tracking
1. Manual analysis of IIS logs
(1) Merge the IIS log files into a single file, which can be done with the command: cat *.log > alllog.txt
(2) Go through the backdoor files found in the source code and sort out their file names.
(3) Search the log using the file names as keywords; as shown in Figure 19, this yields the IP addresses that accessed these files, which can be used for tracking and for the attack case.
Figure 19 Manually tracing the hacker's IP address
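The three manual steps above, as an added example that is not part of the original write-up: it parses IIS W3C-format log lines using the #Fields header, maps each backdoor file name to the client IPs and timestamps that requested it, and additionally lists job.php?job=download requests with their Base64 url parameter decoded, so the responder can see which files the download vulnerability exposed. The log lines, IPs and dates are constructed sample data.

```python
import base64
from collections import defaultdict

# Constructed sample in IIS W3C extended format; the #Fields header is parsed,
# so the column order of real logs does not matter.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-03-05 01:12:44 10.0.0.5 GET /index.php - 203.0.113.7 Mozilla/5.0 200
2013-03-05 01:13:02 10.0.0.5 POST /upload_files/kongzhipin.php - 198.51.100.23 Mozilla/4.0 200
2013-03-05 01:13:40 10.0.0.5 GET /cache/hack/search.php - 198.51.100.23 Mozilla/4.0 200
2013-03-05 02:40:11 10.0.0.5 POST /upload_files/kongzhipin.php - 198.51.100.23 Mozilla/4.0 200
2013-03-05 03:01:09 10.0.0.5 GET /do/job.php job=download&url=ZGF0YS9jb25maWcucGg8 192.0.2.99 curl/7.21 200
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the #Fields names."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            values = raw.split()
            if len(values) == len(fields):   # skip truncated lines, do not guess
                yield dict(zip(fields, values))

def backdoor_access(text, backdoor_names):
    """{backdoor name: {client ip: [timestamps]}} for hits on the listed files."""
    wanted = {n.lower() for n in backdoor_names}
    seen = defaultdict(lambda: defaultdict(list))
    for rec in parse_iis_log(text):
        name = rec.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        if name in wanted:
            seen[name][rec["c-ip"]].append(rec["date"] + " " + rec["time"])
    return {n: dict(ips) for n, ips in seen.items()}

def download_attempts(text):
    """(client ip, decoded path) for job.php?job=download requests, so the
    responder sees which files the download vulnerability exposed."""
    out = []
    for rec in parse_iis_log(text):
        if not rec.get("cs-uri-stem", "").lower().endswith("/job.php"):
            continue
        q = dict(p.split("=", 1) for p in rec.get("cs-uri-query", "").split("&") if "=" in p)
        if q.get("job", "").lower() == "download":
            enc = q.get("url", "")
            try:  # pad defensively in case the value was logged without padding
                path = base64.b64decode(enc + "=" * (-len(enc) % 4)).decode("utf-8", "replace")
            except ValueError:
                path = "<undecodable>"
            out.append((rec["c-ip"], path))
    return out
```

Feed it the merged alllog.txt from step (1) and the file names from step (2); every IP it returns is a lead to verify, since shared proxies and scanners also appear in logs.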
2. Hacker account profile analysis and tracking
(1) Obtaining the hacker's QQ number
By inspecting the profiles of the accounts added by the hacker, one can learn which tools the hacker used, which sites they visited, and, as shown in Figure 20, the QQ numbers the hacker logged on with from that server.
Figure 20 Obtaining the QQ number the hacker logged in with
(2) Obtaining the source code of universities attacked by the hacker
Under the hacker's account, three compressed archives of university websites were also found, as shown in Figure 21.
Figure 21 Other targets attacked by the hacker
3. Analysis and processing of website logs with Nihuo
(1) Analysis of the hacker's attack IP address
Install the Nihuo log analysis software on a virtual machine (the software is no longer updated). As shown in Figure 22, after installation you need to set the site URL, the home page file, and the log file name and location; once this is done the analysis can run. Note that to locate the hacker you need to configure the options: add the hacker's backdoor file names to file tracking and hacker attacks.
Figure 22 Analyzing the hacker's IP address and related behavior through logs
(2) Analysis of website vulnerabilities
If the log file is large enough, statistical analysis of accessed resources, errors and other content can be used to identify existing vulnerabilities and attacks; these analyses help patch vulnerabilities and identify attack behavior, and any problems found should be repaired.
1.1.5 Summary and analysis
Reviewing the whole process: it looks simple but was very time-consuming. Dealing with a hacker's SEO black chains on a target website, together with friends in the circle, is a war. The server was full of all kinds of trojans and webshells; the first time I thought I had cleaned it up, but what remained was encrypted webshells and an upload-type backdoor, which are very time-consuming to clean, especially under Windows. The lessons from the whole process are shared here:
1. Back up the database and code files to a local machine or another server.
2. Use WebShellKill to automatically clean the first pass; record or screenshot the shell backdoors found the first time, and above all note the files' timestamps.
3. Search files by timestamp, and give files with the same timestamp a special look.
4. Search all relevant file types, and be sure to manually inspect the large ones.
5. Under Windows, load a Linux-like environment to scan file contents, so that no file containing a backdoor is missed.
6. The JS file that plants the trojan on the home page can be traced to its source by verification.
7. Analyze and process the IIS log files with the Nihuo log analysis software to find vulnerabilities and hacker IPs.
8. Install antivirus software, enable the firewall, perform security cleanup and hardening of the server, and apply system patches.
Quick handling of an intruded website