Website repair and prevention after intrusion

Source: Internet
Author: User

Question:

A long time ago I built a site with a CMS and collected some content for it, then stopped looking after it, and it turned into an unmaintained junk site. Yesterday I happened to notice that the site had been hacked at some point, without knowing when. As a result, the whole site's data had been downloaded and the templates were being sold...
In the past I have always shared how to carry out intrusion testing on other people's websites; this time my own site was penetrated. Haha, I would like to take this opportunity to share the repair and prevention measures to take after a website is compromised, and to look for lessons in the interplay between attack and defence.

1. Discover Problems

Although the small site was not looked after, I would occasionally open it for a look, check the sites it links to, and clean up the links. This time, while cleaning up the links, I found an extra block in the code:

Screenshot: Black link code found on the homepage

It can be determined that the website has been intruded and controlled.

2. Search for tampered files and determine the intrusion time

Find the tampered files. Their modification times tell you when the intrusion happened, and from that time you can work back through the access logs for that window to locate the source of the intrusion.

Screenshot: Locating the tampered file

The compromised site uses a template I wrote myself, so I went straight to the tampered homepage template. Its last modification time tells you when the black link was last inserted.

3. Search logs based on the intrusion time

The CMS generates static HTML for the whole site, so the logs are easy to screen: normal visitors only ever fetch HTML. Planting a WebShell is usually the first step of a website intrusion, so you can go straight to the accesses to dynamic (PHP) files in the log before and after the page was tampered with.

Screenshot: Locating the WebShell

This requires some judgment, because intruders will disguise the location and name of the WebShell. Screen on a couple of principles: files that appear where they should not, and files that are accessed although they are never meant to be requested directly. After locating common.php, I found it was a small PHP backdoor (a "pony" shell).
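The triage described in sections 2 and 3, as an added example that is not part of the original article: take the modification time of the tampered template, pull every request for a dynamic (.php) file from the access log in a window around that time, and rank the hits by the two principles above. The log lines, the tamper time and the scoring weights are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format, RFC 5737 test addresses); not real data.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:02:10:02 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:03:14:41 +0800] "GET /plus/list.php?id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:03:16:05 +0800] "POST /include/common.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2015:03:17:30 +0800] "POST /include/common.php HTTP/1.1" 200 89 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2015:03:40:00 +0800] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Modification time of the tampered template (what `stat` or `ls -l` shows); constructed value.
TAMPER_TIME = datetime.strptime("12/Mar/2015:03:17:30 +0800", "%d/%b/%Y:%H:%M:%S %z")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return the fields this triage needs from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path.split("?", 1)[0], "status": int(status)}

def suspicious_dynamic_hits(log_text, tamper_time, before=timedelta(hours=1), after=timedelta(minutes=10)):
    """Requests to .php files in the window around the tamper time, highest suspicion first.
    The scoring is a hypothetical heuristic for a site whose pages are all static HTML: any .php
    request is noteworthy, a POST more so (shells are driven by POST bodies), and a request to a
    library file under include/ or inc/ most of all (those are included by other code, never fetched)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        if not (tamper_time - before <= rec["time"] <= tamper_time + after):
            continue
        rec["score"] = (1 + (2 if rec["method"] == "POST" else 0)
                        + (2 if re.search(r"/(include|inc)/", rec["path"]) else 0))
        hits.append(rec)
    return sorted(hits, key=lambda r: (-r["score"], r["time"]))

if __name__ == "__main__":
    for h in suspicious_dynamic_hits(SAMPLE_LOG, TAMPER_TIME):
        print(h["score"], h["time"].isoformat(), h["ip"], h["method"], h["path"])
```

On the sample, the two POSTs to /include/common.php from one address rank first, which is exactly the pattern the article's screenshot points at; on a real log, widen the window if the first pass finds nothing, since the shell is usually planted well before the page is edited.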

4. Fix website vulnerabilities and tampered content

Because the CMS is a published version, its vulnerabilities can be found on the Internet. Fix them as instructed. Restrict write permissions on directories and execute permissions for dynamic files; change the website database password and the admin back-end password; repair the tampered page and restore the original.

5. Find PHP Trojans

Download a PHP Trojan scanning script from the Internet and run it, or use the following commands to search the files (the patterns match eval() calls wrapped in gzuncompress() or base64_decode(), and the names of well-known public shells):

find /site -type f -name "*.php" -print0 | xargs -0 grep -n "eval("
find /site -type f -name "*.php" -print0 | xargs -0 grep -n "base64_decode"
find /site -type f -name "*.php" -print0 | xargs -0 egrep -n "phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc"

Analyze the search results, verify each hit (legitimate CMS code also calls base64_decode), and delete the backdoors.

6. Trace intruders based on IP addresses

Tracing the attacker yourself involves too many variables, and it is hard to find the real attacker: spoofed IP addresses, dynamic ADSL addresses and public IP addresses shared by many broadband users are not easy to track. If the attack is serious, contact the public security authorities directly and preserve the information and evidence.

Let's take the IP address obtained from the logs and search for it in a search engine; it may produce a result. Unexpectedly, the search turned up results for exactly that IP address.

Screenshot: Searching for the IP address in a search engine

After opening the page, you can see that the IP address belongs to a user, but by itself that proves nothing. If the timing matches the intrusion, it becomes convincing. If you are interested, you can look into the user's public online footprint to judge whether the user is the intruder.

7. Summary

Network security is the perfect embodiment of the barrel effect (the shortest stave sets the water level): a single vulnerability or a single permission misconfiguration can be the decisive cause of an intrusion. In day-to-day operations and maintenance, carry out every security measure carefully to prevent problems before they happen.

About intrusion: After the intrusion, the most important step is to clean all kinds of log information, so as not to leave a problem for yourself. In addition, if you need to leave a backdoor, you can hide it more deeply for future use. If you do not need a backdoor, you must clear the relevant files to avoid future risks.

By the way, tampering with files on someone else's site is already against the law. Please do not imitate it unless necessary.
