WebProWorld Part of WebProNews.com
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1  07-18-2007, 05:00 PM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
If your site has been hacked-- things to check

I've had two clients in the last few months who have reported disturbing activity. One had a whole phishing site hidden deep within her site, and the other had hidden links put into his wordpress footer template file.

In both these cases the person who did the hacking had to have some sort of access. In the first case ftp access was required, in the second it could have happened through either ftp/cpanel or wordpress admin.

In the first case the culprit was a trojan keylogger on the client's computer. I'm waiting to hear back from the second.

I just told him to change ALL his passwords to every damn thing, his site, his wordpress installation, his email, his online banking, his paypal and ebay accounts, etc. Then to run the online scan here:
a-squared Web Malware Scanner - Scan and clean your computer from Trojans, Worms, Dialers, Keyloggers and Spyware/Adware for free! (IE/activex required for scan)

Then, if the box comes up dirty, and I'm having a feeling it will, since I know he's an IE user, I told him to get the box cleaned and then change all passwords AGAIN.

I've also suggested monitoring the urls accessed in stats to check for anomalies.

Keeping your site safe also means keeping your computer safe as well.

If anyone else has any suggestions, I'd appreciate hearing them.

Last edited by bj : 07-18-2007 at 05:02 PM. Reason: addition
#2  07-19-2007, 12:11 PM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check
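As an added example for the two findings bj describes (a phishing kit parked deep inside a site, and hidden links written into a theme footer), not code from the original thread or from any of the posters: a Python script that first reviews access-log lines for served paths that look out of place (the "urls accessed in stats" check) and then scans a template for links hidden with CSS. Every log line, path, host name, the known-prefix list and the footer HTML below are constructed for the example.

```python
import re

# --- Part 1: access-log review ------------------------------------------------
# Constructed sample lines in Apache combined-log format; hosts, paths and
# addresses are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2007:14:01:22 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Jul/2007:14:01:25 -0400] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jul/2007:14:02:03 -0400] "GET /images/.cache/bank/login.htm HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Jul/2007:14:02:41 -0400] "POST /images/.cache/bank/verify.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.33 - - [18/Jul/2007:14:03:10 -0400] "GET /about/ HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
192.0.2.40 - - [18/Jul/2007:14:03:55 -0400] "GET /images/.cache/bank/login.htm HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
192.0.2.41 - - [18/Jul/2007:14:04:12 -0400] "GET /paypal/update.php HTTP/1.1" 200 1980 "-" "Mozilla/4.0"
192.0.2.42 - - [18/Jul/2007:14:04:30 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 290 "-" "Mozilla/4.0"
"""

# Paths the (hypothetical) site owner knows are supposed to exist.
KNOWN_PREFIXES = ("/index.php", "/about/", "/wp-content/", "/wp-admin/", "/wp-login.php", "/images/")
# Directories that should only ever serve static assets, never scripts or pages.
STATIC_ONLY = ("/images/", "/wp-content/uploads/")
SCRIPT_EXT = {"php", "htm", "html", "cgi", "pl", "asp"}

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_requests(log_text, known_prefixes=KNOWN_PREFIXES, static_only=STATIC_ONLY):
    """Return {path: {"count": n, "reasons": [...]}} for requests the server actually
    served (status < 400) whose path looks out of place."""
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m.group("status")) >= 400:
            continue  # unparsable, or a 404: probes for pages that do not exist are noise here
        path = m.group("path").split("?", 1)[0]
        reasons = []
        if not any(path.startswith(p) for p in known_prefixes):
            reasons.append("unknown-path")
        if any(seg.startswith(".") for seg in path.split("/") if seg):
            reasons.append("hidden-dir")  # dot-directories are a common place to park a phishing kit
        last = path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if ext in SCRIPT_EXT and any(path.startswith(p) for p in static_only):
            reasons.append("script-in-static-dir")
        if reasons:
            entry = flagged.setdefault(path, {"count": 0, "reasons": set()})
            entry["count"] += 1
            entry["reasons"].update(reasons)
    return {p: {"count": e["count"], "reasons": sorted(e["reasons"])} for p, e in flagged.items()}


# --- Part 2: hidden links in a template ----------------------------------------
# Constructed footer fragment; the spam hosts use the reserved .invalid TLD.
SAMPLE_FOOTER = """
<div id="footer">
  <p>&copy; 2007 Example Site. <a href="http://www.example.com/privacy/">Privacy</a></p>
  <div style="display:none"><a href="http://cheap-pills.invalid/">cheap pills</a> <a href="http://casino.invalid/">online casino</a></div>
  <a style="font-size:0px" href="http://loans.invalid/">payday loans</a>
</div>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|left\s*:\s*-\d{3,}px", re.I)
TAG_RE = re.compile(r"<(/?)(\w+)([^>]*)>", re.S)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


def hidden_links(html, own_host):
    """Return hrefs pointing off-site that are hidden by their own style or sit
    inside a hidden wrapper element. Walks the tag stream with a depth stack."""
    findings, stack, hidden_depth = [], [], 0
    for m in TAG_RE.finditer(html):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in VOID_TAGS or attrs.rstrip().endswith("/"):
            continue  # elements that never get a closing tag
        if closing:
            if stack and stack.pop():
                hidden_depth -= 1
            continue
        is_hidden = bool(HIDDEN_STYLE.search(attrs))
        if name == "a":
            href = re.search(r"href=[\"']([^\"']+)", attrs, re.I)
            if href and (hidden_depth > 0 or is_hidden) and own_host not in href.group(1):
                findings.append(href.group(1))
        stack.append(is_hidden)
        if is_hidden:
            hidden_depth += 1
    return findings


if __name__ == "__main__":
    for path, info in suspicious_requests(SAMPLE_LOG).items():
        print(f"{info['count']:>3}  {path}  [{', '.join(info['reasons'])}]")
    for href in hidden_links(SAMPLE_FOOTER, "example.com"):
        print("hidden link:", href)
```

Run it against the real access log and the theme's footer.php (pass the file contents in place of the samples); a served page under a dot-directory or a script inside an image folder is worth a look even when the hit count is small, because a phishing kit only needs its victims, not your regular visitors, to find it.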

Just to add a couple of suggestions:

First, after your computer is compromised by a virus or other malware, replace your antivirus. This means uninstall, redownload, and reinstall. Some viruses today have a routine that removes the scanning component of the antivirus software, but leaves everything else intact, so it looks like the software is running when it is no longer functional.

Second, get Nessus (nessus.org - registration required but free to use). This is a very popular vulnerability assessment tool. Running this software on your internal network from a computer on that network does a good job of simulating an attack as if that local computer was compromised. The Nessus report will give you a list of security vulnerabilities for all the devices on your network. It is important to keep the individual computers as secure as possible, as well as your internet connection. No matter how good your firewall is, there is still some chance of a compromise, so securing the individual workstations is almost as important as securing your firewall.
__________________
The best way to learn anything, is to question everything.
#3  07-19-2007, 01:05 PM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check

Most of my clients are experts in everything BUT computers. So I just tell them to take the box to their computer tech and get it cleaned, figuring a tech SHOULD know what to look for once he's told the box has been owned by hackers, or at least that is the theory. I've also suggested that if their current AV didn't catch this problem they've had, it's probably not a very good AV. I've been recommending Kaspersky AV/Firewall combo, since it's been fairly bulletproof for me (***knock on wood***).
#4  07-20-2007, 05:49 AM
NetProwler (WebProWorld Member; joined Jan 2007; 46 posts)
Re: If your site has been hacked-- things to check

As they say in Perl - there are many ways to get the job done.
Run TCPView from Sysinternals which will let you see what kind of connections your computer has and the processes which initiated them. If you are reasonably familiar with the processes running in your computer, you should spot any undue process accessing any outside servers.

If you have no browser/Outlook open, your residual internet activity should dwindle down to almost nothing.

This checking should be routine for a computer used for any serious activity.

It is only a beginning.
#5  07-20-2007, 09:16 AM
rmtagg (WebProWorld New Member; joined Oct 2006; PA; 8 posts)
Re: If your site has been hacked-- things to check
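An added example, not from NetProwler's post and not Sysinternals code, of the same check done from saved command output instead of the TCPView window: it joins the output of `netstat -ano` with `tasklist` to name the process behind every established connection to an address outside the local network, and flags processes that are not on a short list of programs you expect to talk to the internet. Both command outputs below are constructed for the example (the addresses are documentation ranges and the process name `svhost32.exe` is invented), and the list of expected programs is an assumption you would adjust for your own machine.

```python
import ipaddress

# Constructed sample in the layout of `netstat -ano` (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     1204
  TCP    192.168.1.10:1052      198.51.100.20:80       ESTABLISHED     2840
  TCP    192.168.1.10:1061      203.0.113.77:6667      ESTABLISHED     3316
  TCP    192.168.1.10:1062      203.0.113.77:21        ESTABLISHED     3316
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample in the layout of `tasklist` (not a real capture).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         28 K
svchost.exe                    912 Services                   0      4,120 K
explorer.exe                  1204 Console                    1     18,300 K
iexplore.exe                  2840 Console                    1     33,812 K
svhost32.exe                  3316 Console                    1      2,204 K
"""

# Programs this (hypothetical) workstation is expected to see on the internet.
EXPECTED_TALKERS = {"iexplore.exe", "firefox.exe", "outlook.exe", "explorer.exe"}

# RFC 1918 plus loopback and link-local. A hand-built list is used rather than
# ipaddress.is_private because that flag also covers the documentation ranges
# used as "remote" addresses in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_netstat(text):
    """Yield one dict per TCP line: local, remote, state, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            conns.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name; header and ruler lines have no numeric second column."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            pids[int(parts[1])] = parts[0]
    return pids


def is_external(addr):
    host = addr.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*:*" and similar placeholders
    return not any(ip in net for net in INTERNAL_NETS)


def unexpected_outbound(netstat_text, tasklist_text, expected=EXPECTED_TALKERS):
    """Return (image, pid, remote) for established external connections owned by
    a process that is not on the expected list."""
    pid_map = parse_tasklist(tasklist_text)
    allowed = {e.lower() for e in expected}
    findings = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED" or not is_external(c["remote"]):
            continue
        image = pid_map.get(c["pid"], "<unknown pid>")
        if image.lower() not in allowed:
            findings.append((image, c["pid"], c["remote"]))
    return findings


if __name__ == "__main__":
    for image, pid, remote in unexpected_outbound(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}) -> {remote}")
```

As NetProwler says, this only works if you know what normally runs on the box: the value is in the diff between today's list and the quiet baseline you took with no browser or mail client open.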

Quote (originally posted by NetProwler):
As they say in Perl - there are many ways to get the job done.
Run TCPView from Sysinternals which will let you see what kind of connections your computer has and the processes which initiated them. If you are reasonably familiar with the processes running in your computer, you should spot any undue process accessing any outside servers.

If you have no browser/Outlook open, your residual internet activity should dwindle down to almost nothing.

This checking should be routine for a computer used for any serious activity.

It is only a beginning.
How does one do this?? Sorry not very computer savvy
#6  07-20-2007, 10:44 AM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check

TCPView can be downloaded from Microsoft TechNet at TCPView for Windows v2.4; instructions for using the program are included on that page.
#7  07-20-2007, 11:06 AM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check

Very cool tool! However, I doubt my gaggle of weblings will understand this. They're more on this level:
Active Security Monitor - AOL Internet Security Central

#8  07-20-2007, 11:36 AM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check

I just got into an email discussion with someone on this topic. She's on a Mac. Her website was hacked. We speculated as to how that could have happened since Apple keeps insisting that there's little risk of viruses or trojans on Apple machines.

My speculation?

She may have used open wifi access points to access ftp or her admin area of her website and the un/pw may have been snarked off the connection.

So maybe we also need to open up the discussion to that aspect. I know that there are anonymizers for windows and linux machines, which will encrypt two way traffic when using open networks. Anyone else have any ideas?

I also suggested she might have a less than optimal sysadmin at her hosting.

Slashdot has been reporting an uptick in Mac Worms and security vulnerabilities, so maybe with the advent of Vista (resulting in larger popularity for Mac!) it's possible that destructive hackers may turn their sights on Macs now, as well as Windows.
#9  07-20-2007, 12:12 PM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check

FTP should never be used, because the passwords are transmitted in plain text and can be intercepted anywhere along the line. You should run FTP over your SSH connection, which automatically encrypts the communication with 256-512bit encryption. Almost all current FTP software supports SFTP and you use it the same way as normal FTP.

As far as Macs being more secure... this is based on the fact that fewer vulnerabilities have been discovered. Note, this doesn't mean that fewer vulnerabilities exist, just that less time is spent looking for them since the Mac OS has such a small market share. The more popular the OS becomes, the more it will be targeted and the more vulnerabilities will come to light.
#10  07-20-2007, 12:19 PM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check

I should also point out, because of the amount of wireless traffic around some hotspots, wireless encryption should not be trusted. There is software available capable of decrypting WEP encryption in about 2 hours, and capturing all the packets during the decryption process to allow all those messages to be decoded. Properly implemented SSL or SSH should give you the greatest protection against eavesdropping.
#11  07-20-2007, 12:32 PM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check

Quote:
Properly implemented SSL or SSH should give you the greatest protection against eavesdropping.
Do you have any links to articles that might explain this better?
#12  07-20-2007, 01:44 PM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check

There are a few different implementations of FTPS or FTP over SSH. The most common is to use the server's SSH port (typically port 23, which is more or less an encrypted version of the telnet port 21) to establish the control connection over which the FTP username and password, as well as the file commands, are transmitted. This method does not encrypt the actual files, only the commands, but the primary purpose is to keep the username and password secure. Wikipedia has an article about this subject with a good selection of links to software apps (FTP servers and clients) that support the various methods at FTPS - Wikipedia, the free encyclopedia.

If your question was about using SSL/SSH to further secure WEP, I don't have a specific article, but I can give a very basic example. Most people know how to encode speech into pig latin - that is more or less a weak, easily broken cipher like WEP. Knowing how pig latin works, you can easily decode any message encoded in that way. However, if I am talking to someone in Spanish (think SSL or SSH) and then encoding it in pig latin, when you decode the pig latin, you are left with the Spanish conversation. If you don't know Spanish, you won't be able to understand the conversation despite having broken the first level of encryption.

Granted, WEP is used less and less, but people are rapidly finding ways of decoding wireless communications. SSL and SSH however have not yet been broken in any practical way.
#13  07-24-2007, 02:24 AM
NetProwler (WebProWorld Member; joined Jan 2007; 46 posts)
Re: If your site has been hacked-- things to check

SSH port is usually set at 22, but many admins set it to any arbitrary port under the premise - Security by Obscurity. While at the topic of SSH, you can use tunnels - encrypted virtual private network between your computer and the remote computer using the same Secured Shell (SSH). For a quick start try this - Bitvise Tunnelier. It does a lot of things - SFTP is one of them.
#14  08-07-2007, 06:23 PM
LD (WebProWorld Member; joined Apr 2006; 72 posts)
Re: If your site has been hacked-- things to check

Quote (originally posted by wige):
Just to add a couple of suggestions:

First, after your computer is compromised by a virus or other malware, replace your antivirus. This means uninstall, redownload, and reinstall. Some viruses today have a routine that removes the scanning component of the antivirus software, but leaves everything else intact, so it looks like the software is running when it is no longer functional.
Just curious - if a person has their AV prog set to do a full scan at regular intervals or chooses to do a manual scan and this virus has disabled the ability of the prog to scan, one would be able to detect (at least visually) that the scan isn't working - correct?
#15  08-07-2007, 06:38 PM
deepsand (WebProWorld 1,000+ Club; joined May 2004; Philadelphia, PA; 1,721 posts)
Re: If your site has been hacked-- things to check

Quote (originally posted by LD):
Just curious - if a person has their AV prog set to to do a full scan at regular intervals or chooses to do a manual scan and this virus has disabled the ability of the prog to scan, one would be able to detect (at least visually) that the scan isn't working - correct?
Actually, the scanner is not removed. Rather, it is modified by the virus to not recognize the infection, thereby giving the appearance that all is well.

A well developed AV application will, in the course of its regular updates, correct such modifications. However, not all AV products are either so well developed and/or so nimble as to be able to avoid being re-modified.

As removing & re-installing some AV products, particularly Norton Anti-Virus, can be exceedingly problematic, yielding a "busted" machine, to the point that the hard drive may need to be completely re-imaged, a better route is to use one or more different AV products to scan the machine before resorting to removing the existing AV application.
#16  08-08-2007, 09:57 AM
wige (WebProWorld Moderator; joined Jun 2006; United States; 1,782 posts)
Re: If your site has been hacked-- things to check

Some of the more sophisticated viruses I have seen will delete the entire antivirus application, and replace it with icons and user interface elements written into the virus. I think an experimental MyDoom variant did this. These are mostly proof of concept viruses. The other thing I see happening is that the virus will place a script in the root (rootkit) that monitors known antivirus definition files, and replace them with a blank file. Each time the antivirus program downloads an update, the virus simply replaces the definitions with an empty or partial file, set up so the antivirus software can't tell the difference. This is a lot more common, and is usually used by viruses that are trying to turn your computer into a zombie for spam, needing to avoid detection as long as possible.
#17  08-08-2007, 10:09 AM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check
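The definition-file trick wige describes (an update lands, but the malware swaps the new definitions for an empty or stale file the AV does not notice) is exactly the kind of thing a file-integrity check catches. The following is an added example, not code from the thread or from any AV vendor: it snapshots size and SHA-256 of a set of definition files, then compares the snapshot taken after a claimed update against the baseline and reports files that were emptied, heavily truncated, or not changed at all. The file names and contents are constructed placeholders written into a temporary directory; with a real product you would point it at the vendor's definition directory and run it after each update.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large definition sets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory, names):
    """Record (size, sha256) for each named definition file."""
    out = {}
    for name in names:
        p = os.path.join(directory, name)
        out[name] = (os.path.getsize(p), file_digest(p))
    return out


def check_definitions(before, after, update_expected):
    """Compare two snapshots and return (name, issue) pairs.

    'emptied'                - the file is now zero bytes (the blanking trick)
    'truncated'              - the file lost more than half its size
    'unchanged-after-update' - an update was supposed to land but the hash did not move
    """
    issues = []
    for name, (size0, hash0) in before.items():
        size1, hash1 = after[name]
        if size1 == 0 and size0 > 0:
            issues.append((name, "emptied"))
        elif size1 < size0 // 2:
            issues.append((name, "truncated"))
        elif update_expected and hash1 == hash0:
            issues.append((name, "unchanged-after-update"))
    return issues


def run_demo():
    """Build a throwaway definitions directory, simulate a tampered update, report."""
    names = ("main.def", "daily.def", "engine.dat")  # hypothetical file names
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Baseline: constructed placeholder bytes standing in for real signatures.
        write("main.def", b"SIG-BLOCK-" * 400)
        write("daily.def", b"DAILY-SIG-" * 200)
        write("engine.dat", b"ENGINE-V1-" * 100)
        before = snapshot(d, names)
        # A vendor update arrives: main.def really changes, daily.def comes back
        # as an empty file, and engine.dat is left exactly as it was.
        write("main.def", b"SIG-BLOCK-" * 420)
        write("daily.def", b"")
        after = snapshot(d, names)
        return check_definitions(before, after, update_expected=True)


if __name__ == "__main__":
    for name, issue in run_demo():
        print(f"{name}: {issue}")
```

The "unchanged-after-update" rule is deliberately noisy: an engine file may legitimately sit still across several signature updates, so in practice you scope that rule to the files the vendor's update log says it replaced, and keep the emptied/truncated rules on everything.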

I've long been in the habit of running an online scan a few times a month to "doublecheck" my AV for this reason, and I use different ones in rotation.

F-Secure Support pages: F-Secure Online Virus Scanner
Free online antivirus. Download ActiveScan and clean your PC. Panda Security
Free Virus Scan - Kaspersky Lab
Trend Micro HouseCall - Free Online Virus and Spyware Scan
#18  08-08-2007, 07:12 PM
deepsand (WebProWorld 1,000+ Club; joined May 2004; Philadelphia, PA; 1,721 posts)
Re: If your site has been hacked-- things to check

Yes; given that an AV application provider's local files are far less likely to be compromised than are those stored remotely on a user's machine, using remote or "on-line" scans in addition to those of your locally installed AV application is definitely a good idea.

Trust; but, verify.
#19  08-08-2007, 09:38 PM
LD (WebProWorld Member; joined Apr 2006; 72 posts)
Re: If your site has been hacked-- things to check

I'm just curious - In this "time", when being a little paranoid is a good thing, how does everyone feel about online services scanning your workstations? I realize we have our software reaching out to HQ for updates and such, but that is a little different than having someone else scan your complete system from another location. Again, I'm just curious.
#20  08-08-2007, 09:42 PM
bj (WebProWorld 1,000+ Club; joined Apr 2005; Delaware Valley, PA; 1,186 posts)
Re: If your site has been hacked-- things to check

Well, I wouldn't let AT&T scan my files (at least not knowingly . . . )