Note: This is NOT a tutorial for webmasters; it is for the hackers who are interested in restoring a defaced site :)

1. GET BEHIND A VPN
Yes, it's true that you're just trying to help, but that does not mean you should expose yourself.
The site admin is not going to care who you are. If they complain to the cyber police they will hand over ALL THE LOGS, and the blame will land on YOU, because you are easier to arrest than an attacker in another country. Good intentions do not make the access authorized.
This is the sad truth. ACCEPT it, and DO NOT expect fame and glory for what you're about to do.


2. Know what you are dealing with
Before you start, there are a few questions you should ask yourself:

Is this site worth my time?
Always give priority to the major sites first; only move on to the smaller sites when you are done with the major ones.

Is it an index deface, or just http://www.site.com/hackpage.html?
If it's the second one, it is a low-priority hack.

Is the site on a dedicated or a shared server?
Knowing which type makes all the difference to what the attacker could reach.

Does it look like the hacker rooted it?
When it's shared hosting and a mass defacing has been done, it is probable that the server itself has been rooted rather than one site's application.

3. Gain access
The first thing to do is to see if the hacker left behind any shells.

Places to look are
/image/ (and any other upload directory)
/admin/
etc.

If you can't find one manually, here is a good plugin for Uniscan --> http://uniscan.sourceforge.net/?p=161
Can't find a shell? That's OK, proceed to the next step.
Now look at all the application-level vulnerabilities,
i.e. XSS, RFI, LFI, SQLi --> the most common.
Figure out how the hacker got in and follow the same route. Note that XSS alone runs in visitors' browsers and will not give you a shell on the server; RFI, LFI and SQLi are the ones that can lead to code execution or file writes.
Still NOTHING?
If that does not work, look at all the open ports and see if the server is running an outdated/vulnerable service,
and gain system privileges through that service.
Somehow get a shell or a backdoor up.
Don't forget that if the attacker found a way in, YOU CAN TOO!!

Removing backdoors
First, before you restore anything, you have to make sure that you remove ALL the backdoors left by the hacker.
As with finding them, use multiple methods to make sure every shell is gone:
http://uniscan.sourceforge.net/?p=161 
http://25yearsofprogramming.com/blog/2010/20100315.htm
http://ketan.lithiumfox.com/doku.php?id=...ll_scanner
http://25yearsofprogramming.com/php/find...uscode.htm 
https://github.com/Neohapsis/NeoPI 

Note: some of these need you to install a few dependencies.
If you have access to a terminal you can use this (the {php,txt,asp} brace expansion needs bash; in plain sh spell out --include=*.php --include=*.txt --include=*.asp):

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

The above command says:
check only files with the extensions php, txt or asp (you can add more);
match the strings "passthru", "shell_exec" and so on, followed by optional spaces and an opening parenthesis (you can add/remove patterns);
start the recursive search from /var/www/.
Be aware that fopen, fclose, readfile, chmod and mkdir appear in plenty of legitimate PHP, so this list as written will flag many clean files. eval, base64_decode feeding an eval, and the exec-family calls (system, passthru, shell_exec) are the stronger signals, and a file whose modification time matches the defacement is worth reading whatever the grep says.

4. The actual restoring
See if the hacker has renamed the original index file to index1.php or indexold.php etc.
If you can't find the original files you will have to use data recovery methods (these need escalated privileges): http://www.linuxforu.com/2011/09/recover...-in-linux
If all these methods fail, replace the index with a blank white page or a "Maintenance" page.

5. Prevent future attacks on the server
Now that you know the method the attacker used to gain access, you should start closing the security holes.

A few tips:
If the server was rooted then update the kernel, change the root password and remove all newly added accounts. Keep in mind that once an attacker has had root you cannot prove the box is clean by inspecting it from the inside; the admin's only reliable fix is a rebuild from known-good media and backups.

Firewall:
If it is a shared server and lots of sites are vulnerable to SQL injection then I suggest installing an up-to-date WAF to keep away the skids (there is still a possibility that it can be bypassed).

Some recommended WAFs:
http://www.modsecurity.org/download/ 
http://www.aqtronix.com/?PageID=167 --> IIS

Admin pages:
If the admin page is vulnerable to shell upload then rename the admin login file to something like "randomtextadminpage1231ew8712.php/.html" to stop the attacker from walking straight back in. This is obscurity, not a fix: it buys time until the upload handler itself is patched.

Trolling the hacker:
Most of the time index files are named like this:

IIS: default.asp/.aspx
Apache: index.php/.html

But this is easily changeable in Apache by editing the .htaccess file
http://www.javascriptkit.com/howto/htaccess6.shtml
So you can make the index file something like 12d9au.html; when the attacker replaces the index.php/.html file the site will still load our 12d9au.html as the default document :D
Most attackers will go mad trying to figure it out XD
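As an added example (not from the original post), this is the .htaccess fragment that does what the paragraph describes, using the post's own 12d9au.html as the file name. It assumes Apache with mod_dir loaded and a vhost that grants AllowOverride Indexes Options for the directory; nothing besides the file name is from the page. Two caveats: mod_dir serves the first name in the DirectoryIndex list that exists, so the renamed file must come first; and an attacker with write access to the web root can overwrite .htaccess just as easily as index.php, so this only confuses someone who can replace index.* but cannot look around.

```apache
# .htaccess in the web root (added example; 12d9au.html is the post's own file name)
# Serve our renamed index first; fall back to the usual names only if it is missing.
DirectoryIndex 12d9au.html index.php index.html
# Keep directory listings off so the real index file name is not handed out.
Options -Indexes
```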
Don't forget to leave a .txt file listing all the vulnerabilities so that the site admin can read it (he/she is the only one who can fix them permanently).
And if you ever fail in restoring a site then don't worry, it is not a shame to you or your country ... ALL THE BLAME GOES TO THE ADMIN

------------------------------------------------------------------------------------------------------------------------------------------------------------
That's all folks! Have a great day :)
