What to do after your site has been hacked

[fs_tigre]

Hi,

Today when I checked the site of one of my clients I noticed that it was hacked, a big note was on the index page, I changed the index page and changed the password to access the cpanel (server) and everything looks fine now but I started wondering what if they left some malicious scripts or some code in the server that I’m not seeing.

What are the steps I should follow to make sure there is no malware in the server and to ensure the my files don't contain malicious code?

Any good books on web security for future reference?

Any suggestions?

As always thanks a lot!

[ralph.m]

Hmm, good question. I would probably use Dreamweaver to compare the local and remote files. That would possibly indicate if there was anything on the server that I didn't expect to be there. [Replace Dreamweaver with whatever program you use to design and/or upload.]

[fs_tigre]

Thanks a lot!

[Aleksejs]

I've summarized here:
http://www.sitepoint.com/forums/show...37&postcount=2

[fs_tigre]

Wow! great info, thanks a lot.

[WeWatch]

First, I suggest checking all of the file and folder permissions. It's generally recommended that folders be set to nothing higher than 755 and files nothing higher than 644. We frequently see permissions modified after a website infection.

Second, check all .php files for the following strings:

touch
chmod
passthru
system
base64
eval
rot13
gzinflate

You can't just assume files with the above strings are bad, but those files should be investigated more thoroughly.

Keep in mind that looking only at files with a recent datetime stamp is not very secure. Many of the backdoors we're seeing on infected websites have the ability to change/modify the datetime stamp of any file on the website. We've also been seeing backdoors that have valid comments in them. For instance, on one osCommerce based site, the backdoor had the exact same osCommerce comments/header as other valid files.

As a good measure, assume that all passwords stored on the site have been stolen. Change all passwords: MySQL, cPanel, FTP - everything.

[fs_tigre]

Thanks lot for the good information, I wish I could learn more about this type of things.

I just ordered a book called Apache Security, will this help to learn about web security?

http://www.amazon.com/Apache-Securit...5773193&sr=8-1

Thanks a lot

[WeWatch]

It's a good book and full of great information. However, unless you're on a dedicated server, much of it won't apply to you.

Some other good books are: Hardening Apache, Preventing Web Attacks with Apache, Pro PHP Security, ModSecurity 2.5 and Essential PHP Security.

Obviously the PHP books are more toward programmers, but the information is still relevant for anyone with a website - I think.

Any questions you have, just ask! There are many good responders in this forum.

[fs_tigre]

Wow! those are the books I was looking for, thank a lot.

Any questions you have, just ask! There are many good responders in this forum.

I have said this so many times... I LOVE THIS FORUM, I honestly don't know what I would do without it.

[Aleksejs]

Also there is a lot of info in thread that is mentioned in my signature (~;
Bear in mind though that it takes time and expertise to be able to secure everything properly and you have to reiterate all process: Protection->Detection->Action on regular basis.

[fs_tigre]

Thanks a lot!

[fs_tigre]

I found this helpful!

http://25yearsofprogramming.com/blog/20070705.htm

Thanks