Resources on web application security

I had responded to a member’s request for steps to combat and recover from a “Hack Attack” and it seemed better to add it to this sticky thread:

  1. Immediately delete all FTP access except one (master for the account).

  2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.

  3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

  4. Additionally, I use a CRON to SHA1 hash verify that files have remained unchanged over the last xx hours for “peace of mind.” I created and use the script shown at http://www.sitepoint.com/detect-hacked-files-via-cronphp/ but would recommend that NO file extensions be listed so that, if a hacker were to inject a file with an extension you don’t use, it’ll be picked up in the scan, too. Just heed the advice about keeping your hackscan.php file out of the webspace and note the regular intervals in the e-mails provided to you.

  5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

  6. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are recreated and resized by GD before being saved to my “webspace”).

  7. Update all “canned scripts” (e.g., WP, Zencart, etc.) AND their plug-ins and be sure that they’re kept updated in order to prevent further attacks via security problems discovered in those scripts.

There is a place for penetration testing (with a tool like BackTrack) but it is something best left to the sysadmins of your host (or a security professional if you own your server). In fact, you must not use those tools or techniques on others’ servers because you will be identified as a hacker, your IP address will be blocked and you will be reported to authorities for prosecution. The anti-hacking laws are beginning to be enforced and you will (and should) be harshly punished.

Regards,

DK
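An added example (not DK's hackscan.php and not the SitePoint script) of the step-4 integrity check in Python: it hashes every file under the web root with no extension filter, keeps the baseline file outside the webspace, and on later runs reports added, removed and modified files, which is what the cron e-mail would carry. Directory names and file contents in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha1_of(path, chunk=65536):
    """SHA1 of one file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Hash every regular file under root. Deliberately no extension filter:
    a planted file with an extension you never use must show up too."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha1_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots into the three lists worth e-mailing."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def run_check(webroot, baseline_file):
    """Cron entry point: first run writes the baseline (keep it outside the
    webroot), every later run returns the diff against it."""
    current = snapshot(webroot)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1)
        return None
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    return compare(baseline, current)


def demo():
    """Constructed scenario: clean site, baseline run, then one edited PHP
    file and one planted .txt file before the next cron run."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "public_html"
        (web / "inc").mkdir(parents=True)
        (web / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (web / "inc" / "app.js").write_text("console.log(1);\n")
        baseline = Path(tmp) / "hashes.json"   # outside the webspace
        run_check(web, baseline)               # first run: baseline only
        (web / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (web / "inc" / "cache.txt").write_text("planted\n")
        return run_check(web, baseline)
```

A real deployment would call run_check() from cron, mail the non-empty lists, and refresh the baseline only after a deliberate site update.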