Problem/Summary
Your website has been hacked, defaced, or is displaying foreign content.
Symptoms
Default Page
Some of the most common defacements are simple and often limited to
the default document of a site being replaced. Often these pages will
contain one or two lines of text and sometimes images.
Example: "HACKED BY TURKISH HACKER ENO7"
Images Replaced
Almost as common as default page replacements, images are overwritten
with a custom image, normally containing text and occasionally a Flash
animation.
Foreign Content
Often the content of a site, most often text, is replaced whilst the
basic elements of the site remain intact.
Recovery
Default Page
The first thing to do is to establish whether the hacker has replaced
your default page (index.htm, default.asp, etc.) with their own file, or
has simply inserted a page that is being called before yours as
a default document.
1) First, make a backup of the default document in question, then upload
a backed-up copy of your default page and check that no other pages have
been compromised.
2) Make sure that your default document is the first document served; if
you are using index.html, be sure that this is at the top of the default
documents list.
3) Contact support and have the problem investigated.
Foreign Content / Replaced Images
Browse over your site to ascertain what content has been compromised and
where this content is stored. For example, if you are using a CMS and all
of the text has been replaced, the two most common places to check would
be the database or the administration interface for the CMS.
1) Again, make a backup of any compromised files or databases and
restore your backup files.
2) Change your database and administrator passwords and confirm that
no new admin users have been created.
3) If using an upload script, please confirm that the script does not
allow uploading to directories other than the uploads directory.
4) Update any third-party scripts, plugins or CMS systems being used.
Exploits are commonly discovered in publicly available code.
5) Contact support and have the problem investigated.
Prevention
Passwords
Never use weak passwords, and steer clear of dictionary words. Try to use
passwords that do not relate to you in any obvious way. For further
reading, see:
http://security.fnal.gov/UserGuide/password.htm
http://www.newsforge.com/software/03/02/26/1639212.shtml?tid=2
Frequent Updates
If you are using a pre-built CMS such as Joomla, PHPnuke or DotNetNuke, please
be sure that you are always using the most up-to-date stable version.
Make a habit of reading the security and news forums specific to the CMS you
are using, as patches and hotfixes for exploits will often be announced long
before your site is at risk.
Third Party Script
Before using and deploying third-party scripts or applications on your
site, check to see if there are any known security flaws or exploits.
Make a habit of regularly checking to see if the script or application
has been updated due to a security issue.
Custom Scripts
Should you be using your own scripts to perform functions such as uploading
files or inserting and retrieving information from a database, please be sure
that you have sanitized your input fields.
The resource below deals with the most common web application attacks.
http://searchappsecurity.techtarget.com/generic/0,295582,sid92_gci1157415,00.html
If you are using any form of SQL back end, it is vitally
important that you understand how to harden your code against SQL
injection.
Please take a look at the links below, which deal with preventing SQL
injection:
http://searchsqlserver.techtarget.com/tip/0,289483,sid87_gci1207766,00.html
http://searchappsecurity.techtarget.com/tip/0,289483,sid92_gci1219890,00.html
http://portal.acm.org/citation.cfm?id=1108496&dl=ACM&coll=&CFID=15151515&CFTOKEN=6184618
Backups
Keep regular backups of all your files, databases and content; these can save you hours of trying to correct the damage that has been done.
