
Sunday, October 21, 2012

Site Restoration Tutorial



As you probably already know, Independence Day is just a few days away, and it is a safe bet that certain people will be attacking and defacing Indian sites. This tutorial is aimed at helping you restore a hacked site. I am not going to explain everything in full, because it would become far too long; I will just point you in the right direction :)
Note: this is NOT a tutorial for web admins. It is written for hackers who are interested in restoring a site, so it assumes the reader starts with zero permissions on the server.
Some of the methods I suggest are fairly aggressive, so if you do not agree with them, feel free to close this page :D

1. GET BEHIND A VPN FIRST !!

Yes, you are only trying to help, but that does not mean you should expose yourself. Accessing a server you are not authorised to access is a crime regardless of your intentions, and the site admin is not going to care who you are: if they complain to the cyber police, they will hand over ALL THE LOGS. India's "cyber police" are mostly skids and noobs, and they will put the blame on YOU because you are easier to arrest than someone in another country.
This is the sad truth, ACCEPT it. DO NOT expect fame and glory for what you are about to do.

2. Know what you are dealing with

Before you start, there are a few questions you should ask yourself.

Is this site worth my time?

Always give priority to the major sites first; only move on to the smaller sites when you are done with the major ones.
Is it an index deface, or just a page dropped at www.site.com/hackpage.html? If it is the second one, it is a low-priority hack: the site still works, only an extra file was added.

Is the site on a dedicated or a shared server?

Knowing which makes all the difference: on a shared server the hole may be in a different customer's site, and anything you change affects every site on the box.

Does it look like the hacker rooted it?

When it is shared hosting and a mass deface has been done (many sites on the same server hit at once), it is probable that the server itself has been rooted rather than each site being exploited one by one.

 

3. Gain access

The first thing to do is to see if the hacker left behind any shells.

Places to look are
/image, /admin/, /themes/, /cgi/, upload directories, etc. Recently modified files are the first suspects. If you cannot find anything manually,
here is a good plugin for Uniscan --> http://uniscan.sourceforge.net/?p=161

Can't find a shell? That is OK, proceed to the next step.

Now look at all the application-level vulnerabilities,
i.e. XSS, RFI, LFI, SQLi --> the most common ones.
Figure out how the hacker got in and use the same route.

Still NOTHING?

If that does not work, look at all the open ports and see whether the server is running an outdated or vulnerable service,
and gain system privileges by exploiting that service.
One way or another, get a shell or a backdoor up.
Don't forget: if the attacker found a way in, YOU CAN TOO !! :D

4. Removing backdoors

Before you restore anything you must make sure that you remove ALL the backdoors left by the hacker; otherwise the attacker simply walks back in once you are done.
As with finding the first shell, use more than one method to make sure you have removed all of them.
Note: some of these need you to install a few dependencies.
If you have access to a terminal you can use this:
 grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
The above command says:
  1. Check only files with the extensions php, txt or asp (the brace expansion is done by bash, so run it from bash). You can add more.
  2. The pattern matches the strings "passthru", "shell_exec" and so on, followed by an opening parenthesis. You can add or remove patterns; "eval" and "assert" are worth adding, since most PHP shells are wrapped in eval(base64_decode(...)).
  3. The directory from which the recursive search starts, in this case /var/www/.
  -l prints only the file names; -P selects Perl regular expressions, although -E would do for this pattern.
Expect plenty of false positives: fopen, mkdir and chmod appear in almost every legitimate PHP application, so treat the output as a list of files to read, not a list of files to delete. Where you have the original CMS or theme package, diffing against it (or checking file modification times) separates real shells from normal code much faster.

5. The actual restoring

See if the hacker has renamed the original index file to something like index1.php or indexold.php.

Then it is just a matter of removing the deface file and renaming the original back (make a backup of the deface file first, as evidence and to be safe).

If you cannot see the original files, you will have to use data recovery methods (these need escalated privileges), or restore the file from a backup or from the original CMS package if one is available.

If all these methods fail, replace the index with a blank white page or a "Maintenance" page.
 

6. Prevent future attacks on the server

Now that you know the method the attacker used to gain access, you should start to close the security holes.
A few tips:
If the server was rooted, update the kernel, change the root password and remove all newly added accounts. Also check for added SSH keys, cron jobs and setuid binaries; a rooted box can only be trusted again after a rebuild from clean media, so tell the admin that.
Firewall:
If it is a shared server and lots of the sites are vulnerable to SQL injection, I suggest installing an up-to-date WAF to keep away the skids (there is still a possibility that it can be bypassed, so it is a stopgap, not a fix).

Admin pages:

If the admin page is vulnerable to shell upload, rename the admin login file to something like "randomtextadminpage1231ew8712.php/.html" to stop the attacker from entering the site again. This is only obscurity: the upload bug is still there, and anyone who finds the new name has it back.

Trolling the hacker:

Most of the time index files are named like this:
IIS: default.asp/.aspx
Apache: index.php/.html
But this is easily changeable in Apache by editing the .htaccess file (the DirectoryIndex directive):
http://www.javascriptkit.com/howto/htaccess6.shtml
So you can make the index file something like 12d9au.html; when the attacker replaces index.php/.html, the site will still load our 12d9au.html as the default file :D
99% of attackers will go mad trying to figure it out XD ROFL (an attacker who can write to the web root can also edit .htaccess, so this only fools the ones who do not look).
Don't forget to leave a .txt file listing all the vulnerabilities so that the site admin can read it (he/she is the only one who can fix them permanently).
And if you ever fail in restoring a site, don't worry, it is no shame to you or your country ... ALL THE BLAME GOES TO THE ADMIN
------------------------------------------------------------------------------------------------------------
PS: Please point out in the comments if you think something needs to be corrected or added to this tutorial (it would be awesome if you provide the exact text), as we should all work together to protect OUR cyber space
