Hi Guys, I have downloaded all my websites to my Windows PC. Is there any software that can scan them all locally and check for backdoors in my PHP code, or .gif files that have code in them, and any other bad stuff that may be in my sites -- like shell scripts? My sites have been hacked, and I need to get all the holes fixed fast! Cheers.
A regular antivirus should be able to find much of the malware, if any. But it would not help you with the vulnerabilities that might exist (unsanitized variables, cross-site scripting, etc.). For that you can try the free edition of Acunetix WVS (http://www.acunetix.com/)! You are saying your sites have been hacked. What actually happened? What were the problems?
My sites have been hacked --- there are strange .php files everywhere. New code has been added into my other PHP pages. My host says backdoor shell scripts are on the sites. I need some software that can scan PHP files for shell scripts that could give people access back to my sites once I've changed all the passwords. I've tried Acunetix -- but I don't think that would find "test.php", which is just in a directory with no links to it, but it is a shell script that could give someone access back to my site.
You can also try looking for some trojans on your PC, because a couple of months ago I've seen a trojan that was stealing FTP accounts from computers. Then another module of the cracker's application was altering the website's files by connecting by FTP and adding a malicious iframe to some of the php/html files. My advice would be to also scan your computer and change the FTP passwords using a safe computer!
Worst advice I've heard in some time....

Abi - We need to get you cleaned up ASAP, don't want your Google ranking messed.

- identify vulnerability - code investigation, application breach investigation
- patch vulnerability
- locate & clean infected files
- review permissions/ownerships
- update PHP scripts, implement additional PHP security
- monitor for further attack attempts

I highly recommend that you get NOD32 installed onto your workstation computer(s) ASAP. As a D.P. member said earlier, a virus/bot has spread around stealing logins for FTP accounts and later using them to modify web content within the FTP account - injecting iframes etc.

I hope we can get you all cleaned up.

Best Regards,
Logan @ SSANZ
Hi SSANZ, Thanks for your reply. I am looking to buy some software that offers what you say -- but I could never afford to pay a person/company such as yourself to scan my sites. I have far too many -- and it would just cost too much. $100 or $200 for some software that I could use on all my sites, that runs on my PC locally, would be amazing -- but a service that charges $100 or even $20 per site would just cost me $1000s!! Thanks for your help though! Abi.
There is a website vulnerability scanner called w3af that will help you find any security holes in your PHP code. It's free and available from SourceForge: http://w3af.sourceforge.net/ It scans your live site rather than a local copy, but if you install Apache on your home computer then you can scan the website there. If you do install Apache and your website at home then you will be all professional-looking with a development environment and a production environment. Cool.

I have also used WatchFire AppScan in the past but it's far from free. From memory, the cheapest version is £25,000. The "server" edition is 10 times that much. As a free alternative to £25,000 software, w3af deserves as much support as we can give it.

Another useful tool for finding vulnerabilities would be Nessus or OpenVAS. OpenVAS is the open source fork of Nessus from the point when they went closed source. http://www.nessus.org/nessus/ http://www.openvas.org/ Although both are still free, some parts of Nessus such as the vulnerability feed are now paid updates. OpenVAS requires no money at all but doesn't get the vulnerabilities from Nessus until they are months old. On the other hand, they find their own vulnerabilities so this may not matter. In either case, both of these programs will scan your entire server, not just the PHP scripts, for vulnerabilities, so it is useful to run one of them in addition to w3af.

This will help you with step 1. from SSANZ's post and will partly help you with step 2. Sometimes the software will tell you that you need to upgrade Apache or WordPress to a particular version, but sometimes it won't be able to tell you that. When this happens, you will need to search for solutions on Google or modify the PHP code yourself until the tool doesn't find the vulnerability any more.

Looking through the Apache log files can be very helpful too. You can find the time you were hacked by looking at the last-modified timestamp on one of the files that the hackers modified. Then you can look at your Apache log files just before that time to see which files the hackers used to get access to your server. Hopefully the logfile entries of the hackers will stand out as being different from normal users. Look for lots of extra parameters that a PHP file doesn't normally use, or a single file being requested several times in a row by a single IP address when it is normally only requested once. Once you find the IP address that the hackers were using at the time, grep through all your log files for that IP address to see what else they did. They will likely have installed a PHP shell file which they will have accessed a lot after the hack.

Step 3. is a bit tricky. If you have an older backup of your site from before the hacking took place, you can run a command that will automatically compare every file with the backed-up version and list all the ones that are different. If you don't have an older backup (and why the hell not?) then I can't think of any way to find infected files other than manually reviewing each and every file by hand. That would suck. Let's hope SSANZ has a better idea than mine if you don't have a backup. My favourite method for avoiding this is to put my entire website in Subversion (or any other version control system). If you have done this before you get hacked, finding the files that the hacker modified is as easy as typing "svn status" on the command line, and reverting them all back to their pre-hacked versions is as easy as typing "svn revert" on the command line.

Step 4. (the permissions and ownership) is only really important if you are on a shared host. If you have a VPS or a dedicated server then permissions and ownership will not significantly affect your security. If you have a shared server then one of the other users who gets hacked will provide access to your files to the hackers. If this is what happened then you will need to either talk to the other user or move to a VPS.

Step 5. is simply acting on the results from Step 2. Upgrade what needs upgrading and patch what needs patching. You can also install something like mod_security or Snort at this stage if you want to be more proactive about security and detect hackers before they get in and deface your site. Although it isn't strictly a security step, setting up an automatic, offsite backup script is a very good idea that can help you recover from a security breach much more quickly.

Step 6. means reading your daily Snort and mod_security reports every day and looking through your Apache logfiles from time to time for any suspicious activity. I would also set up a cron job to automatically run "svn status" every day and email you the results. Some hackers modify your pages in ways that aren't visible in a normal browser, but Subversion will pick them up.

I'm no expert on Windows security, but SSANZ's recommendation of installing anti-virus software on your home computer seems very smart to me. It's possible that the hackers got in through installing a keylogger on your home computer and learning your password. If this is the case, it won't matter what security you add and how many passwords you change: they will always know them and will be able to hack your site until you get them off your home computer.
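The Apache log review described in the post above, as an added example that is not from any poster in this thread: a small Python script that parses access log lines in Common Log Format, flags one IP requesting the same file several times in a row, flags requests carrying more query parameters than a page normally takes, and lists every request from one IP (the "grep for that address" step). The log lines and the thresholds are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log in Apache Common Log Format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2010:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [12/Mar/2010:14:02:15 +0000] "GET /about.php HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2010:14:03:01 +0000] "GET /gallery.php?id=3&a=1&b=2&c=3&d=4 HTTP/1.1" 200 900
203.0.113.5 - - [12/Mar/2010:14:03:03 +0000] "GET /contact.php HTTP/1.1" 200 1800
198.51.100.9 - - [12/Mar/2010:14:03:09 +0000] "POST /images/test.php HTTP/1.1" 200 300
198.51.100.9 - - [12/Mar/2010:14:03:10 +0000] "POST /images/test.php HTTP/1.1" 200 300
198.51.100.9 - - [12/Mar/2010:14:03:12 +0000] "POST /images/test.php HTTP/1.1" 200 300
"""

# ip, ident, user, [timestamp], "METHOD url PROTOCOL", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ip, when, method, url, status = m.groups()
        parts = urlsplit(url)
        entries.append({"ip": ip, "when": when, "method": method, "path": parts.path,
                        "status": int(status), "params": parse_qsl(parts.query, True)})
    return entries

def repeated_requests(entries, min_run=3):
    """(ip, path) pairs that one IP requested min_run or more times in a row."""
    run, last, hits = {}, {}, set()
    for e in entries:
        ip, path = e["ip"], e["path"]
        run[ip] = run.get(ip, 0) + 1 if last.get(ip) == path else 1
        last[ip] = path
        if run[ip] >= min_run:
            hits.add((ip, path))
    return hits

def excess_params(entries, max_params=3):
    """Requests carrying more query parameters than the page normally takes."""
    return [e for e in entries if len(e["params"]) > max_params]

def requests_from(entries, ip):
    """The 'grep the logs for that IP' step: every request made by one address."""
    return [e for e in entries if e["ip"] == ip]
```

Run it over your real access log by passing the file contents to parse_log and then narrowing with requests_from on any address that repeated_requests or excess_params turned up.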
I have some software which will fit what you are talking about, which I bought and am willing to resell to you cheap. PM me.
A basic one: http://yehg.net/lab/pr0js/view.php/Hunting For Backdoor Scripts.pdf
Second -> Base64-encode string -> base64_encode
Third -> http://sourceforge.net/projects/securityscanner/
Most important -> Patch your code. There is no patch for ignorance.