#NoHacked: eliminating the effects of hacking with loading URLs containing meaningless text
Hi, Habrahabr! Today, as part of the #nohacked campaign, we would like to talk about how to solve the problem of unauthorized introduction of content to the site. Even if you have not been subjected to such an attack, do not neglect our recommendations - they will help protect your resource from other hacking methods. Follow the discussion on Twitter and Google+ with the hashtag #nohacked (see part 1 , part 2 , part 3 , part 4 ).
Hacks are completely different. Someone just hooligans and “defacesists” of the site (post provocative or offensive information on it, spoils the layout, turns the site of a large corporation into the world's most expensive fan club My Little Pony). Often, damages of this type are treated by restoring the last backup and removing all unwanted information, however, without a subsequent security audit of the site, no one is immune from the repetition of such outrage.
It is much more dangerous when a website is hacked with data theft, substitution of information, or is carried out with the aim of spreading any malware. In this case, the most important thing is to protect potential visitors (users or clients) from communication with similar content.
')
The first and main thing that needs to be done is to “close” the site for repairs. Here we are guided only by security considerations: in the metro, when repairing an escalator, do they block the entrance to it? So we close the site temporarily. Users will not be able to get on the hacked pages, and you can safely work on the restoration of the site.
In addition, if the hacking was carried out through one of the “holes” in the working files, if you do not close the site for maintenance, you run the risk of being confronted by hackers again while you eliminate the consequences of hacking.
The simplest recovery is to find the latest backup and deploy it. Unfortunately, backups in the same way can be rubbed by attackers, or backups can concern only the content part, or ... yes a million or. In general, if the magic solution in one button "restore" we can not help, you have to do everything yourself.
Of course, we all know that before starting work it is worth making a backup of everything that is possible. But an article can be reposted somewhere else, so reminding will not be superfluous. Yes, the new (and this time full) backup will contain the hacked content, so you can use it only if you do something wrong during the restoration of the working version and the site breaks completely. When performing further instructions, be sure to make a copy of each file that you will delete, isn’t it? Delete copies always have time.
One of the most popular ways of hacking: hackers create or change the contents of the .htaccess file to add their own pages or redirect users to a phishing clone site.
Check for suspicious lines in the .htaccess file. If you do not know how to analyze its content, read the relevant materials on Apache.org , ask questions in the help forum or consult a specialist. An example of a .htaccess file modified by hackers:
# Visitors navigating to the Google Search site will be redirected
# Visitors are redirected to the malicious PHP file happypuppy.php
Remove all detected elements of malicious code. If there is a lot of them in the .htaccess file, it will be easier to create a new .htaccess than repair the existing one. It may also turn out that it contains a malicious PHP file (we called it happypuppy.php, but often these names use a random combination of two words). This is important to consider when searching for other malicious files.
Most often, hackers work with JavaScript and PHP files. Two main methods are used: the addition of malicious files and the modification of existing ones. In the first case, new .php or .js files are added to the server, and their names can be very similar to the standard names, for example, wp-cache.php is disguised as a safe wp_cache.php file. The second option provides that malicious content is added to files already existing on the server. For example, if your site has JavaScript templates or plugins, hackers can change their code.
Let's look at an example. A malicious file happypuppy.php, previously found in the .htaccess file, was added to one of the folders on www.example.com . In addition, hackers injected a malicious code into a JavaScript file called json2.min.js, which already exists on the server. In the screenshot below, this code added to the very end of the file is highlighted in red. As a result, the contents of the file will look like this:
To effectively detect malicious code, you need to understand how the site uses JavaScript and PHP files. If you are engaged in the layout, design, content or administration of the portal, but did not look under the hood, you may need to examine the documentation on the content management system.
In addition, find and check on the site all the files that have recently been changed, especially if they relate to templates. The "Application" section lists the tools that will help you detect disguised PHP files.
As mentioned earlier, before deleting or changing any files, you need to create backup copies of the site. And if you do it regularly, then to fix the problems on the site, it will be enough to restore its archive version, which was preceded by hacking.
But even if you are not backing up, other solutions are available to you. First, remove the malicious content added by the hackers. For example, on the site www.example.com this will be the file happypuppy.php. If the attacker has modified the existing PHP and JavaScript files, such as json2.min.js, download their secure versions. Try to re-add key plug-in files and content management system to the site, if you use it.
After deleting the malicious file, you need to find and fix the vulnerability that led to the hacking of the site, otherwise it may be subjected to repeated hacker attacks. This can be anything from a stolen password to an outdated site software. Read how to find and fix a vulnerability in our Help Center . If you cannot understand how the hacking was carried out, change all the passwords, completely update the software on the website and, if possible, contact the specialists.
By eliminating problem content, make sure Googlebot no longer sees the hacked pages. Use the " View as Googlebot " tool for this. Do not forget to check for hacked content and the main page. If nothing is found, then you are all right. If “View as Googlebot” still finds hacked content, you have a lot of work to do. You probably missed any malicious PHP or JavaScript file. Keep searching.
Before you start the site again, make sure to eliminate all vulnerabilities and the consequences of hacking. If manual measures are taken with respect to your resource , log in to your Search Console account and send a request for rescanning . Also consider how to protect your site from new attacks. Some tips on this topic can be found in our Help Center .
Of course, part of the advice seems fairly obvious, but we are all strong with our back mind, and when confronted with such a thing for the first time, you can also break wood. We hope that this article will help you eliminate the consequences of unauthorized content injection on the site. Look for us on social networks using the hashtag #nohacked and do not forget to share your personal experiences and techniques of safe work on the Internet.
If you have any questions, you can ask them on the webmaster help forum and in our community on Google+ . And, you can also watch our security video call on August 27th.
There are tools to which Google has no direct relationship, but they may come in handy.
For example, utilities for deobfuscating PHP Decoder and UnPHP . An attacker could distort PHP files to make them harder to analyze. However, they can be cleaned using the above tools and understand what they are for. Write here about your favorite service or tool with a description of its work and how it can help in the restoration of the site, and we will add to this list.
Hacks are completely different. Someone just hooligans and “defacesists” of the site (post provocative or offensive information on it, spoils the layout, turns the site of a large corporation into the world's most expensive fan club My Little Pony). Often, damages of this type are treated by restoring the last backup and removing all unwanted information, however, without a subsequent security audit of the site, no one is immune from the repetition of such outrage.
It is much more dangerous when a website is hacked with data theft, substitution of information, or is carried out with the aim of spreading any malware. In this case, the most important thing is to protect potential visitors (users or clients) from communication with similar content.
')
Temporary site shutdown for maintenance
The first and main thing that needs to be done is to “close” the site for repairs. Here we are guided only by security considerations: in the metro, when repairing an escalator, do they block the entrance to it? So we close the site temporarily. Users will not be able to get on the hacked pages, and you can safely work on the restoration of the site.
In addition, if the hacking was carried out through one of the “holes” in the working files, if you do not close the site for maintenance, you run the risk of being confronted by hackers again while you eliminate the consequences of hacking.
Site recovery
The simplest recovery is to find the latest backup and deploy it. Unfortunately, backups in the same way can be rubbed by attackers, or backups can concern only the content part, or ... yes a million or. In general, if the magic solution in one button "restore" we can not help, you have to do everything yourself.
Of course, we all know that before starting work it is worth making a backup of everything that is possible. But an article can be reposted somewhere else, so reminding will not be superfluous. Yes, the new (and this time full) backup will contain the hacked content, so you can use it only if you do something wrong during the restoration of the working version and the site breaks completely. When performing further instructions, be sure to make a copy of each file that you will delete, isn’t it? Delete copies always have time.
Step 1: Verify the .htaccess file
One of the most popular ways of hacking: hackers create or change the contents of the .htaccess file to add their own pages or redirect users to a phishing clone site.
Check for suspicious lines in the .htaccess file. If you do not know how to analyze its content, read the relevant materials on Apache.org , ask questions in the help forum or consult a specialist. An example of a .htaccess file modified by hackers:
<IfModule mod_rewrite.c>RewriteEngine On# Visitors navigating to the Google Search site will be redirected
RewriteCond %{HTTP_REFERER} google\.com# Visitors are redirected to the malicious PHP file happypuppy.php
RewriteRule (.*pf.*) /happypuppy.php?q=$1 [L]Remove all detected elements of malicious code. If there is a lot of them in the .htaccess file, it will be easier to create a new .htaccess than repair the existing one. It may also turn out that it contains a malicious PHP file (we called it happypuppy.php, but often these names use a random combination of two words). This is important to consider when searching for other malicious files.
Step 2: Search for other malicious files
Most often, hackers work with JavaScript and PHP files. Two main methods are used: the addition of malicious files and the modification of existing ones. In the first case, new .php or .js files are added to the server, and their names can be very similar to the standard names, for example, wp-cache.php is disguised as a safe wp_cache.php file. The second option provides that malicious content is added to files already existing on the server. For example, if your site has JavaScript templates or plugins, hackers can change their code.
Let's look at an example. A malicious file happypuppy.php, previously found in the .htaccess file, was added to one of the folders on www.example.com . In addition, hackers injected a malicious code into a JavaScript file called json2.min.js, which already exists on the server. In the screenshot below, this code added to the very end of the file is highlighted in red. As a result, the contents of the file will look like this:
To effectively detect malicious code, you need to understand how the site uses JavaScript and PHP files. If you are engaged in the layout, design, content or administration of the portal, but did not look under the hood, you may need to examine the documentation on the content management system.
In addition, find and check on the site all the files that have recently been changed, especially if they relate to templates. The "Application" section lists the tools that will help you detect disguised PHP files.
Step 3: Remove Malicious Content
As mentioned earlier, before deleting or changing any files, you need to create backup copies of the site. And if you do it regularly, then to fix the problems on the site, it will be enough to restore its archive version, which was preceded by hacking.
But even if you are not backing up, other solutions are available to you. First, remove the malicious content added by the hackers. For example, on the site www.example.com this will be the file happypuppy.php. If the attacker has modified the existing PHP and JavaScript files, such as json2.min.js, download their secure versions. Try to re-add key plug-in files and content management system to the site, if you use it.
Step 4: Search for vulnerabilities
After deleting the malicious file, you need to find and fix the vulnerability that led to the hacking of the site, otherwise it may be subjected to repeated hacker attacks. This can be anything from a stolen password to an outdated site software. Read how to find and fix a vulnerability in our Help Center . If you cannot understand how the hacking was carried out, change all the passwords, completely update the software on the website and, if possible, contact the specialists.
Next steps
By eliminating problem content, make sure Googlebot no longer sees the hacked pages. Use the " View as Googlebot " tool for this. Do not forget to check for hacked content and the main page. If nothing is found, then you are all right. If “View as Googlebot” still finds hacked content, you have a lot of work to do. You probably missed any malicious PHP or JavaScript file. Keep searching.
Before you start the site again, make sure to eliminate all vulnerabilities and the consequences of hacking. If manual measures are taken with respect to your resource , log in to your Search Console account and send a request for rescanning . Also consider how to protect your site from new attacks. Some tips on this topic can be found in our Help Center .
Of course, part of the advice seems fairly obvious, but we are all strong with our back mind, and when confronted with such a thing for the first time, you can also break wood. We hope that this article will help you eliminate the consequences of unauthorized content injection on the site. Look for us on social networks using the hashtag #nohacked and do not forget to share your personal experiences and techniques of safe work on the Internet.
If you have any questions, you can ask them on the webmaster help forum and in our community on Google+ . And, you can also watch our security video call on August 27th.
application
There are tools to which Google has no direct relationship, but they may come in handy.
For example, utilities for deobfuscating PHP Decoder and UnPHP . An attacker could distort PHP files to make them harder to analyze. However, they can be cleaned using the above tools and understand what they are for. Write here about your favorite service or tool with a description of its work and how it can help in the restoration of the site, and we will add to this list.
Source: https://habr.com/ru/post/266027/
All Articles