I thought it'd be useful to list out some common things a Web Developer could look for that could indicate their site has been compromised by an attacker.
- Modified Logon Page (Why? Credentials are extremely valuable, so the attacker may have altered your login code to capture every user's password as it is submitted.)
- Odd File Extensions (Why? Your site may only ever serve .jsp files, but an attacker may find it easier to do his work in .php. Any extension the server will execute that your application does not use is suspicious.)
- Multiple Copies of Files (Why? Before modifying a file, the attacker will often rename the original first, e.g. login.php.bak, so he can put it back later.)
- New Database Tables (Why? The attacker may have used SQL injection to stage dumped data or to log data he wanted to collect.)
- Database Errors Mentioning xp_cmdshell (Why? On SQL Server this extended stored procedure runs operating system commands, and it is one way an attacker goes from SQL injection to full operating system compromise. It is disabled by default, so errors about it, or sp_configure calls that re-enable it, mean someone is trying.)
- Web Shells (Why? These are hidden pages that give the attacker remote access to do things like upload/download files or run commands.)
- Unexpected Connections (Why? Run netstat (netstat -ano on Windows, netstat -tunap or ss -tunap on Linux) and look for connections to remote IPs you don't recognise; one of them could be the attacker's reverse shell.)
- Unexpected Logins (Why? Log who logged in, when, and from where. If you have off-hours logins from countries you don't support...)
- Event Logs Missing (Why? An attacker will cover his tracks and clear event logs. Forward logs to a remote server as they are written so he can't clear them.)
- New Accounts (Why? An attacker will give himself multiple ways back in; if you disable one account he'll just use another.)
- Files that Trigger Anti-Virus (Why? For performance reasons Anti-Virus is often configured with exceptions for your web content folders, which means those files never actually get scanned. Copy them out to a folder that does get scanned and watch what happens. Anti-Virus is actually pretty good at picking up the common web shells attackers set up.)
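As an added example (not code from the original post), the following Python script works several of the checks above into one triage pass: it hashes a web root against a manifest taken from a clean source-control checkout, then flags files that are new or modified (a tampered logon page), files with extensions the site does not use (the script assumes a .jsp site), backup-style copies such as login.jsp.bak, and files matching a few crude web-shell signatures; it also picks xp_cmdshell out of some error-log lines. The expected extensions, signature list, planted file contents and log lines are all constructed assumptions for illustration, so tune them to your own stack.

```python
"""Added example (not from the original post): triage a web root for the
indicators listed above. All inputs below are constructed for illustration."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: a JSP application that only ever serves these file types.
EXPECTED_EXTENSIONS = {".jsp", ".html", ".css", ".js", ".png", ".jpg"}
# Suffixes attackers use when stashing the original before modifying it.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")
# Crude web-shell indicators (constructed list; extend for your stack).
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode", re.I),      # PHP one-liner shells
    re.compile(rb"Runtime\.getRuntime\(\)\.exec", re.I),  # JSP command execution
    re.compile(rb"cmd\.exe\s*/c", re.I),                  # Windows command spawn
]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root. Run this against
    a clean checkout from source control, never against the live site."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def triage(webroot, manifest):
    """Return {relative_path: [findings]} for anything that deviates from the
    manifest or matches an indicator. An empty dict means nothing was flagged."""
    root = Path(webroot)
    findings, seen = {}, set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        notes = []
        if rel not in manifest:
            notes.append("not in source-control manifest")
        elif manifest[rel] != sha256_of(p):
            notes.append("content differs from manifest")
        if rel.endswith(BACKUP_SUFFIXES):
            notes.append("backup-style copy of a deployed file")
        elif p.suffix.lower() not in EXPECTED_EXTENSIONS:
            notes.append(f"unexpected extension {p.suffix!r}")
        data = p.read_bytes()
        for pat in SHELL_PATTERNS:
            if pat.search(data):
                notes.append(f"web-shell indicator {pat.pattern.decode()!r}")
        if notes:
            findings[rel] = notes
    for rel in manifest.keys() - seen:
        findings[rel] = ["in manifest but missing from web root"]
    return findings

def xp_cmdshell_errors(log_lines):
    """Database errors mentioning xp_cmdshell (SQL Server): a sign that someone
    is trying to turn SQL injection into operating-system commands."""
    return [line for line in log_lines if "xp_cmdshell" in line.lower()]

# Constructed application log lines, not a real capture.
SAMPLE_LOG = [
    "2015-03-01 02:13:07 ERROR SqlException: Incorrect syntax near 'waitfor'",
    "2015-03-01 02:13:09 ERROR SqlException: The EXECUTE permission was denied "
    "on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.",
    "2015-03-01 09:00:00 INFO user bob logged in",
]

def demo():
    """Snapshot a clean tree, then plant constructed attacker artefacts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text("<html>hello</html>")
        (root / "login.jsp").write_text("<%-- login form --%>")
        manifest = build_manifest(root)
        # Modified logon page, stashed original, PHP shell on a JSP site, JSP shell.
        (root / "login.jsp").write_text(
            '<%-- login form --%><% log(request.getParameter("password")); %>')
        (root / "login.jsp.bak").write_text("<%-- login form --%>")
        (root / "img.php").write_text("<?php eval(base64_decode($_POST['x'])); ?>")
        (root / "cmd.jsp").write_text(
            '<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
        return triage(root, manifest)

if __name__ == "__main__":
    for path, notes in demo().items():
        print(path, "->", "; ".join(notes))
    for line in xp_cmdshell_errors(SAMPLE_LOG):
        print("log ->", line)
```

In practice you point build_manifest at a fresh checkout of the release that should be deployed and triage at the live web root; anything flagged is a lead to investigate, and anything the manifest does not explain is treated as attacker-planted until proven otherwise. The signature list will miss obfuscated shells, which is why the file-by-file comparison against source control, not the pattern match, is the check to trust.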
You never want to be in that scenario, but if you are, hopefully some of the above tips help you reach a conclusion quicker. And remember: if you find the bad things, don't think you can clean them up. That's a mistake. An attacker doesn't leave just one backdoor, probably not even two. They're going to drop a bunch of web shells, create a bunch of accounts, grab a bunch of passwords, and leave many windows open. Why? They anticipate that you will eventually spot something and disable some accounts, delete some files, etc., but they're banking on you not finding everything, and whichever one you miss they'll use to get right back in and drop a bunch more backdoors. When the bad things happen, revert to a pristine copy: a fresh server build with code deployed directly from source control, and reset every credential (user, service and database passwords) the attacker could have captured.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.