Wednesday, September 15, 2010

Does My Website Have a Database?

 
One way a website can be compromised
is by way of SQL injection.
SQL injection is an attack in which
malicious code is injected into your
website database through the SQL
queries the site sends to it.

However, it makes no sense to even
consider the possibility of SQL
Injection if your website has no database.

Here are some simple steps to help you
decide whether or not your website
has a database.

The steps are based on a simple idea.
If there is no select statement
in any of the files, it seems unlikely
(impossible?) that the website could have
a database.

The select statement is how databases
are read. Would anyone ever build a website
that has no select statement? Probably not.
It makes no sense to have a database that you
never read. The reading of files (or database
tables in this case) is the most basic file
operation there is. Data is read far more often
than it is written.

Here are the steps for discovering select
statements under Linux. Translate these steps
to your favorite operating system as best you
can.

  1. Mirror the entire website to your hard
    drive.
  2. Go to the topmost directory of the
    mirror.
  3. Prepare to use the grep command
    to find select statements.
  4. Use the grep command to search
    for select statements in every directory
    and sub-directory until you run out of
    directories (folders).
  5. If you find no select statements,
    assume the website has no database.

Here's a possible sequence of grep commands
you may wish to try:

grep -ic select * | grep -v "0$"
grep -ic select */* | grep -v "0$"
grep -ic select */*/* | grep -v "0$"
grep -ic select */*/*/* | grep -v "0$"

Do you see a pattern? Starting with the
topmost directory, we go through each
subdirectory level until the shell comes
back with an error message saying that
file pattern matching is no longer finding
files. The error message tells us we are
done.

What about the zero followed by a dollar
sign at the end of the second grep? This
is a regular expression that, in this
case, says don't give me any noise.
Here, noise is files that contain no
select statements. More precisely, grep -c
prints each file name followed by its count,
and this regular expression throws away the
lines whose count is zero.

What about the -i option? This means
ignore case, since select statements are
case insensitive. Select can be all caps,
all lowercase, or any mixture of the two.

What about the -c option? It provides
a count of the number of lines that
select appears in. The -ic is the -i
in combination with the -c.
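As an added example (not from the original post), here is the same search done with GNU grep's -r option, which walks every sub-directory itself, so one command replaces the stack of */* patterns. It assumes GNU grep (for -r and the \b word boundary), and the sample website tree is constructed inline.

```shell
# Constructed stand-in for a mirrored website: two PHP files with SQL,
# one HTML file with the word "select" in ordinary prose, and a stylesheet.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/admin/reports" "$dir/css"
    # Note the query interpolates $id straight into the SQL: exactly the kind
    # of statement a SQL injection review should look at first.
    printf '<?php $r = mysql_query("SELECT id, name FROM users WHERE id = $id");\n' > "$dir/admin/list.php"
    printf 'select * from orders\nSELECT count(*) FROM orders\n' > "$dir/admin/reports/q.php"
    printf 'Please select a language.\n' > "$dir/index.html"
    printf 'body { color: #333; }\n' > "$dir/css/style.css"
    echo "$dir"
}

# Count, per file, the lines that look like a SQL SELECT statement (a SELECT
# followed by a FROM on the same line), ignoring case and recursing through
# every sub-directory. Files with a count of zero are dropped; the filter is
# anchored on ':0$' so that a count of 10 or 20 is not dropped with them.
find_select_files() {
    grep -rciE '\bselect\b.*\bfrom\b' "$1" | grep -v ':0$'
}
```

A bare "0$" filter, as in the commands above, also throws away a file with 10 or 20 matches; anchoring on ":0$" avoids that, and requiring a FROM after the SELECT skips prose such as "select a language".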

It's by using simple techniques that you
find answers quickly.

Ed Abbott

Saturday, July 17, 2010

Compromised Website
Where to Look First

 
Here's a simple hierarchy that I
find helpful when looking into a
website that may have been compromised
for the purpose of spreading malware.

The first step, of course, is to
download an FTP copy of the website
to look at all the code. I'm writing
here as if you've already done that.
What next?

Once you have the entire file hierarchy
for the website on your hard drive, I'd
look for malware following these steps:

  1. Look for .htaccess files in the root
    directory of the website and in all the
    sub-directories.
  2. Study the .htaccess files. Make sure
    there is no evidence of the bad guys in
    these files.
  3. Make a study of timestamps for the
    website's files and directories. Under
    Unix (Linux), the ls -lt command
    is very useful for this purpose. Look
    for recently altered files.
  4. Study the contents of recently altered
    files for evidence of the bad guys.
  5. Dump the website database and read
    through it for evidence of the bad guys.
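As an added example, not from the post, here is how steps 1 and 3 can be done in one pass with find, on a mirror constructed inline. It assumes GNU/Linux find, touch and ls; the "recently altered" file is faked by giving every other file a 2009 timestamp.

```shell
# Constructed mirror of a downloaded website. Every file is given a 2009
# timestamp except blog/post.php, which keeps today's date and stands in for
# a recently altered file.
make_sample_mirror() {
    dir=$(mktemp -d)
    mkdir -p "$dir/images" "$dir/blog"
    printf 'RewriteEngine On\n' > "$dir/.htaccess"
    printf 'Options -Indexes\n' > "$dir/blog/.htaccess"
    printf '<html>home</html>\n' > "$dir/index.html"
    printf 'GIF89a\n' > "$dir/images/logo.gif"
    printf '<?php echo "hello"; ?>\n' > "$dir/blog/post.php"
    find "$dir" -type f ! -path "$dir/blog/post.php" -exec touch -t 200901010000 {} +
    echo "$dir"
}

# Step 1: every .htaccess file, in the root and in all sub-directories.
list_htaccess() {
    find "$1" -type f -name .htaccess | sort
}

# Step 3: files altered within the last N days, shown with ls -lt so the most
# recently changed come first (ls -lt on its own does not recurse; find does).
recently_altered() {
    find "$1" -type f -mtime "-$2" -exec ls -lt {} +
}
```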

Using these steps, you may have some luck
and discover very quickly how the bad guys
have compromised your website.

Here's why this is helpful:

Looking randomly for something in a large
field of possibilities is extremely time-
consuming and often brings no results.

Instead of looking randomly, use a little
imagination. Imagine how your website
might have been compromised and look in
the high-suspicion places first.

I often find it helpful to take a little
time off and let my intuition kick in.
Usually I'm better off if I have some idea
what I'm looking for when I'm trying to find
out how a website was compromised.

In other words, a highly directed search is
so much better than a totally random search.

Ed Abbott

Friday, November 20, 2009

More Malware Removal Tips

Here's a great article with more
Malware removal tips:

Malware removal tips

More later.

Ed Abbott

Thursday, November 19, 2009

Wonderful Article on SQL Injection

Here's a wonderful article on
SQL injection:

SQL Injection Article

Wonderful clear explanation.

Ed Abbott

Saturday, November 14, 2009

Finding the Status of Your Badware Appeal to Google

Here's something that is easy to overlook.

Google gives you a status when you ask
them to look at a site where you have
removed all the badware.

It reads like this:

Status of the last badware appeal
for this site: A review for this
site is still being processed.
Please check back later.


But where do you find this?

Here are the steps to finding the
status for your site:

  1. Log into your Google account.
  2. Click Webmaster Tools.
  3. You should find yourself taken
    to the Webmaster Tools home
    page.
  4. On the Webmaster Tools
    page, click on www.yoursite.com.
    I'm assuming you've already verified
    www.yoursite.com as belonging to
    you.
  5. Look for "This site may be
    distributing malware" in red.
  6. Also in red, you will see
    "More Details".
  7. Click on "More Details".
  8. Observe that several paragraphs
    of detail appear.
  9. Note that the first paragraph
    has the badware status message.

Here's that badware status message
again:

Status of the last badware appeal
for this site: A review for this
site is still being processed.
Please check back later.


Here's how the message will appear
once the badware status has become
a good status:

Status of the latest badware review
for this site: A review for this site
has finished. The site was found clean.
The badware warnings from web search
are being removed. Please note that
it can take some time for this change
to propagate.


All of the above is likely to change.
This post is current as of November
14, 2009.

Hope this helps.

Ed Abbott

document.write() and the Bad Guys

In the past, I've written about how
the bad guys use document.write() to
write code into your HTML files.

I've written about this here:

Using a Hex Decoder

There's a variation on this approach
that I'm writing about today.

Yes, the argument to document.write()
can be encoded in hexadecimal.

However, another bad-guy strategy is to
use the JavaScript concatenation operator
instead.

document.write() is JavaScript.

In JavaScript, the plus sign is the
concatenation operator. In
mathematics, the plus sign is the
addition operator.

Basically, JavaScript allows you
to add two strings together to make
a longer string.

The bad guys will obfuscate the URL
by breaking it up into a lot of little
strings that are concatenated into one
string.

To do this, they may use 25 or more plus
operators like this:

"string1" + "string2" + "string3"


Here are two key differences between their
strings and my strings.

  1. Their strings are much shorter than
    mine. In some cases, just one character
    long.
  2. Their strings concatenated together
    spell out a URL (web address), a bad
    guy web address.

All this in the name of obfuscation.

Basically, they are trying to make it
hard for you to distinguish their code
from the code that belongs on your website.

Here's an oversimplification of what they
do:

document.write("a" + "b" + "c");


I've just given you an oversimplified example.
Now, here's an oversimplified solution.

Start looking for document.write() commands
in your code.

Be careful, though. Some document.write()
commands are legitimate and some are not.

You don't want to remove the legitimate ones.
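Added example (not the post's code): a shell function that lists every document.write() in a page's source together with the number of + operators on that line and the string literals glued back together, so a call built from many tiny pieces stands out from a legitimate one. The page source is constructed inline, the host example.invalid is a placeholder, and it assumes GNU grep and tr.

```shell
# Constructed page source: one legitimate document.write() and one built from
# eighteen tiny string literals. example.invalid is a placeholder host.
SAMPLE_HTML='<html><body>
<script>document.write("<p>Last updated: " + lastMod + "</p>");</script>
<script>document.write("h"+"t"+"tp"+":"+"/"+"/"+"ex"+"a"+"mp"+"le"+"."+"in"+"va"+"lid"+"/"+"x"+"."+"js");</script>
</body></html>'

# For each line containing document.write(): print the line number, the number
# of + operators on the line, and the string literals (double- or
# single-quoted) joined back into one string, tab-separated. Many + operators
# joining one- or two-character literals is the pattern described above.
report_document_writes() {
    q="'"
    pat="\"[^\"]*\"|${q}[^${q}]*${q}"
    printf '%s\n' "$1" | grep -n 'document\.write' | while IFS= read -r line; do
        num=${line%%:*}
        src=${line#*:}
        plus=$(( $(printf '%s' "$src" | tr -cd '+' | wc -c) ))
        joined=$(printf '%s' "$src" | grep -oE "$pat" | tr -d "\"'\n")
        printf '%s\t%s\t%s\n' "$num" "$plus" "$joined"
    done
}
```

Run it over a real file with report_document_writes "$(cat page.html)" and read the third column: a legitimate call joins a few readable fragments, while the obfuscated one spells out a complete web address.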

More later.

Ed Abbott

Friday, November 13, 2009

Google's Safe Browsing Diagnostics Page

Has your website been hacked? Is your
website marked by Google as one that
may harm your computer?

How do you get started cleaning up and
removing malware code that has been
inserted into a website that has been
compromised?

There's a page that is frequently recommended
by people who write about website malware
cleanup.

This page is the safe browsing page and
can be found here:

Safe Browsing Page

Note that this page refers to my website,
not your website.

Here is how to make it refer to your website
instead:

  1. Click on the above safe browsing link
  2. Look for the address of this page at
    the top of the browser
  3. Notice the domain websiterepairguy.com
    is part of the address to this page.
  4. Replace websiterepairguy.com with
    your domain name.
  5. Hit enter on your keyboard
  6. The safe browsing page now refers to
    your website, not mine

There's an even easier way to get to the
safe browsing page for your site.

Here are the steps:

  1. Do a Google search on your site.
  2. Look for the "may harm your computer"
    link.
  3. Look for the link above this link.
    The link above is what would be the
    normal search result for your page.
  4. Click the search result that would
    normally take you to your website.
  5. Notice that this link does not take
    you to your site as it would normally.
    Instead, the page that comes up
    offers you a link to the safe browsing
    page.
  6. Click on the link to the safe
    browsing page.

Hope this helps.

I've just given you two different techniques
for reaching the safe browsing page for your
website. All information on the safe browsing
page is compiled by Google.

Ed Abbott

Thursday, November 12, 2009

Malware Reading List

Has your website been hacked or
compromised for the purpose of
installing malware on other people's
computers?

Here's a malware reading list for you:

Malware Reading #1

Malware Reading #2

Malware Reading #3

Malware Reading #4

Malware Reading #5

Malware Reading #6

Malware Reading #7

Malware Reading #8

Malware Reading #9

Malware Reading #10

Steps to Removing Malware From a Website

OK. In general terms, I'm going to
give some of the steps to remove malware
from a website.

Here are some steps to get you started:

  1. Do a Google search on the website
    that has been compromised.
  2. Look for the "This site may harm
    your computer" message.
  3. Click on "This site may harm your
    computer" to get more information.

This will get you started. Basically,
Google knows your site has been compromised
and is very helpful in providing basic information
about the problem.

Here's how I might do these same steps using my
own website as an example:

  1. Use Google to search on websiterepairguy.com.
  2. Look for websiterepairguy.com in the search
    results. Typically, it will come up number one since
    you are searching specifically on this site.
  3. We're assuming the site has been compromised.
    Therefore, Google should provide you with a
    "This site may harm your computer" message.
  4. Click on "This site may harm your computer".
  5. Google will send you to a web page on their
    website that gives more information.

My website has not been compromised. Therefore, my
specific example will not work. However, it gives you the
idea.

More later.

Ed Abbott

Tuesday, October 27, 2009

Using a Hex Decoder

In my last post, I mentioned that
some malware distributors use hex
encoding to install software on
other people's computers.

That is to say, they hide what
they've done to compromise your
web page by hiding their intrusion
as hex encoding.

Hex is hexadecimal. It is a base
16 number system.

You can read more about hexadecimal here:

Wikipedia hexadecimal article

In order to make the hexadecimal
readable, you need to decode the
hexadecimal somehow.

Decoding the hexadecimal can be
helpful as malware URLs are often
encoded in hexadecimal. Not always,
but often.

A malware URL is simply an address.
It is the address of a bad, very bad,
website. It's bad because it does
bad things to your computer.

One way to read the hexadecimal is
with a hexadecimal decoder. Here's
a decoder I've used:

Hexadecimal decoder

Note that hexadecimal decoders are
also called hexadecimal translators
or just hex translators.

To use one, you place your hexadecimal
encoded URL in the hexadecimal window.

Next, you press the button.

Last, you look to see what the hexadecimal
encoded URL looks like in the text window.

Here are the steps again:

  1. Find yourself a hex decoder on the web.
  2. Copy and paste the hexadecimal into the hex window.
  3. Press the decode button.
  4. Look for the text window.
  5. Read the web address of the bad guys in the text
    window. There's where you will find their web address decoded.

Let me take a step backward here. Here's
the code the hexadecimal is likely to appear
inside of:

<script language="javascript">
document.write( unescape( 'Note: This part is fake! Hex appears here!' ) );
</script>

See the single quotes? The hexadecimal would
appear between the single quotes where my
fake message is.

Look for the above code, or something similar, if
you feel that your website has been compromised by
someone trying to install malware on other people's
computers.
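Added example (not from the post): a shell function that pulls the unescape() argument out of a snippet shaped like the one above and decodes its %XX escapes with plain awk, so no web decoder is needed. The snippet is constructed and decodes to a placeholder iframe on example.invalid; it assumes GNU grep and a POSIX awk.

```shell
# Constructed snippet in the shape the post shows: a document.write() whose
# unescape() argument is a percent-hex string. It decodes to a placeholder
# iframe pointing at example.invalid, not a real address.
Q="'"
SAMPLE_SNIPPET="<script language=\"javascript\">
document.write( unescape( ${Q}%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx%22%3E%3C%2Fiframe%3E${Q} ) );
</script>"

# Pull out the single-quoted argument of every unescape( ... ) call.
extract_unescape_args() {
    printf '%s\n' "$1" \
      | grep -oE "unescape[[:space:]]*\([[:space:]]*${Q}[^${Q}]*${Q}" \
      | sed "s/.*${Q}\(.*\)${Q}/\1/"
}

# Decode %XX sequences (what JavaScript's unescape() does for one-byte
# escapes) on each line of standard input. A % not followed by two hex
# digits is kept as-is.
decode_percent_hex() {
    awk '
    BEGIN { hex = "0123456789abcdef" }
    function hexval(c) { return index(hex, tolower(c)) - 1 }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            if (substr(s, 1, 1) == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, 2, 1)) * 16 + hexval(substr(s, 3, 1)))
                s = substr(s, 4)
            } else {
                out = out substr(s, 1, 1)
                s = substr(s, 2)
            }
        }
        print out
    }'
}

# Steps 2 to 5 of the post in one go: find the hex, decode it, show the text.
decode_unescape_calls() {
    extract_unescape_args "$1" | decode_percent_hex
}
```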

A good place to start looking for hex encoded URLs is
the bottom of the web page.

Be aware that this is not the only way to do this. I'm
just showing you one example, one way, of misdirecting
your web visitors to a bad-guy website.

Unfortunately, the bad guys are endlessly clever. Tricky
people are tricky for a reason. They spend a lot of
wasted time thinking and scheming and trying to do evil.

To me, this is a wasted life. If not totally wasted,
pretty close.

More later.

Ed Abbott

Monday, October 26, 2009

Rid Yourself of Spyware and Viruses

This is the first post of a new blog.

I'm writing because I'm sometimes asked
to rid someone of malware on their website.

Also, I like to keep my own personal computer
malware free.

Malware can be a virus or it can be spyware.
Malware is software that is evil.

Recently, I was sent an inquiry by someone
whose website was hacked and malware installed.

Or more precisely, the website was hacked so
that the website would serve as a vehicle to
install malware on other people's computers.

The strategy?

Take an innocent website and use it to install
malware on the computers of web visitors that
happen to visit this site.

In many many cases, the website owner is as much
an innocent and injured victim as his web visitors
are.

Website owners contact me asking for help with this
problem.

In one recent case, the website was hacked and the
.htaccess file was compromised.

In another case, the compromised website had a JavaScript
document.write() call with a hexadecimal-encoded
URL in it.

The strategy in both cases?

Set up a frame or iframe URL that addresses a website
that installs malware.

The advantage of this approach, from the bad guys' point
of view, is that the website that has been hacked and
compromised appears innocent.

There are no indicators that you are visiting a hacked
and compromised site.

Google to the rescue!

Google now identifies sites that have been compromised.

Google identifies these sites as sites that may damage
your computer. In some cases, Google goes so far as
to suggest that you visit another site.

Google makes this identification via its search results.
That is to say, on any given search, Google may
identify certain sites as being malware sites.

I don't consider myself an expert on malware. One of
my primary motives for starting this blog is to educate
myself further.

As I learn more, I'll write more.

Ed Abbott