
How to clean your site from infection 3.x



There are many ways for a site to get compromised, but most end in the same result: the hackers either try to use your site to serve malicious files, or try to redirect your users to infected sites.

Here are some common things that hackers do that you should look out for.

1. They will always try to leave behind a file or two as a back door into your system, so it's a good idea to understand which files are good and which are bad. To do this you can compare the file set of your site to a fresh file set from a download.

2. Look for files with odd or random names ending in .php. Here are some examples; these are not exact names, but examples of a typical naming structure. They will either be short and sweet like sh.php or a random string followed by .php:

zx.php
sh.php
123482379874hjsdf8734.php
dsfjklsadjfklasdjfklads.php
ipbfirewall.php

When inspecting files, if you see any reference to ipbfirewall, be aware that this is not a real product or item. It is bad code left behind, made to look like it belongs, so you can safely delete it.

Example of IPB_Firewall code that IS NOT FROM IPS (only the opening of the injected file is quoted here):

if ( ! defined( 'IPB_FIREWALL' ) )
{
define('IPB_FIREWALL', 1);

/**
* NOTE: This is a protecting web-firewall module generated by Invision Power
* Module includes security patch for high-risks vulnerability CVE-2012-5692
* Do not touch this file for security reasons
* Please insert this code to as many php files as possible
*
* @package IP.Firewall
* @version $Revision: 9544 $
* @md5 e66e6cadd6e13efea54ed50c0eb2d32b
* @sha1 6966286d64352840245f5b2248545450
* @crc32 5f51554f5445225d293d3d2463732965
*/

These are most commonly placed in the root directory, /cache, /public, /uploads or other areas.

3. Another thing to look for is odd folder names. Again, compare your folder structure against a fresh download of the files; attackers will often create oddly named directories or try to mimic an existing name as well.

Here is what a standard folder/file structure looks like for the forum directory

[Screenshot: standard forum directory structure as shown in FileZilla]

Here is what a typical /cache folder looks like as well

[Screenshot: typical /cache folder contents as shown in FileZilla]

4. If you see any odd files in those folders, odds are they do not belong there. You can open the file and inspect the code to judge whether it looks like a legitimate file or not. Keep in mind that if you have third party add-ons or other apps installed, these can often require extra files of their own.
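As an added example (not part of the original post and not an IPS tool), the following Python script automates steps 1, 2 and 4 in one pass: it hashes a clean reference tree and the live site tree, reports files that are extra, modified or missing, flags extra .php files whose names fit the short or random pattern described above, and flags any file containing the ipbfirewall markers. The two directory trees and their contents are constructed inside the script so it runs offline; on a real site you would point clean_root at the unpacked download and live_root at a copy of the site's files. The name regex is a heuristic assumption, so treat its hits as a triage list to inspect by hand, not as a verdict.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample trees (not real IP.Board files) so the example runs offline.
CLEAN_FILES = {
    "index.php": "<?php\nrequire_once 'initdata.php';\n",
    "initdata.php": "<?php\ndefine('IPB_THIS_SCRIPT', 'public');\n",
    "cache/index.html": "",
    "uploads/index.html": "",
}
LIVE_FILES = dict(CLEAN_FILES)
# A modified core file, a short-name drop file and a random-name drop file.
LIVE_FILES["index.php"] = CLEAN_FILES["index.php"] + "if ( ! defined( 'IPB_FIREWALL' ) ) { }\n"
LIVE_FILES["cache/sh.php"] = "<?php\n/* IP.Firewall */\n"
LIVE_FILES["uploads/123482379874hjsdf8734.php"] = "<?php\n"

# Heuristic (assumption): 1-3 letter names, or 16+ alphanumeric characters, ending in .php.
RANDOM_NAME = re.compile(r"^(?:[a-z]{1,3}|[a-z0-9]{16,})\.php$", re.IGNORECASE)
# Strings the post identifies as belonging to the fake "firewall" module.
MARKERS = ("ipbfirewall", "IPB_FIREWALL", "IP.Firewall")


def write_tree(root, files):
    """Materialise a {relative_path: contents} mapping on disk."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def hash_tree(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_trees(clean_root, live_root):
    """Diff the live site against the clean download and scan for markers."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    report = {
        "extra": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
        "suspicious_names": [],
        "marker_hits": [],
    }
    for rel in live:
        name = rel.rsplit("/", 1)[-1]
        # Only extra files are name-checked, to avoid flagging legitimate short names.
        if rel not in clean and RANDOM_NAME.match(name):
            report["suspicious_names"].append(rel)
        with open(os.path.join(live_root, rel), "rb") as fh:
            body = fh.read()
        if any(m.encode() in body for m in MARKERS):
            report["marker_hits"].append(rel)
    report["suspicious_names"].sort()
    report["marker_hits"].sort()
    return report


def demo():
    """Build both constructed trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean")
        live_root = os.path.join(tmp, "live")
        write_tree(clean_root, CLEAN_FILES)
        write_tree(live_root, LIVE_FILES)
        return compare_trees(clean_root, live_root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Anything listed under "modified" should be restored from the download (step 5), and anything under "extra" or "marker_hits" inspected before deletion, since a third party add-on can legitimately add files that the clean download does not contain.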

5. After you have cleaned up any bad files, the next step is a fresh file upload of the board and all apps that you have installed. You can download these from the client area and upload them via FTP, making sure to overwrite any and all existing files.

6. After that is done, log into your admincp and you will see a "Furl cache out of date" error. Click the option to "Rebuild Furl Cache" to correct it. This is normal and is due to the new files that were just uploaded.

7. Rebuild HTML & CSS and recache your skins. Often there will be an infection deep inside your templates, or code left behind, placed by a direct file edit of your skin files; rebuilding and recaching will usually clear this out.

To do this, select "Look & Feel" from the tabs, then select "Manage Skins and Languages". Then on the left side select "Template Tools".

[Screenshot: Look & Feel > Manage Skins and Languages > Template Tools]


You will then see an option to Rebuild Master Skin Data, select HTML & CSS from this and also all of your apps as below.

[Screenshot: Rebuild Master Skin Data with HTML & CSS and all apps selected]


After that is completed, select Template Tools again and this time, at the top, select "Re-Cache Skin Set's".

[Screenshot: Template Tools > Re-Cache Skin Set's]


8. Often an offender will also dig into your language files and infect them as well. To correct this, select "Look & Feel" > Manage Languages, and on the affected language pack select the drop-down menu to the right and then "Rebuild from XML". This will rebuild your language files for you. If you are using a third party or custom language file, re-import the language pack to correct any issues.

[Screenshot: Look & Feel > Manage Languages > Rebuild from XML]

9. Another common issue that I have seen is offenders modifying your .htaccess, conf_global.php, initdata.php or index.php files and adding extra code to them for redirects or other purposes. Inspect all of your .htaccess, index.php and conf_global.php files for proper code. Overwriting with the new file set for the board will correct the index.php and initdata.php files, but not .htaccess or conf_global.php, which you must check by hand.
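As an added example for step 9 (not part of the original post and not an IPS tool), this Python script checks the two files the fresh upload does not overwrite. For .htaccess it reports any RewriteRule or Redirect whose target is an absolute URL on a host you have not listed as your own; for conf_global.php it applies a whitelist, reporting any line that is not a plain $INFO[...] assignment, a PHP tag or a comment. The sample .htaccess and conf_global.php contents are constructed for the example, as are the hostnames; the whitelist of "normal" conf_global.php lines is an assumption based on the file being a list of settings, so a legitimate custom line would also be reported and should simply be reviewed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample files (not taken from any real site) so the example runs offline.
# The last RewriteRule and the @eval line are the kind of additions step 9 warns about.
HTACCESS = """\
# Standard rewrite rules
RewriteEngine On
RewriteBase /forum/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \\.(js|css|jpeg|jpg|gif|png|ico)(\\?|$) - [L,NC,R=404]
RewriteRule . /forum/index.php [L]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/land.php [R=302,L]
"""

CONF_GLOBAL = """\
<?php
$INFO = array();
$INFO['sql_driver'] = 'mysql';
$INFO['sql_host'] = 'localhost';
$INFO['board_url'] = 'http://forum.example.invalid';
@eval(base64_decode('Zm9v'));
"""

# RewriteRule / Redirect / RedirectMatch directives whose target is an absolute http(s) URL.
EXTERNAL_TARGET = re.compile(
    r"^\s*(?:RewriteRule\s+\S+|Redirect(?:Match)?(?:\s+\S+)?\s+\S+)\s+(https?://\S+)",
    re.IGNORECASE,
)

# Assumed whitelist: the $INFO array itself and literal assignments into it.
INFO_ASSIGNMENT = re.compile(
    r"^\$INFO(?:\['[^']*'\])?\s*=\s*(?:array\(\)|'[^']*'|\"[^\"]*\"|-?\d+|true|false|null)\s*;$",
    re.IGNORECASE,
)
# Blank lines, PHP open/close tags and comment lines are also fine.
HARMLESS_LINE = re.compile(r"^(?:<\?php|\?>|//.*|#.*|/\*.*|\*.*)?$")


def check_htaccess(text, allowed_hosts=()):
    """Return (line_no, host) for each redirect to a host not in allowed_hosts."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = EXTERNAL_TARGET.match(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            if host not in allowed_hosts:
                hits.append((no, host))
    return hits


def check_conf_global(text):
    """Return (line_no, line) for each line that is not a plain $INFO setting."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if HARMLESS_LINE.match(stripped) or INFO_ASSIGNMENT.match(stripped):
            continue
        hits.append((no, stripped))
    return hits


def demo():
    """Run both checks over the constructed samples."""
    return check_htaccess(HTACCESS), check_conf_global(CONF_GLOBAL)


if __name__ == "__main__":
    htaccess_hits, conf_hits = demo()
    for no, host in htaccess_hits:
        print(f".htaccess line {no}: redirects to external host {host}")
    for no, line in conf_hits:
        print(f"conf_global.php line {no}: unexpected statement: {line}")
```

Pass your own board hostname in allowed_hosts so that a redirect to your own site (for example from an old domain) is not reported; any other absolute-URL target, and any conf_global.php line that is not a setting, is worth reading before you decide it is legitimate.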

10. Make sure that you have changed all of your admins' passwords on your forum, your FTP access details, and any control panel access as well. In most cases I even recommend updating your MySQL database password too. See your host for details on that if you are not sure how to update the MySQL password.

11. Re-importing your hooks is another item that should be done as well: from the admincp > manage hooks > re-import all hooks.

12. The last step is to run the tools from the system security area: Admincp > System > System > Security Center.

[Screenshot: Admincp > System > System > Security Center]
