by rschmitty 4430 days ago
Rather than trying to undo the damage (will you ever be 100% sure you caught everything?) why not create a new site (edit: as in a new VM/box/image from scratch) and import your data fresh.

If I was hacked and files were placed on my server, including a 'web shell' I would be very afraid I don't catch everything and it just gets re-hacked.

Unless this is just a pure curiosity adventure in deobfuscation... then nevermind :)


One problem is that a truly full cleanup of a hacked website should in theory include manual cleanup of all clients' caches (not really practical). Otherwise, malicious index.html (for example with JavaScript that sends cookies to an attacker) could remain cached by the clients forever.
That's a really interesting point, I'd never thought of that. Worse still, you could do some trickery with app cache manifests to prevent cache cleans/page refreshes from fixing it, maybe even forever.

I spent a bit of time messing around with that approach, and came up with this: https://github.com/sgentle/hackcache

That is assuming the cracker did not go further than the website's folder.

From my own experience, when one of my sites with username www-data was hacked (default apache installation), the client-side malware JS was injected into the .htaccess file and added to ALL folders www-data had write access to.

What I am saying is, assume the worst, what other data could the cracked unix account do on the system.

Sorry, I should have clarified. A new VPS/image/machine. I would not simply create a "new site" on the box that got hacked as I too would assume evil is lurking outside of apache.

Douse it with gasoline and toast some marshmallows as I spin up a new instance imo :)

After dealing with quite a few hacked wordpress sites, my general advice is to install something like afick on site creation.

http://afick.sourceforge.net/

Then you do have a reasonable idea of what's actually been modified after the fact.

Aren't tools like that vulnerable to being replaced with a version that runs the real afick and simply removes all references to anything that the attacker wants to hide?

The attacker could then arrange for any activity during the time they were active to be filtered - including the change to afick itself...

Do attackers ever try a double bluff and make an attack look like a "standard" script-kiddie attack - which might be regarded as something that can be recovered from without scrubbing the server and starting again, leaving the more sophisticated main attack in place?

[NB Been reading a lot of John le Carré recently, which probably explains the paranoia].

Oh, all that is certainly possible. As a rule most of these attackers don't really know what afick is, or if they do they simply don't care; most wordpress attacks are for the purposes of malware/SEO spam, so it's really a numbers game. Figuring out how to quietly subvert afick is a waste of time for them.

More to the point, I don't use afick as a detection system but more as a cleanup tool. Typically in most wordpress hacks (I've probably dealt with about 8-10) you'll find that the attackers will target the theme, because if you "replace all the files on the site" you can't replace the theme: it's unique. Unless you've got a clean copy from a backup (assuming you know when the hack took place), you can't easily replace it with known good code.

But the theme is also the part of the site that changes least, so even an afick database from the first day of the site is sufficiently useful in seeing what files (php, js) have been altered.

Typically, I end up installing afick after I get called in to clean up an existing hack. If it's been hacked once, it may well get hacked again, so I install afick to make the cleanup job easier the second time around.
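A minimal baseline-and-compare check in the spirit of the afick workflow described in the comments above (baseline taken at site creation, diff taken after the incident to see which theme, .htaccess and other files changed). This is an added example, not afick's code and not from anyone in the thread; the site layout and file contents are constructed, and keeping the saved baseline off the host (or on read-only media) is what answers the earlier worry about the checker itself being tampered with.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash, mode and size of one regular file (mode catches chmod-only tampering)."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode, "size": st.st_size}


def build_baseline(root) -> dict:
    """Walk the tree and fingerprint every regular file, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed content/mode/size."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in common if baseline[k] != current[k])}


def demo() -> dict:
    # Constructed sample site: a theme file and an .htaccess, then the kinds of
    # changes the thread describes (theme edited, .htaccess edited, new file dropped).
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        theme = site / "wp-content" / "themes" / "mytheme" / "functions.php"
        theme.parent.mkdir(parents=True)
        theme.write_text("<?php // clean theme\n")
        (site / ".htaccess").write_text("RewriteEngine On\n")
        # Baseline serialized as JSON so it can be stored off the box (here: in memory).
        saved = json.dumps(build_baseline(site))
        theme.write_text("<?php // clean theme\n// unexpected edit\n")
        (site / ".htaccess").write_text("RewriteEngine On\n# unexpected rule\n")
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "dropped.php").write_text("<?php // placeholder\n")
        return compare(json.loads(saved), build_baseline(site))
```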

In all honesty, I'm not particularly sure most of the script kiddie type hackers attacking Wordpress and Drupal have the skillset to figure this out. They're picking off low hanging fruit IMO. This doesn't ring true for all of them, i.e. those expanding a global botnet, but most of them are skilled in the art of running a script and uploading files to a web directory with basic `chown` and `chmod` perms.
[indiana jones whip gif] http://www.abc.net.au/news/linkableblob/5057546/data/indiana... in it for the adventure :)