Best methods to clean up a hacked site with no clean version available?

Question

I have been asked to fix a hacked site that was built using osCommerce on a production server.

The site has always existed on the remote host. There is no offline clean version. Let's forget how stupid this is for a moment and deal with what it is.

It has been hacked multiple times and another person fixed it by removing the web shell files/upload scripts.

It gets hacked frequently.

What should I do?

Answer

Because you cannot trust anything on the web host (it might have had a rootkit installed), the safest approach is to rebuild a new web server from scratch; don't forget to update all the external-facing software before bringing it online. Do all the updating on the happy side of a draconian firewall.

When you rebuild the system, be sure to pay special attention to proper configuration. If the web content is owned by a different Unix user than the web server's userid and the permissions on the files are set to forbid writing, then the web server cannot modify the program files.

Configure your web server's Unix user account so it has write access to only its log files and database sockets, if they are in the filesystem. A hacked web server could still serve hacked pages to clients, but a restart would 'undo' the 'live hack'. Of course, your database contents could be sent to the Yakuza or corrupted by people who think your data should include pictures of unicorns. The Principle of Least Privilege will be a good guideline -- what, exactly, does your web server need to access in order to do its job? Grant only that.

Also consider deploying a mandatory access control system such as AppArmor, SELinux, TOMOYO, or SMACK. Any of these systems, properly configured, can control the scope of what can be damaged or leaked when a system is hacked. (I've worked on AppArmor for ten years, and I'm confident most system administrators can learn how to deploy a workable security policy on their systems in a day or two of study. No tool is applicable to all situations, so be sure to read about all of your choices.)

The second time around, be sure to keep your configuration managed through tools such as puppet, chef, or at the very least in a revision control system.

Update

Something else, a little unrelated to coming back online, but potentially educational all the same: save the hard drive from the compromised system, so you can mount it and inspect its contents from another system. Maybe there's something that can be learned by doing forensics on the compromised data: you might find that the compromise happened months earlier and had been stealing passwords or ssh keys. You might find a rootkit or further exploit tools. You might find information to show the source of the attack -- perhaps the admin of that site doesn't yet realize they've been hacked.

Be careful when inspecting hacked data -- that .jpg you don't recognize might very well be the exploit that cracked the system in the first place, and viewing it on a 'known good' system might crack it, too. Do the work with a hard drive you can format when you're done. (Virtualized or with a mandatory access control system might be sufficient to confine "passive" data-based hacks, but there's nothing quite like throwaway systems for peace of mind.)
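Two of the answer's points (a web root the web server account cannot write to, and triage of the saved disk without executing anything from it) as checkable shell functions. This is an added example, not code from the answer's author or from osCommerce; the paths (/var/www/shop, /srv/evidence/shop.img, /mnt/evidence), the allow-listed "logs" directory and the account names (deploy, www-data) are hypothetical, and the two root-only steps (chown, mount) are kept in their own functions so they are run deliberately.

```shell
#!/bin/sh
# Added example, not code from the original answer. Two of the answer's
# points as checkable shell functions: (1) a web root the web server
# account cannot write to, except an explicit allow-list; (2) triage of the
# saved disk from the compromised host without executing anything on it.
# All paths and account names below are hypothetical.

## --- (1) least privilege on the rebuilt web root ----------------------

# List everything under $1 writable by group or others, skipping the
# allow-listed directory $2 (relative to $1; may be empty).
find_writable() {
    root=$1; allow=$2
    if [ -n "$allow" ]; then
        find "$root" -path "$root/$allow" -prune -o \
            \( -perm -g+w -o -perm -o+w \) -print
    else
        find "$root" \( -perm -g+w -o -perm -o+w \) -print
    fi
}

# Baseline: directories 0755, files 0644; only the allow-listed directory
# (e.g. logs) stays group-writable, setgid so new files keep the group.
apply_baseline() {
    root=$1; allow=$2
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    if [ -n "$allow" ]; then
        find "$root/$allow" -type d -exec chmod 2775 {} +
        find "$root/$allow" -type f -exec chmod 0664 {} +
    fi
}

# Ownership: content owned by the deploy account, group = the web server's
# group, so the server can read everything but write only the allow-list.
# Needs root, so it is a separate step the caller runs deliberately.
set_ownership() {
    chown -R "$2:$3" "$1"   # $1 web root, $2 owner (deploy), $3 web group
}

# Succeeds only when nothing outside the allow-list is writable.
check_webroot() {
    [ -z "$(find_writable "$1" "$2")" ]
}

## --- (2) offline triage of the saved disk ------------------------------

# Mount the evidence image read-only, with no device nodes, no setuid and
# no execution allowed from it (needs root; not exercised by the tests).
mount_evidence() {
    mount -o ro,noexec,nosuid,nodev,loop "$1" "$2"   # $1 image, $2 mount point
}

# Files under $1 modified within the last $2 days. mtime is trivial to
# forge with touch, so repeat the sweep with -ctime, which touch cannot set.
recently_modified() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Image-named files whose bytes contain a PHP open tag: the unrecognised
# .jpg the answer warns about. grep only reads them; nothing is executed.
images_with_php() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' \
        -o -name '*.png' -o -name '*.gif' \) \
        -exec grep -l -a '<?php' {} + | sort
}

# Hash manifest of the tree, to diff against a pristine copy of the same
# osCommerce release or against a later snapshot. Output: "<sha256>  ./path".
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# Stand-alone use (hypothetical paths):
#   set_ownership /var/www/shop deploy www-data && apply_baseline /var/www/shop logs
#   check_webroot /var/www/shop logs && echo "web root locked down"
#   mount_evidence /srv/evidence/shop.img /mnt/evidence
#   images_with_php /mnt/evidence/var/www/shop
#   manifest /mnt/evidence/var/www/shop > hacked.sha256
```

check_webroot is the piece worth wiring into the configuration management the answer recommends: run it after every deploy, and treat any output from find_writable as a regression. The triage functions are deliberately read-only; they never open a file with anything but grep or sha256sum, which is the point of the answer's warning about the unrecognised .jpg.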
