Incident response gone wild
Today a friend of mine called me and asked for help. His website had apparently been hacked, but he did not know how, why… or when. OK, so I open up my browser and see the “This site has been reported as a malware site” red screen of death, the Firefox one. If you try to Google for this page, the same thing happens: Google had blocked access to his site, although he was ranked №1 there. Strange? Not really. But it was devastating to his business, and a solution had to be found ASAP. His Twitter account got suspended for the same reason, too.
OK… our next steps? Source code audit. A quick browse through the source code revealed a home-grown CMS, where NONE of the variables were protected, and a few files were infected with a known Chinese web worm. Clean the worm? Not so fast, security boy! The CMS was apparently written in such a way that if you try to strip out the JS functionality, the whole system breaks. If you try to clean the JS file, the whole system breaks. In the end, I ended up manually modifying the core code of the CMS just to prevent future infections and clean it up. Not nice… not your regular virus/worm infection.
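The clean-up problem described above, as an added example that is not the author's code and not the CMS in question: the post does not name the worm or its payload, so the injection signature, the trusted-host list and the sample files here are all constructed assumptions. The point it illustrates is the caveat the post ran into: a cleaner that strips every script tag breaks a CMS that depends on its own JS, so the removal has to be keyed to the injected tag's signature (here, an external script host that the site owner does not recognise) rather than to "anything that looks like JavaScript".

```python
import re
from typing import Dict, List, Tuple

# Constructed injection signature standing in for the real worm's payload
# (the post does not identify it): a <script src="http://..."> tag pointing
# at an external host, immediately closed.
INJECTION_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']https?://[^"\']+["\'][^>]*>\s*</script>',
    re.IGNORECASE,
)

# Hosts the site legitimately loads scripts from. Assumption: in a real
# clean-up this list comes from the site owner, not from the infected files.
TRUSTED_HOSTS = {"www.example.com"}

HOST_RE = re.compile(r'src\s*=\s*["\']https?://([^/"\']+)', re.IGNORECASE)


def is_injected(tag: str) -> bool:
    """A <script src=...> tag is suspect only if its host is not trusted."""
    m = HOST_RE.search(tag)
    return bool(m) and m.group(1).lower() not in TRUSTED_HOSTS


def find_injections(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {path: [injected tags]} for every file carrying a hit.

    Used first, before touching anything, so the scope of the infection
    is known and a backup of exactly those files can be taken."""
    hits: Dict[str, List[str]] = {}
    for path, content in files.items():
        found = [m.group(0) for m in INJECTION_RE.finditer(content)
                 if is_injected(m.group(0))]
        if found:
            hits[path] = found
    return hits


def clean(content: str) -> Tuple[str, int]:
    """Remove only tags matching the signature; the site's own JS stays.

    Returns the cleaned content and the number of tags removed."""
    removed = 0

    def _drop(m: "re.Match[str]") -> str:
        nonlocal removed
        if is_injected(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return INJECTION_RE.sub(_drop, content), removed


# Constructed sample web root: two pages plus the CMS's own JS file, one
# page and the JS file carrying the (constructed) injected tag.
SAMPLE_SITE = {
    "index.php": '<html><body><h1>Hi</h1>'
                 '<script src="http://www.example.com/app.js"></script>'
                 '<script src="http://bad.example.net/x.js"></script>'
                 '</body></html>',
    "about.php": "<html><body>About</body></html>",
    "js/cms.js": "function init(){ /* legitimate CMS code */ }\n"
                 "document.write('<script src=\"http://bad.example.net/x.js\"></script>');",
}

if __name__ == "__main__":
    for path, tags in find_injections(SAMPLE_SITE).items():
        cleaned, n = clean(SAMPLE_SITE[path])
        print(f"{path}: removed {n} injected tag(s); {len(cleaned)} bytes left")
```

Running this against the constructed site reports `index.php` and `js/cms.js`, removes one tag from each and leaves the site's own `app.js` include and the CMS's `init()` intact. Note what it deliberately does not do: it is not a substitute for fixing the unprotected input that let the worm in, which is why the post ends up editing the CMS core rather than just cleaning files.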
A quick remote check on his computer revealed trojans too, so who knows where the infection originated. A complete reinstall was suggested, as well as a thorough follow-up on the videos on this site in order to prevent the same thing from happening again.
Update: his site was restored in Google's rankings and the Firefox warning was lifted after the clean-up, just 24 hours later.
