Greg Freeman has posted the second part of his "hacked PHP application" series (part one is here). In this new post he looks at the aftermath - what to do and check to do cleanup and fixes so it doesn't happen again.
This is a follow up post from my previous post “How to Tell if Your PHP Site has been Hacked or Compromised“. This post will discuss some the first steps you should take when you have identified that your site has been compromised. The first sections discuss a few points that are not relevant to everyone, the later sections will discuss how to fix the exploits.
He includes a list of things to think about including:
- What kind of hosting you use (and if that contributed)
- The option to redirect all requests for your site to one page
- Get a list of all PHP files to locate something malicious
- Locating "non-PHP PHP files"
- Finding files with possible malicious content
He also includes a few suggestions to help prevent issues in the future - update to the latest versions, patch your code, rethinking your permissions and monitoring for potential repeat attacks.