
Your site is hacked, now what?

Author: Peter Abraham; Published: May 14, 2012; Category: Security, Small Business, WordPress

For almost seventeen years now, we’ve been helping individuals as well as hosting providers with hacker clean up.

Please allow me to share some of that experience in terms of what you should do should you find your site has been hacked.

First, backup your site. Even though the site is hacked, you want to have a backup should you have to undo any of the clean up steps, and have a fresh start at cleaning up.

If your site is based on WordPress, Joomla, Drupal, or any other database-driven platform, be sure to include a backup of the database as well as the files in your HTML directory structure.

Second, if any of the hacked areas include defacements or other visible clues (or even in-your-face writings), then take screen shots of those areas. Basically, you want to document what you know about your site being hacked.

Third, contact your hosting provider technical support giving them as much information as you know along with any screen shots and notes you’ve taken to date.

If your hosting provider cares about you as a person, and cares about your site, they will do what they can to help you clean up from the hack(s) on your site. Depending on how quickly they are told, they might be able to review server log files to identify how the hacker(s) gained access and when such access was gained.

Some hosting providers do have the right to charge for clean up per their terms of service; prior to asking them to do any work, ask them if their help in the case you are facing will be free of charge. If yes, move forward; if not, then find out the charges involved and make a decision as to how much you need their help.

In any event, you should still notify your hosting provider so they know you know; AND, that the intent is to clean up the site as quickly as possible.

The main reason you want this notification (even if you are going to clean up the site yourself, or use another party) to the hosting provider is to ease any effort the hosting provider might make against you if they receive pressure to shut down your site.

Fourth, if you are unsure of how long the cleanup will take, put your site in maintenance mode so your site is not infecting others (or has less of a chance to infect others).

Fifth, scan any device (mobile, PC, etc.) used by you or by any authorized person who has access to the site for viruses AND malware / spyware. Anti-virus software will often not find any malware, and anti-malware software will often not find any virus. You need to run two different scans — one for viruses using an anti-virus program; and another for malware using an anti-malware program.

I recommend NOD32 for anti-virus and malwarebytes.org for anti-malware.

Sixth, change your passwords — FTP, SSH, control panel, WordPress, etc.

Read “Revealing the secret of creating secure passwords that are easy to remember and hard for hackers to crack” if you want to learn about using pass phrases as a means to create relatively secure passwords.

Seventh, now you are ready to go through your site and database (if database driven) to find and remove the hacks / defacement.

FTP / SFTP to the site and grab the .htaccess file along with all PHP and HTML files to start the review.

While there, make sure the .htaccess file and .php files are chmod 644 (most FTP clients allow you to see / set permissions; 644 = -rw-r--r-- where r = read and w = write).

If you see any file with 777 — -rwxrwxrwx (the leading “-” will be a “d” for directories), then note the file name; that file will have a higher priority for being checked for hacks / malware.

Review the .htaccess file (it is a text file) for any redirects that should not be present; if there are redirects, check whether the redirect is local (i.e. on the same server your site is on) or external (pointing to a site off the server).

If local, then the directory and files that the redirect is pointing to need to be reviewed.

For example, you might see a redirect like “includes/ice/ice.js”; go to the includes/ice directory and you may see a number of .php and .htm[l] files present that you didn’t put there (but the hacker did). Then that entire directory tree can be backed up (to play it safe) and deleted.

Then check all the files you grabbed for (in the above example) stuff like

Or you might see in the HTML a base64-encoded PHP statement…

Now, based on what you see, clean up might be as simple (relatively speaking) as editing the various files to remove what was injected.
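The review steps above (world-writable permissions, .htaccess redirects, base64/eval constructs in PHP and HTML) as an added triage script, written for this page and not code from the original post: it walks a copy of the site downloaded by FTP/SFTP and reports what a person should look at first. The `own_hosts` set, the `malware.example` host and the `includes/ice` sample tree are constructed for the example.

```python
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Directives that redirect visitors, and PHP idioms injected code usually hides behind.
REDIRECT_RE = re.compile(r'^\s*(Redirect(Match|Permanent|Temp)?|RewriteRule)\s', re.I)
OBFUSCATION_RE = re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13)\s*\(', re.I)

def classify_redirect(line, own_hosts):
    """Return ('external_redirect', url), ('local_redirect', target) or None for one line."""
    if not REDIRECT_RE.match(line):
        return None
    for url in re.findall(r'https?://[^\s"\']+', line):
        if urlparse(url).hostname not in own_hosts:
            return ('external_redirect', url)
    # Target is the last field that is not a [flags] group: RewriteRule <pat> <target> [flags]
    targets = [f for f in line.split()[1:] if not f.startswith('[')]
    return ('local_redirect', targets[-1] if targets else '')

def triage(root, own_hosts=()):
    """Walk a downloaded copy of the site and return (kind, path, detail) findings."""
    findings = []
    for path in (p for p in sorted(Path(root).rglob('*')) if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:  # 777 and friends: the post says check these first
            findings.append(('world_writable', str(path), f'{mode:o}'))
        text = path.read_text(errors='replace')
        if path.name == '.htaccess':
            for n, line in enumerate(text.splitlines(), 1):
                hit = classify_redirect(line, own_hosts)
                if hit:
                    findings.append((hit[0], f'{path}:{n}', hit[1]))
        elif path.suffix.lower() in {'.php', '.htm', '.html', '.js'}:
            for m in OBFUSCATION_RE.finditer(text):
                findings.append(('obfuscated_code', str(path), m.group(1).lower()))
    return findings

def build_sample_site():
    root = Path(tempfile.mkdtemp())  # constructed sample echoing the post's includes/ice case
    (root / '.htaccess').write_text('RewriteRule ^(.*)$ http://malware.example/go.php [R,L]\n'
                                    'RewriteRule ^old$ includes/ice/ice.js [L]\n')
    ice = root / 'includes' / 'ice'
    ice.mkdir(parents=True)
    (ice / 'ice.php').write_text('<?php eval(base64_decode("cGhwaW5mbygpOw==")); ?>')
    (ice / 'ice.php').chmod(0o777)  # world-writable, like the 777 files the post flags
    (root / 'index.php').write_text('<?php echo "clean"; ?>')
    (root / 'index.php').chmod(0o644)  # the permission the post says .php files should have
    return root
```

Run `triage(build_sample_site(), own_hosts={'www.example.com'})` to see the external redirect, the local redirect into includes/ice, and the 777 file with its eval/base64_decode reported while the clean index.php stays silent.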

Lastly, once the site is back up and running clean (no more hacks, malware, or defacement present), then (if you are running WordPress) review http://codex.wordpress.org/Hardening_WordPress and http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ to see what additional security you can put into place for your site.

If you are running WordPress, two of the better plugins we’ve found for security are Better WP Security and WordFence Security.

Now, you might find yourself on the “find malware, hacks, defacement” step and be lost. If that’s the case, you might want to reconsider either having your hosting provider get involved in the clean up, or contracting a person or firm to do the clean up for you.

If it comes down to getting outside help, please review our Site Security page for options.

Contact us if you have any questions.

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

11 Responses to “Your site is hacked, now what?”

  1. Sammy Moshe says:

    There’s been this nasty rash of back door trojans going around hitting wordpress sites lately. The actual tool they use is actually pretty powerful, and can do a lot of damage to pretty much any area of your site (or anything else on the server) if you’re not careful. One of the best things you can do if you find yourself the victim of such an attack, is download the bullet proof security plugin, and follow the directions it gives you. There are also modules that will disable the version number in your wordpress. It’s important that you do that too. Good luck!

  2. Eljon Curry says:

    The odd thing about the malware I have run into this month (June) is the way it behaves. With the release of wordpress 3.4 comes malware for some reason. Now, I know it sounds strange, odd and weird, but hear me out. If your domain is the target of malware of injection it’s being probed with curl (at least this site I’m working on is). Now, if I completely wipe the site and database, a rewritten or injected .htaccess file will not be written. If you upload wordpress 3.4 (and yes, I tried this on 3 different machines and 5 different hdd to make sure malware is not local), within minutes a nice little, redirecting .htaccess file will be written to the root. sucuri.net shows the malware and base64 string, but searching both files and .htaccess shows nothing. Not malware scans, not putting the entire site on another domain and having sucuri scan that domain. BUT, if you change the .htaccess file on the original domain’s root, it’s rewritten, given new permissions (444) and will redirect on referral, IF wordpress 3.4 is installed. If you delete all files in the root and leave it sit for a week, it will never write an .htaccess file. If you create one and leave it for a week, it won’t be injected. If you upload wordpress and install, within minutes (or even seconds), it’s injected. Any ideas?

  3. Good day, Eljon Curry:

    Prior to any upgrade, it is best to make sure a site is perfectly clean — no malware or hacks. Upgrades do not remove any existing malware or hacks.

    Please visit http://www.dynamicnet.net/managed-services/site-security/ and consider having Sucuri Security do the clean up.

    Thank you.

  4. Shatil Ahmed says:

    my site has been hacked by Myanmar hacker group http://www.knowledgefair.net , have any solution? 6/7/2012

  5. Yes. Shatil Ahmed, you should contact your hosting provider. If your hosting provider is good, they will help you find out what happened, and help you get your site back in working order.

    Another alternative is http://www.dynamicnet.net/managed-services/site-security/

    Thank you.

  6. Shatil Ahmed says:

    Thank you for your response

  7. Hi

    This is all good stuff, but how do you monitor a site for a similar intrusion after the clean up?

    I had a painful experience last year, when one of my sites was hacked, and couldn’t find anything on the net that would protect against this type of intrusion. However, I have written my own script which will detect any file changes on a web site (including file permissions) and send an email notification on detection.

    Although it won’t prevent a site from being hacked, it will act as an early warning system.

    It’s intended to be used as a scheduled task or cron job, run, say, once an hour, and can be set up to monitor 1 or many sites, all remotely. A hacker won’t even suspect that the site is being monitored. I call it SimpleSiteAudit – it can be downloaded from http://simplesiteaudit.terryheffernan.net

    I’m an amateur programmer, so it’s freeware – although you are free to donate if you find it useful :o)

    Cheers
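The early-warning idea Terry describes (record what every file looks like, run from cron, alert on any change including permissions) as an added example written for this page; it is not SimpleSiteAudit’s code and it walks a local copy rather than monitoring remotely. The site tree, the `malware.example` host and the baseline file location are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root to its SHA-256 and permission bits (what a cron run records)."""
    snap = {}
    for path in Path(root).rglob('*'):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = path.stat().st_mode & 0o7777
            snap[path.relative_to(root).as_posix()] = {'sha256': digest, 'mode': f'{mode:04o}'}
    return snap

def diff_snapshots(baseline, current):
    """Return (kind, relpath, detail) for every added, removed, modified or re-chmod'ed file."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None or new is None:
            changes.append(('added' if new else 'removed', rel, ''))
            continue
        if old['sha256'] != new['sha256']:
            changes.append(('modified', rel, ''))
        if old['mode'] != new['mode']:
            changes.append(('mode', rel, f"{old['mode']}->{new['mode']}"))
    return changes

def audit(root, baseline_file):
    """Run 1 records the baseline; later runs report drift (refresh it only after a human review)."""
    baseline_file, current = Path(baseline_file), snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return []
    return diff_snapshots(json.loads(baseline_file.read_text()), current)

def demo():
    work = Path(tempfile.mkdtemp())  # constructed site tree plus an off-tree baseline file
    site, baseline = work / 'site', work / 'baseline.json'
    (site / 'wp-content').mkdir(parents=True)
    (site / 'index.php').write_text('<?php require "wp-blog-header.php"; ?>')
    (site / 'index.php').chmod(0o644)
    (site / 'wp-content' / 'theme.css').write_text('body { margin: 0 }')
    audit(site, baseline)  # run 1: writes the baseline, reports nothing
    (site / '.htaccess').write_text('RewriteRule ^(.*)$ http://malware.example/ [R,L]\n')
    (site / 'index.php').write_text('<?php eval(base64_decode("...")); ?>')
    (site / 'index.php').chmod(0o777)
    (site / 'wp-content' / 'theme.css').unlink()
    return audit(site, baseline)  # run 2: the drift a cron job would e-mail out
```

Keep the baseline file outside the web root (and ideally off the server), otherwise the same intruder who edits index.php can edit the baseline to match.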

  8. Terry, thank you for taking the time to comment and share.

    WordFence Security, a free WordPress plugin that also has a premium set, will scan and do such reporting as well as let you know about out of date areas (core, plugins, and themes).

    See http://www.dynamicnet.net/2012/06/wordfence-security-plugin/ for my review of WordFence.

    Mark, the author, and his team do a fantastic job with support issues.

    Thank you again, Terry, for your comments and sharing your script.

  9. Thanks Peter, I’ll check out wordfence, it looks interesting.

    Cheers

  10. One thing you didn’t address was how to get back into your WordPress website if you’ve been locked out of wp-admin. We covered that (and everything else) in our tutorial on how to fix your own hacked WP blog:
    http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/

  11. Hi John:

    Thank you very much for sharing that information.
