Help! My site is hacked – where to begin?

One day you go to your site that you’ve worked hours, days and weeks to build and your browser shows a security warning – malware has been found on your site! What are you going to do? Here some background and suggested steps to take.

web development vulnerability attack

Site is blocked as a result of compromise resulting in malware on site

There are two easy ways to hack into your site:
1. Steal your ftp log in credentials.
2. Web app vulnerability, such as SQL injection.

First, rule out it wasn’t the ftp – check the ftp logs. If there are any log in’s form IP addresses that you don’t recognize, that’s a red flag. Steps to take:
1. Block access from these IP’s.
2. Scan your PC for trojans/keyloggers – remove anything that is found.
3. Check ftp accounts on your server. Remove all but yours.
4. Scan/check for trojans/backdoors in your hosting account – remove.
5. Change passwords – ftp, database, host.

Log into Google Webmaster Tools. Click on Diagnostics->Malware. You’ll get a list of infected pages. Ideally restore from uninfected backups, or remove offending code.

From Google Webmaster Tools request site review to remove the browser warning.

Ok, so you’ve determined it wasn’t FTP that was used to get into your site.

Chances are someone exploited a vulnerability found in your site, possibly managed to log in, and uploaded a web shell.
Web shell, of course, is just like a shell on your host except it’s accessible from the web and usually has an easy to use GUI. And it pretty much gives access to everything on your hosting account.

So what to do?

In general, here’s what to do:

1. Find out where the web shell is located, get the file name. Delete the shell.
2. In the access logs, find IP addresses that accessed this file.
3. By analyzing the logs, get an understanding what pages the attacker visited.
This will usually point to where the entry point was.

If the entry point was third party software (WordPress, Joomla, etc), make sure you’re upgraded to the latest release (that fixes the vulnerability), and that the upgrade/install directory is deleted. Depending on your situation, this might be enough.

If the entry point was your own script, then take a look at the code.

Is SQL injection possible? Make sure you’re filtering and escaping all input parameters that go into queries. Are you using prepared statements? You should.

Are you letting users (including logged in ones) to upload files? If yes, do you check for file types? Can you execute a script in the file upload directory?

Once you make the fixes, remove the infected files, and ask Google to re-evaluate your site for malware.

Obviously, every case is different and requires analysis that might lead you down different paths, but I hope that this post gives some general ideas of how to deal with a hacked site.

If your site is hacked, let me know if you need help!

RSS feed for comments on this post. TrackBack URI

Leave a Reply