My ecomm Site got hacked-Now what?

by Chas22
24 replies
My ecomm site was hacked about 5 days ago and since then it has been down more than it has been up.

Of course my hosting provider suggests: don't clean it yourself, hire SiteLock to clean and secure it for you.

Of course when you call SiteLock, they want you to sign a 1 year contract, because sites that get hacked often have issues again.

So I signed up. After I signed up and they supposedly cleaned it:

1) my NON Adult site started redirecting everybody to a porn site (only if viewed on mobile).
2) Now today, my site is shut down from the hosting provider as they state my site continues to send out large amounts of SPAM.

So my questions for this forum:

How do I resecure my site?

1) Do I need to move everything to a new hosting provider?
2) I am not confident my backups are not corrupted as well. Any way to scan my backups?

Please advise.
#ecomm #hackednow #site
  • KelpS
    Who are you hosted with?
    • Chas22
      Originally Posted by KelpS View Post

      Who are you hosted with?
      It is hosted with Hostgator.
  • jduck1979
    Poke around in the files via FTP, check for any offending htaccess files likely causing any re-directs (had that happen before, taken me 2yrs to get near to the Alexa ranking I was at before, not that they really count for anything)..... you'll probably find an htaccess file with the offending web address in it causing the re-direct.

    You probably may want to consider changing passwords.... and if that fails a different hosting provider (1&1 seems to have good security features, been using them for years).
    • Chas22
      Originally Posted by jduck1979 View Post

      Poke around in the files via FTP, check for any offending htaccess files likely causing any re-directs (had that happen before, taken me 2yrs to get near to the Alexa ranking I was at before, not that they really count for anything)..... you'll probably find an htaccess file with the offending web address in it causing the re-direct.

      You probably may want to consider changing passwords.... and if that fails a different hosting provider (1&1 seems to have good security features, been using them for years).
      Thanks for the updates. I will check. I am disappointed with SiteLock as I thought this was the stuff they were to do, but the site has had issues 2 times since they "cleaned" it.

      Passwords on all of the sites including the FTP/cPanel were changed as soon as SiteLock said the site was clean and virus free. It has since been flagged by Hostgator as a malicious site sending out excessive SPAM. When I changed the passwords it was done from a computer that I know has not been compromised from any of these issues.
  • DWolfe
    Check your plugins and put something strong in like Wordfence. A while back there was a thread about the same problem. It seems that is a trick by the hosting company to get you to pay for SiteLock year round. Switch to a better host.
  • KelpS
    I left hostgator simply because I was hacked all the time.
    You can hire someone on fiverr to clean up your files for you.
  • Kingfish85
    It is likely that the site has either vulnerable themes or plugins installed which allowed it to become compromised. Unfortunately, the best course of action is to have a developer review the code to either find & fix the vulnerabilities OR locate them so you know what to replace with something different (i.e. a plugin, module or theme).

    SiteLock is not really going to do anything here though.
  • ryanbiddulph
    Hi Chas,

    I know it's tough to experience this - my blog was down for 13 days recently with issues - but having your developer review code line by line seems the way to go, like Kingfish said. With a fine toothed comb. No one cares about your site like you, and your developer is likely in the same boat as it's his site too in a way.

    Tweeted to my 50K followers to spread the word. All the best dude.

    Ryan
    Signature
    Ryan Biddulph, Blogger, Author, World Traveling Digital Nomad at Blogging From Paradise
  • Chas22
    Thanks everybody for all the help and insights. I have moved my site to a different hosting provider as I believe Hostgator has gotten way too big to help us little guys out. Nor do they seem to care.
    • Kingfish85
      Originally Posted by Chas22 View Post

      Thanks everybody for all the help and insights. I have moved my site to a different hosting provider as I believe Hostgator has gotten way too big to help us little guys out. Nor do they seem to care.
      This wouldn't really be a responsibility of the hosting provider as most hosting plans do not include coding related support. That said, you should still have a developer review the site (a competent one that knows what they're doing) because unless the issue was properly resolved, it'll likely come back.

      1) my NON Adult site started redirecting everybody to a porn site (only if viewed on mobile).
      2) Now today, my site is shut down from the hosting provider as they state my site continues to send out large amounts of SPAM.
      These two issues here above are almost spitting images of compromised plugins due to bad coding allowing for vulnerabilities. The redirects will likely be related to some sort of mobile themes/plugins and the SPAM related issues will end up being random encoded scripts with file names similar to this: vbhdj48sk.php - both of these are indicative of exploits.
    • KelpS
      They get money when you buy their security and backup packages. No incentive to help you out if you aren't paying extra.
  • Chas22
    So besides Wordfence what is everybody using to keep their site secure? I was religious about doing WordPress updates and plugin updates.
    • KelpS
      It doesn't matter if you keep up your updates - on a shared server anyone can be accessed. I use a more expensive hosting with Sucuri and backups included.
      • Kingfish85
        Originally Posted by KelpS View Post

        It doesn't matter if you keep up your updates - on a shared server anyone can be accessed. I use a more expensive hosting with Sucuri and backups included.
        This is not exactly true - it depends on how each account is isolated. If the server itself is properly secured, one account cannot access another. CloudLinux achieves this with CageFS. The issue is almost never with other accounts on the same server.
    • Kingfish85
      Originally Posted by Chas22 View Post

      So besides Wordfence what is everybody using to keep their site secure? I was religious about doing WordPress updates and plugin updates.
      Monitoring the code itself, file changes etc. The biggest issue is with plugins not being secured properly - the code itself is vulnerable to exploits.
  • If you are using WordPress, then go with Malcare: I can say it is the most proactive WordPress malware protection service.

    I would not recommend you go with iThemes Security because their plugin is great but after cleaning malware from a hacked website it comes back. Wordfence is great too but it slows down the website a lot.

    You can check out a proper review of Malcare if you want. It is a 1 and a half hour live video made by Adam Preiser from WPCrafter.com.
    Check the video out, but don't worry about your hacked website, Malcare will recover it for you.
  • Tony Marriott
    How much money does your ecom site make?

    You don't have to answer, just consider.

    If it is a lot then simply pay someone to fix your site.
    You will need a specialist.

    Also don't think that a single fix will always be the end. Missing one bit of malware code can have the whole thing in trouble again pretty swiftly. Some codes will simply replicate themselves into multiple files so if you don't get them all they just re-replicate.

    If your website doesn't make much then maybe you can "learn" what is needed to be done. There are plenty of tutorials on removing malware from websites.

    If you don't know how the original hack happened then you need to remove all possible hackers' access to start with, i.e.

    Update all plugins and themes if it is WordPress.
    Check for any known vulnerabilities not yet fixed by updates.
    Remove xmlrpc.php to block remote access.
    Change all passwords (WordPress/cPanel/WHM/FTP etc.)
    Install and configure a security plugin, i.e. iThemes (needs proper configuration not just default).

    Scan your site front end using things like https://sitecheck.sucuri.net/. Look around, there are others. This won't fix anything but will start to give you some info as to the malware.

    Install internal (backend) malware scanning plugins temporarily like Wordfence (will scan/fix system files for corruption/malware).
    Sucuri also have a plugin.
    Anti-Malware by ELI is a malware scanner that can identify known malware by their signatures.

    Run all the above, fix issues.

    Re-run everything again including front end sites.

    This should fix your WordPress related issues. If you have other or custom files/code then you may also need to check and fix those separately.

    This is often a manual trawl through the files.

    Use a search application like php-grep.php to find the malware files or signatures (that may have been identified from scans or from Googling your symptoms/errors/malware activities etc.)

    If you have backups you could install a backup to a new location and run scans etc. on the backup. You may even find a clean backup.

    Moving hosts will not fix your malware issue. In fact if you move an infected site from one host that has already blocked your account, the new host might be well peeved when they have to block you for the same reason.

    Redirects and spam.

    Check htaccess files for redirects but could also be new files created by the malware. Also index.html or index.php files should all be checked as these are common ones to initially infect.

    Look for "base64". Not a malware in itself but is used to hide code. So if it is followed by a long string of hexadecimal characters, copy and paste them into an online base64 decoder, i.e. https://www.base64decode.org/ (or Google, there are loads of them).

    Look for unknown URLs (adult sites?) or file names. Find those files and check them for URLs.

    It's not easy and it's not quick and you will need to keep going round and round until all is fixed.

    This is why they can charge large or monthly fees. You just need to think of it as a business expense at this point and decide what you will lose by not having your site up and what you are prepared to do or pay to get it back.

    Good luck. Been there once before and learned all this the hard way.
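
An added example, not written by any poster in this thread: a small Python scanner for the manual checks described above (redirect rules in .htaccess files, base64-hidden PHP, and random-looking script names such as vbhdj48sk.php). The patterns, the reason strings and the sample tree built in `demo()` are constructed assumptions for illustration.

```python
import base64, os, re, tempfile
from pathlib import Path

# Heuristic patterns: assumptions for illustration, not a complete signature set.
RULES = {
    ".htaccess": [
        ("rewrite keyed on user agent", re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)),
        ("redirect to external URL", re.compile(r"^\s*(RewriteRule|Redirect)\b.*https?://", re.I | re.M)),
    ],
    ".php": [
        ("eval of decoded data", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I)),
        ("long base64 literal", re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{80,}", re.I)),
    ],
}
RANDOM_STEM = re.compile(r"^(?=.*\d)[b-df-hj-np-tv-z0-9]{8,}$")  # digits, no vowels: vbhdj48sk

def scan_tree(root):
    """Walk a live docroot or an unpacked backup; return sorted (path, reason) pairs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = Path(folder, name)
            kind = ".htaccess" if name == ".htaccess" else path.suffix.lower()
            if kind not in RULES:
                continue
            rel = path.relative_to(root).as_posix()
            if kind == ".php" and RANDOM_STEM.match(path.stem.lower()):
                findings.append((rel, "random-looking file name"))
            text = path.read_text(errors="replace")
            findings += [(rel, why) for why, rx in RULES[kind] if rx.search(text)]
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not the poster's site) and scan it."""
    blob = base64.b64encode(b"echo 'constructed sample, not real malware';" * 3).decode()
    samples = {
        ".htaccess": "RewriteCond %{HTTP_USER_AGENT} android [NC]\nRewriteRule ^ http://x.example.invalid/ [L,R]\n",
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/uploads/vbhdj48sk.php": f"<?php eval(base64_decode('{blob}'));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `scan_tree` at a backup unpacked into a separate directory is one way to vet it before restoring; hits are leads for manual review, not proof of infection.
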
    • Originally Posted by Tony Marriott View Post

      How much money does your ecom site make?

      You don't have to answer, just consider.

      If it is a lot then simply pay someone to fix your site.
      You will need a specialist.

      Also don't think that a single fix will always be the end. Missing one bit of malware code can have the whole thing in trouble again pretty swiftly. Some codes will simply replicate themselves into multiple files so if you don't get them all they just re-replicate.

      If your website doesn't make much then maybe you can "learn" what is needed to be done. There are plenty of tutorials on removing malware from websites.

      Been there once before and learned all this the hard way.
      I certainly agree with this sentiment. If your website is making money, then pay an expert to fix it. If it's not making money, then use this opportunity as a learning curve to prevent these problems from arising in future.

      Just move to a new hosting service and transfer the content from your hacked website to your new hosting. This way if your website is making money, then you can continue to grow your online income while you repair your hacked website.
      • Tony Marriott
        Originally Posted by Internet Trillionaire View Post

        I certainly agree with this sentiment. If your website is making money, then pay an expert to fix it. If it's not making money, then use this opportunity as a learning curve to prevent these problems from arising in future.

        Just move to a new hosting service and transfer the content from your hacked website to your new hosting. This way if your website is making money, then you can continue to grow your online income while you repair your hacked website.
        You can't just move a hacked site from one hosting to another. It will still be a hacked site. Whatever you do you need to clean up your site.
  • asim recro
    Put the SSL and website security. If you want I will do it for you.
  • ThomasMeyers
    Chas,
    The dreaded Sitelock circle. I don't even need to ask where you hosted it, I know it's hostgator. Same thing happened to me. What set me off was hostgator's total lack of caring. They just pointed me to sitelock where they tried to sell you something. It's maddening if nothing else. Me with hostgator support- "Why do I need to buy sitelock because your security blows? Why don't you buy SiteLock for hostgator.com so your customers don't have to?"
    Reach out, I'll help you out. Tom
    Signature

    Welcome, I hope what I posted up there helped you. Good to chat with warrior legends, rising stars and forum newbies. Tom

  • Natalie Piper
    You can ask for help from experts. They will help you to recover from the hacking and also guide you to improve your website security.
  • schwartz
    this plugin is great for this https://www.wordfence.com/