What Should You Do If Your Website Gets Hacked?

by James Liberty 12 replies
What is the proper thing to do if your website gets hacked? Should you contact your hosting company? Contact the police? Both?

What's the proper protocol for this?
#main internet marketing discussion forum #hacked #security #website
Avatar of Unregistered
  • hi james
    there is not much you can do to catch the hacker.

    the most important thing is to protect your site better

    first, update it
    no metter what script you using update the script to the latest version.

    second, i whould recommend talking to a web security advisor, they know how to do it well, i did it whenn my site were hacked too

    if u want me to give you their contact pm me

    tahnks
    and good luck

    shlomi k.
    {{ DiscussionBoard.errors[153641].message }}
  • Profile picture of the author James Liberty
    Ummm... do the police really not care???

    (Translation: I want someone's head).
    {{ DiscussionBoard.errors[153690].message }}
  • Profile picture of the author Darth Executor
    It's not that they don't care, it's that there's nothing they can do about it. It's like calling an ambulance for a robbery. If you have the resources you can hire someone to track them down and sue them, but that's about it.
    {{ DiscussionBoard.errors[153693].message }}
  • Profile picture of the author AgileHosting
    The only way to get critical information about your server's security, as well as access/FTP/SSH logs, is to contact your web host.

    There are also some exploits which are not a problem with server nor script security, but rather are caused by a person's PC running a trojan. Hundreds of seemingly unrelated sites on a single server can end up exploited this way. But the only way to nail it down is to go over the access logs with a fine-toothed comb, and then figure out what all those sites have in common. This is information and detective work simply not available to you as a site owner ... you have to get it from your host.

    The only way that reporting it to local authorities really makes any difference is if the site was hacked by someone in the same state as you (if you live in the U.S.). If it was done by someone in another state or another country, that makes it a federal issue, and let's be honest, an individual's website is not going to get any attention by the feds. They have to prioritize things, and a standard inter-state or international exploit is pretty low on the totem pole.

    There are exceptions to this of course...
    • If you are a student and the site was cracked by a fellow student;
    • If the site was cracked by someone using an academic IP (any grade level);
    • If the site was cracked by a co-worker or employer, or was cracked by someone using an employer's or ex-employer's computer system;
    • If the site was cracked by a government IP;
    • If user data was exposed, including names, addresses, or financial information.

    Not an all-inclusive list, but you can see the kinds of things I'm talking about. Those all need to be followed-up on by local authorities, so a police report is essential. Be sure to get all the information available from your web host re. access logs, IPs, files accessed and modified, etc.

    But if it's the run-of-the-mill XSS or injection attack, overseas script kiddie getting cheap thrills wrecking peoples' sites, there's no point to filing police reports or anything. See if you can find the point of entry on your own within the first 12-18 hours. (Why so soon? -- because hosts with overloaded servers rotate their logs every 24 hours or less) If you can't find it, ask your host for help. Once you've nailed down the point of entry, close the hole and clean up the site.

    Hope this helps!

    Bailey
    Signature

    Guacamole.

    {{ DiscussionBoard.errors[153706].message }}
    • Profile picture of the author Eric Lorence
      Contact your host support, have them run a security scan.

      Change every password, every one.

      Be forewarned that you may have to restore your entire site through a backup.

      Do not waste your time with law enforcement. This happens all the time, there is nothing they can or will do.

      Good luck!
      {{ DiscussionBoard.errors[154020].message }}
  • Profile picture of the author AlexKaplo
    Yup immidietly contact your hosting company and explained to them what happened... I'm not a pro but I think they might be able to trace the I.P..

    It really sucks but there is so little you can do once you get hacked. That's one of the reason I run my entire business like if there was an imaginary thief, hacker, what ever you want to call it sitting right next to me. It's scary though but it keeps me safe and I sleep great at night knowing everything is secure!

    Here are some helpful tips:

    -Change all your "important" password as often as possible. (Once a month if your like me).

    -Never!, Never! Use the same password more then once!

    -Backup all your files weekly (or even daily if you can) to an external hard drive or to a computer which has NO connection to the internet.

    -Run double background checks on ANY freelancer or anyone that has once logged into your hosting company account.

    -Always make sure there are NO funny backround programs working when you type any passwords to any account. (There are some programs on the internet that actually run on the background of your computer and read everything you type on your keyboard and registers any passwords you type and instantly sends it to the user which the program is registered too).



    Yup definitly be on guard on the internet it's full of scamers and thieves ready to steal from you with the most sophisticated equipment!


    Regards,

    -Alex Kaplo
    Signature

    {{ DiscussionBoard.errors[154059].message }}
    • Profile picture of the author James Liberty
      Originally Posted by AlexKaplo View Post


      -Run double background checks on ANY freelancer or anyone that has once logged into your hosting company account.
      Hi Alex,

      How exactly do you go about this?
      {{ DiscussionBoard.errors[154783].message }}
  • Profile picture of the author AlexKaplo
    Hey there,

    This is how you do it.. Insists for all the info before you transact with the vendor, freelancer or whatever. One excellent way to double the if the person is legit and not lying is by running a background check. Ask the seller for the following:

    - Seller's full legal name
    - Seller's primary address
    - Seller's telephone number and cell phone number
    - Seller's company name
    - Seller's business license number
    - Seller's bank name and telephone number
    - A scan of fax copy of seller's identification card or driver's license
    - References from company's seller has worked with before, preferably in your country


    Mention to the seller that you will be running a background check on him and that you'll absolutely need all this information, (this alone would scare any real scammers!). You can use Intellius.com services to run background check on them.

    You can also open an account with ReadNotify.com. It costs only $3.99 per month and $29.99 per year. ReadNotify.com services will give you the ability to see the actual origin of emails you send and receive from the seller. So if the seller claims he lives in the United States or in the UK to look more legitimate when he is in a country known for fraud like Romania or Indonesia. ReadNotify will tell you exactly where the seller is located, so if he is lying you'll immediately know. Here's an example if you send an email to email@whatever.com, with ReadNotify you would use this email, email@whatever.readnotify.com, by adding .readnotify at the end of your email address and at the exact moment the seller or freelancer open's the email you will be able to see their location in the world. By the way it is impossible for seller to see the .readnotify at the end of your email address, because it is invisible so don't worry about that.

    And finally you can also
    run a Whois.netcheck on the seller's website. You'll be able to check if the seller's name and address match the internet registrar's record of the owner. It's as simple as typing the website into the search bar.

    Hope this helps you! Take Care


    Regards

    -Alex Kaplo
    Signature

    {{ DiscussionBoard.errors[155084].message }}
    • Profile picture of the author AgileHosting
      Originally Posted by AlexKaplo View Post

      Ask the seller for the following:

      - Seller's full legal name
      - Seller's primary address
      - Seller's telephone number and cell phone number
      - Seller's company name
      - Seller's business license number
      - Seller's bank name and telephone number
      - A scan of fax copy of seller's identification card or driver's license
      - References from company's seller has worked with before, preferably in your country


      Mention to the seller that you will be running a background check on him and that you'll absolutely need all this information, (this alone would scare any real scammers!).
      Yeah, and you're going to alienate 95% of the legit people too, with that list. The company's bank, personal ID, cell phone, etc. are completely off-limits to customers, I don't care if you're the Pope himself (no disrespect intended, I'm being literal here) ... you can do a decent background check without being inappropriately intrusive.

      The answer to this question is quite simple: GOOGLE. Just Google the data provided to you by the seller or consultant. For instance James, I offered to provide you with references ... that was so you could contact those third parties and quiz them freely about my work and character. You'd be able to verify they were from different parts of the country by checking their IPs, you could Google their names and come up with full histories on them too ... Then you put the pieces together and decide if this is the kind of person you want to work with, or not? It'll be pretty obvious. Go with your gut, it's rarely wrong.

      It is fine to ask for references, work history, a portfolio, qualifications and the like. Business name & address are fine. Not all businesses are required to have a "business number" - that will vary by locale. But the financial and personal information? -- forget it. :rolleyes: Ain't gonna happen. There's this thing called "propriety," and from the seller's standpoint, you're requesting information that can easily be used against them in the form of identity theft. This game goes both ways ...

      I always encourage people to research their prospective hosting companies and tech contractors, always have and always will. However it must also be remembered that at the end of the day, it still boils down to plain old-fashioned trust. Do your best to align with good people, but educate yourself adequately so you can CYA in case you make a bad pick.


      Bailey
      Signature

      Guacamole.

      {{ DiscussionBoard.errors[157310].message }}
  • Profile picture of the author tommygadget
    I do two things: 1) As stated above, I rotate passwords at uneven intervals not exceeding 30 days. 2) I make backups of my sites when I build them. If I see a problem with my statistics (I check them every day) then I simply restore the site from the backup.

    TomG.
    {{ DiscussionBoard.errors[155088].message }}
  • Profile picture of the author Talltom1
    Hey everybody. A number of quick observations here. There actually is quite a bit you can do about a hacker. I created a Word document that explicitly discusses how to determine who the hacker is, how they gained access to your site, and what they did internally. It also gives very explicit instructions step by step, regarding the technical stuff you need to do in order to prevent repeat attacks. If you'd like a copy, pm me and I'll send you a copy.

    Also, a primary way for a hacker to access your site is via your web form - that form you have somewhere on your site, which is soliciting names, emails, address info, etc. for the user to enter. What they're doing is entering SQL script into those form fields, and then submitting the form. The way to combat this is to limit the length of those form fields, such as the length of the name field is < 25, for example. The SQL hacker scripts are actually quite lengthy, and won't function with this length limitation.

    Two things, a hacker doesn't always leave behind blatant warning pages and flags and disable your access. At least weekly, I go into my site, and check all of the file dates in the root directory. If I have any recent, unexplainable new file dates, I will open up the html code for each of those files (almost always html and php files) and check the lines of code at the very bottom - that's where these SQL injection hacks place script code in your webpage without your knowledge.

    The last time I had somebody hack into my website, my analytics systems, and server logs had enough information about him that I knew his name, age, address. Unfortunately, it was on the other side of the world in a region where I didn't have any friends or acquaintances.

    Come to think of it, would anybody be interested in paying me a small fee to come in and perform a security analysis of their website for them? I was thinking in the order of $50 for a complete check. Any takers? PM me.

    Hope this helps.

    Talltom
    Signature

    {{ DiscussionBoard.errors[155343].message }}
    • Profile picture of the author AgileHosting
      Originally Posted by Talltom1 View Post

      Also, a primary way for a hacker to access your site is via your web form - that form you have somewhere on your site, which is soliciting names, emails, address info, etc. for the user to enter. What they're doing is entering SQL script into those form fields, and then submitting the form. The way to combat this is to limit the length of those form fields, such as the length of the name field is < 25, for example. The SQL hacker scripts are actually quite lengthy, and won't function with this length limitation.
      Well actually, the best way to prevent this is to simply use a secure form script right from the start. I can't think of the last time we had a site exploited via a contact form script, but then again, we don't allow exploitable scripts to be installed or run on our servers, so .............

      Bailey
      Signature

      Guacamole.

      {{ DiscussionBoard.errors[157314].message }}
Avatar of Unregistered

Trending Topics