Website hacked-Now what?

32 replies
Hi,

Woke up today to see my website was hacked. Any suggestions on what to do next? Site is only about a month old and hosted on Hostgator. Both domains on my account were hacked. Thanks in advance for your help.

Thanks-Paul
  • Sleaklight
    Change your ftp password, report the incident to hostgator, upload your back up and move on?
      • TheRichJerksNet
        Originally Posted by concorde:

        yes is the right way... do it soon
        Actually it is the wrong way... All will happen is it will just get hacked again.. You must plug the cracks closed that the hacker is using to get in..

        James
  • Kat Bartone
    What are you actually seeing?

    Sometimes they just mess with the index.html (.htm, .php) page etc and everything else is there.

    First thing is to secure it. Talk to hostgator, change your access password immediately.

    I'm no security expert, so you'll need more help than what I can offer. But if you're using WP make sure it's the latest version.

    And what are the chmod settings for your files and directories?

    Back up your database lately?

    Check your logs for suspicious activity?

    I'd begin with a fast phone call to hostgator. They can even 'turn your site off' for awhile while you figure things out.
  • jennypitts
    This happened to a friend of mine not long ago. I do suggest changing ALL passwords, backing up all the material, and of course reporting the incident to Hostgator. I have heard of MANY people's sites being hacked into at hostgator. I am not sure if they have some sort of glitch in their security.

    Also, if the hacker posted any hate or extremist messages, which is what happened to my friend, you SHOULD report it to federal authorities. The reason for this is that, because of the problems surrounding terrorism, federal authorities are constantly looking to the internet for leads. So you want to protect yourself and your business, for which you have worked extremely hard. In addition, the FTC has been trying to regulate the web better and hacking is a violation.
  • gsgoh
    I'd suggest changing ALL passwords, even your PayPal or any accounts that are of value to you, because you might not know if you have been keylogged. Then do a full system scan to check for malicious files in your system. If there are any, clear them asap. Not to create false alarms, but do change your passwords on another computer if available.

    Re-upload your website files if you have back ups. Back ups are important as you never know when something like this will happen. A tip is to backup once a week, or two if you are busy. But it should never be put off. Never.

    Then check the logs, if your server does support logging, and ban that IP from permission to access your account. Try speaking with the live support team for this.

    I'm currently studying for my Diploma In Infocomm Security Management. Looks like I've done my homework!
    • seasoned
      Originally Posted by gsgoh:

      I'd suggest changing ALL passwords, even your PayPal or any accounts that are of value to you, because you might not know if you have been keylogged. Then do a full system scan to check for malicious files in your system. If there are any, clear them asap. Not to create false alarms, but do change your passwords on another computer if available.
      Nice OBVIOUS, GENERAL, advice

      Re-upload your website files if you have back ups. Back ups are important as you never know when something like this will happen. A tip is to backup once a week, or two if you are busy. But it should never be put off. Never.
      MISSED A SPOT!!!!!! Reloading your website now might be FUTILE!

      Then check the logs if your server does support logging and ban that ip from permission to access your account. Try speaking with the live support team for this.
      WRONG! Your server SHOULD have logging! BESIDES, it is REQUIRED to do OTHER things you should have, like statistics. Banning the IP WILL NOT HELP!(Study up on IPs) What can, what WILL, the support team do for that? You should report it, as it might be a common problem, but customer support is relatively rare. Especially with only one limited breakin.

      I'm currently studying for my Diploma In Infocomm Security Management. Looks like I've done my homework!
      Must not have been much homework. Back to the books....

      irish67,

      Get the file stats of whatever was changed, if possible. Let's say the change was to index.html, and you find it changed 3/3/2010 at 8:00am. THEN you have a timeframe to look at!

      Try to scan for rootkits. There should be free software on the internet for this. I use rkhunter (see the rkhunter article on Wikipedia). It not only searches for rootkits, but for port use/availability, old/changed software, etc...

      If you are using other people's software, look for exploits and bugs in it(via google). If you wrote your own, make sure IT is tight.

      Go through your logs covering the time you got above, and earlier periods, say about an hour span. Pay SPECIAL attention to redundant parameters, odd parameters, LONG parameters, and ones that look SUSPICIOUS! IF, for example, it said like "action=update%20admin_table%20set%20PASSWORD. ..." then you know they were trying to do SQL injection.

      Go back to the exploits, and look for matching entries. If you find odd parameters, like in the last statement, and can't find an exploit, then try to google the parameter and/or app.

      Make sure ALL software/files have the tightest security they can have. chmod 777 *, for example, is a VERY bad practice! Make sure any data directories for programs, programs, and packages that you sell through them, are under cgi-bin. WHY? Because it can have HIGHER security, and most webservers can NOT access it, to read. Access is granted only to run software or through that software.

      THEN, YOU can decide if further fixes require only a minor setting change, or a full restore.

      Just THINK! If you uploaded the site again, the hacker could do WHO KNOWS what else if you don't plug the holes as best you can FIRST!

      As for ME? Well, I know about all the hacking methods, have seen people do them in logs, have studied AND setup networks, have studied for the MCSE, even though I only became an MCSD, because it was a better fit, am a programmer, worked with most databases anyone is likely to name(And SQL SERVER was one of my electives on the MCSD and I took both tests and passed with a score in the high 90%), have administered UNIX, etc....

      I won't claim this advice is perfect, but I will say you would be hardpressed to find better general advice. And I stated things that ANY good webserver security book should cover.

      Steve
  • Trivum
    I was hacked awhile ago. It was a wordpress site, and it was many years old, so it had a lot of content. I couldn't just cut bait, so I had to try to fix it. It turned out that it was a fairly sophisticated job (encoded text in random files all over the place as well as the easy to find files). It allowed them to get into my database and inject whatever they wanted even after removing obvious hack files.

    To make a long story short, I ended up going to rentacoder to get someone to help me. .... If your site is database driven, and they have compromised it and still have hacks hidden somewhere, simply changing your passwords will not help (though you will want to do that, of course).

    I would make sure it's absolutely clean before you start investing in a future with it.
    • irish67
      Quick update: I called Hostgator and they did a good job fixing most of the problems. Changed all passwords and reinstalled WP and theme. Seems to be working ok for now. Thanks to everyone that replied.

      Paul
      • Marhelper
        In a situation like this ... does the downtime on your site mean all ranking in the SERPS for individual keywords is lost?
      • TheRichJerksNet
        Originally Posted by irish67:

        Quick update: I called Hostgator and they did a good job fixing most of the problems. Changed all passwords and reinstalled WP and theme. Seems to be working ok for now. Thanks to everyone that replied.

        Paul
        Paul,
        Now you should get your WP secured, because if they did it once they will try again ... Changing passwords will not help..

        James
        • cma01
          If anyone else has a problem like this in the future, if you have Hostgator, they run a backup every Sunday. The fastest way is to have them restore the last backup.

          Then immediately change your passwords and make sure your platform and every plugin is backed up. 99% of the time, the reason someone gets hacked is because their installation isn't up to date.

          To keep your Wordpress installation secure, don't use wp_ for the database prefix, change it to something else.

          A couple of plugins to use are Wordpress Database Backup and Wordpress Security Scan.

          If you can't restore it from a backup, do a Google search on some of the symptoms you're seeing. This will give you a clue to what happened.

          Basic Wordpress Restore:

          Back up your configuration file, your images, make a note of all the plugins you used and back up your theme. Then delete the entire WP directory and upload a fresh copy. Upload your configuration file, your images and reinstall the theme and plugins.

          If you still are having problems, do the same thing again, but this time, go through the images one by one, because sometimes they get their foot in the door that way. If that doesn't work, you're going to have to go through your database to find any malicious code.
          • TheRichJerksNet
            Originally Posted by cma01:

            Just to note, this plugin provides no security at all, despite the name. The only way to make WordPress secured is to change the coding.

            Changing the db prefix without wordpress being secured means nothing, you should change your prefix but that is not going to make you secured.

            James
            • jamiedolan
              Originally Posted by TheRichJerksNet:

              Only way to make wordpress secured is to change the coding.
              Do you have a reference for this or something that could guide me towards the specific problems to look for?
              • thunderbird
                Originally Posted by jamiedolan:

                Do you have a reference for this or something that could guide me towards the specific problems to look for?
                Funny that you should ask him. TheRichJerksNot wrote an excellent reference manual on how to do this. Not sure if it has been updated for the latest version of Wordpress.
                • TheRichJerksNet
                  Originally Posted by thunderbird:

                  Funny that you should ask him. TheRichJerksNot wrote an excellent reference manual on how to do this. Not sure if it has been updated for the latest version of Wordpress.
                  Thanks.. Brandi posted it above...

                  I have not upgraded to the latest yet but I have started. WP 2.9.2 gave me some issues so taking longer than it should ... Hope to have new version out by next month...

                  James
  • CodyTemke
    Report, call your host and change your FTP PW fast!

    Good luck i hope it all works out.
    • Jeremy Morgan
      This happens a lot. To prevent it in the future:

      1. Always update any software you have. Wordpress and PhpBB are two pieces of software that are constantly hacked, and constantly updated. They are hacked often not because the software is bad or insecure, but because it's so popular. If they recommend an update do it immediately.

      2. Use weird passwords with uppercase and lowercase letters, numbers and symbols. Don't use dictionary words or anything resembling a real word. Combine numbers, letters and symbols. One thing that works well is holding down shift and typing your phone number:

      867-5309

      becomes

      *^&%#)(

      Pretty hard to guess, huh? Of course you know your number and your zip code, so it's easy, but will a hacker guess that? Here is a great password I could use:

      J3r3mY*^&%#)(L1nUx

      That would be a great password that's hard to guess, and hard to crack.

      3. Never use the same password twice. A lot of people make this mistake. If you make your hosting password the same as the one you use for email, or accounts for article submission, your password is vulnerable. Let's say a guy runs a site like ezinearticles, and he uses plaintext passwords. He could grab your account and password and try it in other places. Believe me, there are people who do this, so be careful. (No, this isn't a slam on ezinearticles, just using them as an example. There is no reason to believe they do this.)

      4. Make frequent backups. Your information and content is an asset, and should be treated as such. You lock the doors to your house and car, and don't leave important things laying around. So why would you leave your company assets unprotected? Backup often and you'll save yourself some time later.

      5. If you write your own software, learn the basics of securing it. One of the neat benefits of PHP is the fact that it's really easy to learn, and super powerful. You could spend a couple nights studying PHP and build yourself just about anything you want. But this same easy power comes at a price. Learn about the basics of secure software development.

      Do some research on things like cross-site scripting, AJAX xml vulnerability, session hacking and SQL injection. Just to name a few. If you get into good habits while programming you'll be able to stop a lot of the beginning hackers and script kiddies at least.

      I hope this helps, and good luck with your projects.
  • krispy
    If you have a recent backup, everything should be ok. Change the passwords and do some research on how to improve the security and fix the vulnerabilities, or ask someone who knows about that stuff.
  • digidoodles
    I have to give a shout out for James' product for securing your wordpress sites:

    WordPressSecured.com

    $38, it's a no-brainer.

    There's some warriors whose stuff is just good no matter what it is. James, Pat Jackson, Daniel Tan all come to mind. This product is no exception!

    Hope that helps!

    Warmly,

    Brandi
    • eco
      My wordpress site has been hacked 5 times in the last 10 days! I'm at my wits end and don't know what to try next.


      Things I have tried so far:
      - Completely deleted everything on my account including the database and reinstalled the latest WordPress version (did this twice).
      - Installed some security plugins (exploit-scanner, login lockdown, secure-wordpress and wordpress firewall).
      - I uploaded an index.html to my plugins folder to hide my plugins.
      - I scanned my computer for malware (though I use a Mac and it's less likely to be infected).
      - I changed all the passwords on my account at least twice after reinstalling WordPress, and I'm using very strong passwords.
      - I deleted the "admin" user and created a new one.
      - I changed the security keys in wp-config.php.
      - Scanned my site using Dr Web (by the way, I scanned it using Dr Web after it had been hacked and before I restored it, and it came up clean!).
      - I have had no plugins installed since the last time I reinstalled WordPress, in case they were getting in through plugins.
      - I've asked my hosting provider (Hostgator) for help and they don't seem to be able to prevent the problem.

      Could Hostgator be a problem? Can anyone suggest a good alternative host?


      I'd very much appreciate any help with this problem.
      Thanks in advance.
      • TheRichJerksNet
        Hostgator is not the problem; they have up-to-date servers which are monitored and do have several firewalls...

        With that said .. Plugins are the LAST thing I would use for security. Who is to say the plugins do not have more security issues ?????

        Uploading index.html does not hide your plugins folder, why people think it does I have no idea. It will cause people using a "browser" to see a blank page but that is all...

        Since you have a Mac your problem is wordpress (or another site you have installed on the same server). I am not talking about a site someone else has, this bull crap people say about shared servers is nothing more than bull crap. Just because Jane gets hacked, that does not give the hacker access to Jack's site.

        You need to secure wordpress and not use any stupid plugins to do it .. Brandi posted above the real solution to your problem.

        James
        • seasoned
          Originally Posted by TheRichJerksNet:

          ...
          your problem is wordpress (or another site you have installed on the same server). I am not talking about a site someone else has, this bull crap people say about shared servers is nothing more than bull crap. Just because Jane gets hacked, that does not give the hacker access to Jack's site.

          ACTUALLY, this depends on the security from the HOST! They actually have OPTIONAL patches, that are USUALLY installed ***NOW*** to fix the problem with perl and php. ALSO, MOST use OPTIONS on the http server to set the user to the one for that site. And the HTTP server is USUALLY running under a special restricted account, like NOBODY. And they may have a special restricted shell. And the main directory is USUALLY something like 700. Miss ONE point, and a user, or someone else, can at least SEE another site. Sometimes they can even MODIFY things!

          So it IS more than "bull crap".

          Steve
          • TheRichJerksNet
            He stated he was on Hostgator; this is not a problem with them, so my post is based upon him being on Hostgator...

            Hostgator has PhpSuExec installed it does not run under "nobody"

            James
  • Gary King
    Don't forget to check your computer too, not just the web server.

    Get a decent anti-malware (spyware) program, install, update and run a full scan.

    I've had the best success with Malwarebytes
    Malwarebytes.org

    Start with the free version.


    Then, get a good anti-virus program, install, update and do a full scan.

    There are several, but here's one that has been around the block:
    AVG Free (for Windows 7, Vista and XP)

    Again, don't go for the upsell initially at least, you can start (and probably stay) with the free one.

    The reason I suggest these steps too is that many forms of spyware in the wild today contain keystroke loggers. Every letter you press is captured and sent to a hacker/hackers. They can then read that collection (it's usually like a little text file) and get your usernames/passwords and use them to hack/deface your site or get your banking info, etc.

    Best of luck.
    • eco
      Thanks Gary, but I use a Mac and these programs are for PCs. Anybody know of any good Malware scanners for Mac?
      • TheRichJerksNet
        Originally Posted by eco:

        Thanks Gary, but I use a Mac and these programs are for PCs. Anybody know of any good Malware scanners for Mac?
        You already have the best anti-Virus ... You own a Mac ....

        James
        • Gary King
          Originally Posted by TheRichJerksNet:

          You already have the best anti-Virus ... You own a Mac ....

          James

          ROFL... True!
      • Gary King
        Originally Posted by eco:

        Thanks Gary, but I use a Mac and these programs are for PCs. Anybody know of any good Malware scanners for Mac?
        PC Tools makes pretty good products for the PC side; here's a Mac version of their anti-virus:

        PC Tools iAntiVirus

        There's a free version for personal use on that page.

        MacScan is another option - haven't used it, but it gets discussed in MAC forums a lot.

        Norton/Symantec (don't anyone throw anything) has a long history running on macs - you could always try a trial there.

        Hope it helps.

        Gary
  • moneytize
    You should change your password to something more secure and ALWAYS save a backup so you can quickly just swap in the old files. Good luck!
  • seasoned
    eco,

    you do NOT use a mac FOR YOUR WEBSITE! You said you use Hostgator! I'm not familiar with Hostgator, but they COULD have poor security, a buggy http server, etc...

    OH, you sound like you covered everything, but you really didn't cover much:

    Look at all the stuff I recommended that you didn't mention...

    Get the file stats of whatever was changed, if possible. Let's say the change was to index.html, and you find it changed 3/3/2010 at 8:00am. THEN you have a timeframe to look at!

    Try to scan for rootkits. There should be free software on the internet for this. I use rkhunter (see the rkhunter article on Wikipedia). It not only searches for rootkits, but for port use/availability, old/changed software, etc... (BTW I forgot to mention you MIGHT have trouble with this on a shared server)

    If you are using other people's software, look for exploits and bugs in it(via google). If you wrote your own, make sure IT is tight.

    Go through your logs covering the time you got above, and earlier periods, say about an hour span. Pay SPECIAL attention to redundant parameters, odd parameters, LONG parameters, and ones that look SUSPICIOUS! IF, for example, it said like "action=update%20admin_table%20set%20PASSWORD. ..." then you know they were trying to do SQL injection.

    Go back to the exploits, and look for matching entries. If you find odd parameters, like in the last statement, and can't find an exploit, then try to google the parameter and/or app.

    Make sure ALL software/files have the tightest security they can have. chmod 777 *, for example, is a VERY bad practice! Make sure any data directories for programs, programs, and packages that you sell through them, are under cgi-bin. WHY? Because it can have HIGHER security, and most webservers can NOT access it, to read. Access is granted only to run software or through that software.

    THEN, YOU can decide if further fixes require only a minor setting change, or a full restore.

    Just THINK! If you uploaded the site again, the hacker could do WHO KNOWS what else if you don't plug the holes as best you can FIRST!


    Thanks for playing though, you made my case. Restoring should be a LAST RESORT, NOT the first thing. Do it first thing and you:

    1. lose data.
    2. get upset visitors.
    3. NEVER find the problem.
    4. probably have the same thing ALL OVER AGAIN!

    Steve
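    A worked example of the log triage Steve lays out in this post and in his earlier reply to gsgoh: take the mtime of the defaced file, pull the hour of access-log traffic before it, and flag requests with redundant, long, odd or SQL-looking parameters. This is added example code, not from the thread. It assumes the access log is in Apache "combined" format (what cPanel-style shared hosts expose); the log lines are constructed for the demonstration, the IP addresses are documentation ranges, and the SQL signature list, the uploads-directory pattern and the 200-character "long parameter" threshold are assumptions to tune for your own application.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample log, Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2010:07:12:41 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2010:07:40:02 -0500] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2010:07:52:18 -0500] "GET /admin.php?action=update%20admin_table%20set%20PASSWORD%3D%27x%27 HTTP/1.1" 200 312 "-" "curl/7.19"
198.51.100.9 - - [03/Mar/2010:07:55:30 -0500] "GET /index.php?id=1&id=2%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "curl/7.19"
198.51.100.9 - - [03/Mar/2010:07:58:11 -0500] "POST /wp-content/uploads/theme.php HTTP/1.1" 200 44 "-" "curl/7.19"
192.0.2.55 - - [03/Mar/2010:09:30:00 -0500] "GET /index.php?id=3%27%20OR%201%3D1-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Crude SQL-injection signatures, matched against the *decoded* query so that
# %20 / %27 encoding cannot hide them. Assumption: extend for your own app.
SQL_RE = re.compile(
    r"(union\s+select|update\s+\w+\s+set|insert\s+into|drop\s+table"
    r"|\bor\s+1\s*=\s*1|select\s.+\sfrom)",
    re.IGNORECASE,
)
MAX_PARAM_LEN = 200  # "LONG parameters" threshold; assumption, tune per application


def analyse_target(target):
    """Return the reasons a request target looks suspicious (empty list if none)."""
    reasons = []
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    decoded_target = unquote_plus(target)
    decoded_query = unquote_plus(parts.query)
    params = parse_qsl(parts.query, keep_blank_values=True)

    if "../" in decoded_target:
        reasons.append("path traversal")
    if re.search(r"/uploads/.*\.php$", path, re.IGNORECASE):
        reasons.append("script in uploads directory")
    names = [name for name, _ in params]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        reasons.append("duplicate parameter(s): " + ",".join(dupes))
    for name, value in params:
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"long parameter: {name} ({len(value)} chars)")
    m = SQL_RE.search(decoded_query)
    if m:
        reasons.append("SQL keywords in query: " + m.group(0))
    return reasons


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry.pop("ts"), TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def triage(log_text, changed_at, window=timedelta(hours=1)):
    """Suspicious requests in [changed_at - window, changed_at], oldest first.

    changed_at is the mtime of the defaced file as a timezone-aware datetime
    in the same zone the log uses.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not (changed_at - window <= entry["time"] <= changed_at):
            continue
        reasons = analyse_target(entry["target"])
        if (entry["method"] == "POST" and entry["status"] == 200
                and "script in uploads directory" in reasons):
            reasons.append("POST to uploaded script (possible web shell)")
        if reasons:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "target": entry["target"], "reasons": reasons})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    # Pretend index.html was found modified at 08:00 local (-0500) on 3 Mar 2010.
    mtime = datetime(2010, 3, 3, 8, 0, tzinfo=timezone(timedelta(hours=-5)))
    for hit in triage(SAMPLE_LOG, mtime):
        print(hit["time"].strftime("%H:%M:%S"), hit["ip"], hit["target"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

    Read the output as a timeline rather than as a list of IPs to ban: the interesting thing in the sample is the sequence (an injection attempt, a second one with a duplicated `id`, then a POST to a `.php` file under `uploads/`), because that sequence tells you which parameter to look up against known exploits and which file to go and read.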
