AAAAHH! I've been hacked! What should I do now?

22 replies
Hi Warriors!

I just realised my website has been hacked. www. Instantprofitpeople.com] hacked By D'Jawa[

What is the best course of action to take now? Should I report it anywhere? Do I just go in to cPanel and install my backup? How do I prevent this from happening again?!

Thanking you all in advance!

Nick!

I had to edit this post to break up the url.
  • Steve Fleming
    You can report it to your host... it most likely won't do much and
    they will no doubt blame you.

    Good on you for having a backup... so many people forget that

    Change all the passwords http://strongpasswordgenerator.com/
    Make them hard and write them down in an excel spreadsheet.
    Reinstall
    Add some security plugins (eg: Better WP Security etc)
    Keep the site updated all the time

    I'm sure there's more but that's all I can come up with off
    the top of my head.

    Sorry about the hacking mate...that sucks big time!

    Steve
  • RichBeck
    Nick,

    Report it to your web hosting provider....

    Many of these "hacking" events are due to using FTP...... Which you should never use..... It sends the passwords in clear text... So, it does not matter how "strong" the password is.... The hacker can see it...... If you must, use one of the secure FTPs....

    Go in and delete all your ftp accounts.... Then, restore the backup.... Double check you have no active ftp accounts...

    That is a start....

    I hope you can return to business as usual soon.

    Take Care,

    Rich Beck BCIP, MCSD, MCIS
    • Nick Lawless
      Originally Posted by RichBeck View Post

      Nick,

      Report it to your web hosting provider....

      Many of these "hacking" events are due to using FTP...... Which you should never use..... It sends the passwords in clear text... So, it does not matter how "strong" the password is.... The hacker can see it...... If you must, use one of the secure FTPs....

      Go in and delete all your ftp accounts.... Then, restore the backup.... Double check you have no active ftp accounts...

      That is a start....

      I hope you can return to business as usual soon.

      Take Care,

      Rich Beck
      Thanks Rich.

      I'm still kinda new so when u say ftp account do u mean like filezilla? That's the one I use at the moment. What is a secure ftp?

      Thanks. Nick
      • RichBeck
        Originally Posted by Nick Lawless View Post

        Thanks Rich.

        I'm still kinda new so when u say ftp account do u mean like filezilla? That's the one I use at the moment. What is a secure ftp?

        Thanks. Nick
        Nick,

        You are welcome, my friend.

        Yes..... Using FTP like filezilla is not secure....

        Your user name and password are seen in plain text... Sent through various servers on the Internet... It is very easy for hackers to see....

        From Wikipedia:

        FTP is not able to encrypt its traffic; all transmissions are in clear text, and usernames, passwords, commands and data can be easily read by anyone able to perform packet sniffing on the network.
        Secure FTP is FTP over a secured connection; it is commonly called SFTP or FTPS. Please see this for more information.

        If your current FTP program doesn't support Secure FTP, search on Download.com to see what is available for your operating system.

        God Bless,

        Rich Beck BCIP, MCSD, MCIS
    • Jensha
      Originally Posted by RichBeck View Post

      Nick,

      Report it to your web hosting provider....

      Many of these "hacking" events are due to using FTP...... Which you should never use..... It sends the passwords in clear text... So, it does not matter how "strong" the password is.... The hacker can see it...... If you must, use one of the secure FTPs....

      Go in and delete all your ftp accounts.... Then, restore the backup.... Double check you have no active ftp accounts...

      That is a start....

      I hope you can return to business as usual soon.

      Take Care,

      Rich Beck
      If we're not supposed to use FTP how can we upload the files we want to upload in our websites?
      • RichBeck
        Originally Posted by Jensha View Post

        If we're not supposed to use FTP how can we upload the files we want to upload in our websites?
        Jensha,

        I would find an FTP program that supports Secure FTP. Download.com is a great place to start.


        God Bless,

        Rich Beck BCIP, MCSD, MCIS
  • professorrosado
    Try to assess the method the hacker used to get into your site: WP-admin, FTP, Mysql, etc. Address the issue.

    Look into your error logs for attempts to access your files - note IP addresses.
    Add extra security based on your findings.

    See if host can help you out on this. Host should be able to firewall your sites and add more security.

    WP Sentinel has been recommended as a good measure.
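
Added example, not part of the thread: one way to do the log check suggested above, counting per client IP the requests that touch sensitive WordPress paths. It assumes an Apache combined-format access log on stdin; the function names, reason labels and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP summary of requests to sensitive WordPress paths.
# Input: Apache "combined" access log on stdin (assumed format).

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Feb/2013:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2013:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2013:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2013:14:02:10 +0000] "GET /wp-config.php HTTP/1.1" 403 210 "-" "curl/7.29"
198.51.100.23 - - [10/Feb/2013:14:02:44 +0000] "POST /wp-content/uploads/2013/02/x.php HTTP/1.1" 200 15 "-" "curl/7.29"
192.0.2.10 - - [10/Feb/2013:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Prints "count ip reason", highest count first.
suspicious_ips() {
    awk '
    {
        ip = $1; method = $6; path = $7; status = $9
        sub(/^"/, "", method)                 # field 6 is "METHOD with a leading quote
        reason = ""
        if (path ~ /wp-config\.php/) reason = "wp-config-probe"
        else if (path ~ /\/wp-content\/uploads\/.*\.php/) reason = "uploads-php-" status
        else if (method == "POST" && path ~ /\/(wp-login|xmlrpc)\.php/) reason = "login-post"
        if (reason != "") count[ip " " reason]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Demo run on the constructed sample; replace with: suspicious_ips < access_log
sample_log | suspicious_ips
```

A PHP file under uploads answered with status 200 means the script exists and was executed, so that file is the first thing to inspect; login-post counts include the owner's own logins.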
  • Kingfish85
    1. contact your web host.

    2. try to track down what was exploited. Wordpress - 99% probable plugin exploit.

    3. Restore from a backup.

    Your web host may/may not have backups. It's always a good practice to keep your own backups in the event your web host does not. If you cannot do any of the above, I'd recommend getting in touch with a security professional.

    Remember - don't start throwing "security" plugins at your site, and in most cases they aren't as secure as you think they are.
  • Jensha
    My god!
    I checked his website and it's completely hacked.
    And the name at the tab really shows hacked by d'jawa!
    So that's why I see lots of offers for secured FTP because they're usually the cause of hackers being able to hack our websites!
    That's a creepy hacker, I mean he just ruined the site and that's it?
    What for?
    Hoping to get infamous for doing that?
  • SDStudio
    Nick,

    Once you get your website back, make sure that you check all the files in the directory of your site. That being said, a lot of times hackers leave a file trace when they are hacking... this means they leave some type of file that they store on your server/site, and they are able to return to your site again.

    I went to your site and it had a redirect login so you cannot log in to the admin panel. There is some type of PHP file on your server and I'm sure it is preventing you from getting into your admin file. I've seen this before where the hacker added a PHP file in the main directory so you cannot get into the back end of your site. I've had to help one of my friends with their WP site after they talked with their host provider, and we followed the steps below and have never been hacked since.

    I suggest you contact your host provider and let them know someone has taken over your site. I'm sure they can revert your site back to normal, but you need to let them know that it has been hacked and you cannot log in to your admin site, and that it seems to be redirecting back to the admin login and there is nothing there. Once they have gotten your site back you have so much time to make changes to your WordPress.

    FileZilla is a great FTP program; I recommend that you use that program when you get your site back.

    A lot of people are forgetting the rule of thumb when setting up a WordPress site. Most of the skilled hackers will target your wp-config, as it's in an unsecure place by default.

    The wp-config file is the most important file present on your WordPress blog. It holds very sensitive information, including your database access, table prefix and Secret Key. So in order to protect your WordPress blog from getting hacked you need to harden your wp-config file.

    The way the hacker got in was through the “wp-config.php” when it was readable as plain text. From that, the hacker can get your database name, and your database username and password. This could have easily been prevented, even if the hacker could read the “wp-config” file.

    Protect it the .htaccess Way!

    Here is a simple htaccess tutorial on modifying your .htaccess to protect the wp-config.

    Here’s the .htaccess code:

    Code:
    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    Protect the WP-Config by Moving the File!

    Now one can move the wp-config to an unpredictable location and change the code in the source, but that would be a pain to do with every WordPress upgrade.

    How about creating a separate PHP file in a non-WWW accessible location and use the WP-Config to include that file. Say for example that your web include path for your server was /home/yourname/public_html/. You can actually save a file in the /home/yourname/ area and it won’t be web accessible. Meaning that even if somebody were able to read your wp-config, they wouldn’t get anything valuable.

    Step ONE!

    Create a “config.php”

    Within this config.php file, include the following:

    Code:
    <?php
    define('DB_NAME', 'your_db_name');    // The name of the database
    define('DB_USER', 'your_db_username');     // Your MySQL username
    define('DB_PASSWORD', 'your_db_pass'); // ...and password
    define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value

    // You can have multiple installations in one database if you give each a unique prefix
    $table_prefix = 'yourdbprefix_';   // Only numbers, letters, and underscores please!
    ?>

    Upload this file to a non-WWW readable location. Normally this should be the directory before “public_html” or “www”.

    Modify the WP-Config

    Then modify the “wp-config.php” file to include the file. If somebody were to somehow read the contents of my WP-Config, all they would see is this:

    Code:
    <?php
    include('/home/yourname/config.php');
    
    // Change this to localize WordPress.  A corresponding MO file for the
    // chosen language must be installed to wp-includes/languages.
    // For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
    // to enable German language support.
    define ('WPLANG', '');

    /* That's all, stop editing! Happy blogging. */
    define('ABSPATH', dirname(__FILE__).'/');
    require_once(ABSPATH.'wp-settings.php');
    ?>

    Please note that the include paths change from server to server, but hopefully you get the idea. Save your sensitive information in a non-WWW location, and have the WP-Config file read it in. This way you won’t have to change anything if you have to upgrade WordPress.

    If a person with malicious intent finds your WP-Config file and can actually read the contents, your website is exposed. This is how easy it is for a hacker to change your password (and get admin access to your blog) using phpMyAdmin.

    You can never be too careful about these things, so protect your WP-Config and make sure you have a recent database backup.

    Hope this helps and good luck!
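
Added example, not code from the post: a shell check that the wp-config.php layout described above is actually in place (no DB_* defines in the web root, an include that points outside it, and a deny rule in .htaccess). The function name and FINDING messages are assumptions; `Require all denied` is the Apache 2.4 equivalent of the post's `deny from all`.

```shell
#!/bin/sh
# Added example: audit the wp-config.php hardening described in the post.
# Prints one "FINDING:" line per problem; returns 0 when every check passes.
# Usage: audit_wp_config /home/yourname/public_html

audit_wp_config() {
    local webroot cfg ht inc bad
    webroot="${1%/}"; cfg="$webroot/wp-config.php"; ht="$webroot/.htaccess"; bad=0
    [ -f "$cfg" ] || { echo "FINDING: $cfg not found"; return 2; }

    # 1. Database credentials must not be defined in the web-root file.
    if grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DB_(NAME|USER|PASSWORD|HOST)['\"]" "$cfg"; then
        echo "FINDING: DB_* credentials are still defined in $cfg"; bad=1
    fi

    # 2. The file must include a config that lives outside the web root.
    inc=$(sed -nE "s/^[[:space:]]*(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]([^'\"]+)['\"].*/\3/p" "$cfg" | head -n 1)
    case "$inc" in
        "")           echo "FINDING: no include of an external config file"; bad=1 ;;
        "$webroot"/*) echo "FINDING: included file $inc is inside the web root"; bad=1 ;;
        /*)           [ -f "$inc" ] || { echo "FINDING: included file $inc is missing"; bad=1; } ;;
        *)            echo "FINDING: include path $inc is relative; cannot confirm it is outside the web root"; bad=1 ;;
    esac

    # 3. .htaccess must deny direct requests for wp-config.php
    #    (Apache 2.2 "deny from all" or Apache 2.4 "Require all denied").
    if [ ! -f "$ht" ] || ! awk '
        { l = tolower($0) }
        l ~ /<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblk = 1; next }
        l ~ /<\/files>/ { inblk = 0 }
        inblk && (l ~ /deny[ \t]+from[ \t]+all/ || l ~ /require[ \t]+all[ \t]+denied/) { ok = 1 }
        END { exit ok ? 0 : 1 }' "$ht"; then
        echo "FINDING: $ht has no <Files wp-config.php> deny rule"; bad=1
    fi
    return "$bad"
}

# Run the audit when a web root is given on the command line.
if [ "$#" -gt 0 ]; then audit_wp_config "$1"; fi
```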
  • CyberAlien
    Don't do anything to the website or in cPanel. Email support@hostgator.com and let them know what happened. If you make any changes, it will make it significantly more difficult for their security team to figure out what happened and prevent it from happening in the future.
  • moneymakerway
    The option for you is to call your web host provider!
    Usually there is a phone number in the support section of the site.
    The good thing is that you have your backup files, so you would
    be able to restore your site after you resolve the problem with support team.

    In order to prevent similar issues in the future install WP Security
    plugin (if you have WordPress installed on your site).
  • cchipster
    MySQL injection possibly? Are you using WordPress? If so, make sure to update your databases and change your passwords.
    • so11
      Hello,

      here are the steps you should be taking :

      1. Identification (Identify what's going on, the damage, what exactly got hacked, make security scans, vulnerability scans, etc. Contact your host to see if they can give more info, etc.). Without knowing what exactly happened, we can be guessing for hours what has happened...
      2. Containment (Prevent the hack from spreading for example to the other sites if you are on shared hosting or to your machine, etc.). It is here that you may be thinking of just cleaning up the whole directory of your site...Take notes!!!
      3. Eradication (Putting your stuff back...ex. from a clean backup, or just cleaning up the files. Depending on the degree of the attack).
      4. Recovery (Making sure that your stuff is back and up and running, auditing your new configurations to make sure that everything is secure and patched)
      5. Follow-up (Taking lessons, thanking everybody for the support)

      good luck
      • Hi Nick

        There is some great advice above as you would expect.

        I personally had a very similar situation about 12 months ago and would you believe the place I found my saviour was Fiverr of all places (I stress it cost me more than the Fiverr, actually $25). Despite thinking there would be no way this guy would do something that many on Scriptlance said couldn't be done, he came up trumps in a big way. If you wish to know the guy's details just pm me and I'll dig them out for you.

        The second step I took was to try and bolt the door shut for future attacks. I ramped up the passwords and found various plugins that I have used to good effect.

        I can report so far so good with the plugins stopping a number of attempted attacks.

        I hope you get everything back as it should be soon.

        All the best
        Andy
  • Sir Dude
    You already got a lot of good advice, just make sure to also check your own system, as most of the times the infection starts or remains there. Make a full scan with your antivirus (packed with the last definitions) and also use a malware scanner (i.e. malwarebytes), after that you can recheck your system with ESET online scanner. If you want to be extra careful you can use ComboFix, just make sure to read the disclaimer and follow the instructions if you don't know it.
  • Jake Draper
    My site is wordpress and have an ssl. Can a site still be vulnerable because of wp?
    • so11
      Originally Posted by Jake Draper View Post

      My site is wordpress and have an ssl. Can a site still be vulnerable because of wp?
      Hi Jake,

      to answer your question, we need to clarify the purpose of SSL certificates...

      SSL certificate does two things:

      1. Proves the authenticity of the site. So if I visit test.com, and it has a valid certificate, it means that I'm really on that site and not a fake copy of it.
      2. SSL certificate allows us to encrypt communication between client and server, so we can safely pass information (ex.: password and user name)

      That's all, no more no less.

      So yes, your site, blog, etc. can be vulnerable!!! But not because of WP. Any website can have vulnerabilities, misconfigurations, etc. That's why it is important to be proactive in your security practices.

      good luck
  • mdan287
    Ask your hosting to restore back up and then follow this one http://www.warriorforum.com/main-int...ml#post7655796
  • LWYSIWYG
    Wordpress.org/extend/plugins/bulletproof-security/

    A MUST HAVE for WordPress users
  • Maui Joe
    1. Find a new host
    2. Install backups to new host
    3. ???
    4. Profit