My websites got hacked

19 replies
  • WEB DESIGN
  • |
HostGator account got hacked and they planted a bunch of malicious folders and files in my various domain folders. Now, there are some folders I'm not sure if I should delete or not.

I have a few questions. What kinds of files do I have to be worried about? Will they plant software that will allow them access back into my account, even if I change the password? Do you think they deleted any of my files?

I have backed up my site using a BackUp WordPress plugin. Will that be enough to restore my entire site, if I delete the entire thing?

It seems now, if you are hacked, they are referring you to their SiteLock website security service. They want like $70 a month to protect my website. I can't afford that. This almost seems like a ploy by HostGator to get you to sign up for their security service.

I just paid $15 to have my account restored from a week ago. Many of the spam files are gone but I'm sure they are going to re-appear. Can anyone offer me some advice on what to do?
#hacked #websites
  • Profile picture of the author AnniePot
    You do not say if you have any security programs in place with your Wordpress installations.

    Install WordFence Security on each of them and run a scan. This YouTube video will guide you on the best settings:
    {{ DiscussionBoard.errors[10558851].message }}
  • Profile picture of the author David V
    AnniePot is right, you need a good security plugin.
    It's not a magical solution, but absolutely needed.

    No plugin will clean up the mess though, it's more of an after the fact solution to tighten security.
    You said you have a backup, are you 100% positive it's a clean backup?
    You'll want to do a clean re-install, check your theme files, and restore your database. (If your sure it's clean).

    Put security protocols in place like the security plugin. I prefer iThemes Security, but their both good plugins.
    The security plugin should also help you set the right permissions on folders and files as well as tighten security throughout the site for various small settings and tweaks.

    Of course if your not sure your database or files are clean, adding security after the fact will be messy.
    Scans can catch many things, but not everything.
    You should review the log files (Almost every host has them) and it may help determine an entry point or exploit.
    XSS is super common, that's why it's important everything is kept updated. You wouldn't want the exploited area to still exist in the re-install.
    Security holes are being discovered and corrected all the time so updating is essential. (WP, plugins, themes)

    You mentioned your HostGator account got hacked. Was it actually the account or the website...
    If it's actually your HG account, that's a little different. It doesn't dismiss anything that's been said, but someone getting into your actual account is certainly a high priority concern... Really tighten those passwords.
    If you can remember a password... it's not a good password. Use random, mixed, and long. No rhythm, rhyme or readability.
    That's just my personal preference on passwords


    Here's a really quick procedure overview/list:

    1. Remove all the content from the root folder for your install. You could put up a maintenance page temporarily. (Make sure you have backups)
    (Helps ensure all hacked/malicious assets have been removed)

    2. Examine the log files to help determine how/when the site was compromised.

    3. Analyze your database for exploits.
    (This will require knowledge, so a professional could be useful here)

    3. Download a fresh copy of WordPress. Download a fresh copy of all plugins including your premium ones. Change your wp-config.php salts.
    (We need to make sure all the hard assets are clean)

    4. Re-install WordPress. No need to go through all the settings since you'll be taking your recently scanned and clean database backup and migrating it to the site.
    (This will re-install your current website database and all past settings will be there)

    5. As a precaution, run the WordPress database upgrade.
    (Point your browser to http://yourwebsite.com/wp-admin/upgrade.php)

    6. Login, verify there are no extra "users" in there. Change all passwords for all users including yours. You should also change all passwords for everything related to the site. Cpanel, mail, etc...

    7. Install and setup a good security plugin. Do a security scan of the site. There are many sites that do this (Securi is good).
    Most security plugins should have this built in as well.

    8. Check to see if your site is on any blacklists. Login to Google webmaster and see if you have any site warnings.
    This is only a quick overview, there are many little steps within these steps that need to be done. Likely the toughest part is ensuring your database is clean. The hard assets are quite easy to replace/upgrade.

    I personally would do all of this in a staging area, not the live site. Once your satisfied things are clean, push to the live site and lock it down with security.
    Signature
    "David has managed the digital side of my retail business for over 8 yrs
    and I can't imagine working with anyone else. ~ Carrie Silva | TheDoghouseLLC
    "
    {{ DiscussionBoard.errors[10559233].message }}
    • Profile picture of the author iconoclast
      Originally Posted by David V View Post

      AnniePot is right, you need a good security plugin.
      It's not a magical solution, but absolutely needed.

      No plugin will clean up the mess though, it's more of an after the fact solution to tighten security.
      You said you have a backup, are you 100% positive it's a clean backup?
      You'll want to do a clean re-install, check your theme files, and restore your database. (If your sure it's clean).

      Put security protocols in place like the security plugin. I prefer iThemes Security, but their both good plugins.
      The security plugin should also help you set the right permissions on folders and files as well as tighten security throughout the site for various small settings and tweaks.

      Of course if your not sure your database or files are clean, adding security after the fact will be messy.
      Scans can catch many things, but not everything.
      You should review the log files (Almost every host has them) and it may help determine an entry point or exploit.
      XSS is super common, that's why it's important everything is kept updated. You wouldn't want the exploited area to still exist in the re-install.
      Security holes are being discovered and corrected all the time so updating is essential. (WP, plugins, themes)

      You mentioned your HostGator account got hacked. Was it actually the account or the website...
      If it's actually your HG account, that's a little different. It doesn't dismiss anything that's been said, but someone getting into your actual account is certainly a high priority concern... Really tighten those passwords.
      If you can remember a password... it's not a good password. Use random, mixed, and long. No rhythm, rhyme or readability.
      That's just my personal preference on passwords


      Here's a really quick procedure overview/list:

      1. Remove all the content from the root folder for your install. You could put up a maintenance page temporarily. (Make sure you have backups)
      (Helps ensure all hacked/malicious assets have been removed)

      2. Examine the log files to help determine how/when the site was compromised.

      3. Analyze your database for exploits.
      (This will require knowledge, so a professional could be useful here)

      3. Download a fresh copy of WordPress. Download a fresh copy of all plugins including your premium ones. Change your wp-config.php salts.
      (We need to make sure all the hard assets are clean)

      4. Re-install WordPress. No need to go through all the settings since you'll be taking your recently scanned and clean database backup and migrating it to the site.
      (This will re-install your current website database and all past settings will be there)

      5. As a precaution, run the WordPress database upgrade.
      (Point your browser to http://yourwebsite.com/wp-admin/upgrade.php)

      6. Login, verify there are no extra "users" in there. Change all passwords for all users including yours. You should also change all passwords for everything related to the site. Cpanel, mail, etc...

      7. Install and setup a good security plugin. Do a security scan of the site. There are many sites that do this (Securi is good).
      Most security plugins should have this built in as well.

      8. Check to see if your site is on any blacklists. Login to Google webmaster and see if you have any site warnings.
      This is only a quick overview, there are many little steps within these steps that need to be done. Likely the toughest part is ensuring your database is clean. The hard assets are quite easy to replace/upgrade.

      I personally would do all of this in a staging area, not the live site. Once your satisfied things are clean, push to the live site and lock it down with security.
      Thank you so much for your detailed response and thanks to everyone who replied. I have a few more questions, if you don't mind. I'm assuming it was my Cpanel account that got hacked. I had my main domain myname.com and then I had four add on domains under that same account. They added malicious files to three of the domain folders. I don't even use myname.com for anything but I did have Wordpress installed on it because I was testing out some new themes and stuff. Do you think that is what made my site more vulnerable? Is it through WordPress that they are able to access my Cpanel?

      The last time I backed up my site was on Feb. 1st. This problem showed up around Feb. 18th. Do you think my back up is clean? How can I check the database on my back up file? I also tried to check my logs in my hosting account, as you suggested, but I couldn't find where to do that.

      If I clean out my root folder, like you suggest and re-install from my backup. Will everything return to the website, including my pictures? Can I just install the back up over the existing files? I've never restored a site before. Hopefully, I can restore the site and then install the security plugin. Thanks again.
      Thank you. This is really frustrating.
      {{ DiscussionBoard.errors[10559494].message }}
      • Profile picture of the author David V
        Originally Posted by iconoclast View Post

        Thank you so much for your detailed response and thanks to everyone who replied. I have a few more questions, if you don't mind. I'm assuming it was my Cpanel account that got hacked. I had my main domain e.g. myname.com and then I had four add on domains under that same account. They added malicious files to three of the domain folders. I don't even use myname.com for anything but I did have Wordpress installed on it because I was testing out some new themes and stuff. Do you think that is what made my site more vulnerable? Is it through WordPress that they are able to access my Cpanel?

        The last time I backed up my site was on Feb. 1st. This problem showed up around Feb. 18th. Do you think my back up is clean? How can I check the database on my back up file? I also tried to check my logs in my hosting account, as you suggested but I couldn't find where to do that.

        Thank you. This is really frustrating.
        If you are using addon domains, than the actual files all sit on the same server. (So if you FTP in you'll see them all).
        Maybe they got into cpanel, maybe not. Only the logs will really reveal where this began.

        They can't get into cpanel through WordPress. It seems unlikely anyway. Cpanel has way to much "fun" stuff for them than going into the "file manager" to play with your installs. Email, redirects, and all kinds of goodies would likely be compromised if it was cpanel.

        Because they hacked your addon domains doesn't even really mean they accessed the root. Maybe they did, maybe not.
        Files can be uploaded, added, without direct access.

        I'd say any site that's not locked down is vulnerable, testing or not.
        If you want to do testing (good idea), using a staging area. Lock this down to the public. So you have to login, than login again to the WP admin.
        Not only will this prevent the public from seeing your testing, it will prevent search engines from listing your half finished designs and posts.

        It would be pure speculation about how they got in.
        The logs, the logs...... reveal the truth.

        Even though your backups are a few weeks prior, you should still scrutinize them. An exploit could still be sitting in the backup. It could be as simple as an outdated plugin with a XSS vulnerability, or something more complex.

        A lot of hacks are not always some "person" sitting behind a computer on your site. There are some clever bots and apps that scan for sites with exploits. They make a list, than give you a visit.

        The real work will be cleaning up your databases. The hard assets and files will be easy to update/replace.
        View the logs or you'll never really know the "how".

        It's coincidentally funny.... well...not really funny... but someone tried hacking me this morning.
        Security pays off... they were auto banned, blacklisted, and on my hack list within 20 seconds.
        Signature
        "David has managed the digital side of my retail business for over 8 yrs
        and I can't imagine working with anyone else. ~ Carrie Silva | TheDoghouseLLC
        "
        {{ DiscussionBoard.errors[10559512].message }}
  • Profile picture of the author iconoclast
    Can you tell me where I can read the logs, please? I'm not sure what I'm looking for. If I decide I need to restore my site, do I need to delete the current database from my host server, first?
    {{ DiscussionBoard.errors[10559594].message }}
    • Profile picture of the author David V
      Originally Posted by iconoclast View Post

      Can you tell me where I can read the logs, please? I'm not sure what I'm looking for. If I decide I need to restore my site, do I need to delete the current database from my host server, first?
      I believe if your in cpanel, you may see "raw access logs" under metrics. I usually view my logs by accessing the server and not cpanel, but you should find something like that in cpanel.
      I don't use hostgator, so it could be slightly different.
      There are other logs there as well. I'd dig around the date you think this happened.

      As a matter of fact... Hostgator how to.

      For the database. No. To be on the safe side, leave it for the moment.
      Create a new database (and user), install WP.
      Now you can migrate/import your database into the clean install.
      You'll need to change the new database details in the wp-config.php file.

      There are several ways to import/migrate the database in. You may or may not need to drop all the tables first. It depends on how you do it.

      For the old database, just delete it after you've re-installed your site to your satisfaction.
      Deleting it first may result in a "oh sh*t" moment. I like to always have 2 redundant backups for everything. Sometimes things fail to export, import, etc...
      Signature
      "David has managed the digital side of my retail business for over 8 yrs
      and I can't imagine working with anyone else. ~ Carrie Silva | TheDoghouseLLC
      "
      {{ DiscussionBoard.errors[10559682].message }}
  • Profile picture of the author iconoclast
    I found the raw access logs but they are saved a .gz file and I have to find a program to extract it. Can you suggest a good place where I can get help with this issue? SitLock is Hostgators site security company and they want 300$ to clean one website and $80 a month to protect it. Can you recommend a good place where I can get some professional help with this. I think some of this is over my head. I have no experience with building databases and I don't want to muck it up.

    Also, my main domain name doesn't have wordpress installed on it so I can't install a security plugin. How should I go about protecting it?

    I think I may just switch my hosting over to A2 hosting and see if they'll re-install my backup files for me as part of their free site migration offer. I found an old backup file from 2013. Surely that one is not infected but I'll have to make some updates. Do all hosting companies get hacked just the same or are some more vulnerable?

    I also noticed that anonymous FTP was enabled and there were a couple anonymous FTP accounts in my Cpanel. I'm not sure if this is something the hacker did or not but I disabled them.

    What all is restored in a backup file? Will all of my plugins and themes be in there as well? Sorry for all of the questions. Thank you.
    {{ DiscussionBoard.errors[10560516].message }}
    • Profile picture of the author Ralph83
      I use 7-Zip to extract .gz files (it's free, popular and great): 7-Zip Please note: .tar.gz files have to be extracted twice.

      Great idea to disable anonymous FTP accounts.

      Usually you should be able to extract backup files, so you can take a look and see which files (plugins, themes etc) they contain.

      Some hosting companies are definitely better than others... you get what you pay for. Plus, the big, popular companies are also bigger targets.

      A good hosting company should be able to give you good advice + help you with security issues.

      Unfortunately I don't know enough about your specific setup, to give you solid advice on protecting your main domain. But I feel this is also something your hosting company should help you with or at least provide you with some solid advice.

      Good luck!
      {{ DiscussionBoard.errors[10560733].message }}
      • Profile picture of the author professorrosado
        If you need "live" help, I am available to look at your situation and resolve this (or suggest options). Any one with similar issues, especially WP sites welcomed to PM me for assistance.
        {{ DiscussionBoard.errors[10560871].message }}
      • Profile picture of the author iconoclast
        Originally Posted by Ralph83 View Post

        I use 7-Zip to extract .gz files (it's free, popular and great): 7-Zip Please note: .tar.gz files have to be extracted twice.

        Great idea to disable anonymous FTP accounts.

        Usually you should be able to extract backup files, so you can take a look and see which files (plugins, themes etc) they contain.

        Some hosting companies are definitely better than others... you get what you pay for. Plus, the big, popular companies are also bigger targets.

        A good hosting company should be able to give you good advice + help you with security issues.

        Unfortunately I don't know enough about your specific setup, to give you solid advice on protecting your main domain. But I feel this is also something your hosting company should help you with or at least provide you with some solid advice.

        Good luck!
        Thanks for the tip. I tried extracted the access log with 7zip but it left it in a Msdos file type and I still can't read it. Maybe that's what you meant by extract it twice but I don't know how to extract it further.
        {{ DiscussionBoard.errors[10560872].message }}
  • Profile picture of the author iconoclast
    A couple of weeks before my website was hacked, I noticed I was getting a LOT of spam comments on some of my posts. Most of them seemed to be coming from Facebook profiles. I don't know if that those comments had anything to do with my site being hacked or not.

    Since then I've moved to a new server and rebuilt the site. In the last few days I've been receiving strange comments via the contact form on my website. Could these comments be new attempt from the hacker to hack my new site? Here is what the comments look like. Thanks for the help, everyone.

    From: hermesmadisonavenue <pptldxtfpq@gmail.com>
    Subject: hermesmadisonavenue

    Message Body:
    It was Esposito's third goal of the tournament not bad for a guy who got cut from the junior team the first three times he tried out.
    <a href="http://www.librafluid.com/wp-includes/css/toms.php?p=167" >hermesmadisonavenue</a> hermesmadisonavenue

    And the other one.

    From: suedehandbags <uaxwfxb@gmail.com>
    Subject: suedehandbags

    Message Body:
    Jordan Morris is about halfway to a Stanford University diploma. He is much further along graduating from American soccer prospect to bonafide national team player. supporters. And those who knew of him were aware only of his place on the under 23 squad attempting to qualify for the 2016 Olympic Games.
    <a href="http://www.chambersouth.com/wp-content/reports/do.php?p=27" >suedehandbags</a> suedehandbags
    {{ DiscussionBoard.errors[10592753].message }}
    • Profile picture of the author professorrosado
      Try an invisible captcha that will catch software spammers.
      WP has a few plugins for this and for contact forms with the feature.

      These are spammers and not your hackers.

      But what are you doing to monitor hacking attempts?
      {{ DiscussionBoard.errors[10592814].message }}
      • Profile picture of the author iconoclast
        Originally Posted by professorrosado View Post

        Try an invisible captcha that will catch software spammers.
        WP has a few plugins for this and for contact forms with the feature.

        These are spammers and not your hackers.

        But what are you doing to monitor hacking attempts?
        I have installed a security plugin with produces captcha on post comments and my WP login but I guess it doesn't affect the contact form. I have followed some precautions to prevent another hacker attempt but nothing to monitor hacking attempts. What would you suggest, Professor?

        What good does it do someone to spam my contact form when I am the only person who will see that? Thank you.
        {{ DiscussionBoard.errors[10595221].message }}
        • Profile picture of the author professorrosado
          Originally Posted by iconoclast View Post

          I have followed some precautions to prevent another hacker attempt but nothing to monitor hacking attempts. What would you suggest, Professor?
          I believe some plugins have been listed previously:
          Wordfence Security includes a live monitoring feature you can monitor traffic live on your site and see who is trying to hack into your site real-time. It also will record 404s and the like for up to 30 days. You can block attempts from this interface directly.

          There are a few others that feature live logging, notifications on 404s, lockout login.php access immediately, and more things like that - the more the merrier.

          For your forms issue, I suggest using a widget from an email autoresponder service which allows you to create forms and have them on your site. GetResponse has a forms feature and the good thing is that you get an email for your list while keeping that access point (via discovered vulnerabilities) away from your site - and it kills spam if you set it up right.

          Malware Scanner: GOTMLS

          BTW - there is a vulnerability via your forms plugin. Watch your forms and newsletter plugins > hackers find them easy points of entry. If anyone has them on their site and you're not LIVE Monitoring, then its just a matter of time.
          {{ DiscussionBoard.errors[10615484].message }}
  • Profile picture of the author waynmeyer
    Hey, sorry to hear you got hacked. However i feel the root of the cause is not having a strong enough password or giving your credentials away to people you should not trust.

    None the less, i would start with inspecting your database thoroughly as folders and file are not the only concern when getting hacked.

    Use mysql in your host manager to inspect your tables for non relevant values.
    Signature
    Build Your Online Business With Me From Scratch!!
    Join waynemeyer.org to experience professional level support

    Learn how i rake in over $600 000 p/m PROFIT with ecommerce websites, directory websites, affiliate websites, blogs, business websites, membership websites and Social networks.
    {{ DiscussionBoard.errors[10596400].message }}
  • Profile picture of the author marks2424
    I hate to say it but this is why I don't use wordpress. I use a different web editor so that means My site is on my computer and I load it onto the hosting companies server. If somehow someone gets into my hosting companies account and messes up a site all I need to do is delete the site change my password and re install my site back onto the hosting companies server. It would take less then 5 minutes to do this.
    {{ DiscussionBoard.errors[10607206].message }}
    • Originally Posted by iconoclast View Post

      I have installed a security plugin with produces captcha on post comments and my WP login but I guess it doesn't affect the contact form. I have followed some precautions to prevent another hacker attempt but nothing to monitor hacking attempts. What would you suggest, Professor?

      What good does it do someone to spam my contact form when I am the only person who will see that? Thank you.

      Looks like you needed a hosting with Malware Scan and Script Update for WordPress. Do not fall for anything HostGator says if you still have any site with them, in many cases, the malicious files could be removed with a 5 minute malware scan and core file update.

      Do you have any security for the contact form? Security can be implemented through captcha and PHP sessions. This will prevent automated contact form submissions.
      Signature
      [ Pure SSD ][ Shared, Reseller, Dedicated Server Hosting ] - [ MECHANICWEB.COM ]
      [ LiteSpeed | CloudLinux | MariaDB | cPanel | Malware Scan | Softaculous | SpamExperts ]
      {{ DiscussionBoard.errors[10607262].message }}
      • Profile picture of the author iconoclast
        Originally Posted by MechanicWeb+shoss View Post

        Looks like you needed a hosting with Malware Scan and Script Update for WordPress. Do not fall for anything HostGator says if you still have any site with them, in many cases, the malicious files could be removed with a 5 minute malware scan and core file update.

        Do you have any security for the contact form? Security can be implemented through captcha and PHP sessions. This will prevent automated contact form submissions.
        Do you suggest a tool to use for a malware scan? I don't have any security on my contact form. I use contact form 7. Can contact form submissions be a point that hackers use to infiltrate my site? Thanks for the help.
        {{ DiscussionBoard.errors[10608353].message }}
        • Originally Posted by iconoclast View Post

          Do you suggest a tool to use for a malware scan? I don't have any security on my contact form. I use contact form 7.
          No tool for malware scan. Because in my experience, most of the times clients come from HG/Arvixe with a few infected files which can easily be fixed with a malware scan. Tools will be costly and seems unnecessary at this point.

          You should use a hosting that includes daily malware scan + script updates for your WordPress site. I think this will fix your issue once and for all.

          >Can contact form submissions be a point that hackers use to infiltrate my site?

          It can be if there's enough exploit. For Contact Form 7, you may use reCaptcha for Contact Form 7.
          Signature
          [ Pure SSD ][ Shared, Reseller, Dedicated Server Hosting ] - [ MECHANICWEB.COM ]
          [ LiteSpeed | CloudLinux | MariaDB | cPanel | Malware Scan | Softaculous | SpamExperts ]
          {{ DiscussionBoard.errors[10608558].message }}

Trending Topics