25 Years of Programming Community Forum
Poll
Question: From what point of view are you interested in this subject?
Investigating and cleaning up a damaged site. - 6 (66.7%)
Learning about prevention. - 1 (11.1%)
Academic interest. I'm interested in the subject. - 1 (11.1%)
I'm one of the people you're all trying to protect yourselves against. - 0 (0%)
Other. - 1 (11.1%)
Total Voters: 9

Author Topic: What to do after your site is hacked, & prevention  (Read 3188 times)
SteveW
Administrator
« on: November 28, 2007, 04:06:59 AM »

This thread is for reader comments about my article "How to prevent your site from getting hacked. How to repair a damaged site. Website security precautions."

Whether
  • you are trying to repair your website after it's been damaged...
  • you are trying to make it more secure and need some guidance...
  • the article isn't as clear as it should be...
questions and comments are welcome. I get an email whenever a new message is posted in the forum, and I try to reply promptly with useful information.

When giving the address of a website that contains malware or is currently flagged by any browser or search engine for being harmful (even if you don't believe it actually is harmful), please give it like this, using hxxp instead of http:

hxxp://website.com/page.htm

As you can see, hxxp prevents the text from turning into a hyperlink so no one can click on it by accident and end up at a malicious site. Anyone who needs to can copy and paste the text into their browser address bar, change hxxp to http, and go to the site that way.

-----

If you are doing an investigation into what happened to your website, or if your topic is likely to create many replies for other reasons, it might be better to create a separate new thread for it by clicking the New Topic button in the Website Security section of the forum.

« Last Edit: May 21, 2010, 06:48:51 PM by SteveW »
jimlongo
« Reply #1 on: January 05, 2010, 07:04:05 PM »

Hi Steve, Great resource, thank you.

I was initiating several of your recommendations in regard to php.ini and .htaccess hardening after experiencing an attack that left a couple of malicious php files on my server - files whose purpose was to fool Googlebot into seeing different content and links than the public see.  Luckily I caught it early enough through Google Webmaster Tools, but I'm now more aware of the issues that can allow this to happen.  In my case the doorway was an installation of OSCommerce that had not had all the precautions recommended for that script in place.

Anyway, a comment about the section on rewrites for .htaccess:


Code:
RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
# Allow yourself, for SMF Forum Package Manager upgrades.
# Set it to your own IP address so you are the only one who won't be blocked.
#RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$ [NC]
RewriteRule .* - [F,L]


RewriteCond %{QUERY_STRING} (\?|%3F) [NC]
RewriteRule .* - [F,L]

I couldn't get any of these to work until I remembered the line that needs to precede them:
Rewrite Engine On
SteveW
Administrator
« Reply #2 on: January 06, 2010, 06:58:57 AM »

Thank you, Jim. I've added that line to the example code in the article, to avoid confusion when someone doesn't already have it in their .htaccess. Note that the command should be just two words rather than three:

RewriteEngine On

For others wanting to explore how to use Apache mod_rewrite, its reference is at http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html. That page links to others with further explanations and examples.
« Last Edit: May 21, 2010, 06:49:23 PM by SteveW »
shobha
« Reply #3 on: May 12, 2010, 10:57:25 PM »
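As an added example (not code from the thread, the article or Apache), the following Python script simulates what the two RewriteCond patterns quoted above would do to a request, so a site owner can see which query strings the .htaccess rules forbid and which they let through before relying on them. mod_rewrite tests the raw, not URL-decoded, QUERY_STRING, and [NC] makes the match case-insensitive; the script mirrors both. The query strings and IP addresses are constructed, and the allowed_ip parameter models the commented-out REMOTE_ADDR condition.

```python
import re

# The two RewriteCond patterns from the .htaccess snippet in the thread,
# compiled the way Apache evaluates them: against the raw QUERY_STRING,
# with [NC] meaning case-insensitive.
RFI_SCHEME_RE = re.compile(r"^.*=(ht|f)tp\://.*$", re.IGNORECASE)
EMBEDDED_QMARK_RE = re.compile(r"(\?|%3F)", re.IGNORECASE)


def rewrite_decision(query_string, client_ip=None, allowed_ip=None):
    """Simulate the two RewriteCond/RewriteRule pairs.

    Returns "403" if a RewriteRule with the [F] flag would fire, else "pass".
    allowed_ip models the commented-out REMOTE_ADDR condition: every
    RewriteCond of a pair must hold, so a request from the allowed address
    skips the first rule (the second rule carries no such exemption).
    """
    if RFI_SCHEME_RE.search(query_string):
        if allowed_ip is None or client_ip != allowed_ip:
            return "403"
    if EMBEDDED_QMARK_RE.search(query_string):
        return "403"
    return "pass"


def audit(cases, **kw):
    """Run (label, query_string) pairs through the rules; return {label: decision}."""
    return {label: rewrite_decision(qs, **kw) for label, qs in cases}


# Constructed query strings (hypothetical values, not taken from the thread).
SAMPLE_CASES = [
    ("plain page parameter", "page=about"),
    ("absolute http URL in a parameter", "page=http://203.0.113.5/x.txt"),
    ("same with upper-case scheme", "page=HTTP://203.0.113.5/x.txt"),
    ("absolute ftp URL in a parameter", "page=ftp://203.0.113.5/x.txt"),
    ("literal ? inside the query", "q=what?"),
    ("encoded ? inside the query", "q=what%3f"),
    ("fully URL-encoded URL", "page=http%3A%2F%2F203.0.113.5%2Fx.txt"),
]

if __name__ == "__main__":
    for label, decision in audit(SAMPLE_CASES).items():
        print(f"{decision:5} {label}")
```

The last case is the one worth noticing: because the rules see the raw query string, a parameter whose URL is fully percent-encoded passes both conditions. Treat the rules as a coarse filter in front of the application, and still make sure the site's own code never builds include paths from request input.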

Hello,

I read about How to prevent site from getting hacked and How to repair a damaged site. It was so informative. I got very good information from your posting. Thanks for this posting. I will look forward to your future updates also.

seo services
TimP
« Reply #4 on: June 12, 2010, 08:38:22 PM »

I've poured my heart into a research wiki that I couldn't get anyone to visit because it was emitting malware. You've helped me restore the value of an incredible amount of work that I've done over the last 6 months. Thank you.
CoastWeb
« Reply #5 on: July 31, 2010, 11:02:59 PM »

I've developed some software designed to help someone clean up their website after it has been hacked. Basically it scans the files looking for content that could be used to exploit the system, giving you a shortlist of files that should be investigated for possible exploits. It's at www.phpsiteminder.com/pss/ if anyone is interested. Note: your site needs to be on a php5 server (most php servers these days are php5).
« Last Edit: July 31, 2010, 11:08:27 PM by CoastWeb »
windyt
« Reply #6 on: August 27, 2010, 09:55:43 AM »

Hello and thank you for your time to write this great resource. I am a victim of a recent hack - but every time I clean the site, they come back and over ftp replace all the files. I have even deleted the domain in my VPS cpanel and recreated it with a new password but they still keep coming - from my ftp log:

the first IP is mine - I uploaded index.html saying site is down
Thu Aug 26 20:56:24 2010 2 24.19.224.207 30115 /home/tomasv/public_html/tracker-bevo.png b _ i r tomasv ftp 1 * c

Fri Aug 27 04:01:58 2010 0 64.71.229.10 141 /home/tomasv/public_html/images/gifimg.php a _ i r tomasv ftp 1 * c
Fri Aug 27 04:02:05 2010 0 64.71.229.10 37721 /home/tomasv/public_html/wp-content/plugins/akismet/akismet.php a _ o r tomasv ftp 1 * c
Fri Aug 27 04:02:06 2010 0 64.71.229.10 14861 /home/tomasv/public_html/wp-content/plugins/akismet/legacy.php a _ o r tomasv ftp 1 * c

The other lines are them uploading a new Wordpress that is infected - how do I find out more about the RFI attack and how to prevent it please? This is the 3rd time I cleaned the site, generated the ftp password using the cpanel generator and within 48 hours I am hacked again :-(

Thank you again for your time and help...
SteveW
Administrator
« Reply #7 on: August 31, 2010, 04:14:29 AM »

Hello windyt, I'm sorry for my delay in replying. Due to hardware failure, I've been offline for several days.

Be sure to scan your PC (at home/office, not your website's server) carefully for viruses, using a scanner different from your usual one. If any malware is found, clean it out and then change your website passwords again.

However, I believe gifimg.php that they uploaded is a filename frequently used for backdoor PHP scripts. Once they have uploaded a backdoor, they can call it from their web browser and manage your site remotely using it. If you examine that file, you'll likely find it full of malicious PHP code for managing the site (upload/download, etc.). If that's the case, delete the file. Also check out anything else they uploaded.

Unfortunately, these backdoor scripts are things that they can only upload to regain access after they've already hacked their way in once, so it's not how they originally got in. You still need to find the original method of entry: viruses on your PC, outdated WordPress version, etc.

I should also point out that the first line in your log, even if it's your IP address, is not an upload of index.html. It's for a file called tracker-bevo.png. If that's not the name of the file you intended to upload, it is another indication that your PC may be infected with malware.
« Last Edit: August 31, 2010, 04:20:42 AM by SteveW »
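As an added example (not code from the thread or from SteveW), here is a small Python parser for xferlog-style lines like the ones windyt quoted, with a check that pulls out the transfers a site owner should inspect first: anything from an address that is not their own, and any upload of a server-side script. The log lines, addresses, user name and paths below are constructed; the field meanings follow the standard xferlog layout, in which the direction flag is i for a transfer to the server (an upload) and o for a transfer from it (a download).

```python
import re
from collections import Counter

# xferlog layout (wu-ftpd / Pure-FTPd style): date (5 tokens), transfer seconds,
# remote host, byte count, path, transfer type (a|b), special-action flag,
# direction (i = incoming/upload, o = outgoing/download), access mode, user,
# service, authentication method, authenticated user id, completion (c|i).
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<ttype>[ab]) (?P<action>\S) (?P<direction>[io]) (?P<mode>\S) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\S+) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

# Extensions whose upload over FTP deserves a look regardless of the source address.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".cgi", ".pl", ".htaccess")

# Constructed sample log (illustrative addresses, user and paths; not the thread's data).
SAMPLE_XFERLOG = """\
Thu Aug 26 20:56:24 2010 2 198.51.100.7 30115 /home/site/public_html/index.html a _ i r siteuser ftp 1 * c
Fri Aug 27 04:01:58 2010 0 203.0.113.10 141 /home/site/public_html/images/gifimg.php a _ i r siteuser ftp 1 * c
Fri Aug 27 04:02:05 2010 0 203.0.113.10 37721 /home/site/public_html/wp-content/plugins/akismet/akismet.php a _ o r siteuser ftp 1 * c
Fri Aug 27 04:02:06 2010 0 203.0.113.10 14861 /home/site/public_html/wp-content/plugins/akismet/legacy.php a _ o r siteuser ftp 1 * c
Fri Aug 27 04:02:40 2010 1 203.0.113.10 37990 /home/site/public_html/wp-content/plugins/akismet/akismet.php a _ i r siteuser ftp 1 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts. Lines that do not fit the layout are
    skipped (this simple regex does not handle paths containing spaces)."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def flag_transfers(records, known_hosts):
    """Return (record, reasons) pairs for transfers worth a closer look:
    any transfer from an address outside known_hosts, and any upload of a
    server-side script whatever its source."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["host"] not in known_hosts:
            reasons.append("unknown remote host")
        if rec["direction"] == "i" and rec["path"].lower().endswith(SCRIPT_EXTS):
            reasons.append("script upload")
        if reasons:
            flagged.append((rec, reasons))
    return flagged


def activity_by_host(records):
    """Count uploads and downloads per remote address, as plain dicts."""
    counts = {}
    for rec in records:
        c = counts.setdefault(rec["host"], Counter())
        c["upload" if rec["direction"] == "i" else "download"] += 1
    return {host: dict(c) for host, c in counts.items()}


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    # The owner's own address is the only one expected in a healthy log.
    for rec, reasons in flag_transfers(recs, known_hosts={"198.51.100.7"}):
        print(rec["when"], rec["host"], rec["direction"], rec["path"], "|", ", ".join(reasons))
    print(activity_by_host(recs))
```

Run against a real log, the per-host summary shows at a glance whether a second address has been using the account, and the flagged list gives the files to examine and remove first; a download of a plugin file followed shortly by an upload of the same path is the pattern of a file being fetched, edited and put back, which is why the check reports downloads from unknown hosts as well.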