
How To Repair And Secure a Hacked Website

This page provides information about identifying, removing, and preventing badware on your website. It does not cover every situation, only the most common cases that we see at StopBadware. Some cases may require further assistance from a security professional. Several malware applications are spread on the internet through infected web pages and executable downloads. For instance, hackers exploit vulnerabilities in web applications and inject malicious code; you may be running a vulnerable open-source application such as WordPress, Joomla, CKFinder, and so on.

Computer hackers can secretly embed hundreds or thousands of links to your website. Hidden links are against Google policy, and if the company suspects that your website has these links, your ratings will drop. Google could even remove your website from its index. If you are planning to build your website using WordPress, think again. WordPress is now the number one hacked website and blog platform on the internet. For a very simple blog, it can be effective and secure, but when you begin adding features required for website design and other bells and whistles, it can leave back doors open for intruders.

Prevention

Webmasters who have endured the tedious procedures in relation to malware hacks understand the importance of prevention.

Prevention is the final step in securing a website. Keep your web applications updated and track security flaws in both the web applications and the server. Run antivirus on machines that have access to the website or to the server that hosts the portal, and always monitor traffic and logs for hack attempts.

There are three basic steps to restoring and maintaining a clean website:

  1. Identifying badware behavior
  2. Removing the badware behavior
  3. Preventing future infection

Identifying badware behavior

The first step to keeping your website badware-free is to check for any badware or badware behaviors that may already be on your site.

What to look for

The three most common forms of badware that StopBadware sees on compromised sites are:

  1. Malicious scripts
  2. .htaccess redirects
  3. Hidden iframes

Malicious scripts

Malicious scripts are often used to redirect site visitors to a different website and/or load badware from another source. These scripts will often be injected by an attacker into the content of your web pages, or sometimes into other files on your server, such as images and PDFs. Sometimes, instead of injecting the entire script into your web pages, the attacker will only inject a pointer to a .js or other file that the attacker saves in a directory on your web server.

Many malicious scripts use obfuscation to make them more difficult for anti-virus scanners to detect:

picture of obfuscated script

Some malicious scripts use names that look like they’re coming from legitimate sites (note the misspelling of “analytics”):

picture of deceptive script

.htaccess redirects

The Apache web server, which is used by many hosting providers, uses a hidden server file called .htaccess to configure certain access settings for directories on the website. Attackers will sometimes modify an existing .htaccess file on your web server or upload new .htaccess files to your web server containing instructions to redirect users to other websites, often ones that lead to badware downloads or fraudulent product sales.


Hidden iframes

An iframe is a section of a web page that loads content from another page or site. Attackers will often inject malicious iframes into a web page or other file on your server. Often, these iframes will be configured so they don’t show up on the web page when someone visits the page, but the malicious content they are loading will still load, hidden from the visitor’s view.

picture of a hidden iframe injected in a web page

How to look for it

If your site was reported as a badware site by Google, you can use Google’s Webmaster Tools to get more information about what was detected. This includes a sampling of pages on which the badware was detected and, using a Labs feature, possibly even a sample of the bad code that was found on your site. Certain information can also be found on the Google Diagnostics page, which can be found by replacing example.com in the following URL with your own site’s URL: www.google.com/safebrowsing/diagnostic?site=example.com

There exist several free and paid website scanning services on the Internet that can help you zero in on specific badware on your site. There are also tools that you can use on your web server and/or on a downloaded copy of the files from your website to search for specific text. StopBadware does not list or recommend such services, but the volunteers in our online community will be glad to point you to their favorites.
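As an added example (not part of the original article or a StopBadware tool), here is a small Python scanner that searches a downloaded copy of a site for the three forms of badware described above. The regular expressions, the names scan_text and scan_tree, and the own_hosts set of domains you control are assumptions for illustration; treat every hit as a lead to review, not as proof.

```python
import os
import re

# Heuristic patterns: assumptions for illustration, not StopBadware signatures.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:(?:width|height)\s*[=:]\s*[\"']?[01](?![0-9])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
OBFUSCATED_JS = re.compile(
    r"(?:eval|document\.write)\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I)
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
EXTERNAL_REDIRECT = re.compile(
    r"^[ \t]*(?:RewriteRule|Redirect(?:Match)?)\b[^\n#]*?https?://([^/\s\"]+)",
    re.I | re.M)
TEXT_EXTS = (".html", ".htm", ".php", ".js", ".tpl", ".inc")


def scan_text(name, text, own_hosts):
    """Return (kind, detail) findings for the contents of one file."""
    if os.path.basename(name) == ".htaccess":
        return [("htaccess-redirect", m.group(1).lower())
                for m in EXTERNAL_REDIRECT.finditer(text)
                if m.group(1).lower() not in own_hosts]
    findings = []
    for kind, pattern in (("hidden-iframe", HIDDEN_IFRAME),
                          ("obfuscated-script", OBFUSCATED_JS)):
        m = pattern.search(text)
        if m:
            findings.append((kind, m.group(0)[:80]))
    # List every third-party script host so look-alike names can be reviewed.
    for m in SCRIPT_SRC.finditer(text):
        if m.group(1).lower() not in own_hosts:
            findings.append(("external-script", m.group(1).lower()))
    return findings


def scan_tree(root, own_hosts):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn != ".htaccess" and not fn.lower().endswith(TEXT_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fn, fh.read(), own_hosts)
            if found:
                report[os.path.relpath(path, root)] = found
    return report
```

Call scan_tree("/path/to/site-copy", {"example.com", "www.example.com"}) with your own domains; redirects and scripts that point at hosts outside that set are the ones to inspect first.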

 

Removing the badware behavior

Once you have located the code that is causing the badware behavior, removing it is often as simple as deleting the offending code from all files in which it appears. Sometimes, it is easier, if you have a clean backup of your site’s contents, to re-upload all of the site’s files, though be careful about overwriting files that may have changed since your last backup. In some cases, the bad content may be stored in one or more database records, in which case restoring a recent backup of the database or manually editing the relevant records may be necessary.

Preventing future infection

Preventing badware on your website requires protecting three things: your site itself, the password(s) used to upload content to the site, and the computer(s) used to upload content to the site. The site itself must be protected because attackers often look for vulnerable software to exploit so they can modify your site’s contents. The passwords are critical because, if they are guessed or stolen, they can be used to modify the site. Finally, computers are important because badware on your computer can steal your password and/or modify the contents that you are uploading.

Protect your site

  • Ensure that any software you use (e.g., blogging software like WordPress, third-party scripts, etc.) is kept up to date with the latest security fixes, either by you (if you installed the software) or by your hosting provider.
  • Remove any scripts, services, or other software that you are no longer using.
  • Change any default passwords that come with the software you are using.
  • Use appropriate file permissions on your web server.

Protect your password

  • Use a strong password and change it occasionally, especially if you have reason to think it has been compromised.
  • Tips for choosing and protecting a strong password can be found at this helpful page

Protect your computer

 

Protect your media library /uploads folder 

This disables direct access to files in /wp-content/uploads/ (or whatever your upload directory is) and serves up this content only after first applying the appropriate level of authentication (e.g. is this user a subscriber?). Here’s an example .htaccess file you’d want to create and place in your ‘wp-content/uploads’ directory:

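# Hide every file from auto-generated directory listings
IndexIgnore *
Options +FollowSymlinks
RewriteEngine On
# Skip the rule when the Referer header (supplied by the browser) is this site, over http or https
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?myprotectedmemberssite\.com/ [NC]
# Never rewrite requests for the hotlink.* placeholder files themselves
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) [NC]
# Send every other request for these file types to the site's home page
RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$ http://yourdomain.com/ [NC]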



In the above example, the first line disables file directory listings (so no one can view the files in ‘uploads’ or any of its subdirectories). The line with HTTP_REFERER makes sure that a link to a particular file is coming from my site. The (gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) group is a list of file types I want to prevent from being directly linked to (unless the visitor is clicking from my site).

Sorry, this doesn’t use a plugin to solve this (maybe I should write one?), but this seems to do the trick. 

You can also look for a few plugins to prevent file upload vulnerabilities, such as those from rapid7.com or wordfence.com, and more.


XSS, or Cross-Site Scripting, is the other major vulnerability which dominates the web hacking landscape, and it is an exceptionally tricky customer which seems particularly difficult to stop. Microsoft, MySpace, Google… all the big kahunas have had problems with XSS vulnerabilities. This is somewhat more complicated than SQL Injection, and we'll just have a quick look to get a feel for it.

XSS is mostly of concern to consumers and to developers of web applications. It's the family of security nightmares which keeps people like MySpace Tom and Mark Zuckerberg awake at night.

Local File Upload Vulnerability

A remote file upload vulnerability is when an application does not accept uploads directly from site visitors. Instead, a visitor can provide a URL on the web that the application will use to fetch a file. That file will be saved to disk in a publicly accessible directory. An attacker may then access that file, execute it and gain access to the site. 
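As an added example (not from the original article), the following Python audit looks at an uploads directory from the defender's side: it reports files that a media library should never contain, which is how both the upload problem described above and a weak uploads folder usually show up on disk. The name audit_uploads, the SCRIPT_EXTS list and the finding labels are assumptions for illustration.

```python
import os
import stat

# Extensions a PHP/CGI host may execute (an assumed list; match it to your server).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
               ".pl", ".py", ".cgi", ".sh"}


def audit_uploads(root, max_bytes=1 << 20):
    """Return sorted (relative path, finding) pairs for an uploads tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                # Do not follow links out of the uploads tree; just report them.
                findings.append((rel, "symlink"))
                continue
            # Test every dot-separated part so "avatar.php.jpg" is caught too.
            if {"." + p for p in name.lower().split(".")[1:]} & SCRIPT_EXTS:
                findings.append((rel, "script-extension"))
            # The protective .htaccess lives at the top; deeper ones are suspect.
            if name == ".htaccess" and dirpath != root:
                findings.append((rel, "nested-htaccess"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # Look for PHP open tags hidden inside files that claim to be media.
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(max_bytes).lower():
                    findings.append((rel, "contains-php"))
    return sorted(findings)
```

Run it against a copy of wp-content/uploads; an empty list is the expected result for a healthy media library.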

Visit https://codex.wordpress.org/Brute_Force_Attacks for details. 

 

Authorization Bypass 

Authorization Bypass is a frighteningly simple process which can be employed against poorly designed applications or content management frameworks.

You know how it is… you run a small university and you want to give the undergraduate students something to do. So they build a content management framework for the Mickey Bags research department. Trouble is that this local portal is connected to other more important campus databases. Next thing you know, there goes the farm.

Authorization bypass, to gain access to the Admin backend, can be as simple as this:

  • Find weak target login page.
  • View source. 
  • Copy to notepad.
  • Delete the authorization javascript, amend a link or two.
  • Save to desktop. Open on the desktop. 
  • Enter anything into the login fields and press enter.
  • Hey Presto.

Here's a great video of a White Hat going through the authorization-bypass process on YouTube. This was done against a small university's website. It's a two-minute process. Note that he gets into the User 1 account, which is not the Admin account in this case. Is Admin User 1 on your User table?
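The bypass above works only when the authorization decision lives in the page that is sent to the browser. As an added example (not from the original article), here is a Python sketch of keeping that decision on the server with a signed, expiring session token; SECRET, issue_token, authorize and admin_page are hypothetical names, and user names are assumed not to contain "|".

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a long random per-site key


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user, role, now=None, ttl=900):
    """Called by the server only after credentials were verified server-side."""
    now = time.time() if now is None else now
    body = f"{user}|{role}|{int(now + ttl)}"
    return f"{body}|{_sign(body)}"


def authorize(token, required_role, now=None):
    """Decide on the server; nothing in the delivered page takes part."""
    now = time.time() if now is None else now
    if not isinstance(token, str):
        return False
    body, _, sig = token.rpartition("|")
    try:
        # Verify the signature before trusting any field inside the token.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False
        _user, role, expires = body.split("|")
        return role == required_role and int(expires) > now
    except ValueError:
        return False


def admin_page(cookies):
    """Hypothetical request handler: returns (status, body)."""
    if not authorize(cookies.get("session"), "admin"):
        return 403, "Forbidden"
    return 200, "admin dashboard"
```

A request built from an edited local copy of the login page carries no valid token, so the handler answers 403 regardless of what the client-side script was changed to do.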

A Few Defensive Measures:

  • Use an anti-virus scanner, for example:
      • AdAware, a free anti-malware scanner
      • Microsoft Windows Defender, a free anti-malware program
      • Spybot Search and Destroy, a free anti-malware program

  • If you utilize a web content management system, subscribe to the development blog. Update to new versions as soon as possible.
  • Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
  • Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
  • If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
  • Enter some confusing data into your login fields, like the sample Injection strings shown above, and anything else which you think might confuse the server. If you get an unusual error message disclosing server-generated code, then this may betray a vulnerability.
  • Do a few Google hacks on your name and your website. Just in case…
  • When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.

 

 

Database Hacks

Certain hacks, particularly SQL injection attacks against vulnerable Joomla! installations, may result in the database being altered with malicious code. Such a modification can allow the hacker back in even if you've updated to the latest version and cleaned off all foreign files. For this reason it's a good idea after a hack to inspect the database in the same way you check your files, to see if anything has been changed that should not be. If you know when the hack occurred, you may even wish to revert the database to a prior time; in that case, please contact A2 Hosting support and we can restore the database from our backups.

 

Restoring Lost/Modified files

Please see the 'Server Rewind' icon in cPanel to restore lost files in your home directory from within the last month. For databases, please contact us in a Support Ticket.

Useful Links

http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html

Increased Security Using CloudFlare

CloudFlare is a content delivery network (CDN) service that A2 Hosting provides to our Web Hosting customers for FREE. On average, a website using CloudFlare loads 30% faster, uses 60% less bandwidth, has 65% fewer requests and is much more secure. CloudFlare's network blocks threats and limits abusive bots before they hit your server, increasing security and reducing wasted bandwidth.

You can enable CloudFlare on our shared web hosting accounts via cPanel. You can also opt to sign up directly on CloudFlare's site if you are using a non-shared hosting environment: http://www.cloudflare.com

 

Looking For CGI Hacks

The first thing you'll want to do is go through any pre-packaged software under your domain and make sure that it is up to date with the most recent version offered by the vendor. "Pre-packaged software" effectively means any software package that you've placed in your domain directory, such as a blog, gallery, forum, shopping cart, content management system, etc. Out-of-date versions of such software frequently have well-known security holes that can be exploited via simple scripts that are bandied about freely amongst "hacker" and "script-kiddie" groups.

Don't overlook plugins when updating software -- if you have any non-standard plugins activated for your applications try a search engine query for the plugin name + "vulnerability" to see if anything crops up in the version you're using. If there are known vulnerabilities for the plugin in the version you're using make sure to apply any available patches, otherwise deactivate the plugin.

Once you've updated any software, proceed to "Cleaning Up After A Hack".

 

Change Passwords

Once the PC is free of viruses, it is crucial to change the cPanel, email, FTP, database and all other passwords. Make sure the new passwords are very strong and difficult for people to decipher. Try to use a different password for each one.

Once you’ve repaired the damage done, it is time to make sure it doesn’t happen again. You will have to manage your website properly, keeping it safe and secure.

Here are a few tips:

  • Install a good antivirus software program on your PC. You will need real-time continuous protection as scanning it once a day is not good enough. Malware has the ability to delete itself after causing the damage.
  • Install all the latest security patches on Windows systems as well as all other internet-related software.
  • Use strong passwords that combine upper and lower case letters, numbers and punctuation. Do not use the same password for everything.
  • You must make sure it is safe before downloading anything from the internet; whether it is a script or something else.

You must give your website the same importance you would give the house you live in. Just as you would secure it properly to make sure nobody gets in, you must ensure your website is locked for all bad elements.

 

 

  1. Support-Agent