
Hacked!?


If your site uses a CMS (WordPress, Drupal, Joomla, etc.), there is always the possibility of it being hacked; in the last two years here at 4Site, I’ve had to repair nearly a dozen websites for new (and, to a lesser degree, existing) support clients. Depending on who hacked your site, how savvy they are and what their motives are, you may not even notice it. One of the more interesting infiltrations, for example, involves “hiding” content on your website that is visible only to a web crawler (the indexing bots used by search engines), so that search results for your site carry the intruder’s content while ordinary visitors see nothing unusual.

Some infiltrations are as simple as static web pages being uploaded to your server. Others are more complex, involving changes to your CMS framework’s template files and modules, or changes to your database. It’s not unusual for a site to have been compromised multiple times in different ways, often by the same perpetrator, over the course of months. As a result, when repairing a hacked site, it is best to assume the worst-case scenario and perform an exhaustive repair of the site. Here are the steps that I take:

  1. Completely replace the framework and plugins/modules with a fresh install of the same version. This includes any third-party libraries and scripts (the WYSIWYG editors in particular: CKEditor, TinyMCE, etc.).

  2. Check all folders for files and folders that do not belong. This can be time-consuming, because some files and folders may belong to custom additions to the site, so each folder and file that is not part of the default installation should be examined to see whether it is a legitimate addition to the site (and if it is, visually inspect it for any intrusions). Common signs of an intrusion are obfuscated or encoded portions of the file.

  3. Check the uploaded-files folders for any PHP files and for unnecessarily permissive web server config files. Remove the PHP files and update the web server config files to lock the folder down to only the permissions the site needs in order to operate. Note that the web server configuration requirements vary by CMS and by the functionality the site requires.

  4. Check the SQL dump for embedded JavaScript and links. This is another potentially lengthy step, depending on the size and configuration of the site. Cleaning up a SQL dump, if the database has been infiltrated to a large degree, generally requires running regex patterns to locate and remove the malicious content. Once the dump is cleaned up, wipe the database and re-import the modified dump.

  5. Change passwords for all server (FTP, cPanel, etc.) and CMS accounts that have write permissions. As a security precaution, admin/super-user accounts should not use default usernames (i.e., “admin”).

  6. Re-index the site’s search if it has one.

  7. Perform a post-repair QA, verifying site functionality.

  8. Make a backup of the repaired site.

  9. Install all security updates to the site, and implement security measures where appropriate without reducing the access levels the site requires (for WordPress, I’ve found the Sucuri plugin does an excellent job of hardening the site, as well as providing scanning functionality as an additional check on your work).

  10. Check the major search engines by searching for the site. If a search engine is reporting that the site has been compromised (Google reports this in its search results, for example), then request a review by the search engine. To do this with Google, access Google Webmaster Tools for your site and request a review. As of the last time I performed a site repair, I have not seen any search engine other than Google report potentially compromised sites. If your search results are showing bad content, request a re-indexing of the site (again, Google Webmaster Tools is the way to do this with Google). Note that getting the search results corrected can take up to a week.
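As an added example (my own code, not part of the original post and not a 4Site tool), the Python script below mechanizes the file checks of steps 2 and 3 and the dump scan of step 4, so the manual inspection starts from a short list instead of the whole site. It assumes the upload folder is named `uploads`, that the site’s own hostname is `example.org`, and that the obfuscation indicators (`eval`, `base64_decode`, decoder calls, variable function calls, long base64-looking blobs) are the ones worth flagging; all of those are my assumptions, and the clean install, deployed site and SQL dump it scans are constructed in a temporary directory for demonstration.

```python
"""Added audit helpers for repair steps 2-4: extra files versus a clean install,
PHP under upload folders, obfuscation indicators, and injected script/links in a
SQL dump. The sample trees and dump are constructed, not real site data."""
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Indicators of encoded/obfuscated PHP (assumed heuristics; every hit still needs a human look)
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder call": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
    "variable function": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$"),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}
SCRIPT_TAG = re.compile(r"<\s*(?:script|iframe)\b", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\"<>]+)", re.I)

def relative_files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}

def extra_files(clean_root, site_root):
    """Step 2: files in the deployed site that a fresh install does not contain."""
    return sorted(relative_files(site_root) - relative_files(clean_root))

def php_in_uploads(site_root, upload_dirs=("uploads",)):
    """Step 3: anything the web server could run as PHP under the upload folders."""
    site_root = Path(site_root)
    hits = []
    for name in upload_dirs:
        base = site_root / name
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in PHP_EXTENSIONS:
                hits.append(p.relative_to(site_root).as_posix())
    return sorted(hits)

def obfuscation_hits(path):
    """Step 2: (line_number, indicator) pairs for one file."""
    hits = []
    text = Path(path).read_text(errors="replace")
    for n, line in enumerate(text.splitlines(), 1):
        for name, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, name))
    return hits

def scan_sql_dump(dump_text, own_hosts):
    """Step 4: dump lines carrying script/iframe tags, hidden elements (the
    crawler-only content from the intro), or links to hosts other than the site's own."""
    findings = []
    for n, line in enumerate(dump_text.splitlines(), 1):
        if SCRIPT_TAG.search(line):
            findings.append((n, "script/iframe tag"))
        if HIDDEN_STYLE.search(line):
            findings.append((n, "hidden element"))
        for host in URL_HOST.findall(line):
            if host.lower() not in own_hosts:
                findings.append((n, "link to " + host))
    return findings

def build_fixture(base):
    """Constructed clean install, deployed site and SQL dump (sample data only)."""
    clean, site = Path(base) / "clean", Path(base) / "site"
    for root in (clean, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "functions.php").write_text("<?php function f() { return 1; }\n")
        (root / "index.php").write_text("<?php require 'wp-includes/functions.php';\n")
    # Present only in the deployed site: one legitimate custom file and two upload-folder files
    (site / "wp-includes" / "class-site-helper.php").write_text("<?php // custom helper\n")
    (site / "uploads").mkdir()
    (site / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (site / "uploads" / "cache.php").write_text('<?php eval(base64_decode("PLACEHOLDER_BLOB")); ?>\n')
    dump = "\n".join([
        "INSERT INTO wp_posts VALUES (1, 'Hi <a href=\"https://example.org/about\">about</a>');",
        "INSERT INTO wp_posts VALUES (2, '<div style=\"display:none\"><a href=\"http://bad.invalid/x\">x</a></div>');",
        "INSERT INTO wp_options VALUES (3, '<script src=\"http://bad.invalid/j.js\"></script>');",
    ])
    (Path(base) / "dump.sql").write_text(dump)
    return clean, site, Path(base) / "dump.sql"

def run_audit(base=None, own_hosts=frozenset({"example.org"})):
    """Build the fixture and run every check; returns a dict of findings."""
    base = base or tempfile.mkdtemp()
    clean, site, dump = build_fixture(base)
    extras = extra_files(clean, site)
    obfuscation = {}
    for rel in extras:          # only the extra files need the indicator scan
        hits = obfuscation_hits(site / rel)
        if hits:
            obfuscation[rel] = hits
    return {
        "extra_files": extras,
        "php_in_uploads": php_in_uploads(site),
        "obfuscation": obfuscation,
        "sql_findings": scan_sql_dump(dump.read_text(), own_hosts),
    }

if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On the constructed sample the script reports three extra files, of which only `uploads/cache.php` is both a PHP file in the upload folder and a file with indicators, while `class-site-helper.php` is listed as extra but clean; that is exactly the distinction step 2 asks you to make by hand. The dump scan flags the hidden element and the off-site links on line 2 and the script tag on line 3 and leaves the site’s own link alone. Each hit is a reason to inspect, not proof on its own, and the indicator list should be extended with whatever the previous compromise of a given site used.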

And that’s that! It’s a lot of work, but better to make certain you remove all the backdoors and malicious scripting now than to have to come back a month later and do it all over again because you missed something.