1. Take your site offline.
You can do this with a temporary redirect in your .htaccess file.
RewriteEngine On
# Send every request except the maintenance page itself there (302 = temporary); excluding that page avoids a redirect loop
RewriteCond %{REQUEST_URI} !/site-down-message\.html$
RewriteRule ^(.*)$ http://www.yourwebsite.com/site-down-message.html [R=302,L]
2. Download everything on your website to a safe computer at home. You will want to see what went wrong, and it’ll serve as an emergency backup.
3. Check all your CMS (content management software) for new versions and load new, clean versions on to the site.
4. If you have a clean backup of your site, upload it now, taking care not to overwrite the new CMS.
5. Check everything, then check it again. Make sure everything is clean and that you’ve closed whatever route the attacker used to get in, so it can’t happen again.
6. Check Google Webmaster Tools to see if you’ve been banished and check StopBadware. Let them both know your site has been attacked, cleaned, and is back up again.
— Many of the newer attacks plant things in your MySQL database to reinfect your site once you’ve cleaned it, so be sure to wipe them too.
— But since no one ever thinks “I’ll be hacked today, so I’d better do a backup”, you might not have a clean backup. Contact your hosting company; they might have one if you don’t.
— If there are no clean backups you’ll have to do it by hand. This means you must find a corrupted file and see what the attacker added. Usually it will be in an iframe. If you have a Mac or Linux box you can go to the root directory of the website files and type
grep -R 'iframe badStuff' *
and get a list of every file that has the bad stuff in it. Replace badStuff with whatever string the attacker placed in your files. Do this also with the directory holding your MySQL backups. MySQL backups are text files and easily edited by hand.
If you have Windows you will need to download a copy of grep from WinGrep.
If you use
grep -Rn 'bad stuff' *
it will also give you the line number the bad stuff is found on each file.
Keep grepping for corrupted files and cleaning until you have a clean copy of your website.
Next, check with all the content management systems you are using for updates. Very likely there has been an update to whatever software was hacked. Upload new, clean copies of the blogging, photo or other software. Then upload your cleaned files and restore your cleaned databases.
Download everything and check again to make sure you were not re-infected.
Now, if you can run cron jobs on your webhost, you will want to run the following command daily
# ls ignores anything piped into it, so hand it find's results as arguments instead
find . -type f -mtime -1 -exec ls -lt {} +
And have it email you the results. This will send you a list of every file that has been changed in the last 24 hours. This way you can keep a close eye on your site until you are sure everything is locked down and secure.
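The grep sweep and the daily changed-file check above, combined into one script you could run from cron. This is an added example, not code from the original post; the function names and the hidden-iframe regex are my assumptions, and the demo web root is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post. Combines the two checks the post
# describes: list files changed in the last N days, and grep the web root (or
# the MySQL backup directory) for the hidden-iframe injection it mentions.
# Function names and the signature regex are this example's own assumptions.
set -u

# A hidden iframe: an <iframe ...> tag made invisible by style or size.
IFRAME_PATTERN='<iframe[^>]*(display: *none|visibility: *hidden|width="?0"?|height="?0"?)'

# recently_changed WEBROOT DAYS -> paths of files modified within DAYS days
recently_changed() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# infected_files DIR -> paths whose contents match IFRAME_PATTERN
infected_files() {
    # -r recurse, -l print file names only, -E extended regex,
    # -I skip binary files so images cannot produce false matches
    grep -rlIE -e "$IFRAME_PATTERN" "$1" 2>/dev/null | sort
}

# daily_report WEBROOT DAYS -> the text you would have cron mail to yourself
daily_report() {
    printf 'Files changed in the last %s day(s) under %s:\n' "$2" "$1"
    recently_changed "$1" "$2" | sed 's/^/  /'
    printf 'Files containing a hidden iframe:\n'
    infected_files "$1" | sed 's/^/  /'
}

# demo_site -> path of a constructed throwaway web root (not real data)
demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/blog"
    printf '<html><body>Hello</body></html>\n' > "$root/index.html"
    # constructed infected page: invisible iframe appended to a footer include
    printf '<p>footer</p><iframe src="http://example.invalid/x" style="display:none"></iframe>\n' \
        > "$root/blog/footer.php"
    # age the clean file so it drops out of the "changed recently" list
    touch -d '30 days ago' "$root/index.html" 2>/dev/null || touch -t 200001010000 "$root/index.html"
    printf '%s\n' "$root"
}

# Stand-alone run: build the demo site, print the report, clean up.
site=$(demo_site)
daily_report "$site" 1
rm -rf "$site"
```

Point daily_report at your real web root (and infected_files at your MySQL dump directory) and pipe its output to mail from the cron job.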
And remember you can’t have too many backups.
More information:
Know your enemy: web application threats