Recently a Client/friend asked me to help him with his site after he found out he was hacked, in a situation like that i would gladly volunteer my time to help assess and fix the issue and prevent it from happening again. All the Guides from the major CMSs or other frameworks all have help guides to helped you when you get hacked. WordPress and Zen cart both have very good guides, but this guide should be a general help guide to getting back on track, you may have better site specific info from the company that developed the framework. Also check the forums as well for other people that have been hacked and how they fixed it and what the cause was.
There are a few important steps that have to be taken when something like this happens. Try not to Skip them as well because they will be important later on.
1) Shutdown the Site, or put it into maitinence mode until this is sorted out and cleaned up. there are other ways of doing this as well, change the .htaccess file to point to another index file or folder or rename the index file and replace with a blank or custom message, also most hosting services have a way to change the root folder as well. All a great options, depending on your situation.
2)contact your hosting service. They will be able to let you know if the server itself was hacked or if the attack came through your site. Another person to contact is your webmaster or the person who helped you with your site. If you don’t have any one that helped you or your technically inclined, there are lots of resources out there if you know how to look for them.
3) assess the damage done to your site and contact any customers, users or affiliates that this attack has affected, or compromised any personal data.
4) Change Your Passwords For all your admin accounts!
After that is done, you should start looking for where the attack came from. There are lots of possibilities, to name a few places to look.
- uploaded pictures/files
- new users
- any place a user can input text
if you cant find where the attack came from, you may have to wait to hear form your hosting service so they can point you in the right direction. Don’t worry to much if you can’t find the out where the hole is, you may find it later on after you finish your clean up.
Now for the fin part, finding all the pages that have been hacked or altered, and cleaning the database of any malicious code. For your files the best way to find the code is use a small linux utility called Diff, it compares file or directories and out puts the difference between them, most linux distros include it into there system. To do this step you will need to have an older backup of your site directories and files, then get a current backup. Now keep them in separate directories and run the diff too
diff [-options] [dir1/fiile1] [dir2/file2]
if you get a syntax error try using man diff or diff –help, this should get you to how to use the tool. Look over the report it puts out and find the code that was placed in there, most of the time you will not be able to read the code that was inserted. on the site that was hacked, the code that was inserted was
there are other forms as well but this style is the most popular, becuase you cant read it till its decoded. But you want to remove all the code that is malicious. but before you go around removing lines make a nother copy of the hacked site just in case that you break the page when the code is removed.
later we will decipher the code to better understand what the hacker was trying to do. but that is beyond the scope of this part. After finding and removing all the code from the pages, next you want to start searching the database for any comment entries or other code that may have been uploaded to it, you may not find anything at all. Some things that may help are, look for special characters like ? < > ; ‘ / * ( ) and $ %, another thing to look for is weird links and unreadable strings. hope this will help with a search through your database.
After all the clean up is finished, you can either save your content and reload everything from scratch then put the content back, which is the preferable way, or re-upload the cleaned file, then update your framework to the most current version. I know WordPress can be done within the framework, others its just a reinstall over the current files, and some have patch files used instead, choose the one that works with your framework and make sure it has all the security updates to prevent thsi again. Once the site is back up , you want to test every page and link to make sure everything is workin the way that you had it. If all went well you should have your cleaned site up and running again. Next check the permissions of all your folders, the easiest way is to use the ls command from your ssh login if you have it available. Files should be set to no higher than 755. now what does that mean?
A little explanation of permissions on linux, more info here, most of the time you will see the permissions in 2 forms. First is the octal style, usually in the form of xxxx , x = a number 0-7. The first number usually is a 0 but not always, this is called a sticky bit, and is not important at the moment. The second x is for the owner, the Third is Group and the last is Other. Now each x except for the first has a number 0-7 each has its own meaning .
This table shows what numeric values mean:
|Octal digit||Text equivalent||Meaning|
|0||---||All types of access are denied|
|1||--x||Execute access is allowed only|
|2||-w-||Write access is allowed only|
|3||-wx||Write and execute access are allowed|
|4||r--||Read access is allowed only|
|5||r-x||Read and execute access are allowed|
|6||rw-||Read and write access are allowed|
|7||rwx||Everything is allowed|
so 755 = owner can do everything, the group can read and execute the file, other can do the same.
So which files need which permissions? usuelly 644 is the default for most files
which eaqluils owner can read and write, groups can read only and other as well can read only. Scripts and PHP files or anything that would run on the server first would need the 755 permissions. On a side note, never give a directory 777 permissions, this allows any one and everyone to run delet modify any files that have that permissions. Exceptions would be a file upload directory but even then I would not set the directory to 777 instead use 622 or 666,
the other way to write it is -rwxrwxrwx, a good explanation of the setup
* position 0 is the type of the file. It is either “d” if the item is a directory, or “l” if it is a link, or “-” if the item is a regular file.
* positions 1 to 3 are permissions for the owner of the file.
* positions 4 to 6 are permissions for the group.
* positions 7 to 9 are permissions for others.
a few examples
- 777 = -rwxrwxrwx
- 755 = -rwxr-xr-x
- 644 = -rw-r–r–
- 755 directory = drwxr-xr-x
now once all the permissions are fixed, test your site again to make user its working, if now find the file that cant be run or executed and change to the correct permissions.
After all that work you should now have a cleaned up website, double check everything one last time to be sure. If you couldnt find the point of entry into your site from the begining, look one more time for the hole that the hackers exploited. Still cant find it?
Well….theres not much else you can do to find it unless you hire a security expert to look through all the info and data, or the hosting company finds something that you can use or points out.
Now lets review to make sure you have done everything and brought your site back up.
- taken site down or into maintenance mode
- called hosting company to report that you have been hacked
- assess all damage done, contact users or affiliates/customers that are affected by the hack
- Change all your password for your admin accounts
- Start looking for the Hole the hacker had entered through
- check database for any mal code
- clean up, remove any mal code or Wipe site and reinstall and update
- check permissions, test and check again
- any other details that may be needed
- learn from the mistakes and correct for next time, Make a back up!
Now all should be back to normal, and the site up and running and everything is secure. So what was that hacker trying to do? I will explain on a real world code what the hacker was trying to acomplish in the next part of this post, look for it soon!