My Website Has Been Compromised/Hacked - What Can I Do?

Please note that all webmasters (clients) are responsible for the security and maintenance of their own websites. I have put some information together below which I hope you find useful.

A common attack method is known as script injection. Typically, this works by forcing a site to execute code where it was expecting to process some other input - fake '.txt' files are often used for this purpose, and it appears that is what happened with your site.

Because script injection attacks the site code itself, it bypasses the web server's own security controls entirely. Unfortunately, some content management systems (especially older versions of Joomla) are extremely susceptible to this form of attack.

In the site directory structure there may also be "backdoor" scripts (also known as Trojans) and scripts written to probe the server and remote sites. These are generally installed on the site through vulnerabilities in the site's own scripting, usually in one of the following ways:

a) Site allows arbitrary uploads - easy way to get scripts onto a site.
b) Site allows the "inclusion", via PHP, of remote text.
c) Site allows the running of code from a remote location.
d) Site has directories with permissions that allow anyone to create files there.

Once the infected files have been used by an attacker, the site becomes known as vulnerable and this information is distributed around cracking sites. This means that another attack is likely unless the vulnerabilities are removed.

Here is the best way to get a 'hacked' site back up and running:

1) Back up the database and ensure all the passwords are recorded.
2) Back up the site, but mark the backup as unclean so that it is never re-used.
3) Remove the entire site.
4) Change the FTP and database passwords.
5) If the site connects to any external data sources (databases, RSS feeds, etc.), change the passwords there as well and modify the scripts as necessary.
6) Download the LATEST versions of the software used for the site. Again - don't rely on the version numbers being the same.
7) Upload and configure the new software to get the site back as it was.
8) Ensure no directories are writable by any other user. So, "drwxr-xr-x", not "drwxrwxr-x" or "drwxrwxrwx" (chmod 0755).
9) Remove any installation files - typically named something like "INSTALL.php".

As these infections commonly arrive via add-on modules, extensions and themes, we'd suggest limiting these to only those that are necessary and taking care to ensure they come from the module provider's home site (many themes/modules/extensions come pre-infected on third-party sites).

A simple way to remove the ability for attackers to use options "b" and "c" in the list above is to add a php.ini file at the top level of the website with the following contents. Be aware, though, that the site will need testing to ensure that no legitimate actions are affected by this.

The php.ini directives are:

allow_url_include = "0"
allow_url_fopen = "0"
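As an added example (not part of the original article or the hosting provider's tooling), the following POSIX shell script checks the two points above on a restored site: step 8's rule that no directory may be group- or world-writable, and that the top-level php.ini actually disables both directives. The site path and the php.ini location are assumptions passed in by the caller.

```shell
#!/bin/sh
# Audit a restored site for two of the conditions the article flags:
#   - directories writable by group or others (should be 0755)
#   - allow_url_include / allow_url_fopen not disabled in php.ini
# Assumes php.ini lives at the top level of the site, as the article suggests.

# Print every directory under $1 that is group- or world-writable.
# Octal -perm tests are used so the command is portable across find versions.
find_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print | sort
}

# Return 0 if the php.ini at $1 sets both directives to an "off" value.
# Handles quoted values ("0"), Off/No/False, and trailing ; comments.
check_php_ini() {
    ini="$1"; rc=0
    for key in allow_url_include allow_url_fopen; do
        val=$(grep -i "^[[:space:]]*${key}[[:space:]]*=" "$ini" 2>/dev/null | tail -n 1 \
              | sed -e 's/^[^=]*=//' -e 's/;.*$//' -e "s/[\"'[:space:]]//g" \
              | tr 'A-Z' 'a-z')
        case "$val" in
            0|off|no|false) ;;                               # disabled: fine
            "") echo "$key: not set in $ini (server default applies)"; rc=1 ;;
            *)  echo "$key: enabled ($val) in $ini"; rc=1 ;;
        esac
    done
    return $rc
}

# Run both checks against a site root; returns 0 only when both pass.
audit_site() {
    root="$1"; rc=0
    dirs=$(find_writable_dirs "$root")
    if [ -n "$dirs" ]; then
        echo "group/world-writable directories (chmod 0755 them):"
        echo "$dirs"
        rc=1
    fi
    check_php_ini "$root/php.ini" || rc=1
    return $rc
}
```

Run it as `audit_site /path/to/public_html`; a non-zero exit means at least one finding was printed.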

On a final note, whether you download and manually install scripts/programs yourself or install them directly from the hosting control panel, it is important that you check for the latest versions and update as necessary.
