Steps to take if your website is hacked.

Step 1 Take the site offline with .htaccess Add this to your HTACCESS make sure the down.php exists.

RewriteEngine On RewriteBase / #add exception for your IP address RewriteCond %{REMOTE_ADDR} !¹¹¹\.111\.111\.111$ RewriteCond %{REQUEST_URI} !^/down\.php$ RewriteRule ^(.*)$ /site-offine.php [L]

Step 2

Take a full backup of your compromised site and database You can use phpMyAdmin or similar to backup DB Make sure to include server log files

Step 3

Alert your web hosting provider and/or web team.

Step 4

Check your website for malicious code. Quite often it will be enclosed in a “eval” something similar to this below.

eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snb XJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9));

Some basic commands to get you started if you are familiar with ssh.


Find common problems in wordpress hacks

Finds eval or base64 decode

grep -ri “eval” [path] grep -ri “base64_decode” [path]

Recently modified files

find -type f -ctime -0 | more

The -type looks for files, and -ctime scans last 24 hours. Subtract days by number (-1 24 gours) or -2 (48 hours) , See man find for more info

Find PHP files in uploads directory

find uploads -name “*.php” -print

Find a string of hex digits
grep -rP “(?:\\\\x[A-F0-9]{2}){5}” *


Step 5

Change the passwords on all website user accounts FTP, SSH, MySQL users, WP, etc.

Step 6

Check to see if you have a good backup.

If no backup available:

Take note of all settings Examine/clean files Scan & manually check folders/files for suspicious files

Step 7 Create new FTP user account Create new database/user Restore from secure backup Reinstall, redo any settings changes In both scenarios:

Change all passwords; completely wipe files Step 8 Test and debug the site for any issues, broken paths., and missing media Bring site back online After the site is back online look through server logs & site files to discover how you were hacked. To do this use a text file comparison tool like diff

OSSEC is an Open Source Host-based Intrusion Detection SystemYou can use this to analyze server logs and try to pinpoint where/how the attack occurred

http://ossec.github.io/ Report the attack to the FBI via www.ic3.gov Be prepared to share your post-mortem backup