Steps to take if your website is hacked.
Step 1
Take the site offline with .htaccess. Add this to your .htaccess and make sure the down.php holding page it rewrites to exists (the exception for down.php is what stops the rule from looping on itself).
RewriteEngine On
RewriteBase /
# add an exception for your own IP address (replace 111.111.111.111)
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
# never rewrite the holding page itself
RewriteCond %{REQUEST_URI} !^/down\.php$
RewriteRule ^(.*)$ /down.php [L]
Step 2
Take a full backup of your compromised site and database. You can use phpMyAdmin or a similar tool to back up the database. Make sure to include the server log files.
Step 3
Alert your web hosting provider and/or web team.
Step 4
Check your website for malicious code. Quite often it will be wrapped in an "eval" call, something similar to this:
eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snb XJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9));
Some basic commands to get you started if you are comfortable with SSH.
Find common problems in WordPress hacks
Find eval or base64_decode calls
grep -ri "eval" [path]
grep -ri "base64_decode" [path]
Recently modified files
find . -type f -ctime -1 | more
The -type f looks for regular files, and -ctime -1 restricts the search to files whose status changed in the last 24 hours. Increase the number of days as needed: -2 covers 48 hours, and so on. See man find for more info.
Find PHP files in the uploads directory
find uploads -name "*.php" -print
Find a string of hex-escaped characters (five or more \xNN escapes in a row, upper or lower case)
grep -rP "(?:\\\\x[A-Fa-f0-9]{2}){5}" *
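The Step 4 checks above bundled into one triage script, as an added example that is not part of the original guide. It assumes GNU grep and find (for -P and -ctime) and builds a constructed sample web root (index.php, wp-content/bad.php, uploads/shell.php) so it runs offline; the file names and the category labels are my own.

```shell
#!/bin/sh
# Added example: run the Step 4 triage checks over a web root and print
# one "CATEGORY path" line per finding. Assumes GNU grep/find.

# scan_webroot DIR [DAYS] -> findings, one per line, category first
scan_webroot() {
  dir="$1"; days="${2:-1}"
  # eval()/base64_decode in any text file under the web root
  grep -rIl -i -e 'eval(' -e 'base64_decode' "$dir" 2>/dev/null | sed 's/^/EVAL /'
  # five or more \xNN escapes in a row: a common way to hide strings
  grep -rIlP '(?:\\x[A-Fa-f0-9]{2}){5}' "$dir" 2>/dev/null | sed 's/^/HEX /'
  # PHP files inside the uploads directory, which should hold no code
  find "$dir/uploads" -type f -name '*.php' 2>/dev/null | sed 's/^/UPLOADPHP /'
  # files whose status changed within the last DAYS days
  find "$dir" -type f -ctime "-$days" 2>/dev/null | sed 's/^/RECENT /'
}

# count_findings DIR CATEGORY -> number of findings in that category
count_findings() {
  scan_webroot "$1" | grep -c "^$2 " || true
}

# make_sample -> path of a constructed sample web root (not real malware):
# a clean index.php, an eval/base64 file, and a hex-obfuscated upload
make_sample() {
  root="$(mktemp -d)"
  mkdir -p "$root/uploads" "$root/wp-content"
  printf '<?php echo "hello"; ?>\n' > "$root/index.php"
  printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$root/wp-content/bad.php"
  printf '<?php $x="\\x65\\x76\\x61\\x6c\\x28"; ?>\n' > "$root/uploads/shell.php"
  echo "$root"
}

# Stand-alone demo: scan the constructed sample and clean up
demo_root="$(make_sample)"
scan_webroot "$demo_root"
rm -rf "$demo_root"
```

Point scan_webroot at the real document root (and a larger day count) once the site is offline; RECENT will list every file touched in that window, so read it alongside the server logs rather than on its own.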
Step 5
Change the passwords on all website user accounts: FTP, SSH, MySQL users, WordPress, etc.
Step 6
Check to see if you have a good backup.
If no backup is available:
Take note of all settings
Examine/clean files
Scan & manually check folders/files for suspicious files
Step 7
Create a new FTP user account
Create a new database/user
Restore from a secure backup
Reinstall, redo any settings changes
In both scenarios:
Change all passwords; completely wipe files
Step 8
Test and debug the site for any issues, broken paths, and missing media.
Bring the site back online.
After the site is back online, look through the server logs & site files to discover how you were hacked. To do this, use a text file comparison tool like diff to compare the compromised backup against clean files.
OSSEC is an open source host-based intrusion detection system. You can use it to analyze server logs and try to pinpoint where/how the attack occurred: http://ossec.github.io/
Report the attack to the FBI via www.ic3.gov. Be prepared to share your post-mortem backup.
Questions/Comments?