fb-page
601-500-1794

Steps to take if your website is hacked.

Entrepreneurs. Connectors. Developers…

We are the WordPress experts. We specialize in WordPress hosting and Security.

Steps to take if your website is hacked.

Step 1 Take the site offline with .htaccess Add this to your HTACCESS make sure the down.php exists.

RewriteEngine On RewriteBase / #add exception for your IP address RewriteCond %{REMOTE_ADDR} !¹¹¹\.111\.111\.111$ RewriteCond %{REQUEST_URI} !^/down\.php$ RewriteRule ^(.*)$ /site-offine.php [L]

Step 2

Take a full backup of your compromised site and database You can use phpMyAdmin or similar to backup DB Make sure to include server log files

Step 3

Alert your web hosting provider and/or web team.

Step 4

Check your website for malicious code. Quite often it will be enclosed in a “eval” something similar to this below.

eval(base64_decode(“aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snb XJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9));

Some basic commands to get you started if you are familiar with ssh.

 

Find common problems in wordpress hacks

Finds eval or base64 decode

grep -ri “eval” [path] grep -ri “base64_decode” [path]

Recently modified files

find -type f -ctime -0 | more

The -type looks for files, and -ctime scans last 24 hours. Subtract days by number (-1 24 gours) or -2 (48 hours) , See man find for more info

Find PHP files in uploads directory

find uploads -name “*.php” -print

Find a string of hex digits
grep -rP “(?:\\\\x[A-F0-9]{2}){5}” *

 

Step 5

Change the passwords on all website user accounts FTP, SSH, MySQL users, WP, etc.

Step 6

Check to see if you have a good backup.

If no backup available:

Take note of all settings Examine/clean files Scan & manually check folders/files for suspicious files

Step 7 Create new FTP user account Create new database/user Restore from secure backup Reinstall, redo any settings changes In both scenarios:

Change all passwords; completely wipe files Step 8 Test and debug the site for any issues, broken paths., and missing media Bring site back online After the site is back online look through server logs & site files to discover how you were hacked. To do this use a text file comparison tool like diff

OSSEC is an Open Source Host-based Intrusion Detection SystemYou can use this to analyze server logs and try to pinpoint where/how the attack occurred

http://ossec.github.io/ Report the attack to the FBI via www.ic3.gov Be prepared to share your post-mortem backup

Questions/Comments?