Hacked / Compromised / Defaced Website Help Guide

This article aims to outline how account compromises occur, the implications of being hacked, why hackers do what they do and how to restore and secure the account.

How an account can be compromised: The most common methods:

- Using an exploit within outdated software (Joomla, WordPress etc.) installed on your account (this is almost always the case)
- Password obtained via malware/virus/trojan/keylogger on a PC you've used to log in to cPanel or FTP (less likely, but not uncommon)

There are many other methods, but these are either outside of our control or are known, outdated and patched against (brute force/dictionary attacks and some web attacks).

Ultimately, account compromises on our servers are almost certainly the result of either using an infected PC to log in to cPanel/FTP or having exploitable software on the account.

Implications of your account being hacked: The most common problems:

- Defaced website (your site shows a 'you've been hacked' page)
- Addition of malware/malicious code or other unwanted code (intended to spread malware or show advertising)
- Redirection of all traffic from your site to another site (a 'you've been hacked' page and/or a website with malware on it)
- File modification and/or deletion
- Database access/modification/deletion (data compromised if you store personal data or passwords)

Note: Hackers almost always leave a 'back door' so that they can regain access to the site in the future. This could take the form of database changes (e.g. adding an 'admin' user if you use WordPress) or of added files which let them back in.

Why hackers do what they do

- It's usually just a matter of wanting to cause disruption to any site that contains exploitable/outdated software
- If the attack is targeted, the attacker may be trying to gain access to data or just trying to cause disruption to the specific site
- The attacker may want to spread a message to internet users (often relating to religion or politics)
- To use the account to send bulk email (spam)
- To use the account to host fraudulent/phishing sites (fake bank websites etc)
- To try and cause disruption to all accounts on a shared server
- To use the server to attack other servers (sending dummy traffic to other servers)

How to restore your account and prevent further security breaches

It is important that you report the compromise to us immediately so that we can restore the account from backup for you.
The longer the account is left the less likely it is that we will have a working backup to restore for you.
(As per our TOS, backups are the responsibility of the customer and are not guaranteed).

If we restore the account for you to a working (non hacked) version you should take the following steps:

- Run the 'Virus scanner' in cPanel. It's unlikely to find everything, but it may find some infected files for you.
- Update any software on your account (such as WordPress, Joomla etc.)
- Remove any unneeded or outdated plugins or themes. Sometimes plugins/themes are no longer updated by their author, so they could contain exploits that never get fixed.
- Search the developer’s site/forum or Google search for any known exploits and patches. Remove anything that may contain exploits that haven't been patched.
- Update all remaining plugins and themes. Avoid using anything that hasn't been updated for a long time.
- Check for any files that you don't recognise in FTP or File Manager, in all folders on the account, and remove anything you don't recognise. This can be difficult on bigger sites, but if you miss a single 'back door' the site is at risk of further compromise. Malicious files or 'back doors' are often encoded, so if you open a file and it's full of a long string of letters/numbers it's very possibly a back door; be aware, though, that lots of commercial software uses encoding technology (ionCube, Zend) which looks similar.
- Change all account passwords including but not limited to cPanel, additional FTP accounts, databases, email accounts, admin logins for any scripts you have installed.

If we are unable to restore the account for you to a working (non hacked) version:

The steps you need to take will vary depending on what is on your account - whether you have software installed or not and how severe the compromise is.

The above points are a good starting point. If the hack is more severe and you are using software to run your site such as Joomla or WordPress, you may need to take a backup of the account as it is, then delete all the files and try uploading a clean copy of the Joomla or WordPress files to see if this works. If your database is damaged and you don't have your own backup, there is little that can be done.
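The two checks above (looking for unrecognised or encoded files, and comparing the account against a clean copy of the software) can be scripted if you have shell access to the account. The script below is an added example and is not part of the original article or of any cPanel tool; it assumes a POSIX shell with find, grep, awk and sha256sum (or shasum), and the sample site tree it builds is constructed purely for the demonstration. Remember the caveat from the list above: commercially encoded files (ionCube, Zend) will also trip the long-string check, which is exactly why the comparison against a known-clean copy is the more reliable of the two.

```shell
#!/bin/sh
# Added example, not from the original article. Flags likely back doors in a web root
# and lists files added to or changed from a clean copy (a fresh CMS download or a
# pre-compromise backup). All paths used here are placeholders built by make_sample_tree.

# Print every PHP-like file under $1 that contains a typical obfuscation call or a
# single run of 200+ base64-style characters. A hit means "inspect this", not "malicious".
scan_suspicious() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print |
    while IFS= read -r f; do
        if grep -Eqi 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|shell_exec[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        elif grep -Eq '[A-Za-z0-9+/=]{200,}' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Emit "checksum  ./relative/path" for every file under $1, sorted by path.
# Uses sha256sum where available (GNU coreutils), shasum otherwise.
hash_tree() {
    ( cd "$1" && if command -v sha256sum >/dev/null 2>&1; then
          find . -type f -exec sha256sum {} +
      else
          find . -type f -exec shasum -a 256 {} +
      fi ) | LC_ALL=C sort -k2
}

# Compare the live account ($1) with a clean copy ($2). Prints "ADDED <path>" for files
# only present on the live account and "MODIFIED <path>" for files whose checksum differs.
# Paths containing spaces are not handled (awk splits on whitespace).
compare_with_clean() {
    work=$(mktemp -d)
    hash_tree "$2" > "$work/clean.sum"
    hash_tree "$1" > "$work/live.sum"
    awk 'FILENAME == ARGV[1] { clean[$2] = $1; next }
         !($2 in clean)       { print "ADDED " $2; next }
         clean[$2] != $1      { print "MODIFIED " $2 }' "$work/clean.sum" "$work/live.sum"
    rm -rf "$work"
}

# Build a constructed sample under $1: a clean two-file install and a "live" copy with an
# injected eval() in index.php plus a dropped file full of one long encoded string.
make_sample_tree() {
    mkdir -p "$1/clean" "$1/live/wp-content/uploads"
    printf '<?php\nrequire "wp-config.php";\necho "Hello";\n' > "$1/clean/index.php"
    printf '<?php\ndefine("DB_NAME", "example");\n' > "$1/clean/wp-config.php"
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\nrequire "wp-config.php";\necho "Hello";\n' > "$1/live/index.php"
    cp "$1/clean/wp-config.php" "$1/live/wp-config.php"
    long=$(printf '%240s' '' | tr ' ' 'Q')   # 240 base64-alphabet characters in a row
    printf '<?php $p="%s";\n' "$long" > "$1/live/wp-content/uploads/.cache.php"
}

# Demonstration run on the constructed tree.
base=$(mktemp -d)
make_sample_tree "$base"
echo "== files that need a manual look =="
scan_suspicious "$base/live"
echo "== differences from the clean copy =="
compare_with_clean "$base/live" "$base/clean"
rm -rf "$base"
```

On a real account, point scan_suspicious at the web root (public_html) and compare_with_clean at the same root plus an unpacked download of the exact CMS version you run; anything reported as ADDED under a directory that should only hold uploads, or as MODIFIED among the core files, is a candidate for the "remove anything you don't recognise" step.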

We've tried to include all the information that we usually send to clients who have had their account compromised. You may open a support ticket if you are still stuck, but this article contains pretty much everything we'd check. If you don't have the technical knowledge required to get your website back online, we may be able to help for a small charge, as this is outside the scope of standard web hosting support.


