I have been hacked! [step-by-step troubleshooting guide]
How to unhack WordPress, Joomla or any other website.
It happens to everyone. Up to 30,000 websites are being hacked every single day. Both personal blogs and big corporate websites are being compromised. There is no way to make a website 100% hacker proof. So the best you can do now is to focus on solving the problem and then doing everything possible to harden the website's security.
Talk to the website owner
If you are reading this you are probably somehow responsible for the website that has been hacked. Talking to the website owner (if it's not you) should be one of the first things to do. First of all, explain to them that every website can be compromised and that the website has probably been hacked by an automated script. No one is trying to hurt them personally. It's more about bad luck.
Be honest and don't blame the hosting company or the creator of the website. The only person that could possibly be held accountable is the one responsible for keeping the website up to date (and only if the website software was outdated).
Next, I suggest you explain to them what steps you'll undertake in order to recover the website and to harden its security in the future.
Make a copy of the hacked website
Your task is not only to purge the website, but also to prevent similar attacks in the future. A copy of the hacked website will be useful at a later stage for the post-mortem. Save it on your hard drive for later. The set should include:
- all files (code, images, etc)
- database dump
- server logs
If you have access to the server getting the things mentioned above shouldn’t be a problem. If you don’t have it or don’t know how to do it (e.g. download logs or database dump) then contact your hosting provider and ask for assistance in this process.
Inform users to change their passwords
If users can create accounts on the website that has been compromised, they should be informed immediately. It happens that the website owner would prefer not to reveal the fact that the website has been hacked, but that is a breach of trust and a violation of the responsible disclosure policy we all should follow. Remember that such situations are quite common and even big companies like LinkedIn or MySpace had to ask their users to change their passwords.
The best way to let users know is to email them with the information that the website has been hacked and their password may have been obtained by the attacker. The main purpose of this email is to make them aware that, if they use the same password in many places (which is risky, but very common), they should change the password everywhere that password was used. Additionally, when I write such an email I always encourage users to set a different password for every website or service and to start using a password manager to store all these different passwords.
Discover when the website was hacked
It's crucial to learn when the website was compromised. This tells you how old a backup must be in order to contain an uncompromised website.
This may seem quite an easy task at first, but frankly it is not. It's not about the moment someone spotted that the website had been hacked. It's about the moment the website was successfully compromised. Sometimes it takes a while for people to notice, especially if the website is not very popular or the hack is difficult to notice. Moreover, some hacking scripts remain silent for a certain period of time after compromising the website. In late 2015, a blog of the British newspaper The Independent had been compromised for 6 weeks before anyone noticed.
Analyzing server logs and file modification dates is the key to learning the correct date.
Try to find a backup from before hacking
The easiest way to unhack a website is to restore it from a backup done before the website has been hacked. So now it’s the time to check if there are any backups available.
If you did regular backups yourself - good for you. If not - contact your hosting provider, as almost all of them do backups of all stored data. But you'd better be quick. Some hosting providers keep only a limited number of backups (e.g. from the last 7 days), so the earlier you ask, the bigger the chance of getting a backup of the non-compromised website.
Additionally, many web developers keep copies of all the websites they have created. So, if you haven't developed the website yourself, it's a path worth exploring. If there were no changes made to the website since release and no content has been added, then this may also be a viable way to go.
Pull together a temporary landing page
You will need some time to purge the malicious scripts from the website, so it's advisable to pull together a temporary landing page for people visiting the website. Just write that the website is "under maintenance" and "will be back soon". You can also paste a link to a Facebook page (if there is any). The best way to do that is to create a static HTML file, upload it to the server and redirect the traffic in the .htaccess file.
This should give you peace of mind to deal with the hack and make sure that you'll solve the problem completely and avoid a similar situation in the future.
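One way to set up such a landing page on Apache, as an added example that is not part of the original guide: a static maintenance.html plus an .htaccess that answers every request with a 503 and that page, while letting one admin address (here the constructed 203.0.113.5) through so the clean-up can continue. It assumes mod_rewrite is enabled and that .htaccess overrides are allowed for the document root.

```shell
# Added example: put a static maintenance page in front of the whole site while keeping
# access for a single admin address. Assumes Apache with mod_rewrite and AllowOverride.
write_maintenance_page() {
    docroot="$1"
    admin_ip="$2"
    # Escape dots so the address is matched literally by the RewriteCond regex
    admin_ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')

    cat > "$docroot/maintenance.html" <<'EOF'
<!doctype html>
<html><head><meta charset="utf-8"><title>Under maintenance</title></head>
<body><h1>This site is under maintenance</h1><p>We will be back soon.</p></body></html>
EOF

    # WordPress and Joomla ship their own .htaccess; keep a copy so it can be restored later
    if [ -f "$docroot/.htaccess" ]; then
        cp "$docroot/.htaccess" "$docroot/.htaccess.pre-maintenance"
    fi

    # Every request except from the admin address (and for the page itself) gets a 503
    # plus the static page. 503 tells search engines the outage is temporary.
    cat > "$docroot/.htaccess" <<EOF
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${admin_ip_re}\$
RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
RewriteRule ^ - [R=503,L]
EOF
}

# Demonstration on a constructed document root that already has an .htaccess
DOCROOT=$(mktemp -d)
printf '# existing rules\n' > "$DOCROOT/.htaccess"
write_maintenance_page "$DOCROOT" 203.0.113.5
cat "$DOCROOT/.htaccess"
```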
Find out the way of entry
I know it may seem difficult, but unless you do it you are blind and you can never be sure that the website will not get hacked again, and again, and again. For this task you will need the copy of the hacked website together with the server logs that I mentioned in one of the prior steps.
If your site is running WordPress, extract the hacked website in some isolated environment and use WPScan to see if it reports any vulnerabilities. That will be the most probable way of entry.
If your website is not running WordPress or the scan mentioned above didn't return anything useful, it's time to dig into the server logs. Scan your access logs for unusual request paths and suspicious User Agents (e.g. a recent Joomla exploit used a bug in parsing the User Agent, allowing for remote code execution). Here's a great guide by Sucuri on how to use grep on server logs.
You can also just grep through your site’s code looking for signs of potential malware (e.g. evals, system calls, calls to chr).
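The log and code checks from this step and the "when was it hacked" question from the earlier step, as an added example that is not part of the original guide. The access log, the site files and the addresses are all constructed sample data standing in for the copy you saved; the three functions are mine, not a Sucuri or WPScan feature.

```shell
# Added example: constructed copy of a hacked site plus its access log, and three checks.
WORK=$(mktemp -d)
LOG="$WORK/access.log"
SITE="$WORK/site"
mkdir -p "$SITE/wp-content/uploads/2016/03"

# Constructed Apache combined-format log: 203.0.113.5 starts calling a PHP file
# that appeared in the uploads directory (addresses are documentation ranges).
cat > "$LOG" <<'EOF'
203.0.113.5 - - [09/Mar/2016:22:10:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:03:14:07 +0000] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:08:00:00 +0000] "GET /about/ HTTP/1.1" 200 4099 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Mar/2016:03:15:00 +0000] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF

# Constructed site files: one legitimate, one carrying the classic eval/base64 pattern
printf '<?php echo "hello"; ?>\n' > "$SITE/index.php"
printf '<?php eval(base64_decode("CONSTRUCTED_PLACEHOLDER")); ?>\n' \
    > "$SITE/wp-content/uploads/2016/03/cache.php"

# Requests that execute PHP out of the uploads tree. An upload directory should only
# ever serve static files, so every hit like this deserves a closer look.
suspicious_requests() {
    grep -E '"(GET|POST) /wp-content/uploads/[^ ]*\.php' "$1" || true
}

# Timestamp of the first request to a given path: the earliest evidence that the file
# existed on the server, so the compromise happened no later than this.
first_request_to() {
    grep -F -- " $1 " "$2" | head -n 1 | sed -E 's/.*\[([^]]+)\].*/\1/'
}

# PHP files calling functions that injected malware relies on. Legitimate plugins use
# some of these too, so review each hit instead of deleting blindly.
suspicious_code_files() {
    grep -rlE --include='*.php' \
        '(eval|base64_decode|gzinflate|system|passthru|shell_exec|chr)[[:space:]]*\(' "$1" || true
}

echo "Suspicious requests:"; suspicious_requests "$LOG"
echo "First hit on the dropped file: $(first_request_to /wp-content/uploads/2016/03/cache.php "$LOG")"
echo "Files with suspicious code:"; suspicious_code_files "$SITE"
```

On a real copy, cross-check the first-request time against the modification time of the file (ls -l --time-style=full-iso on Linux) and against the requests from the same address just before it, which is usually where the actual entry point shows up.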
Recover the website
Now it’s time to bring the website back to life. I recommend you focus first on cleansing the code and in the next step we will discuss how to increase the website security.
The procedure will depend on whether or not you have a backup from before the website was hacked.
If you have a backup
If you have such a backup, restore it somewhere and then compare the old code with the code of the hacked website. Most popular IDEs have a diff function which is very helpful for that purpose. This way you can easily find all the modifications made to the code since the last non-compromised backup was created.
Now, take the database from the current version, the code from the backup, add modifications made later on (apart from the one made by a hacker) and you have a website to restore.
If you don’t have a backup
If you don't have a backup, the situation is more difficult. Basically you need to rebuild the codebase from scratch. I suggest starting by installing the CMS in the same version as the one on the hacked website. Next add all the plugins and themes (again, ideally in the same version). Then compare this codebase with the code of the hacked website. Most popular IDEs have a diff function which is very helpful for that purpose. This way you can easily find all the modifications made to the code compared to a clean installation.
Take the current database, the newly created code, and add all the modifications (except those made by the hacker). Before the last step, you can consider updating the CMS, themes and plugins (if the website was not running the latest version, which is almost always the case) and add the modifications to the code afterwards.
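The comparison described in both cases above (backup vs. hacked copy, or clean install vs. hacked copy), as an added example that is not part of the original guide and runs from the command line instead of an IDE: diff -rq between the two trees, normalized into a list of added, removed and modified files to review before restoring. The two trees below are constructed sample data.

```shell
# Added example: summarize "diff -rq" between a known-good tree and the hacked copy
# as ADDED / REMOVED / MODIFIED lines; the hacked copy is the second argument.
changed_files() {
    clean="$1"; hacked="$2"
    diff -rq "$clean" "$hacked" | awk -v h="$hacked" '
        # "Only in <dir>: <name>": present on one side only. A whole new directory shows
        # up as a single line, so inspect added directories recursively afterwards.
        /^Only in / {
            sub(/^Only in /, ""); split($0, p, ": ")
            tag = (index(p[1], h) == 1) ? "ADDED " : "REMOVED "
            print tag p[1] "/" p[2]; next
        }
        # "Files <a> and <b> differ": same path on both sides, different content
        /^Files .* differ$/ { print "MODIFIED " $4 }' | sort
}

# Constructed sample: clean install vs. hacked copy with one injected file,
# one modified core file and one file that went missing.
BASE=$(mktemp -d)
CLEAN="$BASE/clean"; HACKED="$BASE/hacked"
mkdir -p "$CLEAN/wp-content/uploads" "$HACKED/wp-content/uploads"
for d in "$CLEAN" "$HACKED"; do
    printf '<?php /* core */ ?>\n' > "$d/index.php"
    printf 'define("DB_NAME", "site");\n' > "$d/wp-config.php"
done
printf 'readme\n' > "$CLEAN/readme.txt"
printf '<?php eval(base64_decode("CONSTRUCTED")); ?>\n' >> "$HACKED/index.php"
printf '<?php /* dropped */ ?>\n' > "$HACKED/wp-content/uploads/cache.php"

changed_files "$CLEAN" "$HACKED"
# For the content of each MODIFIED entry, run: diff -ru "$CLEAN" "$HACKED"
```

Legitimate changes made after the backup (your own edits, uploaded media) will appear in the same list, which is exactly the point: every entry is either something to carry over or something the hacker left behind.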
Harden the website for the future
You have solved the problem for now. Congratulations! Now let's talk about bolstering your website's security against future attacks. Because, let's be honest, there will be more and more hacking attempts on websites. Some basic steps include:
a) setting a regular backup schedule, so that you are sure you have a copy of the website that can be used for restoration any time you need it. Here's my article on how to configure backups correctly.
b) keeping all your website software up to date. Keep in mind that an outdated CMS, plugins, themes or even PHP is currently the most favored way of entry for hackers. Using tools like Perfect Dashboard can help you manage updates more easily.
c) a Web Application Firewall can also be beneficial to stop the most common types of attacks. I recommend Sucuri, as their solution is suitable for the most popular CMSs.
All in all, getting hacked is never a pleasant experience, but if you follow this guide I’m sure that you will be able to purge malicious code from the website and significantly decrease the number of such incidents in the future.
Mateusz Podraza contributed to this guide.