How to recover from a hacked website
Addressing hacks is usually a nightmare which can cost you a lot of time/money. Acenet puts a lot of resources in ensuring that all server-side software is up to date and has all necessary security patches applied as quickly as possible.
- 1 Acenet's Shared/Managed Server Security Measures
- 2 How was my website hacked?
- 3 Now that I've been hacked, what should I do?
- 4 How can I prevent my account from being hacked?
Our Technical support staff regularly watches for security bulletins regarding your shared/managed server's software. Our kernels are kept up to date, non-standard ports are closed off in our aggressive firewall, and server software is kept at the latest stable, secure version.
How was my website hacked?
You may be wondering "How was my website hacked?"
Here are the two main reasons why websites get hacked:
1 ) A script vulnerability was exploited. (most common)
If you installed a script and failed to keep it updated, you can be all but certain that is why you were hacked. It is imperative that you regularly update all the scripts you use. Script developers endlessly release new versions that patch discovered vulnerabilities. New vulnerabilities are introduced into the code as script developers code new features. Discovered vulnerabilities are patched; new features are coded, which introduce new vulnerabilities. It is a never ending cycle.
2 ) A password was compromised.
Hosting servers managed by Acenet feature Brute Force Protection. Brute force is a technique used by evildoers to defeat password protection mechanisms; this technique involves trying a large combination of passwords until the correct password is guessed. After a few unsuccessful login attempts, the person attempting to login is locked out from any further login attempts on hosting servers managed by Acenet. If you are an Acenet shared hosting subscriber, your password cannot be defeated by brute force.
If your password cannot be defeated by brute force, how could an evildoer defeat password protection on your account? Here are two reasons:
1) You are using a ridiculously weak password.
Use a secure password. A secure password is a random combination of lowercase letters, uppercase letters, numbers and special character symbols. A ridiculously weak password, for example, would be your username. Another example of a ridiculously weak password would be "admin". Ridiculously weak passwords can easily be guessed in a single login attempt. If you were using a ridiculously weak password, that is probably how the evildoer hacked your website. You can generate strong, secure passwords inside cPanel using the random password generator.
2) Your workstation is compromised.
If you do not keep your workstation clean and secure, an evildoer could have access to all the passwords you use on your workstation.
Install these free Windows security software packages:
A) MalwareBytes download it free at http://www.malwarebytes.org
B) Microsoft Security Essentials download it free at http://windows.microsoft.com/en-us/windows/security-essentials-download
Now that I've been hacked, what should I do?
The next obvious question is "Now that I've been hacked, what should I do?"
Acenet strongly encourages you to hire a qualified professional to repair your hacked website for you. The cost will be minimal compared to the amount of stress your are spared. Plus, if you do not do it right, you will just get hacked again. A qualified professional will provide the emotional relief you desire. You won't have to exert an ounce of energy recovering from this nightmare. And you will enjoy peace of mind knowing your website is properly secured -- it won't be hacked again when you wake up.
Best of all, Acenet found a qualified professional for you -- a guy who genuinely cares about you and your website. Helping you recover from a hacked website is his life passion. His name is Jim Walker, he has 15 years experience, and you can call him on is cell phone any time of day. His number is (619) 479-6637. Once you call Jim, you will know you are in good hands. You can learn more about Jim and what he does by visiting his website http://hackrepair.com/. You can also email Jim; his email address is jim [at] hackrepair.com. (Neither Jim Walker nor hackrepair.com have any affiliation with Acenet, Inc.)
Acenet has written the following general guide for those who insist on handling the recovery on their own.
This guide was written with a novice in mind, but covering all necessary vocabulary, industry knowledge, and script-specific information is impractical. Novices should expect to do additional research (Googling) to fill in their knowledge gaps. Hiring a qualified professional is highly recommended. (Call Jim Walker at (619) 479-6637.)
Here is what Acenet suggests webmasters do:
Backup your account
You can download all of your site's content to your local machine via FTP or, if you have access to cPanel, you can process a full account backup through your cPanel. You can view our knowledgebase article for more details on Generating a Full Backup
Download the backup to your local machine. You will want to ensure you have your backup saved somewhere other than your account on the server before proceeding with the next step.
Reset all of your passwords
This includes your cPanel (control panel), FTP users, database users, script admin users, and email addresses.
Delete all cron jobs
If you have access to cPanel, you can view our knowledgebase article on how to Delete a Cron Job
Remove your current content
Delete all of the content from your account's document root folder. This is most commonly the public_html folder.
Once your account is compromised, it is possible that the attacker has installed a backdoor for easier access in the future. Deleting all of the content from your account's document root folder is the only true way to ensure you have cleared out all untrusted material.
Re-install your site's scripts
Re-install the latest version of any scripts you still need. This includes any plugins, modules, addons, themes, and etc.
If you have shared hosting with us or have purchased Fantastico and/or Softaculous for your virtual/dedicated server(s), we suggest installing your script(s) using Fantastico or Softaculous which are available in your cPanel. Fantastico and Softaculous can send you notifications when new versions of the script(s) you have installed are available and installing scripts through Fantastico and Softaculous is a lot easier than manually installing them.
Check your databases to see if they were hacked
Hacked databases are not common but it does happen. If the database is hacked, it will need to be cleaned before you use it again.
Reconnect your scripts
Re-configure the newly installed script(s) to connect to the appropriate database. You will want to proceed with this step once you have confirmed that your database(s) are clean. There are circumstances where your database(s) may need to be converted to work with the latest version of the script you installed. Most of the time all that needs to be done is the script's configuration file needs to be modified to use the database's connection details.
If you're unsure which file holds the database information for your script, we maintain a Configuration File Location Cheat Sheet
Upload clean files
Upload any needed clean files from the backup you generated.
How can I prevent my account from being hacked?
This is a question that is also best answered by your webmaster or the script developers of the script(s) you have installed within your account. Here are some suggestions Acenet has:
Keep scripts updated
Keep all scripts installed within your account updated to the latest version available.
Developers of web-based scripts release new updates to their software periodically. These updates often contain feature upgrades, but more importantly contain security updates as well. By keeping your scripts up to date, you ensure that the latest security holes are patched and only the content you post is displayed on your website.
If you have installed any scripts through Fantastico or Softaculous within your cPanel, you can have a notification emailed to you once a new version is available for any of the scripts you have installed.
Use secure passwords
Only use secure passwords. A secure password consists of letters, lowercase and uppercase, and numbers composed in a random pattern. At the very least, you want to ensure your passwords do not occur in a dictionary. It is not uncommon for hackers to attempt what is called a "Dictionary Attack". In such an attack, all of the words contained within a dictionary are guessed as a possible password. If your password occurs in the dictionary, such a brute-force guessing attack will succeed and allow unauthorized visitors access to privilleged information. Here are a few examples:
Bad Passwords: password sailboat admin yellow
Good Passwords (but don't use these exactly): hal2kejslIs9 122l0745Js Plwn24sueh37
Your passwords should be 8-15 characters in length and, if you cannot remember it, should be written down in a location only you are aware of. Do not share passwords with untrusted individuals.
Remove script install files
Remove any script install files from your account. Scripts usually let you know, after installation is complete, what files should be removed from your account. If you're not sure what can and cannot be removed, you will want to contact the script developers for assistance.
Password protect admin folders
Password protect the directory where any script's admin panels are located.
This is just added security to ensure only the individuals you want to have access to your script's admin panel have access. If you have access to cPanel, you can password protect a directory through your cPanel. You can view our knowledgebase article on how to Password Protect a Directory
Secure Upload scripts
Make sure any upload scripts installed within your account are locked down so that only the individuals you want to be able to use them are able to do so.
Doing this could be something as simple as password protecting the directory where the upload script is located. It depends on how the upload script is installed. If you're not sure how to lock down your upload script(s), you will want to contact the script developers for more details on how to do so.
Unique MySQL users
Use a username and password to connect to a database that are only used to connect to that database.
What this means is do not use a username and password that are used to connect to other things related to your account. For example, scripts can be configured to connect to a database using the account's cPanel username and password. This is insecure because the database connection details specified within a script's configuration file are usually stored within a flat text file which can be read. If a hacker is able to read your script's configuration file, using a username and password that are only able to connect to the database specified within the configuration file will ensure the hacker does not gain access to anything else.
Install any available security plugins that are recommended for your script(s).
If you're not sure of any, you could search for recommendations to see what other users of your script(s) recommend or you can contact the script developers directly and ask what they recommend.
Separate Addon Domains
Do not host multiple sites that have scripts installed within them under one user.
It is best to keep sites that have scripts installed within them separated into their own user spaces. The reason being because if one of the sites gets hacked, the hacker will most likely have access to all of the other sites being hosted under that user. By separating the sites into their own users, you are limiting the damage the hacker can do.
As the saying goes, an ounce of prevention is worth a pound of cure. Recovering from a hacking can be time consuming, not to mention detrimental to your site's image. By following the preventative measures above, you can spare yourself the hassle of restoring your site and removing unwanted material.