How to recover from a hacked website

From Acenet Knowledgebase
m Docs admin moved page My Site was Hacked, What Do I Do? to My Site was Hacked, What Do I Do without leaving a redirect

Revision as of 11:40, 8 February 2013

Addressing hacks is usually a nightmare that can cost you a lot of time and money. Acenet puts a lot of resources into ensuring that all server-side software is up to date and has all necessary security patches applied as quickly as possible.

Acenet's Shared/Managed Server Security Measures

Our technical support staff regularly watch for security bulletins regarding your shared/managed server's software. Our kernels are kept up to date, non-standard ports are closed off in our aggressive firewall, and server software is kept at the latest stable, secure version.

How was I hacked?

If your account has been hacked, the first question you should ask yourself is "How was I hacked?"

There are a number of ways a hacker could have gained access to your account.

[1] They obtained your login details.

[2] They exploited a vulnerability in an outdated/insecure script. (This is the most common.)

Acenet, Inc. does not monitor the content you put on your website. You are free to host a wide range of scripts, from shopping carts to image galleries. Similar to our precautions server side, it is a good idea to ensure that the software or scripts you use are kept up to date within your user space. This includes any modules, plugins, themes, addons, etc. you may have installed.

The latest version of a script can also be vulnerable to hackers. You will want to contact any script developers to ensure the latest version of their script is secure and if it's not, what needs to be done to make it secure.

[3] They uploaded malicious file(s) using an upload script available in your account.

Now that I've been hacked, what should I do?

The next question you should ask yourself is "Now that I've been hacked, what should I do?"

Acenet has written this guide to assist you but this is a question best answered by your webmaster. You can either follow this guide or hire a webmaster. Acenet's experts are occasionally available to take on paid webmaster work. The billable rate for webmaster labor is $79.95/hour.

Alternatively, you can find available professionals that can assist you at the links posted below.

http://elance.com
http://guru.com

This guide was written with a novice in mind, but covering all necessary vocabulary and industry knowledge is impractical. Novices should expect to do additional research (Googling) to fill in their knowledge gaps. Hiring a qualified professional is highly recommended.

Here is what Acenet suggests for your webmaster to do:

Backup your account

You can download all of your site's content to your local machine via FTP or, if you have access to cPanel, you can generate a full account backup through your cPanel. You can view our knowledgebase article for more details on Generating a Full Backup.

Download the backup to your local machine. You will want to ensure you have your backup saved somewhere other than your account on the server before proceeding with the next step.

Reset all of your passwords

This includes your cPanel (control panel), FTP users, database users, script admin users, and email addresses.

Delete all cron jobs

If you have access to cPanel, you can view our knowledgebase article on how to Delete a Cron Job.

Remove your current content

Delete all of the content from your account's document root folder. This is most commonly the public_html folder.

Once your account is compromised, it is possible that the attacker has installed a backdoor for easier access in the future. Deleting all of the content from your account's document root folder is the only true way to ensure you have cleared out all untrusted material.

Re-install your site's scripts

Re-install the latest version of any scripts you still need. This includes any plugins, modules, addons, themes, etc.

If you have shared hosting with us or have purchased Fantastico and/or Softaculous for your virtual/dedicated server(s), we suggest installing your script(s) using Fantastico or Softaculous which are available in your cPanel. Fantastico and Softaculous can send you notifications when new versions of the script(s) you have installed are available and installing scripts through Fantastico and Softaculous is a lot easier than manually installing them.

Check your databases to see if they were hacked

Hacked databases are not common, but they do happen. If the database is hacked, it will need to be cleaned before you use it again.

Reconnect your scripts

Re-configure the newly installed script(s) to connect to the appropriate database. You will want to proceed with this step once you have confirmed that your database(s) are clean. There are circumstances where your database(s) may need to be converted to work with the latest version of the script you installed. Most of the time, all that needs to be done is to modify the script's configuration file to use the database's connection details.

If you're unsure which file holds the database information for your script, we maintain a Configuration File Location Cheat Sheet.

Upload clean files

Upload any needed clean files from the backup you generated.
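
The following is an added example for this step, not Acenet's own tooling: a Python script run on your local machine against the downloaded backup, listing files that should be reviewed rather than re-uploaded. The extension list, folder names, patterns and the sample files in `demo()` are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed values: adjust to the scripts and folder names your site actually uses.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi"}
DATA_DIRS = {"uploads", "images", "media", "cache", "tmp"}  # should hold no scripts
# Constructs common in PHP backdoors; legitimate code can match, so review by hand.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\b(system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)
# .htaccess directives that can make the server execute non-script files.
HANDLER = re.compile(rb"^\s*(AddHandler|AddType|SetHandler)\b", re.I | re.M)

def triage(backup_root):
    """Return {relative path: [reasons]} for files to review before re-uploading."""
    root, findings = Path(backup_root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        in_data = bool(DATA_DIRS & {part.lower() for part in rel.parts[:-1]})
        is_script = path.suffix.lower() in SCRIPT_EXTS
        head = path.read_bytes()[:1_000_000]  # the first 1 MB is enough for triage
        checks = [
            (is_script and in_data, "script in data directory"),
            (is_script and SUSPICIOUS.search(head), "obfuscated or request-driven code execution"),
            (path.name == ".htaccess" and in_data and HANDLER.search(head), "handler override in data directory"),
        ]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def demo():
    """Triage a small constructed backup tree (sample data, not from a real site)."""
    files = {
        "public_html/index.php": b"<?php echo 'hello'; ?>",
        "public_html/images/thumb.php": b"<?php echo 1; ?>",
        "public_html/includes/footer.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "public_html/uploads/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(tmp)

if __name__ == "__main__":
    print(demo())
```

An empty result does not prove a file is clean. Wherever a fresh copy exists from the script's developer, use that instead of the copy in the backup.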

How can I prevent my account from being hacked?

This is a question that is also best answered by your webmaster or the script developers of the script(s) you have installed within your account. Here are some suggestions Acenet has.

Keep scripts updated

Keep all scripts installed within your account updated to the latest version available.

Developers of web-based scripts release new updates to their software periodically. These updates often contain feature upgrades, but more importantly contain security updates as well. By keeping your scripts up to date, you ensure that the latest security holes are patched and only the content you post is displayed on your website.

If you have installed any scripts through Fantastico or Softaculous within your cPanel, you can have a notification emailed to you once a new version is available for any of the scripts you have installed.


Use secure passwords

Only use secure passwords. A secure password consists of letters, lowercase and uppercase, and numbers composed in a random pattern. At the very least, you want to ensure your passwords do not occur in a dictionary. It is not uncommon for hackers to attempt what is called a "Dictionary Attack". In such an attack, all of the words contained within a dictionary are guessed as a possible password. If your password occurs in the dictionary, such a brute-force guessing attack will succeed and allow unauthorized visitors access to privileged information. Here are a few examples:

Bad Passwords: password sailboat admin yellow

Good Passwords (but don't use these exactly): hal2kejslIs9 122l0745Js Plwn24sueh37

Your passwords should be 8-15 characters in length and, if you cannot remember it, should be written down in a location only you are aware of. Do not share passwords with untrusted individuals.

Remove script install files

Remove any script install files from your account. Scripts usually let you know, after installation is complete, what files should be removed from your account. If you're not sure what can and cannot be removed, you will want to contact the script developers for assistance.

Password protect admin folders

Password protect the directory where any script's admin panels are located.

This is just added security to ensure that only the individuals you want to have access to your script's admin panel have access. If you have access to cPanel, you can password protect a directory through your cPanel. You can view our knowledgebase article on how to Password Protect a Directory.

Secure Upload scripts

Make sure any upload scripts installed within your account are locked down so that only the individuals you want to be able to use them are able to do so.

Doing this could be something as simple as password protecting the directory where the upload script is located. It depends on how the upload script is installed. If you're not sure how to lock down your upload script(s), you will want to contact the script developers for more details on how to do so.

Unique MySQL users

Use a username and password to connect to a database that are only used to connect to that database.

What this means is do not use a username and password that are used to connect to other things related to your account. For example, scripts can be configured to connect to a database using the account's cPanel username and password. This is insecure because the database connection details specified within a script's configuration file are usually stored within a flat text file which can be read. If a hacker is able to read your script's configuration file, using a username and password that are only able to connect to the database specified within the configuration file will ensure the hacker does not gain access to anything else.

Security Plugins

Install any available security plugins that are recommended for your script(s).

If you're not sure of any, you could search for recommendations to see what other users of your script(s) recommend or you can contact the script developers directly and ask what they recommend.

Separate Addon Domains

Do not host multiple sites that have scripts installed within them under one user.

It is best to keep sites that have scripts installed within them separated into their own user spaces. If one of the sites gets hacked, the hacker will most likely have access to all of the other sites being hosted under that user. By separating the sites into their own users, you are limiting the damage the hacker can do.

As the saying goes, an ounce of prevention is worth a pound of cure. Recovering from a hacking can be time consuming, not to mention detrimental to your site's image. By following the preventative measures above, you can spare yourself the hassle of restoring your site and removing unwanted material.