This knowledgebase article explains how to secure your website after it has been hacked, and how to protect it against future attacks.
# How to determine the cause?
The first step in securing your website and returning it to normal operation is to identify how it was hacked. Hacks generally happen for one of the following reasons:
• Your FTP/SSH password was weak enough to be guessed.
• You granted overly permissive access to files or directories in the public_html directory.
• A software application installed on your website contains a vulnerability. Such a vulnerability may allow arbitrary code to run on the server.
Because of the huge growth in pre-bundled software applications, hacks through software vulnerabilities are now more common than FTP/SSH password hacks. Most of the time users set up an application and then forget to apply security updates, leaving their sites vulnerable to attack.
Likewise, if a file or directory in the public_html directory has its permissions set to 777 (i.e. full access for everyone), its code or data may be exposed and potentially exploited by an attacker.
# Securing the FTP/SSH password
First, you need to determine whether someone has obtained your password and logged in to your account. To do this, perform the following steps:
1. Using SSH, log in to your account.
2. Type the following command:
```bash
history
```
This command displays the last 1000 commands run on your account, with their timestamps. Review the recent entries for anything that looks suspicious or that you did not type.
This is not a 100% fool-proof method, because the command history can be altered or forged by a malicious practitioner.
3. Type the following command:
```bash
cat ~/.LastLogin
```
This command displays the IP address of the last user who logged in to your cPanel account.
If you find or suspect that an unauthorized user is accessing your account:
• Change your cPanel account password immediately.
• Stop using FTP. Regular FTP transmits your password over the internet in unencrypted plain text, where it can easily be intercepted. Use SFTP or SSH instead.
• Make sure you are running up-to-date virus and malware protection on every computer you have used to access your account.
Once you have followed these steps, go to the Cleaning up after a hack section below. If you have not found any suspicious behavior, go to the next section.
# Finding out software vulnerabilities
Outdated software applications often contain well-known security vulnerabilities that malicious practitioners can exploit easily using automated scripts. Software applications include anything you have installed using Softaculous, as well as any packages you have installed manually: blogs, image galleries, forums, shopping carts, content management systems, and so on.
Review all the software applications installed on your website and make sure you have the most recent versions with all updates applied. When you update an application, check its plugins as well. If you find any non-standard plugins installed with your applications, do a web search for the plugin name together with the term “vulnerability” to see whether there are known issues with your version. If you discover any known vulnerabilities, either update the plugin or disable it immediately.
You also need to check for recent errors on your website using cPanel’s Error Log feature. These error entries help you find which software applications or files are vulnerable.
Once you have updated your software applications and plugins, go to the Cleaning up after a hack section below.
# Steps for cleaning up after a hack
After securing your website, the next procedure is to clean up the mess left behind by the perpetrators and restore normal operation.
Stop the malicious processes:
First, make sure that no malicious processes are currently running on your account. Otherwise, a process the attacker left running could cause further havoc after you complete the cleanup steps that follow.
Perform the following steps to view the user processes running on your account:
1. Using SSH, log in to your account.
2. Type the following command:
```bash
ps faux
```
3. Inspect the list of running processes and look for suspicious activity. If you find a suspicious process, note its process ID (PID).
The ps command you ran in step 2 also appears in the list; it is not a malicious process and should not be terminated. A listing that contains only normal processes looks like this:
```
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
username 2847697 0.0 0.0 108504 1900 pts/2 Ss 16:37 0:00 -bash
username 2885143 0.0 0.0 109960 1016 pts/2 R+ 16:44 0:00 \_ ps faux
```
These two are normal processes: your login shell and the ps command itself.
4. To terminate each suspicious process that you found, type the following command, replacing process_id with the PID you noted in step 3:
```bash
kill process_id
```
# Remove the hacked files
Go through all the files in your account and delete anything that you did not put there. If you are using an FTP client, make sure it is set to show hidden files. Likewise, if you are using the command line over SSH, use the -a option with the ls command so that it shows all files (many malicious files are marked “hidden”).
While going through the files, you can prioritize the search. First look for file modification timestamps that have changed since you last modified your site, or that fall around the time the hack took place. Once you have identified a file that was modified during the hack (such as a defaced index page), you may be able to locate other affected files by searching for similar timestamps.
For example, to find all the files in your public_html directory that have been modified in the last four days, perform the following steps:
1. Using SSH, log in to your account.
2. Type the following commands:
```bash
cd ~/public_html
find . -mtime -4
```
Note: You can change the -4 option to control how many days back the find command searches for modified files. For example, to search back 6 days instead of 4, use -6.
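The two checks above (recently modified files, and hidden dotfiles that a default FTP view skips) combined into one script, as an added example that is not part of the original article. The `recently_modified`, `hidden_files` and `make_sample_site` function names and the throwaway site tree are constructed for this demo; the script uses GNU find and touch as found on a typical Linux hosting account.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): list files under a web root,
# hidden ones included, that changed within the last N days, newest first.
# The directory tree built by make_sample_site is constructed for the demo.

# Print "<epoch-mtime> <path>" for every regular file (dotfiles included)
# modified in the last $2 days under $1, sorted newest first.
recently_modified() {
    local root="$1" days="$2"
    # -mtime -N matches files changed less than N*24h ago; dotfiles are
    # matched like any other name because find does not skip them.
    find "$root" -type f -mtime "-${days}" -printf '%T@ %p\n' | sort -rn
}

# Print only dotfiles (names starting with '.') under $1; an FTP client
# hides these by default and ls shows them only with -a.
hidden_files() {
    find "$1" -type f -name '.*'
}

# Build a throwaway site tree: two old legitimate files, then one fresh
# dotfile and one freshly changed index page for the functions to find.
make_sample_site() {
    local root="$1"
    mkdir -p "$root/images"
    printf '<h1>home</h1>\n' > "$root/index.html"
    printf 'GIF89a\n' > "$root/images/logo.gif"
    touch -d '30 days ago' "$root/index.html" "$root/images/logo.gif"
    printf 'dropped\n' > "$root/images/.cache.php"   # constructed: recent dotfile
    printf '<h1>defaced</h1>\n' > "$root/index.html"  # constructed: recent change
}

if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    site=$(mktemp -d)
    make_sample_site "$site"
    echo "Files changed in the last 4 days:"
    recently_modified "$site" 4
    echo "Hidden files:"
    hidden_files "$site"
    rm -rf "$site"
fi
```

On a real account, run `recently_modified ~/public_html 4` and compare the results against your own deployment dates before deleting anything.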
# Set the correct file permissions
By default, every directory under the public_html directory should have its permissions set to 755 (i.e., full access for the owner only, and read and execute access for everyone else). Every file should have its permissions set to 644 (read and write access for the owner, and read access for everyone else). Perform the following steps to set these permissions for your account:
1. Using SSH, log in to your account.
2. Type the following commands:
```bash
cd ~/public_html
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
```
Note: After making these changes, you may need to adjust the permissions of a few individual files, depending on the applications you have installed. It is good practice to set the baseline permissions first and then make individual adjustments as necessary.
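An audit-then-fix version of the permission reset above, as an added example that is not part of the original article: it first reports every world-writable file or directory (the 777 case the article warns about), then applies the 755/644 baseline. The function names and the sample tree are constructed for the demo; `stat -c` is the GNU coreutils form.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): report world-writable
# entries under a web root, then reset directories to 755 and files to 644.
# The sample tree built by make_sample_tree is constructed for the demo.

# List every file or directory under $1 that anyone can write to.
# -perm -002 matches entries whose "others write" bit is set (777, 666, ...).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002
}

# Apply the article's baseline: 755 for directories, 644 for regular files.
# Run this first, then loosen the few files an application really needs.
reset_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
}

# Octal mode of a path (e.g. 755), for checking the result.
mode_of() {
    stat -c '%a' "$1"
}

# Constructed tree: one upload directory left at 777 and one 666 config file.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/uploads"
    printf '<?php\n' > "$root/config.php"
    chmod 777 "$root/uploads"
    chmod 666 "$root/config.php"
}

if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    site=$(mktemp -d)
    make_sample_tree "$site"
    echo "World-writable before fix:"; world_writable "$site"
    reset_permissions "$site"
    echo "World-writable after fix:"; world_writable "$site"
    rm -rf "$site"
fi
```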
# Restore databases
SQL injection attacks against vulnerable Joomla installations can alter the database and insert malicious code. Such modifications can grant an attacker access to your account even after you update your applications and remove the altered files.
Therefore, review your database for any suspicious changes. You can also restore the database from a backup that was taken before the attack occurred.
# Restore the lost and modified files
Use the Server Rewind feature in cPanel to restore files in your home directory that have been lost or modified within the past month.
# Reconfigure WordPress
If you are using WordPress, you need to take some additional steps to secure your site after an attack. For example, you need to reset the WordPress security keys.
# Using Cloudflare to enhance security
To help prevent future attacks, consider enabling Cloudflare on your account.
Cloudflare is a content delivery network (CDN) service that MilesWeb provides for free. Cloudflare’s network blocks threats and limits abusive bots before they can reach the web server. This increases security and also reduces wasted bandwidth.
For a shared web hosting account, you can activate Cloudflare in cPanel, or contact MilesWeb support and they will add it to your account. If you do not have a shared web hosting account, you can sign up directly on Cloudflare’s site at http://www.cloudflare.com.