This article explains how to get a hacked website working again and how to secure it against future attacks.
Determining the cause
Before you can secure and repair your website, you need to know how it was hacked. Most hacks occur for one of the following reasons:
- Your FTP/SSH password has been compromised.
- File permissions for files or directories in the public_html directory are too permissive.
- You have a software application installed on your website that contains a vulnerability, and the vulnerability is being exploited to run arbitrary code on the server.
Websites are hacked through a software vulnerability more often than through a compromised password. That is largely due to the huge growth in pre-bundled software applications: when users set up an application but forget to update it, they leave it vulnerable to malware attacks. Similarly, if a file or directory in the public_html directory has its permissions set to 777 (full access for everyone), code or data may be exposed and exploited by an attacker.
Looking for FTP/SSH password compromises
First, make sure that it was not your password that was compromised. To determine this, follow the steps below:
- Log in to your account using SSH.
- At the command prompt, type the following command: history. This command displays the last 1000 commands run on the account, along with when they were run. Review the recent entries for any commands that look suspicious or that you did not type. Keep in mind that this method is not 100% accurate, because a malicious actor can alter the history.
- At the command prompt, type the following command: cat ~/.lastlogin. This command displays the IP address of the last user who logged in to your cPanel account. This information is also available on the cPanel home screen.
If you find evidence of unauthorized access to your account, take the following actions:
- Change your account password in cPanel immediately.
- Stop using FTP. Regular FTP transmits your password over the Internet in unencrypted plaintext, where it is easily intercepted. Use SFTP or SSH instead.
- Verify that you are running up-to-date virus and malware protection on any computers you have used to access your account.
If you do not find any suspicious behavior or unauthorized entries after following the steps above, look for software vulnerabilities next.
Looking for software vulnerabilities
If any software applications on your website are out of date, they can contain well-known security vulnerabilities that malicious actors exploit using automated scripts. This includes any application you installed using Softaculous, as well as any package you installed manually: blogs, image galleries, forums, shopping carts, content management systems, and so on.
To find vulnerabilities, check all of the software on your website for updates and make sure the most recent version, with all updates, is installed. When you update software applications, check their plugins as well. If you installed any non-standard plugins, perform a web search for the plugin name together with the term “vulnerability” to see whether there are known vulnerabilities in that plugin or in the version you have. If you discover a vulnerability, either update the plugin or disable it.
As a precaution, also check for recent errors on your website using cPanel's Error Log feature. Error messages may help you determine which software applications or files are vulnerable.
After you have checked every software application and plugin you have, and updated or disabled them, you can clean up your website.
Cleaning up after a hack
Once you have secured your website by following the guidelines above, it is time to clean up the malware and get your website working as it did before the hack.
Stopping malicious processes
First, make sure that any malicious processes running from your account have been stopped completely and are no longer altering your website. Otherwise you may work through the steps below only to have to redo them all.
In order to view the user processes running on your account, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following command:
ps faux
- Examine the list of running processes and look for anything suspicious. If you do see a suspicious process, note the process ID (PID) number.
- To kill any suspicious processes that you found, type the following command for each process, replacing process_id with the process ID (PID) that you noted in the previous step:
kill process_id
Removing hacked files
Go through all the files on your account and delete anything that you did not upload. If you are using an FTP client, make sure it is set to show hidden files.
If you are using the command line over SSH, use the -a option with the ls command so that it shows all files; many malicious files try to persist on your account by staying hidden.
Although we recommend going through all of your files, you can prioritize your search. Look first for files whose modification timestamps are later than your last change to the site, or that fall around the time the hack took place. Once you identify a file that was modified during the hack, you may be able to locate other affected files by searching for similar timestamps.
For example, to find all of the files that have been modified in your public_html directory within the last three days, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following commands:
cd ~/public_html
find . -mtime -3
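As an added example (not code from the original article), the following script turns the timestamp triage described above into two reusable shell functions: one lists files modified within the last N days, the other lists everything newer than a file already known to be tampered with. The sample web root, its file names and the January 2020 timestamp are constructed here purely for demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: timestamp triage of a
# web root. Assumes a POSIX shell with find, sort, touch -t and mktemp.

# List regular files under $1 modified within the last $2 days, sorted.
# find does not skip dot files, so hidden files are covered automatically.
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# List regular files under $1 whose modification time is later than that of
# the reference file $2. Once one tampered file is known, everything newer
# than it is a candidate for review.
modified_after() {
    find "$1" -type f -newer "$2" | sort
}

# Count the output lines of a command (used by the demo and the test).
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Build a constructed sample web root in a scratch directory and print its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/uploads" "$root/public_html/.hidden"
    # Legitimate site files: give them a fixed old timestamp (1 January 2020).
    touch -t 202001010000 "$root/public_html/index.php"
    touch -t 202001010000 "$root/public_html/wp-content/uploads/logo.png"
    # Files written just now, standing in for a recent compromise: one is
    # hidden, the other sits in an uploads directory that should hold no PHP.
    echo 'sample' > "$root/public_html/wp-content/uploads/.cache.php"
    echo 'sample' > "$root/public_html/.hidden/unknown.php"
    echo "$root/public_html"
}

# Demo run when the script is executed directly.
webroot=$(make_sample_root)
echo "Modified within the last 3 days under $webroot:"
recently_modified "$webroot" 3
echo "Newer than index.php:"
modified_after "$webroot" "$webroot/index.php"
```

On a real account you would call recently_modified ~/public_html 3 instead of the constructed sample root; modified_after is the follow-up step once the first tampered file has been found.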
Setting correct file permissions
By default, every directory beneath the public_html directory should have its permissions set to 755, and every file should have its permissions set to 644 (read and write access for the owner, read access for everyone else). To set these permissions for your account, follow the steps below:
- Log in to your account using SSH.
- At the command prompt, type the following commands:
cd ~/public_html
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
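As an added example (not code from the original article), this script wraps the two find commands above in a small audit: it first lists entries that are group- or world-writable, then everything that deviates from the 755/644 baseline, and only then applies the fix. The sample tree, its file names and the deliberately wrong modes are constructed here for demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a web root for
# permissions looser than the 755/644 baseline, then normalize them.
# Assumes a POSIX shell with find, chmod and mktemp.

# Print anything under $1 that is writable by group or others. A 777 entry
# (full access for everyone) is the extreme case the article warns about.
find_loose_perms() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Print directories that are not exactly 755 and files that are not exactly
# 644. Reviewing this list before running fix_perms shows what will change.
find_nonbaseline() {
    find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \) -print | sort
}

# Apply the baseline from the article: 755 for directories, 644 for files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Count the output lines of a command (used by the demo and the test).
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Build a constructed sample web root with a few deliberately wrong modes
# and print its path.
make_perm_sample() {
    root=$(mktemp -d)
    web="$root/public_html"
    mkdir -p "$web/uploads"
    : > "$web/index.php"
    : > "$web/wp-config.php"
    : > "$web/uploads/bad.php"
    chmod 755 "$web"
    chmod 777 "$web/uploads"          # world-writable directory
    chmod 644 "$web/index.php"        # already at baseline
    chmod 600 "$web/wp-config.php"    # tighter than baseline, not loose
    chmod 666 "$web/uploads/bad.php"  # world-writable file
    echo "$web"
}

# Demo run when the script is executed directly.
webroot=$(make_perm_sample)
echo "Group/world-writable entries before the fix:"
find_loose_perms "$webroot"
echo "Entries off the 755/644 baseline before the fix:"
find_nonbaseline "$webroot"
fix_perms "$webroot"
echo "Entries off the 755/644 baseline after the fix (expect none):"
find_nonbaseline "$webroot"
```

Note that fix_perms applies 644 uniformly, exactly as the article's commands do, so a configuration file you had deliberately kept at 600 (wp-config.php in the sample) is loosened to 644; re-tighten such files afterwards if that was intentional.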
Restoring databases
Some hacks change the database and store malicious code in it, as in SQL injection attacks against vulnerable Joomla! installations. Through this code, the attacker can regain access to your account even after you have updated everything and properly secured your account. Therefore, look through your databases for any suspicious alterations. Better still, restore a backup of the databases that was taken before the malicious files were uploaded.
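As an added example (not code from the original article), this script shows two ways to look for the database alterations described above, working on plain SQL dump files such as those produced by mysqldump: a pattern scan for markup and PHP calls that do not belong in content rows, and a comparison against a pre-incident backup dump. The two dumps, their table names and rows are constructed here for demonstration and do not come from any real site.

```shell
#!/bin/sh
# Added example, not part of the original article: check a database dump
# for injected markup and compare it against a pre-incident backup dump.
# Assumes a POSIX shell with grep, diff, sed and mktemp.

# Markup and PHP calls that have no business inside post or option rows.
SUSPECT_PATTERN='<script|<iframe|javascript:|eval\(|base64_decode'

# Print matching lines of dump file $1 with line numbers (case-insensitive).
scan_dump() {
    grep -n -i -E "$SUSPECT_PATTERN" "$1"
}

# Print lines present in the current dump $2 but not in the backup dump $1:
# the rows that were added or modified since the backup was taken.
dump_diff() {
    diff "$1" "$2" | grep '^> ' | sed 's/^> //'
}

# Write a constructed backup dump and current dump into a scratch directory
# and print its path. The injected row uses the reserved .invalid domain.
make_sample_dumps() {
    d=$(mktemp -d)
    cat > "$d/backup.sql" <<'EOF'
INSERT INTO wp_options VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome to the site.</p>');
EOF
    cat > "$d/current.sql" <<'EOF'
INSERT INTO wp_options VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome to the site.</p><script src="https://injected.invalid/x.js"></script>');
INSERT INTO wp_options VALUES (2,'active_plugins','a:1:{i:0;s:13:"unknown/x.php";}','yes');
EOF
    echo "$d"
}

# Demo run when the script is executed directly.
dumps=$(make_sample_dumps)
echo "Suspicious rows in current.sql:"
scan_dump "$dumps/current.sql"
echo "Rows added or changed since backup.sql:"
dump_diff "$dumps/backup.sql" "$dumps/current.sql"
```

The pattern scan only catches the obvious cases; the diff against the backup is the more reliable check, because a changed option row (the second difference in the sample) carries nothing the pattern list would flag.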
Restoring lost and modified files
You can use the Server Rewind feature in cPanel to restore files in your home directory that have been lost or modified within the past month.
Reconfiguring WordPress
If you use WordPress, there are additional steps you must take to secure your site after an attack. For example, you must reset the WordPress security keys.
Using Cloudflare to enhance security
Consider enabling Cloudflare on your account to protect it from future malware attacks.
Cloudflare is a content delivery network (CDN) service that we provide to web hosting customers. Cloudflare's network blocks threats and limits abusive bots before they reach the web server, which increases security and reduces wasted bandwidth.
If you have a shared web hosting account, you can enable Cloudflare in cPanel. If you do not have a shared web hosting account, you can sign up directly on Cloudflare's site at http://www.cloudflare.com.