Help! My website has been hacked!

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.


Postby AlphaCentauri » Sat Jan 04, 2014 7:07 pm

This thread is meant to be a resource for website owners whose sites have been compromised. Email and forum spammers use those sites to protect their own sites from being shut down. The domain owners are innocent victims, so we don't want to shut their sites down, but we want them to stop being used to boost the search engine status of spammers' sites. If you contact the owner of a hacked site, you can point them here.

Recognize a hacked site:
Usually this is easy. The spammy link leads to a page on their site that advertises something like pills or NFL jerseys, but if you look at the home page, it is a functioning website for a legitimate business/organization.

Contact the owner:
You don't want to contact the owner via the contact form on the website, as anything going through the website will be visible to the spammers. They could redirect the email to themselves, in fact. Look for an "out of band" contact, like an email address on another domain, a "live chat" (by an outside support provider) or a phone number. You may have to go through the whois information in the domain registration. There may be a contact at the bottom of the home page for the tech company that maintains the website, though often that company may have their domain compromised as well. In a pinch, contact the hosting company or registrar and ask them to forward a message to the owner.

Provide the proof:
Give the exact link to the compromised page.

Link them to this thread for information/help:
This sticky thread will have general information. People who wish more specific help can register accounts and post threads of their own for help.

If you are a new member registering for help, please send a private message to Red Dwarf or me to explain the situation, so we can expedite membership approval. (New members have to have posts approved until their membership has been approved, to discourage spamming.)
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Help! My website has been hacked!

Postby AlphaCentauri » Sat Jan 04, 2014 7:07 pm

Information for owners of hacked websites:

You just found out that spammers have hacked your website. They have posted pages advertising illegal crap. They may be reading your emails. Ick!

What do you do?

It's not as easy as removing the unauthorized files. You have to find out HOW they got there in the first place, so you can stop them from being re-posted.

In order to post on your website, the spammers need a username with authority to post, and a password for that username.

Most hacking is done by robots with lots of time on their hands but no imagination. They are looking for low-hanging fruit. They will try common usernames with lots of passwords, or they will try common passwords with lots of usernames. Best to have your usernames and passwords be uncommon.

Is your username obvious? Obvious ones are things like "administrator," "admin," or "root." Your domain name is also an obvious one. Best to have something else if your web host/software allows it.

Is your password common? Many people use common passwords thinking that no one has any reason to want to hack their site. But they don't want to hack your site in particular. Any site will do, and they'll find the low-hanging fruit.

There are many sites with lists of common passwords; here is one:
https://xato.net/passwords/more-top-worst-passwords/
Also avoid any passwords that are the same as your username or passwords that are the same as the site you are logging into.

Are you using the default file structure? Many users have sites using formats like WordPress. That means that any spammer that tries to log into a website without having to actually view it manually can program his robot to go to the default login screen URL. There are WordPress add-ons like "Change Database Prefix" that rename those URLs. The spammer can go to your site and find out what the new names are, but if they're looking for the sites most likely to have obvious passwords, why would they?

Are you using the same username/password on multiple sites? Sites get compromised all the time. The spammers then use the usernames from those sites to try to log in other places.

And very important: Which computers have been used to access the site to upload files? This means every computer used by every user. If any one of them is infected with malware (malicious software), it could be harvesting usernames/passwords, or it could even be uploading the spammy files itself. Those computers are all suspect.

To avoid providing your new passwords to spammers, consider accessing your site with a Live CD. A live CD is a read-only CD that has a different operating system on it. You boot your computer while clicking on "escape" or "F8" or "F12" or whatever the key on your computer is to control the boot sequence. When a black screen comes up to ask you what you want to use to boot, you change it from the hard disc to the CD, then continue booting. If your computer has malware on it, it has to be designed to work on its particular operating system. Boot with a different operating system and the malware won't launch.

One choice for a Live CD is Ubuntu. It is based on Unix/Linux. It is fairly user-friendly, and it has Firefox included in the package. Remember to write down your current username/password and the URL for your website's login before you boot up, because your computer won't be running its usual operating system to get your bookmarks. Once you boot in Ubuntu, you can launch Firefox and access the internet relatively normally. (Some Firefox add-ons may not be available for Ubuntu.)

Ubuntu is free and can be downloaded from
http://www.ubuntu.com/download/desktop
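
The username and password questions asked in the post above, gathered into one check. This is an added example, not part of the original post; `audit_login`, `domain_variants` and the short sample password list are constructed for illustration, and a real run would load the list from a downloaded common-password file.

```python
# Usernames the post calls obvious; the site's own domain name is checked separately.
OBVIOUS_USERNAMES = {"administrator", "admin", "root"}

# Constructed stand-in for a downloaded common-password list.
SAMPLE_COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}


def domain_variants(domain):
    """Guessable names derived from a domain, e.g. www.example.org ->
    {'example.org', 'example', 'exampleorg'}."""
    host = domain.lower().strip()
    if host.startswith("www."):
        host = host[4:]
    return {host, host.split(".")[0], host.replace(".", "")}


def audit_login(username, password, domain, common_passwords, other_logins=()):
    """Return a list of findings for one site login; an empty list means no check fired.

    other_logins holds (site, username, password) tuples for the owner's
    other accounts, used to spot password reuse across sites.
    """
    findings = []
    user, pw = username.lower(), password.lower()
    site_names = domain_variants(domain)

    if user in OBVIOUS_USERNAMES:
        findings.append("username is a default that robots try first")
    if user in site_names:
        findings.append("username is the site's domain name")
    if pw in common_passwords:
        findings.append("password is on the common-password list")
    if pw == user:
        findings.append("password is the same as the username")
    if pw in site_names:
        findings.append("password is the same as the site name")
    for site, _other_user, other_pw in other_logins:
        if password == other_pw:
            findings.append(f"password is reused on {site}")
    return findings


if __name__ == "__main__":
    for line in audit_login("admin", "letmein", "www.example.org", SAMPLE_COMMON_PASSWORDS):
        print("-", line)
```

Because the script handles plaintext passwords, run it from a machine you trust, such as the Live CD session described above.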

Re: Help! My website has been hacked!

Postby AlphaCentauri » Sat Jan 04, 2014 7:16 pm

If you find that your PC is infected with malware, there are websites with volunteers that will help you disinfect it for free. One that several members here are associated with is
http://spywarehammer.com/simplemachinesforum/index.php/board,10.0.html

Please read the instructions and follow all steps in order. They've been doing this a long time and they can help keep you from making things worse. Please also be patient, as they are all volunteers, and please check back with your thread frequently to continue the disinfection process each time you get a reply.

Re: Help! My website has been hacked!

Postby spamislame » Mon Jan 13, 2014 6:24 pm

I have some further recommendations based on the past 8 years of helping victims of server hijacks...

If you run Wordpress: upgrade it. Immediately. Do that and change the password for your admin user and the database that Wordpress connects to.

If you run Joomla: do the exact same thing.

Make the password extremely difficult to guess:

http://strongpasswordgenerator.com/

I swear the sheer volume of sites that use the most obviously stupid choices for their passwords is in the hundreds. Don't be lazy. Use a strong password, make sure you have it saved somewhere you can easily get it again (and not in an account with a similarly simple / ridiculous password) and you have solved 80% of the problem.

Also update all of the plugins used by either Wordpress or Joomla.

Do not use a crappy ISP for your website. My top three would include GoDaddy, iweb and Softlayer / ThePlanet. 90% of all of the hacked sites I have ever reported or gotten cleaned up were all hosted on these ISPs.

Rather than using "shared" hosting, strongly consider using VPS virtualized hosting which is much more secure and robust. With shared hosting, very often if the criminals find a way into your server, they likely will end up having access to at least several hundred others via the access they gain from your site.

The biggest problem of all is "hobbyist" or "trial" websites. Some newbie will install Wordpress or Joomla on their server to "test it out." They'll tinker with it, try out some themes, and then never touch it again. After several months of this abandoned installation being there, usually at least one criminal hacker (but very often far more than just one) will have discovered an exploit on this installation of Wordpress or Joomla, and will now be using your site for all manner of nefarious uses.

If you want to tinker with it: by all means do. But remove the installation once you know you're not going to be interested enough to pursue it further.

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am
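
One way to find the forgotten "trial" WordPress copies described in the post above is to walk your own web root and list every install with its version and the age of its core files. This is an added example, not part of the original post; it covers WordPress only (not Joomla), the function name and report fields are illustrative, and the 90-day threshold is an assumption.

```python
import os
import re
import sys
import time

# WordPress core stores its release number in wp-includes/version.php,
# on a line such as:  $wp_version = '3.8';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def find_wordpress_installs(web_root, stale_after_days=90, now=None):
    """List every WordPress copy under web_root, oldest core files first.

    core_age_days is the age of version.php, which a core upgrade rewrites.
    stale_after_days is an assumed threshold, not a figure from the thread.
    """
    now = time.time() if now is None else now
    installs = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in filenames:
            continue
        version_file = os.path.join(dirpath, "version.php")
        with open(version_file, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
        age_days = int((now - os.path.getmtime(version_file)) // 86400)
        installs.append({
            "path": os.path.dirname(dirpath),
            "version": match.group(1) if match else "unknown",
            "core_age_days": age_days,
            "stale": age_days >= stale_after_days,
        })
    return sorted(installs, key=lambda i: i["core_age_days"], reverse=True)


if __name__ == "__main__":
    # Usage: python find_wp.py /path/to/web/root
    for item in find_wordpress_installs(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "STALE" if item["stale"] else "ok"
        print(f"{flag:5} {item['version']:10} {item['core_age_days']:5}d  {item['path']}")
```

File timestamps change when a site is copied or restored from backup, so treat the age as a prompt to check each install, then upgrade it or remove it.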

Re: Help! My website has been hacked!

Postby AlphaCentauri » Mon Jan 13, 2014 11:43 pm

Actually, almost all the links to hacked sites I'm seeing recently on our Esteemed Guests forum are for InMotionHosting.com. I don't know if it's a shared hosting problem like you mentioned or what.

Re: Help! My website has been hacked!

Postby spamislame » Wed Jan 15, 2014 4:06 pm

That's interesting, because they offer VPS servers (virtual private servers) which are a variation on what I recommended above.

SiL

Re: Help! My website has been hacked!

Postby AlphaCentauri » Thu Jan 16, 2014 2:19 am

The sites I'm seeing hacked aren't the kinds of organizations that would be running their own VPS. Maybe there is a reseller creating websites for them, and that person's credentials were breached?

