Tuesday, August 11, 2020

Oh no, our site was hacked! What to do?

You opened your site in the morning and found it full of someone else's banners, or blocked entirely? Most likely it was hacked or infected. Tip number 1: do not panic, everything can be fixed. Most importantly, do not despair, and certainly do not accept an offer to "buy back" your own site (yes, that happens). We personally do not negotiate with attackers, and we will show you how to deal with them.

Who is the pest?

You might wonder: what normal person would want to hack someone else's site and spend time and resources on it? For what? Just to blackmail the owner? In fact, the list of motives is much broader. Most often, cybercriminals hack websites in order to:

Use it for "phishing", a type of Internet fraud in which account credentials, bank card details and other personal information are stolen from visitors through fake sites.

Send spam from a hacked site.

Use the site for malicious activity, DDoS attacks.

Forward visitors to other sites.

Simply annoy a competitor by disrupting the operation of their site.

Therefore, even if you store no personal user data on your site and conduct no financial transactions, that will not keep you out of the hackers' field of view.

Symptoms

Of course, if attackers have placed their banners on the site, or if the site redirects visitors to other resources as soon as they arrive, you will probably notice this without any additional diagnostics.

In addition, if the hackers have already managed to "misbehave" (send spam, take part in a DDoS attack, etc.), your site may be blacklisted by search engines. Google puts a lot of resources into fighting malicious sites, so it will probably track yours down quickly and start warning potential visitors. Naturally, this will affect your traffic.


Other "symptoms" of a compromised or infected site are unknown files in the site's directories and foreign code in the site's pages or files.

Finding the reason

You can identify malicious files, and at the same time the site's weak points, as follows:

Find infected files with an antivirus. The clamav and maldet utilities will handle this task. If ClamAV is present on the system, maldet will use not only its own signature databases but also ClamAV's when scanning.

For scanning, it is important to use a command that does not move files to quarantine. Otherwise their modification dates will change and the further "investigation" will not work. A command like this will do:

Important!

Also check the computer from which you manage the site for viruses: if the hack was the result of a password leak, a new password may be stolen again after some time.

Find out when each infected file was last modified. This can be done with the ls utility (which lists directory contents).

By default, the time the file was last modified is displayed. Keep in mind that attackers could have changed it:

Use less (a file viewer) and grep (a string search utility) to check the last-modified time against the web server logs.

It will look something like this:

Each of the five (in our case) scripts found this way could be the source of the infection.
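As an added example (not from the original post) of the correlation step described above, the following POSIX shell script takes a suspicious file's modification time, converts it to the access-log timestamp notation, and lists which PHP scripts were requested during that same minute. It assumes GNU coreutils (stat -c, date -d, touch -d) and uses a constructed combined-format access log with made-up addresses and paths.

```shell
#!/bin/sh
# Added example (not from the original post): correlate an infected file's
# modification time with the web-server access log, as the post describes.
# Assumes GNU coreutils (stat -c, date -d, touch -d) and a combined-format log.
set -eu
export TZ=UTC   # keep file times and log timestamps in the same zone

# Print a file's mtime in Apache log notation at minute precision,
# e.g. 11/Aug/2020:09:14
mtime_log_minute() {
    date -d "@$(stat -c %Y "$1")" '+%d/%b/%Y:%H:%M'
}

# List distinct "METHOD /path" pairs for .php requests made during the given
# minute. In a combined-format log, field 4 is "[dd/Mon/yyyy:HH:MM:SS".
php_requests_at() {
    log=$1; minute=$2
    awk -v m="[$minute" 'index($4, m) == 1 && $7 ~ /\.php/ {print substr($6, 2), $7}' "$log" | sort -u
}

# Constructed sample log (made-up addresses and paths) written to "$1/access.log".
write_sample_log() {
    cat > "$1/access.log" <<'EOF'
198.51.100.7 - - [11/Aug/2020:09:13:58 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2020:09:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112 "-" "curl/7.68.0"
203.0.113.5 - - [11/Aug/2020:09:14:05 +0000] "POST /wp-content/uploads/2020/08/cache.php HTTP/1.1" 200 56 "-" "curl/7.68.0"
198.51.100.7 - - [11/Aug/2020:09:14:30 +0000] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Aug/2020:09:17:41 +0000] "GET /wp-content/uploads/2020/08/cache.php HTTP/1.1" 200 20 "-" "curl/7.68.0"
EOF
}

# Demo: a stand-in for the infected file, with its mtime set to match the log.
demo() {
    tmp=$(mktemp -d)
    write_sample_log "$tmp"
    : > "$tmp/cache.php"
    touch -d '2020-08-11 09:14:05' "$tmp/cache.php"
    minute=$(mtime_log_minute "$tmp/cache.php")
    echo "cache.php last modified at $minute; PHP scripts requested in that minute:"
    php_requests_at "$tmp/access.log" "$minute"
    rm -rf "$tmp"
}

demo
```

On a real server, point mtime_log_minute at each file the scanner flagged and php_requests_at at the live access log; the scripts that show up are the candidates the post refers to.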

Important!

Typically, attackers break into the site itself, not the system it runs on. The easiest way to check is to see who owns the infected files. If they belong to the same user the PHP scripts run as (depending on the system settings, this is either the user who owns the other website files or a system user such as apache or nobody), the hack was most likely due to a password leak or a vulnerability in the site code.

How to "cure" a site

After detecting viruses:

Update the site's CMS and all modules/plugins, since viruses often enter the site through holes (vulnerabilities).

Change the passwords for all (!) site users and for all accounts related to the site (FTP server access, hosting control panel, etc.). There is a chance that the virus managed to add its own users to the database and is now performing malicious actions quite "legitimately".

Remove all malicious files. This can be done either by editing files manually or with scripts that delete files without breaking the site structure.

Restrict access to all site directories.

Extreme measures

If the site still could not be "cured", you will have to redeploy it from a backup copy. Do you make copies every day? Then such a redeployment will not cause big problems. But if days or even weeks have passed since the last copy, that is a problem: the loss of important changes is almost inevitable.

Prevention

The best treatment is prevention. To minimize the risk of being hacked:

Check your website and virtual machine for viruses regularly.

Limit access to the site. Each employee should have exactly the level of access they need to do their job, and no more.

Never use the default login and password. Choose passwords carefully, using the full range of allowed characters.

Limit the number of user authentication attempts.

Take care of regular backups in advance.

Install plugins that protect your site from hacking, for example Wordfence for the WordPress CMS and its analogues for other CMSs.

But the most important rule is to entrust the management of your site only to professionals.

Conclusions

A hacked site is not a death sentence. The situation can be fixed even in the most advanced cases. But prevention is always better than aggressive treatment, so we recommend following the basic security rules before attackers take an interest in your site. And for fast page loading and reliable operation, take care to choose high-quality hosting, whether your project is small or large-scale.
