As the owner of a small web site, you may not lose any sleep over the prospect of your site falling victim to an attack. After all, you have so many other things to worry about: can potential visitors or customers find your site, is your content relevant and timely, is your site optimized, and so on. And who would want to hack your site anyway, right?
Unfortunately, attackers target small sites more than they do larger ones, and for good reason:
If your site was hacked in a malicious manner, you have two options. You can sit around and think back on all the ways you should have hardened your site against attacks, or you can start cleaning up the mess and get your site back on track.
If you have realized that hindsight is 20/20 and prefer not to dwell on the mistakes that were made, you are ready to get your site cleaned up. This is not an easy task, but it is a necessary one. The following steps should be performed in the order they are written to help prevent the situation from getting any worse.
The first task is to secure your site so that you are no longer vulnerable to attack. It would be a waste of time to clean up your site only to have the attacker come right back in and damage your site again.
Taking your site offline is essential for two reasons. First, if the search engines crawl a site that is loaded with malware, it will be flagged as such, causing visitors to avoid your site and your search engine ranking to plummet. Second, a visitor or customer may land on your site only to find that it has infected their computer with malware. In this instance, you can be sure they won’t be back. People can accept a web site being down for a while, but they won’t accept your site damaging their computer. Serving a 503 error page with some readable content for visitors takes care of this.
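As an added example (not part of the original post), here is one way to take the site offline on an Apache host that honours `.htaccess` and has `mod_rewrite` enabled: every request gets a 503 with a readable maintenance page, crawlers are told when to retry, and only the address in `ALLOWED_IP` (a placeholder for your own IP) can still reach the site while you work on it.

```shell
#!/bin/sh
# Added example (not from the article): put an Apache-hosted site into
# maintenance mode so every visitor and crawler gets a 503 with a readable
# page while you clean up. Assumes mod_rewrite is enabled and .htaccess is
# honoured. ALLOWED_IP is a placeholder for your own address; requests from
# it bypass the 503 so you can inspect the site while it is closed.
ALLOWED_IP="203.0.113.10"

# write_maintenance_files DOCROOT : creates maintenance.html and .htaccess
# usage: write_maintenance_files /var/www/html
write_maintenance_files() {
    docroot="$1"
    cat > "$docroot/maintenance.html" <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Temporarily unavailable</title></head>
<body><h1>We are doing some maintenance</h1>
<p>The site is offline for a short time and will be back shortly.</p></body></html>
EOF
    # escape the dots so the address is matched literally by the regex below
    ip_re=$(printf '%s' "$ALLOWED_IP" | sed 's/\./\\./g')
    cat > "$docroot/.htaccess" <<EOF
# Maintenance mode: everyone except $ALLOWED_IP receives a 503
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${ip_re}\$
RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
RewriteRule ^ - [R=503,L]
<IfModule mod_headers.c>
    # tells crawlers when to come back instead of indexing the broken site
    Header always set Retry-After "3600"
</IfModule>
EOF
}

# htaccess_status_code DOCROOT : prints the status code the rewrite rule sends,
# a quick way to confirm the file says 503 and not a redirect
htaccess_status_code() {
    sed -n 's/.*\[R=\([0-9]\{3\}\),L].*/\1/p' "$1/.htaccess"
}
```

The `R=503` flag stops rewriting and returns the status directly, and `ErrorDocument` makes Apache serve the readable page with that status rather than a plain error. If your `.htaccess` already has rules, paste only the lines between `ErrorDocument` and `</IfModule>` above them, and delete just that block when the cleanup is done.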
The most common way attackers get access to your site is by stealing your site’s FTP and administrator credentials with malware on your computer. When you log in, a keystroke logger can send this information from your local computer to the attacker, giving them free rein over your web server. Update your virus definitions and your spyware definitions and run a full system scan with both programs. When you are done, download and run Malwarebytes AntiMalware to make sure your computer is clean.
Start with your email accounts and then change your FTP, administrator, database, and any other passwords you have. Anyone else who has access to your website through FTP or an administrative account should change their passwords as well. Make sure to use strong passwords so that the attacker has a hard time using a brute force tool against your site to regain access.
What type of attack took place? Were pages defaced? Is your site hosting malware? Is your site hosting illicit links? Has data been stolen? These are the things you need to think about. Odds are, if any pages were defaced, then your site probably isn’t being used to house malware or suffering from a link injection, because the defaced pages scream out, “Hey admin! I’ve been attacked!” The other types of malicious hacks work better when the admin isn’t aware that their site has been attacked. Of course, don’t rule out the possibility of other problems if your site was defaced.
If you are using WordPress, Joomla!, Drupal, Moodle, or any other third-party software, update it to the latest version. Most of these applications are free/open source, so attackers have access to their code and can find the vulnerabilities that exist in it. When these vulnerabilities are exposed, the developers update the software to close the security holes. In addition to the software itself, make sure that any plug-ins, components, modules, or other add-ons are updated as well.
While there is often not much your hosting provider can do to help you, you can ask whether they will scan the server for rootkits and backdoor programs.
Now that you have blocked the attacker from getting back into your site, it’s time to start cleaning up the mess he made. If you don’t want to clean up the problem files, you can opt to delete the installation and start fresh. However, unless you have backed up all of your site’s content, you will have to rebuild that as well. Additionally, you will need to check the restored content pages for malicious links and files, as restoring from a backup that already contains them will put them right back into your site.
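Working out what the attack did (hidden spam links, hosted malware, a backdoor) and then finding the files to clean are the same search run over the document root. The following is an added example, not code from the article: it builds a small constructed sample site with one injected hidden link and one obfuscated PHP file planted in an uploads directory, then runs the kind of file triage you would point at your real site. The sample content and the `find_*` helper names are my own.

```shell
#!/bin/sh
# Added example (not from the article): triage the files of a small site for
# the things the text tells you to look for: injected hidden links, obfuscated
# PHP of the kind backdoors use, and files that changed recently. The site
# built by make_sample_site is constructed for this demo; point the find_*
# functions at your real document root instead.

# make_sample_site DIR : a tiny site with one clean page and two planted problems
make_sample_site() {
    site="$1"
    mkdir -p "$site/wp-content/uploads"
    printf '<html><body><h1>Welcome</h1></body></html>\n' > "$site/index.html"
    # link injection: a hidden block stuffed with spam links (constructed)
    printf '<div style="display:none"><a href="http://spam.example/">cheap pills</a></div>\n' \
        > "$site/about.html"
    # obfuscated PHP in a directory that should only hold images (constructed;
    # the encoded payload here is just the word "hello")
    printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' \
        > "$site/wp-content/uploads/img.php"
    # age the clean page so the recent-changes check leaves it out
    touch -t 202001010000 "$site/index.html"
}

# find_hidden_links SITE : HTML/PHP files with links inside display:none blocks
find_hidden_links() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' \) \
        -exec grep -lE 'display: *none[^>]*>[^<]*<a ' {} + | sort
}

# find_obfuscated_php SITE : PHP that feeds eval() from a decoder, the usual backdoor shape
find_obfuscated_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + | sort
}

# find_php_in_uploads SITE : executable code where only uploaded media should live
find_php_in_uploads() {
    find "$1" -type f -path '*/uploads/*' -name '*.php' | sort
}

# find_recent_files SITE DAYS : anything modified in the last DAYS days; compare
# the list against the changes you know you made yourself
find_recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# demo run on the constructed site
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_sample_site "$demo"
echo "hidden links:";      find_hidden_links "$demo"
echo "obfuscated php:";    find_obfuscated_php "$demo"
echo "php in uploads:";    find_php_in_uploads "$demo"
echo "changed in 7 days:"; find_recent_files "$demo" 7
```

Each list is a starting point, not a verdict: some themes legitimately use `display:none`, and a theme or plug-in update also changes many files at once. The cleanest reference is a fresh download of the same version of your CMS and plug-ins; `diff -rq` between it and your document root shows which files the attacker added or altered, leaving only your own content and configuration to inspect by hand.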
You can look for clues that point to who the attacker is and where the attack was launched from, but keep in mind that a) they have probably used one or more hops to hide their location and b) all the poking around you have done has modified your site to the point that any evidence most likely can’t be used. This is OK because, unless your hosting provider chooses to pursue legal action, you are not likely to get much of a response from law enforcement by reporting it on your own, as jurisdictional issues arise.
Now that you have brought your site back online, keep it safe. Install security add-ons, make sure everything is constantly updated, make sure your computer is malware free, etc. You may want to consider enabling log archiving so you can review the logs from time to time. They will give you a great look into what is going on within your web site. Also, consider a host that makes use of a Web Application Firewall to help mitigate many of the common threats that lead to a compromised web site.
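To show what reviewing archived logs looks like in practice, here is an added example that is not part of the article. It runs three checks over an access log in the common Apache/Nginx "combined" format: POSTs to PHP scripts that are not the normal WordPress entry points, login POSTs counted per client address, and every request to one file you may have found during the cleanup. The log lines are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): log-review checks over an archived
# access log in Apache/Nginx "combined" format. The lines in LOG are
# constructed for the demo: a normal visitor, a burst of login POSTs from one
# address, and requests to a PHP file sitting in the uploads directory.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
198.51.100.7 - - [10/Mar/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:01:05 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:10:02:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2"
203.0.113.9 - - [10/Mar/2014:10:03:40 +0000] "POST /wp-content/uploads/img.php HTTP/1.1" 200 88 "-" "python-requests/2.2"
192.0.2.33 - - [10/Mar/2014:10:05:00 +0000] "GET /wp-content/uploads/img.php HTTP/1.1" 200 20 "-" "curl/7.35"
EOF

# Field layout of a combined-format line, as awk sees it:
# $1 client IP, $4 [timestamp, $6 "METHOD, $7 path, $9 status code

# posts_to_unexpected_php LOG : POSTs to PHP scripts other than the usual
# WordPress entry points; a small site rarely receives POSTs anywhere else
posts_to_unexpected_php() {
    awk '$6 == "\"POST" && $7 ~ /\.php/ && $7 !~ /^\/(wp-login\.php|wp-admin\/|xmlrpc\.php)/ { print $1, $7 }' "$1" | sort -u
}

# login_post_counts LOG : login POSTs per client address, highest first
# (a brute-force attempt shows up as one address with a large count)
login_post_counts() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# requests_to_file LOG PATH : who requested one path, useful for a file you
# found during cleanup; prints client, method and status
requests_to_file() {
    awk -v p="$2" '$7 == p { print $1, substr($6, 2), $9 }' "$1"
}

echo "POSTs to unexpected PHP:"; posts_to_unexpected_php "$LOG"
echo "login POSTs per address:"; login_post_counts "$LOG"
echo "requests to img.php:";     requests_to_file "$LOG" /wp-content/uploads/img.php
```

Run against a real archive, the first check points at scripts that should not be accepting input at all, the second shows whether strong passwords are actually being tested by a brute-force tool, and the third tells you when a suspicious file was first used, which is the date to compare against your recent-changes list.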