Has Your Site Been “Hacked”? Recovering From Cyber Vandalism

Generally I prefer to avoid using the term “hack” in the way most people use it. However, I will, for the duration of this post, use the term in the way the average non-geek would use it. In short, I will use the term “hacker” with the meaning of “someone who vandalizes websites” instead of the definition used among geeks, which is basically a synonym for geek. Read about the controversy at Wikipedia. That aside, let’s move along.

Imagine this scenario: you start up your computer one morning and head over to your website. Instead of your well-designed site, you see a black screen with red text reading “This Site PWNed by TehH4k3r.” Uh oh, that’s not good.

If something like this happens to you, drop everything and investigate. You need to move fast, or you risk losing visitors and search rankings. Fire up your FTP client and log in to your database admin panel (e.g. phpMyAdmin). Your mission is to figure out exactly what happened, fix it, and find out how the sneak got in in the first place.

Index / Templates

FTP into your site’s web root (the location of the index.php file). Before poking around there, though, try visiting another page in your browser. Is it just the index that’s corrupted? Try loading a different page, like an About page. Did it load correctly? If so, then the problem lies with something on the main page. If it bears the same legend as the index, then it’s a site-wide problem (so “TehH4k3r” changed something in one of your site-wide templates or in the database).

While you’re checking that out, load one of the problem pages again. Did you see your site for a fraction of a second, only to be replaced by the “This Site PWNed” screen? If so, check the address bar in your browser. It’s a different domain than yours, right? It looks like “TehH4k3r” slipped a meta redirect into your site somehow. Find it, remove it, and your site should function properly.
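The template check described above can be done in one pass instead of opening files one by one. The following script is an added example, not code from the original post: it walks a web root and reports every PHP or HTML file that carries a meta refresh, a script that rewrites `window.location`/`document.location`, or the defacement text. The sample web root (`$ROOT`, with a tampered `header.php` and `footer.php`) is constructed inline so the script runs offline; on a real site, point `scan_webroot` at the directory that holds `index.php` and add the foreign domain you saw in the address bar to `PATTERNS`.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a web root for
# injected redirects and defacement strings left in templates.
# The sample site under $ROOT is constructed inline so this runs offline.

# What a defacement or redirect typically leaves behind in a template:
# a meta refresh, a script rewriting window/document.location, or the
# defacement text itself. Add the foreign domain you were redirected to.
PATTERNS="http-equiv=[\"']?refresh|window\\.location|document\\.location|PWNed by"

# Print "file:line:text" for every PHP/HTML file under $1 matching $PATTERNS.
# /dev/null is passed alongside the real files so grep always prints the
# file name, even when find hands it a single file.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -niE "$PATTERNS" /dev/null {} +
}

# Number of distinct files that matched, so the result can be checked.
count_tampered_files() {
    scan_webroot "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# --- constructed sample web root (two tampered files, two clean ones) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/themes/mytheme"
printf '%s\n' "<?php require 'wp-blog-header.php'; ?>" > "$ROOT/index.php"
printf '%s\n' '<p>About this site.</p>' > "$ROOT/about.html"
cat > "$ROOT/wp-content/themes/mytheme/header.php" <<'EOF'
<html><head>
<meta http-equiv="refresh" content="0;url=http://attacker.invalid/pwned">
<title>My Blog</title></head>
EOF
cat > "$ROOT/wp-content/themes/mytheme/footer.php" <<'EOF'
<script>window.location='http://attacker.invalid/';</script></body></html>
EOF

scan_webroot "$ROOT"
echo "tampered files: $(count_tampered_files "$ROOT")"
```

Run it from a shell with access to the site files (or over a fresh FTP download of the web root). Every hit is a file to open and clean; once the redirect is gone, reload the page and confirm the address bar stays on your own domain.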

The Database

Once you’re in phpMyAdmin (or whatever software you use to access your database), run over to the database table that stores your posts. Are they still there? Hopefully “TehH4k3r” was nice enough to leave your posts intact. If he wasn’t, then I hope you have a backup.

Next, search for strings such as “PWNed by” and “TehH4k3r.” In the case of a meta redirect, search for the URL you are redirected to. Use a SELECT command, or the search feature in phpMyAdmin. Fix whatever tampering you come across.

In addition to meta redirects, a common exploit done by accessing the database is to change the admin account’s password and email address so the attacker can log in and change anything the blog admin is allowed to. Check the table that stores the user information. Is your account’s email address the same as it was before? Is there another admin-privileged account? Delete any new accounts created by the hacker, and reclaim yours if it has been tampered with (there’s a 99.9% chance it has been, if the jerk got into the database). To fix your account, use phpMyAdmin to edit the stored email address, then fix the password. To do that, generate a new MD5 hash of your password using a hash generator (like this one) and paste it into phpMyAdmin. Now you should have access to your CMS’s admin panel again, and the hacker won’t.
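The two database checks above (search every table for the defacement strings and redirect URL, then review the user accounts) can also be run against an export of the database, which is useful when phpMyAdmin itself is slow or unavailable. The script below is an added example, not code from the original post: it searches a mysqldump file for each string you give it, reports which table each hit lives in, and prints the user rows for review. The dump (`$DUMP`) and the table names `wp_posts`, `wp_options` and `wp_users` are constructed sample data; on a real site, export the database first (mysqldump, or the phpMyAdmin export tab) and point `scan_dump` at that file.

```shell
#!/bin/sh
# Added example, not code from the original post: search a mysqldump export
# of the blog database for injected strings and report the table each hit
# lives in. The dump below is constructed inline so this runs offline.

# Print one line per hit: "table<TAB>line N<TAB>needle". mysqldump writes each
# INSERT on a single line, so the table name can be read from the hit itself.
# Matching is case-insensitive (the attacker may have varied the spelling).
scan_dump() {
    dump=$1; shift
    for needle in "$@"; do
        grep -niF -- "$needle" "$dump" | while IFS= read -r hit; do
            lineno=${hit%%:*}
            table=$(printf '%s\n' "$hit" | sed -n 's/^[0-9]*:INSERT INTO `\([^`]*\)`.*/\1/p')
            printf '%s\tline %s\t%s\n' "${table:-?}" "$lineno" "$needle"
        done
    done
}

# Total number of hits, so the result can be checked.
count_hits() {
    scan_dump "$@" | wc -l | tr -d ' '
}

# Show every user row so new or altered accounts can be reviewed by eye.
list_user_rows() {
    grep -F 'INSERT INTO `wp_users`' "$1"
}

# --- constructed sample dump (one defaced post, one attacker account) ---
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
-- MySQL dump (constructed sample, not a real export)
INSERT INTO `wp_options` VALUES (1,'siteurl','http://myblog.example','yes');
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to my blog.</p>');
INSERT INTO `wp_posts` VALUES (2,'Hello world','<h1>This Site PWNed by TehH4k3r</h1><meta http-equiv="refresh" content="0;url=http://attacker.invalid/">');
INSERT INTO `wp_users` VALUES (1,'admin','<hash-placeholder>','admin@myblog.example');
INSERT INTO `wp_users` VALUES (2,'tehh4k3r','<hash-placeholder>','tehh4k3r@attacker.invalid');
EOF

scan_dump "$DUMP" 'PWNed by' 'TehH4k3r' 'attacker.invalid'
echo "--- user rows, check the email addresses and look for accounts you did not create ---"
list_user_rows "$DUMP"
```

Searching the redirect domain as well as the defacement text matters: in the sample it turns up not only the defaced post but also the attacker’s email address on a second admin account, which a search for “PWNed by” alone would miss.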

How did the hacker get into the database to begin with? Most scripts that use a database have a file that stores the details required to connect to it (host, user, password, database name). In WordPress installations it is called wp-config.php. That’s how “TehH4k3r” got in: you left your keys under your welcome mat. To prevent another break-in, you need to make sure nobody else can access this file. One solution is to CHMOD it so that only the “owner” has permission to access it. There are other methods, but CHMOD is the easiest. All database-backed scripts have a file like this, and the steps to secure it are similar.
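The CHMOD step above, with a verification and one extra check, as an added example that is not part of the original post: the script restricts wp-config.php to its owner, reads the resulting permission string back, and then looks for stray copies of the file (wp-config.php.bak, wp-config.php~ and the like) in the web root. Those copies are a common way the keys end up under the mat even after the real file is locked down: the web server does not execute them as PHP, so it serves them as plain text, password included. The web root (`$ROOT`) and the file contents are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: lock down the database
# credentials file, verify the result, and find stray copies of it in the
# web root. Paths are constructed in a temp directory so this runs offline;
# on a real site set ROOT to the directory holding index.php.

# Restrict the config file to its owner (rw-------).
lock_config() {
    chmod 600 "$1"
}

# Return the symbolic permission string (e.g. -rw-------) portably via ls.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Editors and manual backups leave wp-config.php.bak, wp-config.php~ or
# wp-config.php.orig next to the real file. They are served as plain text,
# so each one is a copy of the database password anyone can download.
find_exposed_config_copies() {
    find "$1" -maxdepth 1 -type f -name 'wp-config.php*' ! -name 'wp-config.php'
}

count_exposed_config_copies() {
    find_exposed_config_copies "$1" | wc -l | tr -d ' '
}

# --- constructed sample web root: the real file plus two stray copies ---
ROOT=$(mktemp -d)
for f in wp-config.php wp-config.php.bak wp-config.php~; do
    printf '%s\n' "<?php define('DB_PASSWORD', 'placeholder-not-a-real-secret'); ?>" > "$ROOT/$f"
    chmod 644 "$ROOT/$f"   # the usual, too permissive, default
done

echo "before: $(perm_string "$ROOT/wp-config.php")"
lock_config "$ROOT/wp-config.php"
echo "after:  $(perm_string "$ROOT/wp-config.php")"
echo "stray copies to delete or move outside the web root:"
find_exposed_config_copies "$ROOT"
```

Mode 600 assumes PHP runs as the same account that owns the file, which is the common setup on shared hosts (suPHP, suexec, or a per-user php-fpm pool). If PHP runs as a separate account such as www-data, 600 will take the site down because the server can no longer read its own configuration; use 640 with the file’s group set to that account instead. Either way, the permission bits only keep other accounts out: a vulnerable script running as the site’s own user can still read the file, which is why the advice in the conclusion about keeping scripts updated still applies.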

Conclusion

This is by no means a definitive guide to recovering from having your website “PWNed.” There are tons of ways for people to break your website. Keep your scripts up to date, take all the security precautions recommended by the scripts’ makers, make backups, and you’ll be fine.