According to a recent article in the New York Times, security experts say that there are two types of companies in the U.S.: those that have been hacked and those that don’t know they’ve been hacked. In last month’s post, we discussed five basic security precautions that can help keep you from becoming a hacker’s next “low-hanging fruit.” But what if you have already been hacked? What do you do? Join us as we take a look at ways to know if you’ve been hacked, how it happens, and what steps to take in getting your site running again.
How do you know if you’ve been hacked?
There are many ways you may find out that your website has been hacked. The most obvious is when the hacker has simply defaced your website. You wake up one morning, open your browser and, lo and behold, your website is no longer there. It has been replaced by a new page with a big sign saying “Hacked by ______ (fill in the blank).” Or even worse, you get redirected to, hmmm, let’s call it an “unsavory” website. Well, in those cases it is obvious that you’ve been hacked.
However, hackers oftentimes will attempt to cover their tracks so that it isn’t obvious that a site has been hacked. They’d really prefer that you didn’t know about it, because they want to use your site as long as they can to do their dirty work.
Here are some big signs that your website has been hacked:
- Your website is defaced.
- Your website redirects to an ‘unsavory’ site such as a porn site or pharmaceuticals site.
- Google or Bing notifies you that your site has been compromised.
- Your Firefox or Chrome web browser indicates that your site may be compromised.
- You notice strange traffic in your web logs such as unexplained big spikes in traffic, especially from other countries.
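One way to check your web logs for the traffic spikes mentioned in the last item, shown as an added example that is not part of the original article. It assumes the Apache/Nginx "combined" access log format; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumption: Apache/Nginx "combined" format, e.g.
# 203.0.113.50 - - [10/Mar/2024:06:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "UA"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} ')

def parse(line):
    """Return (client_ip, hour_bucket) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.replace(minute=0, second=0)

def find_spikes(lines, factor=5, min_requests=20):
    """Flag hours whose request count is far above the median hour."""
    per_hour, ips = Counter(), defaultdict(Counter)
    for parsed in map(parse, lines):
        if parsed:
            ip, hour = parsed
            per_hour[hour] += 1
            ips[hour][ip] += 1
    if not per_hour:
        return []
    baseline = median(per_hour.values())
    return [
        (hour.isoformat(), count, ips[hour].most_common(3))
        for hour, count in sorted(per_hour.items())
        if count >= min_requests and count > factor * baseline
    ]

def sample_log():
    """Constructed sample: six quiet hours, then one hour with 60 requests."""
    fmt = ('{ip} - - [10/Mar/2024:{h:02d}:{m:02d}:00 +0000] '
           '"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="198.51.100.7", h=h, m=m * 15)
             for h in range(6) for m in range(4)]
    lines += [fmt.format(ip="203.0.113.50", h=6, m=m) for m in range(60)]
    return lines

if __name__ == "__main__":
    for hour, count, top_ips in find_spikes(sample_log()):
        print(hour, count, top_ips)
```

Each flagged hour comes with its busiest client addresses, which gives your support team a time window and a starting point when they read the raw log entries.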
How does it happen?
In a survey last year by StopBadWare and Commtouch, 63% of website owners indicated that they did not know how they were hacked. If your website has been hacked, it is critical to understand how it happened in order to prevent another hack by the same hacker.
There are many, many ways a website can be hacked. Here are some common ways hackers can take control of your website:
- Guessing your password.
- Using malware on your local computer to capture your login credentials.
- Finding a security vulnerability in specific software that you happen to be using (especially outdated software).
- Hacking someone else’s site that resides on the same shared-server that you are using for your site.
Note: getting hacked because of someone else's site on the same server is a good reason to avoid cheap hosting providers. They don’t always have the best security practices and you often have “bad neighbors” on the same server.
5 Critical Steps to restore it.
Getting your website hacked is a big deal and it can be fairly complex to clean it up. But here are the high-level steps that you and / or your support team should take once you discover that you’ve been hacked.
1. Stay calm
First of all, stay calm. You can recover.
2. Call in your support team
If you don’t have the right technical expertise on staff, your best option will be to call in a support team. Ideally, this will be someone who has strong technical expertise and is also familiar with your site and its configuration. This can include your web developer and/or your hosting provider.
Web designers without a programming and technical background may have a harder time assessing the issue and fixing it. Experienced web developers (e.g. programmers) should have the necessary skills to assess and fix the problem.
Many hosting providers will not do the actual work of cleaning your website. But they can provide invaluable assistance or may have other customers that are experiencing the same issue.
3. Pull together the information your support team will need
You will need to get your information together for your team. Your developer / team will need access to:
- CMS Login: your content management system with administrative / super admin rights
- Hosting Login: your hosting control panel to access your database and web logs
- Your web logs: both the access logs and error logs. Be sure that your hosting company provides the web logs. Most web hosts do, but a few hosting companies do not turn those on by default or may not provide access to them.
- FTP / sFTP access credentials: this should include the hostname, username, and password
- Backups: Any backups you may have
You should consider keeping this information together in a safe location that you can access quickly in case the need should ever arise.
4. Take your website offline
You should temporarily shut the site down while it is being assessed and fixed. Your hosting control panel may have the ability to temporarily turn off your site. Or you may need to password protect the main directory where your website resides to block visitors from accessing your site while the team works on fixing it.
5. Scan your local computers for viruses and malware
You will want to scan your local computer(s) with your anti-virus software to make sure they aren’t infected with malware, spyware, Trojans, etc. Be sure your anti-virus software is up-to-date before using it to scan your computer.
The Cleaning Process
Your support team will hopefully be fully engaged by now, working to diagnose how the site was hacked and then to clean up and restore your site. Here is a sample of what they will be doing:
- Changing your passwords for website logins, database, ftp, etc.
- Making a backup of the site and downloading it for inspection
- Examining log files and other data to determine how and when the website was hacked
- Examining the software extensions used on the site and ensuring they are up-to-date and do not have any known vulnerabilities
- Reviewing any custom software code (if applicable) for any obvious security flaws
- Cleaning the site and putting it back online.
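To illustrate the inspection step in the list above, here is an added example (not part of the original article) that compares the copy downloaded from the hacked site against an older backup and reports which files were added, removed or changed. It assumes you have a backup taken before the hack; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*")) if path.is_file()
    }

def compare_trees(clean_root, suspect_root):
    """Compare an older backup (clean_root) with the current site copy."""
    clean, suspect = hash_tree(clean_root), hash_tree(suspect_root)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in clean.keys() & suspect.keys()
                           if clean[p] != suspect[p]),
    }

def demo():
    """Constructed sample: build two small trees and compare them."""
    files = {"index.php": "<?php echo 'home';",
             "css/site.css": "body{}",
             "about.html": "<p>About</p>"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for root in (clean, suspect):
            for rel, text in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
        # Differences in the current copy: one changed, one new, one missing.
        (suspect / "index.php").write_text("<?php echo 'home'; /* changed */")
        (suspect / "uploads").mkdir()
        (suspect / "uploads" / "x.php").write_text("<?php /* not in backup */")
        (suspect / "about.html").unlink()
        return compare_trees(clean, suspect)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Not every difference is the hacker's work, since legitimate updates made after the backup will show up too. The report narrows down which files your team should open and read first.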
It is very important if at all possible to understand how the site was hacked so that it can be properly cleaned. I’ve seen a number of websites that were repeatedly hacked by the same hacker until the proper fixes were in place.
Getting your website hacked is no fun. But you are able to recover from it. So stay calm and call in the right support team to get it fixed and running again. While we’ve just skimmed the surface of the process needed to clean the site, having the right support team in place can make a big difference.