Towards the end of last week, I was made aware that some websites hosted on a server operated by one of my clients had been hacked. The initial compromise targeted just the websites running PHP, replacing all .php files with code to re-direct visitors to a website hosting malicious code, thus causing Google to flag the sites as harmful.
We spent most of the weekend replacing as much of the compromised code as possible, but my client discovered that their backups were out of date, and therefore we had in some cases to restore old versions of the applications that had been compromised.
A couple of days after the initial compromise, and while I was still trying to figure out how the attackers had got access to so many sites, the second stage of the attack occurred: the attackers appended code to the bottom of all .html files that rendered an invisible iframe at the foot of the page, loading the same malicious site and thus causing the remaining sites to be flagged by Google.
At this point, I worked out that the attackers were targeting the FTP logins for each of the sites, as well as trying to brute-force the root user login via SSH. So I set up rules in the firewall of the server to block access to both FTP and SSH from everyone except the IP addresses of the people responsible for uploading clean copies of the compromised sites.
What Steps Should You Take If Your Site is Compromised?
- Change ALL Passwords - change every password on the server, not just the ones you can prove were compromised; you rarely know exactly which credentials the attackers have collected. Use a password generation tool, like the ones mentioned in our Password Management post, to generate long random passwords, and change them from a machine you trust, since a new password is only as safe as the place it was typed. A sufficiently long random password cannot be guessed in any practical time, which forces the attackers to look for another way in.
- Restrict access to authorised IP addresses - once you've worked out how they got in, lock down the services they are using (FTP and SSH in our case) so that they accept connections only from the people involved in the recovery process. This stops the attackers from completing their attack, takes the load of the brute-force attempts off the server, and usually sends them on to easier targets.
- Work out how they are getting in - log files are the quickest way to find where the attacks are coming from and which part of your server they are targeting. On a Linux system the FTP server normally logs successful logins via syslog to /var/log/messages (or to its own file, for example /var/log/vsftpd.log), and SSH logins and failures go to /var/log/auth.log or /var/log/secure. Check there for FTP logins at strange times (when you are pretty sure no one who is authorised would be logging in) and for logins from addresses you don't recognise.
- Restore from Backup (if possible) - you probably already know that you should have regular backups of your servers, and the reason becomes crystal clear when you are faced with removing malicious code from 100+ HTML files by hand because you didn't have a recent backup.
- Install latest versions of applications/plugins - if the site is a custom application, restoring the whole thing from a backup is probably easiest, but if you're using one of the popular open source applications, download a fresh copy from the project website and install that alongside your database. This ensures you are on the most recent version, with its security fixes, even if you weren't keeping up with updates before the compromise. Bear in mind that a fresh download only replaces the application's own files; the database and any upload directories you restored still need to be checked for injected content.
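The recovery steps above are easier to follow with something concrete to run, so here is an added example (not code from the original post or from the client's server) that covers three of them on a Linux host: picking out FTP logins at off-hours from syslog-style lines, finding web files that carry the injected iframe or redirect, and emitting firewall rules that restrict FTP and SSH to the recovery team. The log lines, the web files, the indicator patterns, the malicious.example hostname and the addresses in ALLOWED_IPS are all constructed for this example and are not from the original incident; replace them with what you actually see in your logs and files.

```shell
#!/bin/sh
# Added example: triage helpers for a compromised web host (not from the original post).
# Everything below (log lines, files, IPs, patterns) is constructed for the example.

# --- 1. FTP logins at hours when nobody authorised should be working ---
# Sample vsftpd-style syslog lines, constructed for this example.
SAMPLE_LOG='Mar  3 02:14:07 web1 vsftpd[2145]: [siteuser1] OK LOGIN: Client "203.0.113.45"
Mar  3 09:30:12 web1 vsftpd[2201]: [siteuser2] OK LOGIN: Client "198.51.100.7"
Mar  3 23:55:40 web1 vsftpd[2390]: [siteuser3] OK LOGIN: Client "203.0.113.45"
Mar  4 03:01:02 web1 vsftpd[2411]: [siteuser3] FAIL LOGIN: Client "203.0.113.45"'

# Read log lines on stdin; print successful logins outside the 08:00-18:59 working window
# as "month day time user client". Adjust the window to the hours your people really work.
offhour_ftp_logins() {
    awk '/OK LOGIN/ {
        split($3, t, ":"); h = t[1] + 0
        if (h < 8 || h > 18) print $1, $2, $3, $6, $NF
    }'
}

# --- 2. Web files carrying the injected iframe or redirect ---
# Build a throwaway web root with two clean and two injected files (constructed sample).
make_sample_webroot() {
    dir=$(mktemp -d)
    printf '<html><body>Hello</body></html>\n' > "$dir/clean.html"
    printf '<html><body>Hi</body>\n<iframe src="http://malicious.example/x" width="0" height="0" style="visibility:hidden"></iframe></html>\n' > "$dir/hit.html"
    printf '<?php\n// legitimate application code\n' > "$dir/clean.php"
    printf '<?php\nheader("Location: http://malicious.example/");\n' > "$dir/hit.php"
    echo "$dir"
}

# List .html/.php files under $1 matching the indicators seen in the attack:
# a zero-size or hidden iframe, or a PHP redirect to the malicious host.
# The patterns are assumptions for the sample; use the strings from your own injected files.
find_injected_files() {
    grep -rlE --include='*.html' --include='*.php' \
        -e 'iframe[^>]*(width="0"|height="0"|visibility:hidden)' \
        -e 'header\("Location: http://malicious\.example' "$1" | sort
}

# List .html/.php files under $1 changed in the last $2 minutes, to catch the
# second stage of an attack as it happens rather than when Google flags the site.
find_recently_changed() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' \) -mmin "-$2"
}

# --- 3. Firewall rules restricting FTP and SSH to the recovery team ---
ALLOWED_IPS="198.51.100.7 198.51.100.8"   # assumed recovery-team addresses (documentation range)

# Emit (not run) iptables rules that accept TCP 21 and 22 from $ALLOWED_IPS and drop the rest.
# Assumes the INPUT chain has no earlier rule accepting those ports; review, then run as root.
lockdown_rules() {
    for ip in $ALLOWED_IPS; do
        for port in 21 22; do
            echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
        done
    done
    echo "iptables -A INPUT -p tcp --dport 21 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Demonstration when run directly.
printf '%s\n' "$SAMPLE_LOG" | offhour_ftp_logins
demo_root=$(make_sample_webroot)
find_injected_files "$demo_root"
find_recently_changed "$demo_root" 5
rm -rf "$demo_root"
lockdown_rules
```

Two caveats on the firewall part. Passive-mode FTP negotiates a second, high-numbered data port, so if FTP has to stay up during recovery the server's passive port range needs the same source restriction; the cleaner option is to disable FTP entirely and have the recovery team upload over SFTP, which rides on the SSH port already covered by these rules. And if your hosting provider has its own firewall in front of the server, apply the same restriction there too.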
If you can't work out how the attackers are compromising your server yourself, you may need to call on the services of specialists like us. We will analyse your server to work out how the attackers are breaking in and, should you not have any backups, help you remove their malicious code from your sites. Be warned, however, that this process can be extremely time-consuming, and therefore costly.
Prevention is Better Than Cure
The best course of action for any website is to ensure that you are using strong passwords that aren't easy to guess (or even to remember), and that you store them securely. News reports have been spelling the end of the password for some time, and continual advances in graphics card technology make offline cracking of captured password hashes, even for complex passwords, easier every year.
A few years ago, many people would have told you that an 8 character password was long enough to make cracking it too costly for the average attacker. Given the computing power in even a mid-range desktop today, any password based on dictionary words or an identifiable pattern is within easy reach whatever its length, and 8 random characters no longer hold up against a determined attacker either. Use a truly random password of at least 20 characters; if a password manager generates and stores it for you, the extra length costs you nothing.
It is also vital that you change shared passwords whenever someone who had access no longer requires it, so that former staff and contractors cannot get back into your servers. Better still, give each person their own account or SSH key, so that one person's access can be revoked without everyone else having to change their credentials.
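The SSH brute-force attempts against root described earlier are only a threat if the server still accepts password logins for root in the first place. As an added example (not code from the original post), the script below audits an sshd_config for the settings that make such an attack viable: PermitRootLogin, PasswordAuthentication and MaxAuthTries. The two configuration snippets are constructed for the example; in practice, point the function at /etc/ssh/sshd_config. The AllowUsers address in the hardened sample is an assumption, not anything from the original incident.

```shell
#!/bin/sh
# Added example: audit sshd_config for settings that allow password guessing
# against root (not from the original post). Config text is constructed.

# The kind of configuration that lets a root brute-force attack succeed.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10'

# Keys only, no direct root login, few attempts per connection, and logins
# limited to one account from one (assumed) address.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy@198.51.100.7'

# Read an sshd_config on stdin and print one line per weak setting found.
# A directive that is absent is reported too, because OpenSSH then applies its
# default, and for PasswordAuthentication the default is yes.
sshd_weak_settings() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        { key = tolower($1); val = tolower($2); seen[key] = 1 }
        key == "permitrootlogin" && val != "no" && val != "prohibit-password" {
            print "PermitRootLogin " $2 " (should be no; log in as a normal user and use sudo)"
        }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication yes (use keys only; passwords are what is being brute-forced)"
        }
        key == "maxauthtries" && val + 0 > 3 {
            print "MaxAuthTries " $2 " (3 or fewer limits guesses per connection)"
        }
        END {
            if (!seen["passwordauthentication"])
                print "PasswordAuthentication not set (defaults to yes)"
            if (!seen["permitrootlogin"])
                print "PermitRootLogin not set (default is prohibit-password on OpenSSH 7.0+, yes on older releases)"
        }
    '
}

# Demonstration when run directly: the weak config should produce three findings,
# the hardened one none.
echo "== weak config =="
printf '%s\n' "$WEAK_CONFIG" | sshd_weak_settings
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONFIG" | sshd_weak_settings
```

To apply the hardened settings, edit /etc/ssh/sshd_config, run `sshd -t` to check the syntax, and keep your existing session open while you test a fresh login with your key from another terminal before restarting the service, so a mistake doesn't lock you out. MaxAuthTries only limits guesses per connection; pair it with the IP restrictions discussed above, or a tool such as fail2ban, to limit the number of connections an attacker can open.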
Keeping the software on your server up to date is just as important in preventing your websites from being compromised: many attacks exploit published security flaws for which a fix already exists, and the security updates that site owners take months to install are exactly what the attackers are counting on.
One final task that you may find useful is to contract a security firm like us to perform monthly assessments of your server, checking for unpatched software vulnerabilities and weak passwords, and alerting you to them before your server is compromised.