Tag: website hack

Dissection of a WordPress hack.

Today on episode 17 of Web Hosting Podcast, Megan and I dissect a website hack we have been working on. We discuss the how, the what and ways to prevent future hacks. We also discuss the defacement of webhostingpodcast.com and how I recovered the site so quickly. And remember those quick tips I used to run? They are coming back in a new way!

Podcast phone line 971 249 2359 is manned by me on Thursdays 9AM PST – 12PM PST. Feel free to call in and press (2) to reach me directly during those hours. If you want to just leave me a message anytime, press (1) and it will send you directly to a voicemail box.

Dissection of a WordPress hack we have been dealing with; the topics we cover are:

  • How we think it happened.
  • How we cleaned it up.
  • What could have prevented it.

Info on what we found from Sucuri regarding this specific website hack.

You will find the plugin I used to find that the WordPress core files had been modified. This plugin has since been abandoned by Automattic (the makers of WordPress, WooCommerce and Jetpack, to name a few), but it can still be used. You need to download the hash file for the version of WordPress you are using. I would just like to point out that other external and filesystem-based scans did NOT find this hack. Only by careful examination of the output of the exploit scanner were we able to find the source of this hack. It is no longer enough to just scan with one tool and think the site is clean. I recommend that you scan with multiple sources if you think you have been hacked, or if a hack keeps coming back after being cleaned. I also, and I cannot stress this enough, recommend a daily backup of your website. There are many tools out there that will help you obtain a regular backup to an external location, such as Dropbox, S3, FTP, or Google Drive. There is no reason not to have this set up for your site.

This is the plugin link 
And this is the location of the hash file on GitHub.
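
As an added example (not the plugin's code and not from the podcast), this is the core-file integrity check the plugin performs, done by hand in Python: hash every file under the WordPress root, compare against a known-good manifest, and report modified, missing and unexpected files. The file names, manifest and tampering are all constructed inline; the plugin's real hash-file format is not reproduced.

```python
import hashlib
import os
import tempfile
# Constructed stand-in for one release's pristine core files; a real run loads the hash file for the exact installed version.
CLEAN_FILES = {
    "wp-settings.php": "<?php // constructed stand-in for a core file\n",
    "wp-includes/version.php": "<?php $wp_version = '0.0-constructed';\n",
    "wp-admin/index.php": "<?php // constructed admin entry point\n",
}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def manifest_from_tree(root):
    """Hash every file under root, keyed by its forward-slash path relative to root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def verify_core(root, known_good):
    """Report files whose hash differs from, is absent from, or is not listed in the manifest."""
    actual = manifest_from_tree(root)
    return {
        "modified": sorted(p for p in known_good if p in actual and actual[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in actual),
        "unexpected": sorted(p for p in actual if p not in known_good),
    }

def write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)

def demo(tamper=True):
    """Build a clean tree, record its hashes, optionally tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, CLEAN_FILES)
        known_good = manifest_from_tree(root)  # stands in for the downloaded per-version hash file
        if tamper:  # constructed tampering: one core file altered, one file added, one removed
            with open(os.path.join(root, "wp-settings.php"), "a") as f:
                f.write("// constructed appended line\n")
            write_tree(root, {"wp-includes/zz-constructed-extra.php": "<?php // not in manifest\n"})
            os.remove(os.path.join(root, "wp-admin/index.php"))
        return verify_core(root, known_good)
```

On a real install, point verify_core at the WordPress root with the hash file for the exact installed version loaded as known_good, and filter wp-config.php, wp-content and other site-specific paths out of the unexpected list, since the core hash file does not cover them.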

Dealing with a hacked website and Malware types.

Virus/Malware/Ransomware/etc. Covering the differences and how they might affect you.

Definitions sourced from Comodo

Differences between them all.

  • Malware – Malware is software written specifically to infect the target host system. Subcategories of malware include:
  • Virus – A virus is a specific type of malware by itself. It is a contagious piece of code that infects the other software on the host system and spreads itself once it is run. It is mostly known to spread when software is shared between computers. This acts more like a parasite.
  • Adware – Adware is also known as advertising-supported software. It is software which renders advertisements for the purpose of generating revenue for its author. The advertisements are published on the screen presented to the user at the time of installation. Adware is programmed to examine which Internet sites the user visits frequently and to present and feature related advertisements. Not all adware has malicious intent, but it becomes a problem anyway because it harms computer performance and can be annoying.
  • Spyware – This type of malicious software spies on you and tracks your internet activities. It helps the hacker in gathering information about the victim’s system without the consent of the victim. This spyware’s presence is typically hidden from the host and it is very difficult to detect. Some spyware, like keyloggers, may be installed intentionally in an organization to monitor activities of employees.
  • Worms – This type of malware will replicate itself and destroy information and files saved on the host PC. It works to eat up all the system operating files and data files on a drive.
  • Trojan – Trojans are a type of virus that are designed to make a user think they are a safe program and run them. They may be programmed to steal personal and financial information, and later take over the resources of the host computer’s system files. In large systems it may attempt to make a host system or network resource unavailable to those attempting to reach it. Example: your business network becoming unavailable.
  • Ransomware – Ransomware is an advanced type of malware that restricts access to the computer system until the user pays a fee. Your screen might show a pop-up warning that you have been locked out of your computer and that you can access it only after paying the cyber criminal. The cyber criminal demands a ransom to be paid in order for the restriction to be removed. The infamous CryptoLocker is one type of ransomware.

Checking for a virus in your hosting environment.

cPanel Virus Scanner – uses ClamAV as the scanner.

Log in to your cPanel account and look or search for “Virus Scanner”. Click on the icon to open it. You should now be presented with a series of radio buttons.

  • Scan Mail – this is used to scan your email folders only.
  • Scan entire home directory – this is used to scan your cPanel home directory, including web/ftp/email spaces.
  • Scan public web space – this is used to scan only your web site locations on disk in your home directory.
  • Scan public FTP space – this is used to scan your FTP location on disk in your home directory.

I like to use “Scan Entire Home Directory” so it will scan everything. This could take a while to complete initially. Select this option and click on the “Scan Now” button. The Virus Scanner will now start scanning your entire home directory for infected files. If it finds an infected file, you will be presented with 3 options for every file listed as infected.

3 options when it finds a virus.

  • quarantine – this will move the selected files into a quarantine folder in your home directory called quarantine_clamavconnector.
  • remove/delete – this permanently deletes the file with no hope of recovery. Be aware that you could possibly break your site if a core file is deleted using this option.
  • ignore – this will ignore the selected file. This allows you to manually remove the file or replace it through another means.

You can scroll to the bottom of the found virus list to use the “Select All” button for each of the above.

Gotchas I ran into during my testing.

ClamAV was able to identify viruses on disk effectively, where external scanners could not see them at all. I chose to use Sucuri site scan to try and find these infected files. It was not able to. This leads me to believe that unless the hacked/virus-infected files are coded as part of your site (for example in your footer.php), external scans will never see them. It is still a good idea to have external scans, but doing a regular scan at the host level that can see your actual files is still required. I highly recommend ClamAV and CXS (ConfigServer eXploit Scanner). CXS ties into a database of PHP exploits as well as ClamAV and can scan your entire cPanel account for exploits that external scanners cannot see. CXS can also tell you what is outdated in your chosen CMS. This is great for finding forgotten and possibly dead websites in your hosting account.

Dealing with a hacked website.

  1. Do not panic and stay calm.
  2. Take the site offline.
  3. Change passwords (cPanel, FTP, email accounts, MySQL, all of them).
  4. Diagnose/Scan – Either do this yourself or find/hire someone to do this. Some hosts can scan your hosting account to determine how bad the hack is and possibly how it was done.
  5. Remove the hack – File restore, edit/clean files, clean database.
  6. Scan the site again to ensure it is clean.
  7. Scan the local computers used to maintain and access the site to ensure they are not compromised or contain malware.
  8. Update the site to be current.
  9. If you are on the Google/Firefox unsafe-site list, you will need to get the site delisted.
  10. If you did a clean restore of your site, be sure to change the site password again. Often a restore will revert the password back to what it was previously, which could have been compromised.
  11. Update everything!!
  12. Scan for viruses and vulnerabilities again.
  13. If all is clean, perform a final clean backup and archive it someplace safe.
  14. Get set up on a regular site security scan. This can be something as simple as Sucuri or a host-provided CXS (ConfigServer eXploit Scanner). Maybe they have something else that they can do for you regularly; I would recommend checking with your own hosting provider to see what options they may have.

New 30 second tip from Megan Ferrell of websites503.com

If you would like to present your own 30 Second Tip, please use the contact page.