What To Do If Your Site Has Been Hacked

Unfortunately either your site is not secure or the server you are being hosted on is not secure. You can only make sure your site is secure and talk to your host to see if they can secure their server. Now you have to make a choice:-

1) Do it yourself == See below on how to get a totally free, no obligation, Tips & Tricks sheet.
2) Get someone to do it for you == Which is where I might come in, with my Diagnose, Cleanse and Secure option.

If you are going to do it yourself you have 2 choices:-
1) Wipe your entire site and restore the code and data from a known good backup and apply the security patches.
2) Cleanse the site.

Once you decide how you are going to proceed, you also have to decide "shall I close the site whilst I am doing this?". This is a bit of a no-brainer: lock down your site so no-one can get in. Do this by password protecting the root of your site (use your hosting control panel to do this) and get to work. When you have finished and the site is OK again you can remove this password.

Even if you have a clean backup, you have to discover how they got in and plug the hole.

If you want to cleanse your site yourself I have a list of useful tips and tricks such as:-
1) For an unsophisticated hack look at the date/time of the files on your site and see if there are files changed at a date/time when you did not change them.
2) Look in those files and see if there is some suspicious code.
3) If there is, remove the "suspicious" code.
4) Check the logs for that period and see how they got in. You have to check the web server access logs and the FTP access logs and look for suspicious entries.

Look for POST commands like:

-[01/Jan/2011:08:51:14 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview

This is the suspicious bit: categories.php/login.php

- - [31/Jan/2011:11:13:44 -0500] "POST /account.php HTTP/1.0" 200 9 www.xxxxxxxxx.com "-" "-" "-"

Here it is the "-" "-" "-" that is suspicious.
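The file-date check in step 1 and the two log patterns quoted above, put into a small triage script. This is an added example of mine, not part of the original tips sheet. It assumes the access log is in Apache's usual layout (client, identity, user, timestamp, quoted request, status, size, then optional virtual host and quoted fields), that the last two quoted fields are the referer and user-agent (my reading of the "-" "-" "-" entry: a POST that arrives with no referer and no browser identification), and that a .php script name followed by a further path component (categories.php/login.php) is worth a look. The log lines and the file tree are constructed sample data.

```python
import os
import re
import tempfile
import time

# Head of an Apache-style access log line: client, ident, user, [timestamp],
# "request", status, size.  Whatever follows (virtual host, referer,
# user-agent) is picked up from the quoted fields further down.
HEAD_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A .php script name followed by another path component, e.g.
# categories.php/login.php, which the tips sheet singles out as suspicious.
PHP_PATH_INFO_RE = re.compile(r'\.php/', re.I)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected layout."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    quoted = re.findall(r'"([^"]*)"', line)   # request first, then referer/agent at the end
    parts = m.group("request").split(" ")
    return {
        "client": m.group("client"),
        "ts": m.group("ts"),
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
        # Assumption: the last two quoted fields are referer and user-agent.
        "referer": quoted[-2] if len(quoted) >= 3 else "",
        "agent": quoted[-1] if len(quoted) >= 3 else "",
    }


def triage_log(text):
    """Flag the two patterns from the text: PHP path-info tricks and POSTs with blank referer and agent."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PHP_PATH_INFO_RE.search(rec["path"]):
            findings.append(("php-script-followed-by-extra-path", rec["client"], rec["path"]))
        if rec["method"] == "POST" and rec["referer"] in ("", "-") and rec["agent"] in ("", "-"):
            findings.append(("post-with-blank-referer-and-agent", rec["client"], rec["path"]))
    return findings


def files_modified_since(root, since_epoch):
    """Return (mtime, path) for files under root changed at or after since_epoch, newest first."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            if mtime >= since_epoch:
                hits.append((mtime, path))
    hits.sort(reverse=True)
    return hits


def build_sample_tree():
    """Constructed throw-away tree: one file dated 1970, one touched just now. Returns (root, old, new)."""
    root = tempfile.mkdtemp(prefix="hacktriage_")
    old = os.path.join(root, "index.php")
    new = os.path.join(root, "images", "x.php")
    os.makedirs(os.path.dirname(new))
    for p in (old, new):
        open(p, "w").close()
    os.utime(old, (0, 0))
    return root, old, new


# Constructed sample lines, modelled on the two quoted in the text (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2011:08:51:14 -0500] "POST /catalog//admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Jan/2011:11:13:44 -0500] "POST /account.php HTTP/1.0" 200 9 www.example.com "-" "-" "-"
192.0.2.44 - - [31/Jan/2011:11:15:02 -0500] "GET /index.php HTTP/1.1" 200 4120 "http://www.example.com/" "Mozilla/5.0"
192.0.2.44 - - [31/Jan/2011:11:15:09 -0500] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(*finding)
    root, _old, _new = build_sample_tree()
    for mtime, path in files_modified_since(root, time.time() - 86400):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)), path)
```

Run it against a real log with `triage_log(open("access.log").read())` and against the site root with `files_modified_since("/path/to/site", cutoff)`, where the cutoff is the last time you know you changed something. Both checks only narrow the search; a file that matches still has to be opened and read as step 2 says.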

Use our "Contact Us" page to request a more complete copy of this set of Tips & Tricks.

If you have a basic OSC install but no backup, it might be better to save the data, wipe the site, reinstall, add on any contributions etc. and lock down the site by installing the security contributions as recommended on the OSC Security forum.

If your site has been significantly amended and you do not have a clean backup then you will need to go through every file on the site and check its contents. This can be done on a local copy of the files with a good editor.

Try these simple instructions on how to disinfect your site.

There are 2 contributions that highlight hacked files:

VTS - Virus Threat System, excellent for initial cleansing.
Site Monitor - Better for ongoing monitoring

This one even tries to disinfect the site for a specific hack but can be altered for yours if required.
Site57 .info Hack Fix

Then make sure you install the Security Contributions recommended in the first thread in the OSC Security forum, as they plug the known holes in the code, before you go live again.

You should also verify the permissions on the directories and files on your site are correct.
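A permission audit to go with that sentence, added here as my own example rather than anything from the page or the contributions it names. The policy it checks is an assumption for the example: nothing under the web root is world-writable, .php files are not group-writable, and configure.php is read-only for everyone once the shop is set up. The tree it builds is constructed sample data.

```python
import os
import stat
import tempfile


def permission_findings(root):
    """Walk root; return (reason, relative_path, octal_mode) for every entry that breaks the policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # symlink mode bits say nothing about the target
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            octal = format(mode, "o")         # e.g. "777"
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel, octal))
            elif name.endswith(".php") and mode & stat.S_IWGRP:
                findings.append(("group-writable-php", rel, octal))
            # Assumed policy: the live configure.php is never writable by anyone.
            if name == "configure.php" and mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("configure.php-writable", rel, octal))
    return findings


def build_sample_tree():
    """Constructed throw-away tree: two clean entries and two that break the policy (sample data only)."""
    root = tempfile.mkdtemp(prefix="permcheck_")
    os.makedirs(os.path.join(root, "includes"))
    os.makedirs(os.path.join(root, "images"))
    index = os.path.join(root, "index.php")
    cfg = os.path.join(root, "includes", "configure.php")
    for p in (index, cfg):
        open(p, "w").close()
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "includes"), 0o755)
    os.chmod(os.path.join(root, "images"), 0o777)   # world-writable upload directory
    os.chmod(index, 0o644)
    os.chmod(cfg, 0o666)                              # config left writable
    return root


if __name__ == "__main__":
    for reason, rel, octal in sorted(permission_findings(build_sample_tree())):
        print(f"{reason:24} {octal:>4}  {rel}")
```

Point it at the real document root with `permission_findings("/path/to/site")`. A directory that a script legitimately has to write to (image uploads, session files) will show up too; the aim is that every hit is one you can explain, not that the list is empty.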

How to restore your database / To overwrite a db with a back-up

1. Take a backup of the current db and store it on your local PC.
2. Open file to be restored in notepad or other editor.
3. Check if "CREATE TABLE IF NOT EXISTS `address_book`" statement is present.
4. Check if "truncate table if exists `address_book`" statement is present.
5. Go into phpMyAdmin.
6. Select the db you want to import.
7. Select the Import tab.
8. Follow the options available.
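Steps 3 and 4 have you look for CREATE TABLE IF NOT EXISTS and TRUNCATE statements before importing, because they decide whether the import replaces what is in the database or merges into it: a CREATE TABLE IF NOT EXISTS with no DROP or TRUNCATE before it leaves the existing (possibly tampered) table in place, and any INSERT that repeats an existing primary key then fails. The script below automates that reading of the dump. It is an added example of mine, not code from the page; the dump it audits is constructed sample SQL, and it only recognises the plain statement forms shown.

```python
import re

# Statement patterns, one per line, as mysqldump and phpMyAdmin write them.
CREATE_RE = re.compile(r'^\s*CREATE TABLE(?P<ifne>\s+IF NOT EXISTS)?\s+`?(?P<t>\w+)`?', re.I | re.M)
DROP_RE = re.compile(r'^\s*DROP TABLE(?:\s+IF EXISTS)?\s+`?(?P<t>\w+)`?', re.I | re.M)
TRUNCATE_RE = re.compile(r'^\s*TRUNCATE(?:\s+TABLE)?(?:\s+IF EXISTS)?\s+`?(?P<t>\w+)`?', re.I | re.M)
INSERT_RE = re.compile(r'^\s*INSERT INTO\s+`?(?P<t>\w+)`?', re.I | re.M)


def audit_dump(sql):
    """Summarise, per table, how the dump creates it, whether it clears it, and how many INSERTs it has."""
    tables = {}

    def rec(name):
        return tables.setdefault(name.lower(), {"create": None, "cleared": False, "inserts": 0})

    for m in CREATE_RE.finditer(sql):
        rec(m.group("t"))["create"] = "if_not_exists" if m.group("ifne") else "plain"
    for m in DROP_RE.finditer(sql):
        rec(m.group("t"))["cleared"] = True
    for m in TRUNCATE_RE.finditer(sql):
        rec(m.group("t"))["cleared"] = True
    for m in INSERT_RE.finditer(sql):
        rec(m.group("t"))["inserts"] += 1
    return tables


def import_warnings(tables):
    """Return (table, message) for tables the import would not cleanly replace."""
    warnings = []
    for name, info in sorted(tables.items()):
        if info["inserts"] and not info["cleared"]:
            if info["create"] == "if_not_exists":
                warnings.append((name, "CREATE TABLE IF NOT EXISTS with no DROP/TRUNCATE: "
                                       "existing rows stay and repeated primary keys will error"))
            elif info["create"] is None:
                warnings.append((name, "INSERTs only: rows are appended to whatever the table holds now"))
        elif info["create"] == "plain" and not info["cleared"]:
            warnings.append((name, "plain CREATE TABLE with no DROP: fails if the table already exists"))
    return warnings


# Constructed sample dump covering the cases above (not a real backup).
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `address_book`;
CREATE TABLE IF NOT EXISTS `address_book` (`address_book_id` int NOT NULL, PRIMARY KEY (`address_book_id`));
INSERT INTO `address_book` VALUES (1);
CREATE TABLE IF NOT EXISTS `customers` (`customers_id` int NOT NULL);
INSERT INTO `customers` VALUES (1);
INSERT INTO `customers` VALUES (2);
CREATE TABLE `sessions` (`sesskey` varchar(32));
INSERT INTO `orders` VALUES (7);
"""

if __name__ == "__main__":
    for table, message in import_warnings(audit_dump(SAMPLE_DUMP)):
        print(f"{table}: {message}")
```

Run `import_warnings(audit_dump(open("backup.sql").read()))` before step 5. In the sample, `address_book` is dropped first and imports cleanly; `customers` would merge into the existing table, `orders` would only append, and `sessions` would fail to create if it already exists.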
