Help! My Site Was Hacked!
Topics discussed in this article:
- Why Google shows, “This site may be hacked.”
- The first thing you should do if your website is hacked
- How to fix a hacked website
- How common is website hacking?
- What do the hackers want?
Tens of thousands of websites are compromised every day. Malicious automated software (“robots”), usually running on servers overseas, is constantly trolling the Internet looking for servers with vulnerabilities that the robot can exploit. The motivation for hacking¹ websites is typically financial. Once hackers have access to the programs that run a website, they will replace or add code that serves their nefarious purposes. This may be sending spam email, posting comment spam, redirecting visitors to the hacker’s website, or using the good reputation of the legitimate website to promote the attacker’s site. The purpose of some infections is to spread a virus that can actually harm the site visitor’s computer.
Once a web server has been compromised, the site will soon be blacklisted by search engines; an event that can be devastating to the site owner’s business. Infected servers can be quite difficult to fix. The process requires a high level of technical skill. After remediation, additional measures are required to get the site de-blacklisted. This is an essential step in restoring the good reputation of the website. This article provides some information that might help the highly-skilled website/server administrator repair a hacked site and get it off the blacklists. Please contact BridgeTown Hosting Company if the challenge proves too great.
This article was originally written to inform our clients on the issues and risks discussed. Although it has since been expanded, it is by no means all-encompassing. Please contact BridgeTown by phone if you have specific questions. For questions of a more general nature, please use the comment section at the end of this article.
Google Listing Warnings:
“This site may be hacked.” and “This site may harm your computer.”
If one of these phrases surfaces with a Google search result it’s fairly certain that the person performing the search is not going to visit the website. Even more drastic warnings will appear if the user tries to visit the site using Google’s Chrome browser.
These messages are an indication that the site needs technical attention very quickly to remedy the hacker’s intrusion. Infected sites are soon punished. Search engines will blacklist compromised websites, severely demoting the search engine ranking or de-listing the site.
There are very few false positives. If this shows up, then the website is in need of repair. The site administrator should quickly take the site off-line and fix the problem. It will take some time for the website to regain credibility after an intrusion has compromised the site, so it is essential to act fast. Considerable technical expertise is required to repair an infected site. This includes the ability to work with the server from the command line and an in-depth understanding of the website’s “behind-the-scenes” programming. For those who have the technical skills, this is still a challenging and time-consuming task. For more information about remediation, watch the entire video series by Google about fixing a hacked website. BridgeTown Hosting Co. can help if you don’t have the technical background or the time to meet this challenge.
The First Thing You Should Do if Your Website is Attacked
Quarantine your site!
If your website is infected, contact your technical support team and your website hosting company. Even if your website appears to be working normally, being blacklisted by a search engine indicates a near certainty that your site has been compromised. Take it off-line immediately. Not all hacker intrusions will disable a website. Your server may be infecting others or distributing spam. Put up a temporary page announcing that your site is under maintenance and do not let any of the old code execute. Leaving a compromised website on-line is very irresponsible and may lead to sensitive information (usernames, passwords, etc.) being stolen or malware proliferation.
How To Fix a Hacked Website
Websites are attacked in many different ways and for differing reasons. To identify and fix the problems, one has to know what the cyber criminal’s intentions are. Without knowing the motivation of the hacker, it will be nearly impossible to have confidence in the solution. Some sites are compromised for the purpose of posting spam messages in comments or discussion forums. Other servers are invaded to hijack the RSS feed engine. Websites might also be cracked to steal sensitive information. Each of these situations will require different remedies. Follow these steps:
- Quarantine the website
- Contact the web host, webmaster, and server administrator
- Identify the intentions of the cyber criminals (malware distribution, spam, data theft, etc.)
- Figure out how the attacker gained access
- Find and fix damage
- Perform updates, clean-up, and maintenance
- Install measures to prevent future attacks
- Request a review of the site from all major search engines
Google has provided detailed guidance for repairing a compromised website and restoring the site’s good reputation. Those who find the scope of remediation overwhelming should seek outside technical help. After the problems are fixed the site owner should use the Webmaster Tools for all the major search engines to verify ownership of the site and to report that remediation was completed. This process is required to get rid of the “This site may be hacked” notation in the Google listing.
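For the “Find and fix damage” step, one way to locate PHP code that was added or replaced is to compare the live web root against a known-good copy. This is an added example, not code from BridgeTown or Google; the function name php_drift, the demo directory layout and the availability of a clean copy of the same release (a fresh download or a pre-incident backup) are assumptions.

```shell
#!/bin/sh
# Compare a live web root against a known-good copy and report PHP drift.
# Hypothetical helper: the name and the demo tree below are constructed.

# Usage: php_drift CLEAN_DIR LIVE_DIR
# Prints "ADDED path", "CHANGED path" or "MISSING path", sorted by path.
php_drift() {
    clean=$1 live=$2
    {
        # Files in the live tree: new, or different from the clean copy.
        (cd "$live" && find . -type f -name '*.php') | while IFS= read -r f; do
            if [ ! -f "$clean/$f" ]; then
                echo "ADDED ${f#./}"
            elif ! cmp -s "$clean/$f" "$live/$f"; then
                echo "CHANGED ${f#./}"
            fi
        done
        # Files the clean copy has but the live tree has lost.
        (cd "$clean" && find . -type f -name '*.php') | while IFS= read -r f; do
            [ -f "$live/$f" ] || echo "MISSING ${f#./}"
        done
    } | LC_ALL=C sort -k2
}

# Constructed demo trees so the function can be run offline.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/inc" "$d/live/inc" "$d/live/uploads"
    echo '<?php // index' > "$d/clean/index.php"
    echo '<?php // index' > "$d/live/index.php"
    echo '<?php // loader' > "$d/clean/inc/load.php"
    echo '<?php // loader + injected line' > "$d/live/inc/load.php"
    echo '<?php // settings' > "$d/clean/inc/settings.php"
    echo '<?php // dropped file' > "$d/live/uploads/x.php"
    php_drift "$d/clean" "$d/live"
    rm -rf "$d"
}

demo
```

A file reported as ADDED is not automatically malicious, since plugins and themes install PHP of their own, so review each hit before deleting or restoring it.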
Why was my site hacked?
BridgeTown Hosting Company is frequently asked this question. Site owners may say that there is no sensitive information to be stolen and can see no reasons for the attack. Most of the time, the target of an attack is not specifically singled out for any particular reason. Robots often simply poke at any website they can find until they get in or give up and move on. It’s analogous to a burglar walking down the street jiggling every doorknob until one is found unlocked. The overwhelming majority of the compromised websites BridgeTown is contracted to repair are WordPress sites. WordPress uses a MySQL database to store the information that appears on pages and posts. The web pages are not stored as HTML files like a traditional website. Rather, they are built on the fly when a user accesses the page. When a browser requests the page, PHP scripts execute, which pull information from the database and construct the HTML code understood by browser software. The core WordPress installation includes many small PHP scripts. Each is a piece of programming code. Added to this are WordPress plugins, which provide additional functionality to the website, and themes, which define the overall appearance of the site content. Sometimes these PHP components have weaknesses: security flaws that are exploited by cyber criminals.
Malicious software robots scan the web looking for websites with known vulnerabilities the hacker can exploit. This allows them to gain access to parts of the target site or to seize control of the whole website or the server on which it runs. These processes are automated and run 24/7. The malicious server could be located anywhere but most are outside the United States. It is believed that the number of websites compromised daily is at least 30 to 40 thousand. A common technique is a brute force method, whereby the invader tries a different username and password again and again, in hopes of gaining administrator access to the site. For example, one of our clients’ websites was pummeled this way by servers in the Ukraine, North Korea, the Netherlands, and China 31,873 times in just eleven days. Although the client had no extra security measures in place, they were fortunate enough to avoid a break-in because they had used very strong passwords with a good mix of upper and lower-case letters, numbers, and symbols.
Once the attacker gains some level of access they may quickly start the dirty work or hang back, Trojan-style, for later mischief. What happens next depends upon the motivation of the attacker. Sometimes they want to post comments on a legitimate website containing links to another site; for example, one that sells pharmaceuticals. The aim is not only to attract new customers from the posted spam comments but also to give their own website the appearance of legitimacy to search engines crawling the victimized website. Another common angle is to exploit the RSS feed system of a site.
Many WordPress sites use RSS to notify users and search engines when new information is added to the website. Once a hacker has control, they will exploit the RSS feed to send out spam or to promote their own interests to search engines. Recently, a site owner contacted us because the Google search result for their website had the warning, “This site may be hacked”. The client was puzzled because their website appeared to be functioning normally and no spammy messages were found on the site. The site owner was not aware that the RSS hijacker was using the owner’s website to send spam ads for pharmaceutical products. Our investigation revealed that the robot attacker only had to guess about 150 times before finding a password granting administrative access to the site (the result of weak passwords). After the hacker gained control, the legitimate administrators were locked out and unable to take any action. The hacker then began adding and replacing PHP code which allowed them to use the victim’s system as a spam machine.
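The two password-guessing cases described above (thousands of failed attempts in one, a successful guess after about 150 tries in the other) can be told apart from the web server’s access log. This is an added example, not BridgeTown’s tooling; it assumes the combined log format, that WordPress answers a failed POST to /wp-login.php with HTTP 200 and a successful one with a 302 redirect, and it uses a constructed sample log.

```shell
#!/bin/sh
# Summarise password guessing against /wp-login.php per client IP.
# Assumptions: combined log format; a failed WordPress login re-renders the
# form (HTTP 200) and a successful login redirects (HTTP 302).

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
203.0.113.7 - - [01/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "bot"
198.51.100.20 - - [01/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla"
198.51.100.20 - - [01/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"
192.0.2.44 - - [01/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
192.0.2.44 - - [01/Mar/2024:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
192.0.2.44 - - [01/Mar/2024:11:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"
EOF
}

# Usage: login_report THRESHOLD < access.log
# Prints "ip failures verdict" for each IP with at least THRESHOLD failures.
login_report() {
    awk -v min="$1" '
        # Combined format fields: $1=ip  $6="POST (with quote)  $7=path  $9=status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?.*)?$/ {
            if ($9 == 200) fail[$1]++
            # A redirect after earlier failures means a guess finally worked.
            else if ($9 == 302 && ($1 in fail)) hit[$1] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min)
                    print ip, fail[ip], ((ip in hit) ? "guess-succeeded" : "failures-only")
        }' | LC_ALL=C sort
}

sample_log | login_report 3
```

Set the threshold high enough that a legitimate user who mistypes a password once or twice is not reported; any "guess-succeeded" line above that threshold calls for an immediate password reset and a review of what that session changed.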
BridgeTown Can Fix Your Hacked Website
As outlined in this article, fixing a website broken by hackers presents serious technical challenges. Odds are high that if the problem is not addressed quickly it will become more difficult to repair. It is also true that the longer the website, or the server itself, is out of the owner’s control, the greater will be the harm to the reputation of the owner’s site. The vast majority of these cases can be solved within a few days. The cost of this service depends upon the complexity of the site and the extent of the damage. Remember, the longer your site is blacklisted the greater the harm to your business.
Upon your request BridgeTown Hosting Co. will quickly investigate your infected website. We will assess the damage and provide recommendations and a price estimate for remediation. If you choose to move ahead with our services we will quarantine your site, perform a thorough technical inspection of the code followed by a report detailing the steps necessary to correct the problems. This may include a revised estimate of the cost to repair the site. After your site is repaired, tested, and restored to functionality we will likely install additional security precautions to help reduce the risk of future attacks. At the end of the process we will submit requests to Google and others to perform a site review and remove the warnings. Typically, a site review is completed in less than a week.
The price for our service ranges from a few hundred to a few thousand dollars, with the average being around $600 to $700. Please call for a more specific estimate.
Additional resources:
www.stopbadware.org
google.com/webmasters/hacked
codex.wordpress.org/FAQ_My_site_was_hacked
¹ hacking:
The terms “hacking” and “hacker” are grudgingly used in this article because they have become the widely understood words for describing malicious computing activity. Among us old-school programmers, a.k.a. “hackers”, the cyber criminals were traditionally called “crackers”, since they were trying to crack into a closed system. To avoid confusion we’ve caved in to the popular vernacular. Due apologies are offered to the true hackers. Please take no offense.
Image credits:
Malware_logo by Terra Green at en.wikipedia. Later version(s) were uploaded by Noir, DanielPharos at en.wikipedia. [LGPL (http://www.gnu.org/licenses/lgpl.html)], from Wikimedia Commons
Hacker_-_Hacking_-_Symbol by www.elbpresse.de (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
Thanks for the information about how to remove the “This site may be hacked” notice in the Google listing for my web site. I followed the instructions and it worked.
Thank you!
We have seen this “Database Error” message in some cases of hacking. This is often an indication that something is wrong with the WordPress configuration. Sometimes this is seen when WordPress is first installed but not completely set up. Similarly, the message “Error establishing a database connection” may be seen. This could be a result of incorrect information in the wp-config file. It could also be showing because of a corrupt database.
It sounds like in your case the site had been functioning normally before this happened. You will probably only be able to fix this by using FTP to access the server and replace the missing or damaged core WordPress files and configuration file. Be sure to follow up with all of the measures described on this page, including the links under “Additional resources”.
Most likely your site can be salvaged. Please call us if you need further assistance.
None of my WordPress site pages load. It just says ‘Database Error’. Is that a sign of hacking?