Web sites are hacked every day, and the consequences can be devastating: whole sections of a site removed, visitors infected with malware, and sensitive data stolen. In many cases, however, the intrusion is done so subtly that neither the owners nor the visitors notice that the site has been hijacked by criminals. This guide offers an extensive list of top recommendations for restoring a potentially affected site and removing any malicious code found in it.
How To Check If Your Site Has Been Hacked?
Security specialists often note that one of the most important factors in a successful restoration is time: not only how quickly the incident is discovered, but also how quickly the site administrators can respond to it.
There are several ways for site owners to find out whether their site has been accessed by an intruder. The exact steps depend on the hosting provider and on how much access the owners have to the servers. The first stop is the detailed access log files, which should be checked for unusual activity. Administrators can look for odd behaviour such as frequent login attempts or repeated requests for a certain page or section of the site.
These two activities are signs of brute-force attempts, which use automated toolkits and password lists to try to authenticate as a user or site administrator. They are very common on sites that have any sort of interactive fields, because such fields send requests to the backend and are targeted automatically. Attacks are far more likely against sites that run popular content management systems such as WordPress, Drupal and Joomla, because their rich ecosystem of themes, plugins and other add-ons gives attackers many components that can be exploited.
Repeated requests against an interactive page or a particular web script can also indicate exploitation of a specific vulnerability: weaknesses in the way the scripts process input can let an attacker inject code or break the way authentication works, after which the criminals can get into the system. Security checks that run as a separate, isolated component can also be bypassed if a denial-of-service attack is directed against them, and in the process of hijacking the site the hackers may disable key functionality as well.
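A first pass over the access log can be automated. The following Python script is an added example and not part of the original article; it parses lines in the Apache/nginx "combined" log format and flags, per client IP, bursts of POST requests to the login endpoints of WordPress, Joomla and Drupal (a brute-force indicator) and bursts of requests for any single path. The endpoint list, thresholds, time window and sample log lines are assumptions constructed for the example; tune them to your own site.

```python
"""Flag brute-force and repeated-request patterns in a web access log.

Added example (not from the original article). Parses the Apache/nginx
"combined" log format and keeps, per client IP, a sliding window of
timestamps for login POSTs and for requests to each path.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One "combined" log line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: login endpoints of WordPress, Joomla and Drupal; adjust for your CMS.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login"}


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def _count_in_window(window_queue, ts, window):
    """Append ts, drop entries older than `window`, return the current count."""
    window_queue.append(ts)
    while ts - window_queue[0] > window:
        window_queue.popleft()
    return len(window_queue)


def analyze(lines, window=timedelta(seconds=60), login_threshold=5, repeat_threshold=10):
    """Return {'brute_force': {ip: peak}, 'repeated_requests': {(ip, path): peak}}.

    A client is flagged once it reaches the threshold inside any `window`;
    the value stored is the peak count observed within a window.
    """
    login_hits = defaultdict(deque)   # ip -> timestamps of login POSTs
    path_hits = defaultdict(deque)    # (ip, path) -> timestamps of requests
    findings = {"brute_force": {}, "repeated_requests": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            n = _count_in_window(login_hits[ip], ts, window)
            if n >= login_threshold:
                findings["brute_force"][ip] = max(findings["brute_force"].get(ip, 0), n)
        n = _count_in_window(path_hits[(ip, path)], ts, window)
        if n >= repeat_threshold:
            key = (ip, path)
            findings["repeated_requests"][key] = max(findings["repeated_requests"].get(key, 0), n)
    return findings


# Constructed sample log: normal browsing from 203.0.113.5, eight login POSTs in
# 35 seconds from 198.51.100.7, twelve hits on one page in 33 seconds from 198.51.100.9.
SAMPLE_LOG = (
    ['203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "GET /%s HTTP/1.1" 200 5123' % (s, p)
     for s, p in [(1, ""), (9, "about/"), (30, "contact/")]]
    + ['198.51.100.7 - - [10/Oct/2023:13:56:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3412' % s
       for s in range(0, 40, 5)]
    + ['198.51.100.9 - - [10/Oct/2023:13:57:%02d +0000] "GET /contact/ HTTP/1.1" 200 5123' % s
       for s in range(0, 36, 3)]
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for key, peak in hits.items():
            print(f"{kind}: {key} ({peak} requests within 60 s)")
```

Run it against a real log with `analyze(open("access.log"))`. Lines that do not match the format are skipped rather than aborting the scan, and a hit is a prompt to pull that client's full request history, not proof of compromise: a legitimate crawler or a user mashing reload can trip the repeated-request rule.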
Latest Ransomware Infections & Ongoing Website Malware Campaigns
A very dangerous method of spreading ransomware is to launch exploits against the web servers that power the sites themselves. While this is regarded as difficult and rare, some of the latest ransomware families can be very effective in this regard. The typical approach most of them take is the following:
- Network Lookup: the first step is to find out which host is behind the sites the criminals want to take down and/or infect with ransomware. This is done through several manual checks whose results are cross-referenced. At this stage the hackers enumerate what services are running on the host and make a list of possible weaknesses they can target.
- Attack Preparation: the most complex stage, in which the hackers program their toolkits with the necessary code. Additional research and information can be gathered from previous attacks or from experience shared on underground forums.
- Intrusion and Infection Attempts: the final step is to carry out the infection and find out to what extent damage has been done. In most cases this is done through remote control functionality that lets the hackers drop ransomware and Trojans.
The reason for going after the server is that compromising it gives the hackers access not only to every website hosted on it but also to restricted resources. This means they can blackmail both the website administrators and the hosting provider.
What Are Common Symptoms That Your Site Has Been Hacked
There are certain well-known symptoms that compromised sites exhibit. If any of them is spotted, the administrators should perform an in-depth check for malicious activity. The majority of infections can be spotted by examining the hosted content: most website malware inserts dangerous code into the pages and multimedia files that are served, with the aim of infecting visitors with different types of malware.
Changes to the website contents can include any of the following:
- New Content Insertion: one of the most frequent changes is to text content that is already in place. The hackers insert redirect code pointing to another hacker-controlled site, or replace download links for legitimate software with links to malware.
- New Elements Introduction: the hackers may add new malicious elements such as banners, pop-ups and ads. These can be intrusive and persistent, and serve not only to infect users but also to generate revenue for the hackers through sponsored and affiliate content.
- Contents Sabotage: the technique known as defacement sabotages the hosted site by removing content (partially or completely) or replacing it with warning pages and credits to the hacking team.
- Cryptocurrency Miners: a popular tactic of late is to inject cryptocurrency mining scripts into compromised sites. These are small scripts that, once loaded in a visitor's browser, run a sequence of hardware-intensive computations that place a heavy load on the visitor's computer, mainly on the CPU and to a lesser extent on memory and network bandwidth. For every completed unit of work the hackers are credited with cryptocurrency that goes directly to their wallets.
Malware activity also has a dangerous impact on the search ranking of high-traffic sites. This may be deliberate: in several cases competitors are believed to have paid hackers to "derank" other sites. The easiest way to spot an infection on a high-traffic site is an unexpected drop in traffic; analytics and SEO tools will then show that the unusual activity is due to content changes. Evaluating the code of the affected pages may reveal snippets of malware. There are several places where an infection can be housed:
- Website Pages: by far the most common location, and the easiest to spot, since the dangerous code is included directly in the pages served to visitors.
- Databases: many attacks are carried out through SQL injection, which targets older, unpatched installations whose database queries are vulnerable. Malicious content stored in the database is harder to trace, and it can have a devastating impact on interactive sites, which depend on the database to run normally.
- Uploaded Files: the hackers can also replace, add or remove files uploaded to the site, and use them to host all kinds of malware including Trojans, ransomware, browser hijackers and miners.
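Injected database content is easy to miss because it never appears as a changed file on disk. The Python script below is an added example, not part of the original article or of any CMS; it assumes a WordPress-style schema (a `wp_posts` table with post content and a `wp_options` table holding the `siteurl` and `home` options, which attackers commonly rewrite to redirect every page off-site), and builds that schema in an in-memory SQLite database with constructed rows so it runs offline. Against a real site, point the same queries at the production database and pass your own domain as the trusted host.

```python
"""Look for injected content in CMS database tables.

Added example (not from the original article). Assumes a WordPress-style
schema (wp_posts, wp_options); the tables here are built in an in-memory
SQLite database with constructed rows so the script runs offline.
"""
import re
import sqlite3
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=[\"']?(https?://[^\"'\s>]+)", re.I)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|\b(width|height)=[\"']?0\b)", re.I)
OBFUSCATION = re.compile(r"\beval\s*\(|\bunescape\s*\(|fromCharCode|base64_decode\s*\(", re.I)


def scan_posts(conn, trusted_hosts):
    """Return [(post_id, reason)] for rows whose content looks injected."""
    findings = []
    rows = conn.execute("SELECT ID, post_title, post_content FROM wp_posts ORDER BY ID")
    for post_id, _title, content in rows:
        content = content or ""
        for m in SCRIPT_SRC.finditer(content):
            host = urlparse(m.group(1)).hostname
            if host not in trusted_hosts:
                findings.append((post_id, f"external script from {host}"))
        if HIDDEN_IFRAME.search(content):
            findings.append((post_id, "hidden iframe"))
        if OBFUSCATION.search(content):
            findings.append((post_id, "obfuscated or eval-style code"))
    return findings


def check_site_urls(conn, expected_url):
    """Return [(option_name, value)] for siteurl/home entries that were changed.

    Attackers commonly rewrite these so every page redirects off-site.
    """
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name")
    return [(name, value) for name, value in rows
            if value.rstrip("/") != expected_url.rstrip("/")]


def build_sample_db():
    """Constructed sample data: one tampered option and two injected posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://www.example.com"),
        ("home", "https://attacker.example/redirect"),   # constructed: tampered value
        ("blogname", "Example Blog"),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Welcome", "<p>Hello and welcome to our site.</p>"),
        (2, "Downloads", '<p>Get the app</p><script src="https://cdn.attacker.example/m.js"></script>'),
        (3, "Gallery", '<p>Photos</p><iframe src="https://bad.example/x" style="display:none"></iframe>'),
        (4, "Video", '<script src="https://www.example.com/js/player.js"></script>'),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for post_id, reason in scan_posts(db, trusted_hosts={"www.example.com"}):
        print(f"post {post_id}: {reason}")
    for name, value in check_site_urls(db, "https://www.example.com"):
        print(f"option {name} changed to {value}")
```

The external-script check works from an allowlist of hosts rather than a blocklist of known bad domains, so a script tag pointing anywhere you do not control is reported; review the hits and extend the allowlist for legitimate CDNs you actually use.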
Here’s What To Do If You Find Malware On Your Site
If you have uncovered a malware infection, whether through manual checks, an automated tool or a monitoring system such as an intrusion detection system, the first thing to do is not to panic. As long as you can identify which areas contain the malicious code you can start to recover your site from the infection. Unlike infections on a desktop computer, website infections require a very thorough check to ensure that all the dangerous code is removed: code cleaned from one section of the site is often still referenced from, or re-created by, code in another.
If the site runs a content management system, all additions to the base engine (plugins, themes, custom code and so on) must be evaluated. In many cases additional cleanups, updates and hotfixes will need to be applied. Note that CMS installations are often targeted through zero-day vulnerabilities, against which very few mechanisms provide adequate protection.
The best defense is to research the infection in order to uncover the magnitude of the intrusion. Site owners should look for any identifying strings that reveal information about the hacking group or the current attack campaign; these may take the form of text files left on the servers hosting the site, specific text strings, or posted images.
You can always rely on the regular backups that hosting providers create automatically for site owners; check with your provider how often copies are taken. By comparing the backup images with each other and with the current site (the so-called diff method) administrators can see at which point the infection was introduced, which in turn gives pointers to how exactly the intrusion was made.
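The diff method described above can be done by hashing every file in each backup image and in the live site and comparing the results by path. The Python script below is an added example and not part of the original article; the snapshot labels, file names and the altered files are constructed in a temporary directory so that it runs offline. Against real backups, point the functions at the extracted backup directories in date order.

```python
"""Compare backup snapshots with the live site to locate the point of infection.

Added example (not from the original article). Every file under each tree
is hashed with SHA-256; trees are compared by path, so a newly dropped file
shows up as added and a tampered file as modified. The sample snapshots are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_trees(backup, live):
    """Return added, removed and modified paths of `live` relative to `backup`."""
    old, new = tree_hashes(backup), tree_hashes(live)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def infection_point(snapshots):
    """Given [(label, dir)] ordered oldest to newest, return {path: label} naming
    the first snapshot in which each path appeared or changed. The snapshot just
    before the earliest label in the result is the last one known to be clean."""
    first_changed = {}
    prev = tree_hashes(snapshots[0][1])
    for label, tree in snapshots[1:]:
        cur = tree_hashes(tree)
        for path, digest in cur.items():
            if path not in first_changed and prev.get(path) != digest:
                first_changed[path] = label
        prev = cur
    return first_changed


def make_sample_snapshots():
    """Constructed data: two clean daily backups, then a day with an altered
    index.php and an unexpected PHP file in the uploads directory."""
    clean = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/uploads/photo.jpg": "JPEGDATA",
    }
    tampered = dict(clean)
    # Constructed: the base64 payload decodes to the harmless echo 'hi';
    tampered["index.php"] = (
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); "
        "require __DIR__ . '/wp-blog-header.php';\n")
    tampered["wp-content/uploads/cache.php"] = "<?php echo 'constructed sample'; ?>\n"
    base = Path(tempfile.mkdtemp(prefix="site-snapshots-"))
    snapshots = []
    for label, files in [("2023-10-01", clean), ("2023-10-02", clean), ("2023-10-03", tampered)]:
        for rel, content in files.items():
            target = base / label / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        snapshots.append((label, base / label))
    return snapshots


if __name__ == "__main__":
    snaps = make_sample_snapshots()
    print(diff_trees(snaps[-2][1], snaps[-1][1]))
    print(infection_point(snaps))
```

Comparing by hash rather than by modification time matters: attackers routinely reset a file's timestamp to match its neighbours, but they cannot make a tampered file hash the same as the clean one. Treat the last snapshot before the first reported change as the restore candidate, and still scan it, since a backdoor may have been planted before the visible changes began.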
As soon as the malicious code has been isolated, the administrator needs to change all account credentials, following the rules for strong passwords. Many security experts also advise owners of high-traffic and dynamic sites to keep a separate database backup in addition to the main one.
Make sure to also review the following files:
- Files in the public_html folder (the web root)
- wp-config.php (the main WordPress configuration file)
- Any suspicious linked files
- Theme resources and plugins
One of the best pieces of advice often given to affected site owners is to notify the host. Hosts may have custom security solutions that can help restore the site more quickly, and if the site is on a shared server the notification can help prevent the infection from spreading to other websites.