How to repair a hacked website

Revised: 11/2/2015

Owner: Administrator

How to repair a hacked website: First steps after a website hack

Info

Author

Philipp Bellmann

Date

August 14, 2015

If your website has been hacked, the most important thing is that you stay calm and systematically take the appropriate measures. This tutorial will show you how you can recover your website one step at a time.

OK, let’s get started!

Content

You will complete the following tasks during recovery of your website:

Checking your computer for viruses

Before you start recovering your website, you must exclude the possibility that your computer was the origin of the attack. For this reason, first check your local computer for viruses and/or infections with malware.

Virus scanners: For example, you can use the free EU-Cleaner from the German “botfrei” anti-botnet initiative.

Consulting: The Anti-Botnet consulting center will help you delete the viruses for free. For 1&1 customers: If your website has been hacked, we will automatically send you contact data and a ticket number by e-mail, so you can contact the Anti-Botnet consulting center in addition to 1&1 support.

Changing passwords

As a first step, make sure that the attacker can no longer access your webspace, website or database. You manage passwords in the customer area of your web hosting service and in the admin area of your website. As a 1&1 customer, you can adjust your passwords in the 1&1 Control Panel.
Learn how to change your 1&1 passwords in the 1&1 Help Center.

Change the following passwords:

SFTP password (Change now in the 1&1 Control Panel)
SSH password (Change now in the 1&1 Control Panel)
Database password (Change now in the 1&1 Control Panel)
Website users: Reset the passwords for all users. The attacker may have created new users. Carefully check the user account administration for your website and remove any suspicious users.

And three more important tips:

Always access your webspace using secure protocols like SFTP.
If you also used your passwords for other services, you also have to change the passwords in those services.
Choose secure user names: Never use default names like adminor test. This is the most effective way to prevent hacker attacks in which the administration password is stolen.

Resetting your website admin password with phpMyAdmin

If you are no longer able to log in to the admin area of your website, the attacker may have deactivated your account or changed the password. In this case, you must change the password in the database. Let’s go through the whole process using WordPress as an example:

Start phpMyAdmin (find out more: 1&1 Help Center)
In the database of your website, open the users table
Search for your user and select Edit at the beginning of the line.

Delete the hash value in the user_pass
You now have to store your new password as a hash value in the user_pass. To generate a hash, you can, for example, use the md5 Hash Generator.
Select Save and click OK.

Full tutorial: How to Change your WordPress Admin Password using phpMyAdmin (Database Method)

Assessing damage

Now it is time to evaluate the situation and plan how to proceed.

Which files are affected?
Did the attacker have access to your website?
Is just one website affected, or are multiple websites on your webspace affected?
Did the attacker have access to your database?
Is sensitive data affected? Who needs to be informed?

For example, to assess the extent of the damage, you can use the Google Webmaster Tools. You will need a Google account. Google recommends the following steps (excerpt):

To find out what Google’s automatic scanners have found, open the Google Safe Browsing diagnostics page for your website (http://www.google.com/safebrowsing/diagnostic?site=www.example.com; replace “www.example.com” with the URL of your website).
If your website has been infected with malware, check the “Malware” page in the Search Console. Click Status in the website dashboard and then Malware. This page lists example URLs of your website that contain malicious code. Hackers sometimes add new URLs to your website for their malicious purposes. For example, this is the case in phishing attacks.
Check the .htaccess file (Apache) or other access control functions (depending on the website platform) for any malicious changes.
Check your server logs (in your webspace under ~/logs/) to see when files were hacked. Note that hackers can also change logs. Look out for suspicious activities such as failed login attempts or unknown user accounts, and check the command history (particularly roots).

Source: Google Search Console Help

Restoring your backup and checking for malware

In this step, you replace all the infected files with files from an uninfected backup. As a 1&1 customer, you can find a list of affected files in your webspace in the log directory under ~/logs/forensic/.

If you cannot exclude the possibility that the attacker had access to your database, you should also restore the database from a backup.

If you had not previously created a backup…

If you had not previously created any backups, you have the following options:

Restarting: Delete your website and your database and set them up again.
Recovery via a backup from your web hosting provider: 1&1 offers customers in Shared Hosting the option of recovering files on their webspaces.
Recover files in your 1&1 Control Panel now / Instructions (1&1 Help Center)

control-panel-webhosting-recovery

Manage webspace: Webspace Recovery

In the future, you can use one of these backup solutions, for example:

Creating WordPress backups: for a fee, with a subscription: VaultPress. Free backups: BackWPup Free
Creating Joomla! backups: You can create backups directly and at no charge in Joomla using Akeeba Backup or EJB (Easy Joomla! Backup).

These solutions back up your files and database.

Important: Backups in your webspace could be compromised by attackers. For optimal protection of your backups, you should always copy them to a separate local data storage device or cloud storage.

Updating applications, extensions, plugins and themes

To close known security holes, you must update all applications, plugins, extensions and themes as soon as you have restored your backup.

Attackers very often use security holes in plugins and themes. For this reason, make sure you update all plugins, extensions and themes, and check which ones you actually need. Every plugin affects the security of your website. Weigh the benefits and risks before you decide to use a plugin.

Removing your website from blacklists

Google, Bing, Yahoo and many antivirus programs maintain blacklists for websites that are infected with malware. Websites on Google’s blacklist, for example, are removed from the search index or at least punished with a lower ranking.

You have changed all your passwords and imported a clean backup? Now is a good time to have your page removed from these blacklists.

Requesting a new malware review (using Google as an example)

If Google reported malware or unwanted software on your website, you can use the Google Webmaster Tools to request a new review. Google will check your page for malware again in the next 24 hours.

You can find the status of the review using the Google Webmaster Tools in the Search Console in the Security Issues section. Open Google Webmaster Tools

If you have successfully removed all the malware, the status message for your website should look like this:

Video: Help for hacked sites (Google)

This video from the Google Webmasters shows you how and why websites get hacked, and what recovery options you have.

Google offers very good information for webmasters, as well as help on the topics of malware, security flaws and website recovery in the Google Search Console Help.

Evaluate: How did my website get hacked?

Cyber criminals either use weak points in the software you use or find out user data to attack your website:

Software/security holes: Attackers can use security holes in a CMS (content management system) like WordPress or Joomla!, or security holes in plugins, extensions or themes, to access your system.
User accounts/passwords: This is a direct attack via FTP or the admin account of your website. Attackers use passwords they have stolen or determined using brute force. This presents a higher risk for anyone who uses weak user names and passwords, and accesses his or her webspace using unencrypted connections (FTP).

In order to protect you and increase the security of your website, 1&1 checks all files that are changed for malware. If we find malware, we immediately lock the affected files, inform you, and offer our assistance.

Conclusion

Attacks on websites are part of daily life on the Internet. If your website has been hacked, you may initially feel a little shocked. At this point, it is important to stay calm because you now know what to do and can act effectively. Experienced employees in 1&1 Support will help you through each step in recovering your website.

Increase your website’s security and stay off blacklists with 1&1 SiteLock

If you want to be proactive, you can use 1&1 SiteLock, to protect your website from hacks. As the complete security solution for your website, 1&1 SiteLock provides the following:

Website Application Scan: Keeps you informed on the vulnerabilities of your applications used (the most common entry point for hackers). This saves you time because you won‘t have to personally check with your software vendors for updates and security patches.
SQL Injection Scan: 1&1 SiteLock performs a SQL Injection Scan to detect risks quickly and efficiently. This helps you block access to your databases and sensitive customer data to outsiders.
Cross-site scripting (XSS): 1&1 SiteLock checks your site, discovering places where an attacker could inject malicious code.
Malware Scan: 1&1 SiteLock scans for malware and external redirects, hidden links or links to recognized malware sites. Protects your customers from viruses and trojans on their computers.
File Change Monitoring: 1&1 SiteLock will monitor changes made to any file during a scan. So you‘ll be made aware if any unwanted changes were made.
Search Engine Blacklist Monitoring: 1&1 SiteLock scans make sure your website is not blacklisted from any search engines, and your e-mails are not marked as spam, to ensure uninterrupted communication with your customers.
SSL Verification: 1&1 SiteLock verifies your SSL certificate and makes sure that it is compatible with the requirements of your web browser. This ensures that no customers get a warning for data security, and there are no uncertainties.

How to Use 1&1 SiteLock (1&1 Help Center)

The Basics for a Safe Joomla! Website

Two Factor Authentication for WordPress and Joomla! with Google Authenticator and YubiKey

Title	How to repair a hacked website
Doc	How to repair a hacked website: First steps after a website hack Info Author Philipp Bellmann Category How-To Web Hosting Date August 14, 2015 If your website has been hacked, the most important thing is that you stay calm and systematically take the appropriate measures. This tutorial will show you how you can recover your website one step at a time. OK, let’s get started! Content You will complete the following tasks during recovery of your website: Checking your local computer for viruses (preparation) Changing passwords Assessing damage Restoring your backup Updating plugins and themes Removing your website from blacklists Checking your computer for viruses Before you start recovering your website, you must exclude the possibility that your computer was the origin of the attack. For this reason, first check your local computer for viruses and/or infections with malware. Virus scanners: For example, you can use the free EU-Cleaner from the German “botfrei” anti-botnet initiative. Consulting: The Anti-Botnet consulting center will help you delete the viruses for free. For 1&1 customers: If your website has been hacked, we will automatically send you contact data and a ticket number by e-mail, so you can contact the Anti-Botnet consulting center in addition to 1&1 support. Changing passwords As a first step, make sure that the attacker can no longer access your webspace, website or database. You manage passwords in the customer area of your web hosting service and in the admin area of your website. As a 1&1 customer, you can adjust your passwords in the 1&1 Control Panel. Learn how to change your 1&1 passwords in the 1&1 Help Center. Change the following passwords: SFTP password (Change now in the 1&1 Control Panel) SSH password (Change now in the 1&1 Control Panel) Database password (Change now in the 1&1 Control Panel) Website users: Reset the passwords for all users. The attacker may have created new users. Carefully check the user account administration for your website and remove any suspicious users. And three more important tips: Always access your webspace using secure protocols like SFTP. If you also used your passwords for other services, you also have to change the passwords in those services. Choose secure user names: Never use default names like adminor test. This is the most effective way to prevent hacker attacks in which the administration password is stolen. Resetting your website admin password with phpMyAdmin If you are no longer able to log in to the admin area of your website, the attacker may have deactivated your account or changed the password. In this case, you must change the password in the database. Let’s go through the whole process using WordPress as an example: Start phpMyAdmin (find out more: 1&1 Help Center) In the database of your website, open the users table Search for your user and select Edit at the beginning of the line. Delete the hash value in the user_pass You now have to store your new password as a hash value in the user_pass. To generate a hash, you can, for example, use the md5 Hash Generator. Select Save and click OK. Full tutorial: How to Change your WordPress Admin Password using phpMyAdmin (Database Method) Assessing damage Now it is time to evaluate the situation and plan how to proceed. Which files are affected? Did the attacker have access to your website? Is just one website affected, or are multiple websites on your webspace affected? Did the attacker have access to your database? Is sensitive data affected? Who needs to be informed? For example, to assess the extent of the damage, you can use the Google Webmaster Tools. You will need a Google account. Google recommends the following steps (excerpt): To find out what Google’s automatic scanners have found, open the Google Safe Browsing diagnostics page for your website (http://www.google.com/safebrowsing/diagnostic?site=www.example.com; replace “www.example.com” with the URL of your website). If your website has been infected with malware, check the “Malware” page in the Search Console. Click Status in the website dashboard and then Malware. This page lists example URLs of your website that contain malicious code. Hackers sometimes add new URLs to your website for their malicious purposes. For example, this is the case in phishing attacks. Check the .htaccess file (Apache) or other access control functions (depending on the website platform) for any malicious changes. Check your server logs (in your webspace under ~/logs/) to see when files were hacked. Note that hackers can also change logs. Look out for suspicious activities such as failed login attempts or unknown user accounts, and check the command history (particularly roots). Source: Google Search Console Help Restoring your backup and checking for malware In this step, you replace all the infected files with files from an uninfected backup. As a 1&1 customer, you can find a list of affected files in your webspace in the log directory under ~/logs/forensic/. If you cannot exclude the possibility that the attacker had access to your database, you should also restore the database from a backup. If you had not previously created a backup… If you had not previously created any backups, you have the following options: Restarting: Delete your website and your database and set them up again. Recovery via a backup from your web hosting provider: 1&1 offers customers in Shared Hosting the option of recovering files on their webspaces. Recover files in your 1&1 Control Panel now / Instructions (1&1 Help Center) Manage webspace: Webspace Recovery In the future, you can use one of these backup solutions, for example: Creating WordPress backups: for a fee, with a subscription: VaultPress. Free backups: BackWPup Free Creating Joomla! backups: You can create backups directly and at no charge in Joomla using Akeeba Backup or EJB (Easy Joomla! Backup). These solutions back up your files and database. Important: Backups in your webspace could be compromised by attackers. For optimal protection of your backups, you should always copy them to a separate local data storage device or cloud storage. Updating applications, extensions, plugins and themes To close known security holes, you must update all applications, plugins, extensions and themes as soon as you have restored your backup. Attackers very often use security holes in plugins and themes. For this reason, make sure you update all plugins, extensions and themes, and check which ones you actually need. Every plugin affects the security of your website. Weigh the benefits and risks before you decide to use a plugin. Removing your website from blacklists Google, Bing, Yahoo and many antivirus programs maintain blacklists for websites that are infected with malware. Websites on Google’s blacklist, for example, are removed from the search index or at least punished with a lower ranking. You have changed all your passwords and imported a clean backup? Now is a good time to have your page removed from these blacklists. Requesting a new malware review (using Google as an example) If Google reported malware or unwanted software on your website, you can use the Google Webmaster Tools to request a new review. Google will check your page for malware again in the next 24 hours. You can find the status of the review using the Google Webmaster Tools in the Search Console in the Security Issues section. Open Google Webmaster Tools If you have successfully removed all the malware, the status message for your website should look like this: Video: Help for hacked sites (Google) This video from the Google Webmasters shows you how and why websites get hacked, and what recovery options you have. Google offers very good information for webmasters, as well as help on the topics of malware, security flaws and website recovery in the Google Search Console Help. Evaluate: How did my website get hacked? Cyber criminals either use weak points in the software you use or find out user data to attack your website: Software/security holes: Attackers can use security holes in a CMS (content management system) like WordPress or Joomla!, or security holes in plugins, extensions or themes, to access your system. User accounts/passwords: This is a direct attack via FTP or the admin account of your website. Attackers use passwords they have stolen or determined using brute force. This presents a higher risk for anyone who uses weak user names and passwords, and accesses his or her webspace using unencrypted connections (FTP). In order to protect you and increase the security of your website, 1&1 checks all files that are changed for malware. If we find malware, we immediately lock the affected files, inform you, and offer our assistance. Conclusion Attacks on websites are part of daily life on the Internet. If your website has been hacked, you may initially feel a little shocked. At this point, it is important to stay calm because you now know what to do and can act effectively. Experienced employees in 1&1 Support will help you through each step in recovering your website. Increase your website’s security and stay off blacklists with 1&1 SiteLock If you want to be proactive, you can use 1&1 SiteLock, to protect your website from hacks. As the complete security solution for your website, 1&1 SiteLock provides the following: Website Application Scan: Keeps you informed on the vulnerabilities of your applications used (the most common entry point for hackers). This saves you time because you won‘t have to personally check with your software vendors for updates and security patches. SQL Injection Scan: 1&1 SiteLock performs a SQL Injection Scan to detect risks quickly and efficiently. This helps you block access to your databases and sensitive customer data to outsiders. Cross-site scripting (XSS): 1&1 SiteLock checks your site, discovering places where an attacker could inject malicious code. Malware Scan: 1&1 SiteLock scans for malware and external redirects, hidden links or links to recognized malware sites. Protects your customers from viruses and trojans on their computers. File Change Monitoring: 1&1 SiteLock will monitor changes made to any file during a scan. So you‘ll be made aware if any unwanted changes were made. Search Engine Blacklist Monitoring: 1&1 SiteLock scans make sure your website is not blacklisted from any search engines, and your e-mails are not marked as spam, to ensure uninterrupted communication with your customers. SSL Verification: 1&1 SiteLock verifies your SSL certificate and makes sure that it is compatible with the requirements of your web browser. This ensures that no customers get a warning for data security, and there are no uncertainties. How to Use 1&1 SiteLock (1&1 Help Center) You might also like The Basics for a Safe Joomla! Website Two Factor Authentication for WordPress and Joomla! with Google Authenticator and YubiKey
Revised	11/2/2015
Key Words	info, solution, web
Owner	Administrator
upload
user ID

Contact Administrator

openSource, created by Jerry Clark