Is your website hacked?
This article, together with the ones on protecting web page content and blocking bad bots, is the result of my research into the subject. It all started about a year ago, when a successful website came under attack and heavy spamming. What pushed me in the right direction was noticing that all of those attacks (including a forged contact email used to spam around) were aimed primarily at killing the website's search engine ranking (some well-known and some less-known methods were used for this).
Long story short, one of the "hackers" was identified and tracked. Who was behind those attacks? My dear jealous competitor.
Why websites get hacked
The example above is only one reason for attacking a website. A DDoS (Distributed Denial of Service) attack targets the server, usually as revenge or an attempt at blackmail. The result is server overload caused by a flood of requests arriving at the same time; infected computers are used to generate them. If the server is robust enough, a DDoS attack may only show up as a slow connection.
Challenge is another common reason. Infected with an "I am a better hacker" mindset, kids with scripts (freely available!) hack websites for fun and to show their friends that they are the better "hackers". So when you see a different home page on your website, saying something like "This site hacked by (some stupid nick)", it is time to update your scripts...
The worst attacks are those aimed at damaging your business website. I am not talking about spies and industrial secrets, that is a separate category. In this case your website can be used to spread malicious software (trojans, viruses...). It is important to monitor the website logs to see who is sniffing around your site, to spot unusual activity and strange files, and to be prepared to fight back.
Enter a keyword (or a variation of it) such as "wordpress hacked" into Google and you will find a wealth of information about hacking blogs and CMS (content management system) platforms (software, scripts).
WordPress is targeted because it is free, simple and the most popular blogging software, which means many bloggers know nothing about programming, so default installations are everywhere. And older versions. Older versions are at risk because of known bugs, later used by spammers and hackers to gain access and/or inject (upload) malicious code. The cure is a simple upgrade to the newest version. In any case, it is no trouble to check the website log files for strange requests, and to check the contents of the directory where WordPress is installed for suspicious files.
One nice example is a redirection script "uploaded" into a WordPress folder of a hacked website. The link to that script appeared on Google's results page with the title and description of a hijacked web page from another popular website (the well-known Google 302 bug). Instead of redirecting to the original site (as in normal 302 hijacking), the script redirected to a PPC directory, using keywords taken from Google. Nice try, but easily spotted, and it seems the guy was banned from that program. A WHOIS lookup on the directory site showed the owner's (supposedly private) info publicly, and Alexa showed traffic climbing very fast. The domain was only one month old. Get money fast or get banned fast?
A quick search shows that the script in question was "installed" on many websites with high Google PR and an older version of WordPress. Enough said.
This example is not that common, since redirecting stolen traffic to your own affiliate links reveals who you are.
Script attacks (cross-site scripting)
Script attacks or script testing, there is not much difference. In both cases automated tools look for known scripts (ones that accept user input), and bugs in those scripts are used to gain access to the website or to pass links through it (hiding the origin). In most cases an iframe is inserted into your pages, containing a link to malicious code (trojan, worm...) that infects your visitors. In fact, every CMS, forum and blogging package is a collection of scripts. Below are some common attacks.
Mail form scripts: Older versions of the notorious FormMail.pl are used to send spam, using the script as a relay. Newer versions are patched (referrer check, recipient hard-coded inside the script). If you are still using that script, add some kind of captcha.
To protect your mail form page, add a robots meta tag to it (noindex,follow). Any link to that page can carry rel=nofollow. Your mail form page will then not be shown in search engines. Don't use robots.txt to block access to that page: you would be showing spammers a shortcut.
Blog comment spam is another problem. Use a form with a captcha; if the images are static, modify them, and if they are generated, modify the code. Any modification can help (script name, code...).
Redirection scripts: redirection scripts are used to hide the original source or destination. You can probably find requests in your logs such as "go.php?http/somesite". The solution is not to use a redirection script without some kind of database lookup (that is, not passing a visible URL as above).
Malicious code injection: also called a rootkit attack, this is usually an (automated) attack on some PHP script with a known bug, used to gain access and to include script code hosted on some other hacked site.
Example of a hacked website
I still can't figure out how PHP scripts were injected into one of the websites. The first sign was strange 404 (file not found) requests. The names of those web pages looked automatically generated (meaningless names), which was enough reason to check the directories from which those pages were requested. Long story short, I found some new PHP scripts and an .htaccess file residing there. In this case every 404 (file not found) request was redirected (by .htaccess) to the uploaded script. The source of that script showed that information collected from the visitor was sent to a base64-encoded URL (domain). Yes, the script was "slightly" modified and the IPs were collected, since the hacker (bot) was testing the redirections. This was only one version of those scripts; other versions are more dangerous.
This hack is nothing new; it has been around for a few years. Although I can't figure out how the scripts were uploaded, I saw that they were uploaded only to directories that had accidentally been left world-writable (chmod 777), and this happened the day after the website was moved to another server.
Since this attack is not that rare, you can protect yourself: check whether any directory is chmod 777 and change it to 755; track 404 (file not found) requests and take a look at the directory involved; if any "new" script is there (the name usually contains some numbers), delete that script and the .htaccess file (if it is not used) in that directory, and chmod the directory to 755.
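The checks above can be scripted. The following POSIX shell audit is an added example, not code from the article: it walks a document root and reports world-writable directories, .htaccess files that route 404s to a PHP script, PHP files with digit-heavy (auto-generated) names, and PHP files that eval base64-decoded data. The sample tree it builds is constructed for demonstration; the web root path is an assumption.

```shell
#!/bin/sh
# Added audit helper (not from the article). Run as: audit_webroot /var/www/html
# (path is an assumption; use your own document root).

# 1. Directories that are world-writable (mode 777 or any o+w bit), the
#    place the article saw uploaded scripts land.
find_world_writable() {
    find "$1" -type d -perm -o+w
}

# 2. .htaccess files that send 404s (or redirects/rewrites) to a PHP script.
find_404_redirects() {
    find "$1" -type f -name .htaccess -exec grep -liE \
        '^[[:space:]]*(ErrorDocument[[:space:]]+404|Redirect|RewriteRule)[[:space:]]+.*\.php' {} +
}

# 3. PHP files whose names contain a run of digits (auto-generated names).
find_numeric_php() {
    find "$1" -type f -name '*.php' | grep -E '/[A-Za-z_]*[0-9]{3,}[A-Za-z_]*\.php$' || true
}

# 4. PHP files that decode base64 or call eval (common obfuscation pattern).
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE 'base64_decode|eval[[:space:]]*\(' {} +
}

# Run all four checks against one web root and print each finding.
audit_webroot() {
    for check in find_world_writable find_404_redirects find_numeric_php find_obfuscated_php; do
        echo "== $check"
        "$check" "$1"
    done
}

# Constructed sample tree (hypothetical paths) mimicking the article's case;
# prints the temp root so callers can audit and then remove it.
make_sample_root() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/wp-content/uploads" "$sample_root/wp-includes"
    chmod 777 "$sample_root/wp-content/uploads"
    printf 'ErrorDocument 404 /wp-content/uploads/x48213.php\n' \
        > "$sample_root/wp-content/uploads/.htaccess"
    printf '<?php eval(base64_decode("QUJD"));\n' > "$sample_root/wp-content/uploads/x48213.php"
    printf '<?php echo "ok";\n' > "$sample_root/index.php"
    echo "$sample_root"
}
```

Each finding is a file to inspect, not proof of compromise; a legitimate plugin may keep its own .htaccess, so compare against a known-good copy before deleting.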
FTP passwords stolen?
This part has been moved to a separate article, How FTP passwords can be stolen, with added information on how to find and remove trojans from your PC. Don't miss that article if you found more than one website hacked at the same time.
If you are using some kind of CMS (Joomla, Drupal...), WordPress or forum software, it is worth customizing the scripts to avoid detection and make the website safer.
Hackers and spammers often use search engines to find where a given piece of software is installed. That is why it is necessary to remove or change every "Powered by", "Version x.xx" and similar string found in every default installation. These are "fingerprints". Second, rename scripts wherever possible; generic attacks target well-known file names. Third, use mod_rewrite to hide script names. It is only a partial success, but at least it is a search-engine-friendly modification. Don't use themes/templates from just anywhere; make sure no malicious code has been inserted into them. Any plug-in (CMS, blog) that allows user input could contain a security hole.
And most important: keep an eye on your website logs. Hacking attempts leave fingerprints there, and that can be an early warning that somebody is testing your scripts.
Update your modules, and do it now, and make sure mod_security is installed on your server. Less headache...
For more on this theme, use Google and search for these keywords: "SQL injection", "XSS" or "cross site scripting", "how to hack Web site", etc.