Is my website hacked? …and cleaning strategy!

A quick post with a list of third-party services where you can easily check whether your website has injected scripts (usually JavaScript), viruses or other harmful code. I use them myself when a customer complains that a page has been hacked or is blocked by antivirus software or Google: these external online checkers help me find the bad code, which I then search for and remove from the actual website.

My favorite and best in class is https://sitecheck.sucuri.net, which shows the exact reason and the exact code (HTML, JavaScript, etc.) that is considered harmful.

The next online tool is amazing for checking for viruses: https://www.virustotal.com

And one more tool that is sometimes helpful: https://scanner.pcrisk.com/

Do you know of others? Do you know one that is better? Please contact me and share!

Website cleaning strategy, simple short version

Here are my thoughts, ideas and workflow for website cleaning. It might take some time, attention to detail and a bit of knowledge. There are also a lot of geeks who can help, so these steps are deliberately approximate: the intention is to show a direction rather than a fixed, strict checklist to follow. Bear in mind that the steps do not have to be done in the order you see them here. In the best scenario you get a feel for them, then play with and combine them to achieve the goal: a clean and working website.

Change your password for FTP and control panel access. This is usually the first and quite important step.

Ask yourself why you think the website has been hacked. Sometimes hackers destroy files, sometimes they inject bad code, and sometimes they gain access to your DNS and mess with that part.

Restoring from a backup (both files and database) is often the easiest and quickest solution. The only thing to bear in mind is to make sure the version in the backup is not itself hacked and does not contain injected trojan or backdoor code. It often helps to restore from the backup and then fine-clean the website.

If possible, create a backup of your website before starting the cleaning process. You can break your website even more while cleaning it. An extra backup never hurts.

If your hosting provider offers one, use its antivirus and malicious code scanner. To be honest, I have not seen them being super efficient, but in some cases they still help. Some, like Imunify, can even help you clean or delete bad files. That saves a lot of time.

If you are using WordPress and it is working and accessible, the Wordfence plugin is a big and good friend, especially when it comes to finding modified or “extra” files, which usually turn out to be trojans, backdoors, uploaders and file modification tools. We use Wordfence a lot, and in most cases the free version is good enough. Big thanks to the developers.

If you are using WordPress and it has been corrupted or is inaccessible, it quite often helps to simply upload the latest WordPress source files and overwrite the existing ones. Very often hackers modify or damage core WordPress files. Also, sometimes your WordPress might stop working because of failed updates (and not because it was hacked). I use this “fix” quite often. Make sure you have made a backup of your website (even if it is not working) before you start. Yes, both files and database.

Cleaning text files (HTML, PHP, JavaScript) with injected malicious code is often not easy on a Windows PC with a good antivirus installed. My antivirus detects the malicious code and lets me neither download nor open such files. For these scenarios I have a local virtual machine running Ubuntu, and I use it for file cleaning. If I have SSH access, I also use that and try to clean the files directly on the server through the console. It might sound time-consuming for a large number of files, but it can be very handy in many other situations (when you need to search for malicious code).
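
One way to do the "modified or extra files" check from the console on the Ubuntu VM or over SSH, as an added example that is not from the original post and is not how Wordfence works internally. It assumes you have unpacked a fresh copy of the same WordPress version next to the site; the function name and directory arguments are hypothetical.

```sh
#!/bin/sh
# Added example: compare a live WordPress tree against a clean reference copy.
# Usage: compare_to_clean CLEAN_DIR SITE_DIR
#   MODIFIED <path>  file content differs from the clean copy
#   EXTRA <path>     file does not exist in the clean copy
#   MISSING <path>   file exists in the clean copy but not on the site
# wp-config.php and wp-content/ are skipped on the site side: they legitimately
# differ per site (settings, plugins, themes, uploads) and need a separate review.
# Assumption: file names contain no newline characters.
compare_to_clean() (
    clean=$1
    site=$2
    if [ ! -d "$clean" ] || [ ! -d "$site" ]; then
        echo "usage: compare_to_clean CLEAN_DIR SITE_DIR" >&2
        exit 2
    fi
    {
        # Files present on the site: extra or modified relative to the clean copy.
        (cd "$site" && find . -type f ! -path './wp-content/*' ! -path './wp-config.php') |
        while IFS= read -r rel; do
            rel=${rel#./}
            if [ ! -f "$clean/$rel" ]; then
                printf 'EXTRA %s\n' "$rel"
            elif ! cmp -s "$clean/$rel" "$site/$rel"; then
                printf 'MODIFIED %s\n' "$rel"
            fi
        done
        # Files the clean copy has but the site lacks (deleted or destroyed).
        (cd "$clean" && find . -type f ! -path './wp-content/*') |
        while IFS= read -r rel; do
            rel=${rel#./}
            [ -f "$site/$rel" ] || printf 'MISSING %s\n' "$rel"
        done
    } | LC_ALL=C sort
)

# Run as a script: ./compare.sh /path/to/clean-wordpress /path/to/site
if [ "$#" -eq 2 ]; then
    compare_to_clean "$1" "$2"
fi
```

Review every MODIFIED and EXTRA file before deleting or overwriting anything, and only after the backup is made.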

Although it is not a cleaning suggestion, I feel it is worth mentioning: do not host a lot of websites under a single account. I know it is often much cheaper, but security-wise it is a bad idea. Usually files and other resources are shared under a single user (I mean the FTP or Linux user), so several addon or parked domains have access to each other's files, and if one of them gets hacked, the other sites can technically (with a high probability) be hacked easily too.


These are very brief steps and explanations, but I hope they will take you in the right direction. Always happy to help!
