What to do when your website is hacked

2012/02/21 by

When a website gets infected, it generally means someone (a hacker) has used an exploit or vulnerability (in the form of viruses, trojans, rootkits, spam bots and more) to take control of your site.

This tutorial outlines the most common methods hackers use as well as how to counteract them and avoid future mishaps.


How do I know if my website is hacked?

Hackers do their best to ensure their “doings” remain unnoticed. However, there are various symptoms that may signal a cause for concern:

  • Pages take longer to load and the website is less responsive;
  • A sudden increase in website traffic;
  • A sudden decrease of visits from search engines;
  • An increase in traffic from people finding your site in search engines using irrelevant search terms;
  • Your site or some particular web pages have been removed from search engines;
  • Your AdSense account is blocked. Google may block access if it detects illegitimate activity.
  • Doing a Google site: search on your site brings up a ridiculous amount of links and pages you can’t identify.

Why did my site get hacked?

The most common reasons hackers target websites are to:

  • Steal account and financial information – account numbers, passwords and other confidential information;
  • Trick the user into buying something they never intended to;
  • Steal visitors and redirect them to another site;
  • Send out junk email (spam);
  • Attack other computers or networks;
  • Steal your bandwidth/traffic (by hosting data on your space);
  • Distribute even more malware/badware.

How did my site get hacked?

The most common methods hackers use to exploit vulnerable websites are:

  • Cross-site scripting (XSS): Cross-site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern web browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
  • Weak Authentication and Authorisation: Poorly-scripted systems that don’t securely pass session information over SSL can be hacked by sniffing the traffic to discover an active user’s authentication and/or authorisation credentials.
  • SQL Injection: The hacker embeds SQL code into web forms or other unprotected areas of the site to manipulate the site’s database. Once the database has been exploited, they can gain complete control of your site and user account information. This commonly happens with outdated CMS packages or poorly-scripted sites.
  • Remote command execution: This is when a site vulnerability (again, usually due to poor scripting) allows an attacker to run operating system commands with the privileges of the web server.

What do I do when my website gets hacked?

Refer to Google’s Webmaster guidelines for Cleaning your site.

I’ve done what Google suggested but my site is still blocked

Google doesn’t re-scan your site every day – it may take 1-2 weeks between site scans. If you want to push for a quicker scan, you can request a malware review via Google Webmaster Tools.

How can I protect my site against future attacks?

  • Periodically scan for viruses and malware. There are many free cloud alternatives to commercial virus scanners.
  • Keep essential software up-to-date (OS, Web Browser, Browser Plugins, Anti-virus/Anti-spyware).
  • You can use online tools such as Secunia Online Software Inspector to check for insecure versions of common/popular programs installed on your PC.
  • Use browser security extensions like NoScript to minimize risks of being infected while surfing the web.
  • Hire an experienced developer/designer when building your site (you get what you pay for): During the initial design stage of a website handling sensitive data, the development team should have already identified key information assets that should be protected.
  • Periodically update your passwords. Make them strong, otherwise this could happen.
  • Where possible, use secure protocols like SFTP or FTPS. FTP is an insecure protocol that transmits your credentials unencrypted (in clear text), which makes it easier to steal them.
  • Update your CMS and/or web software: One of the most common types of attacks is through exploits in outdated open-source CMS and applications. Keep up to date with security fixes and patches through the vendor’s homepage.
  • Keep up to date with web software vulnerabilities related to your software on sites like exploit-db.