Chapter 6: Examine Your Database, User Content, & .htaccess
If your site is based on a content management system (CMS) such as WordPress, Drupal, or Joomla!, you’ll need to examine your database for signs of compromise. My experience is that this doesn’t happen often, but it certainly can, & if you reinstall the site using a compromised database, you’re precisely where you were before going through all the previous steps. Not cool!
Since going line by line through a very large database is time-consuming, my tendency is to load the backed-up database file into a text editor that can handle very large files & search for the following words:
- <?php
- <script
- base64
- eval
- preg_replace
- strrev
This is not an exhaustive list, nor is the presence of any of these words conclusive proof of a site compromise, though some are more suggestive than others. If you find these words, especially if you find several of them, & are concerned that your database may be involved, you would do well to have a professional take a look.
If your site is being redirected to another domain, or your website mentions a domain when you visit it, then search the database for that particular domain. If certain words, such as medication names, are appearing in search results for your site, use the text editor to search the database for those specific words.
If your database has been compromised, I would definitely suggest hiring a professional, as repairing the site is likely to be quite complex, unless you have a relatively recent backup of the database available that has not been hacked. This is 1 of the best reasons I know of for keeping good backups, as they can save you tremendous amounts of both time & money.
Next, you’ll want to ensure that your user-generated content is free of any evidence of compromise. The best way, of course, is to simply upload fresh copies of the files. If you can’t, then there are several ways you can look for words in files, including via your operating system, text editors, or command-line search utilities. Essentially, you’re looking for text such as <?php or <script in files like images or documents, which should never contain that text.
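The searches described above for the database dump (the indicator list, plus any specific domain or keyword you are seeing) and for uploaded files can be done with one small script. This is an added example, not code from the chapter; the dump lines, the domain `redirect.invalid`, and the byte strings standing in for uploaded images are all constructed samples so the script runs offline. Identifier-like terms get a leading word boundary so that, for instance, “retrieval” does not trip on “eval” while “eval(” and “base64_decode” still match; the hits are leads to examine, not proof of compromise.

```python
"""Scan a database dump and uploaded files for the indicator strings listed in
this chapter. Added example, not code from the original chapter; the dump and
file contents below are constructed samples so the script runs offline."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# The chapter's indicator list. Matching is case-insensitive. Identifier-like
# terms get a leading word boundary so "retrieval" does not trip "eval", while
# "base64_decode" and "eval(" still match; the two tag-like terms match anywhere.
INDICATORS = ["<?php", "<script", "base64", "eval", "preg_replace", "strrev"]

Hit = Tuple[int, str, str]  # (line number, matched term, trimmed line excerpt)


def _compile(term: str) -> "re.Pattern":
    pattern = re.escape(term)
    if term[0].isalnum():
        pattern = r"\b" + pattern
    return re.compile(pattern, re.IGNORECASE)


def scan_text(text: str, terms: List[str] = INDICATORS) -> List[Hit]:
    """Return one hit per (line, term) pair; a line can produce several hits."""
    compiled = [(term, _compile(term)) for term in terms]
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for term, rx in compiled:
            if rx.search(line):
                hits.append((lineno, term, line.strip()[:80]))
    return hits


def scan_bytes(data: bytes, terms: List[str] = INDICATORS) -> List[Hit]:
    """Scan raw file contents (images, documents, or a dump that is not valid
    UTF-8). latin-1 maps every byte to one character, so nothing is dropped."""
    return scan_text(data.decode("latin-1"), terms)


def scan_path(path: Path, terms: List[str] = INDICATORS) -> List[Hit]:
    """Scan a file on disk, e.g. backup.sql or an uploaded image."""
    return scan_bytes(path.read_bytes(), terms)


def count_by_term(hits: List[Hit]) -> Dict[str, int]:
    """Lines matched per term; several different terms on the same line are far
    more suggestive than one common term spread over many lines."""
    counts: Dict[str, int] = {}
    for _, term, _ in hits:
        counts[term] = counts.get(term, 0) + 1
    return counts


# --- constructed samples (not taken from any real site) ----------------------
SAMPLE_DUMP = """-- constructed sample of a CMS database dump
INSERT INTO wp_options VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO wp_posts VALUES (12,'Data retrieval tips','Plain article text.');
INSERT INTO wp_posts VALUES (13,'Hello','<script src="//redirect.invalid/x.js"></script>');
INSERT INTO wp_options VALUES (99,'widget_text','<?php eval(base64_decode("ZWNobyAx")); ?>');
"""
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
CLEAN_UPLOAD = JPEG_HEADER + bytes(range(256))          # header plus arbitrary bytes
TAINTED_UPLOAD = JPEG_HEADER + b"<?php /* constructed marker */ ?>"  # PHP appended to an image


def main(argv: List[str]) -> int:
    if argv:  # real use: python scan.py backup.sql wp-content/uploads/*.jpg
        for arg in argv:
            for lineno, term, excerpt in scan_path(Path(arg)):
                print(f"{arg}:{lineno}: {term}: {excerpt}")
        return 0
    print("dump:", count_by_term(scan_text(SAMPLE_DUMP)))
    print("dump + domain:", count_by_term(scan_text(SAMPLE_DUMP, INDICATORS + ["redirect.invalid"])))
    print("clean upload:", scan_bytes(CLEAN_UPLOAD))
    print("tainted upload:", scan_bytes(TAINTED_UPLOAD))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the sample results, or pass your backed-up dump and any uploaded files as arguments. In the sample dump the third line, which merely contains “retrieval”, produces no hit, while the last line produces three different hits on one line; that clustering is the kind of result worth showing to a professional.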
Lastly, you’ll want to check your .htaccess file to see if it contains signs of compromise. This may be difficult for those who aren’t sure what to look for. If you have a known good backup of your .htaccess file, your best bet is simply to replace it. Again, if you’re at all uncertain, it’s best to hire a professional to examine it.
Next, we’ll move on to the last step in the process, that is, reinstalling the site.