• Part 1: Introduction


    If you’re a business owner, your website represents you to the world. Even if your site is a personal one, you’ve still done a lot of work on it. The last thing you want is to go to it one morning and see this.

    [Image: website defacement reading “Hacked by ALFA TEaM”]

    Or perhaps a client emailed you that when he went to your site, he received this message:
    [Image: browser warning “Reported Attack Page”]

    Or perhaps when checking your site in Google, you saw this, though your website has nothing whatever to do with any sort of drugs.
    [Image: search result listing “antivert Prescription”]

    BTW, just as an aside, in case you’re unaware and actually care, Antivert is available over the counter in any pharmacy; no prescription necessary. You don’t have to go to some dodgy website.

    However you discovered it, you suddenly realize you’re the victim of a website hack. You’ve got a thousand questions. How did this happen? Why did this happen? Why me? But your first question is “Now what?” And you suddenly realize you have absolutely no idea. It’s a nauseating, gut-wrenching feeling. If there’s a bright spot in all of this, though, it’s that you’ve come to the right place. The information set forth in the following posts will help you reclaim and repair your site, as well as put you on a better security footing than you were on previously, thereby hopefully preventing future incidents like this from ever occurring again.

    Objectives

    When dealing with a hacked site, there are two basic objectives that need to be accomplished. The site owner believes that if the site is repaired, all is well. The truth is that’s seldom the case, though repairing the site is, of course, an important objective. The problem is that most criminals who hack a site leave behind what’s known as a “backdoor”, so they can easily re-enter your site even after it appears to be repaired. Thus, the hard work of repairing your site can blow up within seconds to days, depending on how long the bad actors take to determine you’ve “fixed” it. So the second objective of fixing a site hack is to lock and bar the door, thereby unceremoniously kicking the hackers out for good.

    Here, we provide you with all the information you need to accomplish both objectives. And if you don’t feel confident in doing so, we offer professional services to help you repair and reclaim your site. If you just have a question you need answered, then please drop a line in the forums.

    We’re with you every step of the way as you seek to repair and reclaim your site. Just let us know how we can help. Others have survived this. You will, too. You’re not alone.

  • Part 2: What Is a Site Hack


    A site hack, technically known as a site compromise, is when someone takes over your site. It’s very much like when a plane is hijacked.
    [Image: the first US plane hijacking, Jacksonville, FL, airport]

    So, essentially the criminals have taken over your site, and they can basically do whatever they want with it. You are no longer in full control. They are.

    Fortunately, you don’t have to sit helplessly by, as in a hijacking. You have tools available both to repair and reclaim (take back control of) your site. This site will show you what they are and how to use them, as well as how to prevent future hacks. You can win. We’ll show you how.

    The content of this site is directed primarily toward those with a nontechnical background. Unfortunately, fixing a site compromise does often require some considerable technical expertise. If, after reading these articles, or indeed somewhere in the middle, you feel unable to handle the task on your own, we’re happy to help. Each page of the site has our contact information. Please don’t hesitate to use it should you desire.

    What Do Hackers Want?

    Probably the #1 question I’m asked by victims of a site compromise is, “I’m small. What could anyone possibly want with me? I don’t have anything of value.” Those of us in the web hosting industry are partially to blame for this, as we do not educate site owners about the value of their website & auxiliary services, the dangers of being hacked, or how to prevent it from occurring. People are not allowed to drive without first taking a driver’s test, but we allow folks to erect a website that could infect hundreds and even thousands of visitors without so much as a sentence of instruction to them. It’s shameful, in my view. I’m probably in a better position than most hosting providers, as many of my clients have chosen to host with me following a site compromise which I helped them fix. They’re aware of the security implications without me saying much, and they’re more willing to listen to instructions regarding prevention. Nonetheless, I probably don’t instruct enough. Guilty as charged.

    The things that hackers want can be divided into four broad areas, which are basically the things that all criminals want.

    • Money;
    • Prestige;
    • Promote a cause;
    • Entertainment (lolz).

    Of these, by far the most compelling is money, and I’ll therefore spend the most time discussing it.

    How Do Hackers Make Money from a Website?

    Cyber criminals, it seems, can find unending nefarious ways to make money on the web. These methods may (and likely will) change over time, but the underlying principles remain fairly stable.

    • Redirects. In a redirect, the criminal redirects the visitor from your website to a site of their choosing. This can be a “phishing” site, where the cyberthugs try to get such things as login credentials (in hopes you use them on multiple sites), credit card information, social security number, driver’s license, and other personally identifiable information (PII), which they hope either to sell or to use to log into other sites such as PayPal, your bank, Amazon, etc., and clean out your account(s). Phishing sites may look like the site they’re trying to mimic, but a careful look at the address bar of your browser (usually in the upper left corner) (screen reader users, press alt d) will let you know it’s not the real site. They might also redirect you to their store where they sell questionable products such as medications (often for sexual dysfunction), “miracle” cosmetic and fitness products, fake apps, especially antivirus apps (often called scareware), offer loans, etc. The likelihood is that you’ll merely be providing the thieves with your credit card information and get nothing in return, except, perhaps, a big fat virus on your computer if you download their apps.
    • Search engine spam. In this type of compromise, the site comes up in search engine results that have nothing to do w/the contents of the site. I was searching for a daily quote plugin, for example, and a compromised site came up in the search results for that type of plugin, but also contained entries for nonprescription Antivert, which, incidentally, is OTC anyway.

      Another trick the criminals use is injecting links or other content “off screen”, where it can be detected by search engines but not by a typical visitor. It can be seen by viewing the source of the website (Ctrl+U) in almost all browsers. Once, in viewing the source of a church website, I saw: "position: absolute; top: 0px; left: -8000px;">Links to <a target="_blank" rel="dofollow" href="httx://bbetting.co.uk/">Best Bookmaker Bet365</a> it The UK. Note the link was changed to httx in order to make it non-clickable. The position was set to be off screen so that site visitors would not notice it, nor would site administrators, so it was less likely to be fixed.

    • Malware infection. In this type of compromise, the criminals download malicious software, or “malware”, to your visitors’ computers. In this context, “malware” is usually defined as software that is installed without the user’s knowledge or consent. It may cause the user to click on ads of the criminals’ choosing in order to get money (pay-per-click malware), lock their files until they pay (ransomware), mine cryptocurrency on their machine (using the computer’s power to generate digital currency), & others. Schemes tend to change over time. Whereas in 2016 ransomware was very popular, crypto mining has become much more so now. Fake tech support malware can also be downloaded to your visitors’ machines. In this scenario, the owner of the infected computer is told they have a virus & that they need to call a specific tech support number. The message usually identifies as coming from Microsoft or some other well-known company. If the person calls the number, the “technician” will ask to remotely connect to the computer in order to “clean it up”. In reality, all that will happen is that the bogus company will get your visitor’s credit card information, & more bogus software will be placed on their computer, such as ransomware.

      Ransomware called “Bad Rabbit” is one example of malware that a visitor’s computer can contract by visiting a compromised website.
      [Image: screenshot of the Bad Rabbit ransomware note presented to infected users]

    • Email spam. If your domain has a good reputation, the criminals can use this to their advantage by sending emails, purportedly from you, that advertise their dodgy wares. Because domains that send spam get on blacklists fairly quickly, cyber criminals are always looking for domains w/good reputations through which they can send emails that are likely to be delivered, until, eventually, those domains get blacklisted as well.
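    The off-screen link trick described under search engine spam can be checked for mechanically. This is an added example, not code from the original article: a small Python scanner that walks a page’s HTML source and reports every link that sits inside an element whose inline style pushes it far off screen or hides it. The sample page is constructed for the example and keeps the non-clickable httx scheme from the text.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary link plus two injected ones, hidden
# the way the church site's source was (off-screen positioning / display:none).
# The httx scheme is kept from the text so the sample links stay non-clickable.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our church</h1>
<p>Service times and directions.</p>
<div style="position: absolute; top: 0px; left: -8000px;">Links to
<a target="_blank" rel="dofollow" href="httx://bbetting.co.uk/">Best Bookmaker Bet365</a> it The UK</div>
<a href="/about">About us</a>
<span style="display:none"><a href="httx://pharmacy.example/">antivert prescription</a></span>
</body></html>"""

# Large negative offsets push content off the visible page; small negative
# offsets are normal layout, so require at least three digits.
OFFSCREEN_RE = re.compile(r"(?:left|top|text-indent|margin-left)\s*:\s*-\d{3,}px", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)


def style_hides(style):
    """True if an inline style would keep the element out of a visitor's view."""
    return bool(OFFSCREEN_RE.search(style) or HIDDEN_RE.search(style))


class HiddenLinkFinder(HTMLParser):
    """Collects links that sit inside any element whose inline style hides it."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # how many open ancestors are hidden
        self.open_tags = []        # (tag, hides) for each open element
        self.findings = []
        self._href = None          # set while inside a link within hidden content
        self._text = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        hides = style_hides(attr.get("style") or "")
        self.hidden_depth += hides
        self.open_tags.append((tag, hides))
        if tag == "a" and self.hidden_depth:
            self._href, self._text = attr.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.findings.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None
        # Pop back to the matching open tag, undoing hidden_depth for each popped element.
        while self.open_tags:
            open_tag, hides = self.open_tags.pop()
            self.hidden_depth -= hides
            if open_tag == tag:
                break


def find_hidden_links(html):
    """Return a list of {'href', 'text'} dicts for links hidden from visitors."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_HTML):
        print(f"hidden link: {hit['href']!r} text={hit['text']!r}")
```

    Run it over the saved source of your own pages (Ctrl+U, then save); any hit pointing at a domain you do not recognise deserves a closer look.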

    This list is not exhaustive, &, as stated, these methods will change over time. But hopefully you can see now why your website is of value to criminals as well as to yourself. Even though your site is not a large one & may not store credit cards & other user information, criminals still find what you have to be of considerable value. Your reputation depends on protecting your site from these ne’er-do-wells, thereby protecting your visitors from being harmed and your domain’s reputation in the process.

    Prestige, Lolz, and Causes

    As often happens in the criminal world, those just starting out in crime want to prove their “chops” to others who are more advanced. Hacking a website is one way to do this. In addition, some of these folks (generally kids) are just bored, & hacking a website simply provides entertainment, as is the case w/most teenager-perpetrated vandalism. Hacktivism, or compromising a website in order to promote a cause, also occurs at times. The group called “Anonymous” has recently gained notoriety in the headlines for such activities.

    [Image: screenshot of a site hacked by Anonymous]

    Sometimes site compromises are motivated by revenge on the part of family members, friends, employees, or, more likely, former members of the above groups of people. Careful auditing of user accounts & the privileges they possess, along w/removal of such accounts when they are no longer required, will go a long way toward preventing these sorts of compromises.

    These sorts of hacks tend to be perpetrated mostly by amateurs, & they’re usually readily noticed because of the damage they cause. The bad actors interested in compromising a site for monetary reasons, on the other hand, tend to try to make their mischief as invisible to the site owner as possible so they can continue their bad activities. Keeping a site compromise invisible is known as “cloaking”.

    Preventing a Site Compromise

    As I hope you can see by now, your website is a constant target.
    [Image: target]

    Welcome to the Worldwide War Zone! What I also want you to understand, however, is that there are things you can do to minimize the dangers of a site compromise, & they don’t require a degree in Computer Science or Worldwide Web. In no particular order, these are:

    • Strong passwords. Make passwords that are tankproof, i.e., easy for you to remember but hard for others to guess.
      [Image: military tank]

      They should be long & strong, i.e., contain upper & lower-case letters, numbers, & punctuation signs. An article on my website brighter-vision.com, entitled Protect Yourself with Passwords or Pay, is an example of how nontechnical folks have created passwords that pinned the WordPress strongometer. Basically, you’re protecting at least 1, & perhaps up to 3 passwords:

      • Your Hosting provider’s control panel password;
      • Your administrative dashboard password, if applicable; &
      • Your website’s database password, again if applicable.
    • Don’t use the same password on more than one site. If that site gets breached, then your password has been exposed, & the bad guys will surely try to use it on other sites, including your website, in order to compromise it. Again, the above-mentioned article talks about this in detail, showing you how to create strong passwords that can be changed somewhat for use on multiple sites.
    • Keep your software up-to-date. If your site is built via a content management system (CMS) like WordPress, Drupal, or Joomla!, you will need to keep your site updated. As the folks at Sophos say, “update early, update often.” They use this quote in conjunction w/updating your computer, but the same can be applied to your website as well. The reason is that code can sometimes contain weaknesses, called “vulnerabilities” or “security holes”, which criminals can use to break into a website. These vulnerabilities are (hopefully) first disclosed to the authors of the program in question so they can make a piece of software called a “patch” to fix the weakness, but they are eventually publicly disclosed. Even if they are not, it’s a good bet the bad guys have also found them, sometimes even before the good guys do. Updates contain these patches, thereby protecting your website.
    • Use only well-maintained software. If you are using a CMS, it’s important to look at the software which you’re using periodically to see if it has been maintained. Unfortunately, if the author of a theme or plugin/module feels it’s no longer worth his/her time to maintain it, the software can remain on the CMS’s site for download but may contain vulnerabilities, as mentioned previously, that have not been patched. It’s wise, in such cases, to find another piece of software w/similar functionality but which is being regularly maintained. My own advice is that if a piece of software on your site has not been updated in a year or more, it’s time to look for other software to meet your needs. Additionally, delete any software on your site which you’re no longer using. Despite it not being active, it can still be an attack vector for the bad guys to use to compromise your website.
    • Check out your host’s reputation. Some hosts are blacklisted because they don’t do much to prevent spammers from sending emails through their servers. Others configure websites improperly, such that a compromise of a single site can easily lead to all of the sites on that server being hacked. One gentleman I recently worked with regarding his compromised site, as a volunteer contributor on the WordPress Support Forums, was on a host that was blacklisted by at least 2 services as well as having misconfigured DNS (Domain Name System) problems. I can’t say it was the cause of his site compromise, but it couldn’t have helped!
    • Avoid using “cracked” or “pirated” versions of software, & obtain any 3rd-party software from reputable sources. There is no free lunch, & pirated software almost always contains code that will compromise your site in some way. In addition, you should only obtain software from your CMS’s site or from reputable vendors. When thinking about purchasing a piece of software, consider googling for user reviews.
    • Keep the devices you use to log into your website free of malicious software, & don’t log into your website using Wifi hotspots, such as hotels, cafes, transportation hubs, etc. Remember that these are generally not secured, & some may even be fake. It does no good to have tankproof passwords if they’re intercepted.
    • Secure your website w/an SSL certificate. You can contact your host for one or purchase them from a variety of sources. An organization called Let’s Encrypt provides them for free. Unfortunately, they’re only good for 3 months, while those which are purchased are usually good for a year. Still, this encrypts traffic between users (including you) & the website, making it that much more difficult for the bad guys to intercept traffic that might prove useful in their quest to compromise your site. A bonus is that sites w/SSL certificates tend to rank higher in Google’s search results.
    • Use secure file transfer methods. If you upload files to your website, it’s a good idea to use a secure file transfer method such as “Secure FTP”. Many FTP clients, such as FileZilla, permit encrypted file transfers. Support for the various methods of file transfer encryption varies from host to host. Consult your host’s knowledge base for details.
    • Use a security plugin/module. These can provide a variety of functionality, depending on which one is chosen, from guarding against spam to preventing “brute force” attacks (where someone repeatedly tries guessing your login credentials), to protection via a firewall. Some of these are free, while others provide a paid version w/an increased feature set. Protection against brute forcing the login screen is the minimum protection that should be in place.
    • Don’t grant others privileges on your site they don’t need. If someone only authors articles for you on your website, give them the user role of ‘Author’ rather than ‘Administrator’. Definitely do not give privileges higher than ‘Subscriber’ to anyone you don’t know.

      Always delete user accounts, of employees or others who once had access to your site’s dashboard, but because of separation from the organization/family/circle of friends, should no longer have such access. Though site compromises are often thought of as being perpetrated by strangers, disgruntled members or former members of your organization, family, or circle of friends can also compromise a site, often w/even more disastrous results than a stranger because they know their way around. Change passwords of any accounts you cannot delete, i.e., the hosting control panel, the database, &/or your dashboard password if there’s any reason to believe the person who’s left your organization, family, or friendship circle had, or may have had, access to them. This can often be hard for a small organization where leadership is somewhat fluid, i.e., a church where board members/administration changes often, but 5 minutes spent changing passwords is far better than many hours spent reconstructing a website that’s been completely destroyed by a knowledgeable person w/criminal intent & insider privileges. Even if you’re positive the person who separated wouldn’t do such a thing, change the passwords anyway. You’re likely right that they wouldn’t, but the truth is you never know. Just change them! & if you’re not sure whether the person who left knew your important passwords, just change them!

    • If your CMS permits editing of files on the site itself, disable that functionality if at all possible. In WordPress, for example, open wp-config.php and, just above the line that says “stop editing, happy blogging”, type the line: define( 'DISALLOW_FILE_EDIT', true ); This way, if criminals do manage to get administrative privileges, they cannot edit the site files directly from the dashboard. Be aware, however, that some themes & plugins require the file editing functionality to be enabled in order to work. You can simply delete the line if something on your site breaks.
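    A commented-out copy of that define does nothing, and PHP keeps only the first definition of a constant, so it is worth checking the file rather than assuming. As an added example (not code from the original article or from WordPress), here is a Python helper that reports whether wp-config.php actually has an active DISALLOW_FILE_EDIT set to true and, if not, flips a false value or inserts the line just above the stock “stop editing” marker. The sample configuration is constructed for the example.

```python
import re

# Constructed sample wp-config.php: the define is only present as a comment,
# which PHP ignores, so file editing is still allowed.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
# define('DISALLOW_FILE_EDIT', true);   <- commented out by a previous admin
$table_prefix = 'wp_';

/* That's all, stop editing! Happy blogging. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# An uncommented define at the start of a line, capturing its boolean value.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.I | re.M,
)
# The marker line WordPress ships; the define belongs above it.
STOP_MARKER_RE = re.compile(r"^[ \t]*/\*.*stop editing.*\*/", re.I | re.M)
NEW_LINE = "define( 'DISALLOW_FILE_EDIT', true );"


def strip_block_comments(text):
    """Remove /* ... */ comments so a define inside one is not counted as active."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def file_edit_disabled(config_text):
    """True only if the first active define sets DISALLOW_FILE_EDIT to true.

    PHP keeps the first definition of a constant and warns on later ones,
    so the first uncommented match is the one that takes effect.
    """
    m = DEFINE_RE.search(strip_block_comments(config_text))
    return m is not None and m.group(1).lower() == "true"


def ensure_file_edit_disabled(config_text):
    """Return config text with file editing disabled, changing as little as possible."""
    if file_edit_disabled(config_text):
        return config_text
    if DEFINE_RE.search(strip_block_comments(config_text)):
        # An active define exists but is false: flip it instead of adding a duplicate
        # (assumes no block-commented copy precedes it in the file).
        return DEFINE_RE.sub(NEW_LINE, config_text, count=1)
    m = STOP_MARKER_RE.search(config_text)
    if m is None:
        raise ValueError("stop-editing marker not found; add the define by hand")
    return config_text[: m.start()] + NEW_LINE + "\n" + config_text[m.start() :]


if __name__ == "__main__":
    print("disabled before:", file_edit_disabled(SAMPLE_CONFIG))
    fixed = ensure_file_edit_disabled(SAMPLE_CONFIG)
    print("disabled after:", file_edit_disabled(fixed))
```

    Keep a backup of wp-config.php before writing the result back, since a typo in that file takes the whole site down.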

    Lastly, don’t forget to back up! While this technically does not per se prevent a site compromise, it makes recovering from one a whole lot easier. If you use a CMS, the parts which should be backed up are:

    • User-generated content, i.e., pictures, documents, & audio/video files you’ve uploaded;
    • Purchased software such as plugins/modules/themes;
    • Your database.

    There are many plugins/modules to help w/this, & your hosting provider’s control panel may have facilities for doing this as well. How often you back up your site is up to you. Sites w/more content will likely need to back up more often than sites that have very little.

    Summary

    In this article, we briefly looked at:

    • The definition of a site compromise (hack);
    • Why cybercriminals wish to compromise your site;
    • Methods hackers use to gain control of your site;
    • How to prevent a site compromise.

    In the next part, we’ll go through the steps necessary to repair & reclaim your site. That is, we’ll fix any damage the criminals have caused to your website, & we’ll fully return control of the site back to you, the rightful owner. Then, by implementing the recommendations you’ve learned here, you’ll go a very long way toward keeping the bad guys out for good. Most burglars, when breaking into a house, want “easy pickins”. If all the windows & doors are locked & dead bolted, they’ll probably just move on & go elsewhere. The same applies to compromising your site. Indeed, many compromises are done, in whole or in part, not by humans at all, but by bots. If the bot’s algorithm detects that everything it has in its arsenal is being thwarted, it’ll move on to greener pastures.