Recovering from a hacked web-based system

Following on from my past two posts about risk and security, it’s probably a good idea to identify a few techniques which might help you to recover your systems following an attack.

Remember that most attacks succeed on systems that haven’t been kept up-to-date. You can mitigate a lot of risk just by ensuring you have the most recent version of the software installed on your servers (assuming you’re using software that gets updated regularly).

Spate of attacks

There are a lot of attacks taking place at the moment on popular open-source applications like WordPress and B2evolution. L&D teams across the world are starting to embrace these types of easy-to-use content management systems. They are extremely simple to install, and also to modify – using plugins, with very little technical expertise required.

But this simplicity makes them vulnerable. Administrators will need to ensure that the modifications they make, as well as the core system, are maintained. If you have an old WordPress installation that’s no longer used but is sitting on the same server as your other systems, then that puts everything at risk.

How do you know you’ve been hacked?

The most common ways to find out that your system has been attacked are:

  1. A message from your friendly web-hosting service, which has detected something odd – often through their anti-virus programme
  2. A message from a friend who’s seen odd behaviour on your site – perhaps strange messages, a virus warning in their browser, or even the wrong site being displayed
  3. A message from Google’s webmaster tools warning that you’ve been hacked. (You will need to register your site with Google to take advantage of this.)

If Google or your web-host are involved, they should hopefully be able to give you some pointers as to what type of attack you’ve suffered. Two typical ones are:

  • URL injection – where your URL takes people to another, malicious site. If this happens, check your .htaccess file for strange entries, as it’s the most probable location of the redirection code.
  • Code injection – where the attacker has managed to place malicious code into your files. Fixing this involves considerable analysis to find the hacked files, identify which code has been placed there, and remove it.

Both of those situations can be resolved by finding the appropriate bits of code and clearing them out. If a lot of files are involved, then it’s possible to write a “script” that runs through and checks each file in turn. But take care that you don’t cause more damage than the original attacker!
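As an added example (not code from the original article), here is one way such a script could look. It only reports suspect lines and never edits or deletes anything, so it cannot add to the damage. The two patterns, the file extensions and the sample site (`www.example.org`, `redirect.invalid`) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed indicators (not from the article); tune them for your own site.
PHP_EVAL = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# .htaccess redirect directives whose target is an absolute URL.
HTACCESS_REDIRECT = re.compile(
    rb"^\s*(RewriteRule|Redirect(Match)?)\b.*?https?://([^/\s\"']+)", re.I)


def scan(webroot, own_hosts):
    """Return sorted (path, line_no, reason) findings. Never modifies files.

    own_hosts is a set of lower-case host names (bytes) that redirects may target.
    """
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(folder, name)
            is_htaccess = name == ".htaccess"
            if not (is_htaccess or name.lower().endswith((".php", ".phtml"))):
                continue
            with open(path, "rb") as fh:
                for no, line in enumerate(fh, 1):
                    if is_htaccess:
                        m = HTACCESS_REDIRECT.search(line)
                        if m and m.group(3).lower() not in own_hosts:
                            findings.append((path, no, "redirect to external host"))
                    elif PHP_EVAL.search(line):
                        findings.append((path, no, "obfuscated code execution"))
    return sorted(findings)


def demo():
    """Scan a constructed sample site built in a temporary directory."""
    samples = {
        ".htaccess": b"RewriteEngine On\n"
                     b"RewriteRule ^old$ https://www.example.org/new [R=301,L]\n"
                     b"RewriteRule ^(.*)$ http://redirect.invalid/$1 [R=302,L]\n",
        "index.php": b"<?php echo 'hello'; ?>\n",
        "footer.php": b"<?php\neval(base64_decode('ZWNobyAxOw=='));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, root), n, r)
                for p, n, r in scan(root, {b"www.example.org"})]
```

Review each reported line by hand, or compare the file against a clean copy of the same software version, before changing anything.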

If a hacker has chosen to damage your files or your database, as well as add code to them, then the usual way to recover is to restore from a recent backup – losing everything that has been saved in the meantime.

Once you’ve recovered your system, then you will need to spend some time trying to ensure that the attacker can’t get back in again. This will involve:

  1. Changing all administrator passwords
  2. Upgrading your system, and plugins, to the most recent version
  3. Clearing out old applications that are no longer used
  4. Clearing out old plugins that have not been updated for a while


Posted: 17 May 2014

Tags: Technology