One Of My Website is Hacked Repeatedly, What is the Best Thing To Do?

Julie Viola · #1 (**permalink**) 07-02-09, 09:55 PM

Hi friends,

One of my website is being hacked three times already in the past two weeks. I noticed it yesterday that it has been hacked again so I simply Upload and publish it again. But just now, It's been hacked again.
What should I do? It's really annoying me now to say the least..

I need some advice and help. the site is تم الاختراق من قبل كاسبر هكر

Thanks
Julie Viola

Nico · #2 (**permalink**) 07-03-09, 04:07 AM

Change all passwords. FTP/cPanel, etc...

And what exactly are they doing to your site?

wirehopper · #3 (**permalink**) 07-03-09, 06:26 AM

Sorry, but I'm not going to a site that's been hacked. Too easy to get some nasty malware.

Find all the applications that are running on the site and check for security issues at Secunia.com. Blogs, chat applications, some content management systems, etc. often have vulnerabilities that are exploited over and over until they are upgraded.

If there is a custom application on the site, it may have security issues. They must be addressed. An audit is available at PHP Security Consortium.

It is also possible that there is a file on your server that is allowing someone else to upload code. Until you remove it, they will control the server.

I'm assuming it an HTML site on shared hosting, you have one account on a publicly accessible server. In that case, my recommendation would be to download ALL the files from the www or public_html account (or whichever directory index.html is in) and all the subdirectories. Then, look at them on your PC. If there are any files you didn't put there, delete them. Another approach would be to delete everything and put a clean copy up.

You could also contact the hosting company for help. They will be reluctant to delete any files, because they aren't familiar with your site - but they also want to protect their server.

End User · #4 (**permalink**) 07-03-09, 09:20 AM

You really need to look at the log files to determine what's the point of entry for the hack. Somewhere in the log are some lines showing malicious commands, SQL injection, etc etc. Until you know what the point of entry is, I think it would be a waste of time to just keep republishing the site over and over. It'll just get hacked over and over.

Julie Viola · #5 (**permalink**) 07-03-09, 10:29 PM

My website is a static html and i do not have any other applications that goes with it. Its a simple static website.

I really do appreciate all your advices and knowledge in dealing with such problems. I am really sorry though that I was not able to reply to your advices right away as I have to do very important family stuffs.

BTW. It was just the home page that was having the bad stuffs and all the rest of the pages are okay.

Again, thanks a lot Nico, WireHopper and End User....
I Do appreciate your time and effort in helping find solutions to my problem,.

Julie Viola

wirehopper · #6 (**permalink**) 07-04-09, 12:11 AM

If it is just HTML, the most likely issue is that the file is being corrupted during transfer.

Boraan · #7 (**permalink**) 07-04-09, 11:47 AM

Hey aside from a perl programmer I'm a network security and IDS specialist. Hack prevention, threat assessment, firewalls, etc. email me please. I need to know if you have access to your logs and what kind of system your sites is hosted on. I also need a time frame of when the hack occurred. If you have access to those logs I should be able to tell you how your site was hacked, where they entered, etc. and help you set up your server config to prevent it from happening again. DO NOT reply with that information here. message me please

Julie Viola · #8 (**permalink**) 07-04-09, 01:07 PM

Wirehopper, do you mean when I publish the site contents. Because I do update the site recently as i added a few pages.
My host is GoDaddy.com and I do not have the log files applied yet. I have to subscribe to it and apparently there is a fee for getting those visitors IP addresses.

Thanks
Julie Viola

Boraan · #9 (**permalink**) 07-04-09, 01:21 PM

eew. godaddy. enough said. If you want I can let you borrow some of my server space and I can keep track of your log files to see where the attacks are coming from, no charge

ddd · #10 (**permalink**) 07-05-09, 07:23 PM

Hi Julie,

Some simple advice to you:

-Change all your passwords. That's the easiest method for them to keep modifying it.
-Upgrade your system. If you are running wordpress, make sure you are on version 2.8.
-If you have any script (cgi, php, etc) remove them until you are sure they are safe.
-Check your system for new accounts and remove them.

After you are done, start monitoring your site: A suggestion is the free Sucuri information security (BETA) that alerts whenever your site is changed/hacked/blacklisted/etc.