I think my site has been hacked, how can I tell?
Typical indications that your site has been hacked:
- When you search for your site, search engines are advising you that your site has been hacked.
- Your web browser alerts you to say its not safe or has found spyware or malware within the code
- Unwanted content is being displayed when you load your site (defacement).
- Your computers AntiVirus or Anti-Spyware software indicates a threat when you visit your sites pages.
- You find unexpected files have appeared on the FTP server in your hosting directory.
The first thing to do is make a note of the date and time that you first became aware of the changes, along with all the pages/files you feel are affected. Now disable FTP access in your control panel (if the option is available), and change the passwords of any FTP enabled accounts. If possible enable or upload a holding page whilst the compromise is investigated further. If you can fix your site yourself we recommend that you do so to limit downtime on your site, but we do request that you report your findings, and retain copies of the files involved.
Note: Please do not delete the affected files, as they may prove useful in helping our system engineers to determine the method used or even who is responsible. To save these affected files rename them, and move them outside of your web-root (/web) to prevent them being used/viewed again.
Reporting your findings.
Once you have secured access via FTP and removed the visible traces of the hack, please raise a support enquiry and report your findings. In the email please explain what you have done to temporarily prevent further unwanted access and where you have placed the affected files. We will then investigate the matter further to identify how this attack was performed, and then advise you of the measures you can take in order to prevent it from occurring again.
What can I do to prevent it happening?
Unfortunately there is no clear cut method to prevent hackers from attacking your web site/s, you can only take precautions to greatly reduce the risk of their success. The two most commonly used methods of attacking websites are to either gain access to the server via FTP, or to use a badly written websites page to attack the site. We recommend that you always have an up to date AntiVirus program as they should alert you when you visit an infected site.
How can I prevent unwanted FTP access?
The Online Control Panel allows you to remove your FTP access from the accounts you use to manage your sites files remotely. We advise you to remove this access from accounts during long periods where FTP is not being used.
Change your FTP passwords as often as you can. The more regularly you change the passwords, the lower the risk of your FTP account being used against your site.See:How to reset your FTP password
We recommend you keep the passwords on the accounts, difficult to guess. When setting a password we suggest that the password be at least 8 characters long and contain a mix of upper and lower case letters and at least one number.
Any machine used to upload files to the hosting also needs to be checked regularly for all forms of malicious software (viruses, spyware etc.). Ensuring that the software you use to perform such checks is run regularly, and most importantly kept up to date. There have recently been a number of viruses that obtain your FTP username and password from your PC, either from the stored username and password in your FTP client, or it waits for an FTP connection to open, and then saves the username and password you type. In both cases this information is then sent back to the hackers. There are no security measures that we can take to protect against this, as the details are obtained from your PC, and the hacker uses your correct username and password to log in.
How can I prevent a web page being used to attack my site?
Many sites are created using widely available content management systems (CMS), such as Joomla! or Wordpress. The source code for these CMS's are generally in the public domain. This allows hackers to identify security holes in these systems quickly, but also the CMS developers can release patches and updates regularly to fix them.
Note:If you have chosen to use a CMS or other such 3rd party software for your site, you must ensure the live site is kept up to date with all patches and updates released by it's developers.
For ANY site hosted on Linux/Unix services, file permissions are a critical aspect of a sites security. Ensuring that your directories and files are assigned the "least level of access" necessary is a key point in preventing a site from being exploited. Please read the following article for further information: What permissions should I use for a script?
Note: If you are using a CMS or other 3rd party software, please ensure you follow the developers guidelines on file and directory permissions. Finally, if you are unsure what the permissions should be, seek advice do not grant world write or execute if you are not certain.
If the site does not use widely available software, then the sites developers need to ensure that it is written with security in mind.
- Ensure that the data handled by the site is always screened, using white-list and blacklist techniques to filter input. Never trust a page visitors input.
- If a form is available, place a CAPTCHA on the form, and again filter all received data from the form.
- When inserting information into a database, make sure you have screened the data and suitably escaped it.
- Use .htaccess files to limit access to sensitive areas of your site e.g. administration sections.
- Regularly update administration passwords, following the same guidelines given for FTP passwords.