Jul 22, 2007
How-to: Recover your Hacked Blog or Site
Posted by Jon Lee in How-to, tags: backup, hacking, security, wordpress
Yesterday I documented what happened to my blog when it got “hacked”. If this ever happens to you, here are steps to consider when recovering from a hacked site or blog:
- Regain Access/Control to your Site
Most likely, your intruder will have changed one or more of your passwords. To regain control, contact your web host immediately to change your passwords and to alert them of the situation; it could be a server-wide vulnerability.
- Restore Files and Database from a Backup
Assuming you do routine backups (at the very least once a month), you can restore your files and database from the latest backup. If you don’t have a backup, check with your web host. Many web hosts do routine backups of entire systems and may be able to retrieve a more up-to-date version of your site.
- Restore Missing Information
Files that were not in your backup may need to be restored manually — either by creating the file again or, in the case of a blog, by finding your article archived somewhere (e.g. archive.org, Google cache, RSS reader history).
- Locate the Vulnerability
This is very important. You need to pinpoint exactly how the hacker got into the system. Take note of which versions of the software and plugins you’re using and look at the changelogs to see whether there were any open vulnerabilities. If you can’t find anything, take a look at your access logs for suspicious activity. Detailed access logs may only be available through your web host, so ask them for help; they’d know what to look for!
- Eliminate the Vulnerability
This step is pretty obvious. Depending on what your vulnerability is, get rid of it. If for some reason that isn’t possible, work around it. For example, if you find that your contact form plug-in has an unpatched hole, use another contact form or simply give a regular e-mail link. To be on the safe side, take this chance to upgrade everything to the latest version.
- Do a Sweep for Suspicious Files
The hacker could easily have left a malicious file somewhere that gives them a backdoor into your system even after you have eliminated the original vulnerability. One way to check for this is to install the same software in a different location and look for files unaccounted for in your original installation. Likewise, you can usually find a list of installed files in the software’s documentation. If necessary, it is safest to do a complete reinstallation from scratch.
- Monitor Site Activity
Over the next couple of weeks, keep an eye on your site activity. Note suspicious activity such as access to files that you don’t recognize or repeated log-in attempts.
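The last two steps, the sweep for unaccounted-for files and the watch on site activity, can be scripted. The following is an added example, not code from the original post: it compares a live install against a fresh reference copy of the same software (installed elsewhere, as the post suggests), then uses that reference copy to flag access-log requests for scripts the software never shipped, and counts log-in POSTs per client address. The directory layout, file names and log lines are all constructed for the demonstration; the log is assumed to be in the common log format, where the request path is the seventh field.

```shell
#!/bin/sh
# Added example (not from the original post). Everything under $WORK is
# constructed sample data so the script runs offline.

# sweep_install REF LIVE
# Lists files that exist only in LIVE (UNACCOUNTED) and files present in both
# trees whose contents differ (MODIFIED). REF is a clean install of the same
# software version.
sweep_install() {
    ref="$1"; live="$2"
    tmp=$(mktemp -d)
    (cd "$ref"  && find . -type f | sort) > "$tmp/ref"
    (cd "$live" && find . -type f | sort) > "$tmp/live"
    # comm -13: lines only in the second list (the live tree)
    comm -13 "$tmp/ref" "$tmp/live" | sed 's/^/UNACCOUNTED /'
    # comm -12: lines in both lists; cmp -s is silent and fails on a difference
    comm -12 "$tmp/ref" "$tmp/live" | while IFS= read -r f; do
        cmp -s "$ref/$f" "$live/$f" || printf 'MODIFIED %s\n' "$f"
    done
    rm -rf "$tmp"
}

# flag_unknown_scripts REF LOG
# Prints access-log lines whose requested .php path does not exist in the
# reference install: a file the software never shipped is worth a look.
flag_unknown_scripts() {
    ref="$1"; log="$2"
    while IFS= read -r line; do
        # common log format: field 7 is the request path; drop any query string
        path=$(printf '%s\n' "$line" | awk '{print $7}' | cut -d'?' -f1)
        case "$path" in *.php) ;; *) continue ;; esac
        [ -f "$ref$path" ] || printf 'UNKNOWN-SCRIPT %s\n' "$line"
    done < "$log"
}

# count_login_posts LOG
# Counts POST requests to wp-login.php per client address ("N ip" per line).
count_login_posts() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1"
}

# --- constructed sample data (hypothetical paths and addresses) -------------
WORK=$(mktemp -d)
REF="$WORK/ref"; LIVE="$WORK/live"; LOG="$WORK/access.log"
mkdir -p "$REF/wp-content/uploads" "$LIVE/wp-content/uploads"
for f in index.php wp-login.php wp-content/uploads/.htaccess; do
    printf 'original %s\n' "$f" > "$REF/$f"
    printf 'original %s\n' "$f" > "$LIVE/$f"
done
# one modified core file and one file the reference install never contained
printf 'original index.php\n/* injected line */\n' > "$LIVE/index.php"
printf '<?php /* file not shipped with the software */ ?>\n' \
    > "$LIVE/wp-content/uploads/cache.php"

cat > "$LOG" <<'EOF'
203.0.113.5 - - [20/Jul/2007:03:12:01 +0000] "GET /index.php HTTP/1.0" 200 5120
203.0.113.5 - - [20/Jul/2007:03:12:09 +0000] "POST /wp-login.php HTTP/1.0" 200 1203
203.0.113.5 - - [20/Jul/2007:03:12:14 +0000] "POST /wp-login.php HTTP/1.0" 200 1203
203.0.113.5 - - [20/Jul/2007:03:12:20 +0000] "POST /wp-login.php HTTP/1.0" 302 0
198.51.100.7 - - [20/Jul/2007:03:15:44 +0000] "GET /wp-content/uploads/cache.php?x=1 HTTP/1.0" 200 88
192.0.2.33 - - [20/Jul/2007:09:00:00 +0000] "GET /feed/ HTTP/1.0" 200 9981
EOF

echo "== sweep (live vs. reference install) =="
sweep_install "$REF" "$LIVE"
echo "== requests for scripts unknown to the reference install =="
flag_unknown_scripts "$REF" "$LOG"
echo "== wp-login.php POSTs per address =="
count_login_posts "$LOG"
```

Run against a real site by pointing REF at the fresh install and LIVE at the web root; the sweep reports two kinds of findings, files the clean install does not contain and shipped files whose content no longer matches, which is exactly the "unaccounted for" check the post describes. Checking request paths against the reference tree catches a dropped script the moment it is first requested, even if it was never on the sweep's list.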
These steps need not be done in this exact order, but at the very least they should all be considered. Let’s hope you’ll never have to refer to this post.