Finding out just how you got hacked in the first place is very important as flushing out the point of entry and getting rid of any backdoors stops hackers just simply rehacking your site. So then just how do hackers gain access? There are a few ways hackers can gain access to your website, for example a vulnerable file you have uploaded to the server may act as a point of entry for attackers or your computer may have a virus on it allowing hackers to listen in on your ftp connections and fish login details from your computer allowing them to hack your site… Sometime it may not be even your fault that you get hacked because a vulnerability in your actual web-server can cause hackers to be able to compromise your site and everybody else site hosted on that webserver time and time again.
Once hackers have compromised a site they will upload backdoors to your site allowing them to regain access if the vulnerable file which let them in initially is deleted.
If you are running a wordpress site (this technique can be adapted to fit virtually any content management system) here is what you should do
Step 1 exporting your data
You can export your content with two two different ways depending on how paranoid you are.
The first way is simply going into the wordpress dashboard>tools>export and exporting all relevant data that you need. Then opening up the exported file in notepad and checking that there is no odd data that doesn’t conform to a proper wordpress export xml for example there isnt any base64 code. It is a good idea to limit your export to just important content such as post’s and pages so there is less to check and less chance of something slipping through the net.
If you are a little more paranoid and suspect that the hackers may have placed something dodgy in the xml file you may want to export your content with MYSQL instead.
Exporting the database tables that you need and checking through them making sure that all the data exported is correct and nothing dodgy has been added.
Step 2 deleting everything!
Once you are happy that there are no backdoors hidden in your exported content you are going to have to delete everything from your site! All files, folders and databases!
Step 3 changing your passwords and checking that there are not additional ftp users!
This is very important and should be done after everything has been deleted and before you install a new wordpress install. If you forget to change your password or there is a ftp user the hacker has created the hacker the hacker still has a point of entry and the problem isnt solved.. not by a long shot!
Step 4 Reinstall WordPress and import your exported data!
Things to note when reinstalling wordpress
Make sure you use a different secure password
Make sure you use a different username than just “admin”.
Do not re-upload the dodgy theme, plugin files that made your site vulnerable in the first place
Make sure you keep your plugins, themes and WordPress install up to date this time.
IF YOU ARE STILL BEING HACKED… The point of entry is from a server vulnerability and not your fault!
Chances are if you are still being hacked despite going through all these steps perfectly your server has been compromised. At the end of the day you may have the most secure site in the world but if your hosting is rubbish your just going to keep on getting hacked so you may want to change host to one with better security!
This post was inspired after one of my sites hosted on site5 was server sided hacked.
If you have came here because your site has been hacked you probably can thank the retards at exploit-db. exploit-db is a website that finds and exposes exploits, creates up-loaders and backdoors and lists ways to find vulnerable sites (Google dorks) for internet criminals to exploit sites so that they can promote illegal fake drugs and counterfeit goods online. exploit-db is the scum of the internet.