Things to do if you suspect that your web hosting account has been compromised. …
Change your passwords — site administration control panel, SSH, FTP, database, CMS administrators, whatever.
Search site:example.com on Google; see if anything is unexpected.
Review all the files in your account, examining:
- File modification dates. Keep in mind that if the root account has been compromised, then the attacker may have altered file timestamps. Of course, if you suspect this then you have bigger problems than forged timestamps.
- Permissions. Barring exceptional circumstances, directories should be no more permissive than 755 and files no more permissive than 644.
- Files that don't belong.
- Executable files you no longer need. All those deprecated form submission scripts, that web calendar you noodled around with but decided not to use, that CMS installer you forgot to delete, that phpinfo.php file you used for debugging way back when… they're all potential holes.
- Non-executable files you no longer need. They're not vulnerabilities, but they are needless clutter that slows you down in moments like this. If you delete them now, you'll thank yourself during the next file audit.
Review server access logs.
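Knowing what to look for in the access log is the hard part. As an added example (not code from the original article), the script below parses Apache/Nginx combined-format lines and flags the patterns that matter most in a hosting-account compromise: a script executing out of a directory that should only hold static files, a leftover debug file such as phpinfo.php being served, and per-IP bursts of POSTs or 404s. The log lines, directory list, leftover-file list and thresholds are all constructed assumptions; adjust them to your own site's layout.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Apache/Nginx "combined" log format (assumed; adjust the regex if your host's log looks different).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should serve only static content. A script executing from one of
# these is the classic sign of a planted file. Hypothetical list; use your own layout.
STATIC_DIRS = ("/uploads/", "/images/", "/media/")
SCRIPT_EXT = (".php", ".phtml", ".cgi", ".pl", ".py")

# Debug/installer leftovers the checklist says should have been deleted.
LEFTOVER_FILES = {"/phpinfo.php", "/install.php", "/setup.php", "/info.php"}

# Per-IP thresholds (assumed values; tune them to your normal traffic).
POST_THRESHOLD = 3
NOT_FOUND_THRESHOLD = 3

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 60000 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /old-form.php HTTP/1.1" 404 200 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /calendar/ HTTP/1.1" 404 200 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:07 +0000] "GET /installer.php HTTP/1.1" 404 200 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "POST /uploads/cache.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:11 +0000] "GET /uploads/cache.php?x=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def review_log(text: str) -> List[Tuple[str, str, str]]:
    """Return a sorted list of unique (rule, ip, detail) findings for the log text."""
    findings = set()
    posts: Counter = Counter()
    not_found: Counter = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        # Rule 1: a script served (not 404) from a static-only directory.
        if path.startswith(STATIC_DIRS) and path.lower().endswith(SCRIPT_EXT) and status < 400:
            findings.add(("script_in_static_dir", ip, path))
        # Rule 2: a leftover debug/installer file still exists and was fetched.
        if path in LEFTOVER_FILES and status < 400:
            findings.add(("leftover_file_served", ip, path))
        # Rules 3 and 4 are volume-based, so just count here.
        if method == "POST":
            posts[ip] += 1
        if status == 404:
            not_found[ip] += 1
    for ip, n in posts.items():
        if n >= POST_THRESHOLD:
            findings.add(("many_posts", ip, f"{n} POST requests"))
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.add(("many_404s", ip, f"{n} missing-file requests"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, ip, detail in review_log(SAMPLE_LOG):
        print(f"{rule:24} {ip:16} {detail}")
```

Run it against a real log with `review_log(open("access.log").read())`. The "script in static directory" rule is the one worth keeping permanently: any hit there means either your upload directory allows execution (a configuration problem) or a file has been planted, and the file it names is where the cleanup starts.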
Report the incident to the web host's support or abuse staff. Be specific in describing the incident and your response to date. Don't assume that the incident was their fault: such an attitude will close your eyes to ways in which you can improve your own practices.
Audit all software you have installed (CMS, form submission scripts, etc.). Ensure all are currently supported stable production versions. Upgrade as needed, keeping in mind that all you need is a secure version and not necessarily the most recent one with all the newest bells and whistles. Make sure you have in place a means of receiving security updates from each software project (RSS, mailing lists, Twitter, etc.). If you already had such notifications set up, check them all to ensure they still work. Invariably when I do this I find that I had been relying on at least one or two dead feeds or superseded mailing lists.
Better yet, uninstall any software you don't absolutely need.
Now audit the software the web host offers (kernel, web server, database, etc.). If you find something amiss, nag them to update if needed.
Download files and use a diff checker such as Meld to compare each file to known clean ones in offsite backup or on your local development box. TODO: Can Meld work with online files, thus obviating the need to download files? If not, is there an alternative to Meld that can?
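The file review earlier in this list (timestamps, permissions, files that don't belong) and the Meld comparison here are the same job: compare the live tree against a known clean copy. As an added example (not the author's code, and not a substitute for Meld's line-by-line view), the script below builds a manifest of SHA-256 hashes and permission bits for each tree and reports files that were modified, added, deleted, or are more permissive than the 755/644 limits above. The two sample trees are constructed in a temporary directory so the script runs offline; it assumes Unix permission bits.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

MAX_DIR_MODE = 0o755   # checklist limit for directories
MAX_FILE_MODE = 0o644  # checklist limit for files

Entry = Tuple[str, int]  # (sha256 hex, or "" for non-regular files; permission bits)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, Entry]:
    """Map every path under root (relative, '/'-separated) to its hash and mode."""
    manifest: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            digest = sha256_of(full) if stat.S_ISREG(st.st_mode) else ""
            manifest[rel] = (digest, stat.S_IMODE(st.st_mode))
    return manifest


def compare(clean: Dict[str, Entry], live: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Diff a clean manifest against the live one; mode check applies to live entries only."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [], "too_permissive": []}
    for rel, (digest, mode) in live.items():
        if rel not in clean:
            report["added"].append(rel)
        elif clean[rel][0] != digest:
            report["modified"].append(rel)
        limit = MAX_DIR_MODE if digest == "" else MAX_FILE_MODE
        if mode & ~limit:  # any permission bit set beyond the allowed maximum
            report["too_permissive"].append(rel)
    report["missing"] = [rel for rel in clean if rel not in live]
    for key in report:
        report[key].sort()
    return report


def make_demo_trees(base: str) -> Tuple[str, str]:
    """Construct a clean backup and a live copy with planted differences (sample data)."""
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "config.php": "<?php $db = 'example'; ?>\n",
        "old-form.php": "<?php /* deprecated form handler */ ?>\n",
        "uploads/readme.txt": "uploads go here\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, 0o644)
        os.chmod(os.path.join(root, "uploads"), 0o755)
    # Differences introduced into the live copy:
    with open(os.path.join(live, "index.php"), "a") as f:
        f.write("<?php /* appended content */ ?>\n")       # modified file
    with open(os.path.join(live, "uploads", "cache.php"), "w") as f:
        f.write("<?php /* file that does not belong */ ?>\n")  # added file
    os.remove(os.path.join(live, "old-form.php"))          # missing file
    os.chmod(os.path.join(live, "uploads"), 0o777)         # directory above 755
    os.chmod(os.path.join(live, "config.php"), 0o666)      # file above 644
    return clean, live


def run_demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = make_demo_trees(tmp)
        return compare(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

For a real audit, point `build_manifest` at the downloaded copy of the account and at your clean backup, then open only the files listed under `modified` in Meld. Keep the clean manifest offsite once the site is verified: the next audit then needs only the live tree and that saved file.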
If you or others access the hosting account using an insecure operating system (I'm looking at you, Windows), consider the possibility that the local computer has been compromised and fessed up the hosting credentials.
Depending on what you found, consider changing your password(s) again.
ADDITIONAL STEPS TO TAKE IF YOU SUSPECT MALWARE HAS BEEN PLANTED ON YOUR SITE
The Google safe browsing diagnostic page will show if Google has found malware on your site. View it at https://www.google.com/safebrowsing/diagnostic?site=example.com, replacing example.com with your domain. Additional information about detected malware can be found in Google Webmaster Tools: log in, select the site, and check Diagnostics – Malware. Naturally, this only works if you have a Webmaster Tools account and had previously added the site to it.
A few third-party services (by no means all of them): makers of security software that incorporate website checking in their products; the pages below let you check their current databases. I don't regard any of these highly, but even false positives can damage a site's reputation.
AVG Threat Labs
Norton Safe Web
It's from Norton — need I say more? Registered site owners can request a site rating or reevaluation, but I've never had reason to try this, because their scanner has never detected any of the malware infections I've been called to work on.
The one service of its type I have some confidence in. Webmasters can request reevaluation.
Unlike other services mentioned here, WOT apparently uses only community ratings and performs no automatic scanning. Registered site owners can request reevaluation and reply to user comments.
Not all security software makers with website checking schemes allow you to consult their current database. Avast, for example, apparently does not.
Once your site has been cleaned, the following steps will minimize the chance of being compromised again and simplify detection and cleaning if it happens again.
So make sure at least one of those addresses goes to you.
Were you satisfied with your web host's response to your incident report? Are you comfortable staying with them? I've dumped more than one host on these grounds — they weren't necessarily responsible for the incidents, but they certainly were irresponsible in their responses.
If it happens again and you are confident that your practices are now secure, then it may be time to change hosts. There are a lot of insecure hosts out there, particularly among the cheap guys.