What to do if you suspect your web hosting account has been compromised

Things to do if you suspect that your web hosting account has been compromised. …

GENERAL ADVICE
Change your passwords — site administration control panel, SSH, FTP, database, CMS administrators, whatever.

Search site:example.com on Google; see if anything is unexpected.

Review all the files in your account, examining:

  • File modification dates. Keep in mind that if the root account has been compromised, then the attacker may have altered file timestamps. Of course, if you suspect this then you have bigger problems than forged timestamps.
  • Permissions. Excepting exceptional circumstances, directories should be no greater than 755 and files no greater than 644.
  • Files that don't belong.
  • Executable files you no longer need. All those deprecated form submission scripts, that web calendar you noodled around with but decided not to use, that CMS installer you forgot to delete, that phpinfo.php file you used for debugging way back when… they're all potential holes.
  • Non-executable files you no longer need. They're not vulnerabilities, but they are needless clutter that slow you down in moments like this. If you delete them now, you'll thank yourself during the next file audit.

Review server access logs.

Report the incident to the web host's support or abuse staff. Be specific in describing the incident and your response to date. Don't assume that the incident was their fault: such an attitude will close your eyes to ways in which you can improve your own practices.

Audit all software you have installed (CMS, form submission scripts, etc. Insure all are currently supported stable production versions. Upgrade as needed, keeping in mind that all you need is a secure version and not necessarily the most recent one with all the newest bells and whistles. Make sure you have in place a means of receiving security updates from each software project (RSS, mailing lists, Twitter, etc.). If you already had such notifications set up, check them all to insure they continue to work. Invariably when I do this I find that I had been relying on at least one or two dead feeds or superseded mailing lists.

Better yet, uninstall any software you don't absolutely need.

Now audit the software the web host offers (kernel, web server, database, etc.). If you find something amiss, nag them to update if needed.

Download files and use a diff checker such as Meld to compare each file to known clean ones in offsite backup or on your local development box. TODO: Can meld work with online files, thus obviating the need to download fles? If not, is there an alternative to meld that can?

If you or others access the hosting account using an insecure operating system (I'm looking at you, Windows), consider the possibility that the local computer has been compromised and fessed up the hosting credentials.

Depending on what you found, consider changing your password(s) again.

ADDITIONAL STEPS TO TAKE IF YOU SUSPECT MALWARE HAS BEEN PLANTED ON YOUR SITE
The Google safe browsing diagnostic page will show if Google has found malware on your site. View it at https://www.google.com/safebrowsing/diagnostic?site=example.com, replacing example.com with your domain. Additional information about detected malware can be found in Google Webmaster Tools: log in, select the site, and check Diagnostics – Malware. Naturally, this only works if you have a Webmaster Tools account and had previously added the site to it.

A few third party services (by no means all). Makers of security software that incorporate website checking schemes in their products; the pages below allow you to check their current database. None of these I regard highly, but even false positives can damage a site's reputation.

AVG Threat Labs
Must enable JavaScript for avgthreatlabs.com and disqus.com. Doesn't give actionable information when a vulnerability is found, but leaving a comment sometimes gets a personal reply from AVG with more useful specific information.

Norton Safe Web
It's from Norton — need I say more? Registered site owners can request a site rating or reevaluation, but I've never had reason to try this, because their scanner has never detected any of the malware infections I've been called to work on.

Stop Badware
The one service of its type I have some confidence in. Webmasters can request reevaluation.

WOT
Unlike other services mentioned here, WOT apparently uses only community ratings and performs no automatic scanning. Registered site owners can request reevaluation and reply to user comments.

Not all security software makers with website checking schemes allow you to consult their current database. Avast, for example, apparently does not.

iScanner is an open source tool to detect and remove malicious code from your website. Review (PDF) from 2010 here.

NEXT STEPS
Once your site has been cleaned, the following steps will minimize the chance of being compromised again and simplify detection and cleaning if it happens again.

Open a Google Webmaster Tools account and add your site to it. When Google detects malware, they send notices to the following addresses:

  • abuse@
  • admin@
  • administrator@
  • contact@
  • info@
  • postmaster@
  • support@
  • webmaster@

So make sure at least one of those addresses goes to you.

Were you satisfied with your web host's response to your incident report? Are you comfortable staying with them? I've dumped more than one host on these grounds — they weren't necessarily responsible for the incidents, but they certainly were irresponsible in their responses.

If it happens again and you are confident that your practices are now secure, then it may be time to change hosts. There are a lot of insecure hosts out there, particularly among the cheap guys.

REFERENCES
Google help: About malware and hacked sites
Stop Badware: Information for Website Owners

Advertisements

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s