What to do if the site was hacked?
We received a message from a client of ours, who had a website five years ago, that his site had been hacked and that a message had been sent to him in a messenger:
“Hello, your site was hacked – I.
Your site has a critical vulnerability that allows access to the server side.
To restore the functionality of the site and find out the vulnerabilities, you need to pay a small amount of money.
Also, I am ready to offer services to fix vulnerabilities and black SEO.”
Going to the site, we saw a picture and the text:
“HACKED BY WHOAMINN to restore performance and find out the vulnerabilities of the site contact telegram. WHOAMINN”
The client refused to pay them and asked us to restore the site and to find and close the holes through which they had been able to break in.
Stages of solving the problem:
1. We went to the hosting and saw that all the files of the site had been removed. The attackers left only one file on the hosting, index.php, which is implemented in a template of the main page.
The first thing to do is to check what exactly has been changed and whether all the files are still on the hosting. In our case it turned out that 7 other sites on the hosting were infected in addition to this one. And all the sites are completely different: DFS, sites with plain HTML-CSS without an engine, sites with the latest versions of OpenCart. That is, the problem is not only with this site. The PHP file that was left on the hosting:
2. The second thing we did was to restore the site files and database from backups. All sites of our clients are on what we consider the best web hosting service at present, Ukraine. In our opinion this hosting is better than the others because it is cheaper, very convenient and has many features to help the user. So if you are hosting on Ukraine, you should not worry. If you are not hosting on Ukraine, ask your hosting provider whether they make automatic backups. If yes, go and restore from them. If not, go to Hosting ukraine.com.ua and move your site there.
3. If you have a site on a CMS, you need to change the database password and update it in the config file.
4. Close access by FTP except for your IP addresses. Specify a list of IP addresses or networks for which FTP access is allowed.
5. Do the same for the database.
6. Next, you need to change the password in the control panel of the site, if you have a site on a CMS. This can be done in the control panel or through the database. And the most important thing to check is how many users there are: were all of them created by you, or are there unknown users?
7. Update all the necessary modules, plug-ins and components to the latest version.
8. Delete all unnecessary extensions.
9. We also looked at the code of the main page and removed obsolete code. For example, widgets of third-party sites.
10. We updated the CMS to the latest possible version, as well as the extensions.
11. Upgrade the version of PHP on the hosting in the site settings, also to the highest possible stable version.
Look at the other sites on the hosting: update everything and remove all the unknown modules and extensions. Run an antivirus scan on the hosting.
Once again: if possible, find out what other sites are on the hosting and check whether the other sites in your account are affected in the same way. On this hosting several sites were infected at the same time. It turns out that the virus can sit on another site and, through it, control your sites on the hosting.
So do not worry, all problems can be solved. The main thing is to update your website in time, or to order our technical support for the site and not worry about what can happen to it.
We looked on Google, and there are a few hacked sites:
We also found an interesting page on pastebin that may be useful to someone:
Good luck to everyone. Take care of your sites so as not to get caught by hackers. Or, if you do not have time to deal with your sites, leave it to us.