Surviving a Hack

By Mike Rohde

There’s a topic that all web developers need to keep current on — regardless of whether you’re a newbie or a veteran, if your site has been up for 10 years or for 10 minutes — and that topic is web site security and protecting yourself from hackers. What can be even more important than prevention is the cure in case your site is hacked.

Unfortunately, this is a topic that I was forced to dive deep on over the past few weeks. When I came back into the office after the holidays, I received an email from a client stating that all kinds of weird text was appearing not only on the site, but also in Google search results as well. That email immediately signaled the end of my vacation and for me to get back to work.

Of course, the first thing that I did when I learned about this “weird” text was to scan the site to look for it. I couldn’t find anything at all. But then the client sent a screenshot of what he was seeing, and sure enough, the terms “cialis,” “levitra,” and “viagra” were sprinkled throughout the text on the site. Then I did a Google search to find my site and there was the hack text again.

After doing some research on this specific type of attack, I learned that this “Pharm Attack” was rather common in the middle of 2011. At first, the hack was targeted at WordPress sites and then it grew to include Joomla! sites as well. Unfortunately, there is no easy fix for the Pharm Attack and it still happens. The hack only appears in Google search results and the offending text only appears on your site when your visitor clicks through the Google search results and lands on your page. That’s why many web site owners will never realize their site has been hacked; how many times do you visit your own site via a Google search? Unless you’re obsessed with search rankings, you might rarely search for your own site and therefore never see the hack.
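A quick way to check for the referrer-dependent injection described above, as an added example that is not part of the original article: fetch the same URL once directly and once with a Google Referer header, then report which pharma terms appear only in the second view. The sample pages and the term list are constructed; yoursite.com is the article's own placeholder.

```python
import re
import sys
import urllib.request

# Terms the article reports seeing on the hacked site; constructed list, extend as needed.
PHARMA_TERMS = ("cialis", "levitra", "viagra")

# Constructed sample pages: the same URL as seen by a direct visitor and by a
# visitor arriving from Google, where hidden spam text has been injected.
SAMPLE_DIRECT = "<html><body><p>Welcome to our store.</p></body></html>"
SAMPLE_REFERRED = ("<html><body><p>Welcome to our store.</p>"
                   "<div style='display:none'>cheap Cialis, viagra, Viagra</div></body></html>")

def count_terms(html, terms=PHARMA_TERMS):
    """Case-insensitive whole-word count of each term in the page text (tags stripped)."""
    text = re.sub(r"<[^>]+>", " ", html)
    return {t: len(re.findall(r"\b%s\b" % re.escape(t), text, re.I)) for t in terms}

def cloaking_delta(direct_html, referred_html, terms=PHARMA_TERMS):
    """Terms seen only by the Google visitor ({term: extra hits}); empty means both views agree."""
    direct, referred = count_terms(direct_html, terms), count_terms(referred_html, terms)
    return {t: referred[t] - direct[t] for t in terms if referred[t] > direct[t]}

def fetch(url, referer=None):
    """Fetch a page, optionally with a Referer header as if clicked through from Google."""
    headers = {"User-Agent": "Mozilla/5.0 (cloaking-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

if __name__ == "__main__":
    # Usage: python cloak_check.py http://www.yoursite.com/   (placeholder URL from the article)
    url = sys.argv[1] if len(sys.argv) > 1 else None
    if url:
        delta = cloaking_delta(fetch(url), fetch(url, referer="https://www.google.com/search?q=test"))
        print("terms visible only via Google referral:", delta or "none")
    else:
        print(cloaking_delta(SAMPLE_DIRECT, SAMPLE_REFERRED))
```

Some variants of this hack key on the visitor's User-Agent rather than the Referer, so a clean result here is not proof the site is clean; compare both views of several indexed pages.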

How the Attack Happens

The attack occurs when hackers gain access to your database through the web host. Once they have access to your database, they add malicious code to key files. They can also add entirely new files that can be buried deep within your directory tree. Finding and deleting this code and the bad files can be a hard-fought battle. I’ve even learned through my research that deleting the bad code and files can actually make the problem worse, because deleting the files can trigger more files to become infected or new files to be created.

For WordPress, the names of possible hacked files could be:

  • .akismet.cache.php
  • .akismet.bak.php
  • .akismet.old.php
  • class-akismet.php
  • db-akismet.php
  • wp-content/uploads/.*php (random PHP name file)
  • wp-includes/images/smilies/icon_smile_old.php.xl
  • wp-includes/wp-db-class.php
  • wp-includes/images/wp-img.php

Hacks can be placed inside of plug-ins as well:

  • akismet/wp-akismet.php
  • akismet/db-akismet.php
  • wp-pagenavi/db-pagenavi.phpv
  • wp-pagenavi/class-pagenavi.php
  • podpress/ext-podpress.php
  • tweetmeme/ext-tweetmeme.php
  • excerpt-editor/db-editor.php
  • akismet/.akismet.cache.php
  • akismet/.akismet.bak.php
  • tweetmeme/.tweetmem.old.php

For Joomla!, it’s the same type of situation. Your main .php files could get hacked and new malicious files can be added to folders.
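A scanner for the file names and locations listed above, added here as an example and not code from the article: it walks a WordPress tree and flags the known names, hidden dot-files containing PHP, disguised double extensions such as .php.xl, and any PHP under wp-content/uploads. The sample tree is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Names from the article's WordPress lists; its "db-pagenavi.phpv" is assumed to mean .php.
KNOWN_BAD_NAMES = {
    ".akismet.cache.php", ".akismet.bak.php", ".akismet.old.php", "class-akismet.php",
    "db-akismet.php", "wp-akismet.php", "wp-db-class.php", "wp-img.php", "icon_smile_old.php.xl",
    "db-pagenavi.php", "class-pagenavi.php", "ext-podpress.php", "ext-tweetmeme.php",
    "db-editor.php", ".tweetmem.old.php",
}

def suspicious_reason(relpath):
    """Why a path matches one of the article's dropper patterns, or None if it looks normal."""
    parts = relpath.replace(os.sep, "/").split("/")
    name = parts[-1]
    if name in KNOWN_BAD_NAMES:
        return "name from the known pharma-hack file list"
    if name.startswith(".") and ".php" in name:
        return "hidden dot-file containing PHP"
    if re.search(r"\.php\.\w+$", name):
        return "PHP source disguised with an extra extension"
    if parts[:2] == ["wp-content", "uploads"] and name.lower().endswith(".php"):
        return "PHP file inside wp-content/uploads"
    return None

def scan_tree(root):
    """Walk a site tree; return sorted (relative path, reason) pairs for suspicious files."""
    rels = (os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
            for d, _, files in os.walk(root) for f in files)
    hits = [(rel, suspicious_reason(rel)) for rel in rels]
    return sorted(h for h in hits if h[1])

def build_sample_tree():
    """Constructed WordPress layout: three ordinary files plus three planted ones."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "wp-content/plugins/akismet/akismet.php",
                "wp-content/uploads/2011/07/photo.jpg",
                "wp-content/plugins/akismet/.akismet.cache.php",      # planted
                "wp-content/uploads/2011/07/x9f2k.php",               # planted
                "wp-includes/images/smilies/icon_smile_old.php.xl"):  # planted
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

A hit is a reason to open the file and look, not proof of infection; run the scan against the live tree and against each backup archive before trusting either.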

So, how do you fix an infected site?

Backups

Any and all web site owners should religiously back up their sites every time the site is updated. This is fine for sites that are rarely updated, but it is tougher for news sites and blogs that are updated daily. Even so, at least weekly backups are recommended. However, regular backups won’t necessarily save you from a hacked site. One aspect of the Pharm Attack is that the infected files can lie dormant for weeks or months at a time. Because of that, you could have a hacked site with zero symptoms for a long period, and many of your backups could be infected as well. This means that even if you restore a previous backup, you could simply be restoring infected files. With that stated, this does not mean you should stop backing up your files.

Akeeba Backup

Personally, I’ve been using Akeeba backup for my Joomla! sites. The core version is free and it works great. You can download it here:

https://www.akeebabackup.com/

It is available for Joomla! 1.5 and 1.7. After installation, you can back up your site from the back end and it creates a .jpa file. You can download this file from the back end of your site, but it is recommended to download this file via FTP. You can find the backup file by following this path: root > administrator > components > com_akeeba > backup.

To restore the backup, you will need the Akeeba Kickstart files, which are also free and can be downloaded from the Akeeba site. After you download and unzip the Kickstart files, upload all of them to your root directory via FTP. Also place the .jpa backup file in the root directory. With those files uploaded, direct your browser to http://www.yoursite.com/kickstart.php. This page will prompt you to completely install and restore your Joomla! site.

That’s all well and good if you have a backup that you know for sure isn’t infected. But what if it is?

Local Replica of Site

There’s another way to recover your site instead of restoring a backup: keep a replica of your site on your local machine. When you first built your site, you most likely did not build it online. Rather, you probably built your site on localhost, then uploaded it online. And then you forgot about it, and you did all future updates on the live site. I’m here to tell you not to do that. A best practice is to keep a replica of your site on your localhost. That way, if your site is hacked and your backup files are hacked, you still have your local version.

You can back up your local version using Akeeba Backup just as if it were online. However, when you restore the local backup to the root directory of the online site, you’ll need to update the configuration so that it no longer points at localhost but uses the settings for the online version.

Of course, you should always make backups of your local version in case your hard drive crashes or your computer is attacked by a virus.
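One way to tell a clean backup from an infected one, given the local replica this section recommends (example code added here, not the article's or Akeeba's): hash every file of the replica into a manifest, then diff an extracted backup or the live tree against it. The sample trees are constructed; configuration.php is skipped because it legitimately differs between localhost and the live site.

```python
import hashlib
import os
import tempfile

def file_sha256(path):
    """SHA-256 of a file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every relative path under root to its SHA-256; run this on the local replica."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = file_sha256(full)
    return manifest

def compare_to_clean(clean_manifest, candidate_root, ignore=("configuration.php",)):
    """Classify a backup or live tree against the clean manifest; `ignore` lists files expected to differ."""
    seen = build_manifest(candidate_root)
    added = sorted(p for p in seen if p not in clean_manifest and p not in ignore)
    modified = sorted(p for p in seen if p in clean_manifest and p not in ignore
                      and seen[p] != clean_manifest[p])
    missing = sorted(p for p in clean_manifest if p not in seen)
    return {"added": added, "modified": modified, "missing": missing}

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)

def build_sample_trees():
    """Constructed local replica and a 'backup' with one altered and one planted file."""
    clean, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, backup):
        _write(root, "index.php", "<?php echo 'home';")
        _write(root, "components/com_content/controller.php", "<?php class Ctl {}")
    _write(clean, "configuration.php", "<?php $host = 'localhost';")
    _write(backup, "configuration.php", "<?php $host = 'db.example.com';")
    _write(backup, "index.php", "<?php echo 'home'; /* injected spam markup */")
    _write(backup, "images/.cache.php", "<?php /* planted file */")
    return clean, backup
```

Anything under "added" or "modified" is what to inspect before restoring; a backup whose report is empty apart from expected files is the one to use.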

Completely Rebuild the Site

Completely rebuilding your site is the worst-case scenario. You might have to take this drastic step if you have no clean backup files and you don’t have a replica of your site on your local machine. This is what I had to do. Luckily, the site I had to rebuild is basically a brochure site and is limited to hundreds of pages and not thousands or tens of thousands of pages. I was able to rebuild the site in a matter of days. This did give me a good opportunity to upgrade to Joomla 1.7 and to learn all of the new features this build has. I was using Joomla 1.5 before, and it was time to upgrade. I held off upgrading before because there is no clean method of migrating content. And not all extensions and plug-ins were available. Enough time has passed now and many popular add-ons have been updated or created for Joomla 1.7. So, the excuses for not upgrading are slowly dwindling away.

Security Tools

There are probably a ton of security tools that you can add to your site. Hopefully, you can implement something before your site gets hacked and not after. Akeeba does offer a tool called Admin Tools that will put an extra layer of security on your site. You do need to pay 20 euros for the Web Application Firewall settings, but the low cost could make it very worthwhile. I got the green light for that purchase without any hesitation. It’s now installed on all of my Joomla! sites.

Google Webmaster Tools

After you know for sure that your site is completely free of any infected files, you will need to submit your site map to Google Webmaster Tools (https://www.google.com/webmasters/tools). However, this may not be enough. It’s possible that you will need to submit each page that is showing up with the hacked text in the Google search results. Google Webmaster Tools does allow you to fetch specific pages and then submit them for indexing. However, you only get a limited number of fetch requests, so use them wisely. There’s no telling how long it will take for Google’s search results to become clean. Hopefully, it happens sooner rather than later.

To wrap up, the best approach to restoring a hacked site is to use a backup file generated from a replica site on your local machine, which you also keep backed up in case your hard drive crashes or your computer gets a virus. The hackers will get sneakier and the hacks will continue. As a web site owner, it’s in your best interest to protect your site as best you can.

Editor’s Note: Do you have a hacked story or a suggestion regarding this topic? Share it with us in the comments below!


