It was just another day. All work was done for the day. Everything was OK until I opened my blog. BOOM!!! Google threw a big red screen in my face with the message “The site ahead contains malware”. My blog got hacked; I became a victim of a cyber attack.
It was kind of scary. The thing which was working perfectly fine a few minutes before suddenly malfunctioned. I was totally blank and clueless about what was happening. I went into panic mode without actually solving the issue. Then I took a pause and thought, let’s first read and learn about it and then take effective action rather than keep trying here and there in vain. Following are the findings, lessons and experiences I gathered throughout the process of bringing my blog back to normal after being hacked.
- The first tool you will come across :
While crawling, when Google finds any suspicious behaviour on your site, it lists your site as malfunctioning. For security reasons Google prevents users from going directly to the site and also blacklists it in search results. On the warning page itself Google gives an overview of what kinds of malware are present on the site, so that the user knows about them before landing on the page.
For a more detailed report, you as the owner need to register your site in Google Webmaster. The generated security report contains detailed information about which attacks are there, along with their URL locations and potential solutions. It also provides reading material for each attack, which helps you tackle them effectively and quickly. Below is the report generated by the tool.
What kind of attacks are possible :
So what does it mean when someone says “I got hacked”? Hacked content basically means any type of content put on your site without the owner’s permission which can potentially harm the user and the user’s data; in short, it is the result of a security breach on your site. As Google keeps its users away from malicious sites, it will blacklist your site, resulting in low priority in search results. So it is always recommended to keep your site secure, but this is not an ideal world, which is why the more important thing is to clean up all the malware from your site as soon as possible. This will keep your site’s search score with Google as it is. Following is brief info about what kinds of attacks are possible on your site.
Redirects -
In this attack the hacker puts malicious code into your site’s pages which redirects the user to a target URL. The target URL could be anything, and it will affect your site’s brand value. In my case, the hacker was redirecting users to his domain, on which malware was hosted.
Injected content -
In this attack the hacker injects malicious code into your pages. This can be very dangerous, as it can potentially harm the client by copying or manipulating the client’s data. I came across several of these attacks on my site. The hacker had injected multiple eval() calls into the theme template, which were adding iframes with the hacker’s malicious code. In other places hackers had injected iframes into my content-not-found page, which was causing redirects to other sites.
Added content -
In this attack the hacker adds extra content to your site, like pages, posts etc. This will not harm your existing content, but the newly added spammy content can cause issues in your site’s search results.
Hidden content -
In this attack the hacker tries to manipulate your existing content, but it is not that straightforward. Hackers place this content such that it is seen differently by search bots and normal users, which is also known as cloaking. This is very dangerous, as the user will get false results for a correctly searched query. This is because the search engine thinks it is serving genuine content, but the hacker is playing in between to display a false result to the user. You can also avoid this by keeping in mind, while coding, not to do anything special for search bots.
What you should do if your site got affected :
Now comes the most important part of the discussion: what you should do if you get hacked and your site is affected. Following are the things I came across and followed to bring my site back to normal.
Take your site down immediately -
This is important for two reasons. First, you should not keep exposing your users to malicious content until you fix it. Second, you should try to stay off the blacklists of the different search engines. Try not to give search bots a chance to crawl your site while it is under attack and malfunctioning.
Contact your hosting provider -
Most of the time, if you are using shared hosting, it could be that the server itself is affected by hacker attacks. That’s why you should first raise a ticket in your hosting provider’s support forum. This was the exact case with me :’(
Change all your security passwords -
It could be that the hacker has stolen your security passwords. So you should change each and every password related to your site. You can use password generators like 1Password or KeePass to generate more complex passwords, which will be difficult to hack and could prevent further malicious attacks.
Take backup of your content -
This is something you should do frequently: back up your site content, all your site comments, like history and site database. It will be useful in the worst case, where you are unable to deal with the attack and have to restore everything from scratch.
Follow the community and forums -
Most of us use a CMS like WordPress, Joomla, Magento etc. These CMS communities and hosting sites have fairly strong support for these kinds of issues. If you are hosting your site on shared hosting, then it is likely that other users are facing the same hacking or malfunctioning issues.
Updates and Installations -
We often don’t look at the security aspects of the CMS platform or plugins; we just look at the user-end experience. So it is likely that these are easy to infect. Most of those systems keep fixing their security issues in subsequent releases. So make sure you update and install with security in mind.
Find and remove hacks -
There are many ways to find out which hacks are present on your site. Google webmaster’s security report is one option. Another is security plugins, which try to find the flaws and hacks currently present on your site and also provide version control for your configuration or settings files. There are a lot of WordPress malware scanner plugins available in the plugin market. After using these options you will have an idea of where the potential hacks are on the system. Then either revert all the content to a date before the attack, or manually go through the code and see whether you can find any malicious code.
Restore your backup -
This is the last option you should fall back on. If nothing works for you, then you can start from scratch and restore everything from your backup.
Ask Google to review your site again -
This is the last and most important thing you should do after cleaning all of the hacked content from your site. When Google shows you the security report, there is an option below it to ask Google to review your site again. This is basically like raising a flag to tell Google: I have resolved and cleaned all the malicious content from my site, so please verify it and remove my blog from your blacklist.
Keep taking precautions to avoid further hacking -
So after Google has removed you from its blacklist, don’t just be happy and leave things as they are. You could well get hacked again the very next day if you don’t follow security guidelines from then on. So stay alert and keep an eye on your site to protect it.
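An added example for the “Find and remove hacks” step above (not code from the original post or from any plugin): a small Python scanner for the kinds of injection described under “Redirects” and “Injected content”, namely eval() of decoded data, hidden iframes and script redirects in theme files. The rule set, file names and sample contents are constructed assumptions, and the patterns are heuristics that will miss obfuscated variants.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules for the injections described in this post (assumed, not exhaustive).
RULES = {
    "eval-of-decoded-data": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden"
        r"|(width|height)\s*=\s*[\"']?[01]\b)", re.I),
    "script-redirect": re.compile(r"\blocation(\.href)?\s*=\s*[\"']https?://", re.I),
}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

# Constructed sample files standing in for a theme directory (not from the author's blog).
SAMPLE_THEME = {
    "header.php": '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n<title>Blog</title>\n',
    "404.php": '<h1>Not found</h1>\n'
               '<iframe src="http://malware.example/x" width="1" height="1"></iframe>\n',
    "single.php": '<?php the_content(); ?>\n'
                  '<script>window.location.href = "http://malware.example/go";</script>\n',
    "footer.php": '<iframe src="https://video.example/e/1" width="560" height="315"></iframe>\n',
}

def scan_text(text):
    """Return (line_number, rule_name) for every rule that matches a line."""
    return [(n, name)
            for n, line in enumerate(text.splitlines(), 1)
            for name, rx in RULES.items() if rx.search(line)]

def scan_tree(root):
    """Scan template/script files under root; map relative path -> list of hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_THEME.items():
            Path(root, name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for file, hits in demo().items():
        print(file, hits)
```

Point `scan_tree()` at a copy of your theme or plugin directory and treat each hit as a place to inspect by hand, since legitimate code can match these patterns too.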
This time I learnt the lesson the hard way. This incident really helped open my eyes to the security world. Next time, keep in mind not to use anything blindly. Analyse all the aspects of your plugins, your CMS or your entire hosting platform before proceeding with it. I suggest you learn more about these kinds of issues or hacks and be prepared before becoming the next victim.
Stay alert, stay safe!