How to fix a hacked site and harden June 2019
Download as PPTX, PDF1 like1,475 views
The document presents a guide on how to fix a hacked website and enhance security, emphasizing the importance of recognizing signs of hacking, immediate responses, and understanding potential vulnerabilities. It includes steps for damage assessment, recovery, and hardening site security through tools and best practices. Regular security reviews and monitoring are essential to prevent future hacks.
![How did my site get hacked?
• Look for evidence in Cpanel error logs/raw access logs
• 77.221.130.18 - - [09/May/2019:08:54:59 +1000] "GET
/index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)“
• 77.222.40.87 - - [09/May/2019:13:28:02 +1000] "GET
//index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613
"-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"](https://image.slidesharecdn.com/howtofixahackedsiteandhardenjune2019-190611121305/85/How-to-fix-a-hacked-site-and-harden-June-2019-6-320.jpg)
How to fix a hacked site and harden June 2019
- 1. How to fix a hacked site and harden security Presented by Tim Plummer Joomla User Group Sydney 11th June 2019
- 2. Recognising your site is hacked • Sometimes it’s obvious, other times more subtle
- 3. Other common indicators of hacked site • Blacklist warning by Google etc. • Warnings from web host regarding resource usage • Complaints from customers • Unusual file modifications (template, core files etc) • Malicious new users created on your site • Unexpected or abnormal browser behaviour
- 4. Immediate response • Do you have a disaster recovery plan? • What can you do quickly to minimize damage/exposure? • Site offline / maintenance mode (if appropriate) • Change passwords (Cpanel, Joomla Admin, etc)
- 5. Why did my site get hacked • Deface / vandalize • Spreading malware • Hacker showing off • Profit (e.g. crypto currency mining, spamming) • Targeted attack, for example to obtain personal information
- 6. How did my site get hacked? • Look for evidence in Cpanel error logs/raw access logs • 77.221.130.18 - - [09/May/2019:08:54:59 +1000] "GET /index.php?option=com_myfiles&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)“ • 77.222.40.87 - - [09/May/2019:13:28:02 +1000] "GET //index.php?option=com_alphauserpoints&view=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 404 613 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
- 7. Do I have any outdated or insecure extensions? • Check Joomla! Vulnerable Extension List https://vel.joomla.org/
- 8. Is your core Joomla version up-to-date?
- 9. Is your PHP version up-to-date?
- 10. Does your computer have any malware?
- 11. Are there any other sites on this hosting account? • Could the vulnerability be due to another site/app on the hosting account • For example, the recent Joomla Extension Directory vulnerability was caused by an outdated Stapler web framework used by Jenkins, which is the tool used for daily automated testing etc.
- 12. Damage assessment • What files have been modified? • Have any files been uploaded?
- 13. How does the hack affect your customers? • Is there any personal/financial information exposure – do you need to report a mandatory data breech? https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme • Do you need to retain a copy of hacked files and logs for evidence/further investigation?
- 14. Recovery considerations • Do you have a good (offsite) backup from before the hack? Will there be any data loss if you restored this? • Have you addressed the source of the hack? • Is manually cleaning the files appropriate (editing source code to remove injected code)? • Should you reinstall Joomla over the top to restore core files? • Can you fix this yourself, or do you need to engage security professionals? • Do you need to change passwords (Cpanel, Joomla admin users, mySQL, FTP accounts etc) • Do you need to clean database (remove users and suspicious content)
- 15. Recovery considerations • Do you need to contact web host to remove suspension? • Do you need to request removal from blacklisting (e.g. Google Search Console)
- 16. Helpful tools/services • Myjoomla.com audit / fix hacked site service • Watchful.li malware scan
- 17. Hardening your site • Firewall software (e.g. Akeeba Admin Tools or RSFirewall) • .htaccess rules to block common exploits • Make sure all software is up-to-date (core Joomla, extensions, PHP etc). • Limit who has admin/super user access • Regular malware scans (both your site and computer) • Regular review of logs, hosting resources etc. looking for suspicious activity
- 18. After your site is fixed • Continue to monitor to ensure site doesn’t get hacked again (maybe you missed the true source of the hack in your cleanup) • Remember, security is not a once off exercise, you should regularly review your site security and make incremental improvements as needed.