Fixed Knowledge Base


Website Hacking and Malware

Posted 04th October, 2018

Website hacking and defacement is an extremely common occurrence. Cleaning up after a hack can be a frustrating experience.

If your WordPress site has been hacked, see our comprehensive WordPress Cleanup Guide.

fixed.net automatically scans for malware, and offers a free vulnerability scanner for WordPress. This can be set to run regularly, and alert if any vulnerabilities are found.

In addition, we can also clean up and patch vulnerable or hacked websites.


The reason a website is attacked is usually for one of the following, in no particular order.

  • To steal data from the website itself (credit card details, names, email addresses)
  • For phishing. The third party uploads a page that purports to belong to a bank or an email provider, and users are redirected there.
  • To redirect site visitors to another website. Usually for phishing.
  • To send spam emails, which usually redirect to another website. Usually for phishing.
  • To cause business disruption for your site.
  • To demand a ransom from the site owner.
  • Just for fun. Because they can.

Why would someone attack a website?

In almost all cases the answer is automation. An attacker can write one script and point it at large numbers of random websites. Whether a particular site gets attacked therefore usually comes down to one of the following:

  1. It is using outdated software - This could be an outdated core software stack (e.g. the WordPress core files), or an old plugin or theme that has not been updated. New versions are often released to close security holes and vulnerabilities. Most websites run on some form of open-source software, such as WordPress, Joomla or Drupal. Because the source code is public, out-of-date versions can be exploited.

  2. The username and password are insecure - Using a username such as administrator, admin or adminer is a bad idea, because many existing brute-force scripts will try to guess such a username and password.

  3. Incorrect file permissions - It is bad practice for directories to use 777 permissions on shared hosting, as other users on the same server may be able to view and edit your files.

  4. Using illegal software - There are sites which offer premium themes and plugins for free. In some cases these themes and plugins contain a back door or two which an attacker can exploit in order to gain access to your site's files.

A site hacking manifests itself in a few ways, for example:

  • The extreme - the site shows a "hacked by" message.
  • The benign - a page or element stops working.
  • The confusing - some users get diverted to a spam website.
  • The frustrating - a browser starts flagging the site as dangerous.
  • The invisible - the site works perfectly and the hack is not noticeable at all!

The most common types of hack are as follows:

Clickjacking

Clickjacking fools the user into performing an action they did not intend to perform. For example, the user might think they are browsing a website when they are instead allowing remote control of their computer. This is commonly achieved through the use of iframes.

Website defacement

Website defacement is an attack on a website that changes the visual appearance of the site or webpage. A site can then be used for scamming the visitor.

XSS

Cross-site scripting attacks are where code is injected into a site. The site itself may appear to be working perfectly and seem unaffected. One example of this is the 2018 British Airways attack, where credit card details were also sent to a third party at the point of customer payment.

SQL Injections

SQL (MySQL in the case of WordPress) is the database that stores the content and data for your website. These attacks use a vulnerability in the site's code to gain full access to the database. An attacker can either retrieve information from the database or, for instance, add themselves as an administrator of your website.

Javascript Injections

JavaScript is client-side code. If changes are made to it then forms can be submitted, specific information sent to the visitor, cookies updated, and more.

Therefore the best course of action is to regularly scan a website for vulnerabilities and malware.

Third Party Tools

There are various third-party tools which can scan a WordPress site. For instance, the Fixed.net service can be used to scan a backup for any malicious files.

Fixed.net includes a WordPress scanning tool. This scans a website for any vulnerabilities within the core version, plugins, and themes. It also reports any weak passwords, suspicious users, and security configuration issues.

Plugins

Server Level Scanning

Maldet (Linux Malware Detect) is a scanning tool which can look for suspicious encoded content and/or functions. It can be run over SSH:

maldet -a /your_site's_directory/

Alternatively, grep can be used to search through files.

grep -r --include='*.php' -lPHn "(eval\(.*\);)" .

or, to check for scripts which contain base64-encoded content:

grep -ril base64 .

Note that these searches might yield false positives, as there can be genuine reasons for script content to be base64 encoded.

Database Scan

Database exploits can be difficult to notice. The quickest way to check for any exploits is to use a database search tool, such as phpMyAdmin > Search > All tables > Go. Results when searching for terms such as eval, gzinflate, base64_decode, str_replace or preg_replace indicate a potential hack and should be investigated further.
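The two checks above (the grep sweep of the PHP files and the database search for the same terms) can be combined in one small script. The following is an added example written for this article, not a fixed.net tool; it assumes a POSIX shell with find, grep -E and sed, takes the site's document root and a SQL dump file (for instance one produced by mysqldump) as inputs, and builds a constructed sample site and dump inline so it runs stand-alone. It separates the rarely legitimate terms (eval, gzinflate, base64_decode) from the noisy ones (str_replace, preg_replace) so the false positives the article warns about are easy to set aside.

```shell
#!/bin/sh
# Added example (not from the fixed.net article or its tooling): a scanner for
# the indicator terms the article names, run over PHP files on disk and over a
# SQL dump. Assumes POSIX sh with find, grep -E and sed; the inputs are the
# site's document root and a mysqldump-style file (both names assumed here).

# eval/gzinflate/base64_decode are rare in clean code; str_replace/preg_replace
# are everywhere in WordPress core and plugins, so they are reported separately.
HIGH='(eval|gzinflate|base64_decode)[[:space:]]*\('
LOW='(str_replace|preg_replace)[[:space:]]*\('

# scan_php_dir DIR -> lines "SEVERITY file:lineno:matched text"
# (/dev/null is passed alongside so grep always prefixes the file name)
scan_php_dir() {
    find "$1" -name '*.php' -exec grep -En "$HIGH" /dev/null {} + | sed 's/^/HIGH /'
    find "$1" -name '*.php' -exec grep -En "$LOW"  /dev/null {} + | sed 's/^/LOW  /'
}

# scan_sql_dump FILE -> lines "HIGH lineno:matched text"; this covers stored
# posts/options, the case the article's phpMyAdmin "All tables" search handles
scan_sql_dump() {
    grep -En "$HIGH" "$1" | sed 's/^/HIGH /'
}

# count_high DIR DUMP -> number of high-severity findings across both sources
count_high() {
    { scan_php_dir "$1"; scan_sql_dump "$2"; } | grep -c '^HIGH '
}

# Constructed sample site and dump (placeholder content, not real malware) so
# the example runs offline: one clean file, one noisy-but-legitimate file,
# one injected file under uploads, and a dump with one injected option row.
SITE=$(mktemp -d); DUMP="$SITE/site.sql"
mkdir -p "$SITE/wp-content/uploads"
printf '%s\n' '<?php echo "hello"; ?>' > "$SITE/index.php"
printf '%s\n' '<?php $x = str_replace("a", "b", $y); ?>' > "$SITE/functions.php"
printf '%s\n' '<?php eval(base64_decode("CONSTRUCTED_PLACEHOLDER")); ?>' > "$SITE/wp-content/uploads/cache.php"
printf '%s\n' 'INSERT INTO wp_posts VALUES (1, "<p>Welcome</p>");' > "$DUMP"
printf '%s\n' 'INSERT INTO wp_options VALUES (9, "<script>eval(gzinflate(CONSTRUCTED))</script>");' >> "$DUMP"

scan_php_dir "$SITE"
scan_sql_dump "$DUMP"
echo "high-severity findings: $(count_high "$SITE" "$DUMP")"
```

On a real site, HIGH hits under wp-content/uploads or in post/option rows deserve a look first; LOW hits are best compared against a clean copy of the same plugin or core version rather than reviewed one by one.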