wiki:fix-compromised-web-site

Version 3 (modified by Jamie McClelland, 3 years ago) (diff)

--

How do I fix a compromised web site?

A compromised web site means that someone has figured out how to take over your web site in some way. Usually it means one or more of the following:

  • Convince your web site to send a lot of spam messages
  • Add links to spam web sites via your web site's comments or by directly posting content to your web site
  • Add a "backdoor" - which enables an attacker to attack other web sites or servers from your web site

Typically, it happens for one of the following reasons:

  • Your web site is not up to date with the latest security patches (most common)
  • Your web site is not configured properly (for example, it allows anonymous users to post comments)
  • Someone has guessed your login username or password

The steps to fix your site are the same regardless of what web software you are using (Drupal, WordPress or Joomla).

Every content management system has two kinds of files and directories: one kind is core software plus third party plugins and unchanged themes. The second kind is code that is customized specifically for your web site. The basic idea is to download fresh copies of everything that is core software or a third party plugin or theme. Then, you have to carefully sift through your custom code and manually remove compromises.

Here are the steps:

  • Back up on your own computer or in your home directory all the files and folders in your web directory. Remember to check for hidden files (like .htaccess files).
  • Delete everything from your web directory, including hidden files like the .htaccess file. You should have absolutely nothing in your web directory.
  • In your home directory or on your own computer, make a new "holding" directory which will contain your custom code. Copy (from the backup) your settings files (in Drupal - sites/default/settings.php, in WordPress wp-settings.php), your files directory (in Drupal - sites/default/files, in WordPress wp-content/upload), and your custom theme directory. We will work on these files later.
  • Change your SFTP user's password via the control panel
  • Change your MySQL password via the control panel (and then update your settings file that you copied into your "holding" directory with the new value)
  • Download a clean copy of your content management system (WordPress, Drupal, etc) to your web directory.
  • Download a clean copy of all of your third party modules or plugins to your web directory. DO NOT copy them from your backup.
  • Now, we work on your "holding directory":
    • Start with your settings file - compare the file with the sample file provided when you download your content management system. Check for lines that are really long (more than 72 characters) and that have long chunks of what seem like gibberish code. If you are satisfied that it is clean, put it into your web directory.
    • Look through your files/upload directory. You should only have image files, PDF files and the like in this directory. If you find any files ending in .php they should be deleted.
    • Now for your custom theme. This is the hardest. Compare your custom theme with a clean copy of the theme it was based on and carefully examine the differences (using the same method you used when examining your settings file). When you are satisfied, put it back into your web directory.
  • Database. In some cases, attackers add content to your database. You may need to search your node/content tables for the strings "<?php" or "<script" to find examples of database compromises.
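The three "holding directory" checks from the steps above (long gibberish lines in the settings file, .php files under uploads, and "<?php" or "<script" in content rows), as an added shell example that is not part of this wiki page. The settings file, upload files and SQL dump it scans are constructed sample data written to a temporary directory; the 40-character run used to spot "gibberish" is an assumption of this example, not a threshold the guide gives.

```shell
#!/bin/sh
# Added example (not from the wiki): the holding-directory checks from the
# steps above as small POSIX shell functions, run against constructed sample
# files in a temporary directory. Assumes awk, grep and find are available.

# Lines longer than 72 characters that also contain a run of 40 or more
# non-space characters, so long but ordinary settings lines are not flagged.
count_suspicious_lines() {
    awk 'length($0) > 72' "$1" | grep -cE '[^[:space:]]{40,}' || true
}

# Files under the uploads directory named *.php in any letter case,
# including ones tucked away in subdirectories.
php_in_uploads() {
    find "$1" -type f -iname '*.php'
}

# Rows of a SQL dump (or any text export of the content tables) that
# carry "<?php" or "<script" (case-insensitive).
count_db_payloads() {
    grep -ciE '<\?php|<script' "$1" || true
}

# --- constructed sample data (hypothetical, for demonstration only) ---
HOLD=$(mktemp -d)
mkdir -p "$HOLD/files/cache"
# The last settings line is a constructed stand-in for an injected obfuscated blob.
cat > "$HOLD/settings.php" <<'EOF'
<?php
$databases['default']['default'] = array('driver' => 'mysql', 'database' => 'site');
$base_url = 'http://example.org';
<?php eval(base64_decode('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcA=='));
EOF
touch "$HOLD/files/logo.png" "$HOLD/files/report.pdf" "$HOLD/files/cache/x.PHP"
cat > "$HOLD/dump.sql" <<'EOF'
INSERT INTO node_revision_body VALUES (1, '<p>Welcome to our site</p>');
INSERT INTO node_revision_body VALUES (2, '<p>News</p><script src="http://example.invalid/x.js"></script>');
INSERT INTO node_revision_body VALUES (3, '<p>About us</p>');
EOF

echo "suspicious settings lines: $(count_suspicious_lines "$HOLD/settings.php")"
echo "php files under uploads:"
php_in_uploads "$HOLD/files"
echo "content rows with <?php or <script: $(count_db_payloads "$HOLD/dump.sql")"
```

Run the functions against your real holding directory and a dump of your content tables instead of the sample paths; anything they report still needs to be read by eye before you decide to delete or keep it.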

When you are done, make a backup copy of your new web directory. If you are compromised again, it will be useful to compare your fresh web directory with the compromised one; it could provide clues for how the attacker got in.