My Website Was Hacked: What to Do Next

WHY AND HOW DOES AN ATTACK HAPPEN?

In the world of the internet, nothing rests, and unfortunately neither do “hackers”, who are looking for new ways to harm other users online, either for their own benefit or just for the fun of it. Attacks are common, but they usually take 3 forms:

1. 1. In 98% of cases, a site is targeted by a virus due to an unmaintained website. The most common targets are open source and unpatched scripts such as Joomla, WordPress, PrestaShop, phpBB, etc. Attacks are also often carried out via unpatched plugins and themes that are uploaded to a particular script.
   2. The virus is downloaded on the user’s computer and “steals” the saved login data. The virus then spreads to the hosting package, having gained access due to the unprotected computer. The affected users are usually those who have a username and password stored in a browser, FTP program or mail client (Microsoft Outlook, Mozilla Thunderbird, etc.).
   3. A DDoS attack (Denial-of-service attack) is the most serious intrusion attempt, which takes place at the level of the entire server and can, in the worst case, bring it to its knees. In such cases, the “hacker” simultaneously attacks a large number of servers of different hosting providers, which are then usually used to attack larger services/institutions, such as a bank. With a larger number of servers, the hacker can also run a larger number of concurrent processes, which can “break” even the most protected networks. Such attacks are very rare, and if the server administrator sees the attack attempt in time and it is not too strong, it can prevent serious problems.
   4. Attacks vary. Usually, malicious files/code are uploaded to your hosting package, where:

• the intruder can “brag” that you have been “hacked”,
• send out huge amounts of SPAM to random addresses (including addresses in your database),
• pose as fake websites for a foreign bank (phishing) and may even steal money through them,
• obtain personal data of your customers in your database,
• delete files,
• etc.

HOW TO RESOLVE THE SITUATION?

To get started, contact your hosting provider (us) so we can check the problem in more detail and help you with the next steps. You can also inform the SI-CERT Network Incident Centre (cert@cert.si). The Centre handles up to 200 reported cyber-attacks per month from different Slovenian providers. The same situation also applies abroad.

Malicious files must be located on the server and removed or the compromised code must be cleaned. If you regularly check your website, the solution can also be quick and easy, and can be arranged by simply restoring your hosting package to the state of the previous days, which is why it is very important that your hosting provider also allows you to restore your hosting package from backups free of charge.

At NEOSERV.si we regularly make backups so that you can easily restore your hosting to the state before the attack, of course if you noticed the problem in time. You can also help in detecting a web virus by filtering/sorting files by last modified, as compromised files are usually the last modified. Often, malicious code is also thrown into the .htaccess file or the files of your themes and plugins.

In the case of a site attack via a user’s computer hosting the virus, the password of the email addresses is usually misused, which is then exploited to send out SPAM emails.

After removing the malicious content, it is recommended to change the passwords for accessing the services (hosting control panel, administration scripts, e-mail accounts, etc.).

Another excellent tool to check for malicious content on your website is sitecheck.sucuri.net/scanner/ and similar.

HOW TO PREVENT UNAUTHORISED INTRUSIONS?

The best way to protect your website is to make sure it is protected yourself by regularly updating your website (apps/scripts). As mentioned above, 98% of websites receive viruses via unupdated and therefore security-vulnerable scripts and their unmaintained plugins and themes. This is because malicious code is always lurking in older versions of web applications, for which all the vulnerabilities are already well-known.

We recommend that you check your website at least once a week for updates. If you are not responsible for the maintenance of your website, but your website builder is, they will take care of it for you, but you should of course make sure that this is done beforehand to avoid unnecessary problems and inconveniences.

If you have installed the script via the Softaculous interface and entered your contact email address during the installation process, you will also receive notification of updates to this address as soon as new updates are released by the developers. Do not ignore messages sent through this interface, but take them seriously as this is the best way to protect your website. Notification of updates is usually also located in the administration of each script, where you will also be alerted about updates to plugins and themes!

It is up to you or your programmers to ensure that your websites are secure and up-to-date, but our team and the server’s security mechanisms are responsible for security at server level. If these alert us to suspicious processes on your hosting package, we will also notify you from our side and we will try to sort it out together as soon as possible.

The Slovenian organisations Si-Cert, Register.SI, Safe on the Internet and the Ministry of Education and Sport have also worked together to produce a handy brochure with information and tips on how to manage your website successfully and safely. The ABC of Safety for Website Owners booklet can be viewed or downloaded in PDF format here.

For further assistance, please call us on 059 335 000 or email us at info@neoserv.si.