Fix a hacked or compromised server:

If your site has been compromised, your first priority is to restore your site to its original state. Also note that we need to track down the source of the compromise.

Step 1.

You need to secure all the computers that accessing your account. In most cases the viruses, trojans, malware, spyware, email exploits, and worms etc were spread from the local computer itself in doing FTP, SSH etc towards the account.

For securing the local computer,

Check and confirm that the operating system is upto date. Also install if any new patches are available.
Always update the website browser that you are using.
Install an updated antivirus software and do a full system scan regularly.
You can also install an updated spyware scanner on your local system.
If you install any other software or programs, please ensure that it is from trusted vendor.
Always make use of SFTP for file transfer.

Step 2.

The passwords need to reset to a more secure password: Ensure that you had changed all the passwords including FTP/website admin etc to new and secure password.

Step 3.

If you don’t have a current backup then, you need to take the back up of all the data in the server and store it in you local hard disk.

Step 4.

Finding the cause behind compromised account.

For that you need to find the code that is injected to the CMS. Mostly you can search for eval, base64 and unescape are all good key words that might turn up some malicious obfuscated code.

The three key items that should flag as malicious code are:
  1. The use of unescape().
  2. The use of eval().
  3. The large block of obfuscated code.

If you see any of these items while searching, then it’s almost sure that the code containing these elements is malicious.

Step 5.

Now it’s the time to clean the server. For this you can remove all the contents and need to restore it with a latest good copy of the contents. If you don’t have a recent good backup then you can remove the malicious codes from the server.

Step 6.

The main cause behind compromised accounts are,

Weak Passwords

Usage of un-trusted third-party applications

Outdated CMS Versions etc.

So you need to change all passwords to more secure passwords and update all third-party applications and Outdated CMS Versions to the latest version.

If you need our help to fix a hack or compromised website or account, please feel free to contact us, simply email to [email protected]

Monthly server support with Unlimited tickets, 24×7 monitoring, Security Audit and lot more for just $59 

[sep][/sep][button size=”large” color=”green” title=”Server Management from iServersupport” link=””]Server Management at just $59[/button]