Website hacked - what to do?

Author: HOSTTEST Editorial | 21 May 2015

Unfortunately, websites are hacked all the time. This affects small and private websites, and large, well-known online presences in particular are regularly targeted by hackers. But what can you do if your website has been hacked, and how do you notice the incident in the first place? This article covers both.

Why are websites hacked in the first place?

Generally, website hacks fall into two scenarios. In the first, attackers target the websites of well-known companies, organisations, or personalities. The goal of these attacks is to attract attention, spread a political statement, or defame the website and its operators. Because the hackers choose the website deliberately, it is very difficult to protect against and prevent the attack. Even large companies like Sony and security software providers like Kaspersky have fallen victim to such attacks. Polarising politicians like Wolfgang Schäuble or Al Gore are similarly popular targets. Ordinary websites are almost never affected by this kind of attack, unless they provoke the anger of a direct competitor.

A much greater danger for ordinary webmasters comes from attacks that are not aimed at their website specifically. In this scenario, the attack is completely automated by tools that scan the internet for security vulnerabilities in websites. If a vulnerability is found in your web presence, the tools gain access and automatically inject malicious code on the server. The website can then be misused for phishing and spamming, or for DDoS or brute-force attacks on other targets. The malicious code may also install malware on the computers of website visitors. Often, links to other online offerings, many of them dubious or even illegal, are inserted into the website to improve the Google ranking of the target sites. Depending on the damage caused, the website owner may also be held responsible for consequential damages. It is therefore in the website owner's interest to detect hacker attacks quickly and prevent them as far as possible.

How to recognize a hacked website?

Website owners often find out relatively late that their online presence has fallen victim to a hacking attack. The most obvious sign is when, for example, the antivirus software on your computer raises an alert while you visit the website. Search engines like Google also automatically check websites for malicious code when their bot crawls the site. If dangerous activity is detected, visitors receive a warning as soon as they open the URL in their browser. In many cases, it is friends or acquaintances who inform the website owner about such incidents.

However, if the website has only been altered, for example by inserting external links, and no malicious code has been added, no warning is issued. Websites with dubious links remain accessible as normal, and the change often goes unnoticed. If the links are reasonably well hidden, for example in the footer or on subpages, they can remain active for years, which is why this approach is so popular among spammers and hackers.

The most effective way to identify a hacked website is to manually check the entire online presence at regular intervals. It is important to examine all pages carefully and look out for any changes. Those with programming knowledge can also search the source code directly or inspect relevant files such as the .htaccess file or PHP scripts. Certain strings in the code are particularly conspicuous, such as base64, eval, or iframe, and anyone familiar with them has a significant advantage. Checking the modification date of files is also a good indicator of potential data manipulation. This can easily be verified via FTP, even without extensive technical knowledge.
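The check described above can be scripted against a local copy of the web space. The following is an added example, not code from the original article: the regular expressions, the file-type list, the 7-day window and the sample files are assumptions of this sketch, and the sample web root is constructed.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Strings the article calls conspicuous; the exact regexes are this example's choice.
INDICATORS = {
    "base64": re.compile(rb"base64_decode\s*\(", re.I),
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "iframe": re.compile(rb"<iframe\b", re.I),
}
SUFFIXES = {".php", ".html", ".htm", ".js"}

def scan_webroot(root, recent_days=7, now=None):
    """List files that contain an indicator or were modified recently."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SUFFIXES and path.name != ".htaccess":
            continue
        data = path.read_bytes()
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            findings.append((path.relative_to(root).as_posix(), hits, recent))
    return findings

def demo():
    """Scan a constructed web root (all file names and contents are made up)."""
    now = time.time()
    samples = {  # name: (content, age in days)
        "index.php": (b'<?php echo "hello"; ?>', 90),
        "cache.php": (b'<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>', 90),
        "footer.html": (b'<iframe src="http://example.invalid/" width="0"></iframe>', 90),
        ".htaccess": (b"RewriteEngine On\n", 1),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, age_days) in samples.items():
            path = Path(root, name)
            path.write_bytes(content)
            stamp = now - age_days * 86400
            os.utime(path, (stamp, stamp))
        return scan_webroot(root, recent_days=7, now=now)

if __name__ == "__main__":
    for name, hits, recent in demo():
        print(name, hits, "recently modified" if recent else "")
```

A hit is a reason to read the file, not proof of compromise: legitimate code also uses these strings, so each finding still needs a manual look.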

For those not well-versed in the subject, relying on additional security tools is necessary to perform this task. In addition to Google's useful tools, there are a variety of free and paid tools available from different providers:

What to do if your website has been hacked?

If your website has been hacked, you can follow the step-by-step guide below to regain control:

  • Create a Backup: First and foremost, it is essential to create a backup. Despite the site being infected, it is important to document the current state. This will help in identifying which files have been altered and serve as evidence in case damage claims need to be made.
  • Take the Website Offline: Once the backup is done, take the website offline to prevent the malicious code from spreading further.
  • Check Your Computer: To ensure that the security breach is not on your own computer, it is important to check your system. Hackers often use keyloggers to steal passwords for web space access without the user's knowledge. Use an up-to-date antivirus scanner and additional anti-malware software for this purpose.
  • Change All Passwords: Once your system is secure, proceed to change all passwords. This includes access to the web host's control panel, FTP access, and all passwords granting access to the database or a Content Management System.
  • Determine the Source of the Attack: By examining log files and file modification dates, you can try to determine the source of the attack and how the hackers gained access to the system. Collaboration with the web host may be necessary, especially when analysing log files.
  • Delete Data on the Web Space: Regardless of whether the cause of the attack is identified, the next step is to delete all files on the web space. This significantly reduces the risk of re-infection. Ensure not only to delete files via FTP but also databases and scheduled tasks like Cron Jobs.
  • Re-upload the Website: Finally, the website needs to be re-uploaded. Ideally, restore from a backup if available. However, it is crucial to ensure that the backup is not infected as well. Especially if the timing of the hacker attack is uncertain, verify the integrity of the backup beforehand.
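Two of the steps above depend on knowing exactly which files differ: using the post-incident backup to identify altered files, and verifying a backup before restoring it. One way to do both is to compare SHA-256 hashes of two directory trees. This is an added example, not part of the original article; it assumes a known-good reference copy exists (for instance an older backup or the original release package), and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_trees(clean_root, suspect_root):
    """Compare a known-good copy with the copy under suspicion."""
    clean, suspect = manifest(clean_root), manifest(suspect_root)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(n for n in clean.keys() & suspect.keys()
                           if clean[n] != suspect[n]),
    }

def _write_tree(root, files):
    for name, content in files.items():
        path = Path(root, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

def demo():
    """Compare two constructed trees (file names and contents are made up)."""
    clean_files = {
        "index.php": b"<?php echo 'home'; ?>",
        "css/site.css": b"body{margin:0}",
        ".htaccess": b"Options -Indexes\n",
    }
    suspect_files = dict(clean_files)
    suspect_files[".htaccess"] += b"# constructed: line appended after the incident\n"
    suspect_files["images/x.php"] = b"<?php /* constructed: not in the clean copy */ ?>"
    del suspect_files["css/site.css"]
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        _write_tree(clean, clean_files)
        _write_tree(suspect, suspect_files)
        return compare_trees(clean, suspect)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Files reported as added or modified are the starting points for reading the log files; a backup that shows no differences against the reference copy is a candidate for the restore.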

What Preventative Measures Are Recommended?

To prevent hacker attacks, consider implementing the following preventative measures:

  • Monitor Website and Computer: Both the website and your own computer should be regularly checked for viruses and malware. You can use a virus scanner and anti-malware program on your local computer. For monitoring the website, there are online services or specific plugins available when using Content Management Systems like WordPress.
  • Keep System Up to Date: The server system and software used should always be kept up to date. If the server is administered by the web hosting provider, they are responsible for this. If Content Management Systems like WordPress or Joomla are used, the software, including all extensions, must also be kept up to date.
  • Secure Passwords: Strong passwords and unique usernames should be used for accessing the web hosting console, FTP, and administration area.
  • Additional Security Tips: For securing servers, you can find more information here: Secure Linux Server and Secure Windows Server

Unfortunately, there is no 100% security against hacker attacks on the internet. However, by educating yourself on the topic and taking preventive measures, you can significantly reduce the risk of becoming a target of an attack.
