Web Site Security Breaches
From Lunarpages Web Hosting Wiki
Having your web site's security breached is never a fun thing to wake up and find in the morning. It can be a pain to deal with, so with that in mind, here are some helpful tips and suggestions on the steps you should take to get your web site back to normal. If you can provide a URL that is hacked or a snippet of the hacker code, we can do a scan for you to get a list of files that are hacked. This may help if you choose to manually edit the hacked files to remove the code or want to know how invasive it is.
Update Your Passwords
The first thing you should do is update your hosting account password. When doing so, please make sure you are doing it from a known good machine (that could not have been infected). If not, then if you had a keylogger (for example) on your computer, it could grab the new password too. This can be done via the Customer Account Page:
You might also want to update your password for other Lunarpages services you are signed up for. You can check the Account and Control Panel Logins page for more information about all of our services you may have login information for. Main ones to remember would be our forums, help desk and your hosting account. Do you have any scripts (like forums, blogs, galleries) that would use a user name and password to login to the administrator section? If so, you should update the password on any of them you have installed on your hosting account.
Scan Your Computer for Viruses, Keyloggers, Malware and More
There are many bad things that you may download on purpose or by accident on the Web that could effect your computer. There have been known cases where infected files could be uploaded to your hosting account by mistake too. Be sure to fully scan your computers with an anti-virus program.
There are many different ones to choose from, if you do not have one installed. Try Trend Micro's HouseCall. It runs from the browser, and scans your computer for viruses, spyware, or other malware.
Note that while windows is the most often targeted OS, Mac (and Linux/Unix with MacOSX as an extension of Unix) is not impervious and is starting to see more and more malware targeting it as its market share and popularity increases.
Clean Up Your Web Site Files
Another important step when it comes to dealing with web site security breaches is to get every last bit of the exploit to keep it from coming back. They usually plant a back door. You want to review your web site files and look for anything that does not belong, or you can not identify as being apart of your web site or scripts you have installed.
Here's the basic list of files/folders on new linux-based accounts:
You may also see the following, depending on your account activity:
Look at your web stats for unusual activity. Download the web and ftp access logs to look for suspicious activity and ban suspicious IPs in your control panel or via .htaccess. Be careful not to ban your own IP. Please also enable archiving in Raw Log Manager if using cPanel to keep the logs longer in case they hit again.
Check all files on the account for any you did not create or upload. Create a backup of the account in your control panel under Backups as it is right now before deleting or altering any files.
Check for extra FTP users in FTP Manager and delete any extra ones you find that you did not create.
Update all scripts and script plugins on the account to the latest versions. Delete any you are not currently using.
Make sure your domains are locked so they cannot be transferred in case the hacker got your password(s). Support can lock them for you if you ask. You can tell if they are locked by checking them in Whois. If the status is “OK”, the domain is not locked.
Contact Lunarpages Support
Submit a help desk ticket in about the issue (if you have not done so yet). If you have a backup of your files, you may upload it to the server and support can help to restore it at no charge. If you do not have a backup, time is of the essence as our tapes recycle about every 3 days (that would be 3 days from the time the files were changed, not the time you noticed). We charge $75 to restore from our backups. If you have enabled our premium restore service on your account for only $1.50 per month, restores are free but only if it has been enabled prior to the date of the restore needed.
If you can provide a URL that is hacked or a snippet of the hacker code, we can do a scan for you to get a list of files that are hacked. This may help if you choose to manually edit the hacked files to remove the code or want to know how invasive it is.