How do websites get hacked? And what to do if a site is hacked?


Site security depends on many factors, including human ones (for example the hosting support staff, who have control over the server). This text was translated from Russian by Google Translate and partly corrected by tlito.

Sites may be hacked by:

  • Bots that automatically break into sites on popular CMSs, exploiting CMS vulnerabilities found by the hacker who wrote the bot
  • Hackers with a personal interest in your site (they want passwords in order to reach payment information, or want to advertise their own sites on yours)
  • Unscrupulous hosting companies: if you have offended them somehow, or bothered support with the wrong question, and there is an attacker among the support staff, then not only a hack but a takeover of the whole site is possible (domain plus hosting, when both are controlled by one company).

Most hacking is done by bots that crawl the Internet and run the same standard tests and break-in attempts against every site on a given CMS.

What vulnerabilities do hacking bots use

Automated break-ins:

  • Through registration: attempting to upload an infected file, inserting SQL injection into posts, extracting the administrator password,
  • Through brute-forcing the password of the user admin or administrator, the most widespread admin username across all CMSs,
  • Through interactive features available to anonymous users: site search, chat, classified ads, comments, any form that accepts and processes input,
  • Through a GET request to CMS files that carries a malicious payload.

More sophisticated methods, carried out with a hacker's direct involvement (not automatically):

  • A virus on the administrator's computer that steals the FTP and hosting passwords,
  • Network sniffers capturing an unprotected FTP connection (if you connect to the server via FTP instead of SFTP or SSH),
  • Breaking into the hosting control panel (if it allows changing FTP passwords),
  • Hacking through other sites on the same shared server: if the server hosts unprotected sites and a break-in on one site gives access to all files on the server (i.e. the server is misconfigured and sites are not isolated)
  • Hacking the hosting server itself, if technical support made blunders affecting server security (for example after changing settings, updating software, or fixing breakages)
  • Hacking through a local network, or through your use of a local network in which criminals are present (keep passwords in a secure form on your computer, work with the site over your own Internet connection, do not let other users use your computer)
  • A plain hack by the hosting support staff themselves (rare, but the risk exists).

So, if you own a low-traffic site, you only need to protect against bots and host the site on a safe server that is not subject to mass hacking. If you have a very popular site, additional effort is needed, because many hackers will target the resource personally.

My low-traffic sites that were hacked:

On WordPress: all 8 sites, on different hosts, with advertising placed in the footer, a redirect to the hacker's site when clicking any link, and automatic forwarding via iframe; perhaps because of the inferiority of the CMS, possibly because of incorrect file and folder permissions, but every site on this CMS was broken into.
On a custom-written CMS without a database: the .htaccess was modified to serve a virus to mobile users, and the site search was attacked; the cause was the hacking of the risp.ru server, which was not only cheaper but also unreliable.
On Drupal, hosted at beget: a dating advertising banner placed in the corner in the style of VK messages, appearing only in the evening; for some reason, perhaps because of folder permissions, the presence of the Devel module or other unreliable modules, or vulnerabilities in Drupal version 7.36, which had not been upgraded.
On Drupal distributions installed out of the box: these are not my own sites but ones set up to order from an out-of-the-box distribution; the break-in was most likely due to the many enabled, unused and unexamined modules in the distribution.

Security policy

You have to spend time not only on developing the site but also on protecting it, and on regularly searching for vulnerabilities and checking for malware.
A site backup is not only the means of restoring the site and rolling back to a working state, but also the means of analyzing which files the malware changed.
Security does not tolerate gaps: if you know about a vulnerability, it must be closed. No protected site is 100% safe, so the administration should at least eliminate the vulnerabilities that are already known.
Choose a reliable web host, and move to a more expensive and safer one as the site's popularity, and the requirements for operational reliability, grow.
User roles and permissions must be strictly separated, and every new feature must integrate with role-based access control.
Complex projects require more complex security policy rules; there is no single clear piece of advice.

So sites do get hacked. Suppose it happens to yours: what should you do?

What to do after a site has been hacked?

First clean the malware from the site, then change the administrator password and the passwords of users with critical access levels. The hosting control panel, e-mail, your own computer and FTP passwords, however, you can change right away.

Usually a malware hack involves adding files and only rarely SQL injection. In any case, to keep a foothold the hacker places backdoor files so that access can be regained after the administrator removes the injection. So the site must be cleaned of malware thoroughly.

1. Cleaning the site of malware

Check file and folder permissions: usually 755 for folders and 644 for files; reset all files and folders to these permissions (some hosts use 600 for files and 700 for folders)
Check index.php at the site root: a shell program is usually added there; compare the file with older versions
Check .htaccess at the site root: redirect rules may have been added, for mobile users or for all users
Check for new folders in the root and in subfolders
Check the temporary files folder and every folder that is writable
Check for new files with strange names (sometimes ordinary names): usually with the php extension, but non-executable files may also contain malware: images, text files, js,
Check for new .sh files: these may contain bash shell code and malware,
Check old php files for malicious insertions.

The following services help find PHP, JS and shell injections:

https://www.virustotal.com/ - VirusTotal, online virus scanner; you can upload a site backup or specify a URL.
https://sitecheck.sucuri.net/ - Sucuri SiteCheck, online site malware scan
http://www.rfxn.com/projects/linux-malware-detect/ - Linux Malware Detect, open-source malware scanner
http://revisium.com/ai/ - AI-Bolit, a powerful malware scanner that works with all popular CMSs, written in PHP.
http://santivi.com/ - Santi, antivirus for sites written in PHP; also available as a Windows application.
https://github.com/novostrim/watcher4site - Watcher4site, searches sites for changed files.
https://github.com/emposha/PHP-Shell-Detector - Web Shell Detector, powerful search for php / cgi (perl) / asp / aspx injections

Once malware is found, delete the malicious files and replace infected files with clean copies from the backup.

2. After cleaning, change passwords

Change the passwords of the administrator, editors and other privileged users; you may also have to reset the passwords of all ordinary users or limit their rights.
Change the FTP passwords, clean your computer of viruses, and reinstall the operating system if needed.

If malware appears again, try moving the site to another host for a while. If the problem persists, look for vulnerabilities.

3. After changing passwords, update

If the site runs on a popular CMS, update the core and all modules.

Disable unused modules.

Review the code of custom-written modules.

4. After updating, read the logs and look for vulnerabilities

This is the hardest part. But if you do not patch the security holes, development of the project will become impossible: malware will eat up your time on the site with cleanups, password changes and other unproductive actions.

Examine the following log files:

  • FTP access log
  • PHP log
  • MySQL log
  • Apache logs
  • Bash history and shell logs
  • The site's own login logs

What exactly to look for: unfamiliar IP addresses, what they accessed, and execution of bash scripts and PHP scripts.
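As an added example (not from the original article), here is a Python script for the Apache part of that log review: given the paths of the files the cleanup step found planted, it parses a combined-format access log, counts POSTs to the login page per IP to spot brute forcing, lists every request to a planted file, flags query strings that carry code, and reports the earliest request to a planted file, which is where the timeline of the break-in starts. The log lines, IP addresses, the planted paths and the login path /user/login are constructed for this example and are not from a real incident; the "odd query" patterns are this example's own heuristics.

```python
"""Added example: pick the attacker out of an Apache combined access log."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format; the group names are this example's own.
APACHE_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Query strings that carry code or path tricks (constructed heuristics).
ODD_QUERY = re.compile(r"(eval\(|base64_decode|\.\./|php://|<\?php)", re.I)


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = APACHE_COMBINED.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def hunt(entries: list, planted_paths: list, login_path: str = "/user/login",
         brute_threshold: int = 10) -> dict:
    """Brute-force sources, every request to a planted file, code in query strings,
    the earliest request to a planted file, and the IP set worth blocking."""
    logins = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"].split("?")[0] == login_path)
    brute = {ip: n for ip, n in logins.items() if n >= brute_threshold}
    planted = {p: [] for p in planted_paths}
    for e in entries:
        base = e["path"].split("?")[0]
        if base in planted:
            planted[base].append((e["time"].isoformat(), e["ip"], e["method"], e["status"], e["agent"]))
    odd = [(e["time"].isoformat(), e["ip"], e["path"]) for e in entries if ODD_QUERY.search(e["path"])]
    hits = [h for hs in planted.values() for h in hs]
    return {
        "brute_force": brute,
        "planted_hits": planted,
        "odd_queries": odd,
        "first_contact": min(hits)[0] if hits else None,  # earliest timestamp among planted hits
        "ips_to_block": sorted(set(brute) | {h[1] for h in hits} | {o[1] for o in odd}),
    }


def _line(ip, ts, method, path, status, agent="Mozilla/5.0 (X11; Linux x86_64)"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{agent}"'


BOT = "python-requests/2.7.0"
# Constructed sample: one real visitor, one bot brute-forcing /user/login and then using
# the planted shell, a second IP reusing the shell the next night, and one unparseable line.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "10/Oct/2015:20:58:01 +0300", "GET", "/node/12", 200)]
    + [_line("203.0.113.42", f"10/Oct/2015:21:00:{s:02d} +0300", "POST", "/user/login", 200, BOT)
       for s in range(12)]
    + [
        _line("203.0.113.42", "10/Oct/2015:21:03:14 +0300", "POST", "/uploads/cache.php?c=id", 200, BOT),
        _line("203.0.113.42", "10/Oct/2015:21:03:40 +0300", "GET",
              "/index.php?q=node/1&x=eval(base64_decode(%27cGhwaW5mbygpOw%3D%3D%27))", 200, BOT),
        _line("198.51.100.7", "10/Oct/2015:21:10:02 +0300", "GET", "/node/12", 200),
        _line("192.0.2.9", "11/Oct/2015:02:15:33 +0300", "GET", "/uploads/cache.php?c=uname+-a", 200,
              "curl/7.43.0"),
        "this line is not a log entry and must be skipped",
    ]
)


def demo() -> dict:
    """Run the hunt over the constructed log with the two paths the cleanup step found."""
    return hunt(parse_log(SAMPLE_LOG), ["/uploads/cache.php", "/uploads/up.sh"])


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The time of the first request to a planted file is the pivot: requests from the same IP shortly before it (here the login brute force) show how the attacker got in, and the FTP, MySQL and shell logs around the same minute show what else was done. A planted file with no hits in the web log was most likely written over FTP or SSH, which points at stolen credentials rather than a hole in the site.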

If no hacker activity is found, or if you cannot read the logs:

Disable unsafe modules.
Disable registration.
Limit the site's functions.
Wait for the malware to reappear and look for the vulnerability in the site with its reduced set of functions.

Ask hosting technical support to help find the malware or vulnerability, or offer to pay for a security review.

If nothing helps to find the weak spot, including a change of hosting, the site has to be moved to another CMS: a more reliable one, or a custom-written one.

Protecting a Drupal site

Drupal is reliable in itself. Only the use of untested modules, mistakes by programmers writing their own modules for the site, server configuration errors, or failure to follow Drupal's security basics can lead to a break-in. It is also not recommended to install Drupal distributions out of the box, including Kickstart and other prepackaged Drupal solutions. What helps to make Drupal secure:

https://hackertarget.com/drupal-security-scan/ - online Drupal security scanner
https://www.drupal.org/project/hacked - Hacked! - finds changed files in Drupal core, contributed modules and themes,
https://www.drupal.org/project/security_review - Security Review - checks the site's configuration for common security mistakes
https://www.drupal.org/project/secure_code_review - Secure Code Review - vulnerability analysis of code
https://www.drupal.org/project/coder - Coder - checks that the site's code follows Drupal coding standards

What will help make the site more reliable?

  1. Your own dedicated server (VDS) or at least a VPS, instead of shared hosting
  2. A reliable custom-written CMS from a trusted developer
  3. Strong FTP, database and admin passwords
  4. Access rights for actions on the site and for administration pages
  5. Avoiding complex features built on untested code or modules

Where to learn about site security and protection

https://help.yandex.ru/webmaster/protecting-sites/basics.xml - security basics from Yandex
http://tlito.ru/node/58 - Drupal security
http://habrahabr.ru/post/12067/ - PHP security basics

Summary

If your site is an Internet address at which a set of functions and content is placed, together with a user base, then that stays with you. A hack breaks only the functions; it does not eliminate the project completely. So in any case you can recreate the project on a new CMS or at a new address, using the experience gained before.

Protect the site so that a decision to change CMS, hosting, address or development policy is the administration's own decision, not one taken under force majeure, pressure, threats, blackmail or even lawsuits.

And the site administration bears responsibility for the actions of hackers who broke into the server and for the harm caused to users. So do not store personal or payment information, and do not offer features that would harm users after a hacker breaks into the site.

Ask your questions in the questions-and-answers section.