
Workshop of One’s Own: Notes on Hacked Site Session

Reclaim Hosting put on its very first 2-day Workshop for Domain of One’s Own admins on November 2 & 3. The following post is a summary of the first session from morning 2 of Workshop of One’s Own.

3 STAGES:
-Identifying a Compromise
-Cleaning a Hacked Site + Scanning Tools
-Preventing a Hacked Site

Identifying a Compromise

-Check Apache Status in WHM, in particular the request column
-Visit the site. Worth noting that a site can load perfectly fine even if it’s hacked.
-Connect to the site via FTP and look for files with random names
-Use the Process Manager in WHM to find and kill rogue processes
-Email Queue (Mail Queue Manager + ConfigServer Mail Queues): check whether the account is sending out spam; delete the entire queue. This won’t stop the spamming, but it clears the slate.
-Are there any strange additional users in the database?

Cleaning a Hacked Site

-Start with clean-up tools that don’t care about the application in question
-Completely delete wp-admin & wp-includes and every other generic WordPress file, except wp-config.php and .htaccess
-Remove any injected code from wp-config.php or .htaccess if needed
-Re-upload fresh copies of all installed plugins & themes; have a conversation with the user about what they actually need, including premium plugins/themes
-Check wp-content/uploads for .php files. You should never see any .php files there!
-Grab a clean copy of WordPress and upload it, skipping over wp-content
-After you’ve done what you can, take a backup of it.
-Restoring a backup is always an option if the user hasn’t made any changes
-Recycle (reset) account passwords
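The uploads check and the clean-copy comparison from the list above, as an added shell example (not from the workshop notes): it lists PHP files under wp-content/uploads and compares a site's core files with a clean WordPress copy of the same version. The docroot, the clean copy and the tiny fixture tree built at the bottom are all constructed here in place of a real site.

```shell
#!/bin/sh
# Added example, not from the workshop notes; the fixture tree is constructed below.

# List PHP files under wp-content/uploads (there should never be any).
# Prints each path found; returns 0 if clean, 1 if any were found.
uploads_php_check() {
    found=$(find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null) || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Compare a site's core files (everything except wp-content, wp-config.php and
# .htaccess) with a clean copy of the same WordPress version. Prints
# "MODIFIED <path>" for changed files and "EXTRA <path>" for files absent from
# the clean copy. Files missing from the site are not reported. Returns 1 on any finding.
core_diff_check() {
    site="$1"; [ -d "$site" ] || return 2; clean=$(cd "$2" && pwd) || return 2
    report=$(cd "$site" && find . -type f \
            ! -path './wp-content/*' ! -name 'wp-config.php' ! -name '.htaccess' |
        while read -r f; do
            if [ ! -f "$clean/$f" ]; then printf '%-8s %s\n' EXTRA "${f#./}"
            elif ! cmp -s "$f" "$clean/$f"; then printf '%-8s %s\n' MODIFIED "${f#./}"
            fi
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed fixture: a tiny "clean" tree and a "site" copy with one modified
# core file, one extra core file and a stray PHP file in uploads.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-includes" "$base/site/wp-includes" "$base/site/wp-content/uploads/2023"
    echo '<?php // index' > "$base/clean/index.php"
    echo '<?php // version' > "$base/clean/wp-includes/version.php"
    cp "$base/clean/index.php" "$base/site/index.php"
    echo '<?php // version, with extra bytes' > "$base/site/wp-includes/version.php"
    echo '<?php // not part of WordPress' > "$base/site/wp-includes/class-x.php"
    echo '<?php // should not be here' > "$base/site/wp-content/uploads/2023/image.php"
    echo '<?php // site-specific, skipped' > "$base/site/wp-config.php"
    echo "$base"
}

base=$(make_fixture)
uploads_php_check "$base/site" || echo "uploads: PHP files found"
core_diff_check "$base/site" "$base/clean" || echo "core: differs from clean copy"
rm -rf "$base"
```

On a real account, replace the fixture paths with the account's docroot and an extracted copy of the matching WordPress release; anything reported should be inspected before the fresh core files are uploaded.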

Scanning Tools

-The first line of defense: Linux Malware Detect; can be installed on the server and managed through terminal. This is free, open-source software that quarantines hacked files. You can set a cron job that runs daily. Historically, this doesn’t detect everything but is a great start & preventative measure.
-ConfigServer Exploit Scanner: commands in WHM to run scans; great search features; tons of options for different scans

Preventative Measures + Good Practice

-WordPress plugin: Wordfence; free and premium versions
-CXS Watch in WHM; checks for any changes across every account. It can produce false positives, so that’s something to be aware of.
-WPS Hide Login WordPress plugin
-BitNinja; a distributed firewall on all of Reclaim’s servers
-Keeping WordPress plugins & themes up to date
