Fixing Commons Hacks

Just when you think you are safe, you realize that the shared server you have all your web stuff on gives people who also share the server a little more access than you’d like, meaning that you are really only as safe as they are.

With things like WordPress and other CMS, there are files that need to remain writeable, if not for use then for automated updates. It’s these files that are vulnerable to getting edited and slipping malware, site redirects and other problems onto your website.

Well, if you have telnet access to your account, and you should. Here are a couple commands you can use to see if you’ve been hacked and which files you need to clean to fix it. Additionally, you can change the security on these files so that they are not writeable, but you’ll have to remember that and go change them back before taking advantage of some automated updates.

First up, check your PHP files for bad stuff:

grep -lr –include=*.php –exclude-dir=logs “eval(base64_decode” .

Next, do the same thing to your HTML files:

grep -lr –include=*.ht* –exclude-dir=logs “<script>s=” .

In both cases, you’ll get back a list of file names that have matched the patterns (i.e. contain “eval(base64_decode” or “<script>s=”). You should download those files, edit them to remove the hacked code, and upload them. It’s possible, though unlikely, that you may get hits on valid uses of these patterns. So be sure you know what you are doing.

Basically, what each of these is doing is either redirecting your visitors to somewhere else, or pulling code in to be displayed on your website. Of course, the most common files to get hit with these are index.php and index.htm/index.html. If you are infected and visit your own site in Chrome (I don’t know about other browsers) and you haven’t disabled the feature, Chrome will warn you that the page is doing something that might be malicious and ask if you want to proceed anyway. That’s a sure sign that you need to do some cleaning.

Anyway, that’s a quick way to clean your website or two problems. If you don’t modify the file permissions, you should probably run these weekly just to be safe and catch problems as quick as you can.

Leave a Reply

Your email address will not be published. Required fields are marked *