Hacked? Part 1: The Why, How and What
Last update: June 2019
I wanted to start this blog post with just a quick note that our Tech Support team aren’t trained in cleaning up websites and code after a compromise, and therefore this type of issue falls outside the scope of our support. If you want expert help, I personally recommend speaking to Sucuri.
This is Part 1 of a two part series about the hacking of websites.
Hacking is a massive topic and I wanted to cover it in some detail and give some practical information to help customers understand this topic better!
In this part we will be examining the Why, How and What of compromised websites.
Getting hacked is one of those sinking feelings you get in your stomach. Like having your car stolen, your house burgled or getting a 3am call from your bank to check if you are buying things in Bulgaria.
Today we explore the ins and outs of hacking websites. We will take a look at some motivations, some common attack vectors, how to protect yourself and what to do if you do get hacked.
Why Hack a Website?
An excellent question to start with: why do people hack websites?
Once you have a basic understanding of why, you can start to look at your own site in a different light and perhaps with a critical eye at what the value of the site actually is.
Gone are the days when hacking was done for the fun of it; today, the primary motivation is money.
Moving money from your pocket to theirs, selling your information, or using your resources to acquire money.
Let’s take a look at two examples, one an ecommerce site and the other a blog:
Example 1: You run a successful ecommerce site selling physical items. You take orders from customers and have a healthy PayPal account which receives reasonable income.
There are lots of attack vectors in this case: they could change the PayPal account that the store uses to accept payments to their own, to grab some money from normal orders, or steal customers’ information from the database to sell to other hackers.
Or even simply grab sensitive information about your business and its operation and offer it to competitors for a price.
Example 2: You have your own blog which receives lots of traffic and click-throughs. You do a small amount of advertising on the site, which gives you a reasonable return due to your high quality articles.
This has become a bit more of a theme among the hacking community: because this site isn’t directly dealing with money and orders, the security is more relaxed than in our other example.
But it is equally attractive because of a new form of income. We have found some hackers are either replacing existing advertising to link to their own account, or adding lots of their own advertising – so revenue is sent to them rather than you. It may be months until you notice you aren’t receiving any ad income at all.
This is a more subtle attack type and detection can take some time; lots of these compromises have extremely specific rules surrounding them. Only show for certain countries’ IPs, only during certain times, only a certain number of times a day. Because of this odd, inconsistent behaviour, it can take a long time to narrow down that there has actually been a compromise.
A less obvious motivation, but an extremely loud and destructive situation nonetheless, is trying to gain infamy. You may have browsed to a small website before and seen a ‘defacement’ page. These come in all sorts of varieties and flavours; typically it will have a message to the website owner that they have been ‘hacked by xyz’.
These hacks are easy to see and detect, simply because that is what the hacker wants.
Typically, once a hacker has done this, they may post about their victories on forums and other sites to impress others and prove their capability.
How to Hack a Website?
This is a really big question, and something that this little blog post will not be able to cover comprehensively. But, I want to talk about three vectors of attack that we see in 99% of cases on the helpdesk here.
Weak or compromised passwords:
We see this all the time: a password that is too simple, or one that has been compromised elsewhere and then added to a dictionary that attackers will attempt to use.
It isn’t easy having a different password for every site, with each password also needing to be complex. The best and simplest solution to this is to use a password manager such as LastPass. LastPass will save and remember all your passwords for all your sites; the only thing you need to remember is the master password.
Sure, it is a single point of failure: if someone hacks your LastPass, then they have access to everything! But you need to weigh up the security you get by using LastPass – you will find the pros far outweigh the cons. Just be sure to enable two-factor authentication.
Remember to have different passwords for cPanel, FTP accounts, email accounts, admin accounts and other services. Once one is compromised, you don’t want all the other services to be accessible to the hacker too.
Out of date plugins, themes and platforms:
Let’s look at some stats from our friends at Sucuri in their last industry report from Q3 2016.
- WordPress makes up 73% of infected websites that they worked on.
- 55% of WordPress installations that were infected were out of date at the time of infection.
- There were 3 plugins that accounted for 18% of infections due to being out of date: Revslider, TimThumb and GravityForms.
What is the takeaway here? Well, over 50% of the hacked websites using WordPress…were just plain out of date. It is often not a complex task to hack something out of date: the attacker simply finds the WordPress version being run, looks at the publicly available vulnerabilities for that version and exploits them.
The same goes for plugins. With each patch release, the developers notify everyone of what was patched and fixed, so the hard work of working out exactly how to exploit your unpatched system is often already done for the hacker.
Cross contamination – Addon Domains:
We maintain an extremely secure environment and have mechanisms in place to ensure it stays that way. It is no longer possible for compromised accounts to infect other accounts on a shared hosting server.
But the risk remains for customers using addon domains within a single cPanel account. Not only is it bad practice to have multiple sites sharing a single account (as each site must share the resources with the other addon domains and the primary domain), but if one is hacked, it isn’t difficult for an attacker to move to the other sites under the same cPanel account.
So we recommend that you only use addon domains where absolutely necessary, and if you need lots and lots of individual websites hosted, take a look at Reseller packages. Generating individual cPanel accounts ensures that if one site is hacked, the rest aren’t at risk of being contaminated.
What does a Hacked Website look like?
It is important to recognise the symptoms of a compromised site; the earlier the detection, the better. If we can catch a compromise early, you can often prevent a lot of negative events from coming to pass. Things like Google blacklisting and loss of customer trust can be completely taken out of the picture if we act quickly.
Here are some common things to look for:
Unusual website behaviour:
This is a difficult thing to quantify, as every website is unique and a compromise can present in a myriad of different ways. You (hopefully) know what your website looks like, how it functions and what is ‘normal’.
If you notice something behaving unusually, for example clicking a link redirects to a gambling website, or the formatting is broken on specific pages, or you notice an admin user you didn’t create posting articles or making changes, you should start to consider the possibility that your site has been compromised.
If a customer or visitor comments that they were getting odd behaviour when visiting, take the feedback seriously. Some attacks are designed to be very difficult to detect; some common techniques include only showing compromised content:
- At certain times of day or on certain days
- To certain IPs or countries
- Excluding the IP of the latest admin login
- Rotating the type of attack. For example, replacing your own ads with theirs, then updating the attack to replace all links and putting your ads back.
Last modified times on core files:
There are some core files that shouldn’t change very often, or at all after the completed installation of certain content management systems.
For example, in WordPress, the index.php shouldn’t be modified in most instances, nor should the wp-config.php. So if you log in and see the last modified time of these files was recent, it may be worth double checking over the code to ensure nothing has been added or removed that could be malicious.
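An added example, not code from the post: a Python check that records a hash baseline of the core files named above right after a clean install, then later reports files whose content differs, files that have appeared, and files with a recent modification time. The hash comparison goes beyond the last-modified check described above, because a modification time can be reset; the file list and the demo site directory are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Core files that should stay untouched after a WordPress install (assumed list; extend it)
CORE_FILES = ("index.php", "wp-config.php", "wp-settings.php", "wp-load.php")

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(site_root):
    """Snapshot each core file's hash right after a clean install or update."""
    root = Path(site_root)
    return {n: sha256_of(root / n) for n in CORE_FILES if (root / n).is_file()}

def check_core_files(site_root, baseline, max_age_days=7, now=None):
    """Return (file, reason) pairs for core files that look tampered with."""
    now = time.time() if now is None else now
    root, findings = Path(site_root), []
    for name in CORE_FILES:
        path = root / name
        if not path.is_file():
            if name in baseline:
                findings.append((name, "missing"))
            continue
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif sha256_of(path) != baseline[name]:
            findings.append((name, "content differs from baseline"))
        # The mtime is only a hint: whoever edited the file can reset it, hence the hash check above
        if now - path.stat().st_mtime < max_age_days * 86400:
            findings.append((name, "modified in the last %d days" % max_age_days))
    return findings

def demo():
    """Constructed scenario: clean install a month ago, then index.php edited with its mtime reset."""
    site = Path(tempfile.mkdtemp())
    month_ago = time.time() - 30 * 86400
    for name in ("index.php", "wp-config.php"):
        (site / name).write_text("<?php // original %s\n" % name)
        os.utime(site / name, (month_ago, month_ago))
    baseline = build_baseline(site)
    # Inject a line into index.php, then reset its mtime so the last-modified check alone would miss it
    (site / "index.php").write_text("<?php // original index.php\n// injected\n")
    os.utime(site / "index.php", (month_ago, month_ago))
    (site / "wp-load.php").write_text("<?php // unexpected new file\n")  # not in baseline, fresh mtime
    return check_core_files(site, baseline)
```

Run build_baseline() once after installing or updating and keep the result somewhere outside the web root; check_core_files() then tells you which of the files changed regardless of what their timestamps say.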
Base64 encoded and odd looking code:
This is the most popular way to inject malicious code into a website. Why? Well, it fools most malicious code scanners as the PHP is actually encoded and isn’t decoded until the server runs the script.
Let’s look at an example of what this might look like. It is usually very easy to spot due to the huge run of random-looking characters:
$data = "PD9waHAgcHJpbnQgJ0kgYW0gc29tZSBiYWQgY29kZS4uLm11YWhhaGFoYWhhJyA/Pg=="; // base64 of a PHP snippet
$myvar = base64_decode($data); // $myvar now holds the decoded PHP source
This is valid code and it will run happily; when you decode the base64 you will find the following:
<?php print 'I am some bad code...muahahahaha' ?>
Some scanners will explicitly look for this base64, so to get around that, I found an interesting real-life case where a hacker had built an enormous array that contained every character of the base64, each under a randomly named key. They then concatenated the characters from the array into a variable and ran the base64 decode function on the result. This was essentially a second layer of obfuscation on top of the base64 to try and hide the payload.
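As an added example (not code from the post), here is a small Python scanner for the pattern above. It finds long base64 runs in a PHP file, decodes them and flags only those that decode to printable, PHP-looking source, while ignoring binary blobs such as embedded images; it also flags eval() applied to a variable, which still catches the array-built variant just described, because that payload has to be executed somewhere. The sample PHP file is constructed inline.

```python
import base64
import re

# Runs of 40+ base64 characters; shorter tokens give too many false positives
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls that execute a string: suspicious when fed a variable rather than a literal
EXEC_CALL = re.compile(r"\b(eval|create_function)\s*\(\s*\$", re.I)
PHP_MARKERS = ("<?php", "eval(", "base64_decode(", "gzinflate(", "system(",
               "shell_exec(", "passthru(", "$_POST", "$_GET", "$_REQUEST")

def decode_if_php(blob):
    """Return decoded text if the blob is valid base64 of printable, PHP-looking code, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text)
    if printable < 0.95:
        return None  # binary such as an embedded image, not code
    return text if any(marker in text for marker in PHP_MARKERS) else None

def scan_php_source(src):
    """Scan PHP source text line by line; return (line_no, kind, detail) findings."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            decoded = decode_if_php(match.group(0))
            if decoded is not None:
                findings.append((n, "base64_php", decoded))
        if EXEC_CALL.search(line):
            findings.append((n, "dynamic_exec", line.strip()))
    return findings

# Constructed sample file: the blog's snippet, an eval of the result, and a benign binary blob
BENIGN_BLOB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_PHP = (
    "<?php\n"
    '$data = "PD9waHAgcHJpbnQgJ0kgYW0gc29tZSBiYWQgY29kZS4uLm11YWhhaGFoYWhhJyA/Pg==";\n'
    "$myvar = base64_decode($data);\n"
    "eval($myvar);\n"
    '$icon = "' + BENIGN_BLOB + '";\n'
)

if __name__ == "__main__":
    for line_no, kind, detail in scan_php_source(SAMPLE_PHP):
        print(line_no, kind, detail)
```

Point scan_php_source() at each .php file under the web root to get a list of lines worth reading by hand; the decoded text is shown so you can judge it without running it.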
Random Folders Appearing:
Phishing sites are all the rage at the moment, and have been for years now due to their success. For those who don’t know, a phishing site is essentially a site that ‘pretends’ to be another site.
You may be familiar with spam emails about your PayPal account being limited, with a link to fix it. Clicking that link takes you through to an identical-looking PayPal site, but in fact the URL is different, and when you enter your email and password, the hacker gets a copy of both.
Phishing sites can be difficult to detect, because the hacker will often leave your core site alone and build their phishing page under a completely separate folder. In recent occurrences, we see folder names that try to imitate the site being targeted. Folders such as mysite.com/paypal.com.au/ or mysite.com/xyz/apple/apple.id.
So if you FTP into your account or open the cPanel File Manager and see these types of folders, or any folders you didn’t create or don’t recognise, your site or even your whole account may have been compromised, and you need to start investigating the content of those folders.
In the next part of this blog post we will be examining some mitigation techniques and some concepts regarding the cleanup process.