Hacked? Part 1: Website Hacking: The Why, How and What
I wanted to start this blog post with a quick note that our Tech Support team aren't trained in cleaning up websites and code after they have been compromised, so this type of issue falls outside the scope of our support.
This is Part 1 of a two-part series about website hacking.
Hacking is a massive topic, and I wanted to cover it in some detail and give some practical information to help customers understand this topic better!
In this part, we will be examining the Why, How and What of compromised websites.
Getting hacked is one of those sinking feelings you get in your stomach. Like having your car stolen, your house burgled or getting a 3 am call from your bank to check if you are buying things in Bulgaria.
Today we explore the ins and outs of hacking websites. We will look at some motivations, some common attack vectors, how to protect yourself and what to do if you do get hacked.
Why Hack a Website?
An excellent question to start with, why do people hack websites?
Once you have a basic understanding of why, you can start to look at your own site in a different light, perhaps with a more critical eye on the site's value.
Gone are the days when hacking was for fun. Today, the primary motivation is money: moving money from your pocket to theirs, selling your information, or using your resources to make money.
Let's take a look at two examples, one an eCommerce site and the other a blog:
Example 1: You run a successful eCommerce site selling physical items, taking orders from customers, with a healthy PayPal account that receives a reasonable income.
There are lots of attack vectors here. An attacker could change the PayPal account that the store uses to accept payments and divert money from normal orders, or steal customers' information from the database to sell to other hackers.
Or even grab sensitive information about your business and its operation and offer it to competitors for a price.
Example 2: You have your own blog, which receives lots of traffic and click-throughs. You do a small amount of advertising on the site, which gives you a reasonable return thanks to your high-quality articles.
This has become more of a theme among attackers because a site like this isn't directly dealing with money and orders, so its security is usually more relaxed than in our other example.
But, it is equally as attractive because of a new form of income. We have found some hackers are either replacing existing advertising to link to their own account or adding lots of their own advertising – so revenue is sent to them rather than you. It may be months until you notice you aren’t receiving any ad income at all.
This is a more subtle attack type, and detection can take some time. Lots of these compromises come with precise rules: only show for certain countries or IP addresses, only during certain times, only a certain number of times a day. Behaviour this inconsistent can take a long time to narrow down to an actual compromise.
A less obvious motivation, but an extremely loud and destructive one nonetheless, is trying to gain infamy. You may have browsed a small website before and seen a 'defacement' page. These come in all sorts of varieties and flavours. Typically it carries a message to the website owner that they have been 'hacked by xyz'.
These hacks are easy to see and detect simply because that is what the hacker wants.
Typically, once a hacker has done this, they post about their victories on forums and other sites to impress others and prove their capability.
How to Hack a Website?
This is a huge question and something that this little blog post will not cover comprehensively. But, I want to talk about three vectors of attack that we see in 99% of cases on the helpdesk here.
Weak or reused passwords:
We see this all the time: a password that is too simple, or one that has been compromised elsewhere and added to a dictionary that attackers then try against your accounts.
It isn't easy having a different, complex password for every site. The best and simplest solution is to use a password manager such as LastPass. LastPass will save and remember all your passwords for all your sites; the only thing you need to remember is the master password.
Sure, it is a single point of failure. If someone hacks your LastPass, then they have access to everything! But you need to weigh that against the security you gain by using LastPass, and you will find the pros far outweigh the cons. Just be sure to enable two-factor authentication.
Remember to have different passwords for cPanel, FTP accounts, email accounts, admin accounts and other services. Once one is compromised, you don’t want all other services to be accessible to the hacker.
Out of date plugins, themes and platforms:
Let’s look at some stats from our friends at Sucuri in their last industry report from Q3 2016.
- WordPress makes up 73% of infected websites that they worked on.
- 55% of WordPress installations that were infected were out of date at the time of infection.
- Three plugins accounted for 18% of infections because they were out of date: RevSlider, TimThumb and Gravity Forms.
What is the takeaway here? Well, over 50% of the hacked websites running WordPress were just plain out of date. It is often not a complex task to hack something out of date: you find the WordPress version being run, look at the publicly available vulnerabilities for that version and exploit them.
The same goes for plugins. Each patch release announces what was patched and fixed, so much of the hard work is already done for the attacker, who can see exactly how to exploit an unpatched system.
Cross-contamination – Addon Domains:
We maintain an extremely secure environment and have mechanisms in place to ensure it stays that way. It is no longer possible for compromised accounts to infect other accounts on a shared hosting server.
But the risk remains for customers using addon domains within a single cPanel. Not only is it bad practice to have multiple sites sharing a single account (as each site must share the resources with other addon domains and the primary domain), but if one is hacked, it isn’t difficult for an attacker to move to other sites under the same cPanel.
So we recommend that you only use addon domains where necessary, and if you need lots of individual websites hosted, take a look at Reseller packages. Giving each site its own cPanel account ensures that the rest aren't at risk of being contaminated if one site is hacked.
What does a Hacked Website look like?
It is important to recognise the symptoms of a compromised site. The earlier the detection, the better. If you catch a compromise early, you can often prevent many negative consequences, and acting quickly can take things like Google blacklisting and loss of customer trust out of the picture entirely.
Here are some common things to look for:
Unusual website behaviour:
This is a difficult thing to quantify, as every website is unique and can present in many different ways. You (hopefully) know what your website looks like, how it functions and what is 'normal'.
If you notice something behaving unusually (for example, clicking a link redirects to a gambling website, the formatting is broken on specific pages, or an admin user you didn't create is posting articles or making changes), you should start to consider that your site has been compromised.
If a customer/visitor comments that they were getting odd behaviour when visiting, take the feedback seriously. Some attacks are designed to be very difficult to detect. Some common techniques include only showing compromised content:
- At certain times of the day or certain days
- To certain IP addresses or countries
- Excluding the IP address of the latest admin login
- Rotating the type of attack. For example, replacing your own ads with theirs, then updating the attack to replace all links and putting your ads back.
Last modified times on core files:
Some core files shouldn't change often, if at all, once a content management system has been installed.
For example, in WordPress you shouldn't need to modify index.php in most instances, nor wp-config.php. So if you log in and see that the last modified time of these files is recent, it is worth double-checking the code to ensure nothing malicious has been added or removed.
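As an added example (not code from the original post), here is a small Python check that applies this idea: it flags WordPress core files whose last-modified time falls inside a recent window, then sweeps the whole tree for any PHP file touched in that window, which is where injected files tend to show up. The core-file list, the seven-day window and the sample site it builds in a temporary directory are assumptions for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400
# Assumed short list of WordPress core files that should not change after install
CORE_FILES = ("index.php", "wp-config.php", "wp-settings.php", "wp-load.php")

def recently_modified(site_root, max_age_days=7, now=None, names=CORE_FILES):
    """Return {name: age_in_days} for core files whose mtime falls inside the window."""
    now = time.time() if now is None else now
    root = Path(site_root)
    hits = {}
    for name in names:
        path = root / name
        if path.is_file():
            age = (now - path.stat().st_mtime) / DAY
            if age <= max_age_days:
                hits[name] = round(age, 1)
    return hits

def recent_php_files(site_root, max_age_days=7, now=None):
    """Wider sweep: every *.php under site_root touched inside the window, newest first."""
    now = time.time() if now is None else now
    root = Path(site_root)
    found = []
    for path in root.rglob("*.php"):
        age = (now - path.stat().st_mtime) / DAY
        if age <= max_age_days:
            found.append((round(age, 1), path.relative_to(root).as_posix()))
    return sorted(found)

def build_demo_site(now=None):
    """Constructed sample site in a temp dir, with mtimes set so the checks run offline."""
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="wp_demo_"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    ages = {"index.php": 400, "wp-settings.php": 400, "wp-load.php": 400,
            "wp-config.php": 2,                     # edited two days ago
            "wp-content/uploads/cache.php": 1}      # PHP where only media belongs
    for rel, age_days in ages.items():
        p = root / rel
        p.write_text("<?php // placeholder\n")
        os.utime(p, (now - age_days * DAY, now - age_days * DAY))
    return root
```

A recent timestamp is a prompt to read the file, not proof of compromise: a core update, or a plugin that writes to wp-config.php, will also move these timestamps.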
Base64 encoded and odd-looking code:
This is the most popular way to inject malicious code into a website. Why? It fools most malicious code scanners, because the PHP is encoded and isn't decoded until the server runs the script.
Let's look at an example of what this might look like. It is usually easy to spot because of the long run of random-looking characters:
<?php
$data = "PD9waHAgcHJpbnQgJ0kgYW0gc29tZSBiYWQgY29kZS4uLm11YWhhaGFoYWhhJyA/Pg==";
$myvar = base64_decode($data); // decoded only at run time, so a scanner sees just the base64 text
This is valid code, and it will run happily. When you decode the base64, you will find the following:
<?php print 'I am some bad code...muahahahaha' ?>
Some scanners will explicitly look for this base64, so to get around that, I found an interesting real-life case where a hacker had built an enormous array that contained every character of the base64, each with a randomly named key. They then joined the characters in the array back into a variable, then ran the base64 decode function on the result. This was essentially double encrypting the data to try and hide it.
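As an added example, not code from the post, the following Python scanner implements the check described above from the defender's side: it finds long quoted base64 literals and the one-character-per-element array trick, decodes the candidate, and only reports it when the decoded text is PHP rather than data such as an inline image. The marker list, the 40-character threshold and the array regex (which assumes the elements appear in the source in the order they are joined) are assumptions; the sample sources are constructed, reusing the base64 string quoted in the post.

```python
import base64
import re

# Once decoded, any of these marks the blob as PHP code rather than data (assumed list)
PHP_MARKERS = ("<?php", "eval(", "system(", "shell_exec(", "passthru(", "assert(")
# A quoted base64 run of 40 or more characters, e.g. $data = "PD9waHAg...==";
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
# One base64 character per array element under an arbitrary key: $a['k7'] = 'P';
# Assumes the elements appear in the source in the order they are later joined.
CHAR_ELEMENT = re.compile(r"""\$\w+\s*\[\s*['"]\w+['"]\s*\]\s*=\s*['"]([A-Za-z0-9+/=])['"]\s*;""")

def decode_blob(blob):
    """Strict base64 decode; returns '' when the text is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ""

def looks_like_php(text):
    return any(marker in text for marker in PHP_MARKERS)

def scan_php_source(source):
    """Return [(technique, decoded_preview)] for hidden PHP found in one file."""
    findings = []
    for blob in B64_LITERAL.findall(source):
        decoded = decode_blob(blob)
        if looks_like_php(decoded):
            findings.append(("base64 literal", decoded[:50]))
    pieces = CHAR_ELEMENT.findall(source)
    if len(pieces) >= 40:  # that many one-character elements is not normal code
        decoded = decode_blob("".join(pieces))
        if looks_like_php(decoded):
            findings.append(("character array", decoded[:50]))
    if "base64_decode(" in source and not findings:
        findings.append(("base64_decode() call, payload not recovered", ""))
    return findings

# Constructed sample sources. BLOB is the base64 string quoted in the post above.
BLOB = "PD9waHAgcHJpbnQgJ0kgYW0gc29tZSBiYWQgY29kZS4uLm11YWhhaGFoYWhhJyA/Pg=="
SAMPLE_LITERAL = '<?php $data = "%s"; eval(base64_decode($data)); ?>' % BLOB
SAMPLE_ARRAY = ("<?php\n" + "".join("$a['k%d'] = '%s';\n" % (i, c) for i, c in enumerate(BLOB))
                + "$b = base64_decode(implode('', $a)); eval($b); ?>")
# A long base64 string that is only data (a PNG header plus padding) must not fire
SAMPLE_BENIGN = '<?php $logo = "%s"; echo $logo; ?>' % base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + bytes(48)).decode()

if __name__ == "__main__":
    for name, src in (("literal", SAMPLE_LITERAL), ("array", SAMPLE_ARRAY), ("benign", SAMPLE_BENIGN)):
        print(name, scan_php_source(src))
```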
Random Folders Appearing:
Phishing sites are all the rage at the moment, and have been for years, because they work. For those who don't know, a phishing site is essentially a site that 'pretends' to be another site.
You may be familiar with spam emails about your PayPal account being limited, with a link to fix it. Clicking that link takes you through to an identical-looking PayPal site, but in fact the URL is different, and when you enter your email and password, the hacker gets a copy of both.
Phishing sites can be difficult to detect because hackers will often leave your core site alone and build their phishing page under a completely separate folder. In recent cases we see folder names that mimic the site being impersonated, such as mysite.com/paypal.com.au/ or mysite.com/xyz/apple/apple.id.
So if you FTP into your account or open cPanel File Manager and see these types of folders, or any folders you didn't create or don't recognise, your site or even your whole account may have been compromised, and you need to start investigating the contents of those folders.
In the next part of this blog post, we will be examining some mitigation techniques and some concepts regarding the cleanup process.