1

A site I host was recently hacked. The index page had the following code added to the bottom (just above the closing body tag):

   <script language="javascript">document.write('<div style="font-family:Tahoma,Arial,Helvetica,sans-serif;font-size:12px;overflow:hidden;color:#FF0000;height:' + (325 * 3 - 974) + 'px;width:' + (18 * 786 - 14147) + 'px;font-weight:bold;margin-top:0px;margin-bottom:0px;">'); </script>

Followed by...

Lots and lots of tags going to spammy sites...

Our server has suPHP installed, so I don't think it could've happened from another account. This account does have WordPress installed, so that may be the problem.

Any tips on where to go from here?

Thanks!
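The height and width in the injected `document.write()` call are arithmetic that evaluates to 1px each, which together with `overflow:hidden` keeps the element's contents out of sight. As an added example (not part of the original post), the Python below resolves that arithmetic and scans a web root for files carrying the same pattern; the function names, the 5px threshold and `SAMPLE` (the question's snippet trimmed to the relevant style properties) are assumptions.

```python
import ast
import operator
import re
from pathlib import Path

# The only operators the injected arithmetic needs; nothing else is evaluated.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
# Matches e.g.  height:' + (325 * 3 - 974) + 'px
_DIM = re.compile(r"(height|width):'\s*\+\s*\(([\d\s+*-]+)\)\s*\+\s*'px")
_WRITE = re.compile(r"document\.write\((.*?)\);", re.S)

# Sample input: the question's snippet, trimmed to the relevant properties.
SAMPLE = ("<script language=\"javascript\">document.write('<div style=\"overflow:hidden;"
          "height:' + (325 * 3 - 974) + 'px;width:' + (18 * 786 - 14147) + 'px;\">'); </script>")


def _eval(node):
    """Evaluate integer +, -, * only; anything else raises ValueError."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval(node.left), _eval(node.right))
    raise ValueError("unsupported expression")


def hidden_boxes(html, max_px=5):
    """Resolve the computed height/width of overflow:hidden elements emitted
    by document.write() and return those no larger than max_px."""
    hits = []
    for call in _WRITE.finditer(html):
        body = call.group(1)
        if "overflow:hidden" not in body.replace(" ", ""):
            continue
        dims = {}
        for prop, expr in _DIM.findall(body):
            try:
                dims[prop] = _eval(ast.parse(expr.strip(), mode="eval").body)
            except (ValueError, SyntaxError):
                continue
        if dims and min(dims.values()) <= max_px:
            hits.append(dims)
    return hits


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map each matching file under root to its hidden-box findings."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes)
    found = {str(p): hidden_boxes(p.read_text(encoding="utf-8", errors="replace")) for p in files}
    return {path: hits for path, hits in found.items() if hits}
```

Call `scan_tree()` on the account's document root; any file it returns should be compared against a known-good copy.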

4 Answers

5

Change your WordPress and MySQL default login names and passwords. By using the default names, you have given the hackers half of the credential puzzle.

Ensure that your services (PHP, WP, MySQL) are all up to date.

Check 3rd party plugins for known vulnerabilities and updates (this includes JavaScript libraries and plug-ins).

That is a good start. Oh, and you may want to start watching your logs a little closer to see if you can pinpoint how this is happening if it happens again.

Tommy
  • 208
1

Your logs are most likely stored in /var/log/apache2. Start searching the access logs. You can do this manually using grep, or use a tool like apache-scalp to search your logs for common exploits.

Donald
  • 341
0

I'd suggest installing the mod_security Apache module: http://www.modsecurity.org/.

Also, ensure your application code is not susceptible to SQL-Injection Attacks.

Also double-check your firewall rules, and ensure only port 80 is exposed to the public.