In my last post, I talked about some steps that can be taken and some policies that you can implement to help prevent your hosting account from being compromised. I made sure to point out that security will never be perfect, however, and that even if you do everything right, the worst case scenario can still happen. Hopefully you’ve taken some of that advice to heart and are taking steps now to mitigate your risk and to maintain a good security baseline on a regular basis.
Even with the best measures taken, however, you can sometimes fall victim to an intruder’s attempts to compromise your site. Exploits for web content software often come out before the releases which fix them, which means everyone running those scripts is vulnerable for a short time even if they update as soon as a new release comes out. When this impacts a widely-used package like WordPress, Joomla, or Drupal, it’s going to mean a lot of sites are going to be hit.
So what do you do if your site is one of them?
Unfortunately, it can be very difficult to track down exactly how a compromise occurred from our end. Passwords are stored on the server only as one-way hashes, so we have no easy way to know what sort of passwords you may be using. Tools like mod_security and suhosin catch some attacks before they succeed, but they can also break legitimate functionality and hence must be disabled for some customers. They are not perfect in either direction: the more aggressively they are tuned, the more normal website maintenance actions they block as well. We’ve settled on a generally workable balance between security and functionality, but this means some attacks will get through, and a few will succeed. So what do you do when this happens to you?
Don’t panic! Most of the time, backups are available via the R1Soft restore backups icon in your cPanel account. If you don’t see that icon, go ahead and open a support ticket to inquire about backup availability. Specifically, our UK based servers run backups differently and we’ll need to retrieve those for you. We still very strongly recommend that you keep your own backups, too – especially a “last known good” backup – in case something happens and you don’t notice in time to restore from our backups, which we don’t retain indefinitely. Before restoring from backups, however, you’ll want to take two important steps to help ensure that your account isn’t immediately compromised again after restoring:
1. Scan your computer and any other devices used to access the account for viruses and malware, and,
2. Change all account-related passwords, in case the attacker has the ones you’re currently using. Be sure to choose strong passwords.
Once that’s done, it should be safe to start getting back to your baseline with a restore. Keep in mind, however, that the baseline you are restoring is the one that was compromised: the weakness the attacker used is most likely still in it, since it’s not necessarily the case that your computers or passwords were at fault. Once everything’s running again, the most critical step is to upgrade your web content software and change any passwords associated with its administrative accounts.
Your web content software isn’t just the main package, such as WordPress or Joomla. It also comprises all of your themes, modules, extensions, and other add-ons, so be sure to upgrade all of those to the latest versions as well. Some of these, especially those which aren’t as popular or widely used, can have unpatched bugs too, so searching for the add-on’s name plus “exploit” or “vulnerability” is a very good idea to confirm that the version you’re running is safe. If it isn’t, and no fixed version exists, remove it.
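Doing that by hand means first knowing exactly which add-ons and versions are installed. The script below is an added example (not code from the original post or from WordPress itself) that reads the file headers WordPress uses for plugins and themes, builds an inventory, and flags anything below the latest version you looked up. The sample plugin files and the `LATEST` table are constructed for the example; in practice you would point `inventory()` at the contents of `wp-content/plugins/*/*.php` and `wp-content/themes/*/style.css` and fill `LATEST` from the vendor pages you found.

```python
import re

# Header fields WordPress reads from a plugin's main file and a theme's style.css.
HEADER_KEYS = ("Plugin Name", "Theme Name", "Version")


def read_header(text: str) -> dict:
    """Extract WordPress-style file header fields from the first 8 KiB of a file.

    Each key is matched at the start of a line, optionally preceded by comment
    decoration (spaces, '*', '/', '#', '@'), and trailing '*/' or '?>' is dropped.
    """
    head = text[:8192].replace("\r", "\n")
    found = {}
    for key in HEADER_KEYS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.M | re.I)
        if m:
            found[key] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found


def version_key(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    Non-numeric fragments (e.g. 'beta') compare as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def inventory(files: dict) -> list:
    """files maps a path to its contents; returns one record per add-on found."""
    records = []
    for path, text in files.items():
        header = read_header(text)
        name = header.get("Plugin Name") or header.get("Theme Name")
        if not name:
            continue  # not a plugin main file or theme stylesheet
        records.append({"path": path, "name": name, "version": header.get("Version", "")})
    return records


def outdated(records: list, latest: dict) -> list:
    """Names whose installed version is below the latest version you looked up.
    Add-ons with no Version header are flagged too: they cannot be verified."""
    flagged = []
    for r in records:
        current = latest.get(r["name"])
        if current is None:
            continue  # nothing to compare against yet
        if not r["version"] or version_key(r["version"]) < version_key(current):
            flagged.append(r["name"])
    return flagged


# Constructed sample files standing in for the real wp-content tree.
SAMPLE_FILES = {
    "wp-content/plugins/example-gallery/example-gallery.php": (
        "<?php\n/**\n * Plugin Name: Example Gallery\n"
        " * Plugin URI: https://example.com/gallery\n * Version: 1.2.3\n */\n"
    ),
    "wp-content/plugins/old-contact/old-contact.php": (
        "<?php\n/*\nPlugin Name: Old Contact Form\nVersion: 0.9\n*/\n"
    ),
    "wp-content/themes/example-theme/style.css": (
        "/*\nTheme Name: Example Theme\nVersion: 2.0.1\n*/\n"
    ),
    "wp-content/plugins/mystery/mystery.php": "<?php\n/*\nPlugin Name: Mystery Widget\n*/\n",
}

# Hypothetical "latest" versions, as you would look them up by hand.
LATEST = {
    "Example Gallery": "1.2.3",
    "Old Contact Form": "1.4.0",
    "Example Theme": "2.0.1",
    "Mystery Widget": "1.0",
}

if __name__ == "__main__":
    records = inventory(SAMPLE_FILES)
    for r in records:
        print(f"{r['name']:<20} {r['version'] or '(no version)':<14} {r['path']}")
    print("needs attention:", outdated(records, LATEST))
```

Anything the script lists that you don’t recognise deserves the same scrutiny as an outdated version: attackers sometimes leave their own “plugin” behind to keep access after the original hole is closed.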
Another thing to check is the configuration of any web content software which can send email out. A configuration that lets visitors to your site choose the address the email goes to is an easy way for them to send spam through your account, and if it also lets them choose the from address, it can be used to send backscatter spam under certain circumstances. The to and from addresses for web scripts should always be hard-coded in the configuration and never accepted from the visitor. The fields a visitor does supply (subject, reply address) must be checked for embedded line breaks, since a newline in a header field lets the sender append extra headers such as Bcc and turn the form into a relay anyway.
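To make the difference concrete, here is an added example (not code from the original post or from any particular CMS) that shows a naive contact-form mailer beside a hardened one. The naive version builds the header block by string concatenation from the visitor’s fields, the way a thin wrapper around PHP’s mail() often does; the hardened version fixes the To and From addresses in configuration and rejects any visitor field containing a line break. The addresses and the two sample submissions are constructed for the example.

```python
import re

# Hard-coded addresses (hypothetical values): set once by the site owner in
# configuration. The visitor never chooses who the mail goes to or comes from.
CONTACT_TO = "owner@example.com"
CONTACT_FROM = "forms@example.com"

# Conservative mailbox shape for the visitor's reply address; whitespace,
# angle brackets and control characters are rejected outright.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_NEWLINE = re.compile(r"[\r\n]")


class UnsafeInput(ValueError):
    """Raised when a form field would let the visitor control routing or headers."""


def build_insecure(form: dict) -> str:
    """The pattern the text warns against: recipient and sender come straight
    from the POST fields and headers are concatenated without validation.
    Returns the raw message text (headers, blank line, body)."""
    headers = (
        f"To: {form['to']}\r\n"
        f"From: {form['from']}\r\n"
        f"Subject: {form['subject']}\r\n"
    )
    return headers + "\r\n" + form["body"]


def build_secure(form: dict) -> str:
    """Hardened version: routing is fixed, visitor-supplied fields are validated."""
    subject = form.get("subject", "")
    reply_to = form.get("email", "")
    body = form.get("body", "")
    for name, value in (("subject", subject), ("email", reply_to)):
        if _NEWLINE.search(value):
            raise UnsafeInput(f"line break in '{name}': header injection attempt")
    if not _ADDR.fullmatch(reply_to):
        raise UnsafeInput("reply address is not a plain mailbox")
    if len(subject) > 200:
        raise UnsafeInput("subject too long")
    headers = (
        f"To: {CONTACT_TO}\r\n"          # never form['to']
        f"From: {CONTACT_FROM}\r\n"      # never form['from']
        f"Reply-To: {reply_to}\r\n"      # the only place the visitor's address appears
        f"Subject: {subject}\r\n"
    )
    return headers + "\r\n" + body


def header_fields(message: str) -> dict:
    """Split a raw message into its header fields (lower-cased names, first value wins),
    which is how the receiving MTA will read whatever the form produced."""
    head = message.split("\r\n\r\n", 1)[0]
    fields = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), value.strip())
    return fields


def rejects(form: dict) -> bool:
    """True if the hardened builder refuses the submission."""
    try:
        build_secure(form)
    except UnsafeInput:
        return True
    return False


# Constructed sample submissions.
SPAM_FORM = {  # a spammer abusing the form: chosen recipient, forged sender, injected Bcc
    "to": "victim1@example.net",
    "from": "ceo@some-bank.example",
    "email": "ceo@some-bank.example",
    "subject": "Hello\r\nBcc: victim2@example.net, victim3@example.net",
    "body": "Buy now",
}
LEGIT_FORM = {  # an ordinary visitor; 'to' and 'from' are present but ignored when hardened
    "to": "anything@example.net",
    "from": "ignored@example.net",
    "email": "visitor@example.org",
    "subject": "Question about hosting",
    "body": "Hi, I have a question.",
}

if __name__ == "__main__":
    print(build_insecure(SPAM_FORM))
    print("hardened rejects spam submission:", rejects(SPAM_FORM))
    print(build_secure(LEGIT_FORM))
```

Run as-is, the naive builder happily emits a message addressed to the spammer’s chosen recipient with two more injected into a Bcc header; the hardened builder refuses that submission and, for the legitimate one, produces mail that always goes from your configured sender to your configured mailbox.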
Finally, you’ll want to log in to your cPanel account and check the Email Accounts, Addon Domains, Parked Domains, and Subdomains sections for anything anomalous. Spammers often set up email accounts to continue using after the original hole is closed, and phishing sites often add domains or subdomains which contain the name of the brand they’re phishing for.
Once you’ve done all of this and verified that your site is working, we recommend taking another “baseline” backup. You can use the cPanel Full Backup tool in your cPanel account to create and download a monolithic backup containing all of your content, email, databases, and configurations.
As always, if you need any help along the way, feel free to open a ticket with our 24/7 support department if you’re in a bind – we’re here to help!