Because there may be multiple, independent hacks in place, even if you're able to find and fix one vulnerability, we recommend continuing to search for others. Start your investigation by reading about the top ways websites get hacked by spammers.
You'll need the following:
- Shell or terminal administrator access to your site's servers: web, database, and files
- Knowledge of shell or terminal commands
- Understanding of code (such as PHP or JavaScript)
- The ability to run two antivirus scanners
Next actions
We'll cover several common ways a site can be compromised. Hopefully, one of these will either apply to your site, or at least shed light on additional possibilities.
Be aware that vulnerability scanners are different from antivirus scanners. Vulnerability scanners can be far more invasive and have greater potential to cause unwanted damage to your site. Follow all directions, such as backing up your site, before running the scanner.
Potential vulnerabilities
Potential vulnerabilities to investigate include the following:
Virus-infected administrator's computer
On an administrator's virus-infected computer, the hacker might have installed spyware to record the site admin's keystrokes.
- Check for viruses on administrators' systems. We recommend running several reputable antivirus (AV) scanners on every computer an administrator has used to sign in to the site. Because new malware is constantly being designed to evade scanners, this isn't a foolproof method of detection. Running multiple scanners helps avoid false positives and provides more data points to determine whether an infection exists. Also consider scanning both your web server and all devices used to update or post to the site, just to be safe.
- If the AV scanner detects spyware, a virus, trojan horse, or any other suspicious program, investigate the site's server logs to check for activity by the administrator who owns the infected computer.
- The hacker might have altered log files. If they haven't, correlating the administrator's username with suspicious commands in the log file is further evidence that a virus on an administrator's system made the site vulnerable.
Weak or reused passwords
Weak passwords are easy for hackers to discover, providing them with direct access to your server. Strong passwords have a combination of letters and numbers, punctuation, and no words or slang that might be found in a dictionary. Passwords must only be used for one application, not reused throughout the web. When passwords are reused, it only takes one security breach on one application for a hacker to find a login and password they can use elsewhere.
In the server log, check for undesirable activity, such as multiple login attempts for an administrator or an administrator making unexpected commands. Make note of when the suspicious activity occurred, because understanding when the hack first took place helps determine what backups might still be clean.
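The two log checks described above (an infected administrator's account issuing suspicious commands, and repeated failed logins followed by unexpected admin actions) can be scripted. The following is an added example, not code from the original page: it runs over a constructed sample log in an assumed "timestamp user event detail" layout, flags password-guessing bursts, lists commands that look like web-shell drops, and reports the earliest suspicious timestamp so you know which backups predate the compromise. Adapt `LINE_RE` and `SUSPICIOUS_DETAIL` to your own log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real server). Format assumed here:
# "<ISO timestamp> <user> <event> <detail>". Adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z admin LOGIN_FAIL -
2024-03-01T02:14:03Z admin LOGIN_FAIL -
2024-03-01T02:14:05Z admin LOGIN_FAIL -
2024-03-01T02:14:07Z admin LOGIN_FAIL -
2024-03-01T02:14:09Z admin LOGIN_FAIL -
2024-03-01T02:14:11Z admin LOGIN_OK -
2024-03-01T02:15:40Z admin CMD upload /wp-content/uploads/shell.php
2024-03-01T09:30:00Z editor LOGIN_OK -
2024-03-01T09:31:12Z editor CMD edit /post/42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>\S+) (?P<detail>.*)$")

# Patterns typical of web-shell drops or obfuscated payloads in admin actions
SUSPICIOUS_DETAIL = re.compile(r"\.ph(p|tml)\b|eval\(|base64", re.IGNORECASE)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """Return {user: first failure time} for users with `threshold` or more
    failed logins inside any `window_seconds` window (a password-guessing sign)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[user] = times[i]
                break
    return flagged


def suspicious_commands(events, users=None):
    """Admin actions whose detail looks like a web shell or payload; restrict to
    `users` (for example the owner of an infected workstation) when given."""
    return [
        e for e in events
        if e["event"] == "CMD"
        and (users is None or e["user"] in users)
        and SUSPICIOUS_DETAIL.search(e["detail"])
    ]


def earliest_suspicious_time(text):
    """ISO timestamp of the first suspicious activity, or None. Use it to decide
    which backups predate the compromise."""
    events = list(parse_log(text))
    bursts = failed_login_bursts(events)
    cmds = suspicious_commands(events)
    candidates = list(bursts.values()) + [c["ts"] for c in cmds]
    return min(candidates).isoformat() if candidates else None


if __name__ == "__main__":
    evs = list(parse_log(SAMPLE_LOG))
    print("password-guessing bursts:", failed_login_bursts(evs))
    print("suspicious commands:", [(c["user"], c["detail"]) for c in suspicious_commands(evs)])
    print("earliest suspicious activity:", earliest_suspicious_time(SAMPLE_LOG))
```

Keep in mind that a hacker who gained shell access may have edited or truncated the log, so an empty result here is not proof of a clean server; cross-check against logs shipped off-host (a syslog collector or your hosting provider's copies) where you have them.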
Out-of-date software
Check that your server(s) have installed the latest version of the operating system, content management system, blogging platform, applications, plugins, and any other software the site uses.
- Research all installed software (perhaps through a web search) to determine whether your version contains a security advisory. If it does, it's likely that outdated software made your site vulnerable.
- As a best practice, always aim to keep your servers' software up to date, regardless of whether outdated software caused this particular compromise.
Permissive coding practices, such as open redirects and SQL injections
Open redirects
Open redirects are redirect endpoints whose URL structure accepts another URL as a parameter, so that users can be sent on to a useful file or page on the site. For example:
http://example.com/page.php?url=http://example.com/good-file.pdf
The same endpoint, if it accepts any destination, also serves an attacker:
http://example.com/page.php?url=malware-attack-site
- If your site is abused by open redirects, you likely noticed that the message in Search Console provided example URLs that included open redirects to an undesirable destination.
- To prevent open redirects in the future, check the following:
- Whether "allow open redirects" is turned on by default in your software.
- Whether your code can prohibit off-domain redirects.
- Whether you can sign the redirect so that only redirects with properly hashed URLs and the correct cryptographic signature can proceed.
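The last two checks above (prohibiting off-domain redirects, and signing redirects so only destinations the site itself generated are honoured) look like this in practice. This is an added example written for this page, not the page's or any project's own code. It assumes a site origin of `https://example.com` and a server-side HMAC key loaded from configuration; both are placeholders.

```python
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit

# Assumptions for this example: the site's canonical origin and a server-side
# secret loaded from configuration (never a literal in production code).
SITE_ORIGIN = "https://example.com"
SIGNING_KEY = b"replace-with-a-long-random-secret-from-config"


def redirect_target_vulnerable(url_param):
    """The open-redirect pattern: whatever arrives in ?url= becomes the Location
    header, so ?url=https://malware-attack-site/ is honoured as-is."""
    return url_param


def resolve_same_origin(target):
    """Return the absolute URL if `target` stays on SITE_ORIGIN, else None.

    Resolving against the site origin first closes the common bypasses:
    scheme-relative //evil.com, javascript: URLs, lookalike hosts such as
    example.com.evil.com, and userinfo tricks such as example.com@evil.com.
    """
    if not target or "\\" in target or any(ord(ch) <= 0x20 for ch in target):
        return None  # browsers normalise backslashes and control characters
    resolved = urljoin(SITE_ORIGIN, target)
    site, parts = urlsplit(SITE_ORIGIN), urlsplit(resolved)
    if parts.scheme != site.scheme or parts.netloc.lower() != site.netloc.lower():
        return None
    return resolved


def sign_target(target):
    """HMAC over the exact destination. The site emits this when it generates
    an outbound link, so attackers cannot mint signatures for their own hosts."""
    return hmac.new(SIGNING_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def safe_redirect_target(target, sig=None):
    """Hardened replacement: on-site targets pass unsigned; off-site targets
    need a valid signature and an http(s) scheme. Returns None to refuse."""
    local = resolve_same_origin(target)
    if local is not None:
        return local
    if sig is None or not isinstance(sig, str) or not sig.isascii():
        return None
    if not hmac.compare_digest(sign_target(target), sig):
        return None
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target


if __name__ == "__main__":
    for t in ("/good-file.pdf", "//malware-attack-site/", "https://example.com.evil.com/"):
        print(t, "->", safe_redirect_target(t))
    partner = "https://partner.example.net/doc"
    print(partner, "->", safe_redirect_target(partner, sign_target(partner)))
```

On refusal, send the user to a fixed landing page on your own site rather than echoing the rejected value anywhere. The origin comparison is deliberately strict (an explicit `:443` port or an `http://` scheme on the same host is refused); loosen it only if you understand which hosts you are adding.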
SQL injections
SQL injections happen when a hacker is able to add rogue commands to user input fields that your database executes. SQL injections update records in your database with unwanted spam or malware content, or they dump valuable data to output for the hacker. If your site uses a database, and especially if you were infected with malware, it's possible that your site was compromised by a SQL injection.
- Sign in to the database server and look for suspicious content in the database, such as otherwise ordinary text fields that now show iframes or scripts.
- For suspicious values, check whether the user input that populates those fields is validated and passed to the database as a bound parameter (or at least properly escaped and strongly typed), so that it can't be executed as code. If user input isn't checked before database processing, SQL injection can be a root-cause vulnerability on your site.
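Both steps above (scanning text fields for injected iframes or scripts, and checking how user input reaches the database) are shown below in one added example, written for this page and not taken from it or from any project. It uses a constructed in-memory SQLite database as a stand-in for a site's real one: the vulnerable queries splice input into the SQL text, which lets a `UNION` payload dump the users table and an `OR 1=1` payload plant an iframe in every post; the hardened versions use bound parameters and an integer-typed id; the scanner walks every TEXT column looking for the markup.

```python
import re
import sqlite3


def build_sample_db():
    """Constructed in-memory database standing in for a site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO users (username, password_hash) VALUES ('admin', 'pbkdf2-sha256$constructed-hash');
        INSERT INTO posts (title, body) VALUES ('Welcome', 'Hello, world');
        INSERT INTO posts (title, body) VALUES ('About', 'About this site');
    """)
    return conn


# --- the vulnerable pattern: user input spliced into the SQL text ----------
def find_posts_vulnerable(conn, title):
    sql = "SELECT id, title, body FROM posts WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()


def update_body_vulnerable(conn, post_id, body):
    sql = "UPDATE posts SET body = '%s' WHERE id = %s" % (body, post_id)
    conn.execute(sql)


# --- the hardened pattern: bound parameters, input never becomes SQL --------
def find_posts_safe(conn, title):
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE title = ?", (title,)
    ).fetchall()


def update_body_safe(conn, post_id, body):
    # Strong typing: a post id that is not an integer raises ValueError here,
    # long before anything reaches the database.
    conn.execute("UPDATE posts SET body = ? WHERE id = ?", (body, int(post_id)))


# --- post-incident check: injected markup in ordinary text fields -----------
INJECTED_MARKUP = re.compile(r"<\s*(iframe|script)\b|javascript:", re.IGNORECASE)


def scan_text_columns(conn):
    """Walk every TEXT column of every table; return (table, column, rowid)
    for rows whose value contains iframe/script markup. Table and column names
    come from the schema catalogue, not from users, so quoting them is safe."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    for table in tables:
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)
                if r[2].upper() == "TEXT"]
        for col in cols:
            rows = conn.execute('SELECT rowid, "%s" FROM "%s"' % (col, table))
            for rowid, value in rows:
                if value and INJECTED_MARKUP.search(value):
                    hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    dump = "' UNION SELECT id, username, password_hash FROM users --"
    print("vulnerable lookup leaks:", find_posts_vulnerable(db, dump))
    print("safe lookup returns:", find_posts_safe(db, dump))
    update_body_vulnerable(db, "1 OR 1=1", '<iframe src="http://malware-attack-site/"></iframe>')
    print("injected markup found at:", scan_text_columns(db))
```

Run the scanner against a copy of the production database rather than the live one, and extend `INJECTED_MARKUP` with whatever the Search Console sample URLs show (hidden links, obfuscated `eval` blobs) since spam payloads vary.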