There are basically three ways to deal with a hacked website. This guide describes all three, and what to do once the cleanup is done.
Clean out the hack
Method 1 – Restore from backup
Restoring the website from a backup taken before the infection is often the easiest and most reliable method. It is simple because a single restore removes all malicious files at once, and reliable because, as long as you follow the instructions below, you can be fairly confident that every malicious file is actually gone. Bear in mind that a backup restores the website exactly as it was, including the outdated software, plugin or theme that let the attacker in, so update everything immediately after the restore or the site will be hacked again.
The downside of this method is that you may lose data. If, for example, your website was hacked a week ago and you have added content since then, restoring a backup from before the hack discards that week's work. There is, however, a way around this, which we describe below.
If your website has been infected, both files and the database may be affected. We recommend that you begin by restoring just the files, since this will lessen the risk of data loss. If restoration of the files isn’t enough, we describe the database restoration process below.
Restore files
We have detailed instructions regarding how you use our backup software here. However, please read the text below before you continue with the restoration.
Before you can restore, you need to find a backup from a point in time when your site wasn't infected. Pick a few files from the list of harmful files you've received from us (if you don't have such a list, ask us to scan your account) and check whether those files exist in each backup point. If they are present in a backup, the site was already infected when that backup was taken. If they are absent, you have probably found a clean point to restore from. Absence of the listed files is a good sign but not proof: the attacker may have had a foothold for a while before the reported files were dropped, so prefer a backup with some margin before the first infected one rather than the one taken immediately before it.
It's important to differentiate between malicious files and injected files. Malicious files should not exist on your account at all. Injected files are legitimate files into which malicious code has been inserted; the files themselves belong there, only the injected code doesn't. Hence, when browsing the backups, look for the malicious files, not the injected ones: an injected file exists in every backup, clean or not, so its mere presence tells you nothing.
Once you’ve identified a backup point you wish to restore from, follow our guide to perform the restoration.
If you rename the site's folder before restoring, you keep a copy of the website as it was before the restoration, which gives you access to files that aren't in the backup. If, for example, images are missing after the restore, you can copy them from the renamed folder. Copying individual images or documents is fine, but never copy entire folders into the clean site, since malicious files may be hiding in them, and never copy PHP or other script files from the old folder at all.
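The search for a clean backup point described above, as an added example; this is not the host's backup tool but a plain POSIX shell script. It assumes the backups are reachable as a directory of snapshots named by date (BACKUP_ROOT/2024-05-08/public_html/...), and that the scan report has been saved as a text file with one site-relative path per line. The snapshot contents and the webshell path are constructed for the example.

```shell
# Added example (not the host's backup tool): given the list of malicious paths
# from the scan report and a directory of backup snapshots named by date, report
# the newest snapshot in which none of those paths exist.
# Assumed layout: BACKUP_ROOT/<YYYY-MM-DD>/<site files>.

# Constructed fixture: three snapshots; the two newest contain the dropped webshell.
make_fixture() {
  root=$(mktemp -d)
  for day in 2024-05-01 2024-05-08 2024-05-15; do
    mkdir -p "$root/$day/public_html/wp-content/uploads"
    printf '<?php // legitimate front controller\n' > "$root/$day/public_html/index.php"
  done
  for day in 2024-05-08 2024-05-15; do
    printf '<?php eval($_POST["c"]);\n' > "$root/$day/public_html/wp-content/uploads/x.php"
  done
  echo "$root"
}

# find_clean_snapshot BACKUP_ROOT LIST_FILE
# LIST_FILE holds one site-relative path per line (the reported malicious files).
# Prints the newest snapshot directory containing none of them; returns 1 if every
# snapshot contains at least one of them.
find_clean_snapshot() {
  backup_root=$1
  list=$2
  # Snapshot names are ISO dates without spaces, so a reverse lexical sort is newest-first.
  for snap in $(ls -1 "$backup_root" | sort -r); do
    infected=0
    while IFS= read -r rel; do
      [ -n "$rel" ] || continue
      if [ -e "$backup_root/$snap/$rel" ]; then
        infected=1
        break
      fi
    done < "$list"
    if [ "$infected" -eq 0 ]; then
      echo "$backup_root/$snap"
      return 0
    fi
  done
  return 1
}

# Stand-alone run against the constructed fixture.
FIXTURE_ROOT=$(make_fixture)
MALICIOUS_LIST=$(mktemp)
printf 'public_html/wp-content/uploads/x.php\n' > "$MALICIOUS_LIST"
find_clean_snapshot "$FIXTURE_ROOT" "$MALICIOUS_LIST" || echo "no clean snapshot found"
```

On the fixture the script reports the 2024-05-01 snapshot, because the two later ones both carry the webshell. The check is deliberately limited to the malicious files from the report: as explained above, injected files exist in every snapshot and would never distinguish a clean point from an infected one.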
Restore the database
If restoring the files didn't solve your issue, you may have to restore the database as well. When restoring a database, there is nothing to consider other than what we mention below: your database is replaced outright by the one from the backup server. You can read about how to restore databases here.
Since the database contains most of the content of the website, the risk of data loss is large when you restore the database. However, you can work around this if you’re willing to spend extra time on it.
Before you restore the database, create a .sql dump of the current database by following the instructions here. Then, create a new database by following the steps detailed here. Finally, import your .sql dump into the newly created database by following this guide.
Now you can use phpMyAdmin (found via cPanel) to copy specific data, for example the posts and orders created after the backup was taken, from the pre-restore copy into the restored database. Inspect what you copy before you move it: if the attacker also tampered with the database, that is where the injected content lives, typically script or iframe tags inside post bodies, altered site URLs or options, and extra administrator accounts.
Method 2 – Manual cleanup
You may also go through all files on your website and clean out all malicious code by hand. This will require a lot of time, but if you know what you’re doing you may get great results. The main advantage of using this method is that you will experience no data loss.
The only manageable way to work through this method is via SSH. Doing it via FTP or cPanel's built-in File Manager would take at least twice as long.
We recommend that you start from the list of malicious files we’ve sent out (if you haven’t got such a list, ask us to scan your account). It’ll give you a great starting point on your hunt for malicious files.
Then try to find common factors between the files, e.g. whether they were modified on the same day, contain the same code sequence, or are of a file type that doesn't belong where it was found (such as a PHP file in an uploads folder). Once you've found such a factor, use suitable Linux commands (find, grep) to locate all files on the account sharing it. You will probably find more files than the ones reported. Treat modification times as a hint rather than proof: an attacker can reset them with touch, so an old timestamp does not clear a file.
If the database is infected, you can clean it out manually, either via phpMyAdmin or via the mysql command-line client over SSH. Look for script or iframe tags in content tables, unexpected administrator users, and altered site URLs.
We will not delve any deeper into this method since it’s for advanced users, and you need to find out what tools you need and how to use them on your own.
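The "find a common factor, then find everything that shares it" step, as an added example written for this page; it is not part of the host's tooling. It assumes a WordPress-like layout (wp-content/uploads, wp-includes) and constructs a small site with one reported webshell and three planted siblings, then hunts for them by three factors: the same code sequence, PHP files in the uploads folder, and a modification-time window. The snippets and file names are made up for the example.

```shell
# Added example, not the host's tooling: starting from one reported malicious file,
# hunt for siblings that share a factor with it. Three factors are shown: the same
# code sequence, PHP files in the uploads directory, and a modification-time window.
# The WordPress-like layout and the malicious snippets are constructed for this example.

make_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2024/05" "$site/wp-includes"
  # legitimate files, last touched long before the incident
  printf '<?php echo "hello";\n' > "$site/index.php"
  printf '<?php /* core */\n' > "$site/wp-includes/functions.php"
  touch -t 202401010000 "$site/index.php" "$site/wp-includes/functions.php"
  # the reported webshell plus three siblings planted during the same night
  printf '<?php eval(base64_decode($_POST["p"]));\n' > "$site/wp-content/uploads/2024/05/x.php"
  printf '<?php eval(base64_decode($_GET["q"]));\n' > "$site/wp-includes/class-wp-cache.php"
  printf '<?php /* core */ eval(base64_decode("ZWNobyAx"));\n' > "$site/wp-includes/load.php"
  printf '<?php system($_REQUEST["x"]);\n' > "$site/wp-content/uploads/2024/05/image.jpg.php"
  touch -t 202405100300 "$site/wp-content/uploads/2024/05/x.php" \
    "$site/wp-includes/class-wp-cache.php" "$site/wp-includes/load.php" \
    "$site/wp-content/uploads/2024/05/image.jpg.php"
  echo "$site"
}

# Factor 1: same code sequence as the reported file. The snippet is passed as a
# fixed string (-F) so its parentheses are not interpreted as a regex.
find_by_signature() {   # SITE_DIR SNIPPET
  grep -rlF --include='*.php' -- "$2" "$1" | sort
}

# Factor 2: file type where it doesn't belong. Nothing under uploads should be PHP.
find_php_in_uploads() {   # SITE_DIR
  find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

# Factor 3: modification time. Lists files changed between START and END (touch -t
# format, YYYYMMDDhhmm) using -newer against two reference files, which works with
# POSIX find. An attacker can reset timestamps with touch, so an old mtime is only
# weak evidence that a file is clean.
find_by_mtime() {   # SITE_DIR START END
  start_ref=$(mktemp); end_ref=$(mktemp)
  touch -t "$2" "$start_ref"; touch -t "$3" "$end_ref"
  find "$1" -type f -newer "$start_ref" ! -newer "$end_ref" | sort
  rm -f "$start_ref" "$end_ref"
}

# Stand-alone run against the constructed site.
SITE=$(make_site)
echo "== files sharing the reported file's code sequence"
find_by_signature "$SITE" 'eval(base64_decode'
echo "== PHP files under uploads"
find_php_in_uploads "$SITE"
echo "== files modified in the incident window"
find_by_mtime "$SITE" 202405091200 202405101200
```

Note that the signature search finds load.php, a legitimate core file with code injected into it, which the file-type and uploads checks would never flag; that is exactly why you combine several factors. The file-type check in turn catches image.jpg.php, which shares no code with the reported file. Run each factor, union the results, and review every hit by hand before deleting or cleaning it.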
Method 3 – Start from the beginning
By starting from the beginning we mean that you delete the current website and create it from scratch. It may sound extreme, but it works well in a few key cases. For example, if you haven't created much content on your website yet, there isn't much to lose by starting over. Similarly, if you're in the process of building a new website anyway, it may not be worth spending time cleaning and rescuing the old one. Instead, just remove the infected site and carry on building the new one.
The main advantage of this method is that you're guaranteed to remove all malicious files. This is a major point, since if you miss even a single malicious file the hack may happen again shortly. The guarantee only holds if the new site is built with current software, plugins and themes; reinstalling the same outdated version reopens the same door.
After cleanup
Once you believe you're done cleaning out all malicious code, contact us via email and ask us to scan your account again. It's best if you reply to our initial report, so everything stays within one support ticket. Whichever method you used, also change all passwords the attacker may have obtained (cPanel, FTP, SSH, database and website administrator accounts) and make sure the website software, plugins and themes are up to date; otherwise the attacker can simply come back.
If we find more malicious code, we'll get back to you.
Depending on what kind of information you store on your website, you may have to report the hack to the Swedish Authority for Privacy Protection. If you’re unsure if you need to report it or not, contact them to find out.
Why did I get hacked?
The reasons for getting hacked vary. It's uncommon for an attack to be aimed directly at you or your company. Instead, attacks are usually carried out by automated tools that scan the web for sites running a specific software, plugin or theme with a known vulnerability, and exploit every site they find.
Below are a few examples of what the attacker may be after when a website gets hacked:
- To use our servers to send spam email.
- “Script-kiddie hack”, just someone hacking the website for “fun”.
- To spread a message by swapping out the start page of the website.
- Setting up fraudulent websites used e.g. for phishing attacks, trying to get hold of banking credentials.
- To spread viruses or malware, or to attack other servers online.
- To steal sensitive data stored on the website (information about certain individuals, or credit card information).