What can I do about my website that has been hacked?

Capitan Hosting


An account is considered pirated (or hacked) when an unauthorized individual (or automated software, such as a virus) has compromised its security measures in order to retrieve information, deface/alter its contents, or use it as a platform for further attacks.

Why would someone want to hack my web site?

While every case is different, there are many different reasons why someone would want to hack your web site:

  • To install viruses or malware so that they may spread quickly to other users,
  • To send spam,
  • To set up copies of websites that request sensitive information from unsuspecting users (called phishing),
  • To purposely cause financial harm to your business or organization (perhaps surprisingly, this is actually quite uncommon),
  • Because they can, or to prove they are competent hackers.

How did my account get hacked?

There are generally two ways this may have happened:

  1. Your password was compromised. It may have been guessed (if the password was too easy), used by someone you trust, or stolen from your computer (often by an automated virus).
  2. Your web site contained scripts or web applications that had security flaws, and those flaws were exploited in such a way that the hacker gained control of your account (this is very common, especially for the Joomla, WordPress, and phpBB applications when they are not up-to-date).

Because of the way our hosting environment is set up, it is extremely unlikely (borderline impossible) that your account was hacked due to a server-wide vulnerability or because of a vulnerability on another account on the same server. While you may be tempted to blame the web host for security vulnerabilities on your hosting account, it is useful to note that 100% of cases reported to date were due to one of the two above-listed reasons and not to a server-wide vulnerability.

How do I know if my account has been hacked?

Sometimes a hacker will boldly display the fact that your site was hacked on your main web site. Other times, however, it can be much harder to detect that your site has been hacked. Hacked web sites may:

  1. Inject code into your web pages' HTML that installs drive-by viruses or malware that infect your web site's visitors. Infected sites will generally be blocked by certain web browsers and search engines in order to limit the spread of the virus. This will obviously cause a substantial loss of traffic to your web site.
  2. Contain visibly pirated web pages (with links and images that are not yours).
  3. Contain an exact replica of some other site (called "phishing").
  4. Send spam emails from your account.
  5. Install scripts that may remotely attack other web sites or attempt to damage and further compromise the server.
  6. Manipulate or sabotage your database or files.

If your account was hacked and we received complaints, we will send you a notice informing you of the problem and asking you to react quickly (within 24 hours) in order to correct the problem. In some extreme cases, we may suspend your account immediately to prevent serious problems on the server.

Because of the security configuration of the server, a user's account (even a compromised one) cannot read or modify another account's files on the same server.

What to do if your web site has been hacked?

A hacked web site cannot be considered secure unless it has been recreated with a different password. Even if you remove the files that appear infected, it is possible (and even likely) that hidden files will remain on your account and that these files may be used for similar attacks in the future.

To restore a hacked account:

  1. Run a complete anti-virus scan of your computer and any other computers having had access to the web server in the past, with an up-to-date antivirus.
  2. Locate a clean backup copy of your web site. Ideally, you should have one on your computer or on a removable storage device, which may be easily uploaded to the webserver again. If you do not have a local backup of your site, contact our technical support as we may be able to restore a backup from our servers. Please note that we do not keep backups older than a few weeks, so if your account was compromised before then, restoring it will not fix the situation. If your backup is infected or if you do not have a working backup, you may need to proceed with manual cleaning of your existing HTML, PHP, and JavaScript files (if available). This is a lengthy and tedious process that must be performed by an experienced technician.
  3. Open a Support Ticket in the Client Area and request that your account be recreated so that you can guarantee that your account is now in a virus-free state. You may want to retrieve all your emails, database contents, and other settings and files before requesting this since all your account’s contents will be deleted irreversibly.
  4. Once you’ve received confirmation that your account was recreated, upload all your files to your account again and recreate your email addresses and databases (as needed).
  5. Change your password (use a secure one!) for the Client Area, cPanel, email accounts, databases, and any web software you use (for example Joomla, phpBB, WordPress, or any other web software in use on your account).
  6. Double-check the version of all the web software installed on your account (as well as their modules and extensions), and update them as needed. Generally, a simple Google search containing the name and version of your software along with the keyword "vulnerability" (example: Joomla 1.5.2 vulnerability) will return pertinent information about possible security vulnerabilities with your software version.
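
For the manual check described in step 2 and the hidden files mentioned above, the following added example (not a Capitan Hosting tool) compares a downloaded copy of the live site against a known-clean backup and lists files that were added, removed, or modified, including dot-files. The function names and the sample trees built by `build_demo` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map every file under root (dot-files included) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            hashes[rel] = hashlib.sha256(data).hexdigest()
    return hashes


def compare_site(clean_root, live_root):
    """Return files added, removed or modified in live_root versus clean_root."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in set(clean) & set(live) if clean[p] != live[p]),
    }


def build_demo():
    """Create two small constructed trees: a clean backup and an altered copy."""
    base = tempfile.mkdtemp()
    trees = {
        "clean": {"index.php": "<?php echo 'home';", "js/app.js": "init();",
                  "about.html": "<p>About</p>"},
        "live": {"index.php": "<?php echo 'home'; // constructed extra line",
                 "js/app.js": "init();",
                 "images/.cache.php": "<?php // constructed unknown file"},
    }
    for tree, files in trees.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "clean"), os.path.join(base, "live")


if __name__ == "__main__":
    print(compare_site(*build_demo()))
```

To use it on a real site, call `compare_site` with the folder holding your clean backup and the folder holding the copy downloaded from the server; every path under "added" or "modified" should be reviewed before anything is uploaded again.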