An Intro to Web Hacks
Back in January of 2016, Sandia Digital was contacted by the Scatena Daniels firm to look into something strange on their website. It looked like several links were being directed to a website that promoted ‘male enhancement’, and this was certainly code they did not put together in house. After taking a look at their database, it was obvious their website was hacked. We found over 14,000 pieces of spam that had been injected into their older SQL Server database, and it was going to take some time to clean up.
What Scatena Daniels found is an unfortunately common occurrence with websites. Their firm underwent an attack called a “SQL Injection”. This kind of attack exploits a flaw in the way a website passes input to its database, and then uses that flaw to manipulate the database. This manipulation can be used to redirect traffic to another website, pull sensitive user information, or even drop malware onto the devices of users visiting the website. These kinds of attacks used to be found only on hacked websites belonging to larger corporations; however, they are now seen frequently even with small businesses and non-profits.
“My website was hacked! What can I do?”
Assuming the hack was recent and was also a SQL Injection attack similar to the Scatena Daniels’ attack (these are very common), there are two things you can do that may restore your hacked website right away:
- If you have a recent backup, restore it using a method you are familiar with.
- If you do not have a backup, call your hosting provider right away! They may have backed up your website for you. They may charge you to have your website restored.
If you are not able to restore your website easily, you may be able to get rid of the malicious code if you have access to the code and database. Please note that the instructions below require some knowledge of coding and database structure. If you do not possess this knowledge or are not sure about the attack itself, please DO NOT ATTEMPT a manual restoration of your hacked website using the steps below, as it may make things worse. In the steps below, we are assuming that malicious links were added to a database, as this is a common attack.
1. Access your hosting portal’s cPanel (Control Panel). This is found in your hosting provider’s account.
2. Look for the “Databases” section of your control panel.
3. Find and access your database. It will likely be “phpMyAdmin” for a MySQL database, and “MSSQL” for a SQL Server database. These will provide a visual aid to navigating the database.
4. Export or back up your database. Even though it may be hacked, it is possible for you to make things worse by updating the database with improper code. Having a current backup will at least give you the ability to restart the procedure if you need to.
5. Export your database one more time. This export is for you to modify. Save it to a different folder so you do not accidentally save over your original export from step 4.
6. Open your exported database (just the one you are intending to modify) using Notepad, Wordpad, or any simple text editor.
7. “Ctrl+f” to find the malicious code. For example, if you notice that a link has “enhancement” in the text, search for “enhancement”. You will likely find the link and other content all there.
8. If the full link reads (for example) “<a href="badsite.com">enhancement</a>”, perfect! You found the injected code.
9. “Ctrl+h” to find and replace. In the “Find” row, enter the malicious link from step 8. In the “Replace” row, keep it empty. Press the “Replace All” button to replace all of the code in one go.
10. “Ctrl+f” to double check that all of the malicious code was removed.
11. Make sure that the unmodified export is safe, just in case you need it.
12. In your phpMyAdmin or MSSQL tool, “Import” the database you just altered. There should be a “success” message for a successful import.
13. Open a new tab, and visit your website normally. If the database alteration was successful, the bad links should be gone!
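The search, replace and re-check steps above can also be scripted. This is an added example, not Sandia Digital's own tooling: it assumes the export is a plain-text SQL file and that the injected content is HTML links, and it removes links by host so that variants of the same spam link are caught in one pass. `SAMPLE_DUMP`, `badsite.example` and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Whole <a ...>...</a> element. The href quote may be plain, backslash-escaped
# (MySQL dumps) or doubled (SQL Server scripts), hence the loose quote match.
ANCHOR = re.compile(
    r"""<a\b[^>]*?\bhref\s*=\s*\\?["']{0,2}([^"'\s>\\]+)[^>]*>(.*?)</a\s*>""",
    re.IGNORECASE | re.DOTALL)

# Constructed sample export; badsite.example stands in for the spam site.
SAMPLE_DUMP = r"""INSERT INTO pages VALUES (1, 'Welcome. <a href="http://badsite.example/pills">male enhancement</a>');
INSERT INTO pages VALUES (2, 'Read <a href="/about">about us</a>. <a href=\"http://BadSite.example/x\">enhancement</a>');
INSERT INTO pages VALUES (3, 'See <a href="https://partner.example/">our partner</a>.');
"""

def host_of(href):
    """Return the lower-cased host of a link, or "" for relative/malformed links."""
    try:
        return urlsplit(href if "//" in href else "//" + href).hostname or ""
    except ValueError:
        return ""

def find_injected(dump, keyword):
    """Search step: count hosts of links whose text or href contains keyword."""
    hits = Counter()
    for m in ANCHOR.finditer(dump):
        if keyword.lower() in (m.group(1) + " " + m.group(2)).lower():
            hits[host_of(m.group(1))] += 1
    return hits

def strip_injected(dump, bad_hosts):
    """Replace step: delete every link to a confirmed bad host, keep the rest."""
    bad, removed = {h.lower() for h in bad_hosts}, 0
    def drop(m):
        nonlocal removed
        if host_of(m.group(1)) not in bad:
            return m.group(0)
        removed += 1
        return ""
    return ANCHOR.sub(drop, dump), removed

if __name__ == "__main__":
    print(find_injected(SAMPLE_DUMP, "enhancement"))        # review hosts first
    cleaned, n = strip_injected(SAMPLE_DUMP, ["badsite.example"])
    print(n, "links removed;", find_injected(cleaned, "enhancement") or "none left")
```

Run it only against the copy of the export made for modification, and review the host counts from `find_injected` before passing any host to `strip_injected`.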
If you are still having trouble or are unsure of the best procedure, please do not attempt a manual restoration and contact Sandia Digital right away. We are available for emergencies, and can respond to you immediately. Being local to Albuquerque we can also visit your offices on the same day.
“How can I prevent website hacks?”
The best thing you can do is maintain your website. Hacked websites generally run on outdated code and databases that have easily exploitable vulnerabilities, and hackers look for that. If you cannot maintain it, see if your host or web developer can perform simple updates on a weekly or monthly basis.
We also recommend backing up your code and database. If you are running a WordPress or Drupal site, there are lots of plugins and modules available that make backups very easy. Install and set up one of these plugins/modules to run at least monthly.