How to Dissect a Website Attack

Overview

Sometimes the only way to really learn about network security is by being the victim of a network attack. A while back, I got an email informing me that my website had been hacked, that visitors to my website were being blocked by safe search security toolbars like AVG’s, and that Google itself was blocking internet searches to my website and redirecting users to a malicious activity warning page.

My first reaction was denial: “My site? No way.” Then the second and third emails arrived. So I decided to check it out and do a Google search for my own website… sure enough, I too was met with the warning page above. Now it’s time to figure out what is wrong with my website and fix it. So where does one start?

Find more information on your hacked website

The first thing to do is to get more information on what the problem actually is. In the image above, you can see that there was a referral link to a Safe Browsing Diagnostic Page with more information on the problem. In the image below, you can see a recent Safe Browsing Diagnostic Page for www.danscourses.com showing the site to be in good standing. Notice the ‘Next steps:’ section at the bottom of the image, which refers the owner of the website to Google’s Webmaster Tools. Whether a website is infected or not, Google’s Webmaster Tools is a useful tool for all website designers and managers, offering valuable information and usage statistics about your website.

At the time my website was hacked, I already had a Webmaster Tools account for my site, so all I had to do was go to the Webmaster Tools login page to find more information about the problems my website was experiencing. In Webmaster Tools, under the health category, there is a malware section which can give you valuable information about which web pages on your website are infected, as well as informational tips on what to look out for. In my case, Webmaster Tools informed me that visiting my website’s homepage was where the malware was detected, but more specifically, that I needed to look at the .htaccess file for the infection. Having some more information about the website infection, the next step is to log in to your webhost (webserver) to find, fix, and remove the infection.

Finding the infection

There are three basic steps to fixing your hacked website:

  1. Locate the infection,
  2. Quarantine and remove the infection,
  3. Inoculate or patch your website/webserver so the same problem does not happen again,
  4. Check to make sure the problem has still not returned.

Since Webmaster Tools suggested I check my .htaccess file, I decided to look at that file first. Upon opening the .htaccess file, I noticed that the file had indeed been altered. How would someone know this if they have never looked at their .htaccess file before? Since my website was built with Joomla, and all Joomla sites have either an htaccess.txt or .htaccess file in the website root directory, it is easy to download a clean version of Joomla and compare the downloaded .htaccess file to the one uploaded to the webserver. Below is an image of the top portion of the infected .htaccess file.

The top of the infected .htaccess file

The top of a healthy .htaccess file
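The comparison described above, written out as an added example (not code from the original post): it diffs the server's copy of .htaccess against the copy from a clean Joomla download and lists every directive that appears only on the server, with its line number. Both file bodies are constructed samples, `example.invalid` is a placeholder, and flagging absolute URLs for review is an assumption of this example.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for the .htaccess from a clean Joomla download.
CLEAN = """\
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
"""

# Constructed stand-in for the copy on the webserver (example.invalid is a placeholder).
LIVE = """\
# edited copy
RewriteEngine  On
RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]

Options +Indexes
"""

ABSOLUTE_URL = re.compile(r"https?://", re.IGNORECASE)  # review heuristic (assumption)

def directives(text):
    """Yield (line_number, directive), skipping comments and blank lines and
    collapsing whitespace so cosmetic differences are not reported."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield number, line

def compare(clean_text, live_text):
    """Return (added, missing): live-only directives as (line, text, has_url)
    and clean-only directives, using an order-aware sequence diff."""
    clean, live = list(directives(clean_text)), list(directives(live_text))
    matcher = SequenceMatcher(None, [d for _, d in clean], [d for _, d in live], autojunk=False)
    added, missing = [], []
    for tag, c1, c2, l1, l2 in matcher.get_opcodes():
        if tag != "equal":
            added += [(n, d, bool(ABSOLUTE_URL.search(d))) for n, d in live[l1:l2]]
            missing += [d for _, d in clean[c1:c2]]
    return added, missing

if __name__ == "__main__":
    for n, d, url in compare(CLEAN, LIVE)[0]:
        print(f"line {n}: {d}" + ("  [absolute URL]" if url else ""))
```

Because the diff is order-aware, a directive that duplicates a baseline line in a new position is still reported, which a plain set comparison would miss.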

Since the .htaccess file was infected, I decided to replace the infected file with a clean .htaccess file. This would take care of step 1: locating the infection, and step 2: removing the infection, and now I could move on to step 3, updating and patching my website and webserver; or so I thought. If only it were that simple…


Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
