How to clean a hacked installation of Apache

Protecting user and business-critical information is a developer's first priority. Nonetheless, one website is hacked every five seconds, and around 63% of website owners are not aware that they have been hacked. A hack can change your search rankings, expose your visitors to viruses and Trojans, and in most cases cause the loss of critical content.

How do you scan Apache for a possible hack?

Malware is designed to dodge scanners, which is why scanning your computer alone may not be enough to detect it. A single AV scanner might report false positives the first time you run it, but running several scanners gives you additional data points for deciding whether a compromise actually exists. Scanning your web server, as well as every other device used to post or update content on the site, also helps keep you safe.

Suspicious activity

Check the server logs for suspicious activity, such as an administrator account making unexpected requests or repeated login attempts against an administrator account. Note carefully when the puzzling activity started: knowing when the hack first occurred tells you which backups could still be clean.
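One way to do the log check described above, as an added example that is not part of the original article: parse Apache combined-format access log lines, count POSTs to wp-login.php per client, and report the first timestamp of any burst so you know the earliest point from which a backup is suspect. The log lines are constructed samples; the threshold and the 200-then-302 pattern (WordPress re-renders the form with a 200 on a failed login and redirects with a 302 on success) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.81"
203.0.113.5 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.81"
203.0.113.5 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "curl/7.81"
203.0.113.5 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.81"
198.51.100.7 - - [10/Mar/2024:09:30:10 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:31:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_login_bursts(log_text, threshold=3):
    """Map ip -> (attempt count, first timestamp ISO, saw a 302) for every
    client that POSTed to wp-login.php at least `threshold` times. The first
    timestamp is the earliest moment to treat the site as possibly compromised."""
    attempts = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec)
    report = {}
    for ip, recs in attempts.items():
        if len(recs) >= threshold:
            first = min(r["ts"] for r in recs)
            succeeded = any(r["status"] == 302 for r in recs)
            report[ip] = (len(recs), first.isoformat(), succeeded)
    return report

if __name__ == "__main__":
    for ip, (n, first, ok) in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs from {first}, success={'yes' if ok else 'no'}")
```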

Check the database

Log in to your database server and look for suspicious content, such as an ordinary text field that contains scripts or iframes. For suspicious values, check that the user input is validated and escaped properly, or strongly typed so that it cannot be executed as code. If user input is not checked before the database processes it, SQL injection may be the vulnerability on your site.

Possible causes

Some of the potential vulnerabilities include:

Weak or reused passwords

A strong password mixes numbers, letters and punctuation rather than being a word or slang term that can be found in a dictionary. A weak password can be quite simple for hackers to crack, giving them direct access to your server. A password should also be used for a single application only and not reused across the web: if you reuse passwords, a single breach of one application lets a hacker find your login and password and simply try them elsewhere.

SQL injections

A hacker can add rogue commands to user input fields that your database will then execute. SQL injection can update records in your database with unwanted spam or malware content, or dump critical data to output for the attacker. If your website uses a database and was infected with malware, it is possible that it was also compromised through SQL injection.
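An added example (not code from the original article) covering both the database check above and this section: an in-memory SQLite stand-in for a WordPress posts table is scanned for script/iframe markup in text columns, and the page's "input concatenated into SQL" bug is shown beside its parameterized fix. The table contents and the regular expression are constructed assumptions.

```python
import re
import sqlite3

# Markup that has no business appearing in an ordinary text column.
SUSPICIOUS = re.compile(r"<\s*(script|iframe)\b|javascript:", re.IGNORECASE)

def build_sample_db():
    """Constructed sample: a tiny WordPress-style posts table where one row
    carries an injected hidden iframe of the kind a defaced site shows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany(
        "INSERT INTO wp_posts (ID, post_title, post_content) VALUES (?, ?, ?)",
        [
            (1, "Welcome", "<p>Hello and welcome to our shop.</p>"),
            (2, "Contact", '<p>Email us.</p><iframe src="http://bad.example/" width=0 height=0></iframe>'),
            (3, "About", "<p>We sell widgets.</p>"),
        ],
    )
    return conn

def find_suspicious_rows(conn, table, columns):
    """Return (ID, column, snippet) for every text cell matching SUSPICIOUS.
    `table` and `columns` are admin-supplied identifiers, not user input."""
    hits = []
    for row in conn.execute(f"SELECT ID, {', '.join(columns)} FROM {table}"):
        for name, value in zip(columns, row[1:]):
            m = SUSPICIOUS.search(value or "")
            if m:
                hits.append((row[0], name, value[max(0, m.start() - 10): m.start() + 30]))
    return hits

def lookup_post_vulnerable(conn, title):
    """The defect the article describes: user input spliced into the SQL text."""
    return conn.execute(f"SELECT ID FROM wp_posts WHERE post_title = '{title}'").fetchall()

def lookup_post_safe(conn, title):
    """Fixed form: the value is bound as a parameter, so it is only ever data."""
    return conn.execute("SELECT ID FROM wp_posts WHERE post_title = ?", (title,)).fetchall()
```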

Out-of-date software

Ensure that your server(s) are running the latest version of the OS, blogging platform, applications, content management system, plugins, and so on. Search the web for every piece of installed software to establish whether your version has a security advisory; if it does, outdated software is quite likely to be what caused the vulnerability on your site.

The best practice is to keep your servers' software up to date regardless of whether outdated software caused this particular vulnerability.

Permissive coding practices such as SQL injection and open redirects

Open redirects

An open redirect is code that lets a URL carry another URL as a parameter, so that users can be forwarded to a web page or useful file on the site.

Typically, when your site has an open redirect problem, you will notice a message in Search Console giving example URLs that contain an open redirect to another destination.

To stop open redirects from appearing in future, confirm that any "allow open redirects" mode is turned off in your software and make sure your code prohibits off-domain redirection; or, if you are able to sign redirects, ensure that only URLs carrying a correct hash and cryptographic signature are followed.
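The two defences just described, as an added example that is not the article's own code: a redirect handler that follows only same-site targets, and otherwise requires an HMAC signature that the server itself issued. SITE_HOST, SECRET and the to/sig parameter names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SITE_HOST = "www.example.com"            # assumed: the only host we redirect to unsigned
SECRET = b"assumed-server-side-secret"   # assumed: kept in config, never in the repository

def is_local_redirect(target):
    """True for a relative path starting with a single '/' (so '//host' and
    '/\\host' are rejected) or an https URL whose host is SITE_HOST."""
    if not target:
        return False
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return True
    u = urlparse(target)
    return u.scheme == "https" and u.netloc.lower() == SITE_HOST

def _signature(target):
    return hmac.new(SECRET, target.encode(), hashlib.sha256).hexdigest()

def sign_redirect(target):
    """Build the query string for a redirect link the server is willing to honour."""
    return urlencode({"to": target, "sig": _signature(target)})

def resolve_redirect(query_string, fallback="/"):
    """Decide where a ?to=...&sig=... request may send the browser: a same-site
    target passes as-is, an off-site target only with a valid signature."""
    q = parse_qs(query_string)
    target = q.get("to", [""])[0]
    sig = q.get("sig", [""])[0]
    if is_local_redirect(target):
        return target
    if sig and hmac.compare_digest(sig, _signature(target)):
        return target
    return fallback
```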

Possible solutions

Backup and restore

Once you have pinned down the exact date and time your site was hacked, the simplest solution is to restore the website from a backup. Unless the entry point was at the server or domain level, the previous backup could still contain the same vulnerability. You should therefore have a reliable backup and an easy-to-restore utility, and make sure the restored backup is free from the same vulnerability. It is also wise to back up your wp-config.php file, database and wp-content directory separately so that you can replace just those portions of the site.

Clean all servers

A mere upgrade may still leave files from the prior version behind, and if infected files remain on the server, another attack is more likely. So perform a clean, fresh installation that includes the OS and all applications such as the ecommerce platform, content management system, templates and plugins. Then transfer the known-good content from the clean backup to the freshly installed server, making sure you retain the right file permissions and avoid overwriting the freshly installed system files.

Change all login credentials

You never know the full extent of the information the hackers acquired. So, regardless of where the breach seems to have originated, create new passwords for every login: server management, SSH, FTP and all the rest. Do not assume any of them is uncompromised. Also generate a new set of secret keys for wp-config.php.

Replace WordPress Core Files

Hackers go the extra mile to do what they do best. If they break into WordPress core, a web host or a popular plugin, they aim to gain access to multiple sites at once. They may not care about a80yva9a dot com specifically, since it is a domain and site without much visitor traffic or reputation, but based on this reasoning it is still worth replacing your web server's copy of the WordPress core files; you can download the latest version of WordPress at http://wordpress.org/latest.zip. In addition, reinstall all your plugins, and check your themes before reinstalling them. It is also worth inspecting the entire wp-content directory for any bizarre files.
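An added example (not from the original article) of the core-file replacement and wp-content inspection above: hash every file in a pristine download and in the live copy, then list files that were modified, files that exist only on the live server (the ones to examine, such as stray PHP in an uploads directory), and files that went missing. The two directory trees are constructed in a temporary directory; the file names and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_trees(clean_root, live_root):
    """Return (modified, extra, missing) paths of live_root versus clean_root.
    'modified' is what to replace from the pristine copy; 'extra' is what to
    inspect by hand before deciding whether it belongs on the server."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    extra = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, extra, missing

def build_demo_trees():
    """Constructed sample: a 'clean' core next to a 'live' copy with one
    altered core file and one unexpected PHP file inside uploads."""
    base = Path(tempfile.mkdtemp())
    files = {
        "clean/wp-includes/version.php": "<?php $wp_version = 'x.y.z';",
        "clean/wp-content/uploads/2024/photo.jpg": "JPEGDATA",
        "live/wp-includes/version.php": "<?php $wp_version = 'x.y.z'; // extra line added on the live server",
        "live/wp-content/uploads/2024/photo.jpg": "JPEGDATA",
        "live/wp-content/uploads/2024/.cache.php": "<?php /* unexpected file in uploads */",
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base / "clean", base / "live"

if __name__ == "__main__":
    clean, live = build_demo_trees()
    modified, extra, missing = compare_trees(clean, live)
    print("modified:", modified)
    print("extra:", extra)
    print("missing:", missing)
```

Against a real site, point the two arguments at the unpacked latest.zip and the server's document root (excluding wp-content/uploads media you expect to differ) and review every path in the extra list.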

Resolve Specific Issues

The steps above apply to any site recovering from a hack, but you may have other issues to address, such as the web server software and the web host. The best antivirus scanners will help pinpoint some security concerns, but no scanner is foolproof, which means your WordPress database can still be compromised. There are service providers who offer not only free scanners but also paid monitoring and cleanup packages. Web hosts such as WP Engine scan for and automatically fix hacking attempts, and they also fix already-hacked sites.

Guarding Against Future Hacks

Once the Apache server is clean again, take some precautions to help keep it that way.

Be proactive with your security

Use a strong password generator, change passwords regularly, keep administrator accounts to a minimum, and remove all unnecessary content from the site to reduce its exposure to attack. Also, if your visitors do not need write permission on the site for uploads, block those functions.

Update applications

It is crucial to update all applications, extensions, plugins and themes once you have restored your backup. Hackers often exploit security holes in themes and plugins, so weigh the risks and benefits before deciding to use a plugin.

Monitor regularly

Take advantage of the monitoring service that Apache offers. You can also use Google Analytics to monitor the site for unusual traffic patterns and other suspicious behavior, and scan your site regularly to make sure it has not been compromised.

The takeaway

A hacked site causes headaches for you, your visitors, and any other servers unfortunate enough to be infected with the malware, spam and other viruses spread by your site. Making the effort to monitor, scan and clean your website regularly goes a long way toward safeguarding your site, your customers and your reputation.