What to do if your site gets hacked on shared hosting (HostGator or Unix)

For HostGator, immediately send an email to security@hostgator.com

  1. If you have a smaller site, they usually back it up. So talk to someone on chat and ask for a restore.
  2. If there is no restore, ask security to change all your FTP and MySQL user passwords to new ones.
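  3. Find just the files from 1 day ago and delete them with a single command. Note that -mtime -7 as written matches files modified within the last 7 days; -mtime -1 limits it to the last 1 day. Run the find without -exec first to review the list:
    find . -type f -mtime -7 -exec rm -f {} \;
    http://www.unix.com/unix-dummies-questions-answers/50465-create-list-files-were-modified-after-given-date.html
  4. OR find both directories and files from 1 day ago and delete them (rm -rf removes a matched directory together with everything inside it, including older files):
    find . -mtime -7 -exec rm -rf {} \;
    http://www.cyberciti.biz/faq/linux-unix-how-to-find-and-remove-files/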
  5. Make sure you protect your images directory from PHP scripts running inside it. Put this in a .htaccess file inside the images directory:
    <Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
    order deny,allow
    deny from all
    </Files>
    http://forum.powweb.com/archive/index.php/t-62384.html
    http://mysql-apache-php.com/fileupload-security.htm
  6. You can copy the above .htaccess file into every images directory with this command (/.htaccess is the path of the file to copy):
    find . -type d -name "images" -exec cp /.htaccess {} \;
  7. Set all your files and directories back to safe permissions:
    find . -name "*.php" -type f -exec chmod 644 {} \;  # for PHP files
    find . -type d -exec chmod 755 {} \;  # for directories
    http://www.cyberciti.biz/faq/linux-list-just-directories-or-directory-names/
  8. Check for hidden directories:
    find /path/to/dest/ -iname ".*" -type d
  9. Disable dangerous PHP functions
    http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/ 
  10. To find strings inside PHP files, do this:
    find . -iname '*php' | xargs grep 'string' -sl
    http://www.netsupportchat.com/2010/10/find-in-files-for-unix-linux-freebsd-find-string-in-files/
  11. To fix PHP permissions, see http://www.uno-code.com/?q=node/93
  12. You can replace files using:
    find . -type f -name "maker.php" -exec cp newmaker.php {} \;
  13. Find recently changed files:
    find . -mmin -1  # files changed less than 1 minute ago
    find . -mtime +1  # files changed more than 48 hours ago
    find . -mmin +5 -mmin -10  # files modified between 6 and 9 minutes ago
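
A read-only way to review what steps 3, 5, 7, 8 and 13 would touch before deleting or changing anything. This is an added example, not from the original post; the function names, the triage.sh file name and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a web root; it deletes and changes nothing.
# Function names and the sample tree are illustrative, not from the original post.

# Regular files modified within the last N days (steps 3 and 13).
recent_files() { find "$1" -type f -mtime "-$2" -print; }

# Script-like files inside any "images" directory (what step 5 blocks).
scripts_in_images() {
    find "$1" -type f -path '*/images/*' \
        \( -name '*.php' -o -name '*.php?' -o -name '*.pl' \
           -o -name '*.cgi' -o -name 'php.ini' \) -print
}

# Hidden directories below the web root (step 8).
hidden_dirs() { find "$1" -mindepth 1 -type d -name '.*' -print; }

# Files or directories writable by everyone (what step 7 resets).
loose_perms() { find "$1" \( -type f -o -type d \) -perm -0002 -print; }

# Print one labelled report for DIR covering the last DAYS days.
triage() {
    echo "== modified in last $2 day(s) =="; recent_files "$1" "$2"
    echo "== scripts under images/ ==";      scripts_in_images "$1"
    echo "== hidden directories ==";         hidden_dirs "$1"
    echo "== world-writable ==";             loose_perms "$1"
}

# Constructed sample web root for trying the functions; prints its path.
make_sample_tree() (
    umask 022
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/images" "$d/.cache" "$d/uploads"
    echo '<?php /* old page */' > "$d/index.php"
    echo 'png' > "$d/images/logo.png"
    touch -t 202001010000 "$d/index.php" "$d/images/logo.png"   # old files
    echo '<?php /* dropped */' > "$d/images/thumb.php5"          # new script
    chmod 777 "$d/uploads"
    echo "$d"
)

# Usage: sh triage.sh /path/to/public_html 7
if [ -n "${1:-}" ]; then triage "$1" "${2:-7}"; fi
```

Save the report before cleaning up, so you can compare it with a second run afterwards.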
