What to do if a site gets hacked on shared hosting (HostGator or Unix)

For HostGator, immediately send an email to security@hostgator.com

  1. If you have a smaller site, they usually back it up. Talk to someone on chat and ask for a restore.
  2. If there is no restore, ask security to change all your FTP and MySQL user passwords to new ones.
  3. Find just the files from 1 day ago and delete them using a single command: find . -type f -mtime -7 -exec rm -f {} \; (note that -mtime -7 matches everything modified in the last 7 days; use -mtime -1 for the last day only)
  4. OR find both directories and files from 1 day ago and delete them: find . -mtime -7 -exec rm -rf {} \;
  5. Make sure you protect your images directory from PHP scripts running inside it. Put this in an .htaccess file inside the images directory:
    <Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
    order deny,allow
    deny from all
    </Files>
  6. You can copy the above .htaccess file to every images directory with this command:
    find . -type d -name "images" -exec cp /.htaccess {} \;
  7. Modify all your directories back to safe permissions
    find . -name "*.php" -type f -exec chmod 644 {} \;  # for PHP files
    find . -type d -exec chmod 755 {} \;  # for directories
  8. Check for hidden directories
    find /path/to/dest/ -iname ".*" -type d
  9. Disable dangerous PHP functions
  10. To find strings inside PHP files, do this: find . -iname '*php' | xargs grep -sl 'string'
  11. See http://www.uno-code.com/?q=node/93 to fix PHP permissions
  12. You can replace files using find . -type f -name "maker.php" -exec cp newmaker.php {} \;
  13. Find recently changed files with find . -mmin -1 (files changed less than 1 minute ago), find . -mtime +1 (files changed more than 48 hours ago), or find . -mmin +5 -mmin -10 (files modified between 6 and 9 minutes ago)
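
An added example, not part of the original post: a read-only pass over the web root that lists what steps 3 to 8 would act on, so the findings can be reviewed before anything is deleted or changed. The function name triage_webroot, the tag names and the 7-day default are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a web root. Prints "TAG<TAB>path" lines
# and changes nothing. Assumes file names contain no newlines.

tag() {  # prefix each path read from stdin with the finding name in $1
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

triage_webroot() {
    root=${1:?usage: triage_webroot ROOT [DAYS]}
    days=${2:-7}

    # Steps 3, 4 and 13: files modified within the last $days days.
    find "$root" -type f -mtime "-$days" | tag RECENT

    # Step 5: script files sitting inside any images directory
    # (same extensions the .htaccess rule denies).
    find "$root" -type f -path '*/images/*' \
        \( -iname '*.php' -o -iname '*.php?' -o -iname '*.pl' \
           -o -iname '*.cgi' -o -name 'php.ini' \) | tag SCRIPT_IN_IMAGES

    # Steps 5 and 6: images directories that still lack an .htaccess file.
    find "$root" -type d -name images | while IFS= read -r d; do
        [ -f "$d/.htaccess" ] || printf 'NO_HTACCESS\t%s\n' "$d"
    done

    # Step 7: files or directories writable by "other" (looser than 644/755).
    find "$root" \( -type f -o -type d \) -perm -002 | tag WORLD_WRITABLE

    # Step 8: hidden directories below the root.
    find "$root" -type d -name '.*' ! -path "$root" | tag HIDDEN_DIR
}

# Example: sh triage.sh /path/to/public_html 7
if [ "$#" -gt 0 ]; then triage_webroot "$@"; fi
```

Saving the output to a file outside the web root gives a record of what was found before cleanup starts.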
