What to do if Your Site was Compromised
Published on 11/21/2014
From my personal experience, I have become aware of a widespread problem involving compromised sites. I still don’t know how they got in, but I believe that I have resolved the problem on my site. The proof of that is the number of 404 errors reported to me by Google Webmaster Tools. The same information also let me know of several others who are experiencing similar problems.
*Note: I am speaking from my own experience and only about two kinds of site compromises. For more complex issues, please consult a professional.
I have begun sending emails to notify some of these people of the problems that I have observed. There is no way for me to reach everyone so I am doing my best to share the information.
I have come up with three simple tests that may alert you to an existing problem.
1) Go to your site. Right-click your page to view the page source (how you do this varies by browser). If the first line of code is a SCRIPT statement, then you may have a problem. Repeat for your other pages.
2) Go to your site. Right-click your page to view the page source (how you do this varies by browser). Go to the second-to-last line of code. If it is a huge line (3000+ characters) ending in the “close body” tag “</body>”, then you have a problem.
3) Go to this page on your site, YourSite.com/ssfm.asp. It probably shouldn’t be there and you should get a 404 error message. If it is there, it will most likely redirect you to another site completely. I don’t care to name the site directly but the shoes are a good clue. If you see Shoes, You Have a Problem.
The fourth is not really a test. With my simple HTML5 site, I have created every single file that should be uploaded. When I looked at the timestamps shown in my FileZilla FTP tool, it was easy for me to see when changes were made. By keeping an eye on the timestamps of my files, it is easy to see when someone has been tampering with my site.
One more indicator can be found if you use Google Webmaster Tools. Besides telling you if links on your site have problems, as the web crawlers visit other sites, they can find links to your site that have problems. It was one of these that first indicated that I might have a problem.
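Tests 1 and 2 and the file check can be scripted so they run the same way every day. The following is an added example, not part of the original post; it assumes you keep a clean local copy of the site and a downloaded copy of what is currently live, and it goes beyond timestamps by comparing SHA-256 digests. The sample pages and directory names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

LONG_LINE = 3000  # "huge line" threshold taken from test 2 above


def check_page_source(html):
    """Apply tests 1 and 2 to one page's source; return a list of findings."""
    findings = []
    lines = [ln.strip() for ln in html.splitlines() if ln.strip()]
    # Test 1: the first line of the page is a SCRIPT statement.
    if lines and lines[0].lower().startswith("<script"):
        findings.append("first line is a <script> tag")
    # Test 2: a huge line ending in </body> among the last two lines.
    findings += ["%d-character line ending in </body>" % len(ln) for ln in lines[-2:]
                 if len(ln) >= LONG_LINE and ln.lower().endswith("</body>")]
    return findings


def build_manifest(root):
    """Map every file under root (a Path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_clean(clean, live):
    """List files added, removed or changed relative to the clean copy."""
    return {"unexpected": sorted(set(live) - set(clean)),
            "missing": sorted(set(clean) - set(live)),
            "modified": sorted(f for f in set(clean) & set(live) if clean[f] != live[f])}


def demo():
    """Constructed sample: a clean copy of a site and a tampered live copy."""
    good = "<!DOCTYPE html>\n<html>\n<body>\n<p>Hello</p>\n</body>\n</html>\n"
    bad = ("<script src='x.js'></script>\n<html>\n<body>\n<p>Hello</p>\n"
           + "<div>" + "a" * 3000 + "</div></body>\n</html>\n")
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live): d.mkdir()
        (clean / "index.html").write_text(good)
        (live / "index.html").write_text(bad)
        (live / "ssfm.asp").write_text("placeholder")  # file name from this page
        diff = compare_to_clean(build_manifest(clean), build_manifest(live))
    return check_page_source(good), check_page_source(bad), diff


if __name__ == "__main__":
    print(demo())
```

Any entry under "unexpected" or "modified" that you did not upload yourself is a file to inspect and replace from the clean copy.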
What Can You Do?
My service provider has indicated that they believe the blog attached to my site is part of the problem. In an effort to regain security, I have changed passwords for my blogs as well as site access passwords. Change your passwords regularly.
Upload Clean Pages:
You or your Webmaster should upload clean copies of your website. You should also find and remove any files that you did not put there. (I found ssfm.asp and default.asp files on my site.)
Check Your Site Daily:
Institute daily checks for any changes on your site. Keep a clear record of changes that you make. When looking at my site with FileZilla, I can easily see when the last changes were made.
What Else Can We Do?
I have already reported the problem to my service provider four times. They seem to have limited capability for blocking or fixing this problem. Of course, they are quite willing to sell me services to let me know when a problem occurs.
Should we Involve the Authorities?
I have considered reporting everything I have learned to the Authorities in the US. I am quite concerned that their response would be to simply shut down the affected sites. Why should we let them do that when it is easy enough to fix the immediate problem?
Black Friday Could Become Bleak Friday:
I have uncovered what seems to be a widespread problem that may be intended to pirate massive amounts of traffic for the upcoming Black Friday and Cyber Monday sales. What happens when people trying to reach your site suddenly find themselves at another site? Black Friday could become Bleak Friday! How much money could you lose? Have you checked your site yet?
Have You Checked Your Website Today?
Has Your Website been Hacked or Hijacked?