Cleaning after a hack

Here are some tips for cleaning up after your site/server has been hacked.

Look at the files that don’t belong - find a common pattern. Most have one.

Use grep -rl pattern * to find all the affected files. If you pipe the output to a file, you can turn it into a script that can automatically delete them. However - be careful to leave any files that are important. Those will have to be cleaned up manually.

If you run into permission issues, where the files were created by ‘nobody.nobody’ or ‘apache.apache’, you can use PHP’s system command to execute the rms - like so:


system('rm -f badfile.file');

Check your error logs and access logs, as well as your stats to find any additional files.

Avoid chmod 777 - although there are times when it is necessary. This is a hazard of administering a site through the web. An excellent alternative is to always chmod 755 after you edit those files, if possible. This won’t work for caches, template compilation directories, or file upload areas.

Don’t forget to escape the input, for both command lines and SQL statements, and validate on both the client and server side.

Be sure to identify how the hacker got in, whether it was an outdated application with security holes, SSH, your code, or some other failure. Resolve that issue.

Remember that there may be more than one symptom of the hack. My server was being used to distribute files, run a phishing scam (no page requests were processed when I found it), and links to other servers in hacked templates.

If you have a hosting company, it is good to contact them for help - especially if there is any sort of phishing or other financial scam involved.

Finally, sometimes it is better to delete a corrupted application, or reinstall it.

Good luck:!: