This is a quick/simple howto on detecting and restoring a hacked website. This is not intended to be thorough / complete, just a quick 1st level things that can be tried before escalating to 2nd level sysadmin.
1. Read through the hacked website report support ticket and test the website to see the defaced / problem / hacked website.
2. SSH to server hosting the affected website.
3. Navigate to website's web directory (Check in cpanel/directadmin if unsure which directory to navigate to for the website. In CPanel, it's List Accounts -> search domain). # cd /home/website # cd public_html
4. Find the latest modified files (within 1 day):- # find . -type f -mtime -1 (-1 means files modified within 1 day earlier) - Look for new files, normally .php files - If need to zoom to .php files first (normally those are culprit), run this command:- # find . -type f -mtime -1 -iname "*.php" ./wp-includes/default-widgets.php ./wp-content/themes/theme_v2/home.php ./wp-content/themes/theme_v2/header.php ./wp-content/plugins/related-posts-slider/includes/settings.php
5. Check each file listed above for any signs of tampering. Normal pattern is the file has the following block in it:- <?php eval(gzinflate(base64_decode('pRn9c9o49ufczP0PKuPGuHHAGAihiZN2U7q7M9dtj6Y3c5OkjLBl8GJsr2wINM7/fu9J8kcI2dub67RI1vvU+5KeGvik+cpjfhAxr6n7fPkh1Q3j4e9/O5CLxRoxO8YZrDLOYz7hLIl5FkSzpiVW4a+/itwsiCMC+BMvJE1txUODIKeDAIQU8AnbBGmWNnUX4JMgCjKQJ9EONHdOHFICJIszARKLKcviBJbduUmuvo3/8fnL9WQ8uv42/u16/P63rx9HY5N0FIEWr7KCGdswlyCZgqE+ ……
6. For each file tampered this way, make a backup of it. # cd wp-includes # cp -avi default-widgets.php default-widgets-HACKED.php
7. Try to delete the tampered lines only # vim default-widgets.php - Delete tampered line - Save and test website
8. If deletion result in blank file and/or website still problem, restore that particular file from backup, and repeat test.
9. Repeat steps above with this command:- # find . -type f -mtime -10 -iname "*.php" (-10 means files modified within the past 10 days)
What if too many files have been tampered? How to recover?
Here's a quick way to remove tampered files, specifically of the form above (gzinflate(base64_decode....):-
1. Make a backup of the website folder first, in case you need to restore if something went wrong:- # cd /home/website # cp -avi public_html public_html.20140302
2. Collect all tampered files (if directory is too large, limit to dynamic web files eg php):- # cd /home/website/public_html # find . -type f -iname "*.php" -exec grep -Hi 'gzinflate(base64_decode' {} \; > ~/HACKED
3. For each matching files, remove the tampered line from it:- # cd /home/website/public_html # for file in `awk -F: '{ print $1 }' ~/HACKED`; do echo $file; perl -ni -e 'print unless /gzinflate\(base64_decode/' $file; done
4. Make sure no more tampered files exist:- # cd /home/website/public_html # find . -type f -iname "*.php" -exec grep -Hi 'gzinflate(base64_decode' {} \;
5. Test out the website to ensure operations are all ok.
