Small Project Design

  • 1.  Website Hack: Malware is increasingly prevalent

    Posted 11-17-2011 10:38 PM
    This message has been cross posted to the following Discussion Forums: Practice Management Member Conversations and Small Project Practitioners .
    -------------------------------------------

    Having had my office website hacked by a malware enterprise in the last week, I thought I'd pass along this note in the hopes it might help someone avoid some serious grief.  


    I was very surprised at what I found in researching 'what happened' and 'how to fix it'.  The same features that make 'content management' based websites better for users also have the potential to contribute to their vulnerabilities.  The hack on my site may have originated in a ZenPhoto installation; and through that portal they were able to control my site to direct visitors to a Russian-based malware site (peace_security.ru).  It appears that even when these malevolent sites are known they can continue to operate internationally.


    After struggling for many hours following experts' advice, I finally had to redirect my domain to a static page image hosted elsewhere - as the webmaster (me) is responsible when others are affected by my website.  Even though my site was offline by the second day of the hack - my domain was already blacklisted (by Google and probably other sites).  Blacklisting creates a further mess to clean up.


    Attacking websites has become very prevalent, based on the research I've been doing.  If your hosting provider is not as diligent as it could be in keeping its own software secure - there may be little you can do.  I had not realized that my host had not upgraded to at least the WordPress recommended minimum version of PHP.  Perhaps you are exposed in a similar way.


    Here are some things I learned:


    1. Having backups may not help.  I have access to 30 days of backups; restoring my site only helped for a few hours.  The hackers have backdoors that can survive even a full site restore.
    2. Keeping all CMSs like WordPress and ZenPhoto updated is critical - but may not be enough.  ZenPhoto, I found in my research, had a major attack literally two days before my own site was attacked.  I was attacked before there were any corrective measures available to protect against the vulnerability in ZenPhoto (assuming that's where the entry occurred).  In other words - I was a sitting duck no matter what I might have done.
    3. There are hosts who are helpful - and hosts who are not - when malware strikes.  My host was dismissive, and pushed the problem back to me.  After they were informed of the problem and I sought their help, they sent me a threatening email as a 'malware host'.  It is of course possible that their OWN SERVER software was the weak link.
    4. Databases are NOT necessarily backed up when other backups are done; and it is possible they can be a source of reinfection.  WordPress and all CMS platforms use databases.
    5. Unless the KEYS for the CMS platforms are updated - the hackers may be able to come back at will.  An update to the platform may NOT provide new keys - they may have to be manually installed.
    6. Blacklisting can occur within hours - and then trying to get off the blacklist can take a while.  Your domain is dead in the water until it's off the blacklist.
    7. Some of the hacks have become so stealthy, according to some references, that a full site rebuild on a new host may in the worst case be the only way to finally get clear.


    A whitepaper on this topic that I found today is attached.

    What a headache. 



    -------------------------------------------
    Michael Malinowski AIA
    AIA Regional Director 2012-2014
    Former AIACC VP of Communication and Public Affairs
    Applied Architecture, Inc.
    Sacramento CA
    -------------------------------------------

    Attachment(s): Malware Security Report.pdf (526 KB)
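    Points 1, 4 and 5 above (backdoors that survive a restore, reinfection from files the backup never covered, and keys that stay the same after an update) are the kind of thing a webmaster can check for rather than take on faith. The script below is an added example, not the poster's code or anything from WordPress or ZenPhoto: it walks a restored site tree and flags PHP files sitting in media-only directories, files that carry common backdoor signatures, files whose modification time is newer than the backup they were supposedly restored from, and a wp-config.php whose secret keys are still the placeholder text WordPress ships in wp-config-sample.php. The sample site it builds in a temporary directory, the backup date, the directory names and the signature patterns are all constructed for the demonstration; every hit is a lead for a human to inspect, not proof of compromise.

```python
"""Scan a restored WordPress / ZenPhoto tree for signs a backdoor survived the
restore, and check that wp-config.php keys were actually rotated.
Added example; not the poster's code. Sample files and dates are constructed."""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

# Directories that hold media only in a normal WordPress / ZenPhoto install
# (constructed list); any PHP file under them deserves a look regardless of content.
MEDIA_ONLY_DIRS = ("wp-content/uploads", "albums", "cache")

# Heuristic signatures commonly seen in dropped PHP backdoors. Hits are leads, not proof.
SUSPICIOUS_PATTERNS = [
    ("eval of a decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace with the /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("request parameter called as a function",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
]

# WordPress ships wp-config-sample.php with this placeholder for every secret key.
WP_KEY_PLACEHOLDER = "put your unique phrase here"


def scan_site(root, backup_time):
    """Return a sorted list of (relative_path, finding) for every file under root."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXTENSIONS:
            if any(rel.startswith(d + "/") for d in MEDIA_ONLY_DIRS):
                findings.add((rel, "PHP file inside a media-only directory"))
            text = path.read_text(errors="ignore")
            for label, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(text):
                    findings.add((rel, label))
            if path.name == "wp-config.php" and WP_KEY_PLACEHOLDER in text:
                findings.add((rel, "wp-config.php still uses placeholder secret keys"))
        # A restore from a known-good backup should leave nothing newer than that backup.
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime > backup_time:
            findings.add((rel, "modified after the backup was taken"))
    return sorted(findings)


# Constructed sample site: a few legitimate files, a wp-config.php with the
# stock placeholder keys, and one stand-in for a dropped backdoor.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-config.php": "<?php define('AUTH_KEY', 'put your unique phrase here');\n",
    "wp-content/uploads/2011/11/photo.jpg": "not really image bytes\n",
    # Harmless stand-in: the base64 text decodes to "echo 1;".
    "wp-content/uploads/2011/11/image.php": "<?php eval(base64_decode('ZWNobyAxOw=='));\n",
    "albums/holiday/thumb.php": "<?php echo 'placeholder';\n",
}
BACKUP_TIME = datetime(2011, 11, 10, tzinfo=timezone.utc)          # constructed
BEFORE_BACKUP = datetime(2011, 11, 1, tzinfo=timezone.utc).timestamp()
AFTER_BACKUP = datetime(2011, 11, 16, tzinfo=timezone.utc).timestamp()


def build_sample_site():
    """Write the constructed site to a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="restored-site-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
        # Legitimate files predate the backup; the dropped file is newer than it.
        stamp = AFTER_BACKUP if rel.endswith("image.php") else BEFORE_BACKUP
        os.utime(target, (stamp, stamp))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, finding in scan_site(site, BACKUP_TIME):
        print(f"{rel}: {finding}")
```

    Run against a real restore, pass the root of the restored tree and the timestamp of the backup you restored from; anything newer than that date, or any PHP under the media directories, is a candidate for the reinfection described in point 1. The placeholder check covers only the obvious case from point 5: keys that were set once and never changed can only be confirmed by comparing wp-config.php against the pre-incident copy.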


  • 2.  Website Hack: Malware is increasingly prevalent

    Posted 11-18-2011 09:23 AM
    Michael Malinowski makes an interesting point on hacking websites.

    Since I am Apple/Mac based, I also use iWeb (like some of you do) which is hosted by Apple through MobileMe. Now that Apple has gone to iCloud, iWeb is being discontinued along with MobileMe. I need to either purchase Lion Server and host my own site or go to a hosting company. I presently use Network Solutions for the purchase of my domain name (since 1996). With Michael's experience, I am thinking twice about hosting my own site. Although, I trust Apple's ability to maintain security in their products, having some group hack my site is a bit of a concern. I might just have Network Solutions host it and not have to be concerned about updates and the maintenance of a server. Checking with the (your) potential or current hosting company on their success of warding off hackers is something we all should think about.

    Does anyone have their own server to host their own sites and if you do, what are you using and has anyone been hacked?

    Thanks!

    -------------------------------------------
    Frank Bell AIA
    Principal
    Frank Joseph Bell Architect
    Pittstown NJ
    -------------------------------------------


  • 3.  RE: Website Hack: Malware is increasingly prevalent

    Posted 11-21-2011 08:44 AM
    Hello Frank,

    I've maintained a web site (www.wa-arch.com) for nearly ten years with Dreamweaver, BBEdit, and Interarchy (Apple-based) through Earthlink web hosting. Hacking has never been an issue. Earthlink took care of renewing domain name registrations reliably. Obtaining prompt customer service via telephone became difficult for a while, and I changed to Inmotion this year. So far, so good. Network Solutions web hosting prices look really competitive, especially compared to maintaining a web server in-house.

    Best,
    Philip

    -------------------------------------------
    Philip S. Wheelock, Jr. AIA
    Wheelock Associates Architects
    Uxbridge, MA
    -------------------------------------------