Look familiar? Hopefully not. But if your site now looks like this, it’s bad, but there is hope.  I had my first foray into this world last week when my brother in law’s site was hacked.  It took some digging, but here are the steps to getting your site back again. Part one will cover getting yourself unblocked.  Part two will cover getting your posts and other data back, and part three will get you up and running and take steps to prevent it from happening again.

So the steps:

• Get rid of the offending code,
• verify you are the owner,
• request a review,
• make sure it doesn’t happen again.

Getting rid of the offending code

What happened?  In this case it was pretty clear.  The site was using an older version of WordPress (pre 2.8.3).  WordPress patched it way back in August, so part of me is impressed it took so long to get hacked.  This was a pretty serious security hole; before it was patched it managed to take out a lot of blogs (including Scoble).  Needless to say, if you aren’t running the most recent version of WordPress, or not sure stop reading. Upgrade now.  Looking at access logs it looks like the site was hacked not once, but twice. [Note to hackers: when you hack a site, try applying a patch. it's safer.]

First up is the database.  When the the hole was initially discovered, the recommendation was to NOT export your database, and instead follow a series of other steps.  At the time I would agree with that advice.  Unfortunately, once you hit the blocked list, the intercept message stops you from even logging into your site to do the additional steps.  Instead, we’ll back up the database and the site, then set up a clean room environment to export your data.   Check with your host provider for specifics, but in myPHPadmin select the database and hit export (and download as a zip).

Next up are the files.  Again, we’ll be using these for our cleanroom in part two.  Grab a blank thumbdrive, create a /hacked_site/ directory, FTP to the site and download everything straight to the thumbdrive.  Be sure to get the .htaccess files, since they are more than likely corrupt as well.  Once copied, stop thinking about them.  We’re not opening, clicking on, viewing or even looking at ANYTHING there unless we can do it safely.  That’s in part two.

Now, take a deep breath.

Delete your entire site. Seriously, all of it, especially the .htaccess files.  Don’t be concerned.  Right now no-one in the world can get to your site, and unless you do something about it, no-one ever will.  Part two will try and recover as much as possible, but even if you can’t get everything, at least you’ll be able to start over.  Until your site is unblocked, you can’t even do that.  So delete it. Delete it all.

Now, open up your faveorite text editor and create simple html file:

<html>

     <head>

        <title>Down for repair</title>

     </head>

    <body> Our site was recently hacked.  We've removed all offending code and are in the process of rebuilding the site.  We appreciate you patience. </body>

</html>

Save this as index.html and upload it to your site.  Why?  well, we need to have your site reevaluated, so you need to show you’ve actually taken steps and are ready to be checked again.  If your hosting company has a control panel, you could reinstall WordPress from there, but since the site is still blocked, there is no way to go any further than the default install.

Verify you are the owner

Next go to Google Webmaster tools.  Don’t have an account?  Perfect time to sign up (besides, if you want your site back, you have to).  Once logged in, you need to add your site.  That’s pretty straightforward.  Click on add a site:

Enter the url of the site.  For best practices, start with www.yoursite.com and you can (and should) add yoursite.com later.

Once added, you need to verify.  There are two ways, add a meta tag to your index file, or upload a specific file.  I find it easiest to upload the file:

Upload the file, double check it’s there, then click verify.  In my experience, the process is instantaneous.

Request a review

Almost done.  Once verified,  your Webmaster Tools home screen should have an alert about possible malware.  Click on the link for Request a review, and you’ll be taken to a short form.  In the text area, be sure to outline the steps taken (You completely removed all offending material, and will install the latest, patched version of WordPress)

And then wait.  In my experience it took less than a day to get unblocked.  While you are waiting check out part two (coming soon) where I’ll walk you through the process of recovering your posts.

Unfortunately, like most blogs, it sat untouched (something I’m guilty of too). Last week, he got an email from a friend who tried to go to his site. Instead of his site he was greeted with rather ominous looking red screen:

Not good.

I ftp’d to his site; there was a lot of activity. A bunch of new files had been uploaded in November, and a handful of others in January. Either the November hacker had been active, or (as I suspect), he’d actually been hacked twice.

The version of WordPress installed was older, 2.7.x; latest and greatest when installed, but never upgraded. Since 2.7, there were major holes discovered, and it’s not a stretch to assume that’s what they used (though I don’t feel too bad, Scoble’s blog was also hacked this way).

I archive the site, and will post a forensic review later, but mostly redirects to a Russian pharm site, changes to .htaccess to fake out the search engines (though he didn’t have mod_rewrite installed, so ineffective), in all pretty generic, so I suspect the site was hacked 100% via script– no user intervention whatsoever.

Since their weren’t any real updates on the site, I was comfortable starting over from scratch. I didn’t want to risk any backdoor and go through all of this again. I migrated to a different host (not that a different host would matter, the new host is just one I use regularly with my other clients, which makes it more likely I’d catch it when checking on another client). Reinstalled the latest version of WordPress, and started to rebuild his site.

Once completed, I went to look at the new, improved, malware-free version of the site. Lo and behold I was still greeted with the red screen of terror. No worries, I figured I’ll get the site fully tweaked and then deal with that issue.

There’s an option to ignore the warning (which, in any case except this I would not recommend,) so I clicked through to finish up my WordPress configs. No dice. the google intercept disabled all the css and JavaScript (which is a good thing). I tried it in Firefox, Chrome, Opera, and Safari (pretty sure there was ONE other browser which would have worked…) . So at this point I couldn’t actually log into the site.

This is where I got my introduction to Google’s Webmaster tools. With all my SEO work, Google SEO tools have always been sitting in the back on my to-do list; my work with clients focuses on honing filenames, leveraging social media, xml site map etc. By sticking to the fundamentals, my clients have been wildly successful, so the webmaster tools have been on the back burner.

In order to unblock a site you need to (obviously) remove what’s offending and then, as the site owner, submit your site for review. Proving you’re the owner is pretty straightforward, and similar to Google’s verification for other products– you either add some META to your index page or (if you’re a WordPress owner who can’t log in to adjust the META…), you upload a unique page. Once you’ve verified the site’s yours, there’s a simple form to request a re-evaluation. After about an hour his site was back up and running, sans Russian pharm.

One takeaway for me is I was forced into the Google webmaster tools, and I must say I’m impressed and it’s begun me exploring it further. For my next post I’ll dive a bit deeper into the toolkit and show how you can increase your pagerank and improve the overall quality of your site.

Now this is all well and good, and I have to say I’m a fan of malware intercepts and the webmaster’s tool in general, but I believe I’ve discovered a fundamental flaw in the system… Bonus point if you can figure it out, otherwise wait for my next post.