How My Website Got Hacked And How I Quickly Recovered


I just wanted to thank everyone who emailed me last week to let me know that one of my articles was hacked. Thanks to all of you, I discovered the problem article and was able to take action immediately.

While this wasn’t the first time that I’ve been hacked, this was the first time that the intrusion had nothing to do with my server at all.

What Happened Exactly?

Photo By Wonderlane

Shortly after publishing my last article, How Our Online Business Needs To Be Improved, I received a flood of emails letting me know that Google had flagged the article as malware.

When I went to see the article myself, I was greeted by a sea of red with the words “This Is A Reported Phishing Website!!”.

At first I panicked, because I was worried that my online store had also been compromised. But luckily the intrusion was limited to only that single blog article.

Ultimately, I narrowed the problem down to a third-party ad server that had been hacked and was serving bad advertisements to my blog.

In short, the malware didn't originate on my server. I embed JavaScript from third-party ad vendors, so when one of those vendors got hacked, their bad code was served through my pages.

This illustrates why I hate using third-party JavaScript on my site and why in general I try to avoid it like the plague. A script you pull in with a script tag runs with the same privileges as your own code on that page, so it can rewrite your content, redirect your visitors or read anything your own scripts can read. On top of that, bad third-party JavaScript can slow down your site or even cause it to crash, and it's all out of your control.
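The browser does offer two controls that narrow what a third-party script can do. Subresource Integrity (SRI) lets you pin a script tag to a hash of the exact file you reviewed, and the browser refuses to run anything else; a Content-Security-Policy header lets you restrict which origins may supply scripts at all. The block below is an added example, not code from the original post or from any ad vendor: it builds an SRI-protected tag, simulates the browser's check against a tampered copy, and formats a CSP header. The script bytes and the ads.example URL are constructed placeholders.

```python
"""Added example: Subresource Integrity and CSP for third-party scripts.
Not the author's code; the script body and origin are made up."""
import base64
import hashlib

# Constructed sample: the vendor's script as reviewed, and the same file
# after a hypothetical compromise appended a redirect to a phishing page.
ORIGINAL_SCRIPT = b"window.adLoader = function () { /* render ads */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"window.location = 'http://phish.example/';\n"


def sri_integrity(script_bytes, algo="sha384"):
    """Value for the integrity attribute: '<algo>-<base64 digest>'.
    sha384 is the common choice; browsers also accept sha256 and sha512."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src, script_bytes):
    """Script tag pinned to the reviewed bytes. crossorigin is required for
    SRI on cross-origin scripts, and the vendor must send CORS headers."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_bytes)}" '
            'crossorigin="anonymous"></script>')


def browser_would_execute(integrity, fetched_bytes):
    """What a browser does on load: recompute the digest of what it actually
    fetched and run the script only if it matches the pinned value."""
    algo = integrity.split("-", 1)[0]
    return sri_integrity(fetched_bytes, algo) == integrity


def csp_header(script_origins):
    """CSP that allows scripts only from your own origin and listed vendors.
    object-src 'none' blocks plugin content, frame-ancestors limits framing."""
    allowed = " ".join(script_origins)
    return ("Content-Security-Policy: default-src 'self'; "
            f"script-src 'self' {allowed}; object-src 'none'; frame-ancestors 'self'")


def demo():
    """Pin the reviewed script, then see what happens when the vendor's copy
    changes under you: the original runs, the tampered file is refused."""
    pinned = sri_integrity(ORIGINAL_SCRIPT)
    return {
        "tag": script_tag("https://ads.example/loader.js", ORIGINAL_SCRIPT),
        "original_runs": browser_would_execute(pinned, ORIGINAL_SCRIPT),
        "tampered_runs": browser_would_execute(pinned, TAMPERED_SCRIPT),
        "csp": csp_header(["https://ads.example"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats apply to the situation in this post. SRI only works for a script whose bytes you can review and pin; ad networks change their loader constantly, so a pinned tag would simply stop showing ads (which, given the alternative, may be what you want). And a CSP allowlist doesn't help when the compromised origin is one you had to allow; for ads the stronger isolation is to load them inside a sandboxed iframe on a separate origin so the vendor's code never runs on your page at all.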

In any case, instead of just telling you how I got hacked, I thought that I’d take the time to show you how I narrowed down the hack and how I protect my websites from excessive downtime due to malicious hackers.

Getting hacked is inevitable, so you need a plan on how to get your website back up quickly when it happens.

Backups Backups Backups

Effectively protecting yourself from hackers starts by backing up your site on a regular basis. It’s not good enough just to do manual backups of your site because sooner or later you’ll forget to do it.

Trust me! And due to Murphy’s Law, the day that you forget to backup your site is the day that you will get hacked. Just take my word for it.

The best way is to automatically back up your site using cron. I've already written an article on How To Automate Backups that you should definitely check out. In addition to that article, I now also take one extra precaution.

These days, I also email my backups to three separate email accounts. It's not good enough to store your backups only at home or only on your server. If you do mail them around, encrypt the archive first (gpg works fine): a database dump contains your users' password hashes and your config files contain database credentials, and a mailbox is no place for either in the clear.

After all, if there’s a fire or if your server dies, you could still lose everything. It’s better to store your information “in the cloud” if possible.

I also tend not to rely on my webhost for backups. Why? It's because I don't trust them to do as good a job as I would. I don't trust them to be as anal about it as I am.

Also, a backup is no good unless you know it can be restored. If you rely on your webhost, you'll never know whether their backup is restorable until the day you need it.

Detection Detection Detection!

The other crucial component is detecting when you've been hacked. I have several safeguards in place to detect an intrusion that are outlined in my article on How To Minimize Downtime When Getting Hacked.

These days, I'm also a bit more paranoid, so I run a program called LFD (Login Failure Daemon), which ships with the ConfigServer csf firewall package, on my server as well. This daemon watches the server's log files and basically logs every single login to my server, including all FTP attempts, SSH attempts etc.

That way, if anyone other than me accesses my server, I know immediately via email. In addition, LFD automatically locks out any user that fails to log in 3 times in a row and permanently blocks their IP.
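To make the detection idea concrete, here is an added example (my own illustration, not LFD's code and not the author's setup) of the two things described above: count failed logins per source address within a time window and block the address once it crosses a threshold, and raise an alert on every successful login from an address you haven't marked as trusted. The log lines are constructed in sshd's syslog format; the threshold of 3 follows the author's configuration, and the year is assumed because syslog timestamps don't carry one.

```python
"""Added example: a small login-failure monitor over sshd log lines.
Not LFD's code; the log lines below are constructed and use documentation IPs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

# Constructed sample: a brute-force run from one address, a single typo from
# another, then the owner's own key-based login.
SAMPLE_LOG = """\
Mar 14 10:01:02 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 14 10:01:05 web sshd[2203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 14 10:01:09 web sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar 14 10:01:12 web sshd[2207]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 14 10:02:40 web sshd[2210]: Failed password for steve from 192.0.2.9 port 51000 ssh2
Mar 14 10:03:00 web sshd[2212]: Accepted publickey for steve from 198.51.100.7 port 50001 ssh2
"""


def parse_ts(line, year=2010):
    """Syslog timestamps have no year; the caller supplies one (assumed)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def analyse(lines, max_failures=3, window_seconds=600, trusted=()):
    """Return (blocked_ips, alerts). An IP is blocked once it has
    max_failures failures inside the sliding window; every successful
    login from an address not in `trusted` produces an alert."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = set()
    alerts = []
    for line in lines:
        ts = parse_ts(line)
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures and ip not in blocked:
                blocked.add(ip)                # real tooling would add a firewall rule here
                alerts.append(f"BLOCK {ip} after {len(q)} failures (last user '{user}')")
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if ip not in trusted:
                alerts.append(f"LOGIN {user} via {method} from {ip}")
    return blocked, alerts


if __name__ == "__main__":
    blocked, alerts = analyse(SAMPLE_LOG.splitlines())
    print("blocked:", sorted(blocked))
    for a in alerts:
        print(a)
```

Note what the window buys you: with a 10-minute window the three quick failures from 203.0.113.5 trigger a block, while a single mistyped password from 192.0.2.9 does not; shrink the window to a few seconds and the same burst no longer qualifies. Permanent blocks, as the author uses, are simple but mean one fat-fingered session from a coffee shop can lock you out too, so keep your own addresses in the trusted list or have a second way in.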

Make Everything Automated

Once you have your backups and detection mechanisms in place, make sure that you can easily execute your recovery plan. Whenever I get hacked, I still panic even though I know I’m prepared.

As a result, I tend to forget how to do things on the fly because I'm not in a good state of mind. That is why I implement push-button scripts that do everything for me.

  • I have a script that automatically restores the latest database backup
  • I have a script that tells me any file differences between what is live and my last backup
  • I have a script that detects any changes at all to the website since my last update

What I Did That Day

So when I first discovered that one of my webpages had been compromised, the first thing I did was run my MD5 checksum script to see if a hacker had managed to change any website files.

Just in case, I also ran my “difference checking” script to see if any files were changed since my last backup. The answer was no.

Then I checked to see how my database had changed since my last backup (I do backups once a day) and didn’t see anything suspicious. I had only posted one new article and answered a few comments.

There were no malicious SQL-related changes as far as I could tell. The database intrusion check is the only manual step of my process.

Because my database changes multiple times on any given day, it’s difficult to compare it to a backup automatically unless I do more frequent backups.
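The manual step above can be at least partly automated without more frequent backups: compare today's dump to yesterday's row by row, keyed on each row's primary key, and flag any new or changed row whose content carries markup that has no business in a blog post. The block below is an added example, not the author's process. It assumes dumps produced with mysqldump --skip-extended-insert (one INSERT per row; mysqldump escapes embedded newlines, so each row stays on one line), that the first column is the primary key, and the two dump excerpts are constructed with a legitimate new article, a new comment, and an iframe injected into an existing article.

```python
"""Added example: row-level diff of two mysqldump files with a heuristic
flag for injected markup. Not the author's code; the dumps are constructed."""
import re

ROW_RE = re.compile(r"^INSERT INTO `?(\w+)`? VALUES \((.*)\);$")
# Strings that rarely belong in legitimate post or comment content.
SUSPICIOUS = re.compile(r"<script|<iframe|eval\(|base64_decode|document\.write", re.I)

BASELINE_DUMP = """\
INSERT INTO `posts` VALUES (1,'How To Automate Backups','Use cron to run the backup script nightly.');
INSERT INTO `posts` VALUES (2,'How Our Online Business Needs To Be Improved','Here is what we plan to change.');
INSERT INTO `comments` VALUES (10,2,'Great post, thanks.');
"""

CURRENT_DUMP = """\
INSERT INTO `posts` VALUES (1,'How To Automate Backups','Use cron to run the backup script nightly.');
INSERT INTO `posts` VALUES (2,'How Our Online Business Needs To Be Improved','Here is what we plan to change.<iframe src="http://bad.example/" width="0" height="0"></iframe>');
INSERT INTO `posts` VALUES (3,'How My Website Got Hacked','Last week one of my articles was flagged.');
INSERT INTO `comments` VALUES (10,2,'Great post, thanks.');
INSERT INTO `comments` VALUES (11,3,'Glad it was not worse.');
"""


def parse_dump(text):
    """table -> {primary key: raw value list}. Only INSERT lines matter here;
    CREATE TABLE and the rest of the dump are ignored."""
    tables = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        table, values = m.groups()
        row_id = values.split(",", 1)[0]      # assumption: first column is the key
        tables.setdefault(table, {})[row_id] = values
    return tables


def diff_dumps(baseline_text, current_text):
    """Per table: keys added, removed and modified since the baseline, plus
    the subset of added/modified rows that match SUSPICIOUS."""
    base, cur = parse_dump(baseline_text), parse_dump(current_text)
    report = {}
    for table in sorted(set(base) | set(cur)):
        b, c = base.get(table, {}), cur.get(table, {})
        added = sorted(set(c) - set(b))
        removed = sorted(set(b) - set(c))
        modified = sorted(k for k in set(b) & set(c) if b[k] != c[k])
        if added or removed or modified:
            report[table] = {
                "added": added,
                "removed": removed,
                "modified": modified,
                "suspicious": sorted(k for k in added + modified if SUSPICIOUS.search(c[k])),
            }
    return report


if __name__ == "__main__":
    for table, changes in diff_dumps(BASELINE_DUMP, CURRENT_DUMP).items():
        print(table, changes)
```

The point of keying on the primary key is that a normal day's activity (a new article, a few comments) shows up as additions you expect, while an edit to an article you didn't touch shows up as a modification, and that short list is what you actually need to read. The SUSPICIOUS pattern is only a heuristic; treat a hit as a reason to look, not as proof, and expect to tune it for a site that legitimately embeds scripts or iframes.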

Finally, I checked my LFD logs, and no one had accessed my server at all. Since my files and database were intact, the only culprit left was the third-party JavaScript on my site.

I use four different ad networks, all of which serve ads on my site in rotation. After Googling about ad servers being compromised, I discovered that many other webmasters had been experiencing the same thing.

Even though I took an in-depth look at the code, the malicious code was no longer being served, so I sent Google a request to remove the article from its malware list.

As an added precaution I’ve removed the ads from my blog for now. Once the coast is clear, I’ll put them back. The moral of the story here is that getting hacked is just something you have to deal with as a webmaster.

It sucks and it will happen eventually. You just have to know how to deal with it and recover. Hope this article helps you defend yourself from future attacks.



21 thoughts on “How My Website Got Hacked And How I Quickly Recovered”

  1. Thanks for some great information. I’m glad it wasn’t worse. You are a savvy guy with computers and know what you’re doing. I don’t have a website, just a blog which soon will also be my business HQ. I signed up with SiteUp, thanks.

    I love this blog from its title to its intelligent, resource-filled posts. Thanks for keeping it out here where I can find it. I worried how long it would take you to get back to publishing it.

    Maryellen

  2. Howdy, Steve!

    I am a true Native (Southern) Californian … Los Angeles to be precise … who transplanted in early 2009 to Greensboro, NC. I can’t remember how I originally found you … through Google or a Google ad I suspect, but I have been a subscriber for a month or two and wanted to take a few minutes to let you know how inspiring you are to me and the aspirations I have for my little family, which consists of my husband and our 16-1/2 month old daughter. I will be 41 years old next Wednesday and I will be working on three business plans (believe it or not!) as soon as my student teaching requirement is completed next Friday. So … thanks for being around and not allowing me to be a Lazy Piece of Crap. XD

    Also wanted to say that I’m really glad that your downtime was minimal and that the malware/hacking issue only put what seems to be a small monkey wrench in the program. (Rhetorical question: why do people spend so much time writing bad code created solely for the purpose of effing up someone else’s reality??) A pox on their beards!! Anyway, sending my best to you and yours!

    Namaste,
    Kaiya

  3. Hi Steve, nice article. You have mentioned good steps to keep the bad guys away. I do believe that prevention is always better than cure, because of that it’s nice to be as up to date as soon as possible, then you can simply halve your security problem, and backup is a must. Good Day Man!

  4. Hi there Steve. Wow…this was a potential nightmare. I’m so glad you were prepared. Thanks a ton for the suggestions. This info is useful to anyone with a website.

  5. Steve, thanks for this. I am very new to all this and will follow your recommendations. What a nasty experience!

  6. Thanks for the great information. Now i know how to back up everything, Big or Small.

  7. I can’t thank you enough for this detailed post and earlier posts it links to. I am running a few sites and some of them are very large and I’m increasingly worried about backups and hackers. I am going to do my best to follow all the steps you list here.
    BTW, I enjoy your blog – it’s one of the few IM blogs I still read!

  8. Hi, I agree that using third party javascript is a very risky move, even from the large companies as they are always targeted. We push our clients towards more auditing type methods of website security so the hacking vulnerabilities are found beforehand. http://www.websafe.ie was one that helped us track a few subtle issues down.

    The main issue I see with your story above is that it took Google’s malware flag for you to respond to your vulnerability, which means that the hacked javascript was present for some time.

  9. John O. says:

    I agree with John A. Scanners like websafe and Sucuri can only do so much. They can only parse the html / js, and monitor behavior (redirects, downloads, etc.). Google Safe Browsing takes time to detect the malware, especially if the domain has a low page rank and does not get crawled frequently.

    Have the site professionally reviewed if you have been hacked. Malfarmed.com. This company is owned by Convurje who provide web application security services.

  10. Yes backup is the only way to restore the site back to normal..! Cleaning process takes time and its a tedious one..!

  11. Nice Article. Now I came to know that, Yes backup is the only way to restore the site back to normal..!

  12. OMG- My website got hacked last year, and it was such a mess. I had 2 other websites hosted on my same FTP server, and they were all being redirected to some weird website selling pharmaceuticals or something. I worked on it for probably 2 days before I gave in and started looking for professional help. I found a website called eSecurityPros.com and worked with their technicians. They had my sites completely fixed, up and running in a day. The whole thing costs about $200, but definitely worth it. I’d recommend them to anyone.

  13. There are a lot of scam companies that claim to be experts in malware removal. eSecurityPros.com has only been in business for about 5 months. Trust real experts, with security credentials and degrees – scurit.com. We also don’t charge 200.00 because we know what we are doing and have been in the industry for over 15 years, not 5 months.
