Australia's Leading Computer Emergency Response Team

You have been advised your web site is compromised - what now?
Date: 15 November 2009
Original URL: http://www.auscert.org.au/render.html?cid=1919&it=11962

Why has AusCERT contacted me?

You are probably viewing this page because you have received advice from AusCERT that a web site, for which you are listed as a contact for, has possibly been compromised and could be being used by criminals to install malware on (infect) computers that connect to these pages.

DO NOT click on the link(s) to the page(s) that we have informed you may be malicious as there is a high possibility your computer may become infected with malware.

Does AusCERT have any more information about this incident?

No. AusCERT includes in the email message the URL/s and IP address/es current for the site at the time of the report. This is the only information that can be provided. AusCERT does not have any information that indicates what methods were used to compromise the website(s), nor any specific recovery procedures.

How can I investigate and confirm the report of malicious code on my site?

  • If you are unfamiliar with website coding you may wish to have your hosting provider confirm the report for you as to avoid having your machine infected. As web site compromises are often the result of automated scanning and exploitation, we would also suggest that you or your hosting provider check all web site directories for evidence of additional compromises.
  • If you wish to review the code in the relevant page/s yourself, first ensure you turn off JavaScript in your web browser. This will prevent any potentially malicious JavaScript code executing and possibly infecting your computer. For more information about identifying and recovering from your web site compromise, the following link should help:

    http://www.stopbadware.org/home/security

  • Additionally, Google provides a page entitled 'Webmasters help for hacked sites', which may provide some useful advice to assist you in mitigating this issue:

    http://www.google.com/webmasters/hacked/

  • There are also other products/services on the web that can analyse your site and inform you of suspicious code. Some examples include:

    Norton Safe Web - http://safeweb.norton.com
    AVG LinkScanner - http://linkscanner.avg.com
    McAfee SiteAdvisor - http://www.siteadvisor.com/webmasters
    Wepawet - http://wepawet.iseclab.org

    Ok I have found suspicious/malicious code. What now?

    If malicious code is found, there are a number of steps you should take to clean the site.
  • Firstly, you must realise that cleaning your site is much more than simply deleting the malicious code you find.
  • You should check for other occurrences of the code in your site as it may have been added to multiple pages.
  • As well as removing the malicious code, you need to find out how it got there. Your hosting provider may be able to help with this.
  • Generally speaking the best way to identify how your site was compromised is to look at the web access logs, the ftp access logs and check what software is running on the site and whether it is the latest version. Old software has a greater risk of having vulnerabilities in it, which are commonly known and exploited by attackers. The access logs will show who has accessed the site via the web and ftp. If there are any strange connections and requests, please notify your hosting provider.

    What can I do to stop search engines marking my site as malicious?

    A number of search engines have projects that identify malicious websites and inform people who are about to connect to them. If your site has been identified as malicious, once you clean the site you can have the search provider re-examine it and stop reporting it as malicious. Most search providers have webmaster tools to do this. Some examples are:

    Bing - http://www.bing.com/webmaster
    Google - http://www.google.com/webmasters
    Yahoo - http://siteexplorer.search.yahoo.com

    Should I be concerned?

    Unfortunately it is becoming more common for criminals to compromise web sites and use them to attack other computers owned by visitors to your site, perhaps your customers.

    To learn more about the problem and how to fix it, refer to this article by AusCERT - The risks borne by one are shared by all - web site compromises

    Where can I find more information on website compromises?

    For more information about preventing web site compromise, the Open Web Application Security Project (OWASP) is a good reference:

    http://www.owasp.org/

    In particular, the Top Ten project (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) is an internationally recognised guide to the most critical web application security flaws.

    Who is AusCERT?

    AusCERT stands for Australian Computer Emergency Response Team. AusCERT is a not-for-profit group of security professionals based at the University of Queensland in Brisbane. AusCERT provides a number of free services to help Australian internet users recover from Internet based attacks, such as notifying businesses and other domain owners when their web site has been compromised.

    AusCERT provides a range of services designed to improve your organisation's online and network security.

    You can enjoy the full benefits of AusCERT's expertise by becoming an AusCERT member, including Incident Management Services and all AusCERT publications. AusCERT is one of the most respected computer security emergency response teams in the world.