This is a general document on what happens when an account is compromised, how it is compromised, and policies pertaining to resolving an account flagged for sending spam.
How does an account get compromised?
Accounts are compromised through a variety of clever engineering tactics. Just as personal software has become more powerful and smarter over the last decade, so too have the tools hackers use to compromise accounts.
Most commonly, passwords are compromised through trial-and-error from a distributed botnet controlled by a single entity. This is called a command-and-control system whereby thousands of infected machines carry out the request of a single user. These machines periodically try random username/passwords across millions of servers and report back any successful login. Eventually, if a password is weak enough, these infected machines report back a hit and your account falls under control of a hacker.
Just like e-mail, command-and-control botnets crawl websites looking for vulnerable software. Different frameworks (WordPress, Joomla, Drupal, Ruby on Rails) create consistent code and use consistent login portals. Crawlers try a variety of URL patterns to determine what a site is running.
Example: if accessing
http://example.com/wp-admin returns a web page with a login form, then example.com is probably running WordPress, because /wp-admin is the administrative login location for WordPress. Now the attacker knows what exploits to try.
Once an exploit has been successfully leveraged, the attacker has the ability to run any malicious code, including editing files in place, where permissions permit, to install new backdoors. Whenever a website is hacked, the only safe solution is to reinstall your software from scratch and next time keep current with software updates.
What does a backdoor look like?
Backdoors are typically elusive, obfuscated code designed to confuse whoever reads it. These backdoors are almost always added at the top of infected files so as to not affect how a program, like WordPress, operates. Backdoors come in a variety of forms. Some websites below have done a great job curating backdoor samples.
Website backdoor resources
- Examples of website backdoors
- PHP Backdoors: Hidden with clever use of extract function
- Backdoor examples 1, 2, 3, 4, 5, 6…
You can easily avoid becoming a victim by being smart with your account. Always use anti-virus software, keep your anti-virus software current, and follow these additional steps:
- Avoid creating “throwaway” accounts for testing purposes.
- Example: never create a user named “test”
- Use strong passwords. Longer passwords are significantly more difficult to guess.
- Example: instead of the password “gumby”, use “gumbyisacharacter1”
- Explanation: Assuming guessing a-z, 0-9 (36 characters), “gumby” would take ~60 million guesses (36^5). “gumbyisacharacter1” would require 1.03 x 10^28 guesses to discover. It’s significantly more secure and easy to remember. This version will not be compromised by brute-force.
- Never use your username in a password.
- Example: if you create a user named “purchasing”, don’t set the password to “purchasing1” or even “purchasing99”
- Always use anti-virus software. Some trojans (e.g. “PokerAgent“) simply collect login credentials and send them back to the control server without altering anything else. These are impossible to detect without anti-virus software.
- Use permission judiciously. PHP operates as a separate user and requires permission to write to files on your account. It may be easier to change permissions on every file, but this is very dangerous. An attacker can modify any file on your account once compromised requiring you to reinstall the software from scratch, since any file could potentially be compromised resulting in further security violations.
- Always update your software. Exploits do happen. Updating WordPress and Drupal is extremely easy.
- If you’re afraid of breaking something, we can update your software to the latest version for a one-time $15 fee.
- Limit the number of plugins you use on your site. Not everyone is a competent programmer. Even competent programmers make mistakes. Always use plugins that are actively maintained.
- Never use pirated software (“nulled” themes). These themes are sometimes injected with a malicious code, like CryptoPHP to turn your website into a backdoor.
All cleanups impose a mandatory $15 fee. This is to reimburse our time spent removing spam from the server and taking steps to help you secure your service. Fees are charged automatically. Failure to collect the fee will result in a suspension of service if unpaid after 72 hours.
We participate in a variety of feedback loops. When spam is reported from your e-mail address, we take steps to isolate and remove it from our network. This includes purging all mail in our mail queue sent by the affected user. Your password will be changed to a random password. You will be required to change the password for the affected user to a new password via User > Manage Users within the control panel. Never reuse the same password!
The offending malware is removed from your site. Permissions, if too liberal, thereby allowing write-access to anywhere on your account, are tightened to prevent recurring attacks. If we cannot reasonably protect your site without your intervention, web access is revoked pending a software update.
If an update is necessary, permissions are changed on the document root of the offending website revoking access to the web server (0700 permission mode). This prevents access to your website to prevent further attacks until you can update the offending software or resolve whatever vulnerability enabled the attack (usually it is outdated software). Once you have updated software, relax permissions by changing it back to 0755. You can do this within the control panel or FTP.
Recommended anti-virus software
Spam is a pervasive problem for our clients, as well as us. We use the same hosting servers that our clients use to operate. It interrupts mail flow and may result in long-term reputation loss, used by some mail filtering engines (SenderScore, Barracuda, McAfee, etc) to silently discard “spam” from legitimate e-mail.
Since e-mail is such a significant medium for business communication now, we have very strict policies on recurring infractions:
- 3 violations in a 90-day period will result in an automatic 24-hour suspension of service. This is to allow you to take proper steps to secure your network and computers that have access to your accounts on your network. E-mail and web site access is revoked during this window.
- A fourth violation results in termination and forfeiture of any unused hosting credit.