Server Was Potentially Compromised – Steps To Take

Yesterday I got an e-mail from somebody saying that they had gone to my site and their anti-virus software popped up a message saying there was a trojan. I didn’t see anything on the site, so I asked them to send me a screenshot of the error. Once I saw the screenshot, I saw a call being made to a data.js file, which is not something I would call for or have uploaded in that location. I checked the site in IE, and sure enough there was the call. Somebody had been able to get onto the server and create that file. I had been compromised.

The first thing I did was rename the file and check through the rest of the site to ensure nothing else had taken effect or been messed with. I seem to have gotten lucky here. I called my host to see what steps could be taken. They told me to delete the file and follow all the steps here, which was extremely helpful.

You can go through the above document if you run into the same issue, but I’ll give a high-level overview of the two most important things to do.
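As an added example (not part of the original post), here is a small POSIX shell helper for the two checks described above: finding every page in the web root that loads a script you never put there, and listing files changed recently so the rest of the site can be reviewed. The indicator `data.js` is the filename from the post; the function names, the file types scanned and the sample pages are assumptions.

```sh
# Added example, not the post's own code. Locate pages that load a script the
# site owner never placed there, and list recently changed files so the rest
# of the web root can be checked.

# scan_injected_scripts WEBROOT [INDICATOR]
# Prints "file:line:content" for every PHP/HTML/JS file whose <script> tag
# references INDICATOR (default: data.js, the file named in the post).
# Exits 0 whether or not anything is found, so it is safe under set -e.
scan_injected_scripts() {
    webroot="$1"
    indicator="${2:-data.js}"
    # /dev/null forces grep to prefix the filename even for a single match.
    find "$webroot" -type f \
        \( -name '*.php' -o -name '*.html' -o -name '*.htm' -o -name '*.js' \) \
        -exec grep -niF "$indicator" /dev/null {} + 2>/dev/null \
        | grep -i '<script' || true
}

# list_recently_modified WEBROOT DAYS
# Prints files under WEBROOT modified in the last DAYS days. An attacker's
# write shows up here even when the page looks normal in a browser.
list_recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}
```

Run `scan_injected_scripts /path/to/webroot` first, then `list_recently_modified /path/to/webroot 7`; anything in the second list that you did not change yourself deserves a look, whether or not it contains a script tag.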

Change ALL Passwords

I went through and changed all of my passwords. Think of everything you have passwords for, and change them. Make sure to use strong passwords (a mix of upper- and lowercase letters, numbers, and symbols). I changed everything from my host dashboard password, to database passwords, to user account passwords (e.g. WordPress), etc. You have to assume that if your server was compromised, they have your passwords. Changing them will lock them out.

Back Everything Up

I created an archive of my entire web folder and databases. Make sure you always have backups. This is a given, but the event was an eye-opening reminder.

I got lucky that nothing worse occurred and that somebody brought this to my attention in time. To help prevent this, change your passwords and back up your data often.
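As an added example (not the post's own procedure), here is a shell script that does the backup described above: a timestamped, checksummed archive of the web folder with a database dump included when `mysqldump` is available. The paths, the function names, the use of `~/.my.cnf` for credentials and the database name are assumptions, not details from the post.

```sh
# Added example, not the post's own code. Archive the web folder (and a MySQL
# dump when mysqldump is installed) into a timestamped .tar.gz with a
# SHA-256 checksum beside it, then verify the result.

# backup_site WEBROOT DEST [DBNAME]
# Writes DEST/site-YYYYmmdd-HHMMSS.tar.gz and DEST/...tar.gz.sha256.
# Prints the archive path on success, returns non-zero on failure.
backup_site() {
    webroot="$1"; dest="$2"; dbname="$3"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/site-$stamp.tar.gz"
    mkdir -p "$dest"
    tmp=$(mktemp -d) || return 1
    # Dump the database first so it lands inside the same archive as the files.
    if [ -n "$dbname" ] && command -v mysqldump >/dev/null 2>&1; then
        # Credentials are read from ~/.my.cnf (assumed), so the password
        # never appears on the command line or in process listings.
        mysqldump --single-transaction "$dbname" > "$tmp/$dbname.sql" \
            || { rm -rf "$tmp"; return 1; }
    fi
    # -C switches directories so the archive holds relative paths only.
    tar -czf "$archive" \
        -C "$(dirname "$webroot")" "$(basename "$webroot")" \
        -C "$tmp" . || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    # Checksum relative to DEST so the .sha256 file stays valid when moved.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) \
        || return 1
    echo "$archive"
}

# verify_backup ARCHIVE
# Re-checks the SHA-256 and confirms tar can read the whole archive.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null ) || return 1
    tar -tzf "$archive" >/dev/null
}
```

Typical use is `archive=$(backup_site /var/www/html /backups wordpress) && verify_backup "$archive"`; copy the archive and its `.sha256` file off the server, since a backup that lives only on a compromised host can be altered or deleted along with everything else.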

  1. Sarah Kimmel

    12/14/2009 4:22 pm

    This just happened to me too! Very strange!

  2. CDesign

    12/26/2009 10:05 am

    The same thing happened to me but it’s a different malware. It’s a GNU/GPL virus which embeds itself in my index.php and .js files. I immediately changed my cPanel and FTP password after I cleaned everything.

  3. Damian

    01/04/2010 2:19 pm

    I have the same problem. How can I solve it???

    Please help me….

