Yesterday I got an e-mail from somebody saying that they had gone to my site and their anti-virus software popped up a message saying their was a trojan. I didn’t see anything on the site, so I asked them to send me a screenshot of the error. Once I saw the screenshot, I saw a call being made to a data.js file, which is not something that I would make a call for or uploaded in that location. I checked the site in IE, and sure enough there was the call. Somebody had been able to get it on the server and create that file. I had been compromised.
The first thing I did was rename the file and check through the rest of the site to ensure nothing had gone into affect or been messed with. I seemed to have gotten lucky here. I called my host to see what steps can be taken. They told me to delete the file and follow all steps here which was extremely helpful.
You can go through the above document if you run into the same issue, but I’ll give a high-level overview of the two most important things to do.
Change ALL Passwords
I went through and changed all of my passwords. Think of everything you have passwords for, and change them. Make sure to use strong passwords (mix of upper and lowercase, numbers, and symbols). I changed everything from my host dashboard password, to database passwords, to username passwords (ex: WordPress), etc. You have to assume that if your server was compromised, they have your passwords. Changing them will lock them out.
Back Everything Up
I created an archive of my entire web folder and databases. Make sure you always have backups. This is a given, but the event was an eye opener of a reminder.
I got lucky that nothing worse occurred and that somebody brought this to my attention in time. To help prevent this, change your passwords and backup your data often.