Hacked Website Repair: What You Should Know

If your website is hacked, you may find yourself in a situation where you aren’t sure what to do or who to call. The good news is that there is no need to panic. Help is available, and there are even some things that you can do yourself to help with the issue. Website security is critical to your online business, and there are so many potential risks out there that a small business could find itself spending a small fortune just to stay safe. According to an annual crime report from Cybersecurity Ventures:

“Ransomware attacks occur every 14 seconds. The report also estimates that this number will increase to every 11 seconds by the year 2021.”

One well-known attack compromised more than 4,600 websites when malware was used to steal payment information and other private user data.

Some of those websites remain partially infected or still contain remnants of the malicious code. Hacking and malware are clearly serious problems. However, there are also a number of solutions available to help increase your website security and repair the damage.

Signs You May Have Been Hacked

Although every attack is different, there are certainly some “symptoms” that you may experience on your own website that others have reported. Some of the most common signs that there’s been a security breach on your website include:

  • Unknown or suspicious files, admin users, scripts, or links start appearing on your website or in its code.
  • Your site becomes slow and unresponsive.
  • Third-party hosting accounts may be disabled or banned.
  • Search engine warnings are presented to visitors attempting to click through to your website.
  • There are ads and pop-ups redirecting your visitors to nefarious or irrelevant domains.
  • The server load is heavy even when traffic is low.
  • Gibberish content starts showing up at random throughout your website.
  • You find unknown extensions and plugins on your servers.
  • Spam emails are being sent from your own mail server.
  • Customers are reporting stolen credit card information or calling about security breaches.
  • Your website data is being sold online.

The last couple are fairly clear signs that you’ve probably been hacked. Others, however, may be harder to detect on their own. By knowing what to look for, it should be easier for you to identify breaches sooner and limit the damage.

What Do I Do Now?

If you realize that your website has been hacked, you’ll want to do what you can to control the damage right away. Perform a total backup of your website and put it into maintenance mode. You can also use tools like Google Console to find the cause of the infection if your site has been blacklisted in search engine results.

There are plenty of articles online that offer advice and step-by-step solutions for removing malware and ransomware files on your own, but unless you’re experienced in coding and databases, you really need to reach out to a professional website repair service that can eliminate all of the infected files or scripts and secure your site to help protect against future attacks.

Resources
https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
https://www.getastra.com/blog/911/hacked-website-repair/
https://hackrepair.com/hackrepair-com-articles-catalog

WPEngine Open-Source Dependency Vulnerability

An open-source dependency vulnerability affects WPEngine’s PHPCompat module on https://github.com/wpengine/phpcompat

/src/js/handlebars.js

↳ handlebars.js 4.0.3 has known vulnerabilities:

severity: high; summary: A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template; https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692 https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86

severity: high; summary: A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template; https://snyk.io/vuln/SNYK-JS-HANDLEBARS-174183 https://github.com/wycats/handlebars.js/issues/1495 https://github.com/wycats/handlebars.js/commit/cd38583216dce3252831916323202749431c773e

dotCMS v5.1.1 Open Redirect Vulnerability

dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition to many other vulnerabilities that I am still verifying.

The following URL is a proof-of-concept that requires a user to be logged in. Simply log in to the demo before visiting the supplied POC.

Logging into the demo requires you to go to https://demo.dotcms.com/dotAdmin and log in with the demo credentials (username: [email protected] password: admin).

POC link: https://demo.dotcms.com/html/portlet/ext/common/page_preview_popup.jsp?hostname=google.com/test.html
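
A check that would refuse the `hostname` value used in the POC above, shown as an added example and not dotCMS code (written in JavaScript for illustration; the same logic applies server-side in the JSP). It assumes the page uses `hostname` to build the address the browser is sent to; `ALLOWED_HOSTS`, `validateHostParam` and `safePreviewUrl` are hypothetical names.

```javascript
// Added example: allowlist check for a host-name parameter that feeds a redirect.
// Hypothetical names throughout; this is not code from dotCMS.
const ALLOWED_HOSTS = new Set(["demo.dotcms.com"]); // assumed: hosts this instance serves

// Return the normalised host if `value` is a bare, allowlisted host name, else null.
function validateHostParam(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 253) return null;
  // A bare host name carries no path, query, fragment, userinfo, port,
  // backslash or whitespace. The POC value fails here because of its "/".
  if (/[\/\\?#@\s:]/.test(value)) return null;
  let parsed;
  try {
    // Let the URL parser normalise case and reject malformed hosts.
    parsed = new URL("https://" + value + "/");
  } catch (e) {
    return null;
  }
  const host = parsed.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  // Exact match only: a suffix or prefix match would accept look-alike hosts.
  return ALLOWED_HOSTS.has(host) ? host : null;
}

// Build the target from a validated host, falling back to a known-good host.
function safePreviewUrl(hostParam, fallbackHost) {
  const host = validateHostParam(hostParam) || fallbackHost;
  return "https://" + host + "/";
}
```
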

dotCMS v5.1.1 HTML Injection & XSS Vulnerability

dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in addition to many other vulnerabilities that I am still verifying.

Here’s a screenshot of HTML injection:

To reproduce this vulnerability, simply go to https://dotcms.com/dotAdmin/ and log in with their demo credentials (username: [email protected] password: admin) and then visit the following URL:

https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp?referer=%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E

There are more unconfirmed vulnerabilities in dotCMS.

dotCMS v5.1.1 – Vulnerable Open Source Dependencies

dotCMS v5.1.1 suffers from several vulnerabilities due to the reliance on open source dependencies with publicly disclosed issues.

These vulnerabilities are listed below:

Scanning open source dependencies of dotCMS_5.1.1
 
/ROOT/html/js/scriptaculous/prototype.js
 
↳ prototypejs 1.5.0
prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/ http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/
 
ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js
 
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js
↳ bootstrap 3.2.0
bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
 
ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js
↳ jquery 3.3.1
jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js
 
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js
 
↳ jquery 2.1.1.min
jquery 2.1.1.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/html/js/dojo/custom-build/dojo/dojo.js
 
↳ dojo 1.8.6
dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307; https://github.com/dojo/dojo/pull/307 https://dojotoolkit.org/blog/dojo-1-14-released
 
ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
 
↳ tinyMCE 4.1.6
tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss issues with media plugin not properly filtering out some script attributes.; https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations; https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED so links with xlink:href attributes are filtered correctly to prevent XSS.; https://www.tinymce.com/docs/changelog/
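
The jQuery entries above cite CVE-2019-11358, where a deep `jQuery.extend(true, {}, …)` reaches `Object.prototype`. The following added example (not jQuery's code; `naiveMerge`, `safeMerge` and `demo` are hypothetical names, and the JSON input is constructed) shows the same class of flaw in a naive recursive merge next to a hardened version.

```javascript
// Added example: why a recursive merge of untrusted JSON can pollute
// Object.prototype, and a merge that refuses to. Not code from jQuery.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive: target["__proto__"] resolves to Object.prototype, so the recursion
// writes the source's nested keys onto every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, prototype-related keys skipped, and recursion
// only into objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!owned) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge constructed untrusted JSON and report whether a fresh object was affected.
function demo(mergeFn) {
  const input = JSON.parse('{"theme":{"color":"blue"},"__proto__":{"polluted":true}}');
  const merged = mergeFn({}, input);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo, so the demo leaves no global state behind
  return { color: merged.theme.color, leaked };
}
```

Upgrading the bundled copies to jQuery 3.4.0 or later, the version named in the CVE summary, is the fix for the library itself; the hardened merge applies to any in-house merge helper that handles request data.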