Help for hacked sites: Server configuration


[MUSIC PLAYING] Hi. I’m Lucas Ballard. I’m a software engineer at Google, and I work on Google Safe Browsing. I’d like to provide more information for site owners who are notified that their site was infected with malware, specifically with the type “server configuration.” So that we’re all on the same page, if your site is infected with malware, you can see sample infected URLs and the type of infection when you verify ownership of your site in Google Webmaster Tools. Google Webmaster Tools can be found at google.com/webmasters.

When Webmaster Tools indicates the malware type “server configuration,” it often means that the hacker is redirecting visitors from your good site to their attack site by modifying your server’s configuration files. Server configuration files allow the site administrator to specify, among other things, access permissions and URL redirects for specific pages or directories on a website. You can imagine that cyber criminals might modify this file to suit their own needs.

To investigate the specific behavior on your site, log in to Webmaster Tools and browse through the Malware section. Make note of the sample URLs listed with malware type “server configuration.” These sample URLs are pages that no longer consistently serve your site’s good content. Instead, because a cyber criminal likely placed a redirect in the server configuration file, these URLs redirect your users to an attack site. You can use Wget or curl to check for the redirect behavior. Remember, your site will need to be back online first. If the sample URLs copied from Webmaster Tools don’t redirect as expected, the hacker may have tried more sophisticated techniques to avoid detection. For example, she may have intended for the redirect to only be given to certain referrers or user agents, so as to avoid showing content to automated programs that might detect it. You’ll want your Wget or curl commands to reflect these possibilities.

To further investigate how your site was affected by malware type “server configuration,” log in to your web server’s file system. In my investigation, I’ll use the .htaccess server configuration file. .htaccess is common on many Apache-based web servers, as is httpd.conf. If your web server isn’t Apache-based, say it’s IIS, then please perform similar tasks with your server’s equivalent configuration files.

In the directory where the .htaccess file exists, I’ll perform ls -al, or a similar command, to view all the files, including hidden files like .htaccess. The .htaccess file controls behavior in the current directory and potentially in subdirectories. There may exist more than one server configuration file on your site. You can view relevant server configuration files, perhaps through an editor like vi, and check for unwanted directives such as redirects. For example, as mentioned earlier, to better hide malicious content, the hacker may have configured conditional redirects based on referrer, operating system, user agent, browser, et cetera. Or the hacker may configure redirects to unknown sites, likely malware attack sites. Be sure to check the entire file in case the hacker added their code at the end of the file where she hoped you wouldn’t notice. The sample server configuration URL should have a corresponding rule in the .htaccess file or other server configuration files.

When you’re ready to clean up your server configuration files, which occurs in the following step of our hacked site recovery process, you can either replace a file with a known good backup, or you can delete the unwanted code from the existing file. Be aware that only fixing the server configuration file isn’t enough. It won’t correct the underlying vulnerability that allowed the hacker to compromise your site in the first place. Furthermore, the hacker may have left a back door on your server for future reentry if you fail to delete it. Before finishing the step, be sure to check out our file system damage assessment video to investigate your site for back doors and other harm.

I hope this has been helpful in restoring a healthy server configuration file after a malware infection. Thanks for watching. [MUSIC PLAYING]
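As an added illustration (not part of the video or of Google’s tooling), the following Python script scans a constructed .htaccess sample for redirect directives that point off-site and reports whether each one is gated on the referrer or user agent, the conditional pattern the video tells you to look for. The `own_hosts` list of the site’s legitimate hostnames is an assumption you would replace with your own.

```python
"""Scan Apache .htaccess text for off-site redirects and flag those gated
on HTTP_REFERER / HTTP_USER_AGENT (the cloaked-redirect pattern)."""
import re
from urllib.parse import urlparse

# Constructed sample for demonstration; not taken from any real incident.
SAMPLE_HTACCESS = """\
Options -Indexes
RewriteEngine On
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]

RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://attacker-example.test/land.php [R=302,L]
Redirect 301 /promo http://another-bad.example/go
"""

# Assumed list of hostnames that legitimately belong to this site.
OWN_HOSTS = ("example.com", "www.example.com")


def scan_htaccess(text, own_hosts=OWN_HOSTS):
    """Return one finding per Redirect/RewriteRule whose target host is
    not one of own_hosts. RewriteCond lines are attached to the
    RewriteRule that immediately follows them, as Apache applies them."""
    findings = []
    pending = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            pending.append(line)
            continue
        conds, pending = pending, []  # any other directive consumes them
        target = None
        if directive == "rewriterule" and len(tokens) >= 3:
            target = tokens[2]
        elif directive in ("redirect", "redirectmatch") and len(tokens) >= 2:
            target = tokens[-1]
        host = urlparse(target).hostname if target and "://" in target else None
        if host and host not in own_hosts:
            gated = [c for c in conds
                     if re.search(r"HTTP_(REFERER|USER_AGENT)", c, re.I)]
            findings.append({"line": lineno, "target": host,
                             "conditional": bool(gated), "conditions": gated})
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS):
        kind = "CONDITIONAL" if f["conditional"] else "unconditional"
        print(f"line {f['line']}: {kind} redirect to {f['target']}")
```

Run it against each real .htaccess (and httpd.conf) you find with `ls -al`; a conditional finding is exactly the case where a plain curl fetch without the matching referrer or user agent would not show the redirect.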
