Summary
A hacked website can damage your business, reputation, and customer trust. In this post, we share how we rescued a severely compromised site, identifying the vulnerabilities, removing malicious code, and securing it against future attacks. Learn why outdated software and poor hosting put websites at risk and how proactive maintenance can prevent security breaches. If your website has been hacked or you want to strengthen its security, this post highlights the steps needed to recover and protect your online presence.
4 minutes read
You will learn 
  • How a website can become severely hacked – Learn how poor security, outdated software, and lack of maintenance can leave a site vulnerable.
  • Our approach to website recovery – See how we identified and removed malicious code, restored functionality, and secured the site against future attacks.
  • Why ongoing website maintenance matters – Understand the importance of regular updates, security monitoring, and choosing the right hosting provider.

At CMS Live, we specialise in providing top-notch web services, including web design, digital marketing, and premium web hosting. Recently, we had the opportunity to assist a business owner whose website had been severely hacked. This post details the issue, our rescue operation, and the extensive steps we took to restore and secure the site.

The Initial Situation

A reputable web designer, who typically uses our white label hosting services, built a website for a client. However, the client chose another hosting provider because they used green energy. While this is commendable, the hosting provider must also offer reliable service, support, and security.

Unfortunately, the client's website was not managed or maintained, leading to outdated software and a severe hack across the website files, database, and hosting platform. Over 30 PHP files were infected with malicious code. More than five full admin accounts were created on the fly. The old support team tried deleting the admin accounts, but they kept reappearing after a few days.

For over two weeks, the old hosting support team tried to fix the issue. The site redirected users to inappropriate websites and virus warning popups, severely damaging the client's professional image. The web designer and the client reached out to their hosting provider with constant support tickets. Eventually, they were told the provider couldn't help and suggested finding a security consultant.

At this point, the client realised they needed a managed hosting specialist and security expert. Based on their web designer's recommendation, they turned to us. This is where Martin Starkie from CMS Live stepped in.

The Technical Challenge

The website was compromised due to a vulnerability in a caching system installed by the hosting provider. Specifically, a Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-40000. This allowed attackers to inject malicious scripts into the website, leading to unauthorised redirects, unauthenticated admin users, and potential data breaches.

Understanding the Vulnerability

The XSS vulnerability in the caching system let attackers exploit the website by injecting malicious JavaScript code. This code could then perform actions on behalf of the user without their knowledge, such as redirecting them to harmful websites. The severity of this attack was rated extremely high at 8.2.

For more technical details on the vulnerability, you can refer to this source:

This vulnerability affected approximately 4 million websites globally between October 2023 and July 2024.

Infected source code showing external javascript callsInfected files

Our Approach to the Rescue

When we were brought in, we requested full access to logs and error logs from the current host to understand the extent of the issue. However, they could not provide these. Despite this setback, we quickly got to work. Here’s how we tackled the problem:

  1. Assessing the Damage: We found over 30 compromised files with malicious code and five unauthenticated admin accounts. It was clear that the systems had been compromised at a higher level.

  2. Initial Assessment and Backup: We took a complete backup of the compromised website to ensure we had a recoverable copy before making any changes. This also allowed us to conduct a post-mortem analysis later.

  3. Isolating the Issue: We identified the outdated caching system as the primary vulnerability, along with other secondary issues.

  4. Thorough Cleanup: The website was so infected that we opted for a clean install to ensure a solid base. Using automated tools and manual inspection, we meticulously scanned for malicious scripts and worked through every line in the database.

  5. Manual Database and File Cleanup: We manually cleaned all website files and database entries to ensure every trace of the hack was removed. This painstaking process was essential to fully restore the site.

  6. Monitoring: During the cleanup, we monitored all external requests to understand the ongoing attacks. We found two IP addresses, one in South Africa and one in the Netherlands, sending around 5000 malicious requests daily. We blocked this traffic and observed that the attackers increased their efforts when they realised their access was blocked. They even set up an external monitoring service to check if the website was still online, which we also blocked.

  7. Monitoring and Testing: After the cleanup and updates, we closely monitored the website logs for unusual activity and took necessary actions to maintain WAF and firewall rules.

Threats by countryThreats previous 7 daysImage

The Outcome

Thanks to Martin’s swift response, the client's website was fully restored and secured. The site no longer redirected users to malicious pages, and the client could operate their business smoothly again.

However, because the site had been compromised once, it is now on hackers' lists of vulnerable websites. Despite our efforts to secure the site, the update_cdn_status requests are still being sent to the website from external sources at a rate of over 5000 per day. These cannot be completely stopped as their origins are unknown.

Conclusion

At CMS Live, we believe in going the extra mile for our clients. This incident underscores the importance of choosing a reliable hosting provider who supports green initiatives and delivers on security and service. We are proud to have helped this business owner regain control of their website.

If you’re looking for a hosting provider that combines excellent service, personal customer care, and technical expertise, look no further than CMS Live. We’re here to ensure your online presence is safe, secure, and always up to date. One of the services we offer is the recovery of hacked websites, ensuring they are cleaned and fortified against future attacks.

CMS Live: Your Trusted Partner in Web Hosting

We’re always here to help!

Switch your hosting today