[Solved] All my folders and sub-folders index page has been replaced by custom hacker’s index page


In a situation like this you will need to weigh the pros and cons of how you want to tackle this issue. Do you want to maintain uptime whilst you are working on the issue (least effective, because the site could still be being attacked) OR do you want to completely take the site down to work on the issues (best way to prevent further attack, but you will then get downtime)?

In order to recover from this you will want to get all of your files/folders back to where they are. If you were making regular backups then this will be a breeze. If you weren’t, this is the time to grab a coffee and get ready for a S##tstorm.

Whilst recovering your files seems like a quick fix, the chances are that the vulnerability lies within one of those files. Although saying that, the issue could be that your server OS is not up to date and the hacker got in through a dated exploit. The possibilities are endless as to how they have done this.

If it was me in this situation, I would:

  • Take all the files that you need (unless you have a backup).
  • Reinstall server OS / Get new server provider with up-to-date software
  • Malware scan all of your files
  • Make sure that your server is PCI compliant (if you are making transactions).
  • Once you are all back up and running, I would do a full code review to try and find the vuln.
  • Also make sure that you run frequent malware and virus scans with email reporting if something is found.
  • Make sure you reset all of your passwords as they are now all compromised.

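Before restoring over the top of a defaced site, it helps to record exactly which files were replaced, added or deleted, since that list is where the malware scan and code review start. The script below is an added example, not part of the original answer; the function names, the backup and live paths, and the sample trees are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. BACKUP and LIVE paths are assumptions; sample trees are constructed.
# compare_webroot BACKUP LIVE prints one finding per line:
#   REPLACED <path>  present in both trees, content differs (e.g. a defaced index page)
#   ADDED <path>     only in the live tree (did not come from your backup, so review it)
#   MISSING <path>   only in the backup (deleted on the live site)
# Limitation: file names containing newlines are not handled.
compare_webroot() {
    backup=$1
    live=$2
    ( cd "$live" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$backup/$rel" ]; then
            echo "ADDED $rel"
        elif ! cmp -s "$backup/$rel" "$live/$rel"; then
            echo "REPLACED $rel"
        fi
    done
    ( cd "$backup" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$live/$rel" ] || echo "MISSING $rel"
    done
}

# Build constructed sample trees under directory $1 (not real site data).
make_sample() {
    mkdir -p "$1/backup/blog" "$1/backup/css" "$1/backup/about"
    mkdir -p "$1/live/blog" "$1/live/css" "$1/live/uploads"
    echo '<h1>Home</h1>'    > "$1/backup/index.html"
    echo '<?php /* blog */' > "$1/backup/blog/index.php"
    echo 'body{margin:0}'   > "$1/backup/css/site.css"
    echo '<h1>About</h1>'   > "$1/backup/about/index.html"
    echo '<h1>defaced</h1>' > "$1/live/index.html"
    echo '<h1>defaced</h1>' > "$1/live/blog/index.php"
    echo 'body{margin:0}'   > "$1/live/css/site.css"
    echo 'unknown file'     > "$1/live/uploads/x.php"
}

# Demo run on the constructed trees; point compare_webroot at real paths instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
compare_webroot "$demo_dir/backup" "$demo_dir/live"
rm -rf "$demo_dir"
```

Run it against a copy of the compromised web root rather than the running site, and keep the output with your incident notes so the later code review can start from the ADDED and REPLACED entries.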