How To Restore a Website hacked by Jamaycka


Today’s digest is dedicated to all those who have been hacked by ‘Jamaycka’, with lessons on basic web maintenance as well. Zhongg.com was defaced on 12th May by ‘Jamaycka’, who left this message behind:

hacked by jamaycka

Note very important :
Some People thinks I am from Jamaica.
I would like you to know that I am Not from Jamaica.

There are some people feel jealous of me but I am not care
this name just my nickname
I’m HaCked your system

Many reports have surfaced since then about Jamaycka targeting Malaysian websites, a large number of them running WordPress. Websites are probably still being defaced as you read this; the count of websites defaced by Jamaycka has surpassed 9000. Someone needs to put a stop to it. That person probably isn’t you or me. What we can do is try our best to get out of the way and keep our sites up and running in the meantime.

This mini guide is divided into 3 parts:
1) Cure - dedicated to restoring a website hacked by Jamaycka
2) Prevention - avoid future attacks
3) Backup - cPanel script to automate the backup routine


CURE
Jamaycka defaces websites by replacing the index files and leaves it at that. So thankfully, not much damage is done compared to what could have been done. Here’s how you can fix your website within minutes. You’ll still need a backup copy of the content in order to restore the website.

WORDPRESS
Replace the index files (both .php and .htm) with the backup copy in each of these folders:
{blog_folder}
{blog_folder}\wp-admin
{blog_folder}\wp-includes
{blog_folder}\wp-content
{blog_folder}\wp-content\themes
{blog_folder}\wp-content\themes\classic
{blog_folder}\wp-content\themes\default
{blog_folder}\wp-content\themes\{other_theme_folders}
{blog_folder}\wp-content\plugins\wp-table

OTHERS
1) Download all the files in the ‘www’ folder to your computer
2) Find all the index files that were replaced, either by
a) Searching for ‘index.*’ files
or
b) Searching for files containing ‘document.write(unescape’

3) Note down the files’ locations and replace them with the backup copy.
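
As an added example (not part of the original post), the Python script below automates steps 2 and 3: it walks a downloaded copy of the site, picks out index.* files and files containing 'document.write(unescape', and lists only those that differ from, or are missing in, the backup. The function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# String the guide says to search for. Legitimate scripts (the old Google
# Analytics snippet, for one) use the same call, so a hit alone proves nothing.
MARKER = b"document.write(unescape"

def find_suspects(site_dir, backup_dir):
    """Return {relative path: reason} for files to restore from the backup."""
    site, backup = Path(site_dir), Path(backup_dir)
    suspects = {}
    for path in sorted(p for p in site.rglob("*") if p.is_file()):
        data = path.read_bytes()
        is_index = path.name.lower().startswith("index.")
        has_marker = MARKER in data
        if not (is_index or has_marker):
            continue
        rel = path.relative_to(site)
        original = backup / rel
        if original.is_file() and original.read_bytes() == data:
            continue  # unchanged since the backup was taken
        reason = "differs from backup" if original.is_file() else "not in backup"
        if has_marker:
            reason += ", contains marker"
        suspects[rel.as_posix()] = reason
    return suspects

def build_demo(root):
    """Constructed sample tree: a clean backup and a defaced copy of it."""
    files = {
        "index.php": b"<?php require './wp-blog-header.php';",
        "wp-admin/index.php": b"<?php /* dashboard */",
        "wp-content/themes/default/footer.php": b"<script>document.write(unescape('%3Cb%3E'));</script>",
    }
    for top in ("backup", "site"):
        for rel, body in files.items():
            target = Path(root, top, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
    Path(root, "site", "index.php").write_bytes(b"<script>document.write(unescape('%68'));</script>")
    Path(root, "site", "wp-admin", "index.htm").write_bytes(b"hacked")
    return Path(root, "site"), Path(root, "backup")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, backup = build_demo(tmp)
        for rel, reason in find_suspects(site, backup).items():
            print(f"{rel}: {reason}")
```

To use it on a real site, call find_suspects() with the path of the downloaded ‘www’ folder and the path of your backup copy. A file reported as "not in backup" was never part of your site and should be deleted rather than restored.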

WITHOUT BACKUP
1) It is impossible to restore the site without a backup. You’ll just have to cross your fingers and hope that your web host has one.
2) Meanwhile, put up an "under maintenance" message. You can overwrite the defaced page by uploading an index.htm file with your message to the root folder.

PREVENTION
After you restore your site, you’ll need to patch up the system to prevent further attacks. Though opinions vary about the hacking techniques used, here are a few ways to up your security a notch:

1. Don’t leave any folders or files with the chmod permission 777
2. Disable anonymous FTP.
3. Have mod_security on
4. Make sure you have the latest Linux kernel installed
5. More tips here

BACKUP
You can never truly defend against all attacks, so having backups is a must. Web hosting providers normally back up your stuff occasionally, though they are not obliged to do so according to the terms and conditions. Fortunately, doing backups yourself isn’t that hard. Below are scripts to back up your files (ONLY WORKS IN CPANEL!)

1) Click ‘Cron jobs’
2) Go to Advanced
3) Paste the following scripts and set the backup frequency

Backup files from the public_html folder
tar -zcf backup.tgz ./public_html

Backup your database
date=`date -I` ; mysqldump -ce --user={DBUsername} --password={DBPassword} {DBDatabase} | gzip > /home/{Account}/dbBackup_$date.sql.gz
Fill in the blanks with the database username, password, database name and your account name. If you use the short -p option instead of --password=, there should NOT be any spaces between -p and the password.

Sending a backup of your database to your email (uncompressed)
mysqldump -ce --user={DBUsername} --password={DBPassword} {DBDatabase} | mail {email}

Sending a backup of your database to your email (compressed)
None that works for me. Might be worth a try though
http://abdussamad.com/archives/54-Using-a-cron-job-to-backup-your-MySQL-Database.html
http://drupal.org/node/140213

ps: remember to download the latest backup to your computer :)

That’s it folks! If you have any additional information to help your fellow web brethren, do share
