In this guide, you will find information and help relating to the shutdown of your website hosted with OVH after it has been hacked.


OVH's anti-hack system


Overview

Why did you shut down my website?
It's important to remember that your site has been closed to protect you, not punish you - you're also a victim of hacking.

If we detect a non-critical security vulnerability, we will give you a deadline within which you will need to patch this vulnerability before your website is shut down. Some of your website's features may be deactivated, such as outgoing emails or connections.

You might think that stopping the programme or infected script would be enough to resolve the issue. However, experience has shown that when there's a security vulnerability on a website, hacking becomes more frequent and aggressive. Our system regularly monitors the server, but a hacker only needs a few seconds to cause significant damage to your website or our servers.

As a result, we ask you to find the vulnerability and patch it before you can restore your website.

Our system shuts down all programs linked to the hack in case the hacker has left a backdoor* that would make it easy for them to hack back into the system. This way, we are making it impossible for the hacker to continue their operations.
Why doesn't OVH prevent this kind of attack from happening on my site?
In this kind of attack, the hacker has not accessed your passwords, nor have they gained access to your site via our servers.

The hacker has simply run code via a security vulnerability on your site. There is no security measure at our level that allows us to block this kind of attack directly.

True, we could limit the possibilities offered by the hosted scripts on our servers to make this kind of attack impossible. However, this would bring about a secondary effect. You would not be able to use certain really useful features offered by languages such as PHP, Perl and Python, and it would make it more difficult for you to create your sites overall.

As a result, we have chosen to offer you as much freedom as possible and prevent any potential issues so that we can guarantee your website's security and curb hacking attempts.
Different actions taken
  • We notify you by email of a security vulnerability.

  • Recently, our system has changed and will now warn you if a security vulnerability has been detected on your website.

  • Following this notification, we will give you a deadline by which you need to patch this vulnerability; otherwise your website or one of its features (outgoing PHP emails or connections) will be blocked.

Find more information on the notification of a security vulnerability in the diagram at the end of this guide.

  • Your site is blocked by Okiller.

Okiller, our monitoring robot, verifies commands related to the hack.

We notify you by email when a command run on your shared server is related to a hack.

Your logs are timestamped so you can check them. Okiller usually blocks your site by setting it to chmod 700.

  • The Abuse team blocks or deactivates your website.

One of OVH's teams is responsible for guaranteeing the security of our infrastructure.

The Abuse team may be forced to block or deactivate your website in the event of a hack or if your account has been used for phishing or spam without your knowledge.

Summary diagram - security vulnerability diagnostic

Below are the various stages that will follow once you have been notified of a security vulnerability.

  • 1. Our robot detects a security vulnerability on your website.
  • 2. We send you the robot's report via email.
  • 3. Functions that allow outgoing communications are deactivated (sending emails via PHP, outgoing connections).
  • 4. You are given a deadline of 7 days in which you need to patch the security vulnerability.

  • Within this deadline, you can regularly check your site to ensure that your files are properly patched.

    Two possible outcomes of your actions:

  • If the corrupted files are deleted and the security vulnerabilities are patched, the website features will be reactivated.

  • If the corrupted files are not deleted and the security vulnerabilities are not patched, the website features will stay deactivated.

  • If the corrupted files and security vulnerabilities are still present after the 7 day period, your site will be deactivated.
  • In the event of critical failure, your website may be deactivated before the 7 day deadline and without prior warning.

Patches


Repair and patch the security vulnerability

  • If you use a popular system, such as WordPress, Joomla!, PrestaShop, phpBB, etc.

Developers of very popular systems such as those listed above often update their systems to patch any security vulnerabilities spotted by the users.

Therefore, update your system to the latest version and make sure you stay up-to-date with future updates. You can do this by subscribing to the mailing-list on the company's official site.

If you're already using the latest version, be sure to visit the company's official forums to let other users and the developers know about this intrusion. The developers are sure to quickly come up with a patch that you can apply.

Plugins, themes or modules added on to a CMS are also at risk of security vulnerabilities. You need to update these tools to ensure that your website's security level is optimal.
  • Search for the security vulnerability in your logs

It's impossible to carry out a detailed procedure that lets you localise the source of every intrusion. However, here is a general procedure for you to follow, on the proviso that the attack was caused by a script vulnerability and therefore the hacker gained entry using an HTTP request.

All HTTP requests are available in your logs (https://logs.ovh.net/your_domain). Replace "your_domain" with your domain name and extension, e.g. ovh.com.

See our guide on accessing your logs: Shared: View my website's logs and statistics

  • 1 Retrieve the date and time of the email alert you received
  • 2 Check your logs starting from this time and gradually work back over earlier timestamps until you see an incorrect (strange, different from other entries, etc.) entry. This may take some practice and knowledge of the format of certain requests. Pay attention mainly to POST requests. These are the main sources of hacking
  • 3 Retrieve the script infected by this request
  • 4 Study the script to identify the source of the security vulnerability
  • 5 Patch the security vulnerability
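
The log search in steps 1 and 2 above can be automated. The following script is an added example and not OVH tooling: it parses combined-format log lines (the format assumed for https://logs.ovh.net/your_domain), keeps the POST requests in the window before the alert time, and lists those whose path is not one your site is expected to receive POSTs on. The sample lines, alert time and list of expected POST paths are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined log format (assumed for logs.ovh.net; adjust LOG_RE if your lines differ).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines and alert time (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:09:58:12 +0100] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2016:10:02:45 +0100] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.23 - - [12/Mar/2016:10:07:33 +0100] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 1348',
    '198.51.100.23 - - [12/Mar/2016:10:07:40 +0100] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 212',
    '203.0.113.9 - - [12/Mar/2016:10:15:01 +0100] "GET /contact HTTP/1.1" 200 3301',
    '203.0.113.9 - - [12/Mar/2016:10:15:20 +0100] "POST /contact HTTP/1.1" 200 410',
]
ALERT_TIME = datetime(2016, 3, 12, 10, 30, tzinfo=timezone(timedelta(hours=1)))
# Paths on this hypothetical site that legitimately receive POST requests.
EXPECTED_POST_PATHS = ("/wp-login.php", "/contact")

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def suspicious_posts(lines, alert_time, window_hours=24, expected_post_paths=EXPECTED_POST_PATHS):
    """Return POST requests made in the window before the alert whose path is not one
    expected to receive POSTs, most recent first (step 2 of the procedure)."""
    start = alert_time - timedelta(hours=window_hours)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not (start <= rec["ts"] <= alert_time):
            continue
        if rec["path"].split("?", 1)[0] not in expected_post_paths:
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"], reverse=True)
    return hits

if __name__ == "__main__":
    for rec in suspicious_posts(SAMPLE_LOG, ALERT_TIME):
        print(rec["ts"], rec["ip"], rec["path"], rec["status"], rec["size"])
```

Each script listed is a candidate for steps 3 and 4: retrieve it and look for the vulnerability that allowed it to be written or called.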

It's not enough to just delete the malicious code inserted by the hacker. You need to fully patch the security vulnerability.

We advise that you ask a webmaster (http://www.ovh.biz/en/) to help you with this kind of manipulation. Our support service cannot help you with this kind of request.
  • Payable intervention: searching for the security vulnerability

You may contact OVH support to request the intervention of our technical support team. The team will give you a quote for searching for the security vulnerability.

For such an intervention, our technical support team can:

  • search for malicious files or content on the host server
  • identify the file used by the hacker

The intervention costs €20 excl. VAT for a block of 15 minutes.

To request an intervention or a diagnostic, or to contact the OVH technical support team, you can reply to the incident ticket created following the hack.

The purpose of the intervention is to perform a diagnostic to locate the security vulnerability. The customer is responsible for patching this vulnerability.

Please note: you can only request our team to search for the source of the hack if your site has been "visibly" hacked. The team can only search for the security vulnerability exploited by the hacker, and not other potential vulnerabilities on your website.

Rebooting the host server


Overview

There are several possible outcomes if your website is hacked:

  • You receive an email notifying you of the security vulnerability.

  • In this case, you can run a scan on your site.

  • The chmod 700 command puts the website into "hack" mode.

  • In this case, you can reboot the site yourself after applying the necessary patches.

  • The chmod 000 command deactivates the website.

  • In this case, you can't reboot your website yourself.

    In all cases, you will be notified by email or an incident ticket.

    To reply to a new incident ticket, log in to the Control Panel and select the host server in question. Then go to "Website hosting" -> "Summary" -> "See my incidents". Write your message in the dialogue box and click on "Respond" at the bottom of the ticket.

The steps to reactivate your site are different.

  • In both cases, you need to patch the security vulnerability and not just delete the malicious code run by the hacker.

Scan your site

Steps related to the notification of a security vulnerability on your website:

  • 1 Our anti-hack system spots a security vulnerability on your website
  • 2 We send you an email warning you that your website will be blocked within 7 days
  • 3 Your website's outgoing functionalities are blocked (sending emails in PHP and outgoing connections, for example)
  • 4 You must delete the malicious files and patch the security vulnerability
  • 5 You may run a website scan.
  • 6 Depending on the patches you apply, outgoing functionalities are reactivated or the site is deactivated (set to chmod 000).
How to rescan your site
After you have deleted malicious files and patched the security vulnerability, you may then rescan your website.

You may scan your website several times during the 7 day period in which you must patch your website.

To do this, go to "Hosting", then select "Current operations".
Then select the spanner symbol in the table to run the scan on the domain in question.
Find out more on the notification of a security vulnerability on your website in this section of the guide.

Rebooting a website that has been blocked following a hack

Steps related to blocking a website following a hack

  • 1 Our Okiller robot spots an unauthorised command on the website, or a member of the abuse team is dealing with a security breach on the website
  • 2 We send you an email to warn you that your website will be blocked
  • 3 After a few hours, the website's status will be changed in accordance with the reason it was initially blocked
  • 4 You must delete malicious files and patch the security vulnerability
  • 5 You may directly reboot the website (follow the guidelines at the end of this guide).
  • If you don't apply any patches and reboot the website manually, it will be closed again within a few hours and may be deactivated.

  • We advise that you respond to the incident ticket to outline the changes you made to patch the issue.

Reboot a deactivated website

  • 1 You don't patch a security vulnerability spotted by our anti-hack system or a member of the abuse team is dealing with a security breach on the website
  • 2 We send you an email warning you that your website will be blocked
  • 3 After a few hours, the website's state will be changed depending on the reason it was blocked
  • 4 You must contact the incident service by replying to the ticket opened, to request that they unblock the website and to explain the changes that will be made
  • 5 Once you have replied to the ticket, the incident service may change the state of your website to "hack" state if they think that the changes you're going to make will be sufficient
  • 6 You need to delete any malicious files and patch the security vulnerability
  • 7 You may then reboot your website (follow the steps at the end of this guide). It's however preferable to respond to the ticket so that administrators can ensure that any changes made are sufficient.
  • It's mandatory to reply to the incident ticket and give details on the modifications you will make so that the state of your website will be updated and you can patch your website.

Please note:

Once access rights are changed to 705, you will need to wait a maximum of 3 hours. Our robots monitor your website every 3 hours to check any change in permissions. Depending on when you make the changes, your site may display again fairly quickly.

If the 3 hour deadline passes and your site is still not online, please contact our support team.

Useful information


Blocking an IP

Suggestion for improving security:

The first solution could be to block the IP at the source of the attack, but this is just a temporary solution as another hacker could take advantage of the same security vulnerability.

To find out how to block an IP from your website, see our guide: .htaccess Protection IP.
Block an IP from a particular country
Block using an .htaccess file

Example:
SetEnvIf GEOIP_COUNTRY_CODE DE BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
# ... place more countries here
Deny from env=BlockCountry
This example will block visitors trying to access your site from Germany and Russia.

Reboot via FileZilla

Overview
Your site was shut down as a result of prohibited activity, hacking or phishing.

You still have access to your FTP software or client so that you can patch any issues.

You can, for example, deactivate the compromised pages (set 700 rights/permissions via FTP to do this).

Once you've patched the source of the issue, reset the permissions to chmod 705 in the FTP root to restore access.
Pre-requisites
  • Retrieve your FTP login and password so you can log in to the website.
  • Here is a guide on how to retrieve FTP login details: Web hosting: how to get my website online

  • FTP software or client, such as FileZilla.

To know how to log in to FTP, please see our guide below:

Web hosting: FileZilla user guide
Step 1: FTP command
Open FileZilla. Click on "Server" then select "Enter an FTP command".

In FileZilla, you may see "Enter a customised command" instead of "Enter an FTP command".
Step 2: Reboot
In the new window that appears, enter the following command:

SITE CHMOD 705 /

If you see the following error:

550 would not chance perms on /. not such file or directory

you must use this command:

SITE CHMOD 705 .

To check that the reboot has been successful, simply test your website in a web browser.
Reminder: we recommend that you test that your website is displaying properly after 3 hours. Our robots monitor your website every 3 hours to check any change in permissions. Depending on when you make the changes, your site may display again fairly quickly.

If the 3 hour deadline passes and your site is still not online, please contact our support team.

Reboot via Net2Ftp

Overview
You may also use the FTP Explorer integrated in the "Net2Ftp" Control Panel.

You have access to your FTP so that you can patch the issues on your website.

Once the source of the issue has been patched, reset the permissions to chmod 705 in the FTP root to restore access.
Pre-requisites
Step 1: Control Panel
Log in to the Control Panel, select your domain name, then go to "Hosting" and then "FTP Explorer".
Step 2: FTP Explorer
In the new window that appears, click on the link to your cluster.

Here you will see your FTP login.
Step 3: Net2ftp connection
You will then see the "Net2ftp" connection interface.

In the "Username" field, enter your FTP login.

In the "Password" field, enter the password you set up in your Control Panel.

Then click on "Submit" to log in to the shared host server via FTP.
Step 4: Advanced mode
Then go to "Advanced".
Step 5: FTP command
Select "Go" to enter a customised command.
Step 6: Reopen your website
You need to enter the following code in the command list:

SITE CHMOD 705 /

Validate by clicking on the icon to execute the FTP command.

To check that the reboot has been successful, simply test your website in a web browser.
Reminder: we recommend that you test that your website is displaying properly after 3 hours. Our robots monitor your website every 3 hours to check any change in permissions. Depending on when you make the changes, your site may display again fairly quickly.

If the 3 hour deadline passes and your site is still not online, please contact our support team.

Reboot via SSH

Pre-requisites
Step 1: Verifying permissions
Firstly, make sure your site is fully closed using the following command:

ls -la
Step 2: Change chmod
To reboot, type in the following command:

chmod 705 .
Step 3: Reboot
To ensure that the permissions are correct, type in the following command:

ls -la
Reminder: we recommend that you test that your website is displaying properly after 3 hours. Our robots monitor your website every 3 hours to check any change in permissions. Depending on when you make the changes, your site may display again fairly quickly.

If the 3 hour deadline passes and your site is still not online, please contact our support team.

Glossary

Backdoor* is a function that is added without the knowledge of the website developer. It gives hidden access to the website and shared host server. It's usually added by a hacker after they have spotted a security vulnerability on your site.