How a stolen password led to 5 different backdoors, hundreds of infected files, and a lesson in online security
Last week, a client's website started redirecting visitors to a scam site. The cleanup took over 4 hours and uncovered something unsettling: the attacker had been inside the account for nearly 4 months.
I'm sharing this story (with identifying details removed) because the lessons apply to every website owner and, frankly, every person who uses the internet.
The Timeline
In late September 2025, the attacker first gained access and quietly uploaded hidden backdoor files. These weren't obvious malware; they were disguised with innocent names like "image.php" and tucked away in folders no one would think to check. These backdoors gave them full access to the website's database.
For the next four months, the attacker had silent access. They could read the database, access emails, and monitor everything, all without the site owner knowing anything was wrong.
In mid-January 2026, they injected malicious code into a core system file, setting up infrastructure to serve SEO spam to search engines. Then in late January, they made their big move: mass deployment of redirect code into hundreds of files across the entire account.
What We Found
The cleanup revealed five separate backdoors: two database management tools giving full database access, a file manager allowing complete control over all website files, a proxy script serving attacker-controlled content, and a core file injection with hidden payload files. On top of that, over 200 files had been infected with redirect code.
Every password had to be changed: database, admin account, hosting panel, and all email accounts on the domain.
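As an added example (not code from the original post or from Cybersalt), here is a first-pass triage script for the three kinds of findings above: PHP scripts sitting in folders that should only hold static content, a burst of recently modified files from a mass injection, and injected obfuscation or redirect code. It assumes a PHP site laid out like WordPress; the folder names, the signature patterns and the constructed fixture are assumptions, not details from the incident.

```shell
#!/bin/sh
# Added example, not code from the original post or from Cybersalt.
# A first-pass triage of a PHP web root for what the cleanup above describes:
# PHP scripts dropped into folders that should hold only static content,
# files changed in a recent window, and injected obfuscation/redirect code.
# Directory names, signatures and the fixture are illustrative assumptions.

# 1. PHP where only static content belongs (upload and cache folders).
php_in_static_dirs() {
  find "$1" -type f -name '*.php' \( -path '*/uploads/*' -o -path '*/cache/*' \) | sort
}

# 2. Files modified in the last N days (default 7). A mass injection
#    shows up as hundreds of files sharing one recent timestamp.
recently_modified() {
  find "$1" -type f -mtime -"${2:-7}" | sort
}

# 3. Common signatures of injected code: obfuscated PHP payloads and
#    client-side redirects. Expect false positives; review every hit by hand.
signature_hits() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) -exec \
    grep -lE 'eval\(base64_decode|gzinflate\(|str_rot13\(|window\.location\.(href|replace)' {} + | sort
}

# Constructed fixture: a tiny fake web root mimicking the post's findings.
# The "backdoor" is only a signature string, not working malware.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/site"
  printf '<?php echo "home"; ?>\n' > "$root/index.php"
  printf 'JPEGDATA\n' > "$root/wp-content/uploads/photo.jpg"
  printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$root/wp-content/uploads/image.php"
  printf '<?php get_header(); ?>\n<script>window.location.replace("https://example.net/");</script>\n' \
    > "$root/wp-content/themes/site/header.php"
  # Legitimate files get an old timestamp so only the injected ones look recent.
  touch -t 202501010000 "$root/index.php" "$root/wp-content/uploads/photo.jpg"
  printf '%s\n' "$root"
}

# Run against a real web root (./triage.sh /var/www/site) or, with no
# argument, against the constructed fixture.
root="${1:-$(make_fixture)}"
echo "== PHP in static folders ==";   php_in_static_dirs "$root"
echo "== Modified in last 7 days =="; recently_modified "$root"
echo "== Signature hits ==";          signature_hits "$root"
```

Hits are leads, not verdicts: a file that matches still needs to be read, and a clean scan does not prove the site is clean, since a proxy script or a core-file injection may use none of these strings. Once any backdoor is confirmed, assume the attacker has copies of every credential the site could reach, which is why the cleanup above rotated all of them.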
The Root Cause
Here's the important part: this wasn't a sophisticated exploit of some software vulnerability. The attacker got in because they had the hosting control panel password.
How did they get it? We can't know for certain, but the usual suspects are phishing (a convincing fake email leading to a fake login page), malware (a keylogger on the computer capturing the password as it was typed), or password reuse (the same password used on another site that suffered a data breach).
The attacker didn't need to be a genius. They just needed one password.
What Would Have Stopped This
If two-factor authentication had been enabled on the hosting control panel, the stolen password would have been useless. Even with the correct password, the attacker would have been stopped at the door, unable to enter without the 6-digit code from the account owner's phone. Time to set up: 5 minutes. Cost: free.
If the hosting password had been unique, not reused on any other website, a breach elsewhere wouldn't have exposed it. A password manager like Bitwarden makes this easy and it's free.
If the computer had been regularly scanned for malware, any keylogger might have been caught before it could do damage. Windows Defender is built in, and Malwarebytes offers free scans as a second opinion.
The Math
Prevention would have taken 5 minutes to enable 2FA, plus a few minutes to set up a password manager, essentially free. Remediation took over 4 hours of professional cleanup, which can be a significant cost. And that doesn't count the reputation damage from customers being redirected to scam sites, the potential data exposure from 4 months of silent access, or the stress of dealing with a crisis instead of running a business.
What You Can Do Today
Take 30 minutes and do this: Enable 2FA on your email (this is the master key to everything else), your hosting panel, your website admin, and your bank accounts. Apps like Google Authenticator, Microsoft Authenticator, or Authy are free and work with almost everything.
Set up a password manager like Bitwarden and start generating unique passwords for every site. I know it sounds like a hassle, but it's actually more convenient than trying to remember which variation of your password you used where.
Run a malware scan with Windows Defender and Malwarebytes. Do this monthly.
Visit haveibeenpwned.com and enter your email address to see if it's appeared in any known data breaches. If it has, change passwords for any accounts where you've reused passwords.
You've Got This
You don't need to be a security expert to protect yourself. You just need 30 minutes and these free tools. The attackers out there are counting on "someday" never coming. Don't let them be right.
If your website has been hacked or you'd like help with security, contact Cybersalt. We'd rather help you prevent an incident than clean one upโbut we're here for both.