What to do if your website gets hacked or defaced

Introduction

Websites get attacked daily. Sometimes the attacker succeeds in accessing the website. This is often told as “we got hacked” but in most cases a “our website got defaced is more accurate.

This post describes what you have to do if you control your website (a custom build website or a CMS website build with Drupal, Joomla, WordPress, …) via FTP and you do not have a shell account on your server.

Why did my site got defaced / hacked?

In most cases the attacker does not really care about *your* website. For them it is just *a* website. They search for additional resources to distribute their goods. This can be a political or religious message but also spam, malware or merely “bandwith”. Likewise how home computers get infected to be part of a botnet, websites get attacked to be part of large networks that can be used to conduct a DDoS attack, start a phishing or spam campaign or deliver malware.

What should I do?

There is no reason to panic. Stay calm and carefully write down the steps that you take (in digital form or on a piece of paper). Having some sort of a log book allows you to reconstruct later what you did (and possibly improve the process).

20140502 16:10	user1	received notification of XXX that website looks 'weird'
20140502 16:30	user1	visited website from LAN and confirmed altered content
20140502 16:34	user1	logged in to provider admin site from IP 1.2.3.4
20140502 16:38	user1	contacted head of IT-security
20140502 17:10	user2	confirmed receipt of escalation
...

Some of the steps below can already be prepared in advance of an incident (for example backups, crisis communication, having a list of contact details of your service providers, …).

  1. Scan the system(s) that you use to administer the site
  2. Change your webhosting access credentials and limit access
  3. Inform management
  4. Contact your hosting provider
  5. Contact your web developer, web content team and crisis communication team/li>
  6. Contact a CERT or Law Enforcement
  7. Backup your log files and possible system configuration files
  8. Backup the website and database (yes, the hacked website)
  9. Inform your customers
  10. Find the hack
  11. Remove the hack or start the website from scratch
  12. Change website admin credentials
  13. Change database credentials
  14. Restore the webcontent
  15. Set up an integrity check for your site
  16. Review your logbook
  17. Make a management report
  18. Do a lessons learned
  19. Propose prevention measures
  20. Make a detailed incident report
  21. Share incident report with CERT and peers

Detailed actions

Scan the system(s) that you use to administer the site

The easiest way attackers can get access to your website is by capturing the credentials (username + password) from your computer that you use to control your website. Use a virusscanner to scan your computer and check for unusual applications, processes or network connections.

Change your webhosting access credentials and limit access

Changing the passwords that you use to access your web hosting environment prevents an attacker from un-doing your changes. By limiting the sources (IP-filtering) from where you can access the administration pages to your website limits the actions an attacker can do. You might have to consult your web provider to implement these controls.

Inform management

Inform your management of the ongoing incident so they can take appropriate actions to consult your legal or communication team. Eventually they can also decide to contact the legal authorities.

Contact your hosting provider

Your hosting provider might be able to limit the access to your website to allowed sources (see 2.). By informing them you can also prevent that the incident causes problems for other sites provided by the provider. They might also be able to help you to mitigate and control the incident.

Contact your web developer, web content team and crisis communication team

Your web developer or web content team should be informed so they already investigate the root cause of the incident. Your crisis communication team can prepare a statement to stakeholders, press and your customers.

Contact a CERT or Law Enforcement

Depending on the type of service your deliver you might want o file a complaint. Reporting your incident to a CERT team would also benefit you. A CERT can correlate this to other incident or can provide co-ordination support. In Belgium you should contact CERT.be via cert@cert.be.

Backup your log files and possible system configuration files

Log files and the original configuration files are crucial if you want to conduct an investigation on how the incident happened. In order to protect yourself from unwillingly change these files you better make one or more backups and work on these backup files.

Backup the website and database (yes, the hacked website)

It might sound weird but backing up the -hacked- website and database allows you to look at the hacked files without tampering with the originals. If you want to file a complaint and pursue legal actions it is important not to alter the original.

Inform your customers

Your customers are your most important asset. Make sure you inform them properly. Don’t hide facts but also stick to the facts. Eventually your customers will know what happen and if you tried to hide parts of the series of events it will only make you look bad.

Find the hack

Remove the hack or start the website from scratch

Change website admin credentials

Change database credentials

Restore the webcontent

Set up an integrity check for your site

Review your logbook

Make a management report

Do a lessons learned

Propose prevention measures

Make a detailed incident report

Share incident report with CERT and peers

Leave a Reply

Your email address will not be published. Required fields are marked *