Websites get attacked daily. Sometimes the attacker succeeds in accessing the website. This is often told as “we got hacked” but in most cases a “our website got defaced is more accurate.
This post describes what you have to do if you control your website (a custom build website or a CMS website build with Drupal, Joomla, WordPress, …) via FTP and you do not have a shell account on your server.
Why did my site got defaced / hacked?
In most cases the attacker does not really care about *your* website. For them it is just *a* website. They search for additional resources to distribute their goods. This can be a political or religious message but also spam, malware or merely “bandwith”. Likewise how home computers get infected to be part of a botnet, websites get attacked to be part of large networks that can be used to conduct a DDoS attack, start a phishing or spam campaign or deliver malware.
What should I do?
There is no reason to panic. Stay calm and carefully write down the steps that you take (in digital form or on a piece of paper). Having some sort of a log book allows you to reconstruct later what you did (and possibly improve the process).
20140502 16:10 user1 received notification of XXX that website looks 'weird' 20140502 16:30 user1 visited website from LAN and confirmed altered content 20140502 16:34 user1 logged in to provider admin site from IP 188.8.131.52 20140502 16:38 user1 contacted head of IT-security 20140502 17:10 user2 confirmed receipt of escalation ...
Some of the steps below can already be prepared in advance of an incident (for example backups, crisis communication, having a list of contact details of your service providers, …).
- Scan the system(s) that you use to administer the site
- Change your webhosting access credentials and limit access
- Inform management
- Contact your hosting provider
- Contact your web developer, web content team and crisis communication team/li>
- Contact a CERT or Law Enforcement
- Backup your log files and possible system configuration files
- Backup the website and database (yes, the hacked website)
- Inform your customers
- Find the hack
- Remove the hack or start the website from scratch
- Change website admin credentials
- Change database credentials
- Restore the webcontent
- Set up an integrity check for your site
- Review your logbook
- Make a management report
- Do a lessons learned
- Propose prevention measures
- Make a detailed incident report
- Share incident report with CERT and peers
Scan the system(s) that you use to administer the site
The easiest way attackers can get access to your website is by capturing the credentials (username + password) from your computer that you use to control your website. Use a virusscanner to scan your computer and check for unusual applications, processes or network connections.
Change your webhosting access credentials and limit access
Changing the passwords that you use to access your web hosting environment prevents an attacker from un-doing your changes. By limiting the sources (IP-filtering) from where you can access the administration pages to your website limits the actions an attacker can do. You might have to consult your web provider to implement these controls.
Inform your management of the ongoing incident so they can take appropriate actions to consult your legal or communication team. Eventually they can also decide to contact the legal authorities.
Contact your hosting provider
Your hosting provider might be able to limit the access to your website to allowed sources (see 2.). By informing them you can also prevent that the incident causes problems for other sites provided by the provider. They might also be able to help you to mitigate and control the incident.
Contact your web developer, web content team and crisis communication team
Your web developer or web content team should be informed so they already investigate the root cause of the incident. Your crisis communication team can prepare a statement to stakeholders, press and your customers.
Contact a CERT or Law Enforcement
Depending on the type of service your deliver you might want o file a complaint. Reporting your incident to a CERT team would also benefit you. A CERT can correlate this to other incident or can provide co-ordination support. In Belgium you should contact CERT.be via firstname.lastname@example.org.
Backup your log files and possible system configuration files
Log files and the original configuration files are crucial if you want to conduct an investigation on how the incident happened. In order to protect yourself from unwillingly change these files you better make one or more backups and work on these backup files.
Backup the website and database (yes, the hacked website)
It might sound weird but backing up the -hacked- website and database allows you to look at the hacked files without tampering with the originals. If you want to file a complaint and pursue legal actions it is important not to alter the original.
Inform your customers
Your customers are your most important asset. Make sure you inform them properly. Don’t hide facts but also stick to the facts. Eventually your customers will know what happen and if you tried to hide parts of the series of events it will only make you look bad.