
What to do when you've been hacked?

We've been hacked more than once. We've been called hundreds of times by others who have experienced the same. If you have prepared well, being hacked can be a 20 minute chore to fix. If you're not well prepared, it can be costly, painfully embarrassing and potentially career-ending.

There are three levels of response; below is a summary of the steps within each. What's critical in any security breach is following a standard process and documenting every step along the way. When you're all done with a hacking fire drill, it's common that someone will want to know why it happened, what damage was done and how it will not happen again.
1. IMMEDIATE

A. Take the site offline.

That doesn't mean terminate the account! We actually had someone do that, then called us for help. Rename the public_html directory, turn off HTTP services (shut down Apache)... Whatever you do, don't erase any files or just put up a landing page to replace index.html. If you expect extended downtime, update DNS to take visitors to your plan B site.

B. Put up a bounce page

Take visitors to an information page (e.g., "We are down for maintenance"). Do not have them bouncing to a page within the current site. Redirect them at the DNS level, not with HTML within the hacked site. Do not tell the world you have been hacked. That's your business -- and it makes you look bad.

C. Make full backup of site (files and DB)

D. DO NOT modify any files. DO NOT delete any files.

E. Contact stakeholders and let them know the site is offline.

Send email to the owners/managers of the domain. If the domain was also being used to host email, you need another channel (not that domain's mail) to let them know their email is down too.

F. Contact the web hosting company; let them know you have been compromised

If the site is hosted by a company that is responsible for OS management, they should be alerted as many attacks arrive via open ports, unrelated to your site. This is very common in shared server environments, but can also happen on dedicated servers that are not properly patched/updated.

G. Contact local authorities if the hack was criminal

If the site contained anything related to credit card theft or if the attack generated links/content to anything illegal, it's a good idea to report it locally. Some cities have cybercrime units that may be able to offer assistance, but more importantly, reporting is a form of due diligence to demonstrate steps are being taken to correct the problem and to be cooperative with local authorities if needed.

H. Review any other sites on the same IP that are under your control

If the attack was not directed at the domain, it's very possible other sites on the same server/same IP were also targeted. This is especially true if other sites were running the same software.
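Steps A, C and D above (rename rather than delete, back up the files and DB, and log every action) written as one POSIX shell routine. This is an added example, not code from the original article; the directory layout, the MySQL/MariaDB assumption with credentials in ~/.my.cnf, and the function names are all assumptions of the example.

```shell
# Evidence-preserving "IMMEDIATE" steps: rename the web root instead of
# deleting it, archive it with a hash, and log every action. Paths and the
# MySQL assumption are this example's, not the page's.
set -eu

# Every action gets a timestamped line in the incident log (the page's
# "document every step along the way").
log_step() {
  evidence_dir="$1"; shift
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$evidence_dir/incident.log"
}

# A. Take the site offline by renaming the web root; nothing is deleted.
# Prints the new path. Refuses to clobber an earlier rename.
take_offline() {
  site_dir="$1"; evidence_dir="$2"; offline_dir="${site_dir}.offline"
  if [ -e "$offline_dir" ]; then
    echo "refusing to overwrite existing $offline_dir" >&2; return 1
  fi
  mv "$site_dir" "$offline_dir"
  log_step "$evidence_dir" "renamed $site_dir to $offline_dir"
  echo "$offline_dir"
}

# C. Full file backup as a read-only tarball plus its SHA-256, so the copy
# can later be shown to be unmodified. Prints the archive path.
snapshot_files() {
  src_dir="$1"; evidence_dir="$2"; archive="$evidence_dir/site-files.tar"
  tar -cf "$archive" -C "$(dirname "$src_dir")" "$(basename "$src_dir")"
  (cd "$evidence_dir" && sha256sum "$(basename "$archive")" > "$archive.sha256")
  chmod 0400 "$archive" "$archive.sha256"
  log_step "$evidence_dir" "archived $src_dir as $archive sha256=$(cut -d' ' -f1 "$archive.sha256")"
  echo "$archive"
}

# C. Database half of the backup. Assumes MySQL/MariaDB with credentials in
# ~/.my.cnf so they never appear on the command line. Dump, then compress,
# so a failed mysqldump is not hidden behind a successful gzip.
snapshot_db() {
  db_name="$1"; evidence_dir="$2"; dump="$evidence_dir/$db_name.sql"
  mysqldump --single-transaction --routines --triggers "$db_name" > "$dump"
  gzip "$dump"; chmod 0400 "$dump.gz"
  log_step "$evidence_dir" "dumped database $db_name to $dump.gz"
  echo "$dump.gz"
}

# Confirm the archive still matches the recorded hash (exit 0 = untouched).
verify_snapshot() {
  archive="$1"
  (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256")
}
```

Typical use is `take_offline /var/www/public_html /root/evidence` followed by `snapshot_files` on the printed path, then `snapshot_db`; run `verify_snapshot` before handing the archive to the host or the authorities.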