

'Worst Case Scenario' Question




Posted by Ricjustsaid, 10-13-2011, 08:46 PM
Hey all! Just a hypothetical question here... suppose your site, or a client's website has been defaced. I'm wondering what would be the main steps you would take immediately after to protect site visitors from being infected by the defaced website, and a general set of steps to getting the server cleaned and back online. I'm trying to prepare myself for the inevitable here, so any advice would be appreciated!

Posted by ZKuJoe, 10-13-2011, 10:37 PM
1) Take the server off the network and restore from backups on a new server.
2) Determine how the intrusion happened.
3) Secure other servers.
4) Format the drives and do a clean install on the hacked server.

Posted by Ricjustsaid, 10-13-2011, 11:01 PM
Thanks for your reply! After a server is compromised, is it generally safe to SSH/SFTP in to grab logs and such? Is there a chance doing so could infect your own system somehow? Also, when you say "Take server off the network" - do you mean shutting down the Apache service, or disconnect it completely? If so, how can one determine how the server was compromised?

Posted by Shayan|Evolucix, 10-13-2011, 11:52 PM
I would go with this outline. TYPICALLY (please note, this is a blanket statement and should be taken with a grain of salt. There WILL be exceptions to this) if a site gets defaced, you're dealing with one of the following: an amateur hacker/script kiddie, someone with a vendetta against you or what you're advertising, or someone who's just bored. These guys generally manage to deface your site by uploading "shells". c99 shells seem to be the most commonly used type, and are uploaded through a variety of avenues, mainly RFI/file upload/default password vulnerabilities. In this case, I would do a quick search of whatever software you're running on a few reputable exploit databases (http://www.exploit-db.com/ && http://www.packetstormsecurity.org/ haven't failed me yet) to determine if there are any public exploits released for them, since that's generally what skids use - public exploits. Afterwards, if your search was unfruitful, take your server off the network - disallow all connections from the outside EXCEPT for your own, of course - and perform a security analysis. If you're unskilled in this department I would either hire a professional or switch over to a well-updated CMS. Finally, just format/clean boot + re-secure all other servers. If this is some big project and you have some expendable capital lying around, you can hire a professional pentest firm to determine all the potential exploits on your site, and then get a security expert to patch the holes.

Posted by ssfred, 10-14-2011, 06:35 AM
Hello
1. Remove the injected string from the files.
2. Change your cPanel and MySQL passwords to more secure ones.
3. Make a detailed scan of your machine to detect viruses or Trojans.
4. Check the FTP and SSH logs to identify the IP which was used for uploading the files.
5. Change the permissions of files and directories to a correct and secure set.
6. Make sure the installed application is safe and no vulnerabilities exist.
7. Ensure that firewalls and mod_security rules are implemented and are competent.

Posted by silasmoeckel, 10-14-2011, 09:34 AM
Please do not ever do this. A machine gets compromised and you nuke it, period, end of story. Trying to fix it inside a running system is like letting a mental patient self-diagnose: not a good idea. As said previously, you remove it from the network; rebooting is not a good idea. Physical console access, or an extremely strict ACL on its switchport, say only allowing SSH/RDP in from a management network. In parallel you do your bare-metal restore procedure to a fresh server with a clean base install, restoring content from backup. Every password gets changed. You track down the source if at all possible and archive the box in case there is something missing from the backups. Then you reboot into a known good environment and scan the box for anything you may have missed on the live system. However they got in, you check the rest of your systems and add that check to your regularly scheduled scan to fix as needed. My favorite one for this was a client that insisted they fixed their server, did all this scanning, hired this outside company (paid a pretty penny at that) etc etc etc. We were watching the traffic hitting the ACLs as the infection tried to spread. Pretty much once a box is infected there is no way to be sure it's clean, and all the modern exploits try to hide themselves and can do a pretty good job of it. Scanning from a boot CD etc. does a better job but it's still not perfect.

Posted by ssfred, 10-15-2011, 04:41 AM
I understand, silasmoeckel. But in the initial post, RJC mentions defacing of the website and then mentions cleaning the server. A server need not be insecure for a website to get hacked. If a server is insecure, then the chances that multiple websites on the same server have a new index page are high. The hypothetical situation is about defacing of one website. Otherwise, if it is a desktop hack (desktop of the client or the developer) then it is the website which is getting defaced. When you say defacing, I believe you were talking about the hacking itself and replacing the index page. I made a mistake because I missed the word "defacing" and was trying to explain how to handle a site which got script injection, i.e. malware injections.

Posted by HostAdmins, 10-15-2011, 12:25 PM
Always keep a copy of your server data at your local end, periodically.

Posted by Ricjustsaid, 10-15-2011, 02:46 PM
The main concern here is with people going around looking for vulnerabilities in installed scripts, and then exploiting them to deface a website and inject a malicious script/iframe onto the site. But you guys are right - there's no way to tell how deep the infection has gone, and the time spent trying to clean it would probably be greater than reloading the server from scratch. Assuming it were a script injection, what are the most likely places to look in order to find the source of the infection? Access logs? Also, is it typically safe to log into the compromised server via SSH or FTP, or could that lead to spreading an infection?
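As an added example (not from any poster in this thread), here is a small Python script that does the kind of access-log review asked about above: it parses Apache/nginx "combined" format lines and flags requests for a script served out of an upload or image directory, or POSTs the server answered with 200, grouped by client IP. The log lines, the directory list and the IPs are constructed for the example; adjust UPLOAD_DIRS to your own layout and run it against a copy of the log taken from the archived box, not on the live system.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever serve static content; a script executing from
# one of them is the classic sign of an uploaded web shell (assumed layout).
UPLOAD_DIRS = ("/uploads/", "/images/", "/tmp/")
SCRIPT_EXT = (".php", ".php5", ".phtml")

# Constructed sample log for this example (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2011:20:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2011:20:01:40 +0000] "POST /upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2011:20:02:03 +0000] "GET /uploads/c99.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2011:20:02:10 +0000] "POST /uploads/c99.php?act=edit HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Oct/2011:20:05:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Script requested from an upload/static dir, or a POST the server accepted."""
    path = rec["path"].split("?", 1)[0]
    if path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXT):
        return "script-in-upload-dir"
    if rec["method"] == "POST" and rec["status"] == "200":
        return "post-ok"
    return None

def find_suspects(log_text):
    """Return {ip: [(time, method, path, reason), ...]} for hits worth a manual look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reason := is_suspicious(rec)):
            hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], reason))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_suspects(SAMPLE_LOG).items():
        print(ip, "first seen", events[0][0])
        for t, m, p, why in events:
            print("   ", t, m, p, "<-", why)
```

The first flagged timestamp per IP is the one to line up against file modification times and the FTP/SSH logs mentioned earlier in the thread.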


