“How do I fix this?” read the post from someone whose site was hacked.  S/he wanted advice on how to find the hacker’s entry point.

Good question, but the right question is:  “What should I do when I discover my website has been hacked?”

When you notice that someone (or something, like a bot) has tampered with your system you have a serious incident (not a bug) and you need a response plan (not a reaction or quick bug fix):

  1. Don’t shut down the system.  There probably is valuable evidence in volatile memory.  Segregate the system from your network and the Internet at large while you investigate (unplug the network cable, filter the server’s IP address, use VLAN capability to put the MAC address on an unconnected virtual subnet, etc.).
  2. Ask for professional help:  Talk to local experts and ask for advice.  Contact the officers of the local information security groups:  InfraGard, ISSA, ISACA, etc.  The response is a full-time job for a period of time, usually weeks.
  3. Keep a chain of custody. Be very careful about who accesses the system.  Write down steps taken.  Include times.
  4. Keep your head and take your time.  Don’t rush this; it’s going to be offline for longer than you think.  Like a week…or weeks.
  5. A SQL Injection flaw in a contractor-developed system is not one flaw. It is many flaws. Probably many, many flaws.
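Step 3’s written record of who touched the system, what they did and when, as an added example (not from the original post): a small Python chain-of-custody log in which every entry carries a UTC timestamp, the operator, the action, an optional SHA-256 of an evidence file, and the hash of the previous entry, so editing or deleting an earlier line is detectable. The file paths and operator names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash an evidence file so later entries can show it was not altered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record(log_path, operator, action, evidence=None):
    """Append one custody entry (JSON line) to the log and return its hash.
    Each entry commits to the previous entry's hash, forming a chain."""
    log_path = Path(log_path)
    prev = "0" * 64  # genesis value for the first entry
    if log_path.exists():
        lines = log_path.read_text().splitlines()
        if lines:
            prev = json.loads(lines[-1])["entry_hash"]
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "action": action,
        "evidence": str(evidence) if evidence else None,
        "evidence_sha256": sha256_file(evidence) if evidence else None,
        "prev_hash": prev,
    }
    payload = json.dumps(entry, sort_keys=True)
    entry["entry_hash"] = hashlib.sha256(payload.encode()).hexdigest()
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["entry_hash"]

def verify(log_path):
    """Recompute the chain; True only if every entry links to its predecessor
    and its own hash still matches its content."""
    prev = "0" * 64
    for line in Path(log_path).read_text().splitlines():
        entry = json.loads(line)
        claimed = entry.pop("entry_hash")
        recomputed = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or recomputed != claimed:
            return False
        prev = claimed
    return True
```

Keep the log on separate, write-protected storage (not on the compromised host) and have each operator sign off on their entries; the hash chain shows tampering but does not by itself prove who tampered.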