Hacked? Part 2 - Mitigation and Cleaning
Last Updated: June 2019
This is Part 2 of a two-part series about the hacking of websites. If you missed the first part, have a look at Hacked? Part 1: The Why, How and What.
In this part, we will look at some tips for mitigating hacking attempts and at the process of recovering from a compromise.
How To Avoid Being Hacked?
Knowing the why and the how is important: it helps us develop a plan to protect your site from being hacked.
Let’s look at what VentraIP Australia are doing to try and protect you:
Industry Leading Security Practices
At VentraIP Australia, we take security very seriously. We have some sophisticated systems to ensure that our environment is as secure as possible and that it stays that way. We have also achieved the auDA Information Security Standards (ISS) after a full security audit.
ModSecurity (Web Application Firewall)
If you would like to know more about ModSec or WAF’s, check out our blog post on ModSecurity – Protection Through Patterns.
Basically, this firewall inspects requests made to the server and looks for malicious requests and blocks them before they can be processed.
We protect all our new services with SonicWall hardware firewalls running an IPS (Intrusion Prevention System). The IPS inspects traffic at the network level for known attack signatures, which complements ModSecurity’s application-level inspection and adds another layer of protection for your site.
In Part 1, I mentioned how Cross Contamination between individual accounts was no longer an issue. Well, this is thanks to CageFS.
CageFS puts each account into its own ‘cage’ that they can’t get out of and thus stops one account from contaminating other accounts that are on the same server.
ConfigServer eXploit Scanner (CXS) is an active service on the server that inspects files as they are uploaded, as well as files already present on accounts, and tries to match known exploit code and things like privilege escalation scripts.
ConfigServer Firewall (CSF) And Login Failure Daemon (LFD)
CSF is the firewall that we have customised to add protection and block certain ports and connections. This is network-level protection, unlike ModSecurity, which is higher up the food chain looking at things from an application level.
LFD is used to look for potential brute force attacks and blocks them when it believes they are malicious.
Let’s look at some practical ideas about mitigating attackers and some good security practices on your end:
Backups, Backups And Backups
The key to getting back online fast is having good backups, stored externally and taken at frequent intervals. All our new services come with hourly R1Soft backups, but it is always an excellent idea to have your own backup regime and store copies offsite. Test a restore from time to time; a backup you have never restored is an assumption, not a plan.
If you are compromised and can determine it was simply a compromised password, you can get back up and running in no time: change the password and restore a recent copy of your site taken from before the compromise (a backup taken after the intrusion will restore the attacker’s changes along with your site).
Keep Everything Up To Date
This is such an important aspect of mitigating most attacks. It can be annoying and time-consuming, but once your site is compromised you are risking your business, your reputation and maybe even more.
Have an ‘everyday’ approach, much like checking your house is locked before leaving. Every day that you log into your site, check over the plugins, look for patches and updates, and make that routine part of keeping your site secure.
If you are really keen, subscribe to authors and developers of plugins on social media and newsletters. They will announce when updates are coming up and/or being released. Think about what the change will do to your site and come up with some ideas about change management to avoid any negative impact of an update.
Routinely Change Your Admin Password
I would recommend a three-month rotation; set a calendar reminder for yourself to change your passwords. The reason for password rotation is that even if your password is compromised, it is only ‘fresh’ for so long. This only helps if each password is unique to one site and long enough that it cannot be guessed, and if you suspect a password has leaked, change it immediately rather than waiting for the next reminder.
A great website to check if your password has appeared in a ‘password dump’ is Have I Been Pwned? Its Pwned Passwords service holds over half a billion leaked passwords. As a rule you should never paste a live password into an arbitrary web form; the Pwned Passwords search is safe to use because it works on a SHA-1 hash of the password and only the first five characters of that hash are sent to the service (a technique called k-anonymity), so the password itself never leaves your browser. The main Have I Been Pwned search works on email addresses and tells you which breaches an account has appeared in.
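To show what the k-anonymity check actually does, here is an added example (written for this post, not code from VentraIP or from Have I Been Pwned). It hashes the password locally, sends only the five-character prefix to the real Pwned Passwords range endpoint, and does the comparison on your side. The fetch function is injectable, so the matching logic runs offline against a constructed range body; the range contents and the count shown are constructed for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Added example for this post, not code from VentraIP or Have I Been Pwned.
# Pwned Passwords range ("k-anonymity") check: the password is hashed with
# SHA-1 locally, the first five hex characters go to the API, and the returned
# list of hash suffixes is compared locally, so the password is never sent.

RANGE_API = "https://api.pwnedpasswords.com/range/"  # returns "SUFFIX:COUNT" lines


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'HASH_SUFFIX:COUNT' per line (CRLF-separated)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the range for a five-character prefix from the live API (needs network)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known dumps; 0 means not found.

    `fetch` is injectable so the matching logic can run offline against a
    constructed range body, as demo() below does.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed range body for the prefix of SHA-1("password") = 5BAA6...; the
# real API returns a few hundred such lines for any prefix. Counts are made up.
CONSTRUCTED_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\r\n"
)


def demo() -> int:
    """Offline demonstration: check 'password' against the constructed range."""
    return pwned_count("password", fetch=lambda prefix: CONSTRUCTED_RANGE)


if __name__ == "__main__":
    import getpass
    n = pwned_count(getpass.getpass("Password to check: "))
    print("seen %d times in breaches" % n if n else "not found in known breaches")
```

Run it directly and it prompts for a password (without echo) and queries the live API; the demo() function exercises the same logic on the constructed range so the behaviour can be checked without network access.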
Remove Plugins And Themes That You Are Not Using.
The more plugins you have installed, the more themes you have installed, the more vectors of attack exist. You want to keep it as bare bones as possible without disrupting your site functionality.
Always be looking at whether you ‘actually’ need that plugin. Is it adding value or functionality that is presently useful? This is often difficult, you want your site to have lots of functionality and give visitors the best experience. But often, the risk is too high and you are better off without it.
Use Antivirus On PC’s Connecting To Your Admin Pages
Really, you should have antivirus on all PCs, full stop (yes, that includes Mac users too!), but be sure anything connecting to your mission-critical systems has good, up-to-date antivirus running.
You want to avoid having keyloggers and RAT’s on your PC grabbing all your passwords and performing actions on your behalf when you are not around! I recommend Kaspersky as an excellent antivirus solution.
Get Protection From Professionals
I personally recommend Sucuri. They have a great plugin which monitors changes to core files; since a lot of hacks modify these files, you can very quickly be alerted to a compromise.
They also have a very advanced Web Application Firewall that has some fantastic features like DDOS protection, threat analysis, smart caching and much more.
Their analysts are always looking at traffic and patterns, and are often among the first to recognise new 0-day exploits. Depending on the exploit, they can virtually patch it in their firewall before the developer has released a fix.
If you are serious about keeping your site safe or have already been compromised, Sucuri are the people to go to.
Look At Modified Dates Of Plugins
Before you add a plugin, look at the last time the author updated it or modified it. If the last time the developer touched the plugin is 2011, how many vulnerabilities have been found and not patched? Most likely…a lot!
This goes for existing plugins too, keep an eye on them. If the developers haven’t pushed an update for 12 months, you may want to start thinking about an exit strategy. You don’t want stale plugins that aren’t supported installed in your CMS opening holes that aren’t being patched.
Be Wary Of Public Networks
Something you may forget about is the network you are connecting to in order to access the internet. If you are at a cafe and see an open network for “Tom’s Cafe”, I wouldn’t be connecting to it and doing anything important.
This is because of an attack type called ‘Man in the Middle’ (MITM). Basically, some hackers set up their own ‘wifi’ hotspots in cafes and public places, often with the same name as the legitimate one.
As they control the network, they control the traffic and can get up to all sorts of nasty business, including sniffing your traffic or redirecting you unknowingly to phishing pages impersonating the site you are trying to access, in order to get you to provide them with your login credentials. HTTPS with a valid certificate prevents both the sniffing and a silent redirect of the real hostname (the browser will warn about the certificate instead), so never click through a certificate warning on a network you don’t control.
Any network that you don’t control or trust implicitly: don’t use it, or at least use a VPN over it.
Have A Plan.
Last but not least. Have a plan about what you are going to do in the event you are hacked. Assume you will be hacked at some point and think exactly how you will handle it.
Who are you going to contact? What backups will you have available? Are you dealing with credit card information? What is stored on the server and the database?
These are key, once you detect a hack and know you have been compromised, you need to act quickly to minimise the damage. This will help not only help get you back up and running faster, but also keep your public image intact.
I want to briefly touch on something that doesn’t help in protecting your site from being hacked; we see a lot of customers confused over what this security product actually does: SSL certificates.
These are really important, but they don’t actually stop hacks. By design, they protect the visitor, not the site itself. The certificate’s main job is to confirm that the site the user is connecting to is the genuine site and that they haven’t been maliciously redirected.
They encrypt traffic between the web server and the visitor, and nothing else. This helps prevent attackers from viewing the information being transmitted, such as passwords and credit card details, while communicating through your site. That includes your own admin login, which is why the public networks section above matters.
So don’t install one and think that you are now protected. Your visitor’s communication is, your site…not so much.
What To Do If I’ve Been Hacked?
Let’s break down a simple plan that can help you move forward after being compromised:
Assess: The first thing you want to do is work out the scope of the attack.
What is the damage?
Are there files missing, or code removed? Have files been added? Can you determine the level of access they managed to get?
What is the type of hack?
Is your site serving malware? Is it spamming? Is it defaced? Is it phishing?
Establishing this early helps work out what has been touched and helps you focus your immediate efforts in specific areas.
Plan: How are we going to react to the information we have assessed?
What are we going to remove, what are we going to keep?
What have we assessed as damaged goods? Have we worked out if there is a backdoor or persistent exploit?
Are we going to disable the site?
Is the hack significant enough to switch to an ‘Under Maintenance’ page? Think about how we are going to keep evidence intact and put a maintenance page up.
Who are we contacting?
Was credit card information compromised? Or maybe PayPal information? Are we going to get in touch with these vendors as quickly as possible to alert them? Maybe let your customers know there was a breach through social media?
Is this outside your scope of ability? Are we going to contact an external agency to help with the cleanup (e.g. Sucuri)?
Execute: We have assessed the situation, planned our reaction, now we execute.
Move swiftly and effectively, try and keep everything intact and tamper-free.
Copy the whole site into an archive and store it locally and remotely in another location. A tar archive preserves file modification times and ownership better than a ZIP, and recording a SHA-256 checksum of the archive lets you show later that it hasn’t been altered. Include the database and the web server access and error logs, not just the files. This is important if we want to work out later the ‘how’ and the ‘who’ of the attack.
Switch over to your maintenance page so visitors aren’t infected or see the defacement page etc. Contact affected customers and vendors where appropriate.
Investigate: Now that the time-critical things are completed, it is time to work out what happened and how it happened.
Look at files and their modification times and see if you can narrow down a plugin that was compromised, bearing in mind that an attacker can reset timestamps, so the absence of recent changes proves nothing. For WordPress, the WP-CLI command wp core verify-checksums compares the core files against the official checksums and lists anything added or modified. Look in the database: are there users that were added recently, or users you don’t recognise? For WordPress that is the wp_users table (the user_registered column), with roles stored in wp_usermeta under wp_capabilities.
Look at the access log and examine the requests being made. Did a random IP POST to wp-login.php and receive a 302 redirect to the admin panel? You now know they had valid login credentials, and you have found a point of entry. A run of POSTs that got a 200 response (the login form being re-rendered) followed by a 302 is the signature of a brute-force attack that eventually succeeded.
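Here is an added example (written for this post, not VentraIP’s or any vendor’s code) that runs the two checks above on real input: which source IP logged in through wp-login.php and then used the admin area, and which files under a directory changed recently. The log lines embedded in it are constructed (documentation IP ranges) and the threshold of five failed logins is an assumption for the example.

```python
import os
import re
import time
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Added example for this post, not VentraIP's or any vendor's code.
# Apache/Nginx "combined" log format:
#   ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage_logins(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: failed wp-login POSTs (form re-rendered, 200), successful
    ones (302 redirect), admin-area requests after a success, and first time seen."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"failed": 0, "success": 0, "admin_after": 0, "first_seen": None}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if s["first_seen"] is None:
            s["first_seen"] = rec["time"]
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            if rec["status"] == 302:
                s["success"] += 1
            elif rec["status"] == 200:
                s["failed"] += 1
        elif s["success"] and rec["path"].startswith("/wp-admin/"):
            s["admin_after"] += 1
    return dict(stats)


def suspicious_ips(stats: Dict[str, dict], max_failed: int = 5) -> List[str]:
    """IPs worth a closer look: a brute-force run, or a login that went on to use
    wp-admin. max_failed=5 is an assumed threshold for the example."""
    return sorted(
        ip for ip, s in stats.items()
        if s["failed"] >= max_failed or (s["success"] and s["admin_after"])
    )


def files_modified_since(entries: Iterable[Tuple[str, float]],
                         cutoff: float) -> List[Tuple[str, float]]:
    """Keep (path, mtime) pairs changed at or after `cutoff` (epoch seconds), newest
    first. An attacker can reset mtimes, so an empty result proves nothing."""
    return sorted(((p, t) for p, t in entries if t >= cutoff),
                  key=lambda e: e[1], reverse=True)


def walk_mtimes(root: str) -> Iterable[Tuple[str, float]]:
    """Yield (path, mtime) for every file under `root`; feed to files_modified_since."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield full, os.path.getmtime(full)


# Constructed sample log lines (documentation IP ranges), not a real customer's log.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2019:03:14:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2019:03:14:02 +1000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2019:03:14:03 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2019:03:14:04 +1000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2019:03:14:20 +1000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 41000 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2019:08:00:00 +1000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
this line is not a log entry
"""


if __name__ == "__main__":
    stats = triage_logins(SAMPLE_LOG.splitlines())
    for ip in suspicious_ips(stats):
        print(ip, stats[ip])
    week_ago = time.time() - 7 * 24 * 3600
    for path, mtime in files_modified_since(walk_mtimes("."), week_ago)[:20]:
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

On the sample, 203.0.113.7 is reported: two failed logins, one successful one, and two admin-area requests after it, the second of which is the plugin upload page, a common way to drop a backdoor. Point triage_logins at the real access log (cPanel keeps it under the account’s logs directory) and walk_mtimes at the document root to do the same on a live site.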
Cleanup: This depends on your own skill level and how familiar you are with the code and systems of your installation.
If you can determine the source of the breach, you can work to clean up after it. Remove the vulnerable plugin or code and patch the hole. Remove any backdoors that were placed, to prevent re-intrusion, and then rotate every credential the attacker could have seen: admin, FTP, database and cPanel passwords, and any API keys stored in configuration files. If you cannot cleanly scope the compromise, rebuild from a backup taken before the intrusion and re-apply the fix.
If you aren’t sure, you will want to seek out some professional help.
I Need Help!
It is important to know when things are outside your scope of ability. Unless your ego is more important than your site, sometimes you need to get professionals who do this day in and day out to help.
The only organisation I can personally recommend is Sucuri. I have sent lots of customers to Sucuri and they always come back with a clean site regardless of the scope and level of compromise.
Sucuri really are the industry leaders in this department, they also have some great features and products to assist in the mitigation of attacks too.
Cybersecurity is often a balance of convenience and time, trying to strike the happy place between both can be tough. But it is very important to weigh up the risks, think about what is at stake. Based on that, you can make a conscious decision about how much time and effort you can dedicate to keeping your site secure.
The most important aspect to focus on is mitigating attacks and risk management.
- A properly maintained website that is regularly updated and monitored is a difficult target for 90% of hacks.
- Remove plugins that aren’t worth the risk and always look at your site with a security-critical eye.
- You make yourself an even more difficult target with good security practices and professional services from companies like Sucuri. Professional services often save you time too as they do some of the heavy lifting.
Although our Technical Support team can’t always help with a hacked website (we are better server administrators than developers), we can help with things like locking down your cPanel/FTP/email accounts.
So if you are unsure what to do next, feel free to get in touch with our 100% Australian – 24/7 Technical Support team and we will do our best to point you in the right direction!