

Ask HN: How do/would you deal with your website being hacked? - bapbap

I'm not super technical and it's not something I'll ever have to deal with but I'm curious; when a website is compromised how do you find out what they did and what data they took? Presumably the attacker will try and hide their tracks so I'm interested to know how you get a full understanding of what they did.

Additionally, is this something you prepare for, as part of a disaster recovery plan so to speak, and what is your plan of action should an attack be carried out?
======
lifeguard
The first thing to determine is if only write access to the web site's
document root was achieved or if the operating system itself has been
compromised.

If your site was only defaced, you need to patch or reconfigure your web stack
so it doesn't happen again. And restore your content from known good backups.

If the OS was compromised, you must format and reinstall everything. This is
because 'root kits' may be undetectable once they are installed by attackers.

Depending on the risk to other systems, if the OS is not open source I always
format and reinstall.
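One way to answer the first question in this post (was only the document root written to, and what exactly changed) is to keep a hash manifest of the known-good document root and diff it against what is on disk after the incident. The script below is an added example, not code from the original thread; the directory layout and file contents it builds are constructed for the demo, and the `hash_tree` / `diff_manifests` names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link pointing outside the docroot cannot
    smuggle an unrelated file into the manifest.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare a known-good manifest with the current state of the tree.

    Returns the files that appeared, disappeared, or changed content.
    Content hashes are used rather than mtimes because timestamps are
    trivially reset by anyone who can write to the files.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed example: a tiny docroot, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "docroot"
        (docroot / "css").mkdir(parents=True)
        (docroot / "index.html").write_text("<h1>Welcome</h1>\n")
        (docroot / "about.html").write_text("<p>About us</p>\n")
        (docroot / "css" / "site.css").write_text("body { margin: 0 }\n")

        # In practice this manifest is generated at deploy time and stored
        # off the web host (or signed), never inside the docroot itself.
        baseline = hash_tree(docroot)

        # Simulated changes an intruder with write access might leave behind.
        (docroot / "index.html").write_text("<h1>Defaced</h1>\n")
        (docroot / "uploads").mkdir()
        (docroot / "uploads" / "x.php").write_text("<?php /* unexpected */ ?>\n")
        (docroot / "about.html").unlink()

        return diff_manifests(baseline, hash_tree(docroot))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest only helps if the copy you compare against was not writable by the same account that got compromised; ship it to another system at deploy time, or derive it from the last known-good backup. It also says nothing about the operating system beneath the docroot, which is why the post still ends at "format and reinstall" once the OS itself is in doubt.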

------
LeviticusMB
Unfortunately, unless you have a very deep understanding of your operating
system AND you're logging audit to a REMOTE system, you should assume the
worst and reinstall all reachable systems from scratch. Invalidate all ssh
keys. Then check your databases for suspicious admin accounts before going
live.

If not, how do you know if backdoors were installed, if the databases were
modified, if local (known or unknown) exploits were used to gain root or if
private ssh keys were stolen or used to gain access to other servers?
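The "check your databases for suspicious admin accounts" step from the post above, as an added example that is not part of the thread: it walks a users table and flags any admin not on a known list kept outside the database, plus any account created inside the incident window. The table schema, the rows, and the function names are all constructed for this illustration.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """Constructed users table; in a real review you would query the
    application's own database (or a read-only copy of it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               id INTEGER PRIMARY KEY, username TEXT, role TEXT,
               created_at TEXT, last_login TEXT)"""
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice", "admin", "2023-01-10T09:00:00Z", "2024-03-01T08:12:00Z"),
            (2, "bob", "editor", "2023-02-14T10:00:00Z", "2024-02-28T17:40:00Z"),
            (3, "carol", "admin", "2023-03-01T11:00:00Z", "2024-03-02T23:58:00Z"),
            (4, "support2", "admin", "2024-03-02T03:14:00Z", "2024-03-02T03:15:00Z"),
            (5, "dave", "viewer", "2024-03-02T03:20:00Z", None),
        ],
    )
    conn.commit()
    return conn


def find_suspicious_accounts(conn, known_admins, incident_start):
    """Return accounts worth a second look, with the reason for each.

    known_admins   : set of usernames expected to hold the admin role,
                     taken from a record outside the compromised database
    incident_start : timezone-aware datetime; anything created at or after
                     it was created while the host may have been controlled
                     by someone else
    """
    findings = []
    rows = conn.execute("SELECT username, role, created_at FROM users ORDER BY id")
    for username, role, created_at in rows:
        created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
        reasons = []
        if role == "admin" and username not in known_admins:
            reasons.append("admin not in known list")
        if created >= incident_start:
            reasons.append("created during incident window")
        if reasons:
            findings.append({"username": username, "role": role, "reasons": reasons})
    return findings


def demo():
    conn = build_sample_db()
    # Known admins come from a pre-incident record, not from the table itself.
    known = {"alice", "carol"}
    window_start = datetime(2024, 3, 2, tzinfo=timezone.utc)
    return find_suspicious_accounts(conn, known, window_start)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The known-admin list has to come from somewhere the intruder could not edit (a pre-incident backup, a deployment record, a ticket), because a database they could write to can be made to look exactly as expected. Diffing the whole users table against the last good backup catches role changes on existing accounts, which this check on its own does not.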

------
zachlatta
See how bad the damage is and, if there is any chance they got access to the
OS, format and reinstall everything.

~~~
bapbap
My knowledge goes as far as ~/.bash_history, how do you find out what they got
up to?

