August 5, 2011

What you need to know and need to do if your website has been hacked.

Category: Security

By: Helmut Hummel

This article aims to give a short overview of the most important things to do after your website has been compromised.

This year seems to be the year of (website) hacking. Hacking communities have formed, big companies have been attacked and a lot of personal data has been exposed. My impression is that the people intruding into websites have evolved much faster in terms of security knowledge than the people setting up websites. So it is no coincidence that the security team has received quite a few reports lately from people who run a TYPO3 website that has been hacked.

Two things I want to stress before explaining what needs to be done in case of such an incident:

  1. Whenever the reason for the hack was reported to us, it was either a known (and published) vulnerability or an entry door not related to TYPO3 at all.
  2. We are not aware of any vulnerability in a current TYPO3 version that can be exploited to take over a website.

Marcus Krause presented on this topic last year and his slides are available on our team resources page. I will basically give a short summary here.

Immediate action

  • Take down the website by redirecting to a maintenance page, disabling the vhost in your web server or, if possible, disabling access to the complete server. This is important because you do not want to continue delivering the compromised website or allow malware to spread.
  • Inform your admin or hoster.
  • Scan your PC for malware. It may well be that a trojan or keylogger on your PC got hold of your passwords.

Back up the current state for analysis

  • At best, make an image of the complete filesystem, but at least back up all files in the document root of the website and all server logs.

Restore the website

  • Restore the website from a clean state out of a backup, and do so in a new environment/server.
  • If you don't have a backup (you hopefully do), hire an expert to clean up the infected website files.
  • Update the TYPO3 core and all extensions.

Find the entry door

  • This is the most important part!
  • Hire an expert to analyse the server logs. It is important to find the way the website was compromised in order to be sure you have locked the door this time.
  • It does not help to analyse or report the infected files. The "what" is quite obvious and does not help to find out how the infection took place.
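As an added illustration of the log analysis step (example code, not from the original post or the TYPO3 project): a small Python triage script for Apache/nginx combined-format access logs. It locates the first request for the planted file and lists what the same client did shortly before, which is where the entry door usually shows up. The log lines, the client addresses and the planted path are constructed for this example, and the TYPO3 paths in them are illustrative.

```python
import re
from datetime import datetime, timedelta

# Parser for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def trace_back(lines, planted_path, window=timedelta(hours=2)):
    """Find the first request for the planted file, then return every request
    the same client made in the `window` before it.  That earlier activity
    (logins, uploads, requests to unexpected paths) is where the entry door
    usually becomes visible; the infected file itself only tells you 'what'."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    first = next((r for r in recs if r["path"].split("?", 1)[0] == planted_path), None)
    if first is None:
        return None, []
    earlier = [r for r in recs
               if r["ip"] == first["ip"] and first["ts"] - window <= r["ts"] < first["ts"]]
    return first, earlier

# Constructed sample log (not a real incident). 203.0.113.5 and 198.51.100.7 are
# documentation addresses; the TYPO3 paths are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Aug/2011:09:50:12 +0200] "GET /index.php?id=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2011:09:58:40 +0200] "GET /index.php?id=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2011:09:59:02 +0200] "POST /typo3/index.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2011:10:01:30 +0200] "POST /typo3/mod.php?M=file_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2011:10:02:11 +0200] "GET /fileadmin/user_upload/x.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2011:10:02:50 +0200] "GET /index.php?id=1 HTTP/1.1" 200 8123 "-" "Googlebot/2.1"
"""

if __name__ == "__main__":
    first, earlier = trace_back(SAMPLE_LOG.splitlines(), "/fileadmin/user_upload/x.php")
    print("first hit on planted file:", first["ts"], first["ip"])
    for r in earlier:
        print(r["ts"], r["method"], r["path"], r["status"])
```

The planted path is the one the file-system backup (or a file-modification-time listing) pointed you at; on a real server the window and the client pivot are only the starting point, since the entry request may come from another address.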

Report

  • Report vulnerabilities to the Security Team, in case they were found in the TYPO3 core or in an extension in the TER.

Last but not least


comments

comment #1
Steffen Müller, August 5, 2011 01:06
Learn from being hacked:

* Be happy if you find out you were hacked. Only a few of you detect security incidents at all, enabling you to react.
* Never feel safe just because you think you are so smart. There's always someone better out there...

comment #2
François, August 5, 2011 08:08
Good summary, Helmut, thanks.

And +1 to what Steffen says: it's sometimes not obvious that your site was cracked at all. It's worth checking for extraneous content while simulating a GoogleBot agent, for example.

comment #3
Lukas Rüegg, August 5, 2011 08:50
Great article!
Makes it easier to argue why TYPO3 updates are important...

comment #4
Geschenkideen, August 19, 2011 14:45
Thanks for your article. Your tips seem to be really informative.

comment #5
Kimi Long, August 24, 2011 16:59
Great article. I have many problems with attacks from India. I don't have customers from India, so I'm in contact with my hoster to block a range of IP addresses.
