August 5, 2011
What you need to know and need to do if your website has been hacked.
By: Helmut Hummel
This article aims to give a short overview of the most important things to do after your website has been compromised.
This year seems to be the year of (website) hacking. Hacking communities have formed, big companies have been attacked and a lot of personal data has been exposed. My impression is that the people breaking into websites have evolved much faster in terms of security knowledge than the people setting up websites. So it's no coincidence that the security team has received quite a few reports lately from people who run a TYPO3 website that has been hacked.
Two things I want to stress before explaining what needs to be done in case of such an incident:
- Where the cause of the hack was reported to us, it was a known (and published) vulnerability or an entry door not related to TYPO3.
- We are not aware of any vulnerability in a current TYPO3 version that can be exploited to take over a website.
Marcus Krause presented on this topic last year and his slides are available on our team resources page. I will basically give a short summary here.
Immediate action
- Take down the website by redirecting to a maintenance page, disabling the vhost in your web server or, if possible, disabling access to the whole server. This is important because you do not want to keep serving the compromised website or allow malware to spread.
- Inform your admin or hoster
- Scan your PC for malware. It may well be that a trojan or keylogger on your PC got hold of your passwords.
Back up the current state for analysis
- At best, make an image of the complete filesystem, but at the very least back up all files in the document root of the website and all server logs.
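One way to do that backup in a way that is still useful for the later log analysis, as an added example that is not part of this article: archive the document root and the log directory read-only (tarfile keeps mode, owner and mtime), write a SHA-256 manifest of the archives so nobody can later doubt what was captured, and record a per-file inventory sorted by modification time, because the mtimes of the infected files bound the time window you will have to search in the logs. The paths and file contents in `demo()` are constructed sample data, not taken from any real site.

```python
"""Snapshot a compromised site and its logs for analysis, without altering them."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large log files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """List every regular file under root as (relpath, mtime, sha256), newest first.

    Recently changed files are the natural starting point for the log analysis:
    their mtimes tell you roughly when the intruder was active.
    """
    root = Path(root)
    rows = [(str(p.relative_to(root)), p.stat().st_mtime, sha256_of(p))
            for p in root.rglob("*") if p.is_file()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def preserve_evidence(sources, out_dir):
    """Archive each source tree and record archive hashes and a file inventory.

    Returns a list of (archive_path, sha256). The sources are only read, so the
    copy reflects the state the intruder left behind.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archives = []
    for src in map(Path, sources):
        archive = out_dir / f"{src.name}-{stamp}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=src.name)  # recursive; keeps mode, owner, mtime
        archives.append((archive, sha256_of(archive)))
        # per-file inventory next to the archive, for the timeline work later
        inv = out_dir / f"{src.name}-{stamp}.inventory.txt"
        inv.write_text("".join(f"{mtime:.0f}\t{digest}\t{rel}\n"
                               for rel, mtime, digest in inventory(src)))
    manifest = out_dir / f"manifest-{stamp}.sha256"
    manifest.write_text("".join(f"{d}  {p.name}\n" for p, d in archives))
    return archives


def demo():
    """Constructed sample: a tiny document root and a log directory in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "htdocs"
        (site / "typo3conf").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed sample\n")
        (site / "typo3conf" / "localconf.php").write_text("<?php // constructed\n")
        logs = tmp / "logs"
        logs.mkdir()
        (logs / "access.log").write_text(
            '203.0.113.7 - - [04/Aug/2011:22:16:02 +0200] "GET /index.php HTTP/1.1" 200 17\n')
        archives = preserve_evidence([site, logs], tmp / "evidence")
        # the manifest must describe exactly what is on disk
        verified = all(sha256_of(p) == d for p, d in archives)
        return {"archives": len(archives), "verified": verified,
                "site_files": len(inventory(site))}


if __name__ == "__main__":
    print(demo())
```

Run it on the real server as `preserve_evidence(["/var/www/htdocs", "/var/log/apache2"], "/mnt/evidence")` (paths assumed), writing to a disk that is not the compromised one, and hand the manifest to whoever does the analysis together with the archives.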
Restore the website
- Restore the website from a clean state out of a backup, into a new environment/server.
- If you don't have a backup (you hopefully do), hire an expert to clean up the infected website files.
- Update TYPO3 core and extensions
Find the entry door
- This is the most important part!
- Hire an expert to analyse the server logs. It is important to find out how the website was compromised, so you can be sure you have locked the door this time.
- Analysing or reporting the infected files does not help. The "what" is quite obvious and does not reveal how the infection took place.
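To make concrete what "finding the entry door in the logs" means, here is an added example that is not part of this article: given the path of one infected file (the obvious "what"), it parses combined-format access logs, finds the first request ever made to that file, and then lists everything the same client did before that moment, highlighting the POST/PUT requests that could have put the file there. The sample log lines, IP addresses and paths are constructed for the example; the window size is an assumed default.

```python
"""Correlate a known-infected file with the access log to find how it got there."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; the query string stays part of `path`.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: a backend login, a file operation, then the first
# hit on the dropped file, plus an unrelated visitor before and after.
SAMPLE_LOG = """\
198.51.100.20 - - [04/Aug/2011:21:50:00 +0200] "GET /index.php?id=2 HTTP/1.1" 200 4711
203.0.113.7 - - [04/Aug/2011:22:13:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [04/Aug/2011:22:13:40 +0200] "GET /typo3/index.php HTTP/1.1" 200 2048
203.0.113.7 - - [04/Aug/2011:22:14:05 +0200] "POST /typo3/index.php HTTP/1.1" 302 0
203.0.113.7 - - [04/Aug/2011:22:15:30 +0200] "POST /typo3/tce_file.php HTTP/1.1" 200 312
this line is deliberately malformed and must be skipped
203.0.113.7 - - [04/Aug/2011:22:16:02 +0200] "GET /fileadmin/user_upload/cache.php HTTP/1.1" 200 41
198.51.100.20 - - [04/Aug/2011:22:16:10 +0200] "GET /index.php?id=5 HTTP/1.1" 200 4870
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def reconstruct_timeline(lines, infected_path, window=timedelta(hours=24)):
    """Find the first request to infected_path and what that client did before it.

    Returns None if the file never appears in the log (then look at other logs,
    FTP/SSH for instance, or widen the search). Otherwise returns the first hit,
    every earlier request from the same IP inside `window`, and the subset of
    those that were POST/PUT, since only those could have written the file.
    """
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    hits = [e for e in entries if e["path"].split("?", 1)[0] == infected_path]
    if not hits:
        return None
    first = hits[0]
    prior = [e for e in entries
             if e["ip"] == first["ip"] and first["ts"] - window <= e["ts"] < first["ts"]]
    writes = [e for e in prior if e["method"] in ("POST", "PUT")]
    return {"first_hit": first, "prior": prior, "writes": writes}


if __name__ == "__main__":
    tl = reconstruct_timeline(SAMPLE_LOG.splitlines(), "/fileadmin/user_upload/cache.php")
    print("first hit:", tl["first_hit"]["ip"], tl["first_hit"]["ts"].isoformat())
    for e in tl["prior"]:
        flag = "<-- write" if e in tl["writes"] else ""
        print(e["ts"].isoformat(), e["method"], e["path"], e["status"], flag)
```

In the constructed sample the trail leads to a successful backend login followed by a file operation from the same address, which is the pattern you would expect if the password had been stolen as described under "Scan your PC for malware". On a real server the same IP check is only a first cut: feed the mtimes from your file inventory in as the window, and repeat for every infected file, because the first one you noticed is rarely the first one dropped.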
Report
- Report vulnerabilities to the Security Team, in case they were found in the TYPO3 core or in an extension in the TER.
Last but not least
- Be happy if you find out you were hacked. Only a few of you detect security incidents at all, enabling you to react.
- Never feel safe just because you think you are so smart. There's always someone better out there...