Ask HN: How do/would you deal with your website being hacked?

2 pointsbapbap12y ago4 comments

I'm not super technical and it's not something I'll ever have to deal with but I'm curious; when a website is compromised how do you find out what they did and what data they took? Presumably the attacker will try and hide their tracks so I'm interested to know how you get a full understanding of what they did.

Additionally, is this something you prepare for, as part of a disaster recovery plan so to speak and what is your plan of action should an attack be carried out?

4 comments

lifeguard12y ago

The first thing to determine is if only write access to the web site's document root was achieved or if the operating system itself has been compromised.

If your site was only defaced, you need to patch or reconfigure your web stack so it doesn't happen again. And restore your content from known good backups.

If the OS was compromised, you must format and reinstall everything. This is because 'root kits' may be undetectable once they are installed by attackers.

Depending on the risk to other systems, if the OS is not open source I always format and reinstall.

LeviticusMB12y ago

Unfortunately, unless you have a very deep understandning of your operating system AND you're logging audit to a REMOTE system, you should assume the worst and reinstall all reachable systems from scratch. Invalidate all ssh keys. Then check your databases for suspicious admin accounts before going live.

If not, how do you know if backdoors were installed, if the databases were modified, if local (known or unknown) exploits were used to gain root or if private ssh keys were stolen or used to gain access to other servers?

zachlatta12y ago

See how bad the damage is and, if there is any chance they got access to the OS, format and reinstall everything.

bapbapOP12y ago

My knowledge goes as far as ~/.bash_history, how do you find out what they got up to?

j / k navigate · click thread line to collapse