What would you do first if your website was hacked? Take the site off the net? Or roll back to a backup? Not really, or? Have you had any experience with this?
Probably more a Server Fault question – Joey Jan 22 '10 at 18:35
update your resume – einstiien Jan 22 '10 at 18:48
https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Quentin Apr 12 '22 at 10:19
8 Answers
The first thing I would do is to take it off the net at least till I understand what exactly is the damage. Assessing what has been compromised in a timely manner is most crucial.
Take the site offline.
This is crucial. If the intruder is still in your system and you start poking around, they might notice that you have detected their presence and try to cover their tracks (i.e. delete things).
Take it off-line and restore the entire machine, not just the web pages, from your backups. Then, before putting it back on-line, fix the hole they used to get in.
I know this sounds like common sense, but make sure you find out how they got in *before* you restore the entire machine, as you will lose the logs, etc when you restore from the backup. – Josh Brower Jan 22 '10 at 23:34
Hopefully your organization has a written document that specifies the steps to be taken, who is involved, and who is to be contacted. If not, begin writing one up immediately. Have you reported it to the police cyber-crimes unit, etc.? Don't wait until next time.
Change your passwords, and then restore from a backup. Then check your logs, contact your host, etc.
That depends on several factors. These include things such as the sensitivity of your site's data and the cost of losing or corrupting data hosted on your site.
I believe the first thing to do is to assess the level of threat in terms of the level of damage and cost to repair. The next thing to do is act accordingly.
- Understand that your web host understands how important your site is.
- Wipe the OS and re-install from backups. Don't ask your host to have a "quick look" to see if they can clean it up (this will prolong the downtime.)
- Learn from the experience (as it's almost guaranteed you do not have everything 100% backed up and a disaster recovery plan written)
- take it offline
- make backup
- check / analyze (when you have time)
- restore the last known to be good backup
You can later analyze the compromised files.
Only check/analyze if you have the time? Why would you put the system back online, without fixing the vulnerability that the attacker exploited the first time? – Josh Brower Jan 22 '10 at 23:37
You are right. "when" is what I meant instead of "if". Sometimes it is critical to have the service back online, and in the meantime you can analyze the backup of the compromised machine. – cstamas Feb 02 '10 at 08:10
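The ordered steps above (take it offline, make a backup, analyze later, restore a known-good backup) and Josh Brower's warning that restoring the machine destroys the logs both come down to the same practical task: preserve evidence before the wipe, in a form whose integrity can be shown afterwards. The following POSIX shell script is an added example and is not code from the thread or from any of its participants. The function names `preserve_evidence`, `verify_evidence` and `hash_file`, the output layout, and the sample `auth.log` line used in the usage note are all assumptions made for this illustration; the tools it calls (`tar`, `sha256sum`/`shasum`, `ps`, `ss`, `who`, `last`) are standard but any of the volatile-state commands may be absent on a given host, which the script tolerates.

```shell
#!/bin/sh
# Added evidence-preservation example (not from the thread).
# Run this on the isolated, still-powered-on host BEFORE wiping and restoring,
# so "how did they get in?" can still be answered from the preserved logs.
set -eu

# hash_file FILE: print the SHA-256 of FILE.
# Uses sha256sum where present (Linux), otherwise shasum (BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# preserve_evidence SRC_DIR OUT_DIR
#   Archives SRC_DIR (e.g. /var/log) into OUT_DIR, writes a snapshot of
#   volatile state next to it, and records SHA-256 hashes of both in a
#   manifest in `sha256sum -c` format. Prints the manifest path.
#   OUT_DIR should be removable media or a remote mount, never the disk
#   that is about to be reimaged.
preserve_evidence() {
  src=$1; out=$2
  stamp=$(date -u +%Y%m%dT%H%M%SZ)   # UTC timestamp in every file name
  host=$(uname -n)
  mkdir -p "$out"
  archive="$out/${host}-logs-${stamp}.tar"
  volatile="$out/${host}-volatile-${stamp}.txt"
  manifest="$out/${host}-manifest-${stamp}.sha256"

  # 1. Copy the logs exactly as they are. tar keeps mtimes and ownership,
  #    which matter when building a timeline of the intrusion later.
  tar -C "$src" -cf "$archive" .

  # 2. Volatile state is lost the moment the box is powered off: capture
  #    processes, listening sockets and logins. Each command may be missing
  #    on a given host, so failures are tolerated rather than aborting.
  {
    echo "# collected $stamp on $host"
    echo "## processes"; ps aux 2>/dev/null || true
    echo "## sockets";   (ss -tulpn 2>/dev/null || netstat -an 2>/dev/null) || true
    echo "## logins";    (who 2>/dev/null; last -n 20 2>/dev/null) || true
  } > "$volatile"

  # 3. Hash everything so the copy can be shown to be unaltered when it is
  #    analysed (or handed to law enforcement) weeks later.
  for f in "$archive" "$volatile"; do
    printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")"
  done > "$manifest"
  echo "$manifest"
}

# verify_evidence MANIFEST: succeed only if every listed file still hashes
# to the recorded value; any modification of the preserved copy fails this.
verify_evidence() {
  dir=$(dirname "$1")
  while read -r sum name; do
    [ "$(hash_file "$dir/$name")" = "$sum" ] || return 1
  done < "$1"
}
```

Typical use is `preserve_evidence /var/log /mnt/usb/case-001`, followed by `verify_evidence /mnt/usb/case-001/<host>-manifest-<stamp>.sha256` before anyone opens the archive. Only the *copy* is analysed; the production host is then reimaged and restored, and goes back on line once the entry point found in the preserved logs has been closed.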