Incident response

The Top 10 Internet Resources to Use After Suffering a Cyber Breach

May 21, 2013 by Stephan Jukic

Most cyber breaches of your online presence will be directed at your website server and its accompanying databases or accounts.

And, if you've been the victim of a server hack, it probably occurred through one of two different means. The first would be an attack on a weakness in third-party web applications, or on the add-ons/plugins attached to them and running within your hosting server; the attack could even have targeted components of your LAMP software bundle. Secondly, your servers could have been breached because someone with password access accidentally or deliberately uploaded malware to them over FTP.


Another possible source of web server breaches is as simple as attackers guessing your access passwords for FTP, SSH or even email.

Whatever the specific case may be, having your servers breached is no joke. It can lead to the hackers taking advantage of the newly hijacked resource to launch attacks against other sites or servers, send out spam mail, install phishing systems on your very server for use against your clients, or possibly just destroy every site file they can gain access to.

Thus, you need to take effective action to stop the damage and reclaim what's yours as quickly as possible. Let's go over some key resources, tools and tips for doing that.

1. Use your Hosting Provider

Your single best resource for managing a cyber-breach will be your hosting provider. As the people in charge of administering daily security for your servers and sites, they owe you not only transparent reporting but also all the technical assistance you might need.

If you notice what seems to be a breach of your servers, contact your server host as soon as possible and ask them to perform their own diagnostic/repair work and to assist you with yours. Also, ask them whether the intrusion was specific to your server or just a small part of a much larger attempt at hijacking various servers.

2. Change all of your Passwords

As soon as you've become aware of a hack, or the high likelihood of one, you should also immediately change all your passwords, or at the very least those for the affected access points, if you know them. Generally, it's better to err on the side of caution and change all relevant passwords, such as those for your FTP/SFTP accounts, MySQL accounts and even your root password, just to be sure.

Passwords should be long, difficult to guess and randomized so that they contain maximal entropy. If you're very serious about password strength, a good password creation tool is available here: https://www.grc.com/passwords.htm.

3. Scan your Local Machine

In order to cover all your bases in a methodical fashion, you should also run a comprehensive scan of your local machine or any devices from which you regularly access your online servers and upload files to them.

For one thing, you can run a typical malware scan with tools such as Malwarebytes and anti-virus programs like AVG or Kaspersky and, moving beyond those, you can even search your computer(s) for all .exe files to see if any of them appear suspicious or are completely unknown. Pay particular attention to smaller unknown files, since most malware hidden in your machine will not exceed 5MB or so in size.

By running a scan of all local machines with server access, you're at least removing potential avenues of entry in a methodical way.

4. Back Up your Databases

To minimize any further damage the attackers can do, start backing up your server contents as soon as possible after discovering that a hack has occurred. This should include all MySQL databases and all additional server content in general.

To back up your MySQL databases, you can simply use phpMyAdmin in your cPanel if the databases are less than 10 MB in size. For larger databases, you can back up by logging into your server via SSH (if your webhost allows it), opening the command line, navigating to a directory where you have write privileges and exporting your large database with the following command:

mysqldump --add-drop-table -h internal-db.s00000.gridserver.com -u username -p dbname > dbname.sql

Entering this will prompt you for your database password; enter it and allow the SQL database to export into the FTP-accessible directory you chose. After that, you can simply navigate to that directory via FTP and download the entire database backup, regardless of its size.

NOTE: For the above command, "-u username" should be replaced with your own user name, "-p" makes mysqldump prompt for your password, "dbname" is your actual database name, and "dbname.sql" is the name you chose for your SQL backup file. Also, omit "--add-drop-table" if you want to merge this database export with an existing DB backup you already might have from before.

There are other DB export methods available through MySQL, but this is probably the simplest to orchestrate for large databases, assuming your host allows SSH access to servers.
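The following script is an added example, not the article's own, that wraps the mysqldump invocation shown above so the dump lands in a private directory (not one that FTP or the web server can reach: a plaintext SQL dump in such a path is itself a data exposure), is compressed, and has its SHA-256 recorded so it can be verified before a restore. The host, user and database names in the usage comment are placeholders; GNU coreutils (sha256sum, date) and gzip are assumed. The MYSQLDUMP variable is a hypothetical hook that lets the function be exercised against a stand-in when no database server is available.

```shell
#!/bin/sh
# Added example (not the article's own script): wrap the mysqldump command
# from the article so the dump is written to a private backup directory,
# compressed, and checksummed. Assumes GNU coreutils (sha256sum, date) and gzip.
# MYSQLDUMP may name a different binary (used to test without a database server).

# db_backup HOST USER DBNAME BACKUP_DIR
# mysqldump asks for the password interactively (-p with no value), so no
# password is stored in this script or visible in the process list.
db_backup() {
    db_host=$1; db_user=$2; db_name=$3; backup_dir=$4
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$backup_dir/$db_name-$stamp.sql.gz"
    tmp="$out.part"

    # Keep the dump out of web- and FTP-visible paths and readable only by you.
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1

    # Dump to a temporary file first so a mysqldump failure is detected
    # (a pipeline into gzip would only report gzip's exit status).
    "${MYSQLDUMP:-mysqldump}" --add-drop-table -h "$db_host" -u "$db_user" -p "$db_name" > "$tmp" \
        || { rm -f "$tmp"; echo "mysqldump failed for $db_name" >&2; return 1; }
    gzip -c -9 "$tmp" > "$out" && rm -f "$tmp" || return 1

    # Record the checksum beside the archive; db_backup_verify re-checks it.
    (cd "$backup_dir" && sha256sum "$(basename "$out")" >> SHA256SUMS) || return 1
    printf '%s\n' "$out"
}

# db_backup_verify BACKUP_DIR: re-hash every listed archive; non-zero on mismatch.
db_backup_verify() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}

# Usage (placeholder host/user/db): sh db_backup.sh internal-db.s00000.gridserver.com username dbname "$HOME/backups"
if [ $# -eq 4 ]; then
    db_backup "$@" && db_backup_verify "$4"
fi
```

Run db_backup_verify against the backup directory before re-importing a dump in step 10; a checksum mismatch means the archive was altered or truncated after it was written.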

5. Make Back Ups of Other Site Content

For backing up other server/site content, you can use tools like Cobian Backup, available at http://www.cobiansoft.com/cobianbackup_faq.htm#1 or, if you're a Mac user, Cyberduck, available at http://cyberduck.ch/.

Don't worry about malicious code being included in your backup; you can clean it out later in a closed local host environment by installing your backups through a MAMP or WAMP bundle on an isolated machine.

6. Investigate Details about the Hack

Look through the access logs in your hosting account to see whether someone has actually logged into your cPanel and, if so, when. Also check your .htaccess files to see whether they have been modified or completely overwritten; this will also give you an idea of when the damage to your site servers was done.

Another step you can take is to install a security monitoring system like Tripwire (http://sourceforge.net/projects/tripwire/?_test=b) to monitor your server files for any changes or modifications that occur without your permission.
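As an added example in the spirit of the Tripwire suggestion (this is not Tripwire and not the article's code), the script below records a baseline of SHA-256 hashes for every file under the web root while the site is known-good, then compares a later listing against it to report files that were added, removed or modified, which is exactly the question asked above about .htaccess. It assumes GNU coreutils (sha256sum, sort) and a POSIX awk; the demonstration directory it builds is constructed, not real site content.

```shell
#!/bin/sh
# Added example, not the article's code and not Tripwire itself: a minimal
# file-integrity check. Assumes GNU coreutils (sha256sum, sort) and awk.

# fim_baseline ROOT: print "hash  ./relative/path" for every regular file,
# sorted by path. Store the output somewhere the web server cannot write.
fim_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# fim_check ROOT BASELINE_FILE: rebuild the listing and diff it against the
# saved baseline, printing ADDED / MODIFIED / REMOVED lines (empty if clean).
fim_check() {
    fim_baseline "$1" | awk -v base="$2" '
        BEGIN {
            # sha256sum separates the hash and the path with two spaces.
            while ((getline line < base) > 0) {
                split(line, f, "  "); old[f[2]] = f[1]
            }
            close(base)
        }
        {
            split($0, f, "  "); path = f[2]; hash = f[1]
            if (!(path in old))         print "ADDED    " path
            else if (old[path] != hash) print "MODIFIED " path
            seen[path] = 1
        }
        END {
            for (p in old) if (!(p in seen)) print "REMOVED  " p
        }' | sort
}

# Demonstration on a constructed directory (not real site content).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content"
printf 'RewriteEngine On\n' > "$demo/site/.htaccess"
printf '<?php echo "hello"; ?>\n' > "$demo/site/index.php"
fim_baseline "$demo/site" > "$demo/baseline.txt"

printf '# line appended after the baseline\n' >> "$demo/site/.htaccess"   # modified
printf '<?php /* constructed */ ?>\n' > "$demo/site/wp-content/x.php"     # added
rm "$demo/site/index.php"                                                # removed
fim_check "$demo/site" "$demo/baseline.txt"
rm -rf "$demo"
```

Take the baseline right after the clean reinstall in step 10 and re-run fim_check from cron; a MODIFIED line for .htaccess or an ADDED .php file under an uploads directory is the kind of change that should never happen without your knowledge.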

7. Make Copies of Everything

Copy all unusual code that you find in your server files and store it for later examination. You can either copy and paste it or simply take screenshots of what's on the screen. Also save all odd files and .exe files to an outside storage medium such as a USB drive. Delete them from where they are causing harm on your servers afterwards, of course, but by saving copies you can later do a proper digital forensics analysis of what caused damage to your site.

8. Take Copious Notes

Additionally, note down details about everything you discover during your investigation. This should include the time at which you first noticed the hack, what sort of activities or behavior you observed, and what procedures you followed to investigate and eliminate the problems. This note-taking will serve as a useful guide for future intrusions while also being a great digital forensics tool.
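Steps 7 and 8 above fit together in one small script; the following is an added example, not the article's code. Each suspicious file is copied with its timestamps into an evidence directory, hashed before and after the copy so the copy is known to be faithful, described in a manifest (hash, original path, mtime, size, copy location), and the action is appended to a UTC-timestamped notes log. Only once the copy verifies should the original be removed from the server. GNU coreutils (cp -p, stat -c, sha256sum, date -u) are assumed; the file it preserves in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not the article's code): evidence preservation plus the
# investigation log from items 7 and 8. Assumes GNU coreutils
# (cp -p, stat -c, sha256sum, date -u).

evidence_dir=${EVIDENCE_DIR:-$HOME/evidence}   # keep this outside the web root

# note TEXT...: append one UTC-timestamped line to the investigation log (item 8).
note() {
    mkdir -p "$evidence_dir"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$evidence_dir/notes.log"
}

# preserve FILE: copy FILE into the evidence store and record it (item 7).
preserve() {
    src=$1
    mkdir -p "$evidence_dir/files"
    # Flatten the original path into a file name so copies never collide.
    dest="$evidence_dir/files/$(printf '%s' "$src" | sed 's|^\./||; s|^/||; s|/|_|g')"
    cp -p "$src" "$dest" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "copy verification failed for $src" >&2
        return 1
    fi
    printf '%s  %s  mtime=%s  size=%s  copy=%s\n' "$src_hash" "$src" \
        "$(stat -c %Y "$src")" "$(stat -c %s "$src")" "$dest" >> "$evidence_dir/manifest.txt"
    note "preserved $src sha256=$src_hash"
}

# Demonstration on a constructed file (not real evidence); evidence_dir is
# pointed at a temporary location only for the demo and then restored.
saved_dir=$evidence_dir
demo=$(mktemp -d)
evidence_dir="$demo/evidence"
mkdir -p "$demo/www"
printf 'constructed sample of an unfamiliar file\n' > "$demo/www/odd.php"
note "first noticed unexpected file $demo/www/odd.php"
preserve "$demo/www/odd.php"
cat "$demo/evidence/manifest.txt" "$demo/evidence/notes.log"
rm -rf "$demo"
evidence_dir=$saved_dir
```

The manifest hash is what lets you prove later that the file you analyse offline is byte-for-byte the one taken from the server, and the notes log gives the timeline the article asks you to keep.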

9. Clean Up

If you've taken the above steps, plus any others suited to your particular circumstances (such as using tools specific to a CMS like WordPress), be sure to go through all corrupted files and server directories and destroy any malicious files or pieces of infectious code you find, in places such as your .htaccess and .php files.

You should also destroy old, unused code in your server files in an effort to minimize surface area and complexity that could be an avenue for future attacks.

Finally, ensure that the permissions on your hosting server are set to 755 for all directories and 644 for all files.
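The two functions below are an added example (not the article's code) for auditing and then applying those modes. Audit first: the report lists everything whose mode is not exactly 755 or 644, so set-uid/set-gid bits and world-writable upload directories stand out, and you can decide deliberately about anything that legitimately differs (a CMS may need one writable directory, and CGI scripts need their execute bit). GNU find and stat -c are assumed; the directory tree in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not the article's code): audit and apply the recommended
# 755 (directories) / 644 (files) modes. Assumes GNU find and stat -c.

# perm_audit ROOT: print "dir|file MODE PATH" for every entry whose mode is
# not exactly 755 (directories) or 644 (regular files). Empty output = clean.
perm_audit() {
    find "$1" -type d ! -perm 755 -exec sh -c \
        'for p; do printf "dir  %s %s\n" "$(stat -c %a "$p")" "$p"; done' _ {} +
    find "$1" -type f ! -perm 644 -exec sh -c \
        'for p; do printf "file %s %s\n" "$(stat -c %a "$p")" "$p"; done' _ {} +
}

# perm_fix ROOT: set 755 on directories and 644 on regular files. Symbolic
# links are not followed, so targets outside ROOT are left untouched.
perm_fix() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# Demonstration on a constructed tree (not a real web root).
demo=$(mktemp -d)
mkdir -p "$demo/site/uploads"
chmod 755 "$demo/site"
chmod 777 "$demo/site/uploads"                                       # world-writable directory
printf '<?php ?>\n' > "$demo/site/index.php"; chmod 666 "$demo/site/index.php"
printf 'RewriteEngine On\n' > "$demo/site/.htaccess"; chmod 644 "$demo/site/.htaccess"
echo "before:"; perm_audit "$demo/site"
perm_fix "$demo/site"
echo "after:";  perm_audit "$demo/site"                              # prints nothing
rm -rf "$demo"
```

Re-run perm_audit after every plugin or theme update, since installers frequently loosen modes on the files they drop in.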

10. Download New, Updated Software

Once you've investigated, backed up and cleaned up your servers, you can now download completely new, fully updated versions of all software bundles, LAMP software (unless your host does this automatically) and third party addons/plugins that your server software uses.

This is vital, especially if you're running your sites from a CMS installed on your hosting servers.


Once you've got brand new installations running, re-import your newly cleaned up site content and SQL databases to their proper places.

Stephan Jukic

Stephan Jukic is a freelance writer who generally covers a variety of subjects relating to the latest changes in white hat SEO, mobile technology, marketing tech and digital security. He also loves to read and write about subjects as varied as location free business, portable business management and anything to do with finance. When not busy writing or consulting on technology, digital forensics and security, Stephan spends his days enjoying life’s adventures either in Canada or Mexico or working with LWG Consulting.