Help, my website’s been hacked! Triage and collecting Indicators of Compromise

THREAT ANALYSIS AND SHARING WEBINAR SERIES

For the fourth webinar in the Threat Analysis and Sharing series, Nataliia Onyshchenko, ICT Coordinator for Internews Europe, introduced the tools to use, places to look, and questions to ask when investigating compromised websites. The following highlights some of the guidance Nataliia shared for dealing with the most common attacks experienced by civil society sites.

On discovering an attack:

We often learn about attacks from monitoring system alerts about high resource consumption, since many attacks – including but not limited to DDoS – manifest as performance problems. Alerts may also arrive from third parties such as the hosting platform. Or your website may just go down! More rarely, we discover malware by chance when conducting routine maintenance. And if you’re a first responder, you will likely be contacted by someone whose website was attacked, in which case you start off with zero information.

There are several important questions to ask at the outset of any investigation. For example, questions about the specific times incidents occurred will be important when analyzing logs further down the line. Other key questions include:

  • What is happening exactly? Errors, timeouts, slow loading times? Can you send a screenshot?
  • What were you doing when the incident occurred? Do you have any idea what might be triggering the problem?
  • Is the entire website affected or just a part of it?
  • How long has it been happening? How often does it happen? When did it happen last?
  • If it’s a recurring problem, does it need to be fixed by someone each time? What actions have they taken?
  • Have you changed anything on the website recently (e.g. plugins)? Who would know if something has been changed?
  • Is there another website administrator who wouldn’t want me exploring the system?
  • What steps do you approve for me to take? Can I install things on your system?
  • Is there a specific time slot during which I should work on your system (e.g. weekends, night time)?

On sources of information when investigating:

The main sources of information for an investigation are files, logs, processes, cron jobs, and connections (netstat). For more detail on identifying anomalies and useful tools for analysis, see the detailed notes linked below. But often you don’t need to dig very deep, or even analyse logs, to get to the bottom of an attack! Most NGOs and independent media organizations use CMSs (content management systems), and the most common avenues for compromise are:

  • Poor credential management
  • Outdated login accounts
  • Plugins/components with known vulnerabilities

Because of this, you should start off by simply checking plugins for vulnerabilities and going through user accounts for old/default accounts. And don’t forget to document what you’re doing with screenshots!
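As an added example (not from the webinar), a small Python triage helper that applies the "when did it happen?" question to a web server access log: it parses combined-format lines, keeps only requests within a few minutes of the time the site owner reported, and counts the top client IPs, paths and user agents, plus login POSTs per IP. The log lines, IP addresses and timestamps are constructed sample data.

```python
"""Triage helper: narrow a web access log to the reported incident window and
summarise who was hitting what. Added example; log lines are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (Apache/nginx 'combined' format): a burst of login POSTs from one automated client.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:02:58:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1210 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1210 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1210 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:03:01:30 +0000] "GET /about/ HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:04:10:00 +0000] "GET /feed/ HTTP/1.1" 200 8800 "-" "Feedly/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarise_window(log_text, incident_iso, minutes=5):
    """Keep requests within +/- `minutes` of the reported time (ISO 8601 with
    offset) and count top IPs, paths, user agents and login POSTs per IP."""
    centre = datetime.fromisoformat(incident_iso)
    lo, hi = centre - timedelta(minutes=minutes), centre + timedelta(minutes=minutes)
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and lo <= r["ts"] <= hi]
    return {
        "requests": len(recs),
        "by_ip": Counter(r["ip"] for r in recs).most_common(3),
        "by_path": Counter(r["path"] for r in recs).most_common(3),
        "by_agent": Counter(r["ua"] for r in recs).most_common(3),
        "login_posts_by_ip": dict(Counter(
            r["ip"] for r in recs if r["method"] == "POST" and "login" in r["path"])),
    }

if __name__ == "__main__":
    print(summarise_window(SAMPLE_LOG, "2024-03-12T03:00:00+00:00"))
```

On a real host, feed it the access log from the window the owner named and widen `minutes` until the anomalous client stands out; the same IP then becomes the obvious candidate for the blocking step discussed under mitigation.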

On mitigating attacks:

If the compromise has occurred and you know malware is present on your website then the gold standard approach is to ‘burn it down’ and rebuild from scratch with fresh plugins. If this isn’t possible then clean the site with malware scanners and by hand – but you can never be 100% certain that no malware remains.

If an attack is in progress then basic IP blocking can help. And to guard against future attacks, keep your plugins up to date and maintain good account security. You can also put a CAPTCHA on your login page to stop brute-force bots from trying to access your admin panel.

Useful resources:

Organizations that provide support to independent media and human rights groups:

WordPress security plugins:

And for Joomla, try https://github.com/rezasp/joomscan


FOR MORE INFORMATION ON IDENTIFYING ANOMALIES, TOOLS FOR ANALYSIS, AND RESOURCES FOR CIVIL SOCIETY, CHECK OUT THE DETAILED NOTES AND SLIDEDECK FROM THE WEBINAR.

Cover Image by Khanh Tran / CC by 4.0