By Darren Beale

Finding out that your website has been hacked can be one of the most devastating things to find out for any website owner. Worse still is how do you get everything back and running smoothly again?

This article takes you through the steps to getting your business back online.

Take the site offline, immediately

The first thing you should do when you find out your application has been compromised is to take the site offline straight away. You should replace your app with a simple maintenance page that should be hosted on a totally separate server. Once this is done turn off public internet access to and from your server, so it cannot accept incoming connections and cannot make any outgoing connections.

This is to ensure that an attacker cannot gain (or continue to have) access to your machine and that any malicious scripts on the server can’t communicate with anything outside of the internal network.

Find out what went wrong

Once your server is safely off the internet, you need to work out what went wrong. This is the most important step because if you don’t know how someone gained access to your machine, you won’t be able to stop them from doing it again when you put the site back up. Some things to look out for are any changes made to .htaccess files, PHP code in files that do not have a .php file extensions or newly installed plugins on WordPress or other CMS solution. This isn’t an exhaustive list but gives you a place to start.

Create a backup of the server

You need to store a snapshot of the server somewhere safe so you can recreate the system as it was when the compromise was noticed for any future proceedings, whether they be internal investigations or police investigations in the event of a serious attack on your systems.

This allows you to go through the log files offline, looking for any behaviour inconsistent with normal user activity and will help you find out what went wrong. You can also pass these files onto your legal team if required if the attack was serious, such as sensitive user data being accessed.

Change SSH keys and passwords

Next up you’ll need to change the SSH keys and/or passwords you use to access the server or application. These are keys that establish your identity from your machine to your servers.

You probably don’t connect to your server at all (if you’re not technical you shouldn’t anyway) but we mention this here so you can be sure to ask your developers if they have changed their SSH keys.

Setup a brand new server, and take down the old one

You should always setup a new server from scracth after an attack. This is to ensure the operating system or the system software weren’t to blame for the server being attacked. If you colocate a server, then follow the steps in the next paragraph to reinstall the operating system. You should then set up the system as it was before hand ensuring any security updates are applied, as required.

Running security updates ensures that potential bugs in the system software won’t contribute to any attacks that may happen in the future.

If you don’t have a virtual server, but you colocate a physical server in a datacentre then you can’talways feasibly swap it out for a new one. What you can do, though, is reinstall the operating system. This step is important because we need to be sure that we eradicate any compromised sections of the system. We will also need to run security updates, which will ensure that potential bugs in the system software won’t contribute to any attacks that may happen in the future.

Fix the cause

You already know what went wrong, now is time to plug the hole. You shouldn’t relaunch until you’ve fixed the attack vector, as a malicious user can simply attack you again and compromise the server again.

Deploy the site from a known safe repository

Now you have done everything you can to find out what happened, and why, and reinstalled your operating system and system software, you don’t want to just put the website back online how it was. You need to deploy the source code fresh from the repository using your normal deployment procedures, providing that these weren’t the source of the attack. This ensures a safe copy of your website code will be deployed to the fresh server and not a compromised version that will allow the attacker to gain access to your system as soon as it is put back online.

Reinstate Databases & Change user passwords

The final step before putting your website back onto the public internet is to reinstate the database from the most recent backup and reset all user passwords. It is recommended to send all users an email explaining what happened — making sure to apologise for the break in service — and provide them with a link to easily reset their password. It is important that all passwords are changed and this policy is enforced. This is to keep users safe if they have used the same password with the email address associated with their account on other websites.

Finally, relaunch!

Once you have followed the list above it will be much safer to put your website back online.