What happens if my website is hacked ?
Posted by Helpdesk Admin on 13 August 2009 08:24 AM
Unfortunately, website hacking and other compromise is an ever increasing problem. As your host, we provide a baseline secure environment by ensuring that our machines are regularly patched and updated, and that the versions of software we run are not known to be susceptible to compromise. Additionally, our hosting systems are designed to ensure that to the maximum extent possible, a compromise on one customer's site will not affect another customer.
However, because a customer can upload applications or content that we have no control over, the responsibility for all uploaded content and applications rests firmly with the customer.
Having your site hacked or otherwise compromised is not a trivial matter. At the very least it will result in your site being deactivated and archived, so it will be unavailable for a significant period of time. You will also have to expend time & cost in repairing and/or securing your website against repeat compromise. If your site stores personal information about your customers or members etc, there may be data protection implications and possible liability issues. If the compromise includes phishing or fraud perpetrated on others, then this may involve law enforcement agencies, evidence gathering, etc.
We do not routinely scan customer websites, however we may from time to time become aware that a customer's site has been compromised.
Such notifications may arise from a number of sources including:
* Third parties that are subject of attacks or probes from your website
* Third party security companies acting for banks or other institutions whose customers your site is targeting (phishing).
* Email recipients or providers that see large amounts of email spam originating from your site
* Search companies (such as Google) that identify malware or dangerous content on your site.
* Customer or other reports that their site is not working
Our procedure, upon receiving such notification, is quite straightforward:
* We will conduct an initial examination of your site including logs, suspicious files and any information provided by the notifier.
* If any compromise or other AUP violation is evident, we will deactivate the site immediately.
* We will examine site files and logs to identify the likely source of compromise*
* We will remove and archive the site files as a zip or unix archive - we will place this in the site root directory**
* We will notify the customer as soon as practicable afterwards.
If your site has been compromised, you should expect the site (and any applications etc) to be unavailable for an extended period of time.
* Identification of root cause is on a best efforts basis to identify the most likely source of the compromise. If an insecure application is identified that has known security vulnerabilities that could have enabled the attack, then we will not usually dig any deeper. If multiple vulnerabilities or compromises are evident, we will investigate only to the extent that we identify one potential source of compromise.
** Once compromised, all code and other files on the website should be treated with the utmost suspicion. Hackers sometimes make modifications to seemingly innocent files and reset time & date stamps so that they look identical to the original and are not obviously modified. For this reason, we forbid the unzipping of the archived site on our servers, and likewise you may not re-upload any programs or scripts that were contained in that archive. The reason we make the archived site available to you for download is only for the purposes of retrieving images or other media files that might not be available locally to you.
In most cases, where the site is based on third party applications or components, it will be necessary for you to rebuild the site using the latest known secure version of the application, and to apply any security patches or configurations recommended by the vendor. Where the site is of bespoke design (in-house or contracted developer) you will have to conduct a detailed security assessment of the application and confirm to us that the vulnerability has been removed before you restore the site from your own known-good copy.
The archived site may be of assistance in rebuilding your site locally. Additionally, we do not ususally remove database content, but please be aware that it is possible that your database content may have been altered or downloaded and that it may contain malicious or dangerous content so should be thoroughly checked before being reused.
In all situations, the site owner is required to confirm to us the measures taken to address the issue before the site may be placed live on our servers.
Note that in the event of website compromise resulting from customer supplied application or content, we reserve the right to charge the customer on a professional services* basis for any support time required over and above the steps outlined above. This includes time expended in retrieving content, assisting in the restoration of the website, conducting further investigations into the source of the compromise, or interfacing with law enforcement or security consultants regarding the incident. In the case of a second or subsequent compromise, whether related to the original incident or not, all support time expended will be billed to the customer.
*Professional services support time will be billed at the rate of €95 plus VAT per hour or portion thereof, plus any expenses incurred in the delivery of such service.
The following link may also be useful: How can I stop my website being hacked or compromised?