Most organizations spend a lot of time and effort on building websites or applications and once they’re launched it’s assumed that little to no effort is required to maintain the applications unless some functional or content updates are required.  Unfortunately, with any sort of application-based website this is not the case.  The result of little-to-no maintenance over a longer period of time is often a hacked/compromised server.

Generally a compromised server or hacked website is only realized in one of two ways:

1. A Google (or other search engine) notice, either on the search engine itself or while browsing the site within a browser, indicating that the site is unsafe

2. A notice from the web host indicating the server is compromised along with a deadline to resolve the compromise.  If the compromise is not resolved by the specific deadline set by the web host, the server or services are usually suspended.

If there has been little-to-no maintenance done for a period of time, the result is obviously a reactive exercise to remediate the server or website compromise as quickly as possible.

Steps to Remediate a Server Hack/Compromised Server

Once your server has been hacked, the immediate reactive goal is obviously to remove any malicious content from the website/server.  The second, more important, goal should be to identify the root cause of the server compromise and patch the vulnerabilities to prevent a reccurrence of the issue.

There are different tools which can be used on Linux and Windows servers, but the first step in the remediation process should be to install and run a server rootkit/malware scan utility to identify and remove or quarantine any malicious content/scripts identified.  Additionally a server-side anti-virus utility should be installed and run to identify any viruses that may exist on the server.

During the course of these scans, it’s important to identify if the server has been compromised at the root level or just the application level.  This can often be identified by the nature of the malicious content identified and/or by also performing a review of the server logs.  If a root level compromise exists, in most cases, the only option to guarantee remediation of the compromise is to perform a migration of all of the content on the server to a brand new server.

Once the malicious content has been removed, it’s important to identify the vulnerabilities which led to the compromise in the first place.  To do so, a site/server vulnerability scan should be run.  Using a service like McAfee or Nessus to scan the site/server is generally the best and the easiest method.  The resulting data from the server scan tool will lend to a report that identifies both application-side and/or server-side vulnerabilities.  The tools will generally categorize them from critical to low-level vulnerabilities.  It’s recommended that at least any/all critical, high, and medium-level vulnerabilities be patched to prevent a future compromise.

Though fixing the vulnerabilities reported by 3rd party tools is definitely recommended, one should keep in mind that the scanning tools will only identify visible problems (‘security holes’) lying on the surface and available for any automatic hacking tool to break. The majority of the problems usually reside in the authentication protected areas or require a specific scenario (e.g. an user profile image upload).

Security best practices dictate that the application is at least somewhat hacker-proof when put into production, and also that the application is built with security in mind as well as any future updates that may be required to undergo a special security analysis before they go live.  This may be difficult when dealing with budget and/or application development time constraints leaving no room for a full scale security test during the development phase. However, it is important to realize that the impact of a security vulnerability discovered at a later stage can place a much more significant burden – financial or otherwise – on any business.

Additionally, if maintenance hasn’t been performed on your websites/applications in quite some time, a review – especially in open source applications (like Joomla, Drupal, WordPress, Magento, etc.) – of the versions of the applications that are in use vs. the latest stable versions that are available is in order.  All open source applications should be upgraded to the latest, stable versions.  It’s recommended that this type of review be done at least every 6 months, if not more frequently.

Once the malicious content has been removed, and/or your content has been migrated to a new server, you may have to submit to Google or other major search engines to have your site removed from their black-lists.  This can take up to 7 days to occur, but can take place within 48 hours after the request is submitted.

Best Practices to Prevent a Server Compromise

After this reactive exercise is complete, it’s a good idea to review your regular maintenance plans to ensure a proactive approach to prevent a future server compromise.  A continuous security monitoring strategy is a must –  this includes both server side monitoring with systems like OSSEC to be able to track suspicious file changes, and also monitoring of the security patches for both server components and the application.

The most important part here, of course, is to have a security expert tighten the security on the server; this ranges from permissions validation to installing additional modules to isolate processes.

At a minimum, vulnerability scans should be completed after each update to ensure that a recently added feature does not expose a vulnerability which can let an attacker steal all the data or penetrate the server.

So to summarize, if your server or app got compromised these are your steps:

1. Mitigate immediate damage and clean up the server/app from malware, scripts, injects, viruses, etc.

2. Identify and close ‘open doors’ to the server/app – i.e. fix code vulnerabilities and tighten security of the server

3. Protect your assets as the bad guys will always come back for more – install specialized security tools and continuously monitor the activity on the server, review server logs, and of course proactively monitor and apply upcoming releases for your web servers, all the modules, and the web application (if it’s open source or developed by a 3rd party)

For help with server & application security, WSM offers both server compromise remediation services, as well as a proactive vulnerability scans and application development, fixes & patches. For more information feel free to contact our solution specialists at 888-899-7940 x1.