Company’s website page defaced!

Website defacement involves an attack on a website that results in changes in the visual appearance of the site or a webpage.
It is typically done by system crackers, who break into a web server and replace the hosted website with one of their own. Usually, this is done by getting access to the administrator’s account using SQL injections.

Defacements may include the defacer’s pseudonym or a codename, along with content intended to mock the system administrator for failing to maintain server security. Sometimes defacement is done just to show off a system cracker’s skills; at other times it serves as a distraction to cover up more malicious actions such as deleting essential files from the server or uploading malware.

Such defacements are usually targeted at government organizations and religious websites and are typically perpetrated by activists (or hacktivists) working against the principles and ideals of the sponsoring organization.

Top Recovery Tips

1. First things first – Preserve evidence and clean up your website!

As soon as you discover the defacement, back up all your website data as well as the database to preserve evidence for investigation purposes. Take the site offline, especially if you suspect the presence of malicious content. If required, deploy a temporary web server with up-to-date applications that offers the same content as the compromised web server, or show the site as “Temporarily unavailable”. Displaying static content will prevent further infection.

In case of shared hosting, notify your ISP/host. Make sure you immediately change all passwords (FTP, database access, email, control panel, etc.). Scan for malicious content and do a thorough clean-up of your website. Apply the latest patches for the operating system and other software.

In case of a serious attack, restore the most recent clean backup of the website and any database supporting it. Update the site with any code or data missing since the last backup. Make sure you regularly update Content Management Frameworks (CMF) such as Joomla or WordPress, as many defacements exploit CMF vulnerabilities. Also, if any of the plugins, widgets, or modules you are using are vulnerable, replace them now.

2. Investigate how your website was breached.

Find out which attack vector was used (XSS, SQLi, a weak FTP password, etc.) and patch it. Examine all logs, including FTP logs. Check for any changes in dates and permissions for files with static content. Scan the code as well as the database for malicious content. Also have a look at the site analytics to get an indication of who is targeting the site.
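
One way to carry out the date and permission check described above, as an added example that is not part of the original article: it compares the live web root with a clean backup by content hash, permission bits and modification time. The directory layout, file names and timestamps are constructed sample data, and a POSIX file system is assumed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map relative path -> (sha256, permission bits, mtime) for every file."""
    root, manifest = Path(root), {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (
                digest, st.st_mode & 0o7777, int(st.st_mtime))
    return manifest

def compare(baseline, live):
    """Report how the live tree differs from the clean backup."""
    common = baseline.keys() & live.keys()
    return {
        "added": sorted(live.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - live.keys()),
        "content_changed": sorted(p for p in common if baseline[p][0] != live[p][0]),
        "mode_changed": sorted(p for p in common if baseline[p][1] != live[p][1]),
        # Same bytes, different timestamp: touched or rewritten in place.
        "mtime_only": sorted(p for p in common if baseline[p][0] == live[p][0]
                             and baseline[p][2] != live[p][2]),
    }

def demo():
    """Constructed sample: a clean backup tree and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        pages = {"index.html": "<h1>Welcome</h1>", "about.html": "<p>About</p>",
                 "css/site.css": "body{margin:0}"}
        for tree in (backup, live):
            for rel, body in pages.items():
                target = tree / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
                os.chmod(target, 0o644)
                os.utime(target, (1_700_000_000, 1_700_000_000))
        (live / "index.html").write_text("<h1>replaced</h1>")  # page overwritten
        (live / "extra.html").write_text("unexpected file")    # file not in backup
        os.chmod(live / "css/site.css", 0o666)                 # permissions loosened
        os.utime(live / "about.html", (1_700_500_000, 1_700_500_000))  # date changed
        return compare(build_manifest(backup), build_manifest(live))

if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` against the evidence copy taken in step 1 rather than the live server, so the comparison itself does not alter timestamps on the compromised files.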

3. Inform your customers about the breach and force a password change.

Inform all customers about the breach and provide an explanation as to how it happened. If your website requires user authentication, and you suspect or have evidence about passwords being compromised, ask all customers to change their passwords.
