“How do I fix this?” read the post from someone whose site had been hacked. The poster wanted advice on how to find the hacker’s entry point.
Good question, but the right question is: “What should I do when I discover my website has been hacked?”
When you notice that someone (or something, like a bot) has tampered with your system, you have a serious incident (not a bug) and you need a response plan (not a reaction or a quick bug fix):
- Don’t shut down the system. There is probably valuable evidence in volatile memory (running processes, open network connections, logged-in sessions) that a shutdown destroys. Isolate the system from your network and the Internet at large while you investigate (unplug the network cable, filter the server’s IP address at the firewall, use VLAN capability to put the MAC address on an unconnected virtual subnet, etc.).
- Ask for professional help: talk to local experts and ask for advice. Contact the officers of the local information security groups (InfraGard, ISSA, ISACA, etc.). The response is a full-time job for a period of time, usually weeks.
- Keep a chain of custody. Be very careful about who accesses the system. Write down every step taken, including the time, who took it, and what was touched.
- Keep your head and take your time. Don’t rush this; the system is going to be offline for longer than you think. Like a week…or weeks.
- A SQL injection flaw in a contractor-developed system is not one flaw. It is many flaws. Probably many, many flaws: the query-building habit that produced the one you found is almost certainly repeated wherever the code talks to the database, so patching a single statement is not a fix.
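The first and third steps above (keep the box up but cut off, and record who did what and when) are easier to do well with a script prepared in advance. The following is an added example, not code from the original post or from any of the groups it names. It assumes a Linux host with POSIX sh, coreutils, procps and iproute2; the evidence directory, the tab-separated log format, the operator name and the `isolate_host` firewall rules are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Preserves volatile evidence on a
# compromised Linux host while it stays up, and keeps a timestamped, hashed
# chain-of-custody log of every action. Assumes POSIX sh plus coreutils, procps
# and iproute2; the evidence directory, log format and operator name are
# hypothetical choices for this example.

EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-evidence}"
CUSTODY_LOG="${CUSTODY_LOG:-$EVIDENCE_DIR/chain_of_custody.log}"
OPERATOR="${OPERATOR:-$(id -un)}"
TAB="$(printf '\t')"

# UTC timestamps so entries from different people and hosts line up.
now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one custody entry: when, who, what was done, which artifact, its hash.
# Hashing at collection time lets anyone later prove the file is unchanged.
custody_log() {
    action="$1"; artifact="${2:-}"
    mkdir -p "$EVIDENCE_DIR"
    if [ -n "$artifact" ] && [ -f "$artifact" ]; then
        printf '%s\t%s\t%s\t%s\tsha256=%s\n' "$(now_utc)" "$OPERATOR" \
            "$action" "$artifact" "$(sha256_of "$artifact")" >> "$CUSTODY_LOG"
    else
        printf '%s\t%s\t%s\t-\t-\n' "$(now_utc)" "$OPERATOR" "$action" >> "$CUSTODY_LOG"
    fi
}

# Run one command, save its output as an artifact, log it. A command that is
# missing on this box is logged as skipped rather than silently ignored.
capture() {
    name="$1"; shift
    out="$EVIDENCE_DIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || true
        custody_log "captured: $*" "$out"
    else
        custody_log "skipped (command not found): $*"
    fi
}

# Volatile state first: it vanishes on shutdown or reboot.
collect_volatile() {
    mkdir -p "$EVIDENCE_DIR"
    custody_log "begin volatile collection on $(uname -n)"
    capture date date
    capture uptime uptime
    capture processes ps -eo pid,ppid,user,lstart,args
    capture sockets ss -tunap
    capture logged_in who
    capture arp_cache ip neigh
    capture routes ip route
    custody_log "end volatile collection"
}

# Re-hash every artifact named in the log. Returns 0 when all still match,
# 1 when any artifact was altered or is missing.
verify_custody() {
    rc=0
    while IFS="$TAB" read -r ts op action artifact hash; do
        [ "$artifact" = "-" ] && continue
        expected="${hash#sha256=}"
        if [ ! -f "$artifact" ] || [ "$(sha256_of "$artifact")" != "$expected" ]; then
            echo "MISMATCH: $artifact" >&2; rc=1
        fi
    done < "$CUSTODY_LOG"
    return $rc
}

# Cut the host off without powering it down: default-DROP all traffic, keep
# loopback. Run only as root from a console or out-of-band session, since it
# kills any remote shell you are on; never run automatically.
isolate_host() {
    [ "$(id -u)" -eq 0 ] || { echo "isolate_host: must be root" >&2; return 1; }
    custody_log "isolating host: iptables default DROP on INPUT/OUTPUT/FORWARD"
    iptables -P INPUT DROP && iptables -P OUTPUT DROP && iptables -P FORWARD DROP
    iptables -I INPUT -i lo -j ACCEPT && iptables -I OUTPUT -o lo -j ACCEPT
}

# Stand-alone use: sh ir-collect.sh collect | verify | isolate
case "${1:-}" in
    collect) collect_volatile ;;
    verify)  verify_custody ;;
    isolate) isolate_host ;;
esac
```

Run `collect` from a console session before `isolate`, because isolation drops the remote session you would otherwise be working from. Each log line carries the artifact's SHA-256 at the moment it was taken, so `verify` can later show the evidence handed to an outside responder is exactly what was collected. A full memory image needs a dedicated acquisition tool and is not attempted here.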