The experience of being hacked is almost the same as the poor income. At least, this is the feeling I recently learned from the modification and destruction of one of my own web pages.
Sure enough, our investigation found that an unpatched PHP forum program was running on the damaged server, and the hacker used the PHP vulnerability to leave a short and friendly message, indicating that he had occupied this territory. Although this is a relatively small event, it emphasizes how important it is to have a well-prepared and wise emergency plan.
There is a proverb that is right: no one will see the value of a strategy until the critical moment.
Information Response (IR) provides us with the process of immediate response, investigation, analysis and recovery. They are like three intersecting rings in our hands. In order to ensure its success, we must do the following:
Server isolation
This is a very important server, so we must ensure its installation and isolate it from the network. We intercept the attack between the server and the external network through firewall rules, and then we can close the responding switch port and isolate the server. Once the isolation is completed, we can stop recording the time of discovery, which will discover the hacker and his behavior, which is also an important step to provide evidence for court analysis and possible litigation behavior.
Ctrl Alt Delete
The hacker didn't delete the log, so it took us a short time to find that the hacker tried to attack PHP many times with a fixed script. What we really want to know is whether the hacker has the privilege of root user or uses this server as a stepping stone to attack other systems. The CRC check of important files tells us that they have not been changed or damaged, and there is no suspicious process running in memory. We checked the website of the forum program vendor. In fact, one week before the attack, the vendor had issued a statement about this vulnerability and released a patch. No problem ― a week is enough time for a hacker.
We are shocked that no evidence of PHP attack was found in our IDS logs. Our IDS supplier told us that the signature will be used for about two weeks before the next scheduled signature update. In other words, there is a three-week interval before vulnerabilities and attacks are discovered and IDS signatures are available.
Response and recovery
Our incident response strategy is that no matter how serious the incident is (leaving no chance for adventure), any damaged machine will be rebuilt. The system is set up and integrated in terms of security according to generally accepted standards, and we also scan the weaknesses of the machine through a vulnerability scanner to check our work. Of course, we also detect similar machines through attack software.
summarize experience and lessons
We have learned a lesson from this incident: make sure that your system administrator updates the latest patches in time (once a month is not enough) and check the logs frequently (once a week is not enough). Security administrators must know what software is installed on each machine so that they can guard against related vulnerabilities and weaknesses. Don't rely on any unique IDS vendor, because the signature may come too late for the first defense scope. Consider implementing Tripwire (an intrusion detection system) on a public-oriented server to monitor the changes of important file attributes.
Finally, keep your emergency response strategy real-time to meet the requirements of the current system. Let everyone know what to do in an emergency, so as to ensure the smooth implementation of remedial measures.
Ten tips to prevent hackers
1. Use antivirus software and update it frequently to keep destructive programs away from your computer.
Online merchants are not allowed to store your credit card information for your convenience in future shopping.
Third, use a password that is difficult to decipher and mixed with numbers and letters, and change it frequently.
Fourth, different websites and programs should use different passwords to prevent them from being cracked by hackers.
Use the latest version of web browser software, email software and other programs.
6. Send the credit card number only to websites with security guarantee, and pay attention to look for the padlock icon or key icon displayed at the bottom of the browser.
7. Confirm the address of the website you want to deal with, and pay attention to the address you enter, for example, don't write ana-zon.com as amozon.com.
8. Use the security program that controls the cookie program, and the cookie program will send the information back to the website.
If you use a digital subscriber line or cable modem to connect to the Internet, you should install firewall software to monitor the data flow.
Don't open the attachment of the email unless you know the source of the information.